volatility-2.3.1/README.txt

============================================================================
Volatility Framework - Volatile memory extraction utility framework
============================================================================

The Volatility Framework is a completely open collection of tools,
implemented in Python under the GNU General Public License, for the
extraction of digital artifacts from volatile memory (RAM) samples.
The extraction techniques are performed completely independent of the
system being investigated but offer visibility into the runtime state
of the system. The framework is intended to introduce people to the
techniques and complexities associated with extracting digital artifacts
from volatile memory samples and provide a platform for further work into
this exciting area of research.

The Volatility distribution is available from:
http://code.google.com/p/volatility/downloads/list

Volatility should run on any platform that supports
Python (http://www.python.org)

Volatility supports investigations of the following memory images:

Windows:
* 32-bit Windows XP Service Pack 2 and 3
* 32-bit Windows 2003 Server Service Pack 0, 1, 2
* 32-bit Windows Vista Service Pack 0, 1, 2
* 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
* 32-bit Windows 7 Service Pack 0, 1
* 64-bit Windows XP Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows Vista Service Pack 0, 1, 2
* 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows 2008 R2 Server Service Pack 0 and 1
* 64-bit Windows 7 Service Pack 0 and 1

Linux:
* 32-bit Linux kernels 2.6.11 to 3.5
* 64-bit Linux kernels 2.6.11 to 3.5
* OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc

Mac OSX:
* 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
* 32-bit 10.6.x Snow Leopard
* 64-bit 10.6.x Snow Leopard
* 32-bit 10.7.x Lion
* 64-bit 10.7.x Lion
* 64-bit 10.8.x Mountain Lion (there is no 32-bit version)

Volatility does not provide memory sample acquisition
capabilities. For acquisition, there are both free and commercial
solutions available.
If you would like suggestions about suitable
acquisition solutions, please contact us at:

volatility (at) volatilityfoundation (dot) org

Volatility supports a variety of sample file formats and the
ability to convert between these formats:

- Raw linear sample (dd)
- Hibernation file
- Crash dump file
- VirtualBox ELF64 core dump
- VMware saved state and snapshot files
- EWF format (E01)
- LiME (Linux Memory Extractor) format
- Firewire
- HPAK (FDPro)

For a more detailed list of capabilities, see the following:

    https://code.google.com/p/volatility/wiki/Release23
    https://code.google.com/p/volatility/wiki/CommandReference23
    https://code.google.com/p/volatility/wiki/CommandReferenceGui23
    https://code.google.com/p/volatility/wiki/CommandReferenceMal23
    https://code.google.com/p/volatility/wiki/CommandReferenceRegistryApi23
    https://code.google.com/p/volatility/wiki/LinuxCommandReference23
    https://code.google.com/p/volatility/wiki/MacCommandReference23

Example Data
============

If you want to give Volatility a try, you can download exemplar
data hosted by NIST at the following url:

    http://www.cfreds.nist.gov/mem/memory-images.rar

Links to other public memory images can be found at the following url:

    https://code.google.com/p/volatility/wiki/SampleMemoryImages

Mailing Lists
=============

Mailing lists to support the users and developers of Volatility
can be found at the following address:

    http://lists.volatilesystems.com/mailman/listinfo

Contact
=======

For information or requests, contact:

Volatility Foundation

Web: http://www.volatilityfoundation.org/
     http://volatility.tumblr.com/

Email: volatility (at) volatilityfoundation (dot) org

IRC: #volatility on freenode

Twitter: @volatility

Requirements
============

- Python 2.6 or later, but not 3.0. http://www.python.org

Some plugins may have other requirements which can be found at:
    https://code.google.com/p/volatility/wiki/VolatilityInstallation

Quick Start
===========

1.
   Unpack the latest version of Volatility from
   http://code.google.com/p/volatility/downloads/list

2. To see available options, run "python vol.py -h"

   Example:

    $ python vol.py -h
    Volatility Foundation Volatility Framework 2.3
    Usage: Volatility - A memory forensics analysis platform.

    Options:
      -h, --help            list all available options and their default values.
                            Default values may be set in the configuration file
                            (/etc/volatilityrc)
      --conf-file=/Users/michaelligh/.volatilityrc
                            User based configuration file
      -d, --debug           Debug volatility
      --plugins=PLUGINS     Additional plugin directories to use (colon separated)
      --info                Print information about all registered objects
      --cache-directory=/Users/michaelligh/.cache/volatility
                            Directory where cache files are stored
      --cache               Use caching
      --tz=TZ               Sets the timezone for displaying timestamps
      -f FILENAME, --filename=FILENAME
                            Filename to use when opening an image
      --profile=WinXPSP2x86
                            Name of the profile to load
      -l LOCATION, --location=LOCATION
                            A URN location from which to load an address space
      -w, --write           Enable write support
      --dtb=DTB             DTB Address
      --output=text         Output in this format (format support is module
                            specific)
      --output-file=OUTPUT_FILE
                            write output in this file
      -v, --verbose         Verbose information
      --shift=SHIFT         Mac KASLR shift address
      -g KDBG, --kdbg=KDBG  Specify a specific KDBG virtual address
      -k KPCR, --kpcr=KPCR  Specify a specific KPCR address

    $ python vol.py --info
    Volatility Foundation Volatility Framework 2.3

    Profiles
    --------
    VistaSP0x64 - A Profile for Windows Vista SP0 x64
    VistaSP0x86 - A Profile for Windows Vista SP0 x86
    VistaSP1x64 - A Profile for Windows Vista SP1 x64
    VistaSP1x86 - A Profile for Windows Vista SP1 x86
    VistaSP2x64 - A Profile for Windows Vista SP2 x64
    VistaSP2x86 - A Profile for Windows Vista SP2 x86
    Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
    Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
    Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
    Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
    Win2003SP2x86
    - A Profile for Windows 2003 SP2 x86
    Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
    Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
    Win2008SP1x64 - A Profile for Windows 2008 SP1 x64
    Win2008SP1x86 - A Profile for Windows 2008 SP1 x86
    Win2008SP2x64 - A Profile for Windows 2008 SP2 x64
    Win2008SP2x86 - A Profile for Windows 2008 SP2 x86
    Win7SP0x64 - A Profile for Windows 7 SP0 x64
    Win7SP0x86 - A Profile for Windows 7 SP0 x86
    Win7SP1x64 - A Profile for Windows 7 SP1 x64
    Win7SP1x86 - A Profile for Windows 7 SP1 x86
    WinXPSP1x64 - A Profile for Windows XP SP1 x64
    WinXPSP2x64 - A Profile for Windows XP SP2 x64
    WinXPSP2x86 - A Profile for Windows XP SP2 x86
    WinXPSP3x86 - A Profile for Windows XP SP3 x86

    Address Spaces
    --------------
    AMD64PagedMemory - Standard AMD 64-bit address space.
    ArmAddressSpace - No docs
    FileAddressSpace - This is a direct file AS.
    HPAKAddressSpace - This AS supports the HPAK format
    IA32PagedMemory - Standard IA-32 paging address space.
    IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible
    LimeAddressSpace - Address space for Lime
    MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader
    VMWareSnapshotFile - This AS supports VMware snapshot files
    VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format
    WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
    WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
    WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files.

    Plugins
    -------
    apihooks - Detect API hooks in process and kernel memory
    atoms - Print session and window station atom tables
    atomscan - Pool scanner for _RTL_ATOM_TABLE
    bioskbd - Reads the keyboard buffer from Real Mode memory
    callbacks - Print system-wide notification routines
    clipboard - Extract the contents of the windows clipboard
    cmdscan - Extract command history by scanning for _COMMAND_HISTORY
    connections - Print list of open connections [Windows XP and 2003 Only]
    connscan - Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
    consoles - Extract command history by scanning for _CONSOLE_INFORMATION
    crashinfo - Dump crash-dump information
    deskscan - Poolscaner for tagDESKTOP (desktops)
    devicetree - Show device tree
    dlldump - Dump DLLs from a process address space
    dlllist - Print list of loaded dlls for each process
    driverirp - Driver IRP hook detection
    driverscan - Scan for driver objects _DRIVER_OBJECT
    dumpcerts - Dump RSA private and public SSL keys
    dumpfiles - Extract memory mapped and cached files
    envars - Display process environment variables
    eventhooks - Print details on windows event hooks
    evtlogs - Extract Windows Event Logs (XP/2003 only)
    filescan - Scan Physical memory for _FILE_OBJECT pool allocations
    gahti - Dump the USER handle type information
    gditimers - Print installed GDI timers and callbacks
    gdt - Display Global Descriptor Table
    getservicesids - Get the names of services in the Registry and return Calculated SID
    getsids - Print the SIDs owning each process
    handles - Print list of open handles for each process
    hashdump - Dumps passwords hashes (LM/NTLM) from memory
    hibinfo - Dump hibernation file information
    hivedump - Prints out a hive
    hivelist - Print list of registry hives.
    hivescan - Scan Physical memory for _CMHIVE objects (registry hives)
    hpakextract - Extract physical memory from an HPAK file
    hpakinfo - Info on an HPAK file
    idt - Display Interrupt Descriptor Table
    iehistory - Reconstruct Internet Explorer cache / history
    imagecopy - Copies a physical address space out as a raw DD image
    imageinfo - Identify information for the image
    impscan - Scan for calls to imported functions
    kdbgscan - Search for and dump potential KDBG values
    kpcrscan - Search for and dump potential KPCR values
    ldrmodules - Detect unlinked DLLs
    linux_arp - Print the ARP table
    linux_bash - Recover bash history from bash process memory
    linux_check_afinfo - Verifies the operation function pointers of network protocols
    linux_check_creds - Checks if any processes are sharing credential structures
    linux_check_evt_arm - Checks the Exception Vector Table to look for syscall table hooking
    linux_check_fop - Check file operation structures for rootkit modifications
    linux_check_idt - Checks if the IDT has been altered
    linux_check_modules - Compares module list to sysfs info, if available
    linux_check_syscall - Checks if the system call table has been altered
    linux_check_syscall_arm - Checks if the system call table has been altered
    linux_check_tty - Checks tty devices for hooks
    linux_cpuinfo - Prints info about each active processor
    linux_dentry_cache - Gather files from the dentry cache
    linux_dmesg - Gather dmesg buffer
    linux_dump_map - Writes selected memory mappings to disk
    linux_find_file - Recovers tmpfs filesystems from memory
    linux_ifconfig - Gathers active interfaces
    linux_iomem - Provides output similar to /proc/iomem
    linux_keyboard_notifier - Parses the keyboard notifier call chain
    linux_lsmod - Gather loaded kernel modules
    linux_lsof - Lists open files
    linux_memmap - Dumps the memory map for linux tasks
    linux_moddump - Extract loaded kernel modules
    linux_mount - Gather mounted fs/devices
    linux_mount_cache - Gather mounted fs/devices from kmem_cache
    linux_netstat
    - Lists open sockets
    linux_pidhashtable - Enumerates processes through the PID hash table
    linux_pkt_queues - Writes per-process packet queues out to disk
    linux_proc_maps - Gathers process maps for linux
    linux_psaux - Gathers processes along with full command line and start time
    linux_pslist - Gather active tasks by walking the task_struct->task list
    linux_pslist_cache - Gather tasks from the kmem_cache
    linux_pstree - Shows the parent/child relationship between processes
    linux_psxview - Find hidden processes with various process listings
    linux_route_cache - Recovers the routing cache from memory
    linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache
    linux_slabinfo - Mimics /proc/slabinfo on a running machine
    linux_tmpfs - Recovers tmpfs filesystems from memory
    linux_vma_cache - Gather VMAs from the vm_area_struct cache
    linux_volshell - Shell in the memory image
    linux_yarascan - A shell in the Linux memory image
    lsadump - Dump (decrypted) LSA secrets from the registry
    mac_arp - Prints the arp table
    mac_check_syscalls - Checks to see if system call table entries are hooked
    mac_check_sysctl - Checks for unknown sysctl handlers
    mac_check_trap_table - Checks to see if mach trap table entries are hooked
    mac_dead_procs - Prints terminated/de-allocated processes
    mac_dmesg - Prints the kernel debug buffer
    mac_dump_maps - Dumps memory ranges of processes
    mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images
    mac_ifconfig - Lists network interface information for all devices
    mac_ip_filters - Reports any hooked IP filters
    mac_list_sessions - Enumerates sessions
    mac_list_zones - Prints active zones
    mac_lsmod - Lists loaded kernel modules
    mac_lsof - Lists per-process opened files
    mac_machine_info - Prints machine information about the sample
    mac_mount - Prints mounted device information
    mac_netstat - Lists active per-process network connections
    mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g.
    LogKext)
    mac_pgrp_hash_table - Walks the process group hash table
    mac_pid_hash_table - Walks the pid hash table
    mac_print_boot_cmdline - Prints kernel boot arguments
    mac_proc_maps - Gets memory maps of processes
    mac_psaux - Prints processes with arguments in user land (**argv)
    mac_pslist - List Running Processes
    mac_pstree - Show parent/child relationship of processes
    mac_psxview - Find hidden processes with various process listings
    mac_route - Prints the routing table
    mac_tasks - List Active Tasks
    mac_trustedbsd - Lists malicious trustedbsd policies
    mac_version - Prints the Mac version
    mac_volshell - Shell in the memory image
    mac_yarascan - Scan memory for yara signatures
    machoinfo - Dump Mach-O file format information
    malfind - Find hidden and injected code
    mbrparser - Scans for and parses potential Master Boot Records (MBRs)
    memdump - Dump the addressable memory for a process
    memmap - Print the memory map
    messagehooks - List desktop and thread window message hooks
    mftparser - Scans for and parses potential MFT entries
    moddump - Dump a kernel driver to an executable file sample
    modscan - Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
    modules - Print list of loaded modules
    mutantscan - Scan for mutant objects _KMUTANT
    netscan - Scan a Vista, 2008 or Windows 7 image for connections and sockets
    patcher - Patches memory based on page scans
    printkey - Print a registry key, and its subkeys and values
    privs - Display process privileges
    procexedump - Dump a process to an executable file sample
    procmemdump - Dump a process to an executable memory sample
    pslist - Print all running processes by following the EPROCESS lists
    psscan - Scan Physical memory for _EPROCESS pool allocations
    pstree - Print process list as a tree
    psxview - Find hidden processes with various process listings
    raw2dmp - Converts a physical memory sample to a windbg crash dump
    screenshot - Save a pseudo-screenshot based on GDI windows
    sessions - List details on _MM_SESSION_SPACE (user logon
    sessions)
    shellbags - Prints ShellBags info
    shimcache - Parses the Application Compatibility Shim Cache registry key
    sockets - Print list of open sockets
    sockscan - Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
    ssdt - Display SSDT entries
    strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
    svcscan - Scan for Windows services
    symlinkscan - Scan for symbolic link objects
    thrdscan - Scan physical memory for _ETHREAD objects
    threads - Investigate _ETHREAD and _KTHREADs
    timeliner - Creates a timeline from various artifacts in memory
    timers - Print kernel timers and associated module DPCs
    unloadedmodules - Print list of unloaded modules
    userassist - Print userassist registry keys and information
    userhandles - Dump the USER handle tables
    vaddump - Dumps out the vad sections to a file
    vadinfo - Dump the VAD info
    vadtree - Walk the VAD tree and display in tree format
    vadwalk - Walk the VAD tree
    vboxinfo - Dump virtualbox information
    vmwareinfo - Dump VMware VMSS/VMSN information
    volshell - Shell in the memory image
    windows - Print Desktop Windows (verbose details)
    wintree - Print Z-Order Desktop Windows Tree
    wndscan - Pool scanner for tagWINDOWSTATION (window stations)
    yarascan - Scan process or kernel memory with Yara signatures

    Scanner Checks
    --------------
    CheckHiveSig - Check for a registry hive signature
    CheckPoolIndex - Checks the pool index
    CheckPoolSize - Check pool block size
    CheckPoolType - Check the pool type
    CheckProcess - Check sanity of _EPROCESS
    CheckSocketCreateTime - Check that _ADDRESS_OBJECT.CreateTime makes sense
    CheckThreads - Check sanity of _ETHREAD
    KPCRScannerCheck - Checks the self referential pointers to find KPCRs
    MultiPrefixFinderCheck - Checks for multiple strings per page, finishing at the offset
    MultiStringFinderCheck - Checks for multiple strings per page
    PoolTagCheck - This scanner checks for the occurance of a pool tag

3.
   To get more information on a sample and to make sure Volatility
   supports that sample type, run 'python vol.py imageinfo -f '

   Example:

    > python vol.py imageinfo -f WIN-II7VOJTUNGL-20120324-193051.raw
    Volatility Foundation Volatility Framework 2.3
    Determining profile based on KDBG search...

              Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 (Instantiated with Win7SP0x64)
                         AS Layer1 : AMD64PagedMemory (Kernel AS)
                         AS Layer2 : FileAddressSpace (/Users/Michael/Desktop/memory/WIN-II7VOJTUNGL-20120324-193051.raw)
                          PAE type : PAE
                               DTB : 0x187000L
                              KDBG : 0xf800016460a0
              Number of Processors : 1
         Image Type (Service Pack) : 1
                    KPCR for CPU 0 : 0xfffff80001647d00L
                 KUSER_SHARED_DATA : 0xfffff78000000000L
               Image date and time : 2012-03-24 19:30:53 UTC+0000
         Image local date and time : 2012-03-25 03:30:53 +0800

4. Run some other tools. -f is a required option for all tools. Some
   also require/accept other options. Run "python vol.py -h" for
   more information on a particular command. A Command Reference wiki
   is also available on the Google Code site:

    http://code.google.com/p/volatility/wiki/CommandReference23

   as well as Basic Usage:

    http://code.google.com/p/volatility/wiki/VolatilityUsage23

Licensing and Copyright
=======================

Copyright (C) 2007-2013 Volatility Foundation

All Rights Reserved

Volatility is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License Version 2 as
published by the Free Software Foundation. You may not use, modify or
distribute this program under any other version of the GNU General
Public License.

Volatility is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with Volatility. If not, see .
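
Added example (not part of the Volatility distribution): a Python 3 helper that parses the imageinfo output from Quick Start step 3 and builds the command lines for step 4, using only the -f and --profile options and the pslist plugin listed above. The function names are hypothetical, and narrowing the suggested profiles by the reported "Image Type (Service Pack)" value is an analyst heuristic assumed here, not a rule stated in this README.

```python
import re

# imageinfo output as printed in Quick Start step 3 of this README.
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.3
Determining profile based on KDBG search...

          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 (Instantiated with Win7SP0x64)
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/Users/Michael/Desktop/memory/WIN-II7VOJTUNGL-20120324-193051.raw)
                      PAE type : PAE
                           DTB : 0x187000L
                          KDBG : 0xf800016460a0
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80001647d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2012-03-24 19:30:53 UTC+0000
     Image local date and time : 2012-03-25 03:30:53 +0800
"""


def parse_imageinfo(text):
    """Return {field name: value} for every 'name : value' line."""
    fields = {}
    for line in text.splitlines():
        # Split on the first " : " only, so timestamps keep their colons.
        name, sep, value = line.partition(" : ")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def suggested_profiles(fields):
    """Return (list of suggested profiles, profile imageinfo instantiated)."""
    raw = fields["Suggested Profile(s)"]
    match = re.search(r"\(Instantiated with (\w+)\)", raw)
    instantiated = match.group(1) if match else None
    names = re.sub(r"\(.*?\)", "", raw)
    return [p.strip() for p in names.split(",") if p.strip()], instantiated


def parse_addr(value):
    """Convert an address field to int; Python 2 longs print a trailing 'L'."""
    return int(value.rstrip("L"), 16)


def narrow_by_service_pack(profiles, service_pack):
    """Keep profiles whose name ends in SP<n>x86 / SP<n>x64 with n == service_pack."""
    keep = []
    for name in profiles:
        match = re.search(r"SP(\d+)x(?:86|64)$", name)
        if match and int(match.group(1)) == service_pack:
            keep.append(name)
    return keep


def build_command(image, profile, plugin):
    """Argument vector for one plugin run (safe to pass to subprocess)."""
    return ["python", "vol.py", "-f", image, "--profile=" + profile, plugin]


def plan_commands(imageinfo_text, image, plugin):
    """One command per candidate profile, narrowed by service pack if possible."""
    fields = parse_imageinfo(imageinfo_text)
    profiles, _instantiated = suggested_profiles(fields)
    candidates = profiles
    sp = fields.get("Image Type (Service Pack)", "")
    if sp.isdigit():
        # Fall back to every suggestion when no profile name matches.
        candidates = narrow_by_service_pack(profiles, int(sp)) or profiles
    return [build_command(image, p, plugin) for p in candidates]


if __name__ == "__main__":
    info = parse_imageinfo(SAMPLE_IMAGEINFO)
    profiles, instantiated = suggested_profiles(info)
    print("suggested   :", ", ".join(profiles))
    print("instantiated:", instantiated)
    print("DTB         :", hex(parse_addr(info["DTB"])))
    for argv in plan_commands(SAMPLE_IMAGEINFO,
                              "WIN-II7VOJTUNGL-20120324-193051.raw", "pslist"):
        print(" ".join(argv))
```

On the sample, imageinfo instantiated Win7SP0x64 while the image reports service pack 1, so the planned commands use Win7SP1x64 and Win2008R2SP1x64 instead of the default.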

Bugs and Support
================

There is no support provided with Volatility. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.

If you think you've found a bug, please report it at:

    http://code.google.com/p/volatility/issues

In order to help us solve your issues as quickly as possible,
please include the following information when filing a bug:

* The version of volatility you're using
* The operating system used to run volatility
* The version of python used to run volatility
* The suspected operating system of the memory image
* The complete command line you used to run volatility

Depending on the operating system of the memory image, you may need to provide
additional information, such as:

For Windows:
* The suspected Service Pack of the memory image

For Linux:
* The suspected kernel version of the memory image

Other options for communication can be found at:
    http://code.google.com/p/volatility/wiki/VolatilityIntroduction

Missing or Truncated Information
================================

Volatility Foundation makes no claims about the validity or correctness of the
output of Volatility. Many factors may contribute to the
incorrectness of output from Volatility including, but not
limited to, malicious modifications to the operating system,
incomplete information due to swapping, and information corruption on
image acquisition.

Command Reference
====================

The following url contains a reference of all commands supported by
Volatility.

    http://code.google.com/p/volatility/wiki/CommandReference23

volatility-2.3.1/Makefile

all: build

build:
	python setup.py build

install:
	python setup.py install

dist:
	python setup.py sdist

clean:
	rm -f `find . -name "*.pyc" -o -name "*~"`
	rm -rf dist build

volatility-2.3.1/setup.py

#!/usr/bin/env python

# Volatility
#
# Authors:
# AAron Walters
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

try:
    from setuptools import setup
except ImportError:
    from distutils.core import setup
import volatility.constants
import sys
import os

py2exe_available = True
try:
    import py2exe #pylint: disable-msg=W0611,F0401
except ImportError:
    py2exe_available = False

def find_files(topdirs, py = False):
    """Lists all python files under any topdir from the topdirs lists.

    Returns an appropriate list for data_files,
    with source and destination directories the same"""
    ret = []
    for topdir in topdirs:
        for r, _ds, fs in os.walk(topdir):
            ret.append((r, [ os.path.join(r, f) for f in fs if (f.endswith('.py') or not py)]))
    return ret

opts = {}

opts['name'] = "volatility"
opts['version'] = volatility.constants.VERSION
opts['description'] = "Volatility -- Volatile memory framwork"
opts['author'] = "AAron Walters"
opts['author_email'] = "awalters@4tphi.net"
opts['url'] = "http://www.volatilityfoundation.org"
opts['license'] = "GPL"
opts['scripts'] = ["vol.py"]
opts['packages'] = ["volatility",
                    "volatility.win32",
                    "volatility.plugins",
                    "volatility.plugins.addrspaces",
                    "volatility.plugins.overlays",
                    "volatility.plugins.overlays.windows",
                    "volatility.plugins.overlays.linux",
                    "volatility.plugins.overlays.mac",
                    "volatility.plugins.gui",
                    "volatility.plugins.gui.vtypes",
                    "volatility.plugins.linux",
                    "volatility.plugins.registry",
                    "volatility.plugins.malware",
                    "volatility.plugins.mac"]
opts['data_files'] = find_files(['contrib'], py = True) + find_files(['tools'])

if py2exe_available:
    py2exe_distdir = 'dist/py2exe'
    opts['console'] = [{ 'script': 'vol.py',
                         'icon_resources': [(1, 'resources/volatility.ico')]
                      }]
    # Optimize must be 1 for plugins that use docstring for the help value,
    # otherwise the help gets optimized out
    opts['options'] = {'py2exe':{'optimize': 1,
                                 'dist_dir': py2exe_distdir,
                                 'packages': opts['packages'] + ['socket', 'ctypes', 'Crypto.Cipher', 'urllib', 'distorm3', 'yara', 'xml.etree.ElementTree'],
                                 # This, along with zipfile = None, ensures a single binary
                                 'bundle_files': 1,
                                }
                      }
    opts['zipfile'] = None

distrib = setup(**opts) #pylint: disable-msg=W0142

if 'py2exe' in sys.argv:
    # Any py2exe specific files or things that need doing can go in here
    pass

volatility-2.3.1/setup.cfg

[egg_info]
tag_build =
tag_date = 0
tag_svn_revision = 0

volatility-2.3.1/MANIFEST.in

include *.txt
include *.win
include MANIFEST.in
include setup.py
include resources/*
include pyinstaller/*.py
include volatility/*.py
include contrib/plugins/*.py
include contrib/plugins/aspaces/*.py
include tools/*.py
include tools/linux/*
include tools/linux/pmem/*
include tools/mac/*.py
include vol.py
include Makefile
include pyinstaller.spec

volatility-2.3.1/volatility/exceptions.py

# Volatility
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

class VolatilityException(Exception):
    """Generic Volatility Specific exception, to help differentiate from other exceptions"""

    def __init__(self, *args, **kwargs):
        Exception.__init__(self, *args, **kwargs)

class AddrSpaceError(VolatilityException):
    """Address Space Exception, so we can catch and deal with it in the main program"""

    def __init__(self):
        self.reasons = []
        VolatilityException.__init__(self, "No suitable address space mapping found")

    def append_reason(self, driver, reason):
        self.reasons.append((driver, reason))

    def __str__(self):
        result = VolatilityException.__str__(self) + "\nTried to open image as:\n" #pylint: disable-msg=E1101
        for k, v in self.reasons:
            result += " {0}: {1}\n".format(k, v)

        return result

class CacheRelativeURLException(VolatilityException):
    """Exception for gracefully not saving Relative URLs in the cache"""

class SanityCheckException(VolatilityException):
    """Exception for failed sanity checks (which can potentially be disabled)"""

volatility-2.3.1/volatility/commands.py

# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import sys, textwrap
import volatility.debug as debug
import volatility.fmtspec as fmtspec
import volatility.obj as obj
import volatility.registry as registry
import volatility.addrspace as addrspace

class Command(object):
    """ Base class for each plugin command """
    op = ""
    opts = ""
    args = ""
    cmdname = ""
    # meta_info will be removed
    meta_info = {}
    # Make these class variables so they can be modified across every plugin
    elide_data = True
    tablesep = " "

    def __init__(self, config, *_args, **_kwargs):
        """ Constructor uses args as an initializer. It creates an instance
        of OptionParser, populates the options, and finally parses the
        command line. Options are stored in the self.opts attribute.
        """
        self._config = config
        self._formatlist = []

    @staticmethod
    def register_options(config):
        """Registers options into a config object provided"""
        config.add_option("OUTPUT", default = 'text',
                          cache_invalidator = False,
                          help = "Output in this format (format support is module specific)")

        config.add_option("OUTPUT-FILE", default = None,
                          cache_invalidator = False,
                          help = "write output in this file")

        config.add_option("VERBOSE", default = 0, action = 'count',
                          cache_invalidator = False,
                          short_option = 'v', help = 'Verbose information')

    @classmethod
    def help(cls):
        """ This function returns a string that will be displayed when a
        user lists available plugins.
        """
        try:
            return textwrap.dedent(cls.__doc__)
        except (AttributeError, TypeError):
            return ""

    @staticmethod
    def is_valid_profile(profile):
        return True

    def calculate(self):
        """ This function is responsible for performing all calculations

        We should not have any output functions (e.g. print) in this
        function at all.

        If this function is expected to take a long time to return
        some data, the function should return a generator.
        """

    def execute(self):
        """ Executes the plugin command."""
        # Check we can support the plugins
        profs = registry.get_plugin_classes(obj.Profile)
        if self._config.PROFILE not in profs:
            debug.error("Invalid profile " + self._config.PROFILE + " selected")
        if not self.is_valid_profile(profs[self._config.PROFILE]()):
            debug.error("This command does not support the profile " + self._config.PROFILE)

        # # Executing plugins is done in two stages - first we calculate
        data = self.calculate()

        ## Then we render the result in some way based on the
        ## requested output mode:
        function_name = "render_{0}".format(self._config.OUTPUT)
        if self._config.OUTPUT_FILE:
            outfd = open(self._config.OUTPUT_FILE, 'w')
            # TODO: We should probably check that this won't blat over an existing file
        else:
            outfd = sys.stdout

        try:
            func = getattr(self, function_name)
        except AttributeError:
            ## Try to find out what formats are supported
            result = []
            for x in dir(self):
                if x.startswith("render_"):
                    _a, b = x.split("_", 1)
                    result.append(b)

            print "Plugin {0} is unable to produce output in format {1}. Supported formats are {2}. Please send a feature request".format(self.__class__.__name__, self._config.OUTPUT, result)
            return

        func(outfd, data)

    def _formatlookup(self, profile, code):
        """Code to turn profile specific values into format specifications"""
        code = code or ""
        if not code.startswith('['):
            return code

        # Strip off the square brackets
        code = code[1:-1].lower()
        if code.startswith('addr'):
            spec = fmtspec.FormatSpec("#10x")
            if profile.metadata.get('memory_model', '32bit') == '64bit':
                spec.minwidth += 8
            if 'pad' in code:
                spec.fill = "0"
                spec.align = spec.align if spec.align else "="
            else:
                # Non-padded addresses will come out as numbers,
                # so titles should align >
                spec.align = ">"
            return spec.to_string()

        # Something went wrong
        debug.warning("Unknown table format specification: " + code)
        return ""

    def _elide(self, string, length):
        """Adds three dots in the middle of a string if it is longer than length"""
        # Only elide data if we've been asked to (which we are by default)
        if not self.elide_data:
            return string

        if length == -1:
            return string
        if len(string) < length:
            return (" " * (length - len(string))) + string
        elif len(string) == length:
            return string
        else:
            if length < 5:
                debug.error("Cannot elide a string to length less than 5")
            even = ((length + 1) % 2)
            length = (length - 3) / 2
            return string[:length + even] + "..." + string[-length:]

    def format_value(self, value, fmt):
        """ Formats an individual field using the table formatting codes"""
        profile = addrspace.BufferAddressSpace(self._config).profile
        return ("{0:" + self._formatlookup(profile, fmt) + "}").format(value)

    def table_header(self, outfd, title_format_list = None):
        """Table header renders the title row of a table

        This also stores the header types to ensure
        everything is formatted appropriately.
        It must be a list of tuples rather than a dict for ordering purposes.
""" titles = [] rules = [] self._formatlist = [] profile = addrspace.BufferAddressSpace(self._config).profile for (k, v) in title_format_list: spec = fmtspec.FormatSpec(self._formatlookup(profile, v)) # If spec.minwidth = -1, this field is unbounded length if spec.minwidth != -1: spec.minwidth = max(spec.minwidth, len(k)) # Get the title specification to follow the alignment of the field titlespec = fmtspec.FormatSpec(formtype = 's', minwidth = max(spec.minwidth, len(k))) titlespec.align = spec.align if spec.align in "<>^" else "<" # Add this to the titles, rules, and formatspecs lists titles.append(("{0:" + titlespec.to_string() + "}").format(k)) rules.append("-" * titlespec.minwidth) self._formatlist.append(spec) # Write out the titles and line rules if outfd: outfd.write(self.tablesep.join(titles) + "\n") outfd.write(self.tablesep.join(rules) + "\n") def table_row(self, outfd, *args): """Outputs a single row of a table""" reslist = [] if len(args) > len(self._formatlist): debug.error("Too many values for the table") for index in range(len(args)): spec = self._formatlist[index] result = self._elide(("{0:" + spec.to_string() + "}").format(args[index]), spec.minwidth) reslist.append(result) outfd.write(self.tablesep.join(reslist) + "\n") volatility-2.3.1/volatility/protos.py0000644000175000017500000001442211630474630017720 0ustar mikemike00000000000000protos = { 0:"HOPOPT", 1:"ICMP", 2:"IGMP", 3:"GGP", 4:"IPv4", 5:"ST", 6:"TCP", 7:"CBT", 8:"EGP", 9:"IGP", 10:"BBN-RCC-MON", 11:"NVP-II", 12:"PUP", 13:"ARGUS", 14:"EMCON", 15:"XNET", 16:"CHAOS", 17:"UDP", 18:"MUX", 19:"DCN-MEAS", 20:"HMP", 21:"PRM", 22:"XNS-IDP", 23:"TRUNK-1", 24:"TRUNK-2", 25:"LEAF-1", 26:"LEAF-2", 27:"RDP", 28:"IRTP", 29:"ISO-TP4", 30:"NETBLT", 31:"MFE-NSP", 32:"MERIT-INP", 33:"DCCP", 34:"3PC", 35:"IDPR", 36:"XTP", 37:"DDP", 38:"IDPR-CMTP", 39:"TP++", 40:"IL", 41:"IPv6", 42:"SDRP", 43:"IPv6-Route", 44:"IPv6-Frag", 45:"IDRP", 46:"RSVP", 47:"GRE", 48:"DSR", 49:"BNA", 50:"ESP", 51:"AH", 52:"I-NLSP", 
    53:"SWIPE",
    54:"NARP",
    55:"MOBILE",
    56:"TLSP",
    57:"SKIP",
    58:"IPv6-ICMP",
    59:"IPv6-NoNxt",
    60:"IPv6-Opts",
    61:"Host-interal",
    62:"CFTP",
    63:"Local Network",
    64:"SAT-EXPAK",
    65:"KRYPTOLAN",
    66:"RVD",
    67:"IPPC",
    68:"Dist-FS",
    69:"SAT-MON",
    70:"VISA",
    71:"IPCV",
    72:"CPNX",
    73:"CPHB",
    74:"WSN",
    75:"PVP",
    76:"BR-SAT-MON",
    77:"SUN-ND",
    78:"WB-MON",
    79:"WB-EXPAK",
    80:"ISO-IP",
    81:"VMTP",
    82:"SECURE-VMTP",
    83:"VINES",
    84:"TTP",
    84:"IPTM",
    85:"NSFNET-IGP",
    86:"DGP",
    87:"TCF",
    88:"EIGRP",
    89:"OSPFIGP",
    90:"Sprite-RPC",
    91:"LARP",
    92:"MTP",
    93:"AX.25",
    94:"IPIP",
    95:"MICP",
    96:"SCC-SP",
    97:"ETHERIP",
    98:"ENCAP",
    99:"Encryption",
    100:"GMTP",
    101:"IFMP",
    102:"PNNI",
    103:"PIM",
    104:"ARIS",
    105:"SCPS",
    106:"QNX",
    107:"A/N",
    108:"IPComp",
    109:"SNP",
    110:"Compaq-Peer",
    111:"IPX-in-IP",
    112:"VRRP",
    113:"PGM",
    114:"0-hop",
    115:"L2TP",
    116:"DDX",
    117:"IATP",
    118:"STP",
    119:"SRP",
    120:"UTI",
    121:"SMP",
    122:"SM",
    123:"PTP",
    124:"ISIS over IPv4",
    125:"FIRE",
    126:"CRTP",
    127:"CRUDP",
    128:"SSCOPMCE",
    129:"IPLT",
    130:"SPS",
    131:"PIPE",
    132:"SCTP",
    133:"FC",
    134:"RSVP-E2E-IGNORE",
    135:"Mobility Header",
    136:"UDPLite",
    137:"MPLS-in-IP",
    138:"manet",
    139:"HIP",
    140:"Shim6",
    141:"WESP",
    142:"ROHC",
    143:"Unassigned",
    144:"Unassigned",
    145:"Unassigned",
    146:"Unassigned",
    147:"Unassigned",
    148:"Unassigned",
    149:"Unassigned",
    150:"Unassigned",
    151:"Unassigned",
    152:"Unassigned",
    153:"Unassigned",
    154:"Unassigned",
    155:"Unassigned",
    156:"Unassigned",
    157:"Unassigned",
    158:"Unassigned",
    159:"Unassigned",
    160:"Unassigned",
    161:"Unassigned",
    162:"Unassigned",
    163:"Unassigned",
    164:"Unassigned",
    165:"Unassigned",
    166:"Unassigned",
    167:"Unassigned",
    168:"Unassigned",
    169:"Unassigned",
    170:"Unassigned",
    171:"Unassigned",
    172:"Unassigned",
    173:"Unassigned",
    174:"Unassigned",
    175:"Unassigned",
    176:"Unassigned",
    177:"Unassigned",
    178:"Unassigned",
    179:"Unassigned",
    180:"Unassigned",
    181:"Unassigned",
    182:"Unassigned",
    183:"Unassigned",
    184:"Unassigned",
    185:"Unassigned",
    186:"Unassigned",
    187:"Unassigned",
    188:"Unassigned",
    189:"Unassigned",
    190:"Unassigned",
    191:"Unassigned",
    192:"Unassigned",
    193:"Unassigned",
    194:"Unassigned",
    195:"Unassigned",
    196:"Unassigned",
    197:"Unassigned",
    198:"Unassigned",
    199:"Unassigned",
    200:"Unassigned",
    201:"Unassigned",
    202:"Unassigned",
    203:"Unassigned",
    204:"Unassigned",
    205:"Unassigned",
    206:"Unassigned",
    207:"Unassigned",
    208:"Unassigned",
    209:"Unassigned",
    210:"Unassigned",
    211:"Unassigned",
    212:"Unassigned",
    213:"Unassigned",
    214:"Unassigned",
    215:"Unassigned",
    216:"Unassigned",
    217:"Unassigned",
    218:"Unassigned",
    219:"Unassigned",
    220:"Unassigned",
    221:"Unassigned",
    222:"Unassigned",
    223:"Unassigned",
    224:"Unassigned",
    225:"Unassigned",
    226:"Unassigned",
    227:"Unassigned",
    228:"Unassigned",
    229:"Unassigned",
    230:"Unassigned",
    231:"Unassigned",
    232:"Unassigned",
    233:"Unassigned",
    234:"Unassigned",
    235:"Unassigned",
    236:"Unassigned",
    237:"Unassigned",
    238:"Unassigned",
    239:"Unassigned",
    240:"Unassigned",
    241:"Unassigned",
    242:"Unassigned",
    243:"Unassigned",
    244:"Unassigned",
    245:"Unassigned",
    246:"Unassigned",
    247:"Unassigned",
    248:"Unassigned",
    249:"Unassigned",
    250:"Unassigned",
    251:"Unassigned",
    252:"Unassigned",
    253:"Experimental",
    254:"Experimental",
    255:"Reserved",
}

volatility-2.3.1/volatility/plugins/

volatility-2.3.1/volatility/plugins/volshell.py

# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: AAron Walters and Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: awalters@4tphi.net,bdolangavitt@wesleyan.edu
@organization: Volatility Foundation
"""

import struct
import sys
import volatility.plugins.common as common
import volatility.win32 as win32
import volatility.utils as utils
import volatility.obj as obj

try:
    import distorm3 #pylint: disable-msg=F0401
except ImportError:
    pass

class volshell(common.AbstractWindowsCommand):
    """Shell in the memory image"""

    # Declare meta information associated with this plugin
    meta_info = {}
    meta_info['author'] = 'Brendan Dolan-Gavitt'
    meta_info['copyright'] = 'Copyright (c) 2007,2008 Brendan Dolan-Gavitt'
    meta_info['contact'] = 'bdolangavitt@wesleyan.edu'
    meta_info['license'] = 'GNU General Public License 2.0'
    meta_info['url'] = 'http://moyix.blogspot.com/'
    meta_info['os'] = 'WIN_32_XP_SP2'
    meta_info['version'] = '1.3'

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option('OFFSET', short_option = 'o', default = None,
                          help = 'EPROCESS Offset (in hex) in kernel address space',
                          action = 'store', type = 'int')
        config.add_option('IMNAME', short_option = 'n', default = None,
                          help = 'Operate on this Process name',
                          action = 'store', type = 'str')
        config.add_option('PID', short_option = 'p', default = None,
                          help = 'Operate on these Process IDs (comma-separated)',
                          action = 'store', type = 'str')

        self.addrspace = None
        self.proc = None

    def getpidlist(self):
        return win32.tasks.pslist(self.addrspace)

    def getmodules(self):
        return win32.modules.lsmod(self.addrspace)

    def context_display(self):
        print "Current context: process {0}, pid={1}, ppid={2} DTB={3:#x}".format(self.proc.ImageFileName,
                                                                                  self.proc.UniqueProcessId.v(),
                                                                                  self.proc.InheritedFromUniqueProcessId.v(),
                                                                                  self.proc.Pcb.DirectoryTableBase.v())

    def ps(self, procs = None):
        print "{0:16} {1:6} {2:6} {3:8}".format("Name", "PID", "PPID", "Offset")
        for eproc in procs or self.getpidlist():
            print "{0:16} {1:<6} {2:<6} {3:#08x}".format(eproc.ImageFileName,
                                                       eproc.UniqueProcessId.v(),
                                                       eproc.InheritedFromUniqueProcessId.v(),
                                                       eproc.obj_offset)

    def modules(self, modules = None):
        if self.addrspace.profile.metadata.get('memory_model', '32bit') == '32bit':
            print "{0:10} {1:10} {2}".format("Offset", "Base", "Name")
        else:
            print "{0:18} {1:18} {2}".format("Offset", "Base", "Name")
        for module in modules or self.getmodules():
            print "{0:#08x} {1:#08x} {2}".format(module.obj_offset, module.DllBase, module.FullDllName or module.BaseDllName or '')

    def set_context(self, offset = None, pid = None, name = None):
        if pid is not None:
            offsets = []
            for p in self.getpidlist():
                if p.UniqueProcessId.v() == pid:
                    offsets.append(p)
            if not offsets:
                print "Unable to find process matching pid {0}".format(pid)
                return
            elif len(offsets) > 1:
                print "Multiple processes match {0}, please specify by offset".format(pid)
                print "Matching processes:"
                self.ps(offsets)
                return
            else:
                offset = offsets[0].v()
        elif name is not None:
            offsets = []
            for p in self.getpidlist():
                if p.ImageFileName.find(name) >= 0:
                    offsets.append(p)
            if not offsets:
                print "Unable to find process matching name {0}".format(name)
                return
            elif len(offsets) > 1:
                print "Multiple processes match name {0}, please specify by PID or offset".format(name)
                print "Matching processes:"
                self.ps(offsets)
                return
            else:
                offset = offsets[0].v()
        elif offset is None:
            print "Must provide one of: offset, name, or pid as a argument."
            return

        self.proc = obj.Object("_EPROCESS", offset = offset, vm = self.addrspace)

        self.context_display()

    def render_text(self, _outfd, _data):
        self.addrspace = utils.load_as(self._config)

        if not self._config.OFFSET is None:
            self.set_context(offset = self._config.OFFSET)

            self.context_display()

        elif self._config.PID is not None:
            # FIXME: volshell is really not intended to switch into multiple
            # process contexts at once, so it doesn't make sense to use a csv
            # pid list. However, the linux and mac volshell call the respective
            # linux_pslist and mac_pslist which require a csv pidlist. After
            # the 2.3 release we should close this along with issue 375.
            pidlist = [int(p) for p in self._config.PID.split(',')]
            for p in pidlist:
                self.set_context(pid = p)
                break
        elif self._config.IMNAME is not None:
            self.set_context(name = self._config.IMNAME)
        else:
            # Just use the first process, whatever it is
            for p in self.getpidlist():
                self.set_context(offset = p.v())
                break

        # Functions inside the shell
        def cc(offset = None, pid = None, name = None):
            """Change current shell context.

            This function changes the current shell context to the process
            specified. The process specification can be given as a virtual address
            (option: offset), PID (option: pid), or process name (option: name).

            If multiple processes match the given PID or name, you will be shown a
            list of matching processes, and will have to specify by offset.
            """
            self.set_context(offset = offset, pid = pid, name = name)

        def db(address, length = 0x80, space = None):
            """Print bytes as canonical hexdump.

            This function prints bytes at the given virtual address as a canonical
            hexdump. The address will be translated in the current process context
            (see help on cc for information on how to change contexts).

            The length parameter (default: 0x80) specifies how many bytes to print,
            the width parameter (default: 16) allows you to change how many bytes per
            line should be displayed, and the space parameter allows you to
            optionally specify the address space to read the data from.
            """
            if not space:
                space = self.proc.get_process_address_space()
            #if length % 4 != 0:
            #    length = (length+4) - (length%4)
            data = space.read(address, length)
            if not data:
                print "Memory unreadable at {0:08x}".format(address)
                return

            for offset, hexchars, chars in utils.Hexdump(data):
                print "{0:#010x} {1:<48} {2}".format(address + offset, hexchars, ''.join(chars))

        def dd(address, length = 0x80, space = None):
            """Print dwords at address.

            This function prints the data at the given address, interpreted as
            a series of dwords (unsigned four-byte integers) in hexadecimal.
            The address will be translated in the current process context
            (see help on cc for information on how to change contexts).

            The optional length parameter (default: 0x80) controls how many bytes
            to display, and space allows you to optionally specify the address space
            to read the data from.
            """
            if not space:
                space = self.proc.get_process_address_space()
            # round up to multiple of 4
            if length % 4 != 0:
                length = (length + 4) - (length % 4)
            data = space.read(address, length)
            if not data:
                print "Memory unreadable at {0:08x}".format(address)
                return
            dwords = []
            for i in range(0, length, 4):
                (dw,) = struct.unpack(")'"
            elif type(cmd) == str:
                try:
                    doc = pydoc.getdoc(shell_funcs[cmd])
                except KeyError:
                    print "No such command: {0}".format(cmd)
                    return
                print doc
            else:
                doc = pydoc.getdoc(cmd)
                print doc

        # Break into shell
        banner = "Welcome to volshell! Current memory image is:\n{0}\n".format(self._config.LOCATION)
        banner += "To get help, type 'hh()'"
        try:
            from IPython.Shell import IPShellEmbed #pylint: disable-msg=W0611,F0401
            shell = IPShellEmbed([], banner = banner)
            shell()
        except ImportError:
            import code, inspect

            frame = inspect.currentframe()

            # Try to enable tab completion
            try:
                import rlcompleter, readline #pylint: disable-msg=W0612
                readline.parse_and_bind("tab: complete")
            except ImportError:
                pass

            # evaluate commands in current namespace
            namespace = frame.f_globals.copy()
            namespace.update(frame.f_locals)

            code.interact(banner = banner, local = namespace)

volatility-2.3.1/volatility/plugins/registry/

volatility-2.3.1/volatility/plugins/registry/hivelist.py

# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: AAron Walters and Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: awalters@4tphi.net,bdolangavitt@wesleyan.edu
@organization: Volatility Foundation
"""

#pylint: disable-msg=C0111

import volatility.plugins.registry.hivescan as hs
import volatility.obj as obj
import volatility.utils as utils
import volatility.cache as cache

class HiveList(hs.HiveScan):
    """Print list of registry hives.

    You can supply the offset of a specific hive. Otherwise
    this module will use the results from hivescan automatically.
    """
    # Declare meta information associated with this plugin

    meta_info = {}
    meta_info['author'] = 'Brendan Dolan-Gavitt'
    meta_info['copyright'] = 'Copyright (c) 2007,2008 Brendan Dolan-Gavitt'
    meta_info['contact'] = 'bdolangavitt@wesleyan.edu'
    meta_info['license'] = 'GNU General Public License 2.0'
    meta_info['url'] = 'http://moyix.blogspot.com/'
    meta_info['os'] = 'WIN_32_XP_SP2'
    meta_info['version'] = '1.0'

    def render_text(self, outfd, result):
        self.table_header(outfd, [('Virtual', '[addrpad]'),
                                  ('Physical', '[addrpad]'),
                                  ('Name', ''),
                                  ])

        hive_offsets = []

        for hive in result:
            if hive.Hive.Signature == 0xbee0bee0 and hive.obj_offset not in hive_offsets:
                try:
                    name = str(hive.FileFullPath or '') or str(hive.FileUserName or '') or str(hive.HiveRootPath or '') or "[no name]"
                except AttributeError:
                    name = "[no name]"
                # Spec of 10 rather than 8 width, since the # puts 0x at the start, which is included in the width
                self.table_row(outfd, hive.obj_offset, hive.obj_vm.vtop(hive.obj_offset), name)
                hive_offsets.append(hive.obj_offset)

    @cache.CacheDecorator("tests/hivelist")
    def calculate(self):
        flat = utils.load_as(self._config, astype = 'physical')
        addr_space = utils.load_as(self._config)

        hives = hs.HiveScan.calculate(self)

        ## The first hive is normally given in physical address space
        ## - so we instantiate it using the flat address space. We
        ## then read the Flink of the list to locate the address of
        ## the first hive in virtual address space. hmm I wish we
        ## could go from physical to virtual memory easier.
        for offset in hives:
            hive = obj.Object("_CMHIVE", int(offset), flat, native_vm = addr_space)
            if hive.HiveList.Flink.v():
                start_hive_offset = hive.HiveList.Flink.v() - addr_space.profile.get_obj_offset('_CMHIVE', 'HiveList')

                ## Now instantiate the first hive in virtual address space as normal
                start_hive = obj.Object("_CMHIVE", start_hive_offset, addr_space)

                for hive in start_hive.HiveList:
                    yield hive

volatility-2.3.1/volatility/plugins/registry/lsadump.py

# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: AAron Walters and Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: awalters@4tphi.net,bdolangavitt@wesleyan.edu
@organization: Volatility Foundation
"""

#pylint: disable-msg=C0111

import volatility.win32.lsasecrets as lsasecrets
import volatility.win32.hashdump as hashdumpmod
import volatility.debug as debug
import volatility.cache as cache
import volatility.utils as utils
import volatility.plugins.common as common

class LSADump(common.AbstractWindowsCommand):
    """Dump (decrypted) LSA secrets from the registry"""
    # Declare meta information associated with this plugin

    meta_info = {}
    meta_info['author'] = 'Brendan Dolan-Gavitt'
    meta_info['copyright'] = 'Copyright (c) 2007,2008 Brendan Dolan-Gavitt'
    meta_info['contact'] = 'bdolangavitt@wesleyan.edu'
    meta_info['license'] = 'GNU General Public License 2.0'
    meta_info['url'] = 'http://moyix.blogspot.com/'
    meta_info['os'] = 'WIN_32_XP_SP2'
    meta_info['version'] = '1.0'

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option('SYS-OFFSET', short_option = 'y', type = 'int',
                          help = 'SYSTEM hive offset (virtual)')
        config.add_option('SEC-OFFSET', short_option = 's', type = 'int',
                          help = 'SECURITY hive offset (virtual)')

    @cache.CacheDecorator(lambda self: "tests/lsadump/sys_offset={0}/sec_offset={1}".format(self._config.SYS_OFFSET, self._config.SEC_OFFSET))
    def calculate(self):
        addr_space = utils.load_as(self._config)

        if not self._config.sys_offset or not self._config.sec_offset:
            debug.error("Both SYSTEM and SECURITY offsets must be provided")

        secrets = lsasecrets.get_memory_secrets(addr_space, self._config, self._config.sys_offset, self._config.sec_offset)
        if not secrets:
            debug.error("Unable to read LSA secrets from registry")

        return secrets

    def render_text(self, outfd, data):
        for k in data:
            outfd.write(k + "\n")
            for offset, hex, chars in utils.Hexdump(data[k]):
                outfd.write("{0:#010x} {1:<48} {2}\n".format(offset, hex, ''.join(chars)))
            outfd.write("\n")

class HashDump(common.AbstractWindowsCommand):
    """Dumps passwords hashes (LM/NTLM) from memory"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option('SYS-OFFSET', short_option = 'y', type = 'int',
                          help = 'SYSTEM hive offset (virtual)')
        config.add_option('SAM-OFFSET', short_option = 's', type = 'int',
                          help = 'SAM hive offset (virtual)')

    @cache.CacheDecorator(lambda self: "tests/hashdump/sys_offset={0}/sam_offset={1}".format(self._config.SYS_OFFSET, self._config.SAM_OFFSET))
    def calculate(self):
        addr_space = utils.load_as(self._config)

        if not self._config.sys_offset or not self._config.sam_offset:
            debug.error("Both SYSTEM and SAM offsets must be provided")

        return hashdumpmod.dump_memory_hashes(addr_space, self._config, self._config.sys_offset, self._config.sam_offset)

    def render_text(self, outfd, data):
        for d in data:
            if d == None:
                debug.debug("Unable to read hashes from registry")
            else:
                outfd.write(d + "\n")

volatility-2.3.1/volatility/plugins/registry/__init__.py

volatility-2.3.1/volatility/plugins/registry/hivescan.py

# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: AAron Walters and Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: awalters@4tphi.net,bdolangavitt@wesleyan.edu
@organization: Volatility Foundation
"""

#pylint: disable-msg=C0111

import volatility.scan as scan
import volatility.obj as obj
import volatility.utils as utils
import volatility.plugins.common as common
import volatility.cache as cache

class CheckHiveSig(scan.ScannerCheck):
    """ Check for a registry hive signature """
    def check(self, offset):
        # Instead of hard-coding 4 here, calculate it safely in case
        # additional fields are added to _POOL_HEADER after the pool tag.
        offset += (self.address_space.profile.get_obj_size("_POOL_HEADER") -
                   self.address_space.profile.get_obj_offset("_POOL_HEADER", "PoolTag"))

        # We don't need to use pool alignment here because we're not
        # carving from the bottom-up like other objects. There is no
        # object header or optional headers for _HHIVE.
        sig = obj.Object('_HHIVE', vm = self.address_space, offset = offset).Signature
        return sig == 0xbee0bee0

class PoolScanHiveFast2(scan.PoolScanner):
    def object_offset(self, found, address_space):
        return found + (address_space.profile.get_obj_size("_POOL_HEADER") -
                        address_space.profile.get_obj_offset("_POOL_HEADER", "PoolTag"))

    checks = [ ('PoolTagCheck', dict(tag = "CM10")),
               # Dummy condition, since this will be changed during initialization
               ('CheckPoolSize', dict(condition = lambda x: x == 0x638)),
               #('CheckPoolType', dict(non_paged = True)), #doesn't work for win7 and vista
               ('CheckHiveSig', {})
               ]

    def __init__(self, poolsize):
        self.checks[1] = ('CheckPoolSize', dict(condition = lambda x: x >= poolsize))
        scan.PoolScanner.__init__(self)

class HiveScan(common.AbstractWindowsCommand):
    """ Scan Physical memory for _CMHIVE objects (registry hives)

    You will need to obtain these offsets to feed into the hivelist command.
    """
    # Declare meta information associated with this plugin

    meta_info = dict(
        author = 'Brendan Dolan-Gavitt',
        copyright = 'Copyright (c) 2007,2008 Brendan Dolan-Gavitt',
        contact = 'bdolangavitt@wesleyan.edu',
        license = 'GNU General Public License 2.0',
        url = 'http://moyix.blogspot.com/',
        os = 'WIN_32_XP_SP2',
        version = '1.0',
        )

    @cache.CacheDecorator("tests/hivescan")
    def calculate(self):
        ## Just grab the AS and scan it using our scanner
        pspace = utils.load_as(self._config, astype = 'physical')
        poolsize = pspace.profile.get_obj_size('_CMHIVE')
        return PoolScanHiveFast2(poolsize).scan(pspace)

    def render_text(self, outfd, data):
        self.table_header(outfd, [('Offset(P)', '[addrpad]')])
        for offset in data:
            self.table_row(outfd, offset)

volatility-2.3.1/volatility/plugins/registry/printkey.py

# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: AAron Walters and Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: awalters@4tphi.net,bdolangavitt@wesleyan.edu
@organization: Volatility Foundation
"""

#pylint: disable-msg=C0111

# from volatility.win32.datetime import windows_to_unix_time
import volatility.win32.hive as hivemod
import volatility.win32.rawreg as rawreg
import volatility.debug as debug
import volatility.utils as utils
import volatility.commands as commands
import volatility.plugins.common as common
import volatility.plugins.registry.hivelist as hivelist

def vol(k):
    return bool(k.obj_offset & 0x80000000)

class PrintKey(hivelist.HiveList):
    "Print a registry key, and its subkeys and values"
    # Declare meta information associated with this plugin

    meta_info = commands.Command.meta_info
    meta_info['author'] = 'Brendan Dolan-Gavitt'
    meta_info['copyright'] = 'Copyright (c) 2007,2008 Brendan Dolan-Gavitt'
    meta_info['contact'] = 'bdolangavitt@wesleyan.edu'
    meta_info['license'] = 'GNU General Public License 2.0'
    meta_info['url'] = 'http://moyix.blogspot.com/'
    meta_info['os'] = 'WIN_32_XP_SP2'
    meta_info['version'] = '1.0'

    def __init__(self, config, *args, **kwargs):
        hivelist.HiveList.__init__(self, config, *args, **kwargs)
        config.add_option('HIVE-OFFSET', short_option = 'o',
                          help = 'Hive offset (virtual)', type = 'int')
        config.add_option('KEY', short_option = 'K',
                          help = 'Registry Key', type = 'str')

    def hive_name(self, hive):
        try:
            return hive.FileFullPath.v() or hive.FileUserName.v() or hive.HiveRootPath.v() or "[no name]"
        except AttributeError:
            return "[no name]"

    def calculate(self):
        addr_space = utils.load_as(self._config)

        if not self._config.HIVE_OFFSET:
            hive_offsets = [(self.hive_name(h), h.obj_offset) for h in hivelist.HiveList.calculate(self)]
        else:
            hive_offsets = [("User Specified", self._config.HIVE_OFFSET)]

        for name, hoff in set(hive_offsets):
            h = hivemod.HiveAddressSpace(addr_space, self._config, hoff)
            root = rawreg.get_root(h)
            if not root:
                if self._config.HIVE_OFFSET:
                    debug.error("Unable to find root key. Is the hive offset correct?")
            else:
                if self._config.KEY:
                    yield name, rawreg.open_key(root, self._config.KEY.split('\\'))
                else:
                    yield name, root

    def voltext(self, key):
        return "(V)" if vol(key) else "(S)"

    def render_text(self, outfd, data):
        outfd.write("Legend: (S) = Stable (V) = Volatile\n\n")
        keyfound = False
        for reg, key in data:
            if key:
                keyfound = True
                outfd.write("----------------------------\n")
                outfd.write("Registry: {0}\n".format(reg))
                outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
                outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
                outfd.write("\n")
                outfd.write("Subkeys:\n")

                for s in rawreg.subkeys(key):
                    if s.Name == None:
                        outfd.write(" Unknown subkey: " + s.Name.reason + "\n")
                    else:
                        outfd.write(" {1:3s} {0}\n".format(s.Name, self.voltext(s)))

                outfd.write("\n")
                outfd.write("Values:\n")
                for v in rawreg.values(key):
                    tp, dat = rawreg.value_data(v)
                    if tp == 'REG_BINARY' or tp == 'REG_NONE':
                        dat = "\n" + "\n".join(["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)])
                    if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                        dat = dat.encode("ascii", 'backslashreplace')
                    if tp == 'REG_MULTI_SZ':
                        for i in range(len(dat)):
                            dat[i] = dat[i].encode("ascii", 'backslashreplace')
                    outfd.write("{0:13} {1:15} : {3:3s} {2}\n".format(tp, v.Name, dat, self.voltext(v)))
        if not keyfound:
            outfd.write("The requested key could not be found in the hive(s) searched\n")

class HiveDump(common.AbstractWindowsCommand):
    """Prints out a hive"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option('HIVE-OFFSET', short_option = 'o', type = 'int',
                          help = 'Hive offset (virtual)')

    def calculate(self):
        addr_space = utils.load_as(self._config)

        if not self._config.hive_offset:
            debug.error("A Hive offset must be provided (--hive-offset)")

        h = hivemod.HiveAddressSpace(addr_space, self._config, self._config.hive_offset)
        return rawreg.get_root(h)

    def render_text(self, outfd, data):
        outfd.write("{0:20s} {1}\n".format("Last Written", "Key"))
        self.print_key(outfd, '', data)

    def print_key(self, outfd, keypath, key):
        if key.Name != None:
            outfd.write("{0:20s} {1}\n".format(key.LastWriteTime, keypath + "\\" + key.Name))
        for k in rawreg.subkeys(key):
            self.print_key(outfd, keypath + "\\" + key.Name, k)

volatility-2.3.1/volatility/plugins/registry/shimcache.py

# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (C) 2011 Jamie Levy (Gleeda)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Jamie Levy (gleeda)
@license: GNU General Public License 2.0
@contact: jamie.levy@gmail.com
@organization: Volatility Foundation
"""

import volatility.plugins.registry.registryapi as registryapi
import volatility.debug as debug
import volatility.utils as utils
import volatility.obj as obj
import volatility.commands as commands
import volatility.addrspace as addrspace

# Structures taken from the ShimCache Whitepaper: https://blog.mandiant.com/archives/2459

#### SHIMRECS ####

shimrecs_type_xp = {
    'ShimRecords' : [ None, {
        'Magic' : [ 0x0, ['unsigned int']], #0xDEADBEEF
        'NumRecords' : [ 0x8, ['short']],
        'Entries' : [0x190, ['array', lambda x: x.NumRecords, ['AppCompatCacheEntry']]],
    } ],
}

shimrecs_type_2003vista = {
    'ShimRecords' : [ None, {
        'Magic' : [ 0x0, ['unsigned int']], #0xBADC0FFE
        'NumRecords' : [ 0x4, ['int']],
        'Entries' : [0x8, ['array', lambda x: x.NumRecords, ['AppCompatCacheEntry']]],
    } ],
}

shimrecs_type_win7 = {
    'ShimRecords' : [ None, {
        'Magic' : [ 0x0, ['unsigned int']], #0xBADC0FFE
        'NumRecords' : [ 0x4, ['int']],
        'Entries' : [0x80, ['array', lambda x: x.NumRecords, ['AppCompatCacheEntry']]],
    } ],
}

#### APPCOMPAT TYPES ####

appcompat_type_xp_x86 = {
    'AppCompatCacheEntry' : [ 0x228, {
        'Path' : [ 0x0, ['NullString', dict(length = 0x208, encoding = 'utf8')]],
        'LastModified' : [ 0x210, ['WinTimeStamp', dict(is_utc = True)]],
        'FileSize': [0x218, ['long long']],
        'LastUpdate' : [ 0x220, ['WinTimeStamp', dict(is_utc = True)]],
    } ],
}

appcompat_type_2003_x86 = {
    'AppCompatCacheEntry' : [ 0x18, {
        'Length' : [ 0x0, ['unsigned short']],
        'MaximumLength' : [0x2, ['unsigned short']],
        'PathOffset' : [ 0x4, ['unsigned int']],
        'LastModified' : [ 0x8, ['WinTimeStamp', dict(is_utc = True)]],
        'FileSize': [0x10, ['_LARGE_INTEGER']],
    } ],
}

appcompat_type_vista_x86 = {
    'AppCompatCacheEntry' : [ 0x18, {
        'Length' : [ 0x0, ['unsigned short']],
        'MaximumLength' : [0x2, ['unsigned short']],
        'PathOffset' : [ 0x4, ['unsigned int']],
        'LastModified' : [ 0x8, ['WinTimeStamp', dict(is_utc = True)]],
        'InsertFlags' : [0x10, ['unsigned int']],
        'Flags' : [0x14, ['unsigned int']],
    } ],
}

appcompat_type_win7_x86 = {
    'AppCompatCacheEntry' : [ 0x20, {
        'Length' : [ 0x0, ['unsigned short']],
        'MaximumLength' : [0x2, ['unsigned short']],
        'PathOffset' : [ 0x4, ['unsigned int']],
        'LastModified' : [ 0x8, ['WinTimeStamp', dict(is_utc = True)]],
        'InsertFlags' : [0x10, ['unsigned int']],
        'ShimFlags' : [0x14, ['unsigned int']],
        'BlobSize' : [0x18, ['unsigned int']],
        'BlobOffset' : [0x1c, ['unsigned int']],
    } ],
}

appcompat_type_2003_x64 = {
    'AppCompatCacheEntry' : [ 0x20, {
        'Length' : [ 0x0, ['unsigned short']],
        'MaximumLength' : [0x2, ['unsigned short']],
        'PathOffset' : [ 0x8, ['unsigned long long']],
        'LastModified' : [ 0x10, ['WinTimeStamp', dict(is_utc = True)]],
        'FileSize': [0x18, ['_LARGE_INTEGER']],
    } ],
}

appcompat_type_vista_x64 = {
    'AppCompatCacheEntry' : [ 0x20, {
        'Length' : [ 0x0, ['unsigned short']],
        'MaximumLength' : [0x2, ['unsigned short']],
        'PathOffset' : [ 0x8, ['unsigned int']],
        'LastModified' : [ 0x10, ['WinTimeStamp', dict(is_utc = True)]],
        'InsertFlags' : [0x18, ['unsigned int']],
        'Flags' : [0x1c, ['unsigned int']],
    } ],
}

appcompat_type_win7_x64 = {
    'AppCompatCacheEntry' : [ 0x30, {
        'Length' : [ 0x0, ['unsigned short']],
        'MaximumLength' : [0x2, ['unsigned short']],
        'PathOffset' : [ 0x8, ['unsigned long long']],
        'LastModified' : [ 0x10, ['WinTimeStamp', dict(is_utc = True)]],
        'InsertFlags' : [0x18, ['unsigned int']],
        'ShimFlags' : [0x1c, ['unsigned int']],
        'BlobSize' : [0x20, ['unsigned long long']],
        'BlobOffset' : [0x28, ['unsigned long long']],
    } ],
}

class ShimCacheTypesXPx86(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 1,
                  'memory_model': lambda x: x == '32bit'}
    def modification(self, profile):
        profile.vtypes.update(shimrecs_type_xp)
        profile.vtypes.update(appcompat_type_xp_x86)

class ShimCacheTypes2003x86(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 2,
                  'memory_model': lambda x: x == '32bit'}
    def modification(self, profile):
        profile.vtypes.update(shimrecs_type_2003vista)
        profile.vtypes.update(appcompat_type_2003_x86)

class ShimCacheTypesVistax86(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0,
                  'memory_model': lambda x: x == '32bit'}
    def modification(self, profile):
        profile.vtypes.update(shimrecs_type_2003vista)
        profile.vtypes.update(appcompat_type_vista_x86)

class ShimCacheTypesWin7x86(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1,
                  'memory_model': lambda x: x == '32bit'}
    def modification(self, profile):
        profile.vtypes.update(shimrecs_type_win7)
        profile.vtypes.update(appcompat_type_win7_x86)

class ShimCacheTypes2003x64(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 2,
                  'memory_model': lambda x: x == '64bit'}
    def modification(self, profile):
        profile.vtypes.update(shimrecs_type_2003vista)
        profile.vtypes.update(appcompat_type_2003_x64)

class ShimCacheTypesVistax64(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0,
                  'memory_model': lambda x: x == '64bit'}
    def modification(self, profile):
        profile.vtypes.update(shimrecs_type_2003vista)
        profile.vtypes.update(appcompat_type_vista_x64)

class ShimCacheTypesWin7x64(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1,
                  'memory_model': lambda x: x == '64bit'}
    def 
modification(self, profile): profile.vtypes.update(shimrecs_type_win7) profile.vtypes.update(appcompat_type_win7_x64) class ShimCache(commands.Command): """Parses the Application Compatibility Shim Cache registry key""" @staticmethod def is_valid_profile(profile): return profile.metadata.get('os', 'unknown').lower() == 'windows' def remove_unprintable(self, item): return ''.join([str(c) for c in item if (ord(c) > 31 or ord(c) == 9) and ord(c) <= 126]) def calculate(self): addr_space = utils.load_as(self._config) regapi = registryapi.RegistryApi(self._config) regapi.reset_current() currentcs = regapi.reg_get_currentcontrolset() if currentcs == None: currentcs = "ControlSet001" version = (addr_space.profile.metadata.get('major', 0), addr_space.profile.metadata.get('minor', 0)) xp = False if version <= (5, 1): key = currentcs + '\\' + "Control\\Session Manager\\AppCompatibility" xp = True else: key = currentcs + '\\' + "Control\\Session Manager\\AppCompatCache" data_raw = regapi.reg_get_value('system', key, "AppCompatCache") if data_raw == None or len(data_raw) < 0x1c: debug.warning("No ShimCache data found") return bufferas = addrspace.BufferAddressSpace(self._config, data = data_raw) shimdata = obj.Object("ShimRecords", offset = 0, vm = bufferas) if shimdata == None: debug.warning("No ShimCache data found") return for e in shimdata.Entries: if xp: yield e.Path, e.LastModified, e.LastUpdate else: yield self.remove_unprintable(bufferas.read(int(e.PathOffset), int(e.Length))), e.LastModified, None def render_text(self, outfd, data): first = True for path, lm, lu in data: if lu: if first: self.table_header(outfd, [("Last Modified", "30"), ("Last Update", "30"), ("Path", ""), ]) first = False outfd.write("{0:30} {1:30} {2}\n".format(lm, lu, path)) else: if first: self.table_header(outfd, [("Last Modified", "30"), ("Path", ""), ]) first = False outfd.write("{0:30} {1}\n".format(lm, path)) 
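
The Win7 x86 layout declared in shimcache.py (shimrecs_type_win7 and appcompat_type_win7_x86), as an added stand-alone Python 3 example that is not part of the Volatility source: it parses an AppCompatCache value and validates NumRecords, PathOffset and Length against the buffer before reading. The UTF-16LE path decoding, all function names and the sample blob are assumptions constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

WIN7_MAGIC = 0xBADC0FFE                  # magic noted beside shimrecs_type_win7
ENTRIES_OFFSET = 0x80                    # 'Entries' offset in shimrecs_type_win7
ENTRY_FMT = "<HHIQIIII"                  # appcompat_type_win7_x86 fields, in offset order
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 0x20, the size given in the vtype
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


class ShimCacheError(ValueError):
    """Raised when the header itself cannot be trusted."""


def filetime_to_datetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); None if out of range."""
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    except OverflowError:
        return None


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used only to build the sample below."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10


def parse_shimcache_win7_x86(data):
    """Return (entries, skipped): parsed records and indexes of rejected ones."""
    if len(data) < ENTRIES_OFFSET:
        raise ShimCacheError("buffer is shorter than the 0x80-byte header")
    magic, num_records = struct.unpack_from("<Ii", data, 0)
    if magic != WIN7_MAGIC:
        raise ShimCacheError("unexpected magic {:#x}".format(magic))
    # NumRecords comes from the image; cap it by what the buffer can hold.
    max_records = (len(data) - ENTRIES_OFFSET) // ENTRY_SIZE
    if not 0 <= num_records <= max_records:
        raise ShimCacheError("NumRecords {} does not fit in {} bytes".format(
            num_records, len(data)))

    entries, skipped = [], []
    for index in range(num_records):
        (length, max_length, path_offset, last_modified,
         insert_flags, shim_flags, _blob_size, _blob_offset) = struct.unpack_from(
            ENTRY_FMT, data, ENTRIES_OFFSET + index * ENTRY_SIZE)
        in_bounds = path_offset + length <= len(data)
        # Reject empty, odd-length, over-long or out-of-buffer path references.
        if length == 0 or length % 2 or length > max_length or not in_bounds:
            skipped.append(index)
            continue
        raw = data[path_offset:path_offset + length]
        entries.append({
            "path": raw.decode("utf-16-le", errors="replace"),  # assumed encoding
            "last_modified": filetime_to_datetime(last_modified),
            "insert_flags": insert_flags,
            "shim_flags": shim_flags,
        })
    return entries, skipped


def build_constructed_blob():
    """Constructed sample: two valid records and one with a bogus PathOffset."""
    stamp = datetime_to_filetime(datetime(2013, 10, 1, tzinfo=timezone.utc))
    paths = [r"\??\C:\Windows\System32\cmd.exe",
             r"\??\C:\Users\analyst\Downloads\setup.exe"]
    encoded = [p.encode("utf-16-le") for p in paths]
    total = len(encoded) + 1
    header = struct.pack("<Ii", WIN7_MAGIC, total).ljust(ENTRIES_OFFSET, b"\x00")
    strings_start = ENTRIES_OFFSET + total * ENTRY_SIZE
    table, strings = b"", b""
    for raw in encoded:
        table += struct.pack(ENTRY_FMT, len(raw), len(raw) + 2,
                             strings_start + len(strings), stamp, 0, 0, 0, 0)
        strings += raw + b"\x00\x00"
    # Third record points far outside the buffer and must be skipped.
    table += struct.pack(ENTRY_FMT, 20, 22, 0xFFFF0000, stamp, 0, 0, 0, 0)
    return header + table + strings


if __name__ == "__main__":
    parsed, rejected = parse_shimcache_win7_x86(build_constructed_blob())
    for entry in parsed:
        print("{0!s:30} {1}".format(entry["last_modified"], entry["path"]))
    print("skipped record indexes:", rejected)
```
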
volatility-2.3.1/volatility/plugins/registry/shellbags.py0000644000175000017500000012621312227253532023670 0ustar mikemike00000000000000# Volatility # Copyright (C) 2007-2013 Volatility Foundation # Copyright (c) 2012 Jamie Levy (Gleeda) # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # """ @author: Jamie Levy (Gleeda) @license: GNU General Public License 2.0 @contact: jamie.levy@gmail.com @organization: Volatility Foundation """ import volatility.utils as utils import volatility.plugins.common as common import volatility.plugins.registry.registryapi as registryapi import volatility.obj as obj import volatility.addrspace as addrspace import volatility.plugins.overlays.basic as basic import volatility.timefmt as timefmt import struct import datetime import calendar ''' Some references for further reading, all of which were used for building this plugin: http://download.polytechnic.edu.na/pub4/download.sourceforge.net/pub/sourceforge/l/project/li/liblnk/Documentation/Windows%20Shell%20Item%20format/Windows%20Shell%20Item%20format.pdf Windows Shell Item format specification (pdf) by Joachim Metz http://www.dfrws.org/2009/proceedings/p69-zhu.pdf Using shellbag information to reconstruct user activities (pdf) by Yuandong Zhu, Pavel Gladyshev and Joshua James http://www.williballenthin.com/forensics/shellbags/index.html Windows shellbag forensics 
by Willi Ballenthin http://code.google.com/p/registrydecoder/source/browse/trunk/templates/template_files/ShellBagMRU.py ShellBagMRU.py from Registry Decoder by Kevin Moore http://code.google.com/p/regripper/wiki/ShellBags Shellbags RegRipper plugin by Harlan Carvey ''' EXT_VERSIONS = { "0x0003":"Windows XP", "0x0007":"Windows Vista", "0x0008":"Windows 7", } # http://support.microsoft.com/kb/813711 BAG_KEYS = [ "Software\\Microsoft\\Windows\\Shell", "Software\\Microsoft\\Windows\\ShellNoRoam", ] USERDAT_KEYS = [ "Wow6432Node\\Local Settings\\Software\\Microsoft\\Windows\\Shell", "Wow6432Node\\Local Settings\\Software\\Microsoft\\Windows\\ShellNoRoam", "Local Settings\\Software\\Microsoft\\Windows\\Shell", "Local Settings\\Software\\Microsoft\\Windows\\ShellNoRoam", ] # These are abbreviated only because there can be more than one in output # so it gets cluttered FILE_ATTRS = { 0x00000001:"RO", #Is read-Only 0x00000002:"HID", #Is hidden 0x00000004:"SYS", #Is a system file or directory 0x00000008:"VOL", #Is a volume label 0x00000010:"DIR", #Is a directory 0x00000020:"ARC", #Should be archived 0x00000040:"DEV", #Is a device 0x00000080:"NORM", #Is normal None of the other flags should be set 0x00000100:"TEMP", #Is temporary 0x00000200:"SPARSE", #Is a sparse file 0x00000400:"RP", #Is a reparse point or symbolic link 0x00000800:"COM", #Is compressed 0x00001000:"OFFLINE", #Is offline The data of the file is stored on an offline storage. 0x00002000:"NI", #Do not index content The content of the file or directory should not be indexed by the indexing service. 
0x00004000:"ENC", #Is encrypted 0x00010000:"VIR", #Is virtual } # GUIDs and FOLDER_IDs copied from Will Ballenthin's shellbags parser: # https://github.com/williballenthin/shellbags KNOWN_GUIDS = { "031e4825-7b94-4dc3-b131-e946b44c8dd5": "Libraries", "1ac14e77-02e7-4e5d-b744-2eb1ae5198b7": "CSIDL_SYSTEM", "208d2c60-3aea-1069-a2d7-08002b30309d": "My Network Places", "20d04fe0-3aea-1069-a2d8-08002b30309d": "My Computer", "21ec2020-3aea-1069-a2dd-08002b30309d": "{Unknown CSIDL}", "22877a6d-37a1-461a-91b0-dbda5aaebc99": "{Unknown CSIDL}", "2400183a-6185-49fb-a2d8-4a392a602ba3": "Public Videos", "2559a1f1-21d7-11d4-bdaf-00c04f60b9f0": "{Unknown CSIDL}", "2559a1f3-21d7-11d4-bdaf-00c04f60b9f0": "{Unknown CSIDL}", "26ee0668-a00a-44d7-9371-beb064c98683": "{Unknown CSIDL}", "3080f90e-d7ad-11d9-bd98-0000947b0257": "{Unknown CSIDL}", "3214fab5-9757-4298-bb61-92a9deaa44ff": "Public Music", "33e28130-4e1e-4676-835a-98395c3bc3bb": "Pictures", "374de290-123f-4565-9164-39c4925e467b": "Downloads", "4336a54d-038b-4685-ab02-99bb52d3fb8b": "{Unknown CSIDL}", "450d8fba-ad25-11d0-98a8-0800361b1103": "My Documents", "4bd8d571-6d19-48d3-be97-422220080e43": "Music", "5399e694-6ce5-4d6c-8fce-1d8870fdcba0": "Control Panel", "59031a47-3f72-44a7-89c5-5595fe6b30ee": "Users", "645ff040-5081-101b-9f08-00aa002f954e": "Recycle Bin", "724ef170-a42d-4fef-9f26-b60e846fba4f": "Administrative Tools", "7b0db17d-9cd2-4a93-9733-46cc89022e7c": "Documents Library", "7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e": "Program Files (x86)", "871c5380-42a0-1069-a2ea-08002b30309d": "Internet Explorer (Homepage)", "905e63b6-c1bf-494e-b29c-65b732d3d21a": "Program Files", "9e52ab10-f80d-49df-acb8-4330f5687855": "Temporary Burn Folder", "a305ce99-f527-492b-8b1a-7e76fa98d6e4": "Installed Updates", "b4bfcc3a-db2c-424c-b029-7fe99a87c641": "Desktop", "b6ebfb86-6907-413c-9af7-4fc2abf07cc5": "Public Pictures", "c1bae2d0-10df-4334-bedd-7aa20b227a9d": "Common OEM Links", "cce6191f-13b2-44fa-8d14-324728beef2c": "{Unknown CSIDL}", 
"d0384e7d-bac3-4797-8f14-cba229b392b5": "Common Administrative Tools", "d65231b0-b2f1-4857-a4ce-a8e7c6ea7d27": "System32 (x86)", "de61d971-5ebc-4f02-a3a9-6c82895e5c04": "Get Programs", "df7266ac-9274-4867-8d55-3bd661de872d": "Programs and Features", "dfdf76a2-c82a-4d63-906a-5644ac457385": "Public", "de974d24-d9c6-4d3e-bf91-f4455120b917": "Common Files", "ed228fdf-9ea8-4870-83b1-96b02cfe0d52": "My Games", "f02c1a0d-be21-4350-88b0-7367fc96ef3c": "Network", "f38bf404-1d43-42f2-9305-67de0b28fc23": "Windows", "f3ce0f7c-4901-4acc-8648-d5d44b04ef8f": "Users Files", "fdd39ad0-238f-46af-adb4-6c85480369c7": "Documents", # Control Panel Items "d20ea4e1-3957-11d2-a40b-0c5020524153": "Administrative Tools", "9c60de1e-e5fc-40f4-a487-460851a8d915": "AutoPlay", "d9ef8727-cac2-4e60-809e-86f80a666c91": "BitLocker Drive Encryption", "b2c761c6-29bc-4f19-9251-e6195265baf1": "Color Management", "e2e7934b-dce5-43c4-9576-7fe4f75e7480": "Date and Time", "17cd9488-1228-4b2f-88ce-4298e93e0966": "Default Programs", "74246bfc-4c96-11d0-abef-0020af6b0b7a": "Device Manager", "d555645e-d4f8-4c29-a827-d93c859c4f2a": "Ease of Access Center", "6dfd7c5c-2451-11d3-a299-00c04f8ef6af": "Folder Options", "93412589-74d4-4e4e-ad0e-e0cb621440fd": "Fonts", "259ef4b1-e6c9-4176-b574-481532c9bce8": "Game Controllers", "15eae92e-f17a-4431-9f28-805e482dafd4": "Get Programs", "87d66a43-7b11-4a28-9811-c86ee395acf7": "Indexing Options", "a3dd4f92-658a-410f-84fd-6fbbbef2fffe": "Internet Options", "a304259d-52b8-4526-8b1a-a1d6cecc8243": "iSCSI Initiator", "725be8f7-668e-4c7b-8f90-46bdb0936430": "Keyboard", "6c8eec18-8d75-41b2-a177-8831d59d2d50": "Mouse", "8e908fc9-becc-40f6-915b-f4ca0e70d03d": "Network and Sharing Center", "d24f75aa-4f2b-4d07-a3c4-469b3d9030c4": "Offline Files", "96ae8d84-a250-4520-95a5-a47a7e3c548b": "Parental Controls", "5224f545-a443-4859-ba23-7b5a95bdc8ef": "People Near Me", "78f3955e-3b90-4184-bd14-5397c15f1efc": "Performance Information and Tools", "ed834ed6-4b5a-4bfe-8f11-a626dcb6a921": 
"Personalization", "025a5937-a6be-4686-a844-36fe4bec8b6d": "Power Options", "7b81be6a-ce2b-4676-a29e-eb907a5126c5": "Programs and Features", "00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3": "Scanners and Cameras", "9c73f5e5-7ae7-4e32-a8e8-8d23b85255bf": "Sync Center", "bb06c0e4-d293-4f75-8a90-cb05b6477eee": "System ", "80f3f1d5-feca-45f3-bc32-752c152e456e": "Tablet PC Settings", "0df44eaa-ff21-4412-828e-260a8728e7f1": "Taskbar and Start Menu", "d17d1d6d-cc3f-4815-8fe3-607e7d5d10b3": "Text to Speech", "60632754-c523-4b62-b45c-4172da012619": "User Accounts", "be122a0e-4503-11da-8bde-f66bad1e3f3a": "Windows Anytime Upgrade", "78cb147a-98ea-4aa6-b0df-c8681f69341c": "Windows CardSpace", "d8559eb9-20c0-410e-beda-7ed416aecc2a": "Windows Defender", "4026492f-2f69-46b8-b9bf-5654fc07e423": "Windows Firewall", "5ea4f148-308c-46d7-98a9-49041b1dd468": "Windows Mobility Center", "e95a4861-d57a-4be1-ad0f-35267e261739": "Windows SideShow", "36eef7db-88ad-4e81-ad49-0e313f0c35f8": "Windows Update", # Vista Control Panel Items "7a979262-40ce-46ff-aeee-7884ac3b6136": "Add Hardware", "f2ddfc82-8f12-4cdd-b7dc-d4fe1425aa4d": "Sound", "b98a2bea-7d42-4558-8bd1-832f41bac6fd": "Backup and Restore Center", "3e7efb4c-faf1-453d-89eb-56026875ef90": "Windows Marketplace", "a0275511-0e86-4eca-97c2-ecd8f1221d08": "Infrared", "f82df8f7-8b9f-442e-a48c-818ea735ff9b": "Pen and Input Devices", "40419485-c444-4567-851a-2dd7bfa1684d": "Phone and Modem", "2227a280-3aea-1069-a2de-08002b30309d": "Printers", "fcfeecae-ee1b-4849-ae50-685dcf7717ec": "Problem Reports and Solutions", "62d8ed13-c9d0-4ce8-a914-47dd628fb1b0": "Regional and Language Options", "087da31b-0dd3-4537-8e23-64a18591f88b": "Windows Security Center", "58e3c745-d971-4081-9034-86e34b30836a": "Speech Recognition Options", # Windows 7 Control Panel Items "bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6": "Action Center", "0142e4d0-fb7a-11dc-ba4a-000ffe7ab428": "Biometric Devices", "1206f5f1-0569-412c-8fec-3204630dfb70": "Credential Manager", 
"00c6d95f-329c-409a-81d7-c46c66ea7f33": "Default Location", "37efd44d-ef8d-41b1-940d-96973a50e9e0": "Desktop Gadgets", "a8a91a66-3a7d-4424-8d24-04e180695c7a": "Devices and Printers", "c555438b-3c23-4769-a71f-b6d3d9b6053a": "Display", "cb1b7f8c-c50a-4176-b604-9e24dee8d4d1": "Getting Started", "67ca7650-96e6-4fdd-bb43-a8e774f73a57": "HomeGroup", "e9950154-c418-419e-a90a-20c5287ae24b": "Location and Other Sensors", "05d7b0f4-2121-4eff-bf6b-ed3f69b894d9": "Notification Area Icons", "9fe63afd-59cf-4419-9775-abcc3849f861": "Recovery", "241d7c96-f8bf-4f85-b01f-e2b043341a4b": "RemoteApp and Desktop Connections", "c58c4893-3be0-4b45-abb5-a63e4b8c8651": "Troubleshooting", # Folder Types "0b2baaeb-0042-4dca-aa4d-3ee8648d03e5": "Pictures Library", "36011842-dccc-40fe-aa3d-6177ea401788": "Documents Search Results", "3f2a72a7-99fa-4ddb-a5a8-c604edf61d6b": "Music Library", "4dcafe13-e6a7-4c28-be02-ca8c2126280d": "Pictures Search Results", "5c4f28b5-f869-4e84-8e60-f11db97c5cc7": "Generic (All folder items)", "5f4eab9a-6833-4f61-899d-31cf46979d49": "Generic Library", "5fa96407-7e77-483c-ac93-691d05850de8": "Videos", "631958a6-ad0f-4035-a745-28ac066dc6ed": "Videos Library", "71689ac1-cc88-45d0-8a22-2943c3e7dfb3": "Music Search Results", "7d49d726-3c21-4f05-99aa-fdc2c9474656": "Documents", "7fde1a1e-8b31-49a5-93b8-6be14cfa4943": "Generic Search Results", "80213e82-bcfd-4c4f-8817-bb27601267a9": "Compressed Folder (zip folder)", "94d6ddcc-4a68-4175-a374-bd584a510b78": "Music", "b3690e58-e961-423b-b687-386ebfd83239": "Pictures", "ea25fbd7-3bf7-409e-b97f-3352240903f4": "Videos Search Results", "fbb3477e-c9e4-4b3b-a2ba-d3f5d3cd46f9": "Documents Library", } FOLDER_IDS = { 0x00:"EXPLORER", 0x42:"LIBRARIES", 0x44:"USERS", 0x48:"MY_DOCUMENTS", 0x50:"MY_COMPUTER", 0x58:"NETWORK", 0x60:"RECYCLE_BIN", 0x68:"EXPLORER", 0x70:"UKNOWN", 0x78:"RECYCLE_BIN", 0x80:"MY_GAMES", } SHELL_ITEM_TYPES = { 0x00:"UNKNOWN_00", #Varied 0x01:"UNKNOWN_01", 0x2e:"UNKNOWN_2E", # DEVICE from ShellBagMRU.py in 
RegistryDecoder 0x31:"FILE_ENTRY", # Folder 0x32:"FILE_ENTRY", # Zip file 0xb1:"FILE_ENTRY", # Hidden folder 0x1f:"FOLDER_ENTRY", # System folder 0x2f:"VOLUME_NAME", 0x41:"NETWORK_VOLUME_NAME", # Windows Domain 0x42:"NETWORK_VOLUME_NAME", # Computer Name 0x46:"NETWORK_VOLUME_NAME", # MS Windows Network 0x47:"NETWORK_VOLUME_NAME", # Entire Network 0xc3:"NETWORK_SHARE", # Remote Share 0x61:"URI", 0x71:"CONTROL_PANEL", 0x74:"UNKNOWN_74", # System protected folder } FLAGS = { 0x02:"has network volume name", 0x80:"has unknown 16-bit value", } ##### Type overrides for output below ##### # http://msdn.microsoft.com/en-us/library/aa379358%28v=vs.85%29.aspx # http://msdn.microsoft.com/en-us/library/cc248286%28v=prot.10%29.aspx ''' '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], ''' class _GUID(obj.CType): def __str__(self): return "{0:08x}-{1:04x}-{2:04x}-{3:02x}{4:02x}-{5:02x}{6:02x}{7:02x}{8:02x}{9:02x}{10:02x}".format(self.Data1, self.Data2, self.Data3, self.Data4[0], self.Data4[1], self.Data4[2], self.Data4[3], self.Data4[4], self.Data4[5], self.Data4[6], self.Data4[7]) class ITEMPOS(obj.CType): def get_file_attrs(self): fileattrs = "" if self.Size >= 0x15: for f in FILE_ATTRS: if self.Attributes.FileAttrs & f == f: fileattrs += FILE_ATTRS[f] + ", " fileattrs = fileattrs.rstrip(", ") return fileattrs def body(self, details): return "0|[SHELLBAGS ITEMPOS] Name: {3}/Attrs: {4}/{5}|0|---------------|0|0|0|{0}|{1}|{2}|{2}\n".format( self.Attributes.AccessDate.v(), self.Attributes.ModifiedDate.v(), self.Attributes.CreatedDate.v(), str(self.Attributes.UnicodeFilename), self.get_file_attrs(), details) def __str__(self): return "{0:<14} {1:30} {2:30} {3:30} {4:25} {5}".format(self.Attributes.FileName, str(self.Attributes.ModifiedDate), str(self.Attributes.CreatedDate), str(self.Attributes.AccessDate), self.get_file_attrs(), 
str(self.Attributes.UnicodeFilename)) def get_header(self): return [("File Name", "14s"), ("Modified Date", "30"), ("Create Date", "30"), ("Access Date", "30"), ("File Attr", "25"), ("Unicode Name", ""), ] class FILE_ENTRY(ITEMPOS): def get_file_attrs(self): fileattrs = "" for f in FILE_ATTRS: if self.Attributes.FileAttrs & f == f: fileattrs += FILE_ATTRS[f] + ", " fileattrs = fileattrs.rstrip(", ") return fileattrs def body(self, details): return "0|[SHELLBAGS FILE_ENTRY] Name: {3}/Attrs: {4}/{5}|0|---------------|0|0|0|{0}|{1}|{2}|{2}\n".format( self.Attributes.AccessDate.v(), self.Attributes.ModifiedDate.v(), self.Attributes.CreatedDate.v(), str(self.Attributes.UnicodeFilename), self.get_file_attrs(), details) def __str__(self): return "{0:<14} {1:30} {2:30} {3:30} {4:25}".format(self.Attributes.FileName, str(self.Attributes.ModifiedDate), str(self.Attributes.CreatedDate), str(self.Attributes.AccessDate), self.get_file_attrs()) def get_header(self): return [("File Name", "14s"), ("Modified Date", "30"), ("Create Date", "30"), ("Access Date", "30"), ("File Attr", "25"), ("Path", ""), ] class FOLDER_ENTRY(obj.CType): def get_folders(self): folder_ids = "" for f in FOLDER_IDS: if self.Flags & f == f: folder_ids += FOLDER_IDS[f] + ", " folder_ids = folder_ids.rstrip(", ") return folder_ids def __str__(self): return "{0:<14} {1:40} {2:20} {3}".format("Folder Entry", str(self.GUID), KNOWN_GUIDS.get(str(self.GUID), "Unknown GUID"), self.get_folders()) def get_header(self): return [("Entry Type", "14s"), ("GUID", "40"), ("GUID Description", "20"), ("Folder IDs", ""), ] class _VOLUSER_ASSIST_TYPES(obj.CType): def get_header(self): if hasattr(self, "Count") and hasattr(self, "FocusCount"): return [("Entry Type", "14s"), ("Count", "5"), ("Focus Count", "5"), ("Time Focused", "20"), ("Last Update", ""), ] else: return [("Entry Type", "14s"), ("ID", "10"), ("Count", "10"), ("Last Update", ""), ] def __str__(self): if hasattr(self, "Count") and hasattr(self, "FocusCount"): 
return "{0:<14} {1:5} {2:5} {3:20} {4}".format("UserAssist", self.Count, self.FocusCount, self.FocusTime, self.LastUpdated) else: return "{0:<14} {1:5} {2:5} {3}".format("UserAssist", self.ID, self.CountStartingAtFive, self.LastUpdated) def body(self, reg, key, subname, lastwrite): ID = "N/A" count = "N/A" fc = "N/A" tf = "N/A" if hasattr(self, "ID"): ID = "{0}".format(self.ID) if hasattr(self, "Count"): count = "{0}".format(self.Count) else: count = "{0}".format(self.CountStartingAtFive if self.CountStartingAtFive < 5 else self.CountStartingAtFive - 5) if hasattr(self, "FocusCount"): seconds = (self.FocusTime + 500) / 1000.0 time = datetime.timedelta(seconds = seconds) if seconds > 0 else self.FocusTime fc = "{0}".format(self.FocusCount) tf = "{0}".format(time) subname = subname.replace("|", "%7c") return "0|[SHELLBAGS USERASSIST] Registry: {1}/Key: {7}/Value: {2}/LW: {8}/ID: {3}/Count: {4}/FocusCount: {5}/TimeFocused: {6}|0|---------------|0|0|0|{0}|{0}|{0}|{0}\n".format( self.LastUpdated.v(), reg, subname, ID, count, fc, tf, key, lastwrite) class CONTROL_PANEL(FOLDER_ENTRY): def __str__(self): return "{0:<14} {1:40} {2:20} {3}".format("Control Panel", str(self.GUID), KNOWN_GUIDS.get(str(self.GUID), "Unknown GUID"), self.get_folders()) # taken from http://code.google.com/p/registrydecoder/source/browse/trunk/templates/template_files/ShellBagMRU.py#388 class UNKNOWN_00(FOLDER_ENTRY): def __str__(self): if self.DataSize == 0x1a: return "{0:<14} {1:40} {2:20} {3}".format("Folder", str(self.GUID), KNOWN_GUIDS.get(str(self.GUID), "Unknown GUID"), self.get_folders()) #elif self.DataSize in [0xa4, 0xb4, 0x7a, 0xc4, 0x9a, 0x30]: # TODO: this is not clear yet # return "{0:<14} {1:40} {2:20} {3}".format("Device Property", # str(self.Name), "", "") # TODO: fix this for other types like "AugM" and 1SPS else: return "{0:<14} {1:40} {2:20} {3}".format("Folder (unsupported)", "This property is not yet supported", "", "") class VOLUME_NAME(obj.CType): def __str__(self): return 
"{0:14} {1}".format("Volume Name", self.Name) def get_header(self): return [("Entry Type", "14s"), ("Path", ""), ] class NETWORK_VOLUME_NAME(obj.CType): def get_flags(self): flags = "" for f in FLAGS: if self.Flags & f == f: flags += FLAGS[f] + ", " flags = flags.rstrip(", ") return flags def __str__(self): return "{0:25} {1:20} {2} |".format("Network Volume Name", self.Description, self.Name) def get_header(self): return [("Entry Type", "25s"), ("Description", "20"), ("Name | Full Path", ""), ] class NETWORK_SHARE(NETWORK_VOLUME_NAME): def __str__(self): return "{0:25} {1:20} {2}".format("Network Volume Share", self.Description, self.Name) ##### End Type Overrides ##### class DosDate(obj.NativeType): def __init__(self, theType, offset, vm, is_utc = False, **kwargs): self.is_utc = is_utc obj.NativeType.__init__(self, theType, offset, vm, format_string = "H", ''.join([chr(x) for x in [(dosdate >> 8) & 0xff, (dosdate & 0xff)]]))[0] time = struct.unpack(">H", ''.join([chr(x) for x in [(dosdate >> 24) & 0xff, (dosdate >> 16) & 0xff]]))[0] seconds = (time & 0x1F) * 2 minutes = (time & 0x7E0) >> 5 hours = (time & 0xF800) >> 11 day = date & 0x1F month = (date & 0x1E0) >> 5 year = ((date & 0xFE00) >> 9) + 1980 #convert into timestamp and return: try: return calendar.timegm(datetime.datetime(year, month, day, hours, minutes, seconds).utctimetuple()) except ValueError: return 0 # if we use the following we need to s/utcfromtimestamp/fromtimestamp/ in as_datetime() function: #return time.mktime(datetime.datetime(year, month, day, hours, minutes, seconds).timetuple()) class NullString(basic.String): def __str__(self): result = self.obj_vm.zread(self.obj_offset, self.length).split("\x00\x00")[0].replace("\x00", "") if not result: result = "" return result def v(self): result = self.obj_vm.zread(self.obj_offset, self.length).split("\x00\x00")[0].replace("\x00", "") if not result: return obj.NoneObject("Cannot read string length {0} at {1:#x}".format(self.length, 
self.obj_offset)) return result shell_item_types = { 'SHELLITEM': [ None, { 'Size' : [ 0x0, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], # SHELL_ITEM_TYPES } ], 'FOLDER_ENTRY': [ None, { 'ShellItem': [ 0x0, ['SHELLITEM']], 'Flags': [ 0x3, ['unsigned char']], # FOLDER_IDS 'GUID': [ 0x4, ['_GUID']], } ], 'VOLUME_NAME': [ None, { 'ShellItem': [ 0x0, ['SHELLITEM']], 'Name': [ 0x3, ['String', dict(length = 22)]], } ], 'NETWORK_VOLUME_NAME': [ None, { 'ShellItem': [ 0x0, ['SHELLITEM']], 'Flags': [ 0x4, ['unsigned char']], 'Name': [ 0x5, ['String', dict(length = 255)]], 'Description': [ lambda x: x.Name.obj_offset + len(x.Name), ['String', dict(length = 4096)]], } ], 'URI': [ None, { 'Flags': [ 0x3, ['unsigned char']], 'UString': [ 0x8, ['String', dict(length = 4096)]], # other stuff here not filled in... } ], 'CONTROL_PANEL': [ None, { 'ShellItem': [ 0x0, ['SHELLITEM']], 'Flags': [ 0x3, ['unsigned char']], 'GUID': [ 0xe, ['_GUID']], } ], 'NETWORK_SHARE': [ None, { 'ShellItem': [ 0x0, ['SHELLITEM']], 'Flags': [ 0x4, ['unsigned char']], 'Name': [ 0x5, ['String', dict(length = 255)]], 'Description': [ lambda x: x.Name.obj_offset + len(x.Name), ['String', dict(length = 4096)]], } ], # These "OTHER" types are really not clear yet... 
'UNKNOWN_00': [ None, { 'ShellItem': [ 0x0, ['SHELLITEM']], 'Flags': [ 0x3, ['unsigned char']], 'DataSize': [ 0x4, ['unsigned short']], #size of the following data 'FolderAugM': [ 0x4, ['String', dict(length = 4)]], 'PropertyList': [ 0xa, ['unsigned short']], 'IdentifierSize': [ 0xc, ['unsigned short']], 'GUID': [ 0xe, ['_GUID']], #'NameLength': [ 0x42, ['unsigned short']], # size of following data #'Name': [ 0x4a, ['String', dict(length = lambda x: x.NameLength * 2)]], } ], 'UNKNOWN_01': [ None, { 'ShellItem': [ 0x0, ['SHELLITEM']], 'Flags': [ 0x3, ['unsigned char']], 'Unknown': [ 0x4, ['unsigned int']], } ], 'UNKNOWN_2E': [ None, { 'ShellItem': [ 0x0, ['SHELLITEM']], 'Flags': [ 0x3, ['unsigned char']], 'GUID': [ 0x4, ['_GUID']], } ], 'UNKNOWN_74': [ None, { 'ShellItem': [ 0x0, ['SHELLITEM']], 'Flags': [ 0x3, ['unsigned char']], 'Attributes' : [12, ['ATTRIBUTES']], } ], } itempos_types_XP = { 'ATTRIBUTES': [ None, { 'ModifiedDate': [ 0x0, ['DosDate', dict(is_utc = True)]], 'FileAttrs': [ 0x4, ['unsigned short']], 'FileName': [ 0x6, ['String', dict(length = 255)]], # 8.3 File name although sometimes it's longer than 14 chars 'FDataSize': [ lambda x: x.FileName.obj_offset + len(x.FileName) + (1 if len(x.FileName) % 2 == 1 else 2), ['unsigned short']], 'EVersion': [ lambda x: x.FDataSize.obj_offset + 2, ['unsigned short']], 'Unknown1': [ lambda x: x.EVersion.obj_offset + 2, ['unsigned short']], 'Unknown2': [ lambda x: x.Unknown1.obj_offset + 2, ['unsigned short']], # 0xBEEF 'CreatedDate': [ lambda x: x.Unknown2.obj_offset + 2, ['DosDate', dict(is_utc = True)]], 'AccessDate': [ lambda x: x.CreatedDate.obj_offset + 4, ['DosDate', dict(is_utc = True)]], 'Unknown3': [ lambda x: x.AccessDate.obj_offset + 4, ['unsigned int']], 'UnicodeFilename': [ lambda x: x.Unknown3.obj_offset + 4, ['NullString', dict(length = 4096, encoding = 'utf8')]], } ], 'ITEMPOS' : [ None, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'FileSize' : [ 0x4, ['short']], 
        'Attributes' : [ 0x8, ['ATTRIBUTES']],
    } ],
    'FILE_ENTRY': [ None, {
        'ShellItem': [ 0x0, ['SHELLITEM']], # Type: 0x31, 0x32, 0xb1
        'Flags': [ 0x3, ['unsigned char']],
        'FileSize': [ 0x4, ['int']],
        'Attributes' : [ 0x8, ['ATTRIBUTES']],
    } ],
}

class ShellBagsTypesXP(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 5}

    def modification(self, profile):
        profile.object_classes.update({
            'NullString': NullString,
            'DosDate':DosDate,
            '_GUID':_GUID,
            'ITEMPOS':ITEMPOS,
            'FILE_ENTRY':FILE_ENTRY,
            'FOLDER_ENTRY':FOLDER_ENTRY,
            'CONTROL_PANEL':CONTROL_PANEL,
            'VOLUME_NAME':VOLUME_NAME,
            'NETWORK_VOLUME_NAME':NETWORK_VOLUME_NAME,
            'NETWORK_SHARE':NETWORK_SHARE,
            'UNKNOWN_00':UNKNOWN_00,
            '_VOLUSER_ASSIST_TYPES':_VOLUSER_ASSIST_TYPES,
        })
        profile.vtypes.update(shell_item_types)
        profile.vtypes.update(itempos_types_XP)

itempos_types_Vista = {
    'ATTRIBUTES' : [ None, {
        'ModifiedDate': [ 0x0, ['DosDate', dict(is_utc = True)]],
        'FileAttrs': [ 0x4, ['unsigned short']],
        'FileName': [ 0x6, ['String', dict(length = 255)]],
        'FDataSize': [ lambda x: x.FileName.obj_offset + len(x.FileName) + (1 if len(x.FileName) % 2 == 1 else 2), ['unsigned short']],
        'EVersion': [ lambda x: x.FDataSize.obj_offset + 2, ['unsigned short']],
        'Unknown1': [ lambda x: x.EVersion.obj_offset + 2, ['unsigned short']],
        'Unknown2': [ lambda x: x.Unknown1.obj_offset + 2, ['unsigned short']], # 0xBEEF
        'CreatedDate': [ lambda x: x.Unknown2.obj_offset + 2, ['DosDate', dict(is_utc = True)]],
        'AccessDate': [ lambda x: x.CreatedDate.obj_offset + 4, ['DosDate', dict(is_utc = True)]],
        'Unknown3': [ lambda x: x.AccessDate.obj_offset + 4, ['unsigned int']],
        'FileReference': [ lambda x: x.Unknown3.obj_offset + 4, ['unsigned long long']], #MFT entry index 0-6, Sequence number 6-7
        'Unknown4': [ lambda x: x.FileReference.obj_offset + 8, ['unsigned long long']],
        'LongStringSize': [ lambda x: x.Unknown4.obj_offset + 8, ['unsigned short']],
        'UnicodeFilename': [ lambda x: x.LongStringSize.obj_offset + 2, ['NullString', dict(length = 4096, encoding = 'utf8')]],
        'AdditionalLongString': [ lambda x: x.UnicodeFilename.obj_offset + len(x.UnicodeFilename), ['NullString', dict(length = (lambda k: k.LongStringSize), encoding = 'utf8')]],
    } ],
    'ITEMPOS' : [ None, {
        'Size' : [ 0x0, ['unsigned short']],
        'Flags' : [ 0x2, ['unsigned short']],
        'FileSize' : [ 0x4, ['short']],
        'Attributes' : [ 0x8, ['ATTRIBUTES']],
    } ],
    'FILE_ENTRY': [ None, {
        'ShellItem': [ 0x0, ['SHELLITEM']], # Type: 0x31, 0x32, 0xb1
        'Flags': [ 0x3, ['unsigned char']],
        'FileSize': [ 0x4, ['int']],
        'Attributes' : [ 0x8, ['ATTRIBUTES']],
    } ],
}

class ShellBagsTypesVista(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0}

    def modification(self, profile):
        profile.object_classes.update({
            'NullString': NullString,
            'DosDate':DosDate,
            '_GUID':_GUID,
            'ITEMPOS':ITEMPOS,
            'FILE_ENTRY':FILE_ENTRY,
            'FOLDER_ENTRY':FOLDER_ENTRY,
            'CONTROL_PANEL':CONTROL_PANEL,
            'VOLUME_NAME':VOLUME_NAME,
            'NETWORK_VOLUME_NAME':NETWORK_VOLUME_NAME,
            'NETWORK_SHARE':NETWORK_SHARE,
            'UNKNOWN_00':UNKNOWN_00,
            '_VOLUSER_ASSIST_TYPES':_VOLUSER_ASSIST_TYPES,
        })
        profile.vtypes.update(shell_item_types)
        profile.vtypes.update(itempos_types_Vista)

itempos_types_Win7 = {
    'ATTRIBUTES': [ None, {
        'ModifiedDate': [ 0x0, ['DosDate', dict(is_utc = True)]],
        'FileAttrs': [ 0x4, ['unsigned short']],
        'FileName': [ 0x6, ['String', dict(length = 255)]],
        'FDataSize': [ lambda x: x.FileName.obj_offset + len(x.FileName) + (1 if len(x.FileName) % 2 == 1 else 2), ['unsigned short']],
        'EVersion': [ lambda x: x.FDataSize.obj_offset + 2, ['unsigned short']],
        'Unknown1': [ lambda x: x.EVersion.obj_offset + 2, ['unsigned short']],
        'Unknown2': [ lambda x: x.Unknown1.obj_offset + 2, ['unsigned short']], # 0xBEEF
        'CreatedDate': [ lambda x: x.Unknown2.obj_offset + 2, ['DosDate', dict(is_utc = True)]],
        'AccessDate': [ lambda x: x.CreatedDate.obj_offset + 4, ['DosDate', dict(is_utc = True)]],
        'Unknown3': [ lambda x: x.AccessDate.obj_offset + 4, ['unsigned int']],
        'FileReference': [ lambda x: x.Unknown3.obj_offset + 4, ['unsigned long long']], #MFT entry index 0-6, Sequence number 6-7
        'Unknown4': [ lambda x: x.FileReference.obj_offset + 8, ['unsigned long long']],
        'LongStringSize': [ lambda x: x.Unknown4.obj_offset + 8, ['unsigned short']],
        'Unknown5': [ lambda x: x.LongStringSize.obj_offset + 2, ['unsigned int']],
        'UnicodeFilename': [ lambda x: x.Unknown5.obj_offset + 4, ['NullString', dict(length = 4096, encoding = 'utf8')]],
        'AdditionalLongString': [ lambda x: x.UnicodeFilename.obj_offset + len(x.UnicodeFilename), ['NullString', dict(length = (lambda k: k.LongStringSize), encoding = 'utf8')]],
    } ],
    'ITEMPOS' : [ None, {
        'Size' : [ 0x0, ['unsigned short']],
        'Flags' : [ 0x2, ['unsigned short']],
        'FileSize' : [ 0x4, ['short']],
        'Attributes' : [ 0x8, ['ATTRIBUTES']],
    } ],
    'FILE_ENTRY': [ None, {
        'ShellItem': [ 0x0, ['SHELLITEM']], # Type: 0x31, 0x32, 0xb1
        'Flags': [ 0x3, ['unsigned char']],
        'FileSize': [ 0x4, ['int']],
        'Attributes' : [ 0x8, ['ATTRIBUTES']],
    } ],
}

class ShellBagsTypesWin7(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1}

    def modification(self, profile):
        profile.object_classes.update({
            'NullString': NullString,
            'DosDate':DosDate,
            '_GUID':_GUID,
            'ITEMPOS':ITEMPOS,
            'FILE_ENTRY':FILE_ENTRY,
            'FOLDER_ENTRY':FOLDER_ENTRY,
            'CONTROL_PANEL':CONTROL_PANEL,
            'VOLUME_NAME':VOLUME_NAME,
            'NETWORK_VOLUME_NAME':NETWORK_VOLUME_NAME,
            'NETWORK_SHARE':NETWORK_SHARE,
            'UNKNOWN_00':UNKNOWN_00,
            '_VOLUSER_ASSIST_TYPES':_VOLUSER_ASSIST_TYPES,
        })
        profile.vtypes.update(shell_item_types)
        profile.vtypes.update(itempos_types_Win7)

class ShellBags(common.AbstractWindowsCommand):
    """Prints ShellBags info"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self,
                                               config, *args, **kwargs)
        self.supported = ["FILE_ENTRY", "FOLDER_ENTRY", "CONTROL_PANEL", "VOLUME_NAME", "NETWORK_VOLUME_NAME", "NETWORK_SHARE", "UNKNOWN_00"]
        self.paths = {}

    def rreplace(self, s, old, new, occurrence):
        li = s.rsplit(old, occurrence)
        return new.join(li)

    def parse_key(self, regapi, reg, thekey, given_root = None):
        items = {} # a dictionary of shellbag objects indexed by value name
        for value, data in regapi.reg_yield_values(None, thekey, thetype = 'REG_BINARY', given_root = given_root):
            if data == None or thekey.find("S-") != -1 or str(value).startswith("LastKnownState") or thekey.lower().find("cmi-create") != -1:
                continue
            if str(value).startswith("ItemPos"):
                items[str(value)] = []
                bufferas = addrspace.BufferAddressSpace(self._config, data = data)
                i = 0x18
                while i < len(data) - 0x10:
                    item = obj.Object("ITEMPOS", offset = i, vm = bufferas)
                    if item != None and item.Size >= 0x15:
                        items[str(value)].append(item)
                    i += item.Size + 0x8
            elif str(value).lower().startswith("mrulistex"):
                list = {}
                bufferas = addrspace.BufferAddressSpace(self._config, data = data)
                i = 0
                while i < len(data) - 4:
                    list[obj.Object("int", offset = i, vm = bufferas).v()] = (i / 4)
                    i += 4
                items["MruListEx"] = list
            elif len(data) >= 0x10:
                bufferas = addrspace.BufferAddressSpace(self._config, data = data)
                item = obj.Object("SHELLITEM", offset = 0, vm = bufferas)
                thetype = SHELL_ITEM_TYPES.get(int(item.Type), None)
                if thetype != None:
                    if thetype == "UNKNOWN_00" and len(data) == bufferas.profile.get_obj_size("_VOLUSER_ASSIST_TYPES"):
                        # this is UserAssist Data
                        item = obj.Object("_VOLUSER_ASSIST_TYPES", offset = 0, vm = bufferas)
                        try:
                            value = value.encode('rot_13')
                        except UnicodeDecodeError:
                            pass
                    else:
                        if bufferas.profile.get_obj_size(thetype) > len(data):
                            continue
                        item = obj.Object(thetype, offset = 0, vm = bufferas)
                        if hasattr(item, "DataSize") and item.DataSize <= 0:
                            continue
                    if thetype in self.supported:
                        temp = ""
                        if hasattr(item, "Attributes"):
                            temp = str(item.Attributes.UnicodeFilename)
                        elif hasattr(item, "Name"):
                            temp = str(item.Name)
                        self.paths[reg + ":" + thekey + ":" + str(value)] = temp
                        items[str(value)] = []
                        items[str(value)].append(item)
        return items

    def calculate(self):
        addr_space = utils.load_as(self._config)
        version = (addr_space.profile.metadata.get('major', 0),
                   addr_space.profile.metadata.get('minor', 0))

        #set our current registry of interest and get its path
        regapi = registryapi.RegistryApi(self._config)
        regapi.reset_current()
        #scan for registries and populate them:
        print "Scanning for registries...."

        regapi.set_current('ntuser.dat')
        shellbag_data = []

        print "Gathering shellbag items and building path tree..."
        seen = {}
        for bk in BAG_KEYS:
            for cat, current_path in regapi.reg_yield_key("ntuser.dat", bk):
                keys = [(k, bk + "\\" + k.Name) for k in regapi.reg_get_all_subkeys("ntuser.dat", key = None, given_root = cat)]
                for key, start in keys:
                    if key.Name:
                        if str(key.Name).lower().find("cmi-create") != -1 or str(key.Name).find("S-") != -1 or seen.get(start + "\\" + k.Name, None) != None:
                            continue
                        seen[start + "\\" + k.Name] = key.obj_offset
                        subkeys = [k for k in regapi.reg_get_all_subkeys("ntuser.dat", key = None, given_root = key)]
                        for k in subkeys:
                            keys.append((k, start + "\\" + k.Name))
                        items = self.parse_key(regapi, current_path, start, given_root = key)
                        if len(items) > 0:
                            shellbag_data.append((start, current_path, key, items))

        if version >= (6, 0):
            regapi.reset_current()
            regapi.set_current("UsrClass.dat")
            seen = {}
            for bk in USERDAT_KEYS:
                for cat, current_path in regapi.reg_yield_key("UsrClass.dat", bk):
                    keys = [(k, bk + "\\" + k.Name) for k in regapi.reg_get_all_subkeys("UsrClass.dat", key = None, given_root = cat)]
                    for key, start in keys:
                        if key.Name:
                            if str(key.Name).lower().find("cmi-create") != -1 or str(key.Name).find("S-") != -1 or seen.get(start + "\\" + k.Name, None) != None:
                                continue
                            seen[start + "\\" + k.Name] = key.obj_offset
                            subkeys = [k for k in regapi.reg_get_all_subkeys("UsrClass.dat", key = None, given_root = key)]
                            for k in subkeys:
                                keys.append((k, start + "\\" + k.Name))
                            items = self.parse_key(regapi, current_path, start, given_root = key)
                            if len(items) > 0:
                                shellbag_data.append((start, current_path, key, items))

        return shellbag_data

    def build_path(self, reg, key, item):
        path = ""
        if hasattr(item, "Attributes"):
            path = str(item.Attributes.UnicodeFilename)
        elif hasattr(item, "Name"):
            path = str(item.Name)
        else:
            return path
        while key != "":
            parent = self.rreplace(key, "\\" + key.split("\\")[-1], "", 1)
            prev = self.paths.get(reg + ":" + parent + ":" + key.split("\\")[-1], "")
            if prev == "":
                break
            path = prev + "\\" + path
            key = parent
        return path

    def render_body(self, outfd, data):
        for name, reg, key, items in data:
            for item in items:
                if item == "MruListEx":
                    continue
                for shell in items[item]:
                    if type(shell) == ITEMPOS or type(shell) == FILE_ENTRY:
                        full_path = self.build_path(reg, name, shell).replace("\\\\", "\\")
                        outfd.write("{0}".format(shell.body("FullPath: {0}/Registry: {1}/Key: {2}/LW: {3}".format(full_path, reg, name, str(key.LastWriteTime)))))
                    elif type(shell) == _VOLUSER_ASSIST_TYPES:
                        outfd.write("{0}".format(shell.body(reg, name, item, str(key.LastWriteTime))))

    def render_text(self, outfd, data):
        border = "*" * 75
        for name, reg, key, items in data:
            if not key:
                continue
            first = True
            mru = items.get("MruListEx", None)
            mruheader = [("Value", "7"), ("Mru", "5")] if mru else [("Value", "25")]
            for item in items:
                if item == "MruListEx":
                    continue
                for shell in items[item]:
                    full_path = ""
                    if type(shell) != ITEMPOS and type(shell) != VOLUME_NAME:
                        full_path = self.build_path(reg, name, shell).replace("\\\\", "\\")
                    if first:
                        outfd.write(border + "\n")
                        outfd.write("Registry: " + reg + "\n")
                        outfd.write("Key: " + name + "\n")
                        outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
                        curheader = shell.get_header()
                        self.table_header(outfd, mruheader + curheader)
                        first = False
                    if curheader != shell.get_header():
                        curheader = shell.get_header()
                        outfd.write("\n")
                        self.table_header(outfd,
                                          mruheader + curheader)
                    if mru:
                        outfd.write("{0:7} {1:<5} {2} {3}\n".format(item, mru[int(item)], str(shell), full_path))
                    else:
                        outfd.write("{0:25} {1} {2}\n".format(item, str(shell), full_path))
            if not first:
                outfd.write(border + "\n\n")

volatility-2.3.1/volatility/plugins/registry/registryapi.py
# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (C) 2011 Jamie Levy (Gleeda)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Jamie Levy (Gleeda)
@license: GNU General Public License 2.0
@contact: jamie.levy@gmail.com
@organization: Volatility Foundation
"""

import volatility.win32.hive as hivemod
import volatility.win32.rawreg as rawreg
import volatility.win32.hashdump as hashdump
import volatility.utils as utils
import volatility.plugins.registry.hivelist as hl
from heapq import nlargest

class RegistryApi(object):
    """A wrapper for several highly used Registry functions"""

    def __init__(self, config):
        self._config = config
        self.addr_space = utils.load_as(self._config)
        self.all_offsets = {}
        self.current_offsets = {}
        self.populate_offsets()

    def print_offsets(self):
        '''
        this is just in case we want to check our offsets and which hive(s) was/were chosen
        '''
        for item in self.all_offsets:
            print "0x{0:x}".format(item), self.all_offsets[item]
        for item in self.current_offsets:
            print 'current', "0x{0:x}".format(item), self.current_offsets[item]

    def populate_offsets(self):
        '''
        get all hive offsets so we don't have to scan again...
        '''
        hive_offsets = []
        hiveroot = hl.HiveList(self._config).calculate()

        for hive in hiveroot:
            if hive.obj_offset not in hive_offsets:
                hive_offsets.append(hive.obj_offset)
                try:
                    name = hive.FileFullPath.v() or hive.FileUserName.v() or hive.HiveRootPath.v() or "[no name]"
                # What exception are we expecting here?
                except:
                    name = "[no name]"
                self.all_offsets[hive.obj_offset] = name

    def reg_get_currentcontrolset(self, fullname = True):
        '''
        get the CurrentControlSet
            If fullname is not specified, we only get the number like "1" or "2" etc
            The default is ControlSet00{#} so we can append it to the desired key path
            We return None if it fails, so you need to verify before using.
        '''
        for offset in self.all_offsets:
            name = self.all_offsets[offset] + " "
            if name.lower().find("\\system ") != -1:
                sysaddr = hivemod.HiveAddressSpace(self.addr_space, self._config, offset)
                if fullname:
                    return "ControlSet00{0}".format(hashdump.find_control_set(sysaddr))
                else:
                    return hashdump.find_control_set(sysaddr)
        return None

    def set_current(self, hive_name = None, user = None):
        '''
        if we find a hive that fits the given criteria, save its offset
        so we don't have to scan again. this can be reset using reset_current
        if context changes
        '''
        for item in self.all_offsets:
            name = self.all_offsets[item] + " "
            if user == None and hive_name == None:
                #no particular preference: all hives
                self.current_offsets[item] = name
            elif user != None and name.lower().find('\\' + user.lower() + '\\') != -1 and name.lower().find("\\" + "ntuser.dat ") != -1:
                #user's NTUSER.DAT hive
                self.current_offsets[item] = name
            elif hive_name != None and hive_name.lower() == 'hklm' \
                and (name.lower().find("\\security ") != -1 or name.lower().find("\\system ") != -1 \
                or name.lower().find("\\software ") != -1 or name.lower().find("\\sam ") != -1):
                #any HKLM hive
                self.current_offsets[item] = name
            elif hive_name != None and name.lower().find("\\" + hive_name.lower() + " ") != -1 and user == None:
                #a particular hive indicated by hive_name
                if hive_name.lower() == "system" and name.lower().find("\\syscache.hve ") == -1:
                    self.current_offsets[item] = name
                elif hive_name.lower() != "system":
                    self.current_offsets[item] = name

    def reset_current(self):
        '''
        this is in case we switch to a different hive/user/context
        '''
        self.current_offsets = {}

    def reg_get_key(self, hive_name, key, user = None, given_root = None):
        '''
        Returns a key from a requested hive; assumes this is from a single hive
        if more than one hive is specified, the hive/key found is returned
        '''
        if self.all_offsets == {}:
            self.populate_offsets()
        if self.current_offsets == {}:
            self.set_current(hive_name, user)
        if key:
            for offset in self.current_offsets:
                if given_root == None:
                    h = hivemod.HiveAddressSpace(self.addr_space, self._config, offset)
                    root = rawreg.get_root(h)
                else:
                    root = given_root
                if root != None:
                    k = rawreg.open_key(root, key.split('\\'))
                    if k:
                        return k
        return None

    def reg_yield_key(self, hive_name, key, user = None, given_root = None):
        '''
        Use this function if you are collecting keys from more than one hive
        '''
        if self.all_offsets == {}:
            self.populate_offsets()
        if self.current_offsets == {}:
            self.set_current(hive_name, user)
        if key:
            for offset in self.current_offsets:
                name = self.current_offsets[offset]
                if given_root == None:
                    h = hivemod.HiveAddressSpace(self.addr_space, self._config, offset)
                    root = rawreg.get_root(h)
                else:
                    root = given_root
                if root != None:
                    k = rawreg.open_key(root, key.split('\\'))
                    if k:
                        yield k, name

    def reg_enum_key(self, hive_name, key, user = None):
        '''
        This function enumerates the requested key
        '''
        k = self.reg_get_key(hive_name, key, user)
        if k:
            for s in rawreg.subkeys(k):
                if s.Name:
                    item = key + '\\' + s.Name
                    yield item

    def reg_get_all_subkeys(self, hive_name, key, user = None, given_root = None):
        '''
        This function enumerates the subkeys of the requested key
        '''
        k = given_root if given_root != None else self.reg_get_key(hive_name, key)
        if k:
            for s in rawreg.subkeys(k):
                if s.Name:
                    yield s

    def reg_yield_values(self, hive_name, key, thetype = None, given_root = None):
        '''
        This function yields all values for a requested registry key
        '''
        if key:
            h = given_root if given_root != None else self.reg_get_key(hive_name, key)
            if h != None:
                for v in rawreg.values(h):
                    tp, dat = rawreg.value_data(v)
                    if thetype == None or tp == thetype:
                        yield v.Name, dat

    def reg_get_value(self, hive_name, key, value, strcmp = None, given_root = None):
        '''
        This function returns the requested value of a registry key
        '''
        if key and value:
            h = given_root if given_root != None else self.reg_get_key(hive_name, key)
            if h != None:
                for v in rawreg.values(h):
                    if value == v.Name:
                        tp, dat = rawreg.value_data(v)
                        if tp == 'REG_BINARY' or strcmp == None:
                            # We want raw data
                            return dat
                        else:
                            # This is a string comparison
                            dat = str(dat)
                            dat = dat.strip()
                            dat = ''.join([x for x in dat if ord(x) != 0]) #get rid of funky nulls for string comparison
                            if strcmp == dat:
                                return dat
        return None

    def reg_get_all_keys(self, hive_name, user = None, start = None, end = None, reg = False, rawtime = False):
        '''
        This function enumerates all keys in specified hives and
        collects lastwrite times.
        '''
        keys = []
        if self.all_offsets == {}:
            self.populate_offsets()
        if self.current_offsets == {}:
            self.set_current(hive_name, user)

        # Collect the root keys
        for offset in self.current_offsets:
            reg_name = self.current_offsets[offset]
            h = hivemod.HiveAddressSpace(self.addr_space, self._config, offset)
            root = rawreg.get_root(h)
            if not root:
                pass
            else:
                time = "{0}".format(root.LastWriteTime) if not rawtime else root.LastWriteTime
                if reg:
                    if start and end and str(time) >= start and str(time) <= end:
                        yield (time, reg_name, root.Name)
                    elif start == None and end == None:
                        yield (time, reg_name, root.Name)
                else:
                    if start and end and str(time) >= start and str(time) <= end:
                        yield (time, root.Name)
                    elif start == None and end == None:
                        yield (time, root.Name)
                for s in rawreg.subkeys(root):
                    if reg:
                        keys.append([s, reg_name, root.Name + "\\" + s.Name])
                    else:
                        keys.append([s, root.Name + "\\" + s.Name])

        # Get subkeys
        if reg:
            for k, reg_name, name in keys:
                time = "{0}".format(k.LastWriteTime) if not rawtime else k.LastWriteTime
                if start and end and str(time) >= start and str(time) <= end:
                    yield (time, reg_name, name)
                elif start == None and end == None:
                    yield (time, reg_name, name)
                for s in rawreg.subkeys(k):
                    if name and s.Name:
                        item = name + '\\' + s.Name
                        keys.append([s, reg_name, item])
        else:
            for k, name in keys:
                time = "{0}".format(k.LastWriteTime) if not rawtime else k.LastWriteTime
                if start and end and str(time) >= start and str(time) <= end:
                    yield (time, name)
                elif start == None and end == None:
                    yield (time, name)
                for s in rawreg.subkeys(k):
                    if name and s.Name:
                        item = name + '\\' + s.Name
                        keys.append([s, item])

    def reg_get_last_modified(self, hive_name, count = 1, user = None, start = None, end = None, reg = False):
        '''
        Wrapper function using reg_get_all_keys. These functions can take a WHILE since all
        subkeys have to be collected before you can compare lastwrite times.
        '''
        data = nlargest(count, self.reg_get_all_keys(hive_name, user, start, end, reg))
        if reg:
            for t, regname, name in data:
                yield (t, regname, name)
        else:
            for t, name in data:
                yield (t, name)

volatility-2.3.1/volatility/plugins/modules.py
# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

#pylint: disable-msg=C0111

import volatility.plugins.common as common
import volatility.cache as cache
import volatility.win32 as win32
import volatility.utils as utils

class Modules(common.AbstractWindowsCommand):
    """Print list of loaded modules"""
    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option("PHYSICAL-OFFSET", short_option = 'P', default = False,
                          cache_invalidator = False, help = "Physical Offset", action = "store_true")

    def render_text(self, outfd, data):
        offsettype = "(V)" if not self._config.PHYSICAL_OFFSET else "(P)"
        self.table_header(outfd,
                          [("Offset{0}".format(offsettype), "[addrpad]"),
                           ("Name", "20"),
                           ('Base', "[addrpad]"),
                           ('Size', "[addr]"),
                           ('File', "")
                           ])

        for module in data:
            if not self._config.PHYSICAL_OFFSET:
                offset = module.obj_offset
            else:
                offset = module.obj_vm.vtop(module.obj_offset)
            self.table_row(outfd,
                           offset,
                           str(module.BaseDllName or ''),
                           module.DllBase,
                           module.SizeOfImage,
                           str(module.FullDllName or ''))

    @cache.CacheDecorator("tests/lsmod")
    def calculate(self):
        addr_space = utils.load_as(self._config)
        result = win32.modules.lsmod(addr_space)
        return result

class UnloadedModules(common.AbstractWindowsCommand):
    """Print list of unloaded modules"""

    def render_text(self, outfd, data):
        self.table_header(outfd, [
                          ("Name", "20"),
                          ('StartAddress', "[addrpad]"),
                          ('EndAddress', "[addrpad]"),
                          ('Time', "")])

        for drv in data:
            self.table_row(outfd, drv.Name, drv.StartAddress,
                           drv.EndAddress, drv.CurrentTime)

    def calculate(self):
        addr_space = utils.load_as(self._config)
        kdbg = win32.tasks.get_kdbg(addr_space)
        for drv in kdbg.MmUnloadedDrivers.dereference().dereference():
            yield drv

volatility-2.3.1/volatility/plugins/hibinfo.py
# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.utils as utils
import volatility.obj as obj
import volatility.plugins.common as common
import volatility.debug as debug
import volatility.cache as cache
import volatility.win32.tasks as tasks

class HibInfo(common.AbstractWindowsCommand):
    """Dump hibernation file information"""

    @cache.CacheDecorator("tests/hibinfo")
    def calculate(self):
        """Determines the address space"""
        addr_space = utils.load_as(self._config)

        result = None
        adrs = addr_space
        while adrs:
            if adrs.__class__.__name__ == 'WindowsHiberFileSpace32':
                sr = adrs.ProcState.SpecialRegisters

                peb = obj.NoneObject("Cannot locate a valid PEB")

                # Find the PEB by cycling through processes. This method works
                # on all versions of Windows x86 and x64.
                for task in tasks.pslist(addr_space):
                    if task.Peb:
                        peb = task.Peb
                        break

                result = {'header': adrs.get_header(),
                          'sr': sr,
                          'peb': peb,
                          'adrs': adrs }
            adrs = adrs.base

        if result == None:
            debug.error("Memory Image could not be identified or did not contain hibernation information")

        return result

    def render_text(self, outfd, data):
        """Renders the hiberfil header as text"""
        hdr = data['header']
        sr = data['sr']
        peb = data['peb']

        outfd.write("PO_MEMORY_IMAGE:\n")
        outfd.write(" Signature: {0}\n".format(hdr.Signature))
        outfd.write(" SystemTime: {0}\n".format(hdr.SystemTime))

        outfd.write("\nControl registers flags\n")
        outfd.write(" CR0: {0:08x}\n".format(sr.Cr0))
        outfd.write(" CR0[PAGING]: {0}\n".format((sr.Cr0 >> 31) & 1))
        outfd.write(" CR3: {0:08x}\n".format(sr.Cr3))
        outfd.write(" CR4: {0:08x}\n".format(sr.Cr4))
        outfd.write(" CR4[PSE]: {0}\n".format((sr.Cr4 >> 4) & 1))
        outfd.write(" CR4[PAE]: {0}\n".format((sr.Cr4 >> 5) & 1))

        outfd.write("\nWindows Version is {0}.{1} ({2})\n\n".format(peb.OSMajorVersion, peb.OSMinorVersion, peb.OSBuildNumber))

volatility-2.3.1/volatility/plugins/patcher.py
# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import sys
import timeit
import binascii
import xml.etree.cElementTree as etree
import volatility.commands as commands
import volatility.debug as debug
import volatility.utils as utils

PAGESIZE = 4096

#XML Example file format
#
#
#
#
# DEADBEEFC0FFEE
# ...
#
#
# BEEFF00DEE
#
# ...
#
#

class MultiPageScanner(object):
    """Scans a page at a time through the address space

    Designed to minimize reads/writes to the address space
    """
    def __init__(self, patchers, full = False):
        self.patchers = list(patchers)
        self.maxlen = 0
        self.remove_patchers = not full

    def use_fullpage(self, address_space):
        """Calibrate the scanner to ensure fastest speed"""
        # Define the calibration functions
        timeit_fullpage = lambda: list(self.scan_page(address_space, 0, True))
        timeit_nonfullpage = lambda: list(self.scan_page(address_space, 0, False))

        with_fullpage = timeit.repeat(timeit_fullpage, number = 100)
        without_fullpage = timeit.repeat(timeit_nonfullpage, number = 100)
        return min(with_fullpage) < min(without_fullpage)

    def scan(self, address_space, outfd):
        """Scans through the pages"""
        page_offset = 0

        sys.stdout.write("Calibrating for speed: ")
        sys.stdout.flush()
        fullpage = self.use_fullpage(address_space)
        if fullpage:
            sys.stdout.write("Reading full pages\n")
        else:
            sys.stdout.write("Reading patch locations per page\n")
        sys.stdout.flush()

        done = False

        while address_space.is_valid_address(page_offset + PAGESIZE) and not done:
            sys.stdout.write("\rScanning: {0:08X}".format(page_offset))
            sys.stdout.flush()

            # Run through any patchers that didn't fail
            for patcher in self.scan_page(address_space, page_offset, fullpage):
                outfd.write("\rPatching {0} at page {1:x}\n".format(patcher.get_name(), page_offset))
                patcher.patch(address_space, page_offset)
                if self.remove_patchers:
                    self.patchers.remove(patcher)
                    # Stop if we've got nothing left to look for
                    if not len(self.patchers):
                        done = True

            # Jump to the next page
            page_offset += PAGESIZE

        sys.stdout.write("\n")

    def scan_page(self, address_space, page_offset,
                  fullpage = False):
        """Runs through patchers for a single page"""
        if fullpage:
            pagedata = address_space.read(page_offset, PAGESIZE)

        for patcher in self.patchers:
            for offset, data in patcher.get_constraints():
                if fullpage:
                    testdata = pagedata[offset:offset + len(data)]
                else:
                    testdata = address_space.read(page_offset + offset, len(data))
                if data != testdata:
                    break
            else:
                # Every constraint matched on this page
                yield patcher

class PatcherObject(object):
    """Simple object to hold patching data"""
    def __init__(self, name):
        self.name = name
        self.patches = set()
        self.constraints = set()

    def add_constraint(self, offset, data):
        """Adds a constraint to the constraintlist"""
        # Ensure that all offsets are within PAGESIZE
        self.constraints.add((offset % PAGESIZE, data))

    def add_patch(self, offset, patch):
        """Adds a patch to the patchlist"""
        # Ensure that all offsets are within PAGESIZE
        self.patches.add((offset % PAGESIZE, patch))

    def patch(self, addr_space, page_offset):
        """Writes to the address space"""
        result = True
        for offset, patch, in self.patches:
            result = result and addr_space.write(page_offset + offset, patch)
        return result

    def get_patches(self):
        """Returns the list of patches for this patcher"""
        return self.patches

    def get_constraints(self):
        return self.constraints

    def get_name(self):
        """Returns the name of the patcher"""
        return self.name

class Patcher(commands.Command):
    """Patches memory based on page scans"""
    def __init__(self, config, *args, **kwargs):
        commands.Command.__init__(self, config, *args, **kwargs)
        config.add_option('XML-INPUT', short_option = 'x',
                          help = 'Input XML file for patching binaries')

    def calculate(self):
        """Calculates the patchers"""
        addr_space = utils.load_as(self._config, astype = 'physical')
        scanner = MultiPageScanner(self.parse_patchfile())
        return scanner, addr_space

    def render_text(self, outfd, data):
        """Renders the text and carries out the patching"""
        scanner, addr_space = data
        scanner.scan(addr_space, outfd)

    def get_offset(self, tag):
        """Returns the offset from a tag"""
        offset = tag.get('offset', None)
        if not offset:
            return None
        base = 10
        if offset.startswith('0x'):
            offset = offset[2:]
            base = 16
        return int(offset, base)

    def parse_patchfile(self):
        """Parses the patch XML data"""
        if not self._config.WRITE:
            print "Warning: WRITE support not enabled, no patching will occur"

        if self._config.XML_INPUT is None:
            debug.error("No XML input file was specified")
        try:
            root = etree.parse(self._config.XML_INPUT).getroot()
        except SyntaxError, e:
            debug.error("XML input file was improperly formed: " + str(e))

        for element in root:
            if element.tag == 'patchinfo':
                if element.get('method', 'nomethod') == 'pagescan':
                    patcher = PatcherObject(element.get('name', 'Unlabelled'))
                    constraints = None
                    # Default to no patches so a patchinfo without a patches
                    # section is skipped below instead of raising NameError
                    patches = []
                    for tag in element:
                        if tag.tag == 'constraints':
                            constraints = tag
                        if tag.tag == 'patches':
                            patches = tag
                    if constraints is None:
                        debug.error("Patch input file does not contain any valid constraints")

                    # Parse the patches section
                    for tag in patches:
                        if tag.tag == 'setbytes':
                            offset = self.get_offset(tag)
                            data = binascii.a2b_hex(tag.text)
                            if offset is not None and len(data):
                                patcher.add_patch(offset, data)
                    if not len(patcher.get_patches()):
                        # No patches, no point adding this
                        break

                    # Parse the constraints section
                    for c in constraints:
                        if c.tag == 'match':
                            offset = self.get_offset(c)
                            data = binascii.a2b_hex(c.text)
                            if offset is not None and len(data):
                                patcher.add_constraint(offset, data)
                    yield patcher
                else:
                    # Element objects have no .method attribute; read the XML attribute
                    debug.error("Unsupported patchinfo method " + element.get('method', 'nomethod'))

volatility-2.3.1/volatility/plugins/iehistory.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2010, 2011, 2012 Michael Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.
# You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

## http://www.docslide.com/forensic-analysis-of-internet-explorer-activity-files/
## http://libmsiecf.googlecode.com/files/MSIE%20Cache%20File%20%28index.dat%29%20format.pdf

import volatility.obj as obj
import volatility.plugins.taskmods as taskmods
import volatility.utils as utils
import volatility.win32.tasks as tasks

class _URL_RECORD(obj.CType):
    """A class for URL and LEAK records"""

    def is_valid(self):
        return obj.CType.is_valid(self) and self.Length > 0 and self.Length < 32768

    @property
    def Length(self):
        return self.m('Length') * 0x80

    def has_data(self):
        """Determine if a record has data"""
        ## for LEAK records the DataOffset is sometimes 0xdeadbeef
        return (self.DataOffset > 0 and self.DataOffset < self.Length
                and not self.Url.split(":")[0] in ["PrivacIE", "ietld", "iecompat", "Visited"])

class IEHistoryVTypes(obj.ProfileModification):
    """Apply structures for IE history parsing"""

    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        profile.vtypes.update({
            '_URL_RECORD' : [ None, {
                'Signature' : [ 0, ['String', dict(length = 4)]],
                'Length' : [ 0x4, ['unsigned int']],
                'LastModified' : [ 0x08, ['WinTimeStamp', dict(is_utc = True)]], # secondary
                'LastAccessed' : [ 0x10, ['WinTimeStamp', dict(is_utc = True)]], # primary
                'UrlOffset' : [ 0x34, ['unsigned char']],
                'FileOffset' : [ 0x3C, ['unsigned int']],
                'DataOffset' : [ 0x44, ['unsigned int']],
                'DataSize': [ 0x48, ['unsigned int']],
                'Url' : [ lambda x : x.obj_offset + x.UrlOffset, ['String', dict(length = 4096)]],
                'File' : [ lambda x : x.obj_offset + x.FileOffset, ['String', dict(length = 4096)]],
                'Data' : [ lambda x : x.obj_offset + x.DataOffset, ['String', dict(length = 4096)]],
            }],
            '_REDR_RECORD' : [ None, {
                'Signature' : [ 0, ['String', dict(length = 4)]],
                'Length' : [ 0x4, ['unsigned int']],
                'Url' : [ 0x10, ['String', dict(length = 4096)]],
            }],
        })
        profile.object_classes.update({
            '_URL_RECORD' : _URL_RECORD,
            '_REDR_RECORD': _URL_RECORD,
        })

class IEHistory(taskmods.DllList):
    """Reconstruct Internet Explorer cache / history"""

    def __init__(self, config, *args, **kwargs):
        taskmods.DllList.__init__(self, config, *args, **kwargs)
        config.add_option("LEAK", short_option = 'L',
                          default = False, action = 'store_true',
                          help = 'Find LEAK records (deleted)')
        config.add_option("REDR", short_option = 'R',
                          default = False, action = 'store_true',
                          help = 'Find REDR records (redirected)')

    def calculate(self):
        kernel_space = utils.load_as(self._config)

        ## Select the tags to scan for. Always find visited URLs,
        ## but make freed and redirected records optional.
tags = ["URL "] if self._config.LEAK: tags.append("LEAK") if self._config.REDR: tags.append("REDR") ## Define the record type based on the tag tag_records = { "URL " : "_URL_RECORD", "LEAK" : "_URL_RECORD", "REDR" : "_REDR_RECORD"} ## Enumerate processes based on the --pid and --offset for proc in self.filter_tasks(tasks.pslist(kernel_space)): ## Acquire a process specific AS ps_as = proc.get_process_address_space() for hit in proc.search_process_memory(tags): ## Get a preview of the data to see what tag was detected tag = ps_as.read(hit, 4) ## Create the appropriate object type based on the tag record = obj.Object(tag_records[tag], offset = hit, vm = ps_as) if record.is_valid(): yield proc, record def render_text(self, outfd, data): for process, record in data: outfd.write("*" * 50 + "\n") outfd.write("Process: {0} {1}\n".format(process.UniqueProcessId, process.ImageFileName)) outfd.write("Cache type \"{0}\" at {1:#x}\n".format(record.Signature, record.obj_offset)) outfd.write("Record length: {0:#x}\n".format(record.Length)) outfd.write("Location: {0}\n".format(record.Url)) ## Extended fields are available for these records if record.obj_name == "_URL_RECORD": outfd.write("Last modified: {0}\n".format(record.LastModified)) outfd.write("Last accessed: {0}\n".format(record.LastAccessed)) outfd.write("File Offset: {0:#x}, Data Offset: {1:#x}, Data Length: {2:#x}\n".format(record.Length, record.FileOffset, record.DataOffset, record.DataSize)) if record.FileOffset > 0: outfd.write("File: {0}\n".format(record.File)) if record.has_data(): outfd.write("Data: {0}\n".format(record.Data)) def render_csv(self, outfd, data): for process, record in data: if record.obj_name == "_URL_RECORD": t1 = str(record.LastModified or '') t2 = str(record.LastAccessed or '') else: t1 = t2 = "" outfd.write("{0},{1},{2},{3}\n".format(record.Signature, t1.strip(), t2.strip(), record.Url)) volatility-2.3.1/volatility/plugins/procdump.py0000644000175000017500000002273612227253532021712 0ustar 
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# Additional Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import os
import struct
import volatility.plugins.taskmods as taskmods
import volatility.debug as debug
import volatility.obj as obj
import volatility.exceptions as exceptions

class ProcExeDump(taskmods.DllList):
    """Dump a process to an executable file sample"""

    def __init__(self, config, *args, **kwargs):
        taskmods.DllList.__init__(self, config, *args, **kwargs)
        config.add_option('DUMP-DIR', short_option = 'D', default = None,
                          cache_invalidator = False,
                          help = 'Directory in which to dump executable files')

        config.add_option("UNSAFE", short_option = "u", default = False, action = 'store_true',
                          help = 'Bypasses certain sanity checks when creating image')

    def dump_pe(self, space, base, dump_file):
        """
        Dump a PE from an AS into a file.

        @param space: an AS to use
        @param base: PE base address
        @param dump_file: dumped file name

        @returns a string status message
        """

        of = open(os.path.join(self._config.DUMP_DIR, dump_file), 'wb')

        try:
            # Offsets and sizes come from PE headers read out of the memory
            # image, so a failed sanity check is reported, not ignored
            for offset, code in self.get_image(space, base):
                of.seek(offset)
                of.write(code)
            result = "OK: {0}".format(dump_file)
        except ValueError, ve:
            result = "Error: {0}".format(ve)
        except exceptions.SanityCheckException, ve:
            result = "Error: {0} Try -u/--unsafe".format(ve)
        finally:
            of.close()

        return result

    def render_text(self, outfd, data):
        """Renders the tasks to disk images, outputting progress as they go"""
        if self._config.DUMP_DIR == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        self.table_header(outfd,
                          [("Process(V)", "[addrpad]"),
                           ("ImageBase", "[addrpad]"),
                           ("Name", "20"),
                           ("Result", "")])

        for task in data:
            task_space = task.get_process_address_space()
            if task_space == None:
                result = "Error: Cannot acquire process AS"
            elif task.Peb == None:
                # we must use m() here, because any other attempt to
                # reference task.Peb will try to instantiate the _PEB
                result = "Error: PEB at {0:#x} is paged".format(task.m('Peb'))
            elif task_space.vtop(task.Peb.ImageBaseAddress) == None:
                result = "Error: ImageBaseAddress at {0:#x} is paged".format(task.Peb.ImageBaseAddress)
            else:
                dump_file = "executable." + str(task.UniqueProcessId) + ".exe"
                result = self.dump_pe(task_space,
                                      task.Peb.ImageBaseAddress,
                                      dump_file)
            self.table_row(outfd,
                           task.obj_offset,
                           task.Peb.ImageBaseAddress,
                           task.ImageFileName,
                           result)

    def round(self, addr, align, up = False):
        """Rounds an address down (or up, when up is True) to a multiple of align"""
        if addr % align == 0:
            return addr
        else:
            if up:
                return (addr + (align - (addr % align)))
            return (addr - (addr % align))

    def get_nt_header(self, addr_space, base_addr):
        """Returns the NT Header object for a task"""

        dos_header = obj.Object("_IMAGE_DOS_HEADER", offset = base_addr,
                                vm = addr_space)

        return dos_header.get_nt_header()

    def get_code(self, addr_space, data_start, data_size, offset):
        """Returns a single section of re-created data from a file image"""
        first_block = 0x1000 - data_start % 0x1000
        full_blocks = ((data_size + (data_start % 0x1000)) / 0x1000) - 1
        left_over = (data_size + data_start) % 0x1000

        paddr = addr_space.vtop(data_start)
        code = ""

        # Deal with reads that are smaller than a block
        if data_size < first_block:
            data_read = addr_space.zread(data_start, data_size)
            if paddr == None:
                if self._config.verbose:
                    debug.debug("Memory Not Accessible: Virtual Address: 0x{0:x} File Offset: 0x{1:x} Size: 0x{2:x}\n".format(data_start, offset, data_size))
            code += data_read
            return (offset, code)

        data_read = addr_space.zread(data_start, first_block)
        if paddr == None:
            if self._config.verbose:
                debug.debug("Memory Not Accessible: Virtual Address: 0x{0:x} File Offset: 0x{1:x} Size: 0x{2:x}\n".format(data_start, offset, first_block))
        code += data_read

        # The middle part of the read
        new_vaddr = data_start + first_block

        for _i in range(0, full_blocks):
            data_read = addr_space.zread(new_vaddr, 0x1000)
            if addr_space.vtop(new_vaddr) == None:
                if self._config.verbose:
                    debug.debug("Memory Not Accessible: Virtual Address: 0x{0:x} File Offset: 0x{1:x} Size: 0x{2:x}\n".format(new_vaddr, offset, 0x1000))
            code += data_read
            new_vaddr = new_vaddr + 0x1000

        # The last part of the read
        if left_over > 0:
            data_read = addr_space.zread(new_vaddr, left_over)
            if addr_space.vtop(new_vaddr) == None:
                if self._config.verbose:
                    debug.debug("Memory Not Accessible: Virtual Address: 0x{0:x} File Offset: 0x{1:x} Size: 0x{2:x}\n".format(new_vaddr, offset, left_over))
            code += data_read
        return (offset, code)

    def get_image(self, addr_space, base_addr):
        """Outputs an executable disk image of a process"""
        nt_header = self.get_nt_header(addr_space = addr_space,
                                       base_addr = base_addr)

        soh = nt_header.OptionalHeader.SizeOfHeaders
        header = addr_space.zread(base_addr, soh)
        yield (0, header)

        fa = nt_header.OptionalHeader.FileAlignment
        for sect in nt_header.get_sections(self._config.UNSAFE):
            foa = self.round(sect.PointerToRawData, fa)
            if foa != sect.PointerToRawData:
                debug.warning("Section start on disk not aligned to file alignment.\n")
                debug.warning("Adjusted section start from {0} to {1}.\n".format(sect.PointerToRawData, foa))
            yield self.get_code(addr_space,
                                sect.VirtualAddress + base_addr,
                                sect.SizeOfRawData, foa)

class ProcMemDump(ProcExeDump):
    """Dump a process to an executable memory sample"""

    def replace_header_field(self, sect, header, item, value):
        """Replaces a field in a section header"""
        field_size = item.size()
        start = item.obj_offset - sect.obj_offset
        end = start + field_size
        newval = struct.pack(item.format_string, int(value))
        result = header[:start] + newval + header[end:]
        return result

    def get_image(self, addr_space, base_addr):
        """Outputs an executable memory image of a process"""
        nt_header = self.get_nt_header(addr_space, base_addr)

        sa = nt_header.OptionalHeader.SectionAlignment
        shs = addr_space.profile.get_obj_size('_IMAGE_SECTION_HEADER')

        yield self.get_code(addr_space, base_addr, nt_header.OptionalHeader.SizeOfImage, 0)

        # Each section's in-memory size is the distance to the next section;
        # the last one is its VirtualSize rounded up to the section alignment
        prevsect = None
        sect_sizes = []
        for sect in nt_header.get_sections(self._config.UNSAFE):
            if prevsect is not None:
                sect_sizes.append(sect.VirtualAddress - prevsect.VirtualAddress)
            prevsect = sect
        if prevsect is not None:
            sect_sizes.append(self.round(prevsect.Misc.VirtualSize, sa, up = True))

        counter = 0
        start_addr = nt_header.FileHeader.SizeOfOptionalHeader + (nt_header.OptionalHeader.obj_offset - base_addr)
        for sect in nt_header.get_sections(self._config.UNSAFE):
            sectheader = addr_space.read(sect.obj_offset, shs)
            # Change the PointerToRawData
            sectheader = self.replace_header_field(sect, sectheader, sect.PointerToRawData, sect.VirtualAddress)
            sectheader = self.replace_header_field(sect, sectheader, sect.SizeOfRawData, sect_sizes[counter])
            sectheader = self.replace_header_field(sect, sectheader, sect.Misc.VirtualSize, sect_sizes[counter])
            yield (start_addr + (counter * shs), sectheader)
            counter += 1

volatility-2.3.1/volatility/plugins/dlldump.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# Additional Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import os
import re
import volatility.plugins.procdump as procdump
import volatility.win32.tasks as tasks
import volatility.debug as debug
import volatility.utils as utils
import volatility.cache as cache

class DLLDump(procdump.ProcExeDump):
    """Dump DLLs from a process address space"""

    def __init__(self, config, *args, **kwargs):
        procdump.ProcExeDump.__init__(self, config, *args, **kwargs)
        config.remove_option("OFFSET")
        config.add_option('REGEX', short_option = 'r',
                          help = 'Dump dlls matching REGEX',
                          action = 'store', type = 'string')
        config.add_option('IGNORE-CASE', short_option = 'i',
                          help = 'Ignore case in pattern match',
                          action = 'store_true', default = False)
        config.add_option('OFFSET', short_option = 'o', default = None,
                          help = 'Dump DLLs for Process with physical address OFFSET',
                          action = 'store', type = 'int')
        config.add_option('BASE', short_option = 'b', default = None,
                          help = 'Dump DLLS at the specified BASE offset in the process address space',
                          action = 'store', type = 'int')

    @cache.CacheDecorator(lambda self: "tests/dlldump/regex={0}/ignore_case={1}/offset={2}/base={3}".format(self._config.REGEX, self._config.IGNORE_CASE, self._config.OFFSET, self._config.BASE))
    def calculate(self):
        addr_space = utils.load_as(self._config)

        if self._config.OFFSET != None:
            data = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
        else:
            data = self.filter_tasks(tasks.pslist(addr_space))

        if self._config.REGEX:
            try:
                if self._config.IGNORE_CASE:
                    mod_re = re.compile(self._config.REGEX, re.I)
                else:
                    mod_re = re.compile(self._config.REGEX)
            except re.error, e:
                debug.error('Error parsing regular expression: %s' % e)

        for proc in data:
            ps_ad = proc.get_process_address_space()
            if ps_ad == None:
                continue

            mods = dict((mod.DllBase.v(), mod) for mod in proc.get_load_modules())

            if self._config.BASE:
                if mods.has_key(self._config.BASE):
                    mod_name = mods[self._config.BASE].BaseDllName
                else:
                    mod_name = "UNKNOWN"
                yield proc, ps_ad, int(self._config.BASE), mod_name
            else:
                for mod in mods.values():
                    if self._config.REGEX:
                        if not mod_re.search(str(mod.FullDllName or '')) and not mod_re.search(str(mod.BaseDllName or '')):
                            continue
                    yield proc, ps_ad, mod.DllBase.v(), mod.BaseDllName

    def render_text(self, outfd, data):
        if self._config.DUMP_DIR == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        self.table_header(outfd,
                          [("Process(V)", "[addrpad]"),
                           ("Name", "20"),
                           ("Module Base", "[addrpad]"),
                           ("Module Name", "20"),
                           ("Result", "")])

        for proc, ps_ad, mod_base, mod_name in data:
            if not ps_ad.is_valid_address(mod_base):
                result = "Error: DllBase is paged"
            else:
                process_offset = ps_ad.vtop(proc.obj_offset)
                dump_file = "module.{0}.{1:x}.{2:x}.dll".format(proc.UniqueProcessId, process_offset, mod_base)
                result = self.dump_pe(ps_ad, mod_base, dump_file)
            self.table_row(outfd,
                           proc.obj_offset,
                           proc.ImageFileName,
                           mod_base,
                           str(mod_name or ''),
                           result)

volatility-2.3.1/volatility/plugins/getservicesids.py
# Volatility
# Copyright (C) 2011-2013 Volatility Foundation
# Copyright (C) 2011 Jamie Levy (Gleeda)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
# """ @author: Jamie Levy (Gleeda) @license: GNU General Public License 2.0 @contact: jamie.levy@gmail.com @organization: Volatility Foundation """ import volatility.win32.rawreg as rawreg import volatility.debug as debug import volatility.plugins.registry.registryapi as registryapi import volatility.plugins.common as common import hashlib import struct # This is a dictionary of default services from Vista+ machines servicesids = { 'S-1-5-80-3476726845-1218940557-3240126423-1396283824-3706223860': '.NET CLR Data', 'S-1-5-80-3749761688-76038143-2425834820-4129736068-309120712': '.NET CLR Networking', 'S-1-5-80-603392709-3706100282-1779817366-3290147925-2109454977': '.NET Data Provider for Oracle', 'S-1-5-80-1168016597-2140435647-491797002-352772175-817350590': '.NET Data Provider for SqlServer', 'S-1-5-80-255220978-1106536095-1636044468-311807000-281316439': '.NETFramework', 'S-1-5-80-799694863-4024754253-4060439485-3284853837-2852070736': '1394ohci', 'S-1-5-80-550892281-1246201444-2906082186-2301917840-2280485454': 'ACPI', 'S-1-5-80-2750316143-92726786-3671103447-4285640526-595803658': 'AcpiPmi', 'S-1-5-80-4277731759-3688284049-1726419820-405794046-874834352': 'adp94xx', 'S-1-5-80-1668430318-2462354215-3771841206-4231263990-2365432302': 'adpahci', 'S-1-5-80-1558789706-915067316-2610504951-4085128407-2746609837': 'adpu320', 'S-1-5-80-2580340827-1408356417-1236233457-3361088231-1362281560': 'adsi', 'S-1-5-80-1452425288-2709461340-3274533413-2407537074-986069024': 'AeLookupSvc', 'S-1-5-80-958185937-3813565417-3041720555-255702914-2218388865': 'AFD', 'S-1-5-80-1478021307-2683864309-2840291008-2654641652-1914939368': 'agp440', 'S-1-5-80-2964793103-1312530465-1873688160-795174673-2945876561': 'aic78xx', 'S-1-5-80-2387347252-3645287876-2469496166-3824418187-3586569773': 'ALG', 'S-1-5-80-1587539839-2488332913-1287008632-3751426284-4220573165': 'aliide', 'S-1-5-80-2808999507-317517852-2612044860-3916887390-3713671788': 'amdagp', 
'S-1-5-80-4100430975-1934021090-490597466-3817433801-2954987127': 'amdide', 'S-1-5-80-2291534435-3322220689-2735625597-3465650106-1340236923': 'AmdK8', 'S-1-5-80-4046459391-4016695280-780100908-1621843708-2839135617': 'AmdPPM', 'S-1-5-80-1967003600-1747618720-202510732-1118110944-2056302645': 'amdsata', 'S-1-5-80-3946629880-3877146532-1020811794-3209710663-3707805237': 'amdsbs', 'S-1-5-80-2663151763-304964558-3327380674-1150567875-3378868591': 'amdxata', 'S-1-5-80-4206070390-3011771559-4179333097-3486196663-2896243697': 'AppID', 'S-1-5-80-2078495744-2416903469-4072184685-3943858305-976987417': 'AppIDSvc', 'S-1-5-80-1345931346-2714066941-3624776837-1617505694-3927660246': 'Appinfo', 'S-1-5-80-3213379692-3546485254-1309469428-3810262102-2442199571': 'AppMgmt', 'S-1-5-80-2586396289-3967100905-3140788560-3910242148-3554126937': 'arc', 'S-1-5-80-4275531960-1601664531-2254151532-3075236607-956726506': 'arcsas', 'S-1-5-80-3772676405-1029441937-3739550121-1000989080-3364480489': 'AsyncMac', 'S-1-5-80-3126347352-2401679295-1536073615-3396758597-3783091149': 'atapi', 'S-1-5-80-1580948945-3239616721-2529237571-3761093093-1214243633': 'AudioEndpointBuilder', 'S-1-5-80-2676549577-1911656217-2625096541-4178041876-1366760775': 'Audiosrv', 'S-1-5-80-1058592404-331734164-3167594226-3910907650-1299295147': 'AxInstSV', 'S-1-5-80-1401731874-3996074688-1963706087-3130220608-1140295258': 'b06bdrv', 'S-1-5-80-528874604-3378394362-3426265968-3876211711-2956305666': 'b57nd60x', 'S-1-5-80-2490514847-2461341327-10008697-1811907875-602803682': 'BattC', 'S-1-5-80-2962817144-200689703-2266453665-3849882635-1986547430': 'BDESVC', 'S-1-5-80-3186183977-1861961257-3523979229-167170737-1516062821': 'Beep', 'S-1-5-80-1383147646-27650227-2710666058-1662982300-1023958487': 'BFE', 'S-1-5-80-864916184-135290571-3087830041-1716922880-4237303741': 'BITS', 'S-1-5-80-3199704608-2688121514-1535149675-608666402-3313731745': 'blbdrive', 'S-1-5-80-26818074-245702967-483560604-1005139437-3076944027': 'bowser', 
'S-1-5-80-1926592986-1411939489-3259133927-4064956769-2216240612': 'BrFiltLo', 'S-1-5-80-3843808474-1199403037-3395254522-1605808544-3221186762': 'BrFiltUp', 'S-1-5-80-764937145-223273921-1726433829-265908364-3948077829': 'Browser', 'S-1-5-80-3715020542-2003794336-3716799247-4001019941-1245790858': 'Brserid', 'S-1-5-80-4014097382-2743177720-3750454595-1699596626-866516122': 'BrSerWdm', 'S-1-5-80-1195671069-1048138941-897119314-1432864274-834752102': 'BrUsbMdm', 'S-1-5-80-1736549233-1399426098-2600293700-2473969234-3259996387': 'BrUsbSer', 'S-1-5-80-505608135-4274227953-3632766965-1888639892-3184055934': 'BTHMODEM', 'S-1-5-80-1409084391-1870647740-2731517552-2815089321-2189562539': 'BTHPORT', 'S-1-5-80-2586557155-168560303-1373426920-983201488-1499765686': 'bthserv', 'S-1-5-80-3223837281-1527595016-2901219760-1358189227-808820507': 'cdfs', 'S-1-5-80-364680967-1232085744-2960737863-915504889-2752576923': 'cdrom', 'S-1-5-80-3256172449-2363790065-3617575471-4144056108-756904704': 'CertPropSvc', 'S-1-5-80-4066704878-4231214995-2335031091-3527122690-1574766183': 'circlass', 'S-1-5-80-1506673549-1532669541-769420574-1605323189-863873827': 'CLFS', 'S-1-5-80-776041216-1751974135-1557427478-1892253070-796752000': 'clr_optimization_v2.0.50727_32', 'S-1-5-80-452204072-1743664639-1560983493-2640850116-597529692': 'CmBatt', 'S-1-5-80-979911607-31916023-2827320217-2656655436-259985251': 'cmdide', 'S-1-5-80-3573738861-3694853854-361022443-2442358023-2743921644': 'CNG', 'S-1-5-80-3960644792-2999129865-644014482-29643289-3842828219': 'Compbatt', 'S-1-5-80-832194277-1022982267-2217674263-2896671990-3011983110': 'CompositeBus', 'S-1-5-80-593875016-1044814911-1112741138-2143646632-2690613739': 'COMSysApp', 'S-1-5-80-3158764370-1001901224-1854525633-1718604346-2756706540': 'crcdisk', 'S-1-5-80-3747264324-1669729390-1715156009-1010652712-2439569381': 'Crusoe', 'S-1-5-80-3020380856-1381845346-309829523-1810616773-418643442': 'crypt32', 
'S-1-5-80-242729624-280608522-2219052887-3187409060-2225943459': 'CryptSvc', 'S-1-5-80-3601020880-2087999432-167179594-730776211-2997520967': 'CSC', 'S-1-5-80-1987853863-1639573247-1110726908-1137832616-3599624523': 'CscService', 'S-1-5-80-1564160128-141119064-743480990-78466790-746535033': 'DCLocator', 'S-1-5-80-1601830629-990752416-3372939810-977361409-3075122917': 'DcomLaunch', 'S-1-5-80-654447679-1163530548-981569129-3608673666-3128964045': 'defragsvc', 'S-1-5-80-3837255464-839197112-3211601036-3795322556-2690640524': 'DfsC', 'S-1-5-80-1267473060-1890374259-1137250836-544356534-2546457154': 'DFSR', 'S-1-5-80-2940520708-3855866260-481812779-327648279-1710889582': 'Dhcp', 'S-1-5-80-2142581517-3954605861-2373846864-2138305209-1019737370': 'discache', 'S-1-5-80-1827140278-1118305254-4004251663-1512899043-4081885502': 'Disk', 'S-1-5-80-859482183-879914841-863379149-1145462774-2388618682': 'Dnscache', 'S-1-5-80-3787436395-2174616005-3003730137-1094982900-1570567328': 'dot3svc', 'S-1-5-80-2970612574-78537857-698502321-558674196-1451644582': 'DPS', 'S-1-5-80-338020179-181244551-1629881386-919369987-4169324252': 'drmkaud', 'S-1-5-80-3820654016-1545322283-1804062181-1022271772-3696306321': 'DXGKrnl', 'S-1-5-80-2212058837-3965059022-779215765-3282659977-917192320': 'E1G60', 'S-1-5-80-3578261754-285310837-913589462-2834155770-667502746': 'EapHost', 'S-1-5-80-2437473203-2648204866-3612751994-635271166-3967841232': 'Ecache', 'S-1-5-80-1191957972-1903257272-3657591267-1787121440-2523964525': 'ebdrv', 'S-1-5-80-730263862-4055390735-403826019-1175694336-1277635259': 'EFS', 'S-1-5-80-567955335-3455378119-3305749985-2554534624-1867504835': 'ehRecvr', 'S-1-5-80-3864065939-1897331054-469427076-3133256761-1570309435': 'ehSched', 'S-1-5-80-2913099195-3001839937-1914692661-1563395363-459793767': 'ehstart', 'S-1-5-80-3118383011-3159412168-3368304685-4081854189-1392756948': 'elxstor', 'S-1-5-80-1436322865-2295268783-31549072-3549518694-69512146': 'EmdCache', 
'S-1-5-80-557382581-4103702789-1349398007-826115979-1301810884': 'EMDMgmt', 'S-1-5-80-1580004045-3657569029-3054886754-3760858607-1347140441': 'ErrDev', 'S-1-5-80-1163726475-4032819940-2637749356-1655080563-3495319901': 'ESENT', 'S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122': 'eventlog', 'S-1-5-80-1772571935-1555666882-3369284645-1675012128-2386634627': 'EventSystem', 'S-1-5-80-339744372-1785209941-194342311-2969164887-2874010346': 'exfat', 'S-1-5-80-3825849991-4144931059-247537738-1429287757-2349637904': 'fastfat', 'S-1-5-80-2117685068-4011115449-2646761356-2137676340-222423812': 'Fax', 'S-1-5-80-678085088-615808128-1967178352-3804608619-208504977': 'fdc', 'S-1-5-80-364023826-931424190-487969545-1024119571-74567675': 'fdPHost', 'S-1-5-80-3215268152-2863950836-530904203-4246843131-2183915461': 'FDResPub', 'S-1-5-80-3048209083-3162952562-941345871-1437532549-835501875': 'FileInfo', 'S-1-5-80-1352441077-2188484239-1994186818-620473926-3758853310': 'Filetrace', 'S-1-5-80-2678475722-3718149211-1393662077-3558562392-2203603517': 'flpydisk', 'S-1-5-80-916285479-1714977700-1732101595-331036679-1735462769': 'FltMgr', 'S-1-5-80-3655275221-2954682349-3644260495-855223267-1438849333': 'FontCache', 'S-1-5-80-3782458156-2098404076-3767342964-3617937256-1389734963': 'FontCache3.0.0.0', 'S-1-5-80-4244156434-496195918-1908400060-3754471672-3389379472': 'FsDepends', 'S-1-5-80-1638897150-273717933-3197303335-567190659-606579740': 'Fs_Rec', 'S-1-5-80-221025945-1494805562-2841517651-3196795133-192498206': 'fvevol', 'S-1-5-80-1150850083-1108777032-2236282716-3985597815-2701820264': 'gagp30kx', 'S-1-5-80-2024188204-2445810227-898691311-2942020084-762398166': 'gpsvc', 'S-1-5-80-2384017851-2441776339-3346382083-2430645704-3475981877': 'hcw85cir', 'S-1-5-80-2193151998-1100362924-2192368770-2985476713-896696503': 'HDAudBus', 'S-1-5-80-1648434057-4219984261-1802816958-334501717-1769477291': 'HidBatt', 'S-1-5-80-191977210-1053814073-2805336524-1775407748-120039257': 'HidBth', 
'S-1-5-80-498696395-104441048-3395182230-3082814586-1375447691': 'HidIr', 'S-1-5-80-89818136-74175777-88572358-3912780041-2421659406': 'hidserv', 'S-1-5-80-1586586559-167648910-1414982260-3863830924-1724542190': 'HidUsb', 'S-1-5-80-1373701630-3910968185-3388013410-2492353-937432973': 'hkmsvc', 'S-1-5-80-2291748755-1591405548-1905550586-2340871825-1258388485': 'HpCISSs', 'S-1-5-80-4028305664-2774326660-44957573-2454826285-2129126537': 'HomeGroupListener', 'S-1-5-80-2620923248-4247863784-3378508180-2659151310-2535246811': 'HomeGroupProvider', 'S-1-5-80-3952044490-1864224763-1322162546-396143671-1619397437': 'HpSAMD', 'S-1-5-80-3734987283-965611577-2130035942-3636592211-2616856863': 'HTTP', 'S-1-5-80-970016657-3034632851-3048190821-4182690298-3323420226': 'i2omp', 'S-1-5-80-3096896632-2411553352-2084109408-2930423838-4282791216': 'hwpolicy', 'S-1-5-80-738727139-3255065492-2264176241-1836141076-1899426695': 'i8042prt', 'S-1-5-80-1156567179-1019273932-444819734-1772733284-2107707318': 'iaStorV', 'S-1-5-80-2984992224-2588614340-2167448307-2303456600-125847566': 'idsvc', 'S-1-5-80-3218395955-317132717-2440444880-267201483-2700625476': 'iirsp', 'S-1-5-80-698886940-375981264-2691324669-2937073286-3841916615': 'IKEEXT', 'S-1-5-80-3217419572-1740605331-1127140686-2317006352-2064317000': 'inetaccs', 'S-1-5-80-3664101217-2276051299-423734030-2746486177-2766044424': 'intelide', 'S-1-5-80-817570274-767070440-2629795609-3336305482-1678804590': 'intelppm', 'S-1-5-80-2506443892-94066030-1663014834-2885971264-4189966690': 'IPBusEnum', 'S-1-5-80-2750735467-3008441591-3989401642-3215998983-1344927289': 'IpFilterDriver', 'S-1-5-80-62724632-2456781206-3863850748-1496050881-1042387526': 'iphlpsvc', 'S-1-5-80-1361160473-1867727628-1338406996-3302040194-2851723982': 'IpInIp', 'S-1-5-80-2771164118-4094026282-2266286801-3306161409-3436440840': 'IPMIDRV', 'S-1-5-80-2368102602-26431353-856636621-1497418614-482242802': 'IPNAT', 'S-1-5-80-433158070-3235422099-1317741036-1922328546-1834106188': 
'IRENUM', 'S-1-5-80-1308614567-1511795785-2741360970-8197000-3264788676': 'isapnp', 'S-1-5-80-1446792217-3918178545-2165441202-3760590537-1875255596': 'iScsiPrt', 'S-1-5-80-2249099846-2157059493-1994460756-1924820827-2369096692': 'iteatapi', 'S-1-5-80-750512324-770881543-4197932906-3645560491-3779161573': 'iteraid', 'S-1-5-80-1974511938-2400693546-1685170019-203554928-1466978163': 'kbdclass', 'S-1-5-80-3058542000-3285469617-40650340-3734485625-1920508542': 'kbdhid', 'S-1-5-80-1206118541-1677721718-2423781911-3372378849-3903984073': 'KeyIso', 'S-1-5-80-3810688523-3855579666-1860693470-2666993558-46302070': 'KSecDD', 'S-1-5-80-638937566-1168471176-3064579757-2631269312-170126454': 'KSecPkg', 'S-1-5-80-2818357584-3387065753-4000393942-342927828-138088443': 'KtmRm', 'S-1-5-80-879696042-2351668846-370232824-2524288904-4023536711': 'LanmanServer', 'S-1-5-80-719998295-2833700043-1566817583-4093942769-1414026312': 'LanmanWorkstation', 'S-1-5-80-3356507721-3148410333-1453554623-2317622189-363686743': 'ldap', 'S-1-5-80-1339741203-2503426401-303705627-250156843-1210515524': 'lltdio', 'S-1-5-80-940647296-341435850-43817331-158078607-2483727905': 'lltdsvc', 'S-1-5-80-172094073-716411664-54255058-185476446-2329512179': 'lmhosts', 'S-1-5-80-1037107160-813189200-1860894220-2610408748-1807657940': 'Lsa', 'S-1-5-80-973905250-3368826558-2408393701-2645888229-3042295110': 'LSI_FC', 'S-1-5-80-3066312493-2787136058-3895654580-111488809-2262703568': 'LSI_SAS', 'S-1-5-80-935126585-3333887566-2369146147-2658756633-3860083864': 'LSI_SAS2', 'S-1-5-80-702453548-2563122194-4165184037-877730421-2039909086': 'LSI_SCSI', 'S-1-5-80-381203785-1552481550-3565819581-4159540168-38965703': 'luafv', 'S-1-5-80-3770938798-2726624435-2075025292-3280341113-3618470894': 'Mcx2Svc', 'S-1-5-80-1503963800-3543347063-2443146678-2767313893-605308357': 'megasas', 'S-1-5-80-4024713676-1017792628-381990976-3540878265-1306153904': 'MegaSR', 'S-1-5-80-2799810402-4136494038-1094338311-2889966999-3154753985': 'MMCSS', 
'S-1-5-80-2005225957-2795451222-469338742-3947262705-2044891099': 'Modem', 'S-1-5-80-4207690787-1085901060-2295361997-2227230598-1253819078': 'monitor', 'S-1-5-80-675551267-1826535266-117093185-28668227-296166608': 'mouclass', 'S-1-5-80-3854853272-3832246511-1244659077-3165440039-2262758429': 'mouhid', 'S-1-5-80-3601998905-441174471-4117363912-32772110-2632366064': 'mountmgr', 'S-1-5-80-4261667920-1220466518-1749771309-2316901739-273317064': 'mpio', 'S-1-5-80-3142377179-3443479297-2149323391-1756545698-484011292': 'mpsdrv', 'S-1-5-80-3088073201-1464728630-1879813800-1107566885-823218052': 'MpsSvc', 'S-1-5-80-2250298043-1491746124-3447101336-2334414474-2555807208': 'Mraid35x', 'S-1-5-80-2688027615-1506195528-3802338144-777155390-618458321': 'MRxDAV', 'S-1-5-80-2162099894-1456621096-2119874347-3743340265-2368304946': 'mrxsmb', 'S-1-5-80-2676550360-252586896-1701879715-2742386574-1171030092': 'mrxsmb10', 'S-1-5-80-3970894941-767821303-4047113619-2738918178-2351404876': 'mrxsmb20', 'S-1-5-80-276420989-3971400029-4249224515-3588854300-972083571': 'msahci', 'S-1-5-80-827450036-3359053657-3286484322-221598818-2985401197': 'msdsm', 'S-1-5-80-3960419045-2460139048-4046793004-1809597027-2250574426': 'MSDTC', 'S-1-5-80-1515650939-3601430262-2496924429-640160050-3998290523': 'MSDTC Bridge 3.0.0.0', 'S-1-5-80-3825916667-3375043415-3384654478-3177665693-2200644784': 'Msfs', 'S-1-5-80-4064639957-1408283007-2091294018-2122350837-1986927883': 'mshidkmdf', 'S-1-5-80-537088188-2896597613-2307397767-3752262660-2081934664': 'msisadrv', 'S-1-5-80-917953661-2020045820-2727011118-2260243830-4032185929': 'MSiSCSI', 'S-1-5-80-685333868-2237257676-1431965530-1907094206-2438021966': 'msiserver', 'S-1-5-80-1314579368-1827054856-3801607513-4137797117-3785845944': 'MSKSSRV', 'S-1-5-80-3515336427-2373706795-1189292716-3451446183-2383180522': 'MSPCLOCK', 'S-1-5-80-2550581486-1497628998-1973453189-3108482975-2816921478': 'MSPQM', 'S-1-5-80-4273119239-1126992662-2069961181-78804100-786965295': 
'MsRPC', 'S-1-5-80-2731410647-2404537004-1422510964-3385838496-1398925663': 'MSSCNTRS', 'S-1-5-80-2379877105-2122874852-2028670630-1350450415-3977667049': 'mssmbios', 'S-1-5-80-294111013-494549581-4136661504-3518049416-761106507': 'MSTEE', 'S-1-5-80-772196467-3194495650-2141286422-1986870660-3602995159': 'MTConfig', 'S-1-5-80-2851636321-923882121-3805946377-1773657562-2703951580': 'Mup', 'S-1-5-80-2006800713-1441093265-249754844-3404434343-1444102779': 'napagent', 'S-1-5-80-3451137062-797777108-3464068327-231871278-2024511519': 'NativeWifiP', 'S-1-5-80-2183409222-222800135-1539000935-3109909370-1207982808': 'NDIS', 'S-1-5-80-1310191460-362243386-72972191-123604350-1188038626': 'NdisCap', 'S-1-5-80-3307576507-4040802919-832577921-47721884-821370673': 'NdisTapi', 'S-1-5-80-2426641292-1095310648-1538795067-2456674997-547968854': 'Ndisuio', 'S-1-5-80-3137956796-3050520361-1309400342-955303752-3583020413': 'NdisWan', 'S-1-5-80-3999445478-1493703614-491198216-2250085872-3662815299': 'NDProxy', 'S-1-5-80-298519744-3326885196-200884095-1345730765-1206919721': 'NetBIOS', 'S-1-5-80-3481163626-3922336224-2171110286-845444925-873416656': 'NetBT', 'S-1-5-80-1589317753-1926951874-3424712441-2302911845-2572860984': 'Netlogon', 'S-1-5-80-2898649604-2335086160-1904548223-3761738420-3855444835': 'Netman', 'S-1-5-80-3635958274-2059881490-2225992882-984577281-633327304': 'netprofm', 'S-1-5-80-1773860938-1487242074-882566118-4272343956-2175834232': 'NetTcpPortSharing', 'S-1-5-80-3739586395-593861784-2557645679-4197025642-341497066': 'nfrd960', 'S-1-5-80-3141615172-2057878085-1754447212-2405740020-3916490453': 'NlaSvc', 'S-1-5-80-1093399993-2276725296-2148262981-2274078422-4284582767': 'Npfs', 'S-1-5-80-2310782386-4237065203-3688974353-390202159-3511571085': 'nsi', 'S-1-5-80-4100249314-4086313984-28913695-873679419-2144728263': 'nsiproxy', 'S-1-5-80-1664281202-2302623734-631624840-3461998672-2259661997': 'NTDS', 'S-1-5-80-1256884789-1691082103-446998474-1367286246-1639025938': 'Ntfs', 
'S-1-5-80-2470698091-2858014709-2643764839-982706939-3434751516': 'ntrigdigi', 'S-1-5-80-2407861648-785230825-3529290450-2326204529-1810679516': 'Null', 'S-1-5-80-3495072887-919096479-2204902451-1048921326-800355041': 'nvraid', 'S-1-5-80-3611874924-3178792031-3565391826-286563291-3680247785': 'nvstor', 'S-1-5-80-2661219475-1923594960-1294537542-2454943126-82436970': 'nv_agp', 'S-1-5-80-4169196349-563482612-2169411968-43761830-802868667': 'NwlnkFlt', 'S-1-5-80-1643415749-1981533051-3884744798-2669202348-601031005': 'NwlnkFwd', 'S-1-5-80-1196941233-2569882653-2923823926-962244991-4277418': 'ohci1394', 'S-1-5-80-967499406-1694984581-2959056265-2481940682-939264259': 'p2pimsvc', 'S-1-5-80-1971585524-2528565899-3324366483-1300752743-2325226580': 'p2psvc', 'S-1-5-80-3473791808-4104434288-1928902041-1743473672-1277326840': 'Parport', 'S-1-5-80-156989346-1343554423-902067029-1673992682-1866693543': 'partmgr', 'S-1-5-80-4196153372-502005009-1971508045-3354250645-3015555128': 'Parvdm', 'S-1-5-80-1948712186-1330865447-943413596-1669284603-1648638051': 'PcaSvc', 'S-1-5-80-2069178898-4023461412-1711560041-390887617-271771820': 'pci', 'S-1-5-80-4052642423-944120264-588619640-546327341-1110646568': 'pciide', 'S-1-5-80-2795309555-3957969320-2916397881-2593713121-382316838': 'pcmcia', 'S-1-5-80-59707871-3298565586-1716270302-948228651-1074156479': 'pcw', 'S-1-5-80-1570874813-103103538-3327933986-104584388-2119773521': 'PEAUTH', 'S-1-5-80-3124040864-3101396827-3094488734-3028845762-1939139329': 'PeerDistSvc', 'S-1-5-80-4023986828-1464965280-3211893748-414212150-4115790068': 'PerfDisk', 'S-1-5-80-2413971036-1590988147-3808667159-2204172745-1373631640': 'PerfNet', 'S-1-5-80-3515570427-2977692895-3762163048-1504969852-99088878': 'PerfOS', 'S-1-5-80-3544016446-4087985546-3773506770-1472693371-3235341583': 'PerfProc', 'S-1-5-80-2661322625-712705077-2999183737-3043590567-590698655': 'pla', 'S-1-5-80-1981970923-922788642-3535304421-2999920573-318732269': 'PlugPlay', 
'S-1-5-80-3141781312-1794533130-3616533224-2008760771-2116720301': 'PNRPAutoReg', 'S-1-5-80-372467825-374176116-1198570892-3192490889-1232022613': 'PNRPsvc', 'S-1-5-80-3044542841-3639452079-4096941652-1606687743-1256249853': 'PolicyAgent', 'S-1-5-80-4126081702-1836807445-3803306975-1029803806-2479180530': 'PortProxy', 'S-1-5-80-2343416411-2961288913-598565901-392633850-2111459193': 'Power', 'S-1-5-80-3735226416-1729687437-1959510470-190511368-398645692': 'PptpMiniport', 'S-1-5-80-3367479018-119754134-174380200-3035551807-2744700953': 'Processor', 'S-1-5-80-2422153244-111630262-1029994140-3645224535-4078427153': 'PROCEXP', 'S-1-5-80-3816717743-33564931-1112267079-3548917561-928358339': 'ProfSvc', 'S-1-5-80-656433041-336319937-100815201-2263438610-4002557366': 'ProtectedStorage', 'S-1-5-80-133730547-3458667493-930392497-3658715967-3359215708': 'Psched', 'S-1-5-80-1010784341-3590640432-2144716203-2371202623-2111191834': 'ql2300', 'S-1-5-80-3680784227-2138494325-1045417256-846249285-1494284974': 'ql40xx', 'S-1-5-80-1659118645-3148100556-861291880-3953320898-4045657812': 'QWAVE', 'S-1-5-80-3324762131-3390532780-137711907-1761928331-1932425801': 'QWAVEdrv', 'S-1-5-80-951069737-1097907447-3199478753-2018050253-2083677786': 'RasAcd', 'S-1-5-80-4022575210-2284560452-710265691-3594820739-387418549': 'RasAgileVpn', 'S-1-5-80-1802467488-1541022566-2033325545-854566965-652742428': 'RasAuto', 'S-1-5-80-1290287420-3502600185-382990664-1700026297-1337626153': 'Rasl2tp', 'S-1-5-80-4176366874-305252471-2256717057-2714189771-3552532790': 'RasMan', 'S-1-5-80-4122454071-3550668693-4211410744-1298358403-2272725717': 'RasPppoe', 'S-1-5-80-1331337031-2474836174-2661672254-391271513-2096420174': 'RasSstp', 'S-1-5-80-2489667-2470848582-3865645512-452901963-4178804252': 'rdbss', 'S-1-5-80-3687944073-3313860148-3136628839-3387249243-1709534714': 'rdpbus', 'S-1-5-80-2431288241-149984296-2543083935-4067350611-1975817884': 'RDPCDD', 
'S-1-5-80-981872547-3861006530-3984275202-4085961120-2027028908': 'RDPDD', 'S-1-5-80-23661045-4033652049-3526044993-1401805078-1749661838': 'RDPDR', 'S-1-5-80-3464459778-79086046-1894495498-3954672505-2750168721': 'RDPENCDD', 'S-1-5-80-191927475-3325244020-2133763035-2511185485-3827563125': 'RDPNP', 'S-1-5-80-1432111213-2818786930-2152807080-3377190559-901933699': 'RDPREFMP', 'S-1-5-80-1857653372-1313752195-3783661666-502273730-1171188227': 'RDPWD', 'S-1-5-80-3474873350-2412947251-3085823233-2315640422-3546857610': 'rdyboost', 'S-1-5-80-1954729425-4294152082-187165618-318331177-3831297489': 'RemoteAccess', 'S-1-5-80-2822507136-3601578665-1013168651-121944544-1825232178': 'RemoteRegistry', 'S-1-5-80-521322694-906040134-3864710659-1525148216-3451224162': 'RpcEptMapper', 'S-1-5-80-4056015446-1496461683-1723632270-3351149576-1119802320': 'RpcLocator', 'S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080': 'RpcSs', 'S-1-5-80-25112808-303066962-2306571906-3820953744-554449017': 'rspndr', 'S-1-5-80-3189092957-1825937568-2097962828-592273195-15751640': 's3cap', 'S-1-5-80-3453257571-682267348-3447719424-2810041157-893746920': 'SamSs', 'S-1-5-80-2172748946-1139208647-3745649895-1734051075-2323558886': 'sbp2port', 'S-1-5-80-1209419826-1829913269-3824447628-1153237837-3789837839': 'SCardSvr', 'S-1-5-80-3145502940-3408664484-1477142494-2517801300-3177717725': 'scfilter', 'S-1-5-80-4125092361-1567024937-842823819-2091237918-836075745': 'Schedule', 'S-1-5-80-1691538513-4084330536-1620899472-1113280783-3554754292': 'SCPolicySvc', 'S-1-5-80-2983134835-1185273323-1712700529-1489848661-2325612824': 'SDRSVC', 'S-1-5-80-1722176216-3611007545-3657005850-3814612847-1080390000': 'secdrv', 'S-1-5-80-1399994486-219206332-302438500-304602034-1537790326': 'seclogon', 'S-1-5-80-4259241309-1822918763-1176128033-1339750638-3428293995': 'SENS', 'S-1-5-80-3168472476-176724102-2968832672-2340942973-2241613192': 'SensrSvc', 'S-1-5-80-1658387481-2925800327-3198882180-3147662777-2274689045': 
'Serenum', 'S-1-5-80-3562253942-857828347-2712713407-944836455-3636585461': 'Serial', 'S-1-5-80-3369720968-4228855631-3683183521-2094993598-1022421131': 'sermouse', 'S-1-5-80-675414407-775065359-1035864904-999747831-2072146957': 'ServiceModelEndpoint 3.0.0.0', 'S-1-5-80-1904953591-2738210791-1061154185-3936071259-221446881': 'ServiceModelOperation 3.0.0.0', 'S-1-5-80-297390187-2405189348-2222284465-2989988878-4218767654': 'ServiceModelService 3.0.0.0', 'S-1-5-80-4022436659-1090538466-1613889075-870485073-3428993833': 'SessionEnv', 'S-1-5-80-1220365695-3871163487-2301282001-885120026-718998505': 'sffdisk', 'S-1-5-80-1593449009-2408870187-1077724223-1518188577-3728252823': 'sffp_mmc', 'S-1-5-80-1659054941-531967795-1983128084-3748020815-2241757750': 'sffp_sd', 'S-1-5-80-1407380289-3518059920-3931497022-2754447733-2222417609': 'sfloppy', 'S-1-5-80-2009329905-444645132-2728249442-922493431-93864177': 'SharedAccess', 'S-1-5-80-1690854464-3758363787-3981977099-3843555589-1401248062': 'ShellHWDetection', 'S-1-5-80-2037654479-150732571-4235160932-1988269395-3027078133': 'sisagp', 'S-1-5-80-2290943609-1211775869-3660739483-1432647055-1639441565': 'SiSRaid2', 'S-1-5-80-1016766434-4163349990-2054491751-1265000292-413406215': 'SiSRaid4', 'S-1-5-80-2119565420-4155874467-2934723793-509086461-374458824': 'slsvc', 'S-1-5-80-429025866-4105586292-427562881-1309981334-1060966148': 'SLUINotify', 'S-1-5-80-97513841-1071082959-3069755588-526311685-2961431215': 'Smb', 'S-1-5-80-2400470686-1781479961-2091307112-2920730856-2901594176': 'SMSvcHost 3.0.0.0', 'S-1-5-80-3964583643-2633443559-2834438935-3739664028-1580655619': 'SNMPTRAP', 'S-1-5-80-2246094146-3761615012-3991572358-959820157-1291755210': 'spldr', 'S-1-5-80-3951239711-1671533544-1416304335-3763227691-3930497994': 'Spooler', 'S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628': 'sppsvc', 'S-1-5-80-2105443381-1869407242-828286827-1344996006-2512971347': 'sppuinotify', 
'S-1-5-80-3318989984-2647182497-3022510041-1919214433-3551303480': 'srv', 'S-1-5-80-1034188721-156321652-2901307485-3049929104-2850741453': 'srv2', 'S-1-5-80-385674269-2427993094-4248660116-187565782-2803330530': 'srvnet', 'S-1-5-80-486568272-975562994-1883531608-2732234258-332540751': 'SSDPSRV', 'S-1-5-80-3435701886-799518250-3791383489-3228296122-2938884314': 'SstpSvc', 'S-1-5-80-2502136977-515215333-1091199184-4078967732-698071891': 'stexstor', 'S-1-5-80-3182985763-1431228038-2757062859-428472846-3914011746': 'StiSvc', 'S-1-5-80-3877927215-2009774003-1789373229-1350139498-1490546062': 'storflt', 'S-1-5-80-3355894222-2288616474-3163838539-1515771758-43395969': 'StorSvc', 'S-1-5-80-2227193670-1472088527-4216801891-1255609005-3742950393': 'storvsc', 'S-1-5-80-2499453150-1816575225-2698105218-861119070-2299588587': 'swenum', 'S-1-5-80-1614360071-3471039648-1078047007-3707138327-1664821506': 'swprv', 'S-1-5-80-3277458932-3608563558-2424252742-1006353051-3439664691': 'Symc8xx', 'S-1-5-80-714262929-1152213303-426872964-3738532716-4000887735': 'Sym_hi', 'S-1-5-80-73616012-2741736120-1450548080-3749295283-3869351969': 'Sym_u3', 'S-1-5-80-2590341223-3996088049-3993122417-23640849-324535191': 'SysMain', 'S-1-5-80-949921180-3923668869-394927020-528789358-3592448931': 'TabletInputService', 'S-1-5-80-4230913304-2206818457-801678004-120036174-1892434133': 'TapiSrv', 'S-1-5-80-4167276341-681140529-2035857140-584847688-708058301': 'TBS', 'S-1-5-80-2869215396-3426808149-752611693-425565463-2833823703': 'Tcpip', 'S-1-5-80-842221325-3630721446-2015653073-424833842-1069621030': 'TCPIP6', 'S-1-5-80-1243767512-207181711-1639953288-846964026-179032965': 'TCPIP6TUNNEL', 'S-1-5-80-183440435-3873164873-1814133288-2746138770-1127128543': 'tcpipreg', 'S-1-5-80-517380867-1805075581-15937331-3649701458-2279870393': 'TCPIPTUNNEL', 'S-1-5-80-1205525636-1316560639-1871536985-2915653626-3847227622': 'TDPIPE', 'S-1-5-80-2653571336-860310240-1707811817-3246300807-2032786575': 'TDTCP', 
'S-1-5-80-1811008277-2130293716-2312968959-3698054739-726352487': 'tdx', 'S-1-5-80-600900383-3940208308-3622757659-1160125390-3717916961': 'TermDD', 'S-1-5-80-446051430-1559341753-4161941529-1950928533-810483104': 'TermService', 'S-1-5-80-1189432293-2777010110-2640223427-1344437502-1956879817': 'Themes', 'S-1-5-80-56840347-690487168-3179794702-1332568925-762031181': 'THREADORDER', 'S-1-5-80-537470750-3688389562-3749243086-269898693-579266445': 'TPAutoConnSvc', 'S-1-5-80-1495131930-2676463755-2136540566-1190107536-2533052015': 'TPVCGateway', 'S-1-5-80-768763963-4214222998-2156221936-2953597973-713500239': 'TrkWks', 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464': 'TrustedInstaller', 'S-1-5-80-602153688-1728218534-2156437410-2444491971-1703742505': 'TSDDD', 'S-1-5-80-3250179172-3414919659-2784612865-1947102831-1832745880': 'tssecsrv', 'S-1-5-80-3666930311-739912689-1101093007-1147922636-412121971': 'tunmp', 'S-1-5-80-3579196564-3960183121-2393617881-1570124860-2153905208': 'tunnel', 'S-1-5-80-3249175164-480052304-527258952-251146422-1017202920': 'uagp35', 'S-1-5-80-4290168682-2694755981-2883756118-2205499398-4079537721': 'udfs', 'S-1-5-80-2413584400-2834772909-3391057178-2993126719-4094614649': 'UGatherer', 'S-1-5-80-900581847-2069635957-4095211819-2149323943-1216697729': 'UGTHRSVC', 'S-1-5-80-997887591-2350776071-3817597635-4146973621-2526406719': 'UI0Detect', 'S-1-5-80-4194149548-235381792-2829184477-3934495640-667433095': 'uliagpkx', 'S-1-5-80-2051301031-3598501189-881763489-2611917303-2352103085': 'uliahci', 'S-1-5-80-4294381996-3573690956-4084941264-2318251564-135754816': 'UlSata', 'S-1-5-80-2849548708-3602852847-3953931013-1110249439-3333230880': 'ulsata2', 'S-1-5-80-3018007626-163191633-622627787-1206491734-2917835273': 'umbus', 'S-1-5-80-2029728201-2796881031-2302868875-2454600822-1203790938': 'UmPass', 'S-1-5-80-2014626298-1656748749-3847481816-918933055-2469338456': 'UmRdpService', 
'S-1-5-80-448846144-1414373772-1578130625-718576682-2306699751': 'upnphost', 'S-1-5-80-3724553804-53543757-2557641770-141295351-1687883918': 'usb', 'S-1-5-80-4022141922-741376770-3260236731-1675477288-3792235576': 'usbccgp', 'S-1-5-80-2601879200-4032607390-2815923362-3101623786-2213233685': 'usbcir', 'S-1-5-80-1032545752-2203350250-1701939687-317337126-3231707909': 'usbehci', 'S-1-5-80-676136802-2607101929-335774531-4135730467-913299484': 'usbhub', 'S-1-5-80-3434778094-456680973-2488395463-338906152-1015349184': 'usbohci', 'S-1-5-80-3620574345-1163766744-4010839292-3531329841-768311061': 'usbprint', 'S-1-5-80-376233901-499118290-773318279-1925188704-297947815': 'USBSTOR', 'S-1-5-80-2717376493-4290053016-2054941639-3048903775-1780974753': 'usbuhci', 'S-1-5-80-2815190569-4075358141-1041947382-2198045348-980246365': 'UxSms', 'S-1-5-80-2901324718-895851292-2096622302-170690027-1637913602': 'VaultSvc', 'S-1-5-80-2236596344-777810374-464678914-301799185-133794676': 'vdrvroot', 'S-1-5-80-2196396108-1448510645-203779624-3888580976-3789157697': 'vds', 'S-1-5-80-1636345116-1749775499-167646407-1402041886-784684825': 'vga', 'S-1-5-80-1604054522-1120073184-2766342441-3740248177-2194771659': 'VgaSave', 'S-1-5-80-2349230263-3936233330-585165183-483748113-2063106807': 'vhdmp', 'S-1-5-80-269018121-2628019534-3958128902-1689023713-3977233287': 'viaagp', 'S-1-5-80-702914695-4281403409-954615538-3988029004-192649218': 'ViaC7', 'S-1-5-80-3488702259-1115883433-1783531185-1350626685-2323838072': 'viaide', 'S-1-5-80-3414199520-1924951526-579304523-1555932441-262361574': 'vm3dmp', 'S-1-5-80-3316781363-2712907428-2579548995-1296955556-57435734': 'VMAUDIO', 'S-1-5-80-394042835-174396444-3357755573-789530950-2357907384': 'vmbus', 'S-1-5-80-3485585108-3288609388-3381644673-894183282-3425970148': 'VMBusHID', 'S-1-5-80-2053731399-3564616636-592537298-4187980385-3071434599': 'vmci', 'S-1-5-80-4081816966-3135276745-2345987325-2511854693-3099376874': 'vmdebug', 
'S-1-5-80-2844247271-1920892496-2185725435-2733799570-1491885128': 'vmhgfs', 'S-1-5-80-2713566713-2012099321-1704287870-164250842-2950185051': 'VMMEMCTL', 'S-1-5-80-616456234-2657522756-2692773202-1293725715-2143369223': 'vmmouse', 'S-1-5-80-470576323-3739623512-411527224-1524486745-930631467': 'vmrawdsk', 'S-1-5-80-994229404-1081919929-268374983-1858992150-4232923339': 'VMTools', 'S-1-5-80-3615470141-4057994987-1930054357-1444440834-2714780835': 'VMUpgradeHelper', 'S-1-5-80-3972256235-858188783-2536722634-3029314587-3393749697': 'vmvss', 'S-1-5-80-1570634675-3893565091-22195573-2267868061-2898682217': 'volmgr', 'S-1-5-80-2228288927-839465256-4097931996-4258784654-3424789253': 'volmgrx', 'S-1-5-80-2161309226-1540144261-2901834345-3792977468-1183436922': 'volsnap', 'S-1-5-80-1269120828-58111527-683397690-4062780901-3407528550': 'vsmraid', 'S-1-5-80-3195062495-2862850656-3724129271-1847284719-4038691091': 'VSS', 'S-1-5-80-4271242282-3170619077-2600330701-1558677754-1139114601': 'vwifibus', 'S-1-5-80-4267341169-2882910712-659946508-2704364837-2204554466': 'W32Time', 'S-1-5-80-989796750-4090848350-2040919084-978865222-2182970707': 'W3SVC', 'S-1-5-80-1272828037-3321607953-1682131387-4084423848-3273467238': 'WacomPen', 'S-1-5-80-145391760-3682396335-1395736941-2543690743-1822485816': 'WANARP', 'S-1-5-80-3957613141-1606606214-622769385-3049525404-2510868034': 'Wanarpv6', 'S-1-5-80-1549550529-11381693-4027442525-4081535042-2424139505': 'wbengine', 'S-1-5-80-1577343513-2244782562-3500840712-2807016722-4230555396': 'WbioSrvc', 'S-1-5-80-1555863574-1012459212-3842453055-37978308-1142448422': 'wcncsvc', 'S-1-5-80-4064017820-1559943312-846267769-2219870576-1957141527': 'WcsPlugInService', 'S-1-5-80-3405261312-3324525412-773550320-3159108954-1126011555': 'Wd', 'S-1-5-80-2731089040-2526960094-3333867314-868407530-1311763772': 'Wdf01000', 'S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420': 'WdiServiceHost', 
'S-1-5-80-3524758515-3090971750-345616940-2322499744-3530715838': 'WdiSystemHost', 'S-1-5-80-324959683-3395802011-921526492-919036580-1730255754': 'WebClient', 'S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517': 'Wecsvc', 'S-1-5-80-3594706986-2537596223-181334840-1741483385-1351671666': 'wercplsupport', 'S-1-5-80-3299868208-4286319593-1091140620-3583751967-1732444380': 'WerSvc', 'S-1-5-80-2019001281-2253379323-945087313-3738653069-3773415333': 'WfpLwf', 'S-1-5-80-4016954646-3779912912-520790876-2627662839-2216516612': 'WIMMount', 'S-1-5-80-1367312344-4235937835-3348187091-2947416599-1643272376': 'win32dd', 'S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736': 'WinDefend', 'S-1-5-80-3760743496-293058752-544796799-945139227-648175845': 'Windows Workflow Foundation 3.0.0.0', 'S-1-5-80-2455429942-3131183193-3617688776-595395669-3772047725': 'WinHttpAutoProxySvc', 'S-1-5-80-3750560858-172214265-3889451188-1914796615-4100997547': 'Winmgmt', 'S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970': 'WinRM', 'S-1-5-80-3758380775-581010763-2947690711-3499621892-3054972477': 'Winsock', 'S-1-5-80-197470898-1564017914-2276667423-138762734-2890991316': 'WinSock2', 'S-1-5-80-1428027539-3309602793-2678353003-1498846795-3763184142': 'Wlansvc', 'S-1-5-80-404760553-4074834012-3606039051-2170089041-3496108291': 'WmiAcpi', 'S-1-5-80-1672893355-2301755825-1450106782-2724904875-1401714515': 'WmiApRpl', 'S-1-5-80-1851371743-411767070-3743290205-1090512353-603110601': 'wmiApSrv', 'S-1-5-80-2375682873-768044350-3534595160-1005545032-2873800392': 'WMPNetworkSvc', 'S-1-5-80-2153317275-3787551921-2333987345-3394040919-509713777': 'WPCSvc', 'S-1-5-80-113310567-2163499630-2787090463-221477905-209227094': 'WPDBusEnum', 'S-1-5-80-1339864866-2803517768-580965624-1158720225-1206284216': 'ws2ifsl', 'S-1-5-80-3232712927-1625117661-2590453128-1738570065-3637376297': 'wscsvc', 'S-1-5-80-117416528-2204451360-1913602512-1355018040-1234992034': 'WSearch', 
    'S-1-5-80-1961591210-2878639619-2091680054-2529124376-3572759234': 'WSearchIdxPi',
    'S-1-5-80-1014140700-3308905587-3330345912-272242898-93311788': 'wuauserv',
    'S-1-5-80-69171120-2364612362-2758615892-3595098197-2063739924': 'WudfPf',
    'S-1-5-80-1839061227-813336325-324579571-4216704371-1399658985': 'WUDFRd',
    'S-1-5-80-2652678385-582572993-1835434367-1344795993-749280709': 'wudfsvc',
    'S-1-5-80-3981856537-581775623-1136376035-2066872258-409572886': 'WwanSvc',
    'S-1-5-80-2933569122-2468899862-1495779727-289297006-142656920': 'xmlprov',
}

def createservicesid(svc):
    """ Calculate the Service SID """
    uni = ''.join([c + '\x00' for c in svc])
    sha = hashlib.sha1(uni.upper()).digest() # pylint: disable-msg=E1101
    dec = list()
    for i in range(5):
        ## The use of struct here is OK. It doesn't make much sense
        ## to leverage obj.Object inside this loop.
        ## Each 4-byte slice of the digest is one little-endian sub-authority.
        dec.append(struct.unpack('<I', sha[i * 4 : i * 4 + 4])[0])
    return 'S-1-5-80-' + '-'.join([str(n) for n in dec])

#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
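The service SID derivation that createservicesid() performs, as an added Python 3 example (not part of the Volatility source, which targets Python 2). It checks the derivation against two rows of the table on this page and resolves observed SIDs from a candidate name list; the function names, the observed SID list and the candidate list are constructed for illustration, and service names are assumed to be ASCII.

```python
import hashlib
import struct

SERVICE_SID_PREFIX = "S-1-5-80"

# Two rows copied from the SID table on this page.
PAGE_TABLE_ROWS = {
    "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464": "TrustedInstaller",
    "S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736": "WinDefend",
}

# Constructed input: SIDs as they might be listed for a process token.
OBSERVED_SIDS = [
    "S-1-5-18",  # Local System: not a service SID, must be skipped
    "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464",
    "S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736",
    "S-1-5-80-1-2-3-4-5",  # constructed value that no candidate hashes to
]

# Constructed candidate names, e.g. service key names read from a registry hive.
# The first one is deliberately lower-case: the derivation is case-insensitive.
CANDIDATE_NAMES = ["trustedinstaller", "WinDefend", "Spooler"]


def service_sid(name):
    """Derive the per-service SID from a service name.

    Same steps as createservicesid(): the name as UTF-16LE, upper-cased,
    hashed with SHA-1, and the 20-byte digest read as five little-endian
    32-bit sub-authorities. Assumes an ASCII name, where str.upper()
    matches the upper-casing applied to the interleaved string.
    """
    digest = hashlib.sha1(name.upper().encode("utf-16-le")).digest()
    subauthorities = struct.unpack("<5I", digest)
    return "-".join([SERVICE_SID_PREFIX] + [str(n) for n in subauthorities])


def is_service_sid(sid):
    """True for strings shaped like S-1-5-80 plus five 32-bit sub-authorities."""
    parts = sid.split("-")
    if len(parts) != 9 or "-".join(parts[:4]) != SERVICE_SID_PREFIX:
        return False
    return all(p.isdigit() and int(p) <= 0xFFFFFFFF for p in parts[4:])


def verify_table(rows):
    """Return the rows whose SID does not equal the hash of their name."""
    return {sid: name for sid, name in rows.items() if service_sid(name) != sid}


def resolve_service_sids(observed, candidates):
    """Map each observed service SID to a candidate name, or None if unknown.

    SIDs that are not service SIDs are left out of the result, so a None
    value always means "service SID with no matching candidate name".
    """
    computed = {service_sid(name): name for name in candidates}
    resolved = {}
    for sid in observed:
        if is_service_sid(sid):
            resolved[sid] = computed.get(sid)
    return resolved


if __name__ == "__main__":
    print("table rows that fail verification:", verify_table(PAGE_TABLE_ROWS))
    for sid, name in resolve_service_sids(OBSERVED_SIDS, CANDIDATE_NAMES).items():
        print(sid, "->", name if name is not None else "(no candidate matches)")
```

A service SID that resolves to None is one whose name is absent from the candidate list, which is why a precomputed table only covers the services known when it was built.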
#

import volatility.plugins.taskmods as taskmods

class Envars(taskmods.DllList):
    "Display process environment variables"

    def render_text(self, outfd, data):

        self.table_header(outfd,
            [("Pid", "8"),
             ("Process", "20"),
             ("Block", "[addrpad]"),
             ("Variable", "30"),
             ("Value", ""),
            ])

        for task in data:
            for var, val in task.environment_variables():
                self.table_row(outfd,
                    task.UniqueProcessId,
                    task.ImageFileName,
                    task.Peb.ProcessParameters.Environment,
                    var, val
                    )

volatility-2.3.1/volatility/plugins/dumpfiles.py

# Volatility
# Copyright (C) 2012-13 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
# Notwithstanding any rights to use the Software granted by the foregoing,
# if entities or individuals have received a Cease & Desist letter from
# the Volatility Project, the Volatility Foundation, or its copyright holders
# for violating the terms of the GPL version 2, those entities (their employees,
# subcontractors, independent contractors, and affiliates) and / or persons
# are granted no such rights and any use by any one or more of them is
# expressly prohibited, in accordance with Section 4 of the GPL version 2.
# Any rights granted to such entities and / or persons by earlier license
# agreements have been previously terminated as to them.
#pylint: disable-msg=C0111

import os
import re
import math
import volatility.obj as obj
import volatility.utils as utils
import volatility.debug as debug
import volatility.win32.tasks as tasks_mod
import volatility.win32.modules as modules
import volatility.plugins.common as common
import volatility.plugins.taskmods as taskmods
import json

#--------------------------------------------------------------------------------
# Constants
#--------------------------------------------------------------------------------
PAGE_SIZE = 0x1000
PAGE_MASK = PAGE_SIZE - 1
IMAGE_EXT = "img"
DATA_EXT = "dat"
FILEOFFSET_MASK = 0xFFFFFFFFFFFF0000
VACB_BLOCK = 0x40000
VACB_ARRAY = 0x80
VACB_OFFSET_SHIFT = 18
VACB_LEVEL_SHIFT = 7
VACB_SIZE_OF_FIRST_LEVEL = 1 << (VACB_OFFSET_SHIFT + VACB_LEVEL_SHIFT)

class _CONTROL_AREA(obj.CType):

    def extract_ca_file(self, unsafe = False):
        """ Extracts a file from a specified CONTROL_AREA

        Attempts to extract the memory resident pages pertaining to a
        particular CONTROL_AREA object.

        Args:
            control_area: Instance of a CONTROL_AREA object
            unsafe: Relax safety constraints for more data

        Returns:
            mdata: List of pages, (physoffset, fileoffset, size) tuples, that are memory resident
            zpad: List of pages, (offset, size) tuples, that are not memory resident

        Raises:
        """

        zpad = []
        mdata = []

        # Depending on the particular address space being used we need to
        # determine if the MMPTE will be either 4 or 8 bytes. The x64
        # and IA32_PAE both use 8 byte PTEs. Whereas, IA32 uses 4 byte
        # PTE entries.
        memory_model = self.obj_vm.profile.metadata.get('memory_model', '32bit')
        pae = self.obj_vm.pae

        if pae:
            mmpte_size = self.obj_vm.profile.get_obj_size("_MMPTEPA")
        else:
            mmpte_size = self.obj_vm.profile.get_obj_size("_MMPTE")

        # Calculate the size of the _CONTROL_AREA object. It is used to find
        # the correct offset for the SUBSECTION object and the size of the
        # CONTROL_AREA can differ between versions of Windows.
        control_area_size = self.size()

        # The segment is used to describe the physical view of the
        # file. We also use this as a semantic check to see if
        # the processing should continue. If the Segment address
        # is invalid, then we return.
        Segment = self.Segment
        if not Segment.is_valid():
            return mdata, zpad

        # The next semantic check validates that the _SEGMENT object
        # points back to the appropriate _CONTROL_AREA object. If the
        # check is invalid, then we return.
        if (self.obj_offset != Segment.ControlArea):
            return mdata, zpad

        # This is a semantic check added to make sure the Segment.SizeOfSegment value
        # is consistent with the Segment.TotalNumberOfPtes. A mismatch occurs frequently
        # when traversing through CONTROL_AREA Objects (~5%), often leading to
        # impossible values. Thus, to be conservative we do not proceed if the
        # Segment does not seem sound.
        if Segment.SizeOfSegment != (Segment.TotalNumberOfPtes * PAGE_SIZE):
            return mdata, zpad

        # The _SUBSECTION object is typically found immediately following
        # the CONTROL_AREA object. For Image Section Objects, the SUBSECTIONS
        # typically correspond with the sections found in the PE. On the other hand,
        # for Data Section Objects, there is typically only a single valid SUBSECTION.
        subsection_offset = self.obj_offset + control_area_size
        #subsection = obj.Object("_SUBSECTION", subsection_offset, self.kaddr_space)
        subsection = obj.Object("_SUBSECTION", subsection_offset, self.obj_vm)

        # This was another check which was inspired by Ruud's code. It
        # verifies that the first SubsectionBase (Mmst) never starts
        # at the beginning of a page. The UNSAFE option allows us to
        # ignore this constraint. This was necessary for dumping file data
        # for file objects found with filescan (ie $Mft)
        SubsectionBase = subsection.SubsectionBase
        if (SubsectionBase & PAGE_MASK == 0x0) and not unsafe:
            return mdata, zpad

        # We obtain the Subsections associated with this file
        # by traversing the singly linked list. Ideally, this
        # list should be null (0) terminated.
        # Upon occasion we have seen instances where the link
        # pointers are undefined (XXX). If we hit an invalid
        # pointer, then we exit the traversal.
        while subsection.is_valid() and subsection.v() != 0x0:

            if not subsection:
                break

            # This constraint makes sure that the _SUBSECTION object
            # points back to the associated CONTROL_AREA object. Otherwise,
            # we exit the traversal.
            if (self.obj_offset != subsection.ControlArea):
                break

            # Extract subsection meta-data into local variables
            # this helps with performance and not having to do
            # repetitive lookups.
            PtesInSubsection = subsection.PtesInSubsection
            SubsectionBase = subsection.SubsectionBase
            NextSubsection = subsection.NextSubsection

            # The offset into the file is stored implicitly
            # based on the PTE's location within the Subsection.
            StartingSector = subsection.StartingSector
            SubsectionOffset = StartingSector * 0x200

            # This was another check based on something Ruud
            # had done. We also saw instances where DataSectionObjects
            # would hit a SubsectionBase that was page aligned
            # and hit strange data. In those instances, the
            # MMPTE SubsectionAddress would not point to the associated
            # Subsection. (XXX)
            if (SubsectionBase & PAGE_MASK == 0x0) and not unsafe:
                break

            ptecount = 0
            while (ptecount < PtesInSubsection):

                pteoffset = SubsectionBase + (mmpte_size * ptecount)
                FileOffset = SubsectionOffset + ptecount * 0x1000

                # The size of MMPTE changes depending on if it is IA32 (4 bytes)
                # or IA32_PAE/AMD64 (8 bytes).
                objname = "_MMPTE"
                if pae:
                    objname = "_MMPTEPA"
                mmpte = obj.Object(objname, offset = pteoffset, vm = \
                    subsection.obj_vm)

                if not mmpte:
                    ptecount += 1
                    continue

                # First we check if the entry is valid. If the entry is valid
                # then we get the physical offset. The valid entries are actually
                # handled by the hardware.
                if mmpte.u.Hard.Valid == 0x1:

                    # There are some valid Page Table entries where bit 63
                    # is used to specify if the page is executable. This is
                    # maintained by the processor.
                    # If it is not executable,
                    # then the bit is set. Within the Intel documentation,
                    # this is known as the Execute-disable (XD) flag. Regardless,
                    # we will use the get_phys_addr method from the address space
                    # to obtain the physical address.
                    ### Should we check the size of the PAGE? Haven't seen
                    # a hit for LargePage.
                    #if mmpte.u.Hard.LargePage == 0x1:
                    #    print "LargePage"
                    physoffset = mmpte.u.Hard.PageFrameNumber << 12
                    mdata.append([physoffset, FileOffset, PAGE_SIZE])
                    ptecount += 1
                    continue

                elif mmpte.u.Soft.Prototype == 0x1:
                    # If the entry is not a valid physical address then
                    # we check if it contains a pointer back to the SUBSECTION
                    # object. If so, the page is in the backing file and we will
                    # need to pad to maintain spatial integrity of the file. This
                    # check needs to be performed before looking for the transition flag.
                    # The prototype PTEs are initialized as MMPTE_SUBSECTION with the
                    # SubsectionAddress.

                    # On x86 systems that use 4 byte MMPTE, the MMPTE_SUBSECTION
                    # stores an "encoded" version of the SUBSECTION object address.
                    # The data is relative to a global variable (MmSubsectionBase or
                    # MmNonPagedPoolEnd) depending on the WhichPool member of
                    # _SUBSECTION. This applies to x86 systems running ntoskrnl.exe.
                    # If bit 10 is set then it is prototype/subsection

                    if (memory_model == "32bit") and not pae:
                        # Decoded into its own variable: SubsectionOffset holds
                        # the subsection's starting file offset, and FileOffset
                        # is computed from it on every pass through this loop.
                        EncodedSubsectionOffset = \
                            ((mmpte.u.Subsect.SubsectionAddressHigh << 7) |
                            (mmpte.u.Subsect.SubsectionAddressLow << 3))
                        #WhichPool = mmpte.u.Subsect.WhichPool
                        #print "mmpte 0x%x ptecount 0x%x sub-32 0x%x pteoffset 0x%x which 0x%x subdelta 0x%x"%(mmpte.u.Long,ptecount,subsection_offset,pteoffset,WhichPool,EncodedSubsectionOffset)
                        zpad.append([FileOffset, PAGE_SIZE])
                        ptecount += 1
                        continue

                    if memory_model == "64bit" or pae:
                        SubsectionAddress = mmpte.u.Subsect.SubsectionAddress
                    else:
                        SubsectionAddress = mmpte.u.Long

                    if SubsectionAddress == subsection.obj_offset:
                        # sub proto/prot 4c0 420
                        #print "mmpte 0x%x ptecount 0x%x sub 0x%x offset 0x%x"%(mmpte.u.Long,ptecount,SubsectionAddress,pteoffset)
                        zpad.append([FileOffset, PAGE_SIZE])
                        ptecount += 1
                        continue
                    elif (SubsectionAddress == (subsection.obj_offset + 4)):
                        # This was a special case seen on IA32_PAE systems where
                        # the SubsectionAddress pointed to subsection.obj_offset+4
                        # (0x420, 0x460, 0x4a0)
                        #print "mmpte 0x%x ptecount 0x%x sub+4 0x%x offset 0x%x"%(mmpte.u.Long,ptecount,SubsectionAddress,pteoffset)
                        zpad.append([FileOffset, PAGE_SIZE])
                        ptecount += 1
                        continue
                    else:
                        #print "mmpte 0x%x ptecount 0x%x sub_unk 0x%x offset 0x%x suboffset 0x%x"%(mmpte.u.Long,ptecount,SubsectionAddress,pteoffset,subsection.obj_offset)
                        zpad.append([FileOffset, PAGE_SIZE])
                        ptecount += 1
                        continue

                # Check if the entry is a DemandZero entry.
                elif (mmpte.u.Soft.Transition == 0x0):
                    if ((mmpte.u.Soft.PageFileLow == 0x0) and
                        (mmpte.u.Soft.PageFileHigh == 0x0)):
                        # Example entries include: a0,e0
                        #print "mmpte 0x%x ptecount 0x%x zero offset 0x%x subsec 0x%x"%(mmpte.u.Long,ptecount,pteoffset,subsection.obj_offset)
                        zpad.append([FileOffset, PAGE_SIZE])
                        ptecount += 1
                    else:
                        #print "mmpte 0x%x ptecount 0x%x paged offset 0x%x subsec 0x%x file 0x%x offset 0x%x"%(mmpte.u.Long,ptecount,pteoffset,subsection.obj_offset,mmpte.u.Soft.PageFileLow,mmpte.u.Soft.PageFileHigh)
                        zpad.append([FileOffset, PAGE_SIZE])
                        ptecount += 1

                # If the entry is not a valid physical address then
                # we also check to see if it is in transition.
                elif mmpte.u.Trans.Transition == 0x1:
                    physoffset = mmpte.u.Trans.PageFrameNumber << 12
                    #print "mmpte 0x%x ptecount 0x%x transition 0x%x offset 0x%x"%(mmpte.u.Long,ptecount,physoffset,pteoffset)
                    mdata.append([physoffset, FileOffset, PAGE_SIZE])
                    ptecount += 1
                    continue
                else:
                    # This is a catch all for all the other entry types.
                    # sub proto/pro 420,4e0,460,4a0 (x64 +0x28)(x32 +4)
                    # other a0,e0,0, (20,60)
                    # 0x80000000
                    #print "mmpte 0x%x ptecount 0x%x other offset 0x%x subsec 0x%x"%(mmpte.u.Long,ptecount,pteoffset,subsection.obj_offset)
                    zpad.append([FileOffset, PAGE_SIZE])
                    ptecount += 1

            # Traverse the singly linked list to its next member.
            subsection = NextSubsection

        return (mdata, zpad)

class _SHARED_CACHE_MAP(obj.CType):

    def is_valid(self):
        if not obj.CType.is_valid(self):
            return False

        # Added a semantic check to make sure the data is in a sound state. It's better
        # to catch it early.
        FileSize = self.FileSize.QuadPart
        ValidDataLength = self.ValidDataLength.QuadPart
        SectionSize = self.SectionSize.QuadPart

        #print "SectionSize 0x%x < 0 or FileSize < 0x%x ValidDataLength 0x%x"%(SectionSize,FileSize,ValidDataLength)
        #if SectionSize < 0 or (FileSize < ValidDataLength):
        if SectionSize < 0 or ((FileSize < ValidDataLength) and (ValidDataLength != 0x7fffffffffffffff)):
            return False

        return True

    def process_index_array(self, array_pointer, level, limit, vacbary = None):
        """ Recursively process the sparse multilevel VACB index array

        Args:
            array_pointer: The address of a possible index array
            shared_cache_map: The associated SHARED_CACHE_MAP object
            level: The current level
            limit: The level where we abandon all hope. Ideally this is 7
            vacbary: An array of collected VACBs

        Returns:
            vacbary: Collected VACBs
        """
        if vacbary is None:
            vacbary = []

        if level > limit:
            return []

        # Create an array of VACB entries
        VacbArray = obj.Object("Array", offset = array_pointer, \
            vm = self.obj_vm, count = VACB_ARRAY, \
            targetType = "address", parent = self)

        # Iterate through the entries
        for _i in range(0, VACB_ARRAY):
            # Check if the VACB entry is in use
            if VacbArray[_i] == 0x0:
                continue

            Vacbs = obj.Object("_VACB", offset = int(VacbArray[_i]), vm = self.obj_vm)

            # Check if this is a valid VACB entry by verifying
            # the SharedCacheMap member.
            if Vacbs.SharedCacheMap == self.obj_offset:
                # This is a VACB associated with this cache map
                vacbinfo = self.extract_vacb(Vacbs, VACB_BLOCK)
                if vacbinfo:
                    vacbary.append(vacbinfo)
            else:
                #Process the next level of the multi-level array
                vacbary = self.process_index_array(VacbArray[_i], level + 1, limit, vacbary)
                #vacbary = vacbary + _vacbary
        return vacbary

    def extract_vacb(self, vacbs, size):
        """ Extracts data from a specified VACB

        Attempts to extract the memory resident data from a specified
        VACB.

        Args:
          vacbs: The VACB object
          size: How much data should be read from the VACB
          shared_cache_map: The associated SHARED_CACHE_MAP object

        Returns:
          vacbinfo: Extracted VACB meta-information

        """
        # This is used to collect summary information. We will eventually leverage this
        # when creating the externally exposed APIs.
        vacbinfo = {}

        # Check if the Overlay member of _VACB is resident
        # The Overlay member stores information about the FileOffset
        # and the ActiveCount. This is just another proactive check
        # to make sure the objects are seemingly sound.
        if not vacbs.Overlay:
            return vacbinfo

        # We should add another check to make sure that
        # the SharedCacheMap member of the VACB points back
        # to the corresponding SHARED_CACHE_MAP
        if vacbs.SharedCacheMap != self.v():
            return vacbinfo

        # The FileOffset member of VACB is used to denote the
        # offset within the file where the view begins. Since all
        # views are 256 KB in size, the bottom 16 bits are used to
        # store the number of references to the view.
        FileOffset = vacbs.Overlay.FileOffset.QuadPart

        if not FileOffset:
            return vacbinfo

        ActiveCount = vacbs.Overlay.ActiveCount
        FileOffset = FileOffset & FILEOFFSET_MASK
        BaseAddress = vacbs.BaseAddress.v()

        vacbinfo['foffset'] = int(FileOffset)
        vacbinfo['acount'] = int(ActiveCount)
        vacbinfo['voffset'] = int(vacbs.obj_offset)
        vacbinfo['baseaddr'] = int(BaseAddress)
        vacbinfo['size'] = int(size)

        return vacbinfo

    def extract_scm_file(self):
        """ Extracts a file from a specified _SHARED_CACHE_MAP

        Attempts to extract the memory resident pages pertaining to a
        particular _SHARED_CACHE_MAP object.

        Args:
          shared_cache_map: Instance of a _SHARED_CACHE_MAP object

        Returns:
          vacbary: List of collected VACB meta information.

        Raises:

        """
        vacbary = []

        if self.obj_offset == 0x0:
            return

        # Added a semantic check to make sure the data is in a sound state.
        #FileSize = shared_cache_map.FileSize.QuadPart
        #ValidDataLength = shared_cache_map.ValidDataLength.QuadPart
        SectionSize = self.SectionSize.QuadPart

        # Let's begin by determining the number of Virtual Address Control
        # Blocks (VACB) that are stored within the cache (nonpaged). A VACB
        # represents one 256-KB view in the system cache. There are a couple
        # options to use for the data size: ValidDataLength, FileSize,
        # and SectionSize.
        full_blocks = SectionSize / VACB_BLOCK
        left_over = SectionSize % VACB_BLOCK

        # As an optimization, the shared cache map object contains a VACB index
        # array of four entries. The VACB index arrays are arrays of pointers
        # to VACBs, that track which views of a given file are mapped in the cache.
        # For example, the first entry in the VACB index array refers to the first
        # 256 KB of the file. The InitialVacbs can describe a file up to 1 MB (4xVACB).
        iterval = 0
        while (iterval < full_blocks) and (full_blocks <= 4):
            Vacbs = self.InitialVacbs[iterval]
            vacbinfo = self.extract_vacb(Vacbs, VACB_BLOCK)
            if vacbinfo:
                vacbary.append(vacbinfo)
            iterval += 1

        # We also have to account for the spill over data
        # that is not found in the full blocks. The first case to
        # consider is when the spill over is still in InitialVacbs.
        if (left_over > 0) and (full_blocks < 4):
            Vacbs = self.InitialVacbs[iterval]
            vacbinfo = self.extract_vacb(Vacbs, left_over)
            if vacbinfo:
                vacbary.append(vacbinfo)

        # If the file is larger than 1 MB, a separate VACB index array
        # needs to be allocated. This is based on how many 256 KB blocks
        # would be required for the size of the file. This newly allocated
        # VACB index array is found through the Vacbs member of
        # SHARED_CACHE_MAP.
        Vacbs = self.Vacbs

        if not Vacbs or (Vacbs.v() == 0):
            return vacbary

        # There are a number of instances where the initial value in
        # InitialVacb will also be the first entry in Vacbs. Thus we
        # ignore, since it was already processed.
        # It is possible to just
        # process again as the file offset is specified for each VACB.
        if self.InitialVacbs[0].obj_offset == Vacbs.v():
            return vacbary

        # If the file is less than 32 MB then it can be found in
        # a single level VACB index array.
        size_of_pointer = self.obj_vm.profile.get_obj_size("address")

        if not SectionSize > VACB_SIZE_OF_FIRST_LEVEL:

            ArrayHead = Vacbs.v()
            _i = 0
            for _i in range(0, full_blocks):
                vacb_addr = ArrayHead + (_i * size_of_pointer)
                vacb_entry = obj.Object("address", offset = vacb_addr, vm = Vacbs.obj_vm)

                # If we find a zero entry, then we proceed to the next one.
                # If the entry is zero, then the view is not mapped and we
                # skip. We do not pad because we use the FileOffset to seek
                # to the correct offset in the file.
                if not vacb_entry or (vacb_entry.v() == 0x0):
                    continue

                Vacb = obj.Object("_VACB", offset = vacb_entry.v(), vm = self.obj_vm)
                vacbinfo = self.extract_vacb(Vacb, VACB_BLOCK)
                if vacbinfo:
                    vacbary.append(vacbinfo)

            if left_over > 0:
                vacb_addr = ArrayHead + ((_i + 1) * size_of_pointer)
                vacb_entry = obj.Object("address", offset = vacb_addr, vm = Vacbs.obj_vm)

                if not vacb_entry or (vacb_entry.v() == 0x0):
                    return vacbary

                Vacb = obj.Object("_VACB", offset = vacb_entry.v(), vm = self.obj_vm)
                vacbinfo = self.extract_vacb(Vacb, left_over)
                if vacbinfo:
                    vacbary.append(vacbinfo)

            # The file is less than 32 MB, so we can
            # stop processing.
            return vacbary

        # If we get to this point, then we know that the SectionSize is greater than
        # VACB_SIZE_OF_FIRST_LEVEL (32 MB). Then we have a "sparse multilevel index
        # array" where each VACB index array is made up of 128 entries. We no
        # longer assume the data is sequential.
        # (Log2 (32 MB) - 18)/7
        #tree_depth = math.ceil((math.ceil(math.log(file_size, 2)) - 18)/7)
        level_depth = math.ceil(math.log(SectionSize, 2))
        level_depth = (level_depth - VACB_OFFSET_SHIFT) / VACB_LEVEL_SHIFT
        level_depth = math.ceil(level_depth)
        limit_depth = level_depth

        if SectionSize > VACB_SIZE_OF_FIRST_LEVEL:

            # Create an array of 128 entries for the VACB index array
            VacbArray = obj.Object("Array", offset = Vacbs.v(), \
                vm = self.obj_vm, count = VACB_ARRAY, \
                targetType = "address", parent = self)

            # We use a bit of a brute force method. We walk the
            # array and if any entry points to the shared cache map
            # object then we extract it. Otherwise, if it is non-zero
            # we attempt to traverse to the next level.
            for _i in range(0, VACB_ARRAY):
                if VacbArray[_i] == 0x0:
                    continue

                Vacb = obj.Object("_VACB", offset = int(VacbArray[_i]), vm = self.obj_vm)
                if Vacb.SharedCacheMap == self.obj_offset:
                    vacbinfo = self.extract_vacb(Vacb, VACB_BLOCK)
                    if vacbinfo:
                        vacbary.append(vacbinfo)
                else:
                    # The Index is a pointer
                    #Process the next level of the multi-level array
                    # We set the limit_depth to be the depth of the tree
                    # as determined from the size and we initialize the
                    # current level to 2.
                    vacbary = self.process_index_array(VacbArray[_i], 2, limit_depth, vacbary)
                    #vacbary = vacbary + _vacbary

        return vacbary

class ControlAreaModification(obj.ProfileModification):
    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        profile.object_classes.update({
            '_CONTROL_AREA': _CONTROL_AREA,
            '_SHARED_CACHE_MAP': _SHARED_CACHE_MAP,
            })

#--------------------------------------------------------------------------------
# VTypes
#--------------------------------------------------------------------------------

# Windows x86 symbols for ntkrnlpa
ntkrnlpa_types_x86 = {
    '__ntkrnlpa' : [ 0x8, {
        'Long' : [ 0x0, ['unsigned long long']],
        'VolatileLong' : [ 0x0, ['unsigned long long']],
        'Hard' : [ 0x0, ['_MMPTE_HARDWARE_64']],
        'Flush' : [ 0x0, ['_HARDWARE_PTE']],
        'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']],
        'Soft' : [ 0x0, ['_MMPTE_SOFTWARE_64']],
        'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']],
        'Trans' : [ 0x0, ['_MMPTE_TRANSITION_64']],
        'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION_64']],
        'List' : [ 0x0, ['_MMPTE_LIST']],
    } ],
    '_MMPTEPA' : [ 0x8, {
        'u' : [ 0x0, ['__ntkrnlpa']],
    } ],
    '_MMPTE_SUBSECTION_64' : [ 0x8, {
        'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type = 'unsigned long long')]],
        'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type = 'unsigned long long')]],
        'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type = 'unsigned long long')]],
        'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type = 'unsigned long long')]],
        'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type = 'unsigned long long')]],
        'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type = 'long long')]],
    } ],
    '_MMPTE_TRANSITION_64' : [ 0x8, {
        'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type = 'unsigned long long')]],
        'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type = 'unsigned long long')]],
        'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type = 'unsigned long long')]],
        'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type = 'unsigned long long')]],
        'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type = 'unsigned long long')]],
        'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type = 'unsigned long long')]],
        'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type = 'unsigned long long')]],
        'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type = 'unsigned long long')]],
        'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type = 'unsigned long long')]],
        'Unused' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type = 'unsigned long long')]],
    }],
    '_MMPTE_HARDWARE_64' : [ 0x8, {
        'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type = 'unsigned long long')]],
        'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type = 'unsigned long long')]],
        'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type = 'unsigned long long')]],
        'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type = 'unsigned long long')]],
        'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type = 'unsigned long long')]],
        'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type = 'unsigned long long')]],
        'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type = 'unsigned long long')]],
        'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type = 'unsigned long long')]],
        'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type = 'unsigned long long')]],
        'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type = 'unsigned long long')]],
        'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type = 'unsigned long long')]],
        'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type = 'unsigned long long')]],
        'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type = 'unsigned long long')]],
        'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type = 'unsigned long long')]],
        'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type = 'unsigned long long')]],
        'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type = 'unsigned long long')]],
    } ],
    '_MMPTE_SOFTWARE_64' : [ 0x8, {
        'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type = 'unsigned long long')]],
        'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type = 'unsigned long long')]],
        'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type = 'unsigned long long')]],
        'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type = 'unsigned long long')]],
        'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type = 'unsigned long long')]],
        'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 22, native_type = 'unsigned long long')]],
        'InStore' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type = 'unsigned long long')]],
        'Reserved' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 32, native_type = 'unsigned long long')]],
        'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type = 'unsigned long long')]],
    } ],
}

class DumpFilesVTypesx86(obj.ProfileModification):
    """This modification applies the vtypes for all versions of 32bit Windows."""
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x : x == '32bit'}

    def modification(self, profile):
        profile.vtypes.update(ntkrnlpa_types_x86)

class DumpFiles(common.AbstractWindowsCommand):
    """Extract memory mapped and cached files"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

        self.kaddr_space = None
        self.filters = []

        config.add_option('REGEX', short_option = 'r',
                          help = 'Dump files matching REGEX',
                          action = 'store', type = 'string')
        config.add_option('IGNORE-CASE', short_option = 'i',
                          help = 'Ignore case in pattern match',
                          action = 'store_true', default = False)
        config.add_option('OFFSET', short_option = 'o', default = None,
                          help = 'Dump files for Process with physical address OFFSET',
                          action = 'store', type = 'int')
        config.add_option('PHYSOFFSET', short_option = 'Q', default = None,
                          help = 'Dump File Object at physical address PHYSOFFSET',
                          action = 'store', type = 'int')
        config.add_option('DUMP-DIR', short_option = 'D', default = None,
                          cache_invalidator = False,
                          help = 'Directory in which to dump extracted files')
        config.add_option('SUMMARY-FILE', short_option = 'S', default = None,
                          cache_invalidator = False,
                          help = 'File where to store summary information')
        config.add_option('PID', short_option = 'p', default = None,
                          help = 'Operate on these Process IDs (comma-separated)',
                          action = 'store', type = 'str')
        config.add_option('NAME', short_option = 'n',
                          help = 'Include extracted filename in output file path',
                          action = 'store_true', default = False)
        config.add_option('UNSAFE', short_option = 'u',
                          help = 'Relax safety constraints for more data',
                          action = 'store_true', default = False)

        # Possible filters include:
        # SharedCacheMap,DataSectionObject,ImageSectionObject,HandleTable,VAD
        config.add_option("FILTER", short_option = 'F', default = None,
                          help = 'Filters to apply (comma-separated)')

    def filter_tasks(self, tasks):
        """ Reduce the tasks based on the user selectable PIDS parameter.

        Returns a reduced list or the full list if config.PIDS not specified.
        """
        if self._config.PID is None:
            return tasks

        try:
            pidlist = [int(p) for p in self._config.PID.split(',')]
        except ValueError:
            debug.error("Invalid PID {0}".format(self._config.PID))

        return [t for t in tasks if t.UniqueProcessId in pidlist]

    def audited_read_bytes(self, vm, vaddr, length, pad):
        """ This function provides an audited zread capability

        It performs a similar function to zread, in that it will
        pad "invalid" pages. The main difference is that it allows
        us to collect auditing information about which pages were actually
        present and which ones were padded.

        Args:
          vm: The address space to read the data from.
          vaddr: The virtual address to start reading the data from.
          length: How many bytes to read
          pad: This argument controls if the unavailable bytes are padded.

        Returns:
          ret: Data that was read
          mdata: List of pages that are memory resident
          zpad: List of pages that are not memory resident

        Raises:

        """
        zpad = []
        mdata = []

        vaddr, length = int(vaddr), int(length)

        ret = ''

        while length > 0:
            chunk_len = min(length, PAGE_SIZE - (vaddr % PAGE_SIZE))

            buf = vm.read(vaddr, chunk_len)
            if vm.vtop(vaddr) is None:
                zpad.append([vaddr, chunk_len])
                if pad:
                    buf = '\x00' * chunk_len
                else:
                    buf = ''
            else:
                mdata.append([vaddr, chunk_len])

            ret += buf
            vaddr += chunk_len
            length -= chunk_len

        return ret, mdata, zpad

    def calculate(self):
        """ Finds all the requested FILE_OBJECTS

        Traverses the VAD and HandleTable to find all requested
        FILE_OBJECTS

        """
        # Initialize containers for collecting artifacts.
        control_area_list = []
        shared_maps = []
        procfiles = []

        # These lists are used for object collecting files from
        # both the VAD and handle tables
        vadfiles = []
        handlefiles = []

        # Determine which filters the user wants to see
        self.filters = []
        if self._config.FILTER:
            self.filters = self._config.FILTER.split(',')

        # Instantiate the kernel address space
        self.kaddr_space = utils.load_as(self._config)

        # Check to see if the physical address offset was passed for a
        # particular process.
        # Otherwise, use the whole task list.
        if self._config.OFFSET != None:
            tasks_list = [taskmods.DllList.virtual_process_from_physical_offset(
                self.kaddr_space, self._config.OFFSET)]
        else:
            # Filter for the specified processes
            tasks_list = self.filter_tasks(tasks_mod.pslist(self.kaddr_space))

        # If a regex is specified, build it.
        if self._config.REGEX:
            try:
                if self._config.IGNORE_CASE:
                    file_re = re.compile(self._config.REGEX, re.I)
                else:
                    file_re = re.compile(self._config.REGEX)
            except re.error, e:
                debug.error('Error parsing regular expression: {0:s}'.format(e))

        # Check to see if a specific physical address was specified for a
        # FILE_OBJECT. In particular, this is useful for FILE_OBJECTS that
        # are found with filescan that are not associated with a process
        # For example, $Mft.
        if self._config.PHYSOFFSET:
            file_obj = obj.Object("_FILE_OBJECT", self._config.PHYSOFFSET, self.kaddr_space.base, native_vm = self.kaddr_space)
            procfiles.append((None, [file_obj]))
            #return

        # Iterate through the process list and collect all references to
        # FILE_OBJECTS from both the VAD and HandleTable. Each open handle to a file
        # has a corresponding FILE_OBJECT.
        if not self._config.PHYSOFFSET:
            for task in tasks_list:
                pid = task.UniqueProcessId

                # Extract FILE_OBJECTS from the VAD
                if not self.filters or "VAD" in self.filters:
                    for vad in task.VadRoot.traverse():
                        if vad != None:
                            try:
                                control_area = vad.ControlArea
                                if not control_area:
                                    continue
                                file_object = vad.FileObject
                                if file_object:
                                    # Filter for specific FILE_OBJECTS based on user defined
                                    # regular expression.
                                    # (Performance optimization)
                                    if self._config.REGEX:
                                        name = None
                                        if file_object.FileName:
                                            name = str(file_object.file_name_with_device())
                                        if not name:
                                            continue
                                        if not file_re.search(name):
                                            continue
                                    vadfiles.append(file_object)
                            except AttributeError:
                                pass

                if not self.filters or "HandleTable" in self.filters:
                    # Extract the FILE_OBJECTS from the handle table
                    if task.ObjectTable.HandleTableList:
                        for handle in task.ObjectTable.handles():
                            otype = handle.get_object_type()
                            if otype == "File":
                                file_obj = handle.dereference_as("_FILE_OBJECT")
                                if file_obj:
                                    # Filter for specific FILE_OBJECTS based on user defined
                                    # regular expression. (Performance Optimization)
                                    if self._config.REGEX:
                                        name = None
                                        if file_obj.FileName:
                                            name = str(file_obj.file_name_with_device())
                                        if not name:
                                            continue
                                        if not file_re.search(name):
                                            continue

                                    handlefiles.append(file_obj)

                # Append the lists of file objects
                #allfiles = handlefiles + vadfiles
                procfiles.append((pid, handlefiles + vadfiles))

        for pid, allfiles in procfiles:
            for file_obj in allfiles:

                if not self._config.PHYSOFFSET:
                    offset = file_obj.obj_offset
                else:
                    offset = self._config.PHYSOFFSET

                name = None

                if file_obj.FileName:
                    name = str(file_obj.file_name_with_device())

                # The SECTION_OBJECT_POINTERS structure is used by the memory
                # manager and cache manager to store file-mapping and cache information
                # for a particular file stream. We will use it to determine what type
                # of FILE_OBJECT we have and how it should be parsed.
                if file_obj.SectionObjectPointer:
                    DataSectionObject = \
                        file_obj.SectionObjectPointer.DataSectionObject
                    SharedCacheMap = \
                        file_obj.SectionObjectPointer.SharedCacheMap
                    ImageSectionObject = \
                        file_obj.SectionObjectPointer.ImageSectionObject

                    # The ImageSectionObject is used to track state information for
                    # an executable file stream. We will use it to extract memory
                    # mapped binaries.

                    if not self.filters or "ImageSectionObject" in self.filters:

                        if ImageSectionObject and ImageSectionObject != 0:
                            summaryinfo = {}
                            # It points to a image section object( CONTROL_AREA )
                            control_area = \
                                ImageSectionObject.dereference_as('_CONTROL_AREA')

                            if not control_area in control_area_list:
                                control_area_list.append(control_area)

                                # The format of the filenames: file...[img|dat]
                                ca_offset_string = "0x{0:x}".format(control_area.obj_offset)
                                if self._config.NAME and name != None:
                                    fname = name.split("\\")
                                    ca_offset_string += "." + fname[-1]
                                file_string = ".".join(["file", str(pid), ca_offset_string, IMAGE_EXT])
                                of_path = os.path.join(self._config.DUMP_DIR, file_string)
                                (mdata, zpad) = control_area.extract_ca_file(self._config.UNSAFE)
                                summaryinfo['name'] = name
                                summaryinfo['type'] = "ImageSectionObject"
                                if pid:
                                    summaryinfo['pid'] = int(pid)
                                else:
                                    summaryinfo['pid'] = None
                                summaryinfo['present'] = mdata
                                summaryinfo['pad'] = zpad
                                summaryinfo['fobj'] = int(offset)
                                summaryinfo['ofpath'] = of_path
                                yield summaryinfo

                    # The DataSectionObject is used to track state information for
                    # a data file stream. We will use it to extract artifacts of
                    # memory mapped data files.
                    if not self.filters or "DataSectionObject" in self.filters:

                        if DataSectionObject and DataSectionObject != 0:
                            summaryinfo = {}
                            # It points to a data section object (CONTROL_AREA)
                            control_area = DataSectionObject.dereference_as('_CONTROL_AREA')

                            if not control_area in control_area_list:
                                control_area_list.append(control_area)

                                # The format of the filenames: file...[img|dat]
                                ca_offset_string = "0x{0:x}".format(control_area.obj_offset)
                                if self._config.NAME and name != None:
                                    fname = name.split("\\")
                                    ca_offset_string += "." + fname[-1]
                                file_string = ".".join(["file", str(pid), ca_offset_string, DATA_EXT])
                                of_path = os.path.join(self._config.DUMP_DIR, file_string)

                                (mdata, zpad) = control_area.extract_ca_file(self._config.UNSAFE)
                                summaryinfo['name'] = name
                                summaryinfo['type'] = "DataSectionObject"
                                if pid:
                                    summaryinfo['pid'] = int(pid)
                                else:
                                    summaryinfo['pid'] = None
                                summaryinfo['present'] = mdata
                                summaryinfo['pad'] = zpad
                                summaryinfo['fobj'] = int(offset)
                                summaryinfo['ofpath'] = of_path
                                yield summaryinfo

                    # The SharedCacheMap is used to track views that are mapped to the
                    # data file stream. Each cached file has a single SHARED_CACHE_MAP object,
                    # which has pointers to slots in the system cache which contain views of the file.
                    # The shared cache map is used to describe the state of the cached file.
                    if self.filters and "SharedCacheMap" not in self.filters:
                        continue

                    if SharedCacheMap:
                        vacbary = []
                        summaryinfo = {}
                        #The SharedCacheMap member points to a SHARED_CACHE_MAP object.
                        shared_cache_map = SharedCacheMap.dereference_as('_SHARED_CACHE_MAP')
                        if shared_cache_map.obj_offset == 0x0:
                            continue

                        # Added a semantic check to make sure the data is in a sound state. It's better
                        # to catch it early.
                        if not shared_cache_map.is_valid():
                            continue

                        if not shared_cache_map.obj_offset in shared_maps:
                            shared_maps.append(shared_cache_map.obj_offset)
                        else:
                            continue

                        shared_cache_map_string = ".0x{0:x}".format(shared_cache_map.obj_offset)
                        if self._config.NAME and name != None:
                            fname = name.split("\\")
                            shared_cache_map_string = shared_cache_map_string + "." + fname[-1]
                        of_path = os.path.join(self._config.DUMP_DIR, "file." + str(pid) + shared_cache_map_string + ".vacb")

                        vacbary = shared_cache_map.extract_scm_file()

                        summaryinfo['name'] = name
                        summaryinfo['type'] = "SharedCacheMap"
                        if pid:
                            summaryinfo['pid'] = int(pid)
                        else:
                            summaryinfo['pid'] = None
                        summaryinfo['fobj'] = int(offset)
                        summaryinfo['ofpath'] = of_path
                        summaryinfo['vacbary'] = vacbary
                        yield summaryinfo

    def render_text(self, outfd, data):
        """Renders output for the dumpfiles plugin.

        This includes extracting the file artifacts from memory
        to the specified dump directory.

        Args:
          outfd: The file descriptor to write the text to.
          data: (summaryinfo)

        """
        # Summary file object
        summaryfo = None
        summaryinfo = data

        if self._config.DUMP_DIR == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        if self._config.SUMMARY_FILE:
            summaryfo = open(self._config.SUMMARY_FILE, 'wb')

        for summaryinfo in data:

            if summaryinfo['type'] == "DataSectionObject":

                outfd.write("DataSectionObject {0:#010x} {1:<6} {2}\n".format(summaryinfo['fobj'], summaryinfo['pid'], summaryinfo['name']))
                if len(summaryinfo['present']) == 0:
                    continue

                of = open(summaryinfo['ofpath'], 'wb')

                for mdata in summaryinfo['present']:
                    rdata = None
                    if not mdata[0]:
                        continue

                    try:
                        rdata = self.kaddr_space.base.read(mdata[0], mdata[2])
                    except (IOError, OverflowError):
                        debug.debug("IOError: Pid: {0} File: {1} PhysAddr: {2} Size: {3}".format(summaryinfo['pid'], summaryinfo['name'], mdata[0], mdata[2]))

                    if not rdata:
                        continue

                    of.seek(mdata[1])
                    of.write(rdata)
                    continue
                # XXX Verify FileOffsets
                #for zpad in summaryinfo['pad']:
                #    of.seek(zpad[0])
                #    of.write("\0" * zpad[1])

                if self._config.SUMMARY_FILE:
                    json.dump(summaryinfo, summaryfo)
                of.close()

            elif summaryinfo['type'] == "ImageSectionObject":

                outfd.write("ImageSectionObject {0:#010x} {1:<6} {2}\n".format(summaryinfo['fobj'], summaryinfo['pid'], summaryinfo['name']))
                if len(summaryinfo['present']) == 0:
                    continue

                of = open(summaryinfo['ofpath'], 'wb')

                for mdata in summaryinfo['present']:
                    rdata = None
                    if not mdata[0]:
                        continue

                    try:
                        rdata = self.kaddr_space.base.read(mdata[0], mdata[2])
                    except (IOError, OverflowError):
                        debug.debug("IOError: Pid: {0} File: {1} PhysAddr: {2} Size: {3}".format(summaryinfo['pid'], summaryinfo['name'], mdata[0], mdata[2]))

                    if not rdata:
                        continue

                    of.seek(mdata[1])
                    of.write(rdata)
                    continue
                # XXX Verify FileOffsets
                #for zpad in summaryinfo['pad']:
                #    print "ZPAD 0x%x"%(zpad[0])
                #    of.seek(zpad[0])
                #    of.write("\0" * zpad[1])

                if self._config.SUMMARY_FILE:
                    json.dump(summaryinfo, summaryfo)
                of.close()

            elif summaryinfo['type'] == "SharedCacheMap":

                outfd.write("SharedCacheMap {0:#010x} {1:<6} {2}\n".format(summaryinfo['fobj'], summaryinfo['pid'], summaryinfo['name']))
                of = open(summaryinfo['ofpath'], 'wb')
                for vacb in summaryinfo['vacbary']:
                    if not vacb:
                        continue
                    (rdata, mdata, zpad) = self.audited_read_bytes(self.kaddr_space, vacb['baseaddr'], vacb['size'], True)
                    ### We need to update the mdata,zpad
                    if rdata:
                        try:
                            of.seek(vacb['foffset'])
                            of.write(rdata)
                        except IOError:
                            # TODO: Handle things like write errors (not enough disk space, etc)
                            continue
                    vacb['present'] = mdata
                    vacb['pad'] = zpad

                if self._config.SUMMARY_FILE:
                    json.dump(summaryinfo, summaryfo)
                of.close()

            else:
                return

        if self._config.SUMMARY_FILE:
            summaryfo.close()

volatility-2.3.1/volatility/plugins/common.py
# Volatility
#
# Authors:
# Michael Cohen
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

""" This plugin contains CORE classes used by lots of other plugins """
import volatility.scan as scan
import volatility.obj as obj
import volatility.debug as debug #pylint: disable-msg=W0611
import volatility.commands as commands

#pylint: disable-msg=C0111

class AbstractWindowsCommand(commands.Command):
    @staticmethod
    def is_valid_profile(profile):
        return profile.metadata.get('os', 'unknown') == 'windows'

def pool_align(vm, object_name, align):
    """Returns the size of the object accounting for pool alignment."""
    size_of_obj = vm.profile.get_obj_size(object_name)

    # Size is rounded to pool alignment
    extra = size_of_obj % align
    if extra:
        size_of_obj += align - extra

    return size_of_obj

## The following are checks for pool scanners.

class PoolTagCheck(scan.ScannerCheck):
    """ This scanner checks for the occurrence of a pool tag """
    def __init__(self, address_space, tag = None, **kwargs):
        scan.ScannerCheck.__init__(self, address_space, **kwargs)
        self.tag = tag

    def skip(self, data, offset):
        try:
            nextval = data.index(self.tag, offset + 1)
            return nextval - offset
        except ValueError:
            ## Substring is not found - skip to the end of this data buffer
            return len(data) - offset

    def check(self, offset):
        data = self.address_space.read(offset, len(self.tag))
        return data == self.tag

class CheckPoolSize(scan.ScannerCheck):
    """ Check pool block size """
    def __init__(self, address_space, condition = (lambda x: x == 8), **kwargs):
        scan.ScannerCheck.__init__(self, address_space, **kwargs)
        self.condition = condition

    def check(self, offset):
        pool_hdr = obj.Object('_POOL_HEADER', vm = self.address_space,
                              offset = offset - 4)

        block_size = pool_hdr.BlockSize.v()

        pool_alignment = obj.VolMagic(self.address_space).PoolAlignment.v()

        return self.condition(block_size * pool_alignment)

class CheckPoolType(scan.ScannerCheck):
    """ Check the pool type """
    def __init__(self, address_space, paged = False,
                 non_paged = False, free = False, **kwargs):
        scan.ScannerCheck.__init__(self, address_space, **kwargs)
        self.non_paged = non_paged
        self.paged = paged
        self.free = free

    def check(self, offset):
        pool_hdr = obj.Object('_POOL_HEADER', vm = self.address_space,
                              offset = offset - 4)

        return ((self.non_paged and pool_hdr.NonPagedPool) or
                (self.free and pool_hdr.FreePool) or
                (self.paged and pool_hdr.PagedPool))

class CheckPoolIndex(scan.ScannerCheck):
    """ Checks the pool index """
    def __init__(self, address_space, value = 0, **kwargs):
        scan.ScannerCheck.__init__(self, address_space, **kwargs)
        self.value = value

    def check(self, offset):
        pool_hdr = obj.Object('_POOL_HEADER', vm = self.address_space,
                              offset = offset - 4)

        return pool_hdr.PoolIndex == self.value
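
Added example, not part of Volatility's code: a stand-alone Python 3 rendering of how the pool scanner checks in common.py combine, run over a constructed buffer to show why a tag match alone yields false positives. The x86 `_POOL_HEADER` bit layout, the 8-byte alignment, the tag `Tst1`, the object size and every helper name here are assumptions made for the illustration.

```python
import struct

# Assumptions (x86): _POOL_HEADER is 8 bytes, a 32-bit bitfield word
# (PreviousSize:9, PoolIndex:7, BlockSize:9, PoolType:7) followed by the
# 4-byte PoolTag, and BlockSize is counted in units of an 8-byte PoolAlignment.
POOL_ALIGNMENT = 8
HEADER_SIZE = 8
TAG = b"Tst1"            # constructed tag, not a real Windows pool tag
OBJECT_SIZE = 0x5C       # constructed size of the object being hunted


def pool_align(size_of_obj, align=POOL_ALIGNMENT):
    """Same rounding as pool_align() in common.py, taking the size directly."""
    extra = size_of_obj % align
    return size_of_obj + (align - extra) if extra else size_of_obj


def pack_header(prev_size, pool_index, block_size, pool_type, tag):
    """Build a pool header for the constructed sample buffer."""
    word = ((prev_size & 0x1FF) | ((pool_index & 0x7F) << 9) |
            ((block_size & 0x1FF) << 16) | ((pool_type & 0x7F) << 25))
    return struct.pack("<I", word) + tag


def read_header(data, tag_offset):
    """Decode the header that would own a tag hit. The tag sits 4 bytes in,
    which is why the checks in common.py read _POOL_HEADER at offset - 4."""
    start = tag_offset - 4
    if start < 0 or start + HEADER_SIZE > len(data):
        return None
    (word,) = struct.unpack_from("<I", data, start)
    return {"PreviousSize": word & 0x1FF,
            "PoolIndex": (word >> 9) & 0x7F,
            "BlockSize": (word >> 16) & 0x1FF,
            "PoolType": (word >> 25) & 0x7F}


def check_pool_size(condition):
    """Counterpart of CheckPoolSize: test BlockSize * PoolAlignment."""
    def check(data, offset):
        hdr = read_header(data, offset)
        return hdr is not None and condition(hdr["BlockSize"] * POOL_ALIGNMENT)
    return check


def check_pool_index(value=0):
    """Counterpart of CheckPoolIndex: the header must carry the expected index."""
    def check(data, offset):
        hdr = read_header(data, offset)
        return hdr is not None and hdr["PoolIndex"] == value
    return check


def scan(data, tag, checks=()):
    """Return the offsets of tag hits that pass every check."""
    hits = []
    offset = data.find(tag)
    while offset >= 0:
        if all(check(data, offset) for check in checks):
            hits.append(offset)
        # Jump straight to the next occurrence of the tag, as PoolTagCheck.skip() does.
        offset = data.find(tag, offset + 1)
    return hits


def build_sample():
    """Constructed buffer: one plausible allocation and two tag-only false positives."""
    block = pool_align(HEADER_SIZE + OBJECT_SIZE)        # 0x64 rounds up to 0x68
    good = (pack_header(0, 0, block // POOL_ALIGNMENT, 3, TAG)
            + b"A" * (block - HEADER_SIZE))
    stray = b"xxxx" + TAG + b"yyyy"                      # tag bytes inside unrelated data
    small = pack_header(block // POOL_ALIGNMENT, 0, 2, 3, TAG) + b"B" * 8   # 16-byte block
    return b"\x00" * 16 + good + stray + small + b"\x00" * 16


SAMPLE = build_sample()
MIN_SIZE = pool_align(OBJECT_SIZE)                       # 0x5C rounds up to 0x60
CHECKS = (check_pool_size(lambda size: size >= MIN_SIZE), check_pool_index(0))

if __name__ == "__main__":
    print("tag only  :", scan(SAMPLE, TAG))
    print("size only :", scan(SAMPLE, TAG, CHECKS[:1]))
    print("index only:", scan(SAMPLE, TAG, CHECKS[1:]))
    print("all checks:", scan(SAMPLE, TAG, CHECKS))
```

The stray tag passes the size check because the four bytes in front of it decode to a large BlockSize, and the undersized block passes the index check, so only the combination leaves the one plausible allocation.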

volatility-2.3.1/volatility/plugins/kpcrscan.py
# Volatility
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Bradley Schatz
@license: GNU General Public License 2.0
@contact: bradley@schatzforensic.com.au
@organization: Schatz Forensic
"""

import struct
import volatility.utils as utils
import volatility.scan as scan
import volatility.cache as cache
import volatility.plugins.common as common
import volatility.obj as obj
import volatility.plugins.addrspaces.intel as intel
import volatility.plugins.addrspaces.amd64 as amd64

class KPCRScan(common.AbstractWindowsCommand):
    """Search for and dump potential KPCR values"""

    meta_info = dict(
        author = 'Bradley Schatz',
        copyright = 'Copyright (c) 2010 Bradley Schatz',
        contact = 'bradley@schatzforensic.com.au',
        license = 'GNU General Public License 2.0',
        url = 'http://www.schatzforensic.com.au/',
        os = 'WIN_32_VISTA_SP0',
        version = '1.0',
        )

    @staticmethod
    def register_options(config):
        config.add_option('KPCR', short_option = 'k', default = None, type = 'int',
                          help = "Specify a specific KPCR address")

    @cache.CacheDecorator("tests/kpcrscan")
    def calculate(self):
        """Determines the address space"""
        addr_space = utils.load_as(self._config, astype = 'any')

        scanner = KPCRScanner()
        for offset in scanner.scan(addr_space):
            kpcr = obj.Object("_KPCR", offset = offset, vm = addr_space)
            yield kpcr

    def render_text(self, outfd, data):
        """Renders the KPCR values as text"""

        for kpcr in data:
            outfd.write("*" * 50 + "\n")

            if hasattr(kpcr.obj_vm, 'vtop'):
                outfd.write("{0:<30}: {1:#x}\n".format("Offset (V)", kpcr.obj_offset))
                outfd.write("{0:<30}: {1:#x}\n".format("Offset (P)", kpcr.obj_vm.vtop(kpcr.obj_offset)))
            else:
                outfd.write("{0:<30}: {1:#x}\n".format("Offset (P)", kpcr.obj_offset))

            outfd.write("{0:<30}: {1:#x}\n".format("KdVersionBlock", kpcr.KdVersionBlock))
            outfd.write("{0:<30}: {1:#x}\n".format("IDT", kpcr.IDT))
            outfd.write("{0:<30}: {1:#x}\n".format("GDT", kpcr.GDT))

            current_thread = kpcr.ProcessorBlock.CurrentThread.dereference_as("_ETHREAD")
            idle_thread = kpcr.ProcessorBlock.IdleThread.dereference_as("_ETHREAD")
            next_thread = kpcr.ProcessorBlock.NextThread.dereference_as("_ETHREAD")

            if current_thread:
                outfd.write("{0:<30}: {1:#x} TID {2} ({3}:{4})\n".format(
                    "CurrentThread",
                    current_thread.obj_offset, current_thread.Cid.UniqueThread,
                    current_thread.owning_process().ImageFileName,
                    current_thread.Cid.UniqueProcess,
                    ))

            if idle_thread:
                outfd.write("{0:<30}: {1:#x} TID {2} ({3}:{4})\n".format(
                    "IdleThread",
                    idle_thread.obj_offset, idle_thread.Cid.UniqueThread,
                    idle_thread.owning_process().ImageFileName,
                    idle_thread.Cid.UniqueProcess,
                    ))

            if next_thread:
                outfd.write("{0:<30}: {1:#x} TID {2} ({3}:{4})\n".format(
                    "NextThread",
                    next_thread.obj_offset,
                    next_thread.Cid.UniqueThread,
                    next_thread.owning_process().ImageFileName,
                    next_thread.Cid.UniqueProcess,
                    ))

            outfd.write("{0:<30}: CPU {1} ({2} @ {3} MHz)\n".format("Details",
                kpcr.ProcessorBlock.Number,
                kpcr.ProcessorBlock.VendorString,
                kpcr.ProcessorBlock.MHz))

            outfd.write("{0:<30}: {1:#x}\n".format("CR3/DTB",
                kpcr.ProcessorBlock.ProcessorState.SpecialRegisters.Cr3))

class KPCRScannerCheck(scan.ScannerCheck):
    """Checks the self referential pointers to find KPCRs"""
    def __init__(self, address_space):
        scan.ScannerCheck.__init__(self, address_space)
        kpcr = obj.Object("_KPCR", vm = self.address_space, offset = 0)
        if address_space.profile.metadata.get('memory_model', '') == '32bit':
            self.SelfPcr_offset = kpcr.SelfPcr.obj_offset
            self.Prcb_offset = kpcr.Prcb.obj_offset
            self.PrcbData_offset = kpcr.PrcbData.obj_offset
            # In the check() routine, we need to compare masked virtual
            # addresses, but self.address_space is a BufferAddressSpace.
            self.address_equality = amd64.AMD64PagedMemory.address_equality
        else:
            # The self-referencing member of _KPCR is Self on x64
            self.SelfPcr_offset = kpcr.Self.obj_offset
            # The pointer to _KPRCB is CurrentPrcb on x64
            self.Prcb_offset = kpcr.CurrentPrcb.obj_offset
            # The nested _KPRCB in Prcb on x64
            self.PrcbData_offset = kpcr.Prcb.obj_offset
            self.address_equality = intel.IA32PagedMemory.address_equality
        self.KPCR = None

    def check(self, offset):
        """ We check that _KCPR.pSelfPCR points to the start of the _KCPR struct """
        paKCPR = offset
        paPRCBDATA = offset + self.PrcbData_offset

        try:
            pSelfPCR = obj.Object('Pointer', offset = (offset + self.SelfPcr_offset), vm = self.address_space)
            pPrcb = obj.Object('Pointer', offset = (offset + self.Prcb_offset), vm = self.address_space)
            if self.address_equality(pSelfPCR, paKCPR) and self.address_equality(pPrcb, paPRCBDATA):
                self.KPCR = pSelfPCR
                return True

        except BaseException:
            return False

        return False

    # make the scan DWORD aligned
    def skip(self, data, offset):
        return 4

        offset_string = struct.pack("I", offset)
        new_offset = offset
        ## A successful match will need to at least match the Most
        ## Significant 3 bytes
        while (new_offset + self.SelfPcr_offset) & 0xFF >= self.SelfPcr_offset:
            new_offset = data.find(offset_string[3], new_offset + 1)
            ## Its not there, skip the whole buffer
            if new_offset < 0:
                return len(data) - offset

            if (new_offset % 4) == 0:
                return new_offset - self.SelfPcr_offset - 1

        return len(data) - offset

class KPCRScanner(scan.BaseScanner):
    checks = [ ("KPCRScannerCheck", {})
               ]

    def scan(self, address_space, offset = 0, maxlen = None):
        return scan.BaseScanner.scan(self, address_space, max(offset, 0x80000000), maxlen)

volatility-2.3.1/volatility/plugins/linux/

volatility-2.3.1/volatility/plugins/linux/netstat.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import socket
import volatility.obj as obj
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.lsof as linux_lsof
import volatility.plugins.linux.pslist as linux_pslist

class linux_netstat(linux_pslist.linux_pslist):
    """Lists open sockets"""

    def __init__(self, config, *args, **kwargs):
        linux_pslist.linux_pslist.__init__(self, config, *args, **kwargs)
        self._config.add_option('IGNORE_UNIX', short_option = 'U', default = None, help = 'ignore unix sockets', action = 'store_true')

    def calculate(self):
        linux_common.set_plugin_members(self)
        if not self.profile.has_type("inet_sock"):
            # ancient (2.6.9) centos kernels do not have inet_sock in debug info
            raise AttributeError, "Given profile does not have inet_sock, please file a bug if the kernel version is > 2.6.11"

        openfiles = linux_lsof.linux_lsof(self._config).calculate()

        for (task, filp, i) in openfiles:
            # its a socket!
            if filp.f_op == self.addr_space.profile.get_symbol("socket_file_ops") or filp.dentry.d_op == self.addr_space.profile.get_symbol("sockfs_dentry_operations"):
                iaddr = filp.dentry.d_inode
                skt = self.SOCKET_I(iaddr)
                inet_sock = obj.Object("inet_sock", offset = skt.sk, vm = self.addr_space)

                yield task, i, inet_sock

    def render_text(self, outfd, data):
        for task, _fd, inet_sock in data:
            if inet_sock.protocol in ("TCP", "UDP", "IP", "HOPOPT"): #hopopt is where unix sockets end up on linux
                state = inet_sock.state if inet_sock.protocol == "TCP" else ""
                family = inet_sock.sk.__sk_common.skc_family #pylint: disable-msg=W0212

                if family == socket.AF_UNIX:
                    # the user choose to ignore unix sockets
                    if self._config.IGNORE_UNIX:
                        continue

                    unix_sock = obj.Object("unix_sock", offset = inet_sock.sk.v(), vm = self.addr_space)

                    if unix_sock.addr:
                        name = obj.Object("sockaddr_un", offset = unix_sock.addr.name.obj_offset, vm = self.addr_space)

                        # only print out sockets with paths
                        if str(name.sun_path) != "":
                            outfd.write("UNIX {0:s}\n".format(name.sun_path))

                elif family in (socket.AF_INET, socket.AF_INET6):
                    sport = inet_sock.src_port
                    dport = inet_sock.dst_port
                    saddr = inet_sock.src_addr
                    daddr = inet_sock.dst_addr

                    outfd.write("{0:8s} {1}:{2:<5} {3}:{4:<5} {5:s} {6:>17s}/{7:<5d}\n".format(inet_sock.protocol, saddr, sport, daddr, dport, state, task.comm, task.pid))

                #else:
                #    print "unknown family: %d" % family

    # has to get the struct socket given an inode (see SOCKET_I in sock.h)
    def SOCKET_I(self, inode):
        # if too many of these, write a container_of
        backsize = self.profile.get_obj_size("socket")
        addr = inode - backsize

        return obj.Object('socket', offset = addr, vm = self.addr_space)

volatility-2.3.1/volatility/plugins/linux/psxview.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2010, 2011, 2012 Michael Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj
import volatility.plugins.linux.pslist as linux_pslist
import volatility.plugins.linux.pidhashtable as linux_pidhashtable
import volatility.plugins.linux.pslist_cache as linux_pslist_cache
import volatility.plugins.linux.common as linux_common

#based off the windows version from mhl
#
#INFO:
#   'pslist' does not get threads
#   'pid_hash' does
#   'kmem_cache' does
#   'runqueue' does

class linux_psxview(linux_common.AbstractLinuxCommand):
    "Find hidden processes with various process listings"

    def get_pslist(self):
        return [x.obj_offset for x in linux_pslist.linux_pslist(self._config).calculate()]

    def get_pid_hash(self):
        return [x.obj_offset for x in linux_pidhashtable.linux_pidhashtable(self._config).calculate()]

    def get_kmem_cache(self):
        return [x.obj_offset for x in linux_pslist_cache.linux_pslist_cache(self._config).calculate()]

    def calculate(self):
        linux_common.set_plugin_members(self)

        ps_sources = {}

        # The keys are names of process sources
        # The values are the virtual offset of the task_struct

        ps_sources['pslist'] = self.get_pslist()
        ps_sources['pid_hash'] = self.get_pid_hash()
        ps_sources['kmem_cache'] = self.get_kmem_cache()

        # FUTURE
        # ps_sources['run_queue'] =

        # Build a list of offsets from all sources
        seen_offsets = []
        for source in ps_sources:
            tasks = ps_sources[source]

            for offset in tasks:
                if offset not in seen_offsets:
                    seen_offsets.append(offset)
                    yield offset, obj.Object("task_struct", offset = offset, vm = self.addr_space), ps_sources

    def render_text(self, outfd, data):
        self.table_header(outfd, [('Offset(V)', '[addrpad]'),
                                  ('Name', '<20'),
                                  ('PID', '>6'),
                                  ('pslist', '5'),
                                  ('pid_hash', '5'),
                                  ('kmem_cache', '5'),
                                  ])

        for offset, process, ps_sources in data:
            self.table_row(outfd,
                offset,
                process.comm,
                process.pid,
                str(ps_sources['pslist'].__contains__(offset)),
                str(ps_sources['pid_hash'].__contains__(offset)),
                str(ps_sources['kmem_cache'].__contains__(offset))
                )

volatility-2.3.1/volatility/plugins/linux/pidhashtable.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist

PIDTYPE_PID = 0

# determining the processing algorithm to use is based on crash from redhat
class linux_pidhashtable(linux_pslist.linux_pslist):
    """Enumerates processes through the PID hash table"""

    def __init__(self, *args, **kwargs):
        self.seen_tasks = {}
        linux_pslist.linux_pslist.__init__(self, *args, **kwargs)

    def get_obj(self, ptr, sname, member):
        offset = self.profile.get_obj_offset(sname, member)
        addr = ptr - offset
        return obj.Object(sname, offset = addr, vm = self.addr_space)

    def _task_for_pid(self, upid, pid):
        chained = 0

        pid_tasks_0 = pid.tasks[0].first

        if pid_tasks_0 == 0:
            chained = 1
            pnext_addr = upid.obj_offset + self.profile.get_obj_offset("upid", "pid_chain") + self.profile.get_obj_offset("hlist_node", "next")
            pnext = obj.Object("unsigned long", offset = pnext_addr, vm = self.addr_space)
            upid = obj.Object("upid", offset = pnext - self.profile.get_obj_offset("upid", "pid_chain"), vm = self.addr_space)

            for task in self._walk_upid(upid):
                yield task

        if chained == 0:
            task = obj.Object("task_struct", offset = pid_tasks_0 - self.profile.get_obj_offset("task_struct", "pids"), vm = self.addr_space)
            if task.pid > 0:
                yield task

    def _walk_upid(self, upid):
        while upid:
            pid = self.get_obj(upid.obj_offset, "pid", "numbers")

            for task in self._task_for_pid(upid, pid):
                yield task

            if type(upid.pid_chain) == obj.Pointer:
                pid_chain = obj.Object("hlist_node", offset = upid.pid_chain.obj_offset, vm = self.addr_space)
            else:
                pid_chain = upid.pid_chain

            if not pid_chain:
                break

            upid = self.get_obj(pid_chain.next, "upid", "pid_chain")

    def calculate_v3(self):
        self.seen_tasks = {}

        pidhash_shift = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("pidhash_shift"), vm = self.addr_space)
        pidhash_size = 1 << pidhash_shift

        pidhash_addr = self.addr_space.profile.get_symbol("pid_hash")
        pidhash_ptr = obj.Object("Pointer", offset = pidhash_addr, vm = self.addr_space)

        # pidhash is an array of hlist_heads
        pidhash = obj.Object(theType = 'Array', offset = pidhash_ptr, vm = self.addr_space, targetType = 'hlist_head', count = pidhash_size)

        for hlist in pidhash:
            # each entry in the hlist is a upid which is wrapped in a pid
            ent = hlist.first

            while ent.v():
                upid = self.get_obj(ent.obj_offset, "upid", "pid_chain")

                for task in self._walk_upid(upid):
                    if not task.obj_offset in self.seen_tasks:
                        self.seen_tasks[task.obj_offset] = 1
                        if task.is_valid_task():
                            yield task

                ent = ent.m("next")

    # the following functions exist because crash has handlers for them
    # but I was unable to find a profile/kernel that needed them (maybe too old or just a one-off distro kernel
    # if someone actually triggers this message, I can quickly add in the support as I will have a sample to test again
    def profile_unsupported(self, func_name):
        debug.error("{0:s}: This profile is currently unsupported by this plugin. Please file a bug report on our issue tracker to have support added.".format(func_name))

    def calculate_v2(self):
        self.profile_unsupported("calculate_v2")

    def calculate_v1(self):
        self.profile_unsupported("calculate_v1")

    def refresh_pid_hash_task_table(self):
        self.profile_unsupported("refresh_pid_hash_task_table")

    def get_both(self):
        has_pid_link = self.profile.has_type("pid_link")
        has_link_pid = self.profile.obj_has_member("pid_link", "pid")

        has_pid_hash = self.profile.has_type("pid_hash")
        has_upid = self.profile.has_type("upid")
        has_pid_numbers = self.profile.obj_has_member("pid", "numbers")

        if has_pid_hash:
            has_hash_chain = self.profile.obj_has_member("pid_hash", "chain")
        else:
            has_hash_chain = None

        if has_link_pid and has_hash_chain:
            func = self.refresh_pid_hash_task_table
        elif has_pid_link:
            if has_upid and has_pid_numbers:
                func = self.calculate_v3 # refresh_hlist_task_table_v3
            else:
                func = self.calculate_v2 # refresh_hlist_task_table_v2
        else:
            func = self.calculate_v1

        return func

    def determine_func(self):
        pidhash = self.addr_space.profile.get_symbol("pidhash")
        pid_hash = self.addr_space.profile.get_symbol("pid_hash")
        pidhash_shift = self.addr_space.profile.get_symbol("pidhash_shift")

        if pid_hash and pidhash_shift:
            func = self.get_both()
        elif pid_hash:
            func = self.refresh_pid_hash_task_table
        elif pidhash:
            func = self.refresh_pid_hash_task_table

        return func

    def calculate(self):
        linux_common.set_plugin_members(self)
        func = self.determine_func()

        for task in func():
            yield task

volatility-2.3.1/volatility/plugins/linux/proc_maps.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist

class linux_proc_maps(linux_pslist.linux_pslist):
    """Gathers process maps for linux"""

    def calculate(self):
        linux_common.set_plugin_members(self)
        tasks = linux_pslist.linux_pslist.calculate(self)

        for task in tasks:
            if task.mm:
                for vma in task.get_proc_maps():
                    yield task, vma

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Pid", "8"),
                                  ("Start", "#018x"),
                                  ("End", "#018x"),
                                  ("Flags", "6"),
                                  ("Pgoff", "[addr]"),
                                  ("Major", "6"),
                                  ("Minor", "6"),
                                  ("Inode", "10"),
                                  ("File Path", "80"),
                                  ])
        for task, vma in data:
            if vma.vm_file:
                inode = vma.vm_file.dentry.d_inode
                major, minor = inode.i_sb.major, inode.i_sb.minor
                ino = inode.i_ino
                pgoff = vma.vm_pgoff << 12
                fname = linux_common.get_path(task, vma.vm_file)
            else:
                (major, minor, ino, pgoff) = [0] * 4

                if vma.vm_start <= task.mm.start_brk and vma.vm_end >= task.mm.brk:
                    fname = "[heap]"
                elif vma.vm_start <= task.mm.start_stack and vma.vm_end >= task.mm.start_stack:
                    fname = "[stack]"
                else:
                    fname = ""

            self.table_row(outfd, task.pid,
                vma.vm_start,
                vma.vm_end,
                str(vma.vm_flags),
                pgoff,
                major,
                minor,
                ino,
                fname)

volatility-2.3.1/volatility/plugins/linux/keyboard_notifier.py
# Volatility
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Joe Sylve
@license: GNU General Public License 2.0
@contact: joe.sylve@gmail.com
@organization: 504ENSICS Labs
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common

class linux_keyboard_notifier(linux_common.AbstractLinuxCommand):
    """Parses the keyboard notifier call chain"""

    def calculate(self):
        linux_common.set_plugin_members(self)

        knl_addr = self.addr_space.profile.get_symbol("keyboard_notifier_list")

        if not knl_addr:
            debug.error("Symbol keyboard_notifier_list not found in kernel")

        knl = obj.Object("atomic_notifier_head", offset = knl_addr, vm = self.addr_space)

        symbol_cache = {}

        for callback in linux_common.walk_internal_list("notifier_block", "next", knl.head):
            if symbol_cache.has_key(callback):
                sym_name = symbol_cache[callback]
                hooked = 0
            else:
                sym_name = self.profile.get_symbol_by_address("kernel", callback)
                # hooked stays 0 unless the callback resolves to no kernel symbol
                hooked = 0
                if not sym_name:
                    sym_name = "HOOKED"
                    hooked = 1

            symbol_cache[callback] = sym_name

            yield callback.notifier_call, sym_name, hooked

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Address", "[addrpad]"), ("Symbol", "<30")])
        for call_addr, sym_name, _ in data:
            self.table_row(outfd, call_addr, sym_name)

volatility-2.3.1/volatility/plugins/linux/check_modules.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.lsmod as linux_lsmod
import volatility.plugins.linux.common as linux_common

class linux_check_modules(linux_common.AbstractLinuxCommand):
    """Compares module list to sysfs info, if available"""

    def get_kset_modules(self):
        module_kset_addr = self.profile.get_symbol("module_kset")
        if not module_kset_addr:
            debug.error("This command is not supported by this profile.")

        ret = set()

        module_kset = obj.Object("kset", offset = module_kset_addr, vm = self.addr_space)

        for kobj in module_kset.list.list_of_type("kobject", "entry"):
            name = kobj.name.dereference_as("String", length = 32)
            if name.is_valid() and kobj.kref.refcount.counter > 2:
                ret.add(str(name))

        return ret

    def calculate(self):
        linux_common.set_plugin_members(self)

        kset_modules = self.get_kset_modules()

        lsmod_modules = set([str(module.name) for (module, params, sects) in linux_lsmod.linux_lsmod(self._config).calculate()])

        for mod_name in kset_modules.difference(lsmod_modules):
            yield mod_name

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Module Name", "")])
        for name in data:
            self.table_row(outfd, name)

volatility-2.3.1/volatility/plugins/linux/cpuinfo.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.plugins.linux.common as linux_common
import volatility.obj as obj

class linux_cpuinfo(linux_common.AbstractLinuxIntelCommand):
    """Prints info about each active processor"""

    def calculate(self):
        linux_common.set_plugin_members(self)

        cpus = self.online_cpus()

        if len(cpus) > 1 and self.get_per_cpu_symbol("cpu_info"):
            func = self.get_info_smp
        elif self.get_per_cpu_symbol("boot_cpu_data"):
            func = self.get_info_single
        else:
            raise AttributeError, "Unable to get CPU info for memory capture"

        return func()

    def get_info_single(self):
        cpu = obj.Object("cpuinfo_x86", offset = self.addr_space.profile.get_symbol("boot_cpu_data"), vm = self.addr_space)

        yield 0, cpu

    def get_info_smp(self):
        """
        pulls the per_cpu cpu info
        will break apart the per_cpu code if a future plugin needs it
        """
        for i, cpu in self.walk_per_cpu_var("cpu_info", "cpuinfo_x86"):
            yield i, cpu

    def get_per_cpu_symbol(self, sym_name, module = "kernel"):
        """
        In 2.6.3x, Linux changed how the symbols for per_cpu variables were named
        This handles both formats so plugins needing per-cpu vars are cleaner
        """
        ret = self.addr_space.profile.get_symbol(sym_name, module = module)

        if not ret:
            ret = self.addr_space.profile.get_symbol("per_cpu__" + sym_name, module = module)

        return ret

    def online_cpus(self):
        """ returns a list of online cpus (the processor numbers) """
        cpu_online_bits_addr = self.addr_space.profile.get_symbol("cpu_online_bits")
        cpu_present_map_addr = self.addr_space.profile.get_symbol("cpu_present_map")

        #later kernels..
        if cpu_online_bits_addr:
            bmap = obj.Object("unsigned long", offset = cpu_online_bits_addr, vm = self.addr_space)
        elif cpu_present_map_addr:
            bmap = obj.Object("unsigned long", offset = cpu_present_map_addr, vm = self.addr_space)
        else:
            raise AttributeError, "Unable to determine number of online CPUs for memory capture"

        cpus = []
        for i in range(8):
            if bmap & (1 << i):
                cpus.append(i)

        return cpus

    def walk_per_cpu_var(self, per_var, var_type):
        cpus = self.online_cpus()

        # get the highest numbered cpu
        max_cpu = cpus[-1] + 1

        offset_var = self.addr_space.profile.get_symbol("__per_cpu_offset")
        per_offsets = obj.Object(theType = 'Array', targetType = 'unsigned long', count = max_cpu, offset = offset_var, vm = self.addr_space)

        for i in range(max_cpu):
            offset = per_offsets[i]

            cpu_var = self.get_per_cpu_symbol(per_var)

            addr = cpu_var + offset.v()
            var = obj.Object(var_type, offset = addr, vm = self.addr_space)

            yield i, var

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Processor", "12"),
                                  ("Vendor", "16"),
                                  ("Model", "")])
        for i, cpu in data:
            self.table_row(outfd, str(i), cpu.x86_vendor_id, cpu.x86_model_id)

volatility-2.3.1/volatility/plugins/linux/ifconfig.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.plugins.linux.common as linux_common
import volatility.debug as debug
import volatility.obj as obj

class linux_ifconfig(linux_common.AbstractLinuxCommand):
    """Gathers active interfaces"""

    def _get_devs_base(self):
        net_device_ptr = obj.Object("Pointer", offset = self.addr_space.profile.get_symbol("dev_base"), vm = self.addr_space)
        net_device = net_device_ptr.dereference_as("net_device")

        for net_dev in linux_common.walk_internal_list("net_device", "next", net_device):
            yield net_dev

    def _get_devs_namespace(self):
        nslist_addr = self.addr_space.profile.get_symbol("net_namespace_list")
        nethead = obj.Object("list_head", offset = nslist_addr, vm = self.addr_space)

        # walk each network namespace
        # http://www.linuxquestions.org/questions/linux-kernel-70/accessing-ip-address-from-kernel-ver-2-6-31-13-module-815578/
        for net in nethead.list_of_type("net", "list"):
            # walk each device in the current namespace
            for net_dev in net.dev_base_head.list_of_type("net_device", "dev_list"):
                yield net_dev

    def _gather_net_dev_info(self, net_dev):
        mac_addr = net_dev.mac_addr
        promisc = str(net_dev.promisc)

        in_dev = obj.Object("in_device", offset = net_dev.ip_ptr, vm = self.addr_space)

        for dev in in_dev.devices():
            ip_addr = dev.ifa_address.cast('IpAddress')
            name = dev.ifa_label
            yield (name, ip_addr, mac_addr, promisc)

    def calculate(self):
        linux_common.set_plugin_members(self)

        # newer kernels
        if self.addr_space.profile.get_symbol("net_namespace_list"):
            for net_dev in self._get_devs_namespace():
                for ip_addr_info in self._gather_net_dev_info(net_dev):
                    yield ip_addr_info

        elif self.addr_space.profile.get_symbol("dev_base"):
            for net_dev in self._get_devs_base():
                for ip_addr_info in self._gather_net_dev_info(net_dev):
                    yield ip_addr_info

        else:
            debug.error("Unable to determine ifconfig information")

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Interface", "16"),
                                  ("IP Address", "20"),
                                  ("MAC Address", "18"),
                                  ("Promiscous Mode", "5")])

        for (name, ip_addr, mac_addr, promisc) in data:
            self.table_row(outfd, name, ip_addr, mac_addr, promisc)

volatility-2.3.1/volatility/plugins/linux/bash.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import struct
from operator import attrgetter
import volatility.obj as obj
import volatility.debug as debug
import volatility.addrspace as addrspace
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist

bash_vtypes_32 = {
    '_hist_entry': [ 0xc, {
    'line': [0x0, ['pointer', ['String', dict(length = 1024)]]],
    'timestamp': [0x4, ['pointer', ['String', dict(length = 1024)]]],
    'data': [0x8, ['pointer', ['void']]],
    }],
}

bash_vtypes_64 = {
    '_hist_entry': [ 24, {
    'line': [0, ['pointer', ['String', dict(length = 1024)]]],
    'timestamp': [8, ['pointer', ['String', dict(length = 1024)]]],
    'data': [16, ['pointer', ['void']]],
    }],
}

class _hist_entry(obj.CType):
    """A class for history entries"""

    def is_valid(self):
        # Check the basic structure members
        if (not obj.CType.is_valid(self) or
                not self.line.is_valid() or
                len(self.line.dereference()) == 0 or
                not self.timestamp.is_valid()):
            return False

        # A pointer to the timestamp string
        ts = self.timestamp.dereference()

        # At this point in time, the epoc integer size will
        # never be less than 10 characters, and the stamp is
        # always preceded by a pound/hash character.
        if len(ts) < 10 or str(ts)[0] != "#":
            return False

        # The final check is to make sure the entire string
        # is composed of numbers. Try to convert to an int.
        try:
            int(str(ts)[1:])
        except ValueError:
            return False

        return True

    @property
    def time_as_integer(self):
        # Get the string and remove the leading "#" from the timestamp
        time_string = str(self.timestamp.dereference())[1:]
        # Convert the string into an integer (number of seconds)
        return int(time_string)

    def time_object(self):
        nsecs = self.time_as_integer
        # Build a timestamp object from the integer
        time_val = struct.pack(".
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.plugins.linux.common as linux_common
from volatility.plugins.linux.slab_info import linux_slabinfo

class linux_dentry_cache(linux_common.AbstractLinuxCommand):
    """Gather files from the dentry cache"""

    def __init__(self, config, *args, **kwargs):
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)
        self._config.add_option('UNALLOCATED', short_option = 'u',
                                default = False,
                                help = 'Show unallocated',
                                action = 'store_true')

    def make_body(self, dentry):
        """Create a pipe-delimited bodyfile from a dentry structure.

        MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
        """

        path = dentry.get_partial_path() or ""
        i = dentry.d_inode

        if i:
            ret = [0, path, i.i_ino, 0, i.i_uid, i.i_gid, i.i_size, i.i_atime, i.i_mtime, 0, i.i_ctime]
        else:
            ret = [0, path] + [0] * 8

        ret = "|".join([str(val) for val in ret])
        return ret

    def calculate(self):
        linux_common.set_plugin_members(self)

        cache = linux_slabinfo(self._config).get_kmem_cache("dentry", self._config.UNALLOCATED)

        # support for old kernels
        if cache == []:
            cache = linux_slabinfo(self._config).get_kmem_cache("dentry_cache", self._config.UNALLOCATED, struct_name = "dentry")

        for dentry in cache:
            yield self.make_body(dentry)

    def render_text(self, outfd, data):
        for bodyline in data:
            outfd.write(bodyline + "\n")

volatility-2.3.1/volatility/plugins/linux/common.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.commands as commands
import volatility.utils as utils
import volatility.debug as debug
import volatility.obj as obj

MAX_STRING_LENGTH = 256

nsecs_per = 1000000000

class vol_timespec:

    def __init__(self, secs, nsecs):
        self.tv_sec = secs
        self.tv_nsec = nsecs

def set_plugin_members(obj_ref):
    obj_ref.addr_space = utils.load_as(obj_ref._config)

    if not obj_ref.is_valid_profile(obj_ref.addr_space.profile):
        debug.error("This command does not support the selected profile.")

class AbstractLinuxCommand(commands.Command):
    def __init__(self, *args, **kwargs):
        self.addr_space = None
        self.known_addrs = {}
        commands.Command.__init__(self, *args, **kwargs)

    @property
    def profile(self):
        if self.addr_space:
            return self.addr_space.profile
        return None

    def execute(self, *args, **kwargs):
        commands.Command.execute(self, *args, **kwargs)

    @staticmethod
    def is_valid_profile(profile):
        return profile.metadata.get('os', 'Unknown').lower() == 'linux'

    def is_known_address(self, addr, modules):

        text = self.profile.get_symbol("_text")
        etext = self.profile.get_symbol("_etext")

        return (self.addr_space.address_compare(addr, text) != -1 and self.addr_space.address_compare(addr, etext) == -1) or self.address_in_module(addr, modules)

    def address_in_module(self, addr, modules):

        for (_, start, end) in modules:
            if self.addr_space.address_compare(addr, start) != -1 and self.addr_space.address_compare(addr, end) == -1:
                return True

        return False

    def verify_ops(self, ops, op_members, modules):

        for check in op_members:
            addr = ops.m(check)

            if addr and addr != 0:

                if addr in self.known_addrs:
                    known = self.known_addrs[addr]
                else:
                    known = self.is_known_address(addr, modules)
                    self.known_addrs[addr] = known

                if known == 0:
                    yield (check, addr)

class AbstractLinuxIntelCommand(AbstractLinuxCommand):
    @staticmethod
    def is_valid_profile(profile):
        return AbstractLinuxCommand.is_valid_profile(profile) \
        and (profile.metadata.get('arch').lower() == 'x86' \
        or profile.metadata.get('arch').lower() == 'x64')

class AbstractLinuxARMCommand(AbstractLinuxCommand):
    @staticmethod
    def is_valid_profile(profile):
        return AbstractLinuxCommand.is_valid_profile(profile) \
        and (profile.metadata.get('arch').lower() == 'arm')

def walk_internal_list(struct_name, list_member, list_start, addr_space = None):
    if not addr_space:
        addr_space = list_start.obj_vm

    while list_start:
        list_struct = obj.Object(struct_name, vm = addr_space, offset = list_start.v())
        yield list_struct
        list_start = getattr(list_struct, list_member)

# based on __d_path
def do_get_path(rdentry, rmnt, dentry, vfsmnt):
    ret_path = []

    inode = dentry.d_inode

    if not rdentry.is_valid() or not dentry.is_valid():
        return []

    while (dentry != rdentry or vfsmnt != rmnt) and dentry.d_name.name.is_valid():

        dname = dentry.d_name.name.dereference_as("String", length = MAX_STRING_LENGTH)

        ret_path.append(dname.strip('/'))

        if dentry == vfsmnt.mnt_root or dentry == dentry.d_parent:
            if vfsmnt.mnt_parent == vfsmnt.v():
                break
            dentry = vfsmnt.mnt_mountpoint
            vfsmnt = vfsmnt.mnt_parent
            continue

        parent = dentry.d_parent
        dentry = parent

    ret_path.reverse()

    if ret_path == []:
        return []

    ret_val = '/'.join([str(p) for p in ret_path if p != ""])

    if ret_val.startswith(("socket:", "pipe:")):
        if ret_val.find("]") == -1:
            ret_val = ret_val[:-1] + ":[{0}]".format(inode.i_ino)
        else:
            ret_val = ret_val.replace("/", "")

    elif ret_val != "inotify":
        ret_val = '/' + ret_val

    return ret_val

def get_path(task, filp):
    rdentry = task.fs.get_root_dentry()
    rmnt = task.fs.get_root_mnt()
    dentry = filp.dentry
    vfsmnt = filp.vfsmnt
    return do_get_path(rdentry, rmnt, dentry, vfsmnt)

volatility-2.3.1/volatility/plugins/linux/linux_yarascan.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.plugins.malware.malfind as malfind
import volatility.plugins.linux.pslist as pslist
import volatility.plugins.linux.common as linux_common
import volatility.utils as utils
import volatility.debug as debug

try:
    import yara
    has_yara = True
except ImportError:
    has_yara = False

class VmaYaraScanner(malfind.BaseYaraScanner):
    """A scanner over all memory regions of a process."""

    def __init__(self, task = None, **kwargs):
        """Scan the process address space through the VMAs.

        Args:
          task: The task_struct object for this task.
        """
        self.task = task
        malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)

    def scan(self, offset = 0, maxlen = None):
        for vma in self.task.get_proc_maps():
            for match in malfind.BaseYaraScanner.scan(self, vma.vm_start, vma.vm_end - vma.vm_start):
                yield match

class linux_yarascan(malfind.YaraScan):
    """Scan the Linux memory image with Yara signatures"""

    @staticmethod
    def is_valid_profile(profile):
        return profile.metadata.get('os', 'Unknown').lower() == 'linux'

    def calculate(self):

        ## we need this module imported
        if not has_yara:
            debug.error("Please install Yara from code.google.com/p/yara-project")

        ## leveraged from the windows yarascan plugin
        rules = self._compile_rules()

        ## set the linux plugin address spaces
        linux_common.set_plugin_members(self)

        if self._config.KERNEL:
            ## the start of kernel memory taken from VolatilityLinuxIntelValidAS
            if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
                kernel_start = 0xc0000000
            else:
                kernel_start = 0xffffffff80000000

            scanner = malfind.DiscontigYaraScanner(rules = rules,
                                                   address_space = self.addr_space)

            for hit, address in scanner.scan(start_offset = kernel_start):
                yield (None, address, hit,
                        scanner.address_space.zread(address, 64))
        else:
            for task in pslist.linux_pslist(self._config).calculate():
                scanner = VmaYaraScanner(task = task, rules = rules)
                for hit, address in scanner.scan():
                    yield (task, address, hit,
                                scanner.address_space.zread(address, 64))

    def render_text(self, outfd, data):
        for task, address, hit, buf in data:
            if task:
                outfd.write("Task: {0} pid {1} rule {2} addr {3:#x}\n".format(
                    task.comm, task.pid, hit.rule, address))
            else:
                outfd.write("[kernel] rule {0} addr {1:#x}\n".format(hit.rule, address))

            outfd.write("".join(["{0:#010x} {1:<48} {2}\n".format(
                address + o, h, ''.join(c)) for o, h, c in utils.Hexdump(buf)]))

volatility-2.3.1/volatility/plugins/linux/sk_buff_cache.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import os
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
from volatility.plugins.linux.slab_info import linux_slabinfo

class linux_sk_buff_cache(linux_common.AbstractLinuxCommand):
    """Recovers packets from the sk_buff kmem_cache"""

    def __init__(self, config, *args, **kwargs):
        self.edir = None
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)
        self._config.add_option('UNALLOCATED', short_option = 'u', default = False, help = 'Show unallocated', action = 'store_true')
        self._config.add_option('DUMP-DIR', short_option = 'D', default = None, help = 'output directory for recovered packets', action = 'store', type = 'str')

    def write_sk_buff(self, s):
        pkt_len = s.len

        # keep sane sized packets
        if 0 < pkt_len < 0x6400000:

            start = s.data

            data = self.addr_space.zread(start, pkt_len)

            fname = "{0:x}".format(s.obj_offset)
            fd = open(os.path.join(self.edir, fname), "wb")
            fd.write(data)
            fd.close()

            yield "Wrote {0:d} bytes to {1:s}".format(pkt_len, fname)

    def walk_cache(self, cache_name):
        cache = linux_slabinfo(self._config).get_kmem_cache(cache_name, self._config.UNALLOCATED, struct_name = "sk_buff")

        if not cache:
            return

        for s in cache:
            for msg in self.write_sk_buff(s):
                yield msg

    def calculate(self):
        linux_common.set_plugin_members(self)

        self.edir = self._config.DUMP_DIR

        if not self.edir:
            debug.error("No output directory given.")

        for msg in self.walk_cache("skbuff_head_cache"):
            yield msg

        for msg in self.walk_cache("skbuff_fclone_cache"):
            yield msg

    def render_text(self, outfd, data):

        for msg in data:
            outfd.write("{0:s}\n".format(msg))

volatility-2.3.1/volatility/plugins/linux/flags.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

# flags used throughout the plugins
# these aren't going to change due to binary breakage if they would

# Protocol strings should use volatility.protos

tcp_states = ("",
              "ESTABLISHED",
              "SYN_SENT",
              "SYN_RECV",
              "FIN_WAIT1",
              "FIN_WAIT2",
              "TIME_WAIT",
              "CLOSE",
              "CLOSE_WAIT",
              "LAST_ACK",
              "LISTEN",
              "CLOSING")

MNT_NOSUID = 0x01
MNT_NODEV = 0x02
MNT_NOEXEC = 0x04
MNT_NOATIME = 0x08
MNT_NODIRATIME = 0x10
MNT_RELATIME = 0x20

mnt_flags = {
    MNT_NOSUID: ",nosuid",
    MNT_NODEV: ",nodev",
    MNT_NOEXEC: ",noexec",
    MNT_NOATIME: ",noatime",
    MNT_NODIRATIME: ",nodiratime",
    MNT_RELATIME: ",relatime"
    }

S_IFMT = 0170000
S_IFSOCK = 0140000
S_IFLNK = 0120000
S_IFREG = 0100000
S_IFBLK = 0060000
S_IFDIR = 0040000
S_IFCHR = 0020000
S_IFIFO = 0010000
S_ISUID = 0004000
S_ISGID = 0002000

volatility-2.3.1/volatility/plugins/linux/check_fops.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import os

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.lsof as linux_lsof
import volatility.plugins.linux.lsmod as linux_lsmod
from volatility.plugins.linux.slab_info import linux_slabinfo

class linux_check_fop(linux_common.AbstractLinuxCommand):
    """Check file operation structures for rootkit modifications"""

    def __init__(self, config, *args, **kwargs):
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)
        self._config.add_option('INODE', short_option = 'i', default = None, help = 'inode to check', action = 'store', type='int')

    def check_open_files_fop(self, f_op_members, modules):
        # get all the members in file_operations, they are all function pointers
        openfiles = linux_lsof.linux_lsof(self._config).calculate()

        for (task, filp, i) in openfiles:
            for (hooked_member, hook_address) in self.verify_ops(filp.f_op, f_op_members, modules):
                name = "{0:s} {1:d} {2:s}".format(task.comm, i, linux_common.get_path(task, filp))
                yield (name, hooked_member, hook_address)

    def check_proc_fop(self, f_op_members, modules):

        proc_mnt_addr = self.addr_space.profile.get_symbol("proc_mnt")

        if not proc_mnt_addr:
            return

        proc_mnt_ptr = obj.Object("Pointer", offset = proc_mnt_addr, vm = self.addr_space)
        proc_mnt = proc_mnt_ptr.dereference_as("vfsmount")

        root = proc_mnt.mnt_root

        for (hooked_member, hook_address) in self.verify_ops(root.d_inode.i_fop, f_op_members, modules):
            yield ("proc_mnt: root", hooked_member, hook_address)

        # only check the root directory
        for dentry in root.d_subdirs.list_of_type("dentry", "d_u"):

            name = dentry.d_name.name.dereference_as("String", length = 255)

            for (hooked_member, hook_address) in self.verify_ops(dentry.d_inode.i_fop, f_op_members, modules):
                yield("proc_mnt: {0}".format(name), hooked_member, hook_address)

    def walk_proc(self, cur, f_op_members, modules, parent = ""):

        while cur:

            if cur.obj_offset in self.seen_proc:
                cur = cur.next
                continue

            self.seen_proc[cur.obj_offset] = 1

            name = cur.name.dereference_as("String", length = 255)

            fops = cur.proc_fops

            for (hooked_member, hook_address) in self.verify_ops(fops, f_op_members, modules):
                yield (name, hooked_member, hook_address)

            subdir = cur.subdir

            while subdir:
                for (name, hooked_member, hook_address) in self.walk_proc(subdir, f_op_members, modules):
                    yield (name, hooked_member, hook_address)
                subdir = subdir.next

            cur = cur.next

    def check_proc_root_fops(self, f_op_members, modules):
        self.seen_proc = {}

        proc_root_addr = self.addr_space.profile.get_symbol("proc_root")
        proc_root = obj.Object("proc_dir_entry", offset = proc_root_addr, vm = self.addr_space)

        for (hooked_member, hook_address) in self.verify_ops(proc_root.proc_fops, f_op_members, modules):
            yield("proc_root", hooked_member, hook_address)

        for (name, hooked_member, hook_address) in self.walk_proc(proc_root, f_op_members, modules):
            yield (name, hooked_member, hook_address)

    def calculate(self):
        linux_common.set_plugin_members(self)

        modules = linux_lsmod.linux_lsmod(self._config).get_modules()

        f_op_members = self.profile.types['file_operations'].keywords["members"].keys()
        f_op_members.remove('owner')

        if self._config.INODE:
            inode = obj.Object("inode", offset=self._config.INODE, vm=self.addr_space)
            if not inode.is_valid():
                debug.error("Invalid inode address given. Please use linux_find_file to determine valid inode addresses.")

            for (hooked_member, hook_address) in self.verify_ops(inode.i_fop, f_op_members, modules):
                yield("inode at {0:x}".format(inode.obj_offset), hooked_member, hook_address)

        else:
            funcs = [self.check_open_files_fop, self.check_proc_fop, self.check_proc_root_fops]

            for func in funcs:

                for (name, member, address) in func(f_op_members, modules):
                    yield (name, member, address)

    def render_text(self, outfd, data):

        self.table_header(outfd, [("Symbol Name", "42"),
                                  ("Member", "30"),
                                  ("Address", "[addr]")])

        for (what, member, address) in data:
            self.table_row(outfd, what, member, address)

volatility-2.3.1/volatility/plugins/linux/__init__.py
volatility-2.3.1/volatility/plugins/linux/dmesg.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.linux.common as linux_common

class linux_dmesg(linux_common.AbstractLinuxCommand):
    """Gather dmesg buffer"""

    def _get_log_info(self):

        ptr_addr = self.addr_space.profile.get_symbol("log_buf")
        log_buf_addr = obj.Object("unsigned long", offset = ptr_addr, vm = self.addr_space)
        log_buf_len = obj.Object("int", self.addr_space.profile.get_symbol("log_buf_len"), vm = self.addr_space)

        return (log_buf_addr, log_buf_len)

    # pre 3.x
    def _pre_3(self, buf_addr, buf_len):

        return obj.Object("String", offset = buf_addr, vm = self.addr_space, length = buf_len)

    def _ver_3(self, buf_addr, buf_len):
        '''
        During 3.x, the kernel switched the kernel debug buffer from just a big char array to the variable now holding variable sized records tracked by inline 'log' structures
        We deal with this by walking all the logs and building the buffer up and then returning it
        This produces the same results as the old way
        '''

        ret = ""

        size_of_log = self.profile.get_obj_size("log")

        cur_addr = buf_addr
        end_addr = buf_addr + buf_len

        log = obj.Object("log", offset = cur_addr, vm = self.addr_space)
        cur_len = log.len

        while cur_addr < end_addr and cur_len != 0:

            msg_len = log.text_len

            cur_ts = log.ts_nsec
            buf = obj.Object("String", offset = cur_addr + size_of_log, vm = self.addr_space, length = msg_len)

            ret = ret + "[{0}.{1}] {2}\n".format(cur_ts, cur_ts / 1000000000, buf)

            cur_addr = cur_addr + cur_len

            log = obj.Object("log", offset = cur_addr, vm = self.addr_space)
            cur_len = log.len

        return ret

    def calculate(self):
        linux_common.set_plugin_members(self)

        (log_buf_addr, log_buf_len) = self._get_log_info()

        if self.profile.has_type("log") and self.profile.obj_has_member("log", "ts_nsec"):
            yield self._ver_3(log_buf_addr, log_buf_len)
        else:
            yield self._pre_3(log_buf_addr, log_buf_len)

    def render_text(self, outfd, data):

        for buf in data:
            outfd.write("{0:s}\n".format(buf))

volatility-2.3.1/volatility/plugins/linux/iomem.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.linux.common as linux_common

class linux_iomem(linux_common.AbstractLinuxCommand):
    """Provides output similar to /proc/iomem"""

    def yield_resource(self, io_ptr, depth = 0):

        if not io_ptr:
            #print "null"
            return []

        io_res = obj.Object("resource", offset = io_ptr, vm = self.addr_space)

        name = io_res.name.dereference_as("String", length = linux_common.MAX_STRING_LENGTH)
        start = io_res.start
        end = io_res.end

        output = [(depth, name, start, end)]

        output += self.yield_resource(io_res.child, depth + 1)
        output += self.yield_resource(io_res.sibling, depth)
        return output

    def calculate(self):
        linux_common.set_plugin_members(self)

        io_ptr = self.addr_space.profile.get_symbol("iomem_resource")

        for r in self.yield_resource(io_ptr):
            yield r

    def render_text(self, outfd, data):

        for output in data:
            depth, name, start, end = output
            outfd.write("{0:35s}\t0x{1:<16X}\t0x{2:<16X}\n".format((" " * depth) + name, start, end))

volatility-2.3.1/volatility/plugins/linux/check_syscall_arm.py
# Volatility
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Joe Sylve
@license: GNU General Public License 2.0
@contact: joe.sylve@gmail.com
@organization: 504ENSICS Labs
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common

class linux_check_syscall_arm(linux_common.AbstractLinuxARMCommand):
    """ Checks if the system call table has been altered """

    def _get_syscall_table_size(self):
        """ Get size of syscall table from the vector_swi function """

        vector_swi_addr = self.addr_space.profile.get_symbol("vector_swi")

        max_opcodes_to_check = 1024
        while (max_opcodes_to_check):
            opcode = obj.Object("unsigned int", offset = vector_swi_addr, vm = self.addr_space)
            # 0xe357xxxx encodes "cmp r7, #imm" (r7 holds the syscall number);
            # the immediate is imm8 rotated right by 2 * rot, handled here as
            # a left shift by 2 * (16 - rot)
            if ((opcode & 0xffff0000) == 0xe3570000):
                shift = 0x10 - ((opcode & 0xff00) >> 8)
                size = (opcode & 0xff) << (2 * shift)
                return size
            vector_swi_addr += 4
            max_opcodes_to_check -= 1

        debug.error("Syscall table size could not be determined.")

    def _get_syscall_table_address(self):
        """ returns the address of the syscall table """
        syscall_table_address = self.addr_space.profile.get_symbol("sys_call_table")

        if syscall_table_address:
            return syscall_table_address

        #TODO: Handle event where this isn't exported (if needed)
        debug.error("Symbol sys_call_table not exported. Please file a bug report.")

    def calculate(self):
        """
        This works by walking the system call table
        and verifies that each is a symbol in the kernel
        """
        linux_common.set_plugin_members(self)

        num_syscalls = self._get_syscall_table_size()
        syscall_addr = self._get_syscall_table_address()

        sym_addrs = self.profile.get_all_addresses()

        table = obj.Object("Array", offset = syscall_addr, vm = self.addr_space, targetType = "unsigned int", count = num_syscalls)

        for (i, call_addr) in enumerate(table):

            if not call_addr:
                continue

            # have to treat them as 'long' so need to mask
            call_addr = call_addr & 0xffffffff

            if not call_addr in sym_addrs:
                yield(i, call_addr, 1)
            else:
                yield(i, call_addr, 0)

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Index", "[addr]"), ("Address", "[addrpad]"), ("Symbol", "<30")])
        for (i, call_addr, hooked) in data:

            if hooked == 0:
                sym_name = self.profile.get_symbol_by_address("kernel", call_addr)
            else:
                sym_name = "HOOKED"

            self.table_row(outfd, i, call_addr, sym_name)

volatility-2.3.1/volatility/plugins/linux/slab_info.py
# Volatility
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Joe Sylve
@license: GNU General Public License 2.0
@contact: joe.sylve@gmail.com
@organization: Digital Forensics Solutions
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common

class kmem_cache(obj.CType):
    def get_type(self):
        raise NotImplementedError

    def get_name(self):
        return str(self.name.dereference_as("String", length = 255))

class kmem_cache_slab(kmem_cache):
    def get_type(self):
        return "slab"

    # volatility does not support indexing pointers
    # and the definition of nodelists changes from array to pointer
    def _get_nodelist(self):
        ent = self.nodelists

        if type(ent) == obj.Pointer:
            ret = obj.Object("kmem_list3", offset = ent.dereference(), vm = self.obj_vm)

        elif type(ent) == obj.Array:
            ret = ent[0]
        else:
            debug.error("Unknown nodelists types. %s" % type(ent))

        return ret

    def _get_free_list(self):
        slablist = self._get_nodelist().slabs_free

        for slab in slablist.list_of_type("slab", "list"):
            yield slab

    def _get_partial_list(self):
        slablist = self._get_nodelist().slabs_partial

        for slab in slablist.list_of_type("slab", "list"):
            yield slab

    def _get_full_list(self):
        slablist = self._get_nodelist().slabs_full

        for slab in slablist.list_of_type("slab", "list"):
            yield slab

    def _get_object(self, offset):
        return obj.Object(self.struct_type,
                            offset = offset,
                            vm = self.obj_vm,
                            parent = self.obj_parent,
                            name = self.struct_type)

    def __iter__(self):

        if not self.unalloc:
            for slab in self._get_full_list():
                for i in range(self.num):
                    yield self._get_object(slab.s_mem.v() + i * self.buffer_size)

        for slab in self._get_partial_list():
            bufctl = obj.Object("Array",
                        offset = slab.v() + slab.size(),
                        vm = self.obj_vm,
                        parent = self.obj_parent,
                        targetType = "unsigned int",
                        count = self.num)

            unallocated = [0] * self.num

            i = slab.free
            while i != 0xFFFFFFFF:
                unallocated[i] = 1
                i = bufctl[i]

            for i in range(0, self.num):
                if unallocated[i] == self.unalloc:
                    yield self._get_object(slab.s_mem.v() + i * self.buffer_size)

        if self.unalloc:
            for slab in self._get_free_list():
                for i in range(self.num):
                    yield self._get_object(slab.s_mem.v() + i * self.buffer_size)

class LinuxKmemCacheOverlay(obj.ProfileModification):
    conditions = {'os': lambda x: x == 'linux'}
    before = ['BasicObjectClasses'] # , 'LinuxVTypes']

    def modification(self, profile):

        if profile.get_symbol("cache_chain"):
            profile.object_classes.update({'kmem_cache': kmem_cache_slab})

class linux_slabinfo(linux_common.AbstractLinuxCommand):
    """Mimics /proc/slabinfo on a running machine"""

    def get_all_kmem_caches(self):
        linux_common.set_plugin_members(self)
        cache_chain = self.addr_space.profile.get_symbol("cache_chain")
        slab_caches = self.addr_space.profile.get_symbol("slab_caches")

        if cache_chain: #slab
            caches = obj.Object("list_head", offset = cache_chain, vm = self.addr_space)
            listm = "next"
            ret = [cache for cache in caches.list_of_type("kmem_cache", listm)]
        elif slab_caches: #slub
            debug.info("SLUB is currently unsupported.")
            ret = []
        else:
            debug.error("Unknown or unimplemented slab type.")

        return ret

    def get_kmem_cache(self, cache_name, unalloc, struct_name = ""):

        if struct_name == "":
            struct_name = cache_name

        for cache in self.get_all_kmem_caches():
            if cache.get_name() == cache_name:
                cache.newattr("unalloc", unalloc)
                cache.newattr("struct_type", struct_name)
                return cache

        debug.debug("Invalid kmem_cache: {0}".format(cache_name))
        return []

    def calculate(self):
        linux_common.set_plugin_members(self)

        for cache in self.get_all_kmem_caches():
            if cache.get_type() == "slab":
                active_objs = 0
                active_slabs = 0
                num_slabs = 0
                # shared_avail = 0

                for slab in cache._get_full_list():
                    active_objs += cache.num
                    active_slabs += 1

                for slab in cache._get_partial_list():
                    active_objs += slab.inuse
                    active_slabs += 1

                for slab in cache._get_free_list():
                    num_slabs += 1

                num_slabs += active_slabs
                num_objs = num_slabs * cache.num

                yield [cache.get_name(),
                        active_objs,
                        num_objs,
                        cache.buffer_size,
                        cache.num,
                        1 << cache.gfporder,
                        active_slabs,
                        num_slabs]

    def render_text(self, outfd, data):
        self.table_header(outfd, [("", "<30"),
                                  ("", "<13"),
                                  ("", "<10"),
                                  ("", "<10"),
                                  ("", "<12"),
                                  ("", "<15"),
                                  ("", "<14"),
                                  ("", "<7"),
                                  ])

        for info in data:
            self.table_row(outfd, info[0], info[1], info[2], info[3], info[4], info[5], info[6], info[7])

volatility-2.3.1/volatility/plugins/linux/psaux.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.plugins.linux.pslist as linux_pslist

class linux_psaux(linux_pslist.linux_pslist):
    '''Gathers processes along with full command line and start time'''

    def render_text(self, outfd, data):

        outfd.write("{1:6s} {2:6s} {3:6s} {0:64s}\n".format("Arguments", "Pid", "Uid", "Gid"))

        for task in data:
            outfd.write("{1:6s} {2:6s} {3:6s} {0:64s}\n".format(task.get_commandline(), str(task.pid), str(task.uid), str(task.gid)))

volatility-2.3.1/volatility/plugins/linux/check_creds.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist

class linux_check_creds(linux_pslist.linux_pslist):
    """Checks if any processes are sharing credential structures"""

    def calculate(self):
        linux_common.set_plugin_members(self)

        if not self.profile.obj_has_member("task_struct", "cred"):
            debug.error("This command is not supported in this profile.")

        creds = {}

        tasks = linux_pslist.linux_pslist.calculate(self)

        for task in tasks:

            cred_addr = task.cred.v()

            if not cred_addr in creds:
                creds[cred_addr] = []

            creds[cred_addr].append(task.pid)

        yield creds

    def render_text(self, outfd, data):

        self.table_header(outfd, [("PIDs", "8")])

        # print out processes that are sharing cred structures
        for htable in data:

            for (addr, pids) in htable.items():

                if len(pids) > 1:

                    pid_str = ""
                    for pid in pids:
                        pid_str = pid_str + "{0:d}, ".format(pid)
                    pid_str = pid_str[:-2]
                    self.table_row(outfd, pid_str)

volatility-2.3.1/volatility/plugins/linux/mount.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.linux.flags as linux_flags
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist

class linux_mount(linux_common.AbstractLinuxCommand):
    """Gather mounted fs/devices"""

    def calculate(self):
        linux_common.set_plugin_members(self)
        mntptr = obj.Object("Pointer", offset = self.addr_space.profile.get_symbol("mount_hashtable"), vm = self.addr_space)

        mnt_list = obj.Object(theType = "Array", offset = mntptr.v(), vm = self.addr_space, targetType = "list_head", count = 512)

        if self.profile.has_type("mount"):
            mnttype = "mount"

            for task in linux_pslist.linux_pslist(self._config).calculate():
                if task.pid == 1:
                    ns = task.nsproxy.mnt_ns
                    break
        else:
            mnttype = "vfsmount"
            ns = None

        # get each list_head out of the array
        for outerlist in mnt_list:

            for mnt in outerlist.list_of_type(mnttype, "mnt_hash"):
                yield (mnt, ns)

    def parse_mnt(self, data):
        '''
        We use seen for 3.x kernels with mount namespaces
        The same mount can be in multiple namespaces and we do not want to repeat output
        '''
        for (mnt, ns) in data:
            dev_name = mnt.mnt_devname.dereference_as("String", length = linux_common.MAX_STRING_LENGTH)

            if not dev_name.is_valid() or len(dev_name) == 0:
                continue

            fstype = mnt.mnt_sb.s_type.name.dereference_as("String", length = linux_common.MAX_STRING_LENGTH)

            if not fstype.is_valid() or len(fstype) == 0:
                continue

            path = linux_common.do_get_path(mnt.mnt_sb.s_root, mnt.mnt_parent, mnt.mnt_root, mnt)

            if path == []:
                continue

            mnt_string = self.calc_mnt_string(mnt)

            if (mnt.mnt_flags & 0x40) or (mnt.mnt_sb.s_flags & 0x1):
                rr = "ro"
            else:
                rr = "rw"

            if not ns or ns == mnt.mnt_ns:
                yield mnt.mnt_sb, dev_name, path, fstype, rr, mnt_string

    def render_text(self, outfd, data):
        data = self.parse_mnt(data)

        for (_sb, dev_name, path, fstype, rr, mnt_string) in data:
            outfd.write("{0:25s} {1:35s} {2:12s} {3:2s}{4:64s}\n".format(dev_name, path, fstype, rr, mnt_string))

    def calc_mnt_string(self, mnt):

        ret = ""

        for mflag in linux_flags.mnt_flags:
            if mflag & mnt.mnt_flags:
                ret = ret + linux_flags.mnt_flags[mflag]

        return ret

volatility-2.3.1/volatility/plugins/linux/tty_check.py
# Volatility
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Joe Sylve
@license: GNU General Public License 2.0
@contact: joe.sylve@gmail.com
@organization: 504ENSICS Labs
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common

class linux_check_tty(linux_common.AbstractLinuxCommand):
    """Checks tty devices for hooks"""

    def calculate(self):
        linux_common.set_plugin_members(self)

        tty_addr = self.addr_space.profile.get_symbol("tty_drivers")

        if not tty_addr:
            debug.error("Symbol tty_drivers not found in kernel")

        drivers = obj.Object("list_head", offset = tty_addr, vm = self.addr_space)

        sym_cache = {}

        for tty in drivers.list_of_type("tty_driver", "tty_drivers"):
            name = tty.name.dereference_as("String", length = linux_common.MAX_STRING_LENGTH)

            ttys = obj.Object("Array", targetType = "Pointer", vm = self.addr_space, offset = tty.ttys, count = tty.num)

            for tty_dev in ttys:
                if tty_dev == 0:
                    continue

                tty_dev = tty_dev.dereference_as("tty_struct")
                name = tty_dev.name
                recv_buf = tty_dev.ldisc.ops.receive_buf

                if recv_buf in sym_cache:
                    sym_name = sym_cache[recv_buf]
                    # recompute the flag for cached entries so that it never
                    # carries over from the previous device
                    hooked = 1 if sym_name == "HOOKED" else 0
                else:
                    sym_name = self.profile.get_symbol_by_address("kernel", recv_buf)
                    if not sym_name:
                        sym_name = "HOOKED"
                        hooked = 1
                    else:
                        hooked = 0

                    sym_cache[recv_buf] = sym_name

                yield (name, recv_buf, sym_name, hooked)

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Name", "<16"), ("Address", "[addrpad]"), ("Symbol", "<30")])

        for name, call_addr, sym_name, _hooked in data:
            self.table_row(outfd, name, call_addr, sym_name)

volatility-2.3.1/volatility/plugins/linux/pslist.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.
# You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.linux.common as linux_common

class linux_pslist(linux_common.AbstractLinuxCommand):
    """Gather active tasks by walking the task_struct->task list"""

    def __init__(self, config, *args, **kwargs):
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)
        config.add_option('PID', short_option = 'p', default = None,
                          help = 'Operate on these Process IDs (comma-separated)',
                          action = 'store', type = 'str')

    def calculate(self):
        linux_common.set_plugin_members(self)

        init_task_addr = self.addr_space.profile.get_symbol("init_task")
        init_task = obj.Object("task_struct", vm = self.addr_space, offset = init_task_addr)

        pidlist = self._config.PID
        if pidlist:
            pidlist = [int(p) for p in self._config.PID.split(',')]

        # walk the ->tasks list, note that this will *not* display "swapper"
        for task in init_task.tasks:
            if not pidlist or task.pid in pidlist:
                yield task

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Offset", "[addrpad]"),
                                  ("Name", "20"),
                                  ("Pid", "15"),
                                  ("Uid", "15"),
                                  ("Gid", "6"),
                                  ("DTB", "[addrpad]"),
                                  ("Start Time", "")])

        for task in data:
            if task.mm.pgd == None:
                dtb = task.mm.pgd
            else:
                dtb = self.addr_space.vtop(task.mm.pgd) or task.mm.pgd

            self.table_row(outfd, task.obj_offset,
                           task.comm,
                           str(task.pid),
                           str(task.uid) if task.uid else "-",
                           str(task.gid) if task.gid else "-",
                           dtb,
                           task.get_task_start_time())

class linux_memmap(linux_pslist):
    """Dumps the memory map for linux tasks"""

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Task", "16"),
                                  ("Pid", "8"),
                                  ("Virtual", "[addrpad]"),
                                  ("Physical", "[addrpad]"),
                                  ("Size", "[addr]")])

        for task in data:
            task_space = task.get_process_address_space()

            pagedata = task_space.get_available_pages()
            if pagedata:
                for p in pagedata:
                    pa = task_space.vtop(p[0])
                    # pa can be 0, according to the old memmap, but can't == None(NoneObject)
                    if pa != None:
                        self.table_row(outfd, task.comm, task.pid, p[0], pa, p[1])
                    #else:
                    #    outfd.write("0x{0:10x} 0x000000 0x{1:12x}\n".format(p[0], p[1]))
            else:
                outfd.write("Unable to read pages for {0} pid {1}.\n".format(task.comm, task.pid))

volatility-2.3.1/volatility/plugins/linux/lsof.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist

class linux_lsof(linux_pslist.linux_pslist):
    """Lists open files"""

    def calculate(self):
        linux_common.set_plugin_members(self)

        tasks = linux_pslist.linux_pslist.calculate(self)

        for task in tasks:
            fds = task.files.get_fds()
            max_fds = task.files.get_max_fds()

            fds = obj.Object(theType = 'Array', offset = fds.obj_offset, vm = self.addr_space, targetType = 'Pointer', count = max_fds)

            for i in range(max_fds):
                if fds[i]:
                    filp = obj.Object('file', offset = fds[i], vm = self.addr_space)
                    yield (task, filp, i)

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Pid", "8"),
                                  ("FD", "8"),
                                  ("Path", "")])

        for (task, filp, fd) in data:
            self.table_row(outfd, task.pid, fd, linux_common.get_path(task, filp))

volatility-2.3.1/volatility/plugins/linux/linux_volshell.py
# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

import volatility.plugins.linux.pslist as pslist
import volatility.plugins.linux.lsmod as lsmod
import volatility.plugins.volshell as volshell
import volatility.obj as obj

class linux_volshell(volshell.volshell):
    """Shell in the memory image"""

    @staticmethod
    def is_valid_profile(profile):
        return profile.metadata.get('os', 'Unknown').lower() == 'linux'

    def modules(self):
        mods = lsmod.linux_lsmod(self._config).calculate()
        for (module, _, __) in mods:
            print "{0:24} {1:d}".format(module.name, module.init_size + module.core_size)

    def getpidlist(self):
        return pslist.linux_pslist(self._config).calculate()

    def ps(self, procs = None):
        print "{0:16} {1:6} {2:8}".format("Name", "PID", "Offset")
        for proc in procs or self.getpidlist():
            print "{0:16} {1:<6} {2:#08x}".format(proc.comm, proc.pid, proc.obj_offset)

    def context_display(self):
        dtb = self.addrspace.vtop(self.proc.mm.pgd) or self.proc.mm.pgd
        print "Current context: process {0}, pid={1} DTB={2:#x}".format(self.proc.comm, self.proc.pid, dtb)

    def set_context(self, offset = None, pid = None, name = None):
        if pid is not None:
            offsets = []
            for p in self.getpidlist():
                if p.pid.v() == pid:
                    offsets.append(p)
            if not offsets:
                print "Unable to find process matching pid {0}".format(pid)
                return
            elif len(offsets) > 1:
                print "Multiple processes match {0}, please specify by offset".format(pid)
                print "Matching processes:"
                self.ps(offsets)
                return
            else:
                offset = offsets[0].v()
        elif name is not None:
            offsets = []
            for p in self.getpidlist():
                if p.comm.find(name) >= 0:
                    offsets.append(p)
            if not offsets:
                print "Unable to find process matching name {0}".format(name)
                return
            elif len(offsets) > 1:
                print "Multiple processes match name {0}, please specify by PID or offset".format(name)
                print "Matching processes:"
                self.ps(offsets)
                return
            else:
                offset = offsets[0].v()
        elif offset is None:
            print "Must provide one of: offset, name, or pid as a argument."
            return

        self.proc = obj.Object("task_struct", offset = offset, vm = self.addrspace)
        self.context_display()

volatility-2.3.1/volatility/plugins/linux/check_evt_arm.py
# Volatility
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Joe Sylve
@license: GNU General Public License 2.0
@contact: joe.sylve@gmail.com
@organization: 504ENSICS Labs
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common

class linux_check_evt_arm(linux_common.AbstractLinuxARMCommand):
    ''' Checks the Exception Vector Table to look for syscall table hooking '''

    VECTOR_BASE = 0xffff0000
    SWI_BASE = VECTOR_BASE + 8

    def calculate(self):
        linux_common.set_plugin_members(self)

        # Get instructions executed when an interrupt exception occurs
        swi = obj.Object("unsigned int", offset = self.SWI_BASE, vm = self.addr_space)

        # Get offset of address to vector_swi
        offset = (swi & 0x0fff) + 8

        # Verify that instruction hasn't been modified (should be: ldr pc, [pc, #???] (e59ff???))
        if (swi & 0xfffff000) == 0xe59ff000:
            yield ("SWI Offset Instruction", "PASS", "Offset: {0}".format(offset))
        else:
            yield ("SWI Offset Instruction", "FAIL", "{0:X}".format(swi))
            return

        # Get vector_swi_addr from table
        vector_swi_addr = obj.Object("unsigned int", offset = self.SWI_BASE + (offset), vm = self.addr_space)

        # Check to see if vector_swi handler has been hooked
        if vector_swi_addr == self.addr_space.profile.get_symbol("vector_swi"):
            yield ("vector_swi address", "PASS", "0x{0:X}".format(vector_swi_addr))
        else:
            yield ("vector_swi address", "FAIL", "0x{0:X}".format(vector_swi_addr))
            return

        # Check for hooking of sys_call table pointer
        sc_opcode = None
        max_opcodes_to_check = 1024
        while (max_opcodes_to_check):
            opcode = obj.Object("unsigned int", offset = vector_swi_addr, vm = self.addr_space)
            if ((opcode & 0xffffff00) == 0xe28f8000):
                sc_opcode = opcode
                break
            vector_swi_addr += 4
            max_opcodes_to_check -= 1

        if sc_opcode:
            yield ("vector_swi code modification", "PASS", "{0:X}".format(sc_opcode))
        else:
            yield ("vector_swi code modification", "FAIL", "Opcode E28F80?? not found")
            return

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Check", "<30"), ("PASS/FAIL", "<5"), ("Info", "<30")])

        for (check, result, info) in data:
            self.table_row(outfd, check, result, info)

volatility-2.3.1/volatility/plugins/linux/pstree.py
# This file is part of Volatility.
# Copyright (C) 2007-2013 Volatility Foundation
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.plugins.linux.pslist as linux_pslist

class linux_pstree(linux_pslist.linux_pslist):
    '''Shows the parent/child relationship between processes'''

    def __init__(self, *args, **kwargs):
        self.procs = {}
        linux_pslist.linux_pslist.__init__(self, *args, **kwargs)

    def render_text(self, outfd, data):
        self.procs = {}
        outfd.write("{0:20s} {1:15s} {2:15s}\n".format("Name", "Pid", "Uid"))
        for task in data:
            self.recurse_task(outfd, task, 0)

    def recurse_task(self, outfd, task, level):
        if task.pid in self.procs:
            return

        if task.mm:
            proc_name = task.comm
        else:
            proc_name = "[" + task.comm + "]"

        proc_name = "." * level + proc_name

        outfd.write("{0:20s} {1:15s} {2:15s}\n".format(proc_name, str(task.pid), str(task.uid or '')))
        self.procs[task.pid] = 1

        for child in task.children.list_of_type("task_struct", "sibling"):
            self.recurse_task(outfd, child, level + 1)

volatility-2.3.1/volatility/plugins/linux/banner.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.flags as linux_flags
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.pslist as linux_pslist

class linux_banner(linux_common.AbstractLinuxCommand):
    """ Prints the Linux banner information """

    def calculate(self):
        linux_common.set_plugin_members(self)

        banner_addr = self.addr_space.profile.get_symbol("linux_banner")

        if banner_addr:
            banner = obj.Object("String", offset = banner_addr, vm = self.addr_space, length = 256)
        else:
            debug.error("linux_banner symbol not found. Please report this as a bug on the issue tracker: https://code.google.com/p/volatility/issues/list")

        yield banner.strip()

    def render_text(self, outfd, data):
        for banner in data:
            outfd.write("{0:s}\n".format(banner))

volatility-2.3.1/volatility/plugins/linux/dump_map.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import os.path
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.proc_maps as linux_proc_maps

class linux_dump_map(linux_proc_maps.linux_proc_maps):
    """ Writes selected memory mappings to disk """

    def __init__(self, config, *args, **kwargs):
        linux_proc_maps.linux_proc_maps.__init__(self, config, *args, **kwargs)
        self._config.add_option('VMA', short_option = 's', default = None, help = 'Filter by VMA starting address', action = 'store', type = 'long')
        self._config.add_option('DUMP-DIR', short_option = 'D', default = None, help = 'Output directory', action = 'store', type = 'str')

    def read_addr_range(self, task, start, end):
        pagesize = 4096

        # set the as with our new dtb so we can read from userland
        proc_as = task.get_process_address_space()

        # xrange doesn't support longs :(
        while start < end:
            page = proc_as.zread(start, pagesize)
            yield page
            start = start + pagesize

    def render_text(self, outfd, data):
        if (not self._config.DUMP_DIR or not os.path.isdir(self._config.DUMP_DIR)):
            debug.error("Please specify an existing output dir (--dump-dir)")

        self.table_header(outfd, [("Task", "10"),
                                  ("VM Start", "[addrpad]"),
                                  ("VM End", "[addrpad]"),
                                  ("Length", "[addr]"),
                                  ("Path", "")])

        for (task, vma) in data:
            if not self._config.VMA or vma.vm_start == self._config.VMA:
                file_name = "task.{0}.{1:#x}.vma".format(task.pid, vma.vm_start)
                file_path = os.path.join(self._config.DUMP_DIR, file_name)

                outfile = open(file_path, "wb+")
                for page in self.read_addr_range(task, vma.vm_start, vma.vm_end):
                    outfile.write(page)
                outfile.close()

                self.table_row(outfd, task.pid, vma.vm_start, vma.vm_end, vma.vm_end - vma.vm_start, file_path)

volatility-2.3.1/volatility/plugins/linux/arp.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import socket
import volatility.plugins.linux.common as linux_common
import volatility.obj as obj

class a_ent(object):

    def __init__(self, ip, mac, devname):
        self.ip = ip
        self.mac = mac
        self.devname = devname

# based off pykdump
# not 100% this works, will need some testing to verify
class linux_arp(linux_common.AbstractLinuxCommand):
    """Print the ARP table"""

    def calculate(self):
        linux_common.set_plugin_members(self)

        ntables_ptr = obj.Object("Pointer", offset = self.addr_space.profile.get_symbol("neigh_tables"), vm = self.addr_space)

        for ntable in linux_common.walk_internal_list("neigh_table", "next", ntables_ptr):
            yield self.handle_table(ntable)

    def handle_table(self, ntable):
        ret = []

        # FIXME: Consider using kernel version metadata rather than checking hasattr
        if hasattr(ntable, 'hash_mask'):
            hash_size = ntable.hash_mask
            hash_table = ntable.hash_buckets
        elif hasattr(ntable.nht, 'hash_mask'):
            hash_size = ntable.nht.hash_mask
            hash_table = ntable.nht.hash_buckets
        else:
            hash_size = (1 << ntable.nht.hash_shift)
            hash_table = ntable.nht.hash_buckets

        buckets = obj.Object(theType = 'Array', offset = hash_table, vm = self.addr_space, targetType = 'Pointer', count = hash_size)

        for i in range(hash_size):
            if buckets[i]:
                neighbor = obj.Object("neighbour", offset = buckets[i], vm = self.addr_space)

                ret.append(self.walk_neighbor(neighbor))

        # collapse all lists into one
        return sum(ret, [])

    def walk_neighbor(self, neighbor):
        ret = []

        for n in linux_common.walk_internal_list("neighbour", "next", neighbor):
            # get the family from each neighbour in order to work with ipv4 and 6
            family = n.tbl.family

            if family == socket.AF_INET:
                ip = obj.Object("IpAddress", offset = n.primary_key.obj_offset, vm = self.addr_space).v()
            elif family == socket.AF_INET6:
                ip = obj.Object("Ipv6Address", offset = n.primary_key.obj_offset, vm = self.addr_space).v()
            else:
                ip = '?'

            mac = ":".join(["{0:02x}".format(x) for x in n.ha][:n.dev.addr_len])
            devname = n.dev.name

            ret.append(a_ent(ip, mac, devname))

        return ret

    def render_text(self, outfd, data):
        for arp_list in data:
            for ent in arp_list:
                outfd.write("[{0:42s}] at {1:20s} on {2:s}\n".format(ent.ip, ent.mac, ent.devname))

volatility-2.3.1/volatility/plugins/linux/pkt_queues.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import os
import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.netstat as linux_netstat
import volatility.plugins.linux.common as linux_common

class linux_pkt_queues(linux_netstat.linux_netstat):
    """Writes per-process packet queues out to disk"""

    def __init__(self, config, *args, **kwargs):
        linux_netstat.linux_netstat.__init__(self, config, *args, **kwargs)
        self._config.add_option('DUMP-DIR', short_option = 'D', default = None, help = 'output directory for recovered packets', action = 'store', type = 'str')

    def process_queue(self, name, pid, fd_num, queue):
        if queue.qlen == 0:
            return

        wrote = 0

        fname = "{0:s}.{1:d}.{2:d}".format(name, pid, fd_num)
        fd = None

        sk_buff = queue.m("next")

        while sk_buff and sk_buff != queue.v():
            pkt_len = sk_buff.len

            if pkt_len > 0 and pkt_len != 0xffffffff:
                # only open once we have a packet with data
                # otherwise we get 0 sized files
                if fd == None:
                    fd = open(os.path.join(self.edir, fname), "wb")

                start = sk_buff.data

                data = self.addr_space.zread(start, pkt_len)

                fd.write(data)

                wrote = wrote + pkt_len

            sk_buff = sk_buff.next

        if wrote:
            yield "Wrote {0:d} bytes to {1:s}".format(wrote, fname)

        if fd:
            fd.close()

    def calculate(self):
        linux_common.set_plugin_members(self)

        self.edir = self._config.DUMP_DIR

        if not self.edir:
            debug.error("No output directory given.")

        if not os.path.isdir(self.edir):
            debug.error(self.edir + " is not a directory")

        for (task, fd_num, inet_sock) in linux_netstat.linux_netstat(self._config).calculate():
            sk = inet_sock.sk

            for msg in self.process_queue("receive", task.pid, fd_num, sk.sk_receive_queue):
                yield msg

            for msg in self.process_queue("write", task.pid, fd_num, sk.sk_write_queue):
                yield msg

    def render_text(self, outfd, data):
        for msg in data:
            outfd.write(msg + "\n")

volatility-2.3.1/volatility/plugins/linux/pslist_cache.py
# Volatility
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Joe Sylve
@license: GNU General Public License 2.0
@contact: joe.sylve@gmail.com
@organization: Digital Forensics Solutions
"""

import volatility.plugins.linux.common as linux_common
from volatility.plugins.linux.slab_info import linux_slabinfo
import volatility.plugins.linux.pslist as linux_pslist

class linux_pslist_cache(linux_pslist.linux_pslist):
    """Gather tasks from the kmem_cache"""

    def __init__(self, config, *args, **kwargs):
        linux_pslist.linux_pslist.__init__(self, config, *args, **kwargs)
        self._config.add_option('UNALLOCATED', short_option = 'u', default = False, help = 'Show unallocated', action = 'store_true')

    def calculate(self):
        linux_common.set_plugin_members(self)

        pidlist = self._config.PID
        if pidlist:
            pidlist = [int(p) for p in self._config.PID.split(',')]

        cache = linux_slabinfo(self._config).get_kmem_cache("task_struct", self._config.UNALLOCATED)

        for task in cache:
            if not pidlist or task.pid in pidlist:
                yield task

volatility-2.3.1/volatility/plugins/linux/mount_cache.py
# Volatility
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Joe Sylve
@license: GNU General Public License 2.0
@contact: joe.sylve@gmail.com
@organization: Digital Forensics Solutions
"""

import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.mount as linux_mount
import volatility.plugins.linux.pslist as linux_pslist
from volatility.plugins.linux.slab_info import linux_slabinfo

class linux_mount_cache(linux_mount.linux_mount):
    """Gather mounted fs/devices from kmem_cache"""

    def __init__(self, config, *args, **kwargs):
        linux_mount.linux_mount.__init__(self, config, *args, **kwargs)
        self._config.add_option('UNALLOCATED', short_option = 'u', default = False, help = 'Show unallocated', action = 'store_true')

    def calculate(self):
        linux_common.set_plugin_members(self)

        # newer kernels
        if self.profile.has_type("mount"):
            mnttype = "mount"

            cache = linux_slabinfo(self._config).get_kmem_cache(mnttype, self._config.UNALLOCATED)

            # default so that ns is always bound, even if pid 1 is not found
            ns = None

            for task in linux_pslist.linux_pslist(self._config).calculate():
                if task.pid == 1:
                    ns = task.nsproxy.mnt_ns
                    break
        else:
            cache = linux_slabinfo(self._config).get_kmem_cache("mnt_cache", self._config.UNALLOCATED, struct_name = "vfsmount")
            ns = None

        for mnt in cache:
            yield (mnt, ns)

volatility-2.3.1/volatility/plugins/linux/check_idt.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.linux.common as linux_common

class linux_check_idt(linux_common.AbstractLinuxCommand):
    """ Checks if the IDT has been altered """

    def calculate(self):
        """
        This works by walking the IDT table for the entries that Linux uses
        and verifies that each is a symbol in the kernel
        """
        linux_common.set_plugin_members(self)

        tblsz = 256

        sym_addrs = self.profile.get_all_addresses()

        # hw handlers + system call
        check_idxs = list(range(0, 20)) + [128]

        if self.profile.metadata.get('memory_model', '32bit') == "32bit":
            idt_type = "desc_struct"
        else:
            idt_type = "gate_struct64"

        # this is written as a list b/c there are supposedly kernels with per-CPU IDTs
        # but I haven't found one yet...
        addrs = [self.addr_space.profile.get_symbol("idt_table")]

        for tableaddr in addrs:
            table = obj.Object(theType = 'Array', offset = tableaddr, vm = self.addr_space, targetType = idt_type, count = tblsz)

            for i in check_idxs:
                ent = table[i]

                if not ent:
                    continue

                idt_addr = ent.Address

                if idt_addr != 0:
                    if not idt_addr in sym_addrs:
                        hooked = 1
                        sym_name = "HOOKED"
                    else:
                        hooked = 0
                        sym_name = self.profile.get_symbol_by_address("kernel", idt_addr)

                    yield(i, idt_addr, sym_name, hooked)

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Index", "[addr]"), ("Address", "[addrpad]"), ("Symbol", "<30")])

        for (i, idt_addr, sym_name, hooked) in data:
            self.table_row(outfd, i, idt_addr, sym_name)

volatility-2.3.1/volatility/plugins/linux/check_afinfo.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import os
import volatility.obj as obj
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.lsof as linux_lsof
import volatility.plugins.linux.lsmod as linux_lsmod

class linux_check_afinfo(linux_common.AbstractLinuxCommand):
    """Verifies the operation function pointers of network protocols"""

    def check_members(self, var_ops, var_name, members, modules):

        for (hooked_member, hook_address) in self.verify_ops(var_ops, members, modules):
            yield (hooked_member, hook_address)

    def check_afinfo(self, var_name, var, op_members, seq_members, modules):

        for (hooked_member, hook_address) in self.check_members(var.seq_fops, var_name, op_members, modules):
            yield (var_name, hooked_member, hook_address)

        # newer kernels
        if hasattr(var, "seq_ops"):
            for (hooked_member, hook_address) in self.check_members(var.seq_ops, var_name, seq_members, modules):
                yield (var_name, hooked_member, hook_address)

        elif not self.is_known_address(var.seq_show, modules):
            yield (var_name, "show", var.seq_show)

    def calculate(self):
        linux_common.set_plugin_members(self)

        modules = linux_lsmod.linux_lsmod(self._config).get_modules()

        op_members = self.profile.types['file_operations'].keywords["members"].keys()
        seq_members = self.profile.types['seq_operations'].keywords["members"].keys()

        tcp = ("tcp_seq_afinfo", ["tcp6_seq_afinfo", "tcp4_seq_afinfo"])
        udp = ("udp_seq_afinfo", ["udplite6_seq_afinfo", "udp6_seq_afinfo", "udplite4_seq_afinfo", "udp4_seq_afinfo"])
        protocols = [tcp, udp]

        for proto in protocols:

            struct_type = proto[0]

            for global_var_name in proto[1]:

                global_var_addr = self.addr_space.profile.get_symbol(global_var_name)

                if not global_var_addr:
                    continue

                global_var = obj.Object(struct_type, offset = global_var_addr, vm = self.addr_space)

                for (name, member, address) in self.check_afinfo(global_var_name, global_var, op_members, seq_members, modules):
                    yield (name,
                           member, address)

    def render_text(self, outfd, data):

        self.table_header(outfd, [("Symbol Name", "42"),
                                  ("Member", "30"),
                                  ("Address", "[addrpad]")])

        for (what, member, address) in data:
            self.table_row(outfd, what, member, address)

volatility-2.3.1/volatility/plugins/linux/vma_cache.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.linux.common as linux_common
from volatility.plugins.linux.slab_info import linux_slabinfo

class linux_vma_cache(linux_common.AbstractLinuxCommand):
    """Gather VMAs from the vm_area_struct cache"""

    def __init__(self, config, *args, **kwargs):
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)
        self._config.add_option('UNALLOCATED', short_option = 'u',
                                default = False,
                                help = 'Show unallocated',
                                action = 'store_true')

    def calculate(self):
        linux_common.set_plugin_members(self)

        has_owner = self.profile.obj_has_member("mm_struct", "owner")

        cache = linux_slabinfo(self._config).get_kmem_cache("vm_area_struct", self._config.UNALLOCATED)

        for vm in cache:
            start = vm.vm_start
            end = vm.vm_end

            if has_owner and vm.vm_mm and vm.vm_mm.is_valid():
                task = vm.vm_mm.owner
                (task_name, pid) = (task.comm, task.pid)
            else:
                (task_name, pid) = ("", "")

            if vm.vm_file and vm.vm_file.is_valid():
                path = vm.vm_file.dentry.get_partial_path()
            else:
                path = ""

            yield task_name, pid, start, end, path

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Process", "16"),
                                  ("PID", "6"),
                                  ("Start", "[addrpad]"),
                                  ("End", "[addrpad]"),
                                  ("Path", "")])

        for task_name, pid, start, end, path in data:
            self.table_row(outfd, task_name, pid, start, end, path)

volatility-2.3.1/volatility/plugins/linux/route_cache.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common

class linux_route_cache(linux_common.AbstractLinuxCommand):
    """ Recovers the routing cache from memory """

    def calculate(self):
        linux_common.set_plugin_members(self)

        mask_addr = self.addr_space.profile.get_symbol("rt_hash_mask")

        if mask_addr == None:
            debug.error("This plugin does not support this profile. The Linux routing cache was deleted in 3.6.x. See: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=89aef8921bfbac22f00e04f8450f6e447db13e42")

        mask = obj.Object("unsigned int", offset = mask_addr, vm = self.addr_space)
        rt_pointer = obj.Object("Pointer", offset = self.addr_space.profile.get_symbol("rt_hash_table"), vm = self.addr_space)
        rt_hash_table = obj.Object(theType = "Array", offset = rt_pointer, vm = self.addr_space, targetType = "rt_hash_bucket", count = mask)

        # rt_do_flush / rt_cache_seq_show
        for i in range(mask):

            rth = rt_hash_table[i].chain

            if not rth:
                continue

            while rth:

                # FIXME: Consider using kernel version metadata rather than checking hasattr
                if hasattr(rth, 'u'):
                    dst = rth.u.dst
                    nxt = rth.u.dst.rt_next
                else:
                    dst = rth.dst
                    nxt = rth.dst.rt_next

                if dst.dev:
                    name = dst.dev.name
                else:
                    name = "*"

                dest = rth.rt_dst
                gw = rth.rt_gateway

                yield (name, dest, gw)

                rth = nxt

    def render_text(self, outfd, data):

        self.table_header(outfd, [("Interface", "16"),
                                  ("Destination", "20"),
                                  ("Gateway", "")])

        for (name, dest, gw) in data:
            self.table_row(outfd, name,
                           dest.cast("IpAddress"), gw.cast("IpAddress"))

volatility-2.3.1/volatility/plugins/linux/check_syscall.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common

try:
    import distorm3
    has_distorm = True
except ImportError:
    has_distorm = False

class linux_check_syscall(linux_common.AbstractLinuxCommand):
    """ Checks if the system call table has been altered """

    def _get_table_size(self, table_addr, table_name):
        """
        Returns the size of the table based on the next symbol
        """
        # take this from the size of an address in the profile
        divisor = self.profile.get_obj_size("address")

        next_sym_addr = self.profile.get_next_symbol_address(table_name)

        return (next_sym_addr - table_addr) / divisor

    def _get_table_size_meta(self):
        """
        returns the number of symbols that start with __syscall_meta
        this is a fast way to determine the number of system calls
        """
        return len([n for n in self.profile.get_all_symbol_names() if n.startswith("__syscall_meta__")])

    def _get_table_info_other(self, table_addr, table_name):
        table_size_meta = self._get_table_size_meta()
        table_size_syms = self._get_table_size(table_addr, table_name)

        sizes = [size for size in [table_size_meta, table_size_syms] if size > 0]

        table_size = min(sizes)

        return table_size

    def _get_table_info_distorm(self):
        """
        Find the size of the system call table by disassembling functions
        that immediately reference it in their first instruction
        This is in the form 'cmp reg,NR_syscalls'
        """
        table_size = 0

        if not has_distorm:
            return table_size

        memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')

        if memory_model == '32bit':
            mode = distorm3.Decode32Bits
            func = "sysenter_do_call"
        else:
            mode = distorm3.Decode64Bits
            func = "system_call_fastpath"

        func_addr = self.addr_space.profile.get_symbol(func)

        if func_addr:
            data = self.addr_space.read(func_addr, 6)

            for op in distorm3.Decompose(func_addr, data, mode):
                if not op.valid:
                    continue

                if op.mnemonic == 'CMP':
                    table_size = (op.operands[1].value) & 0xffffffff
                    break

        return table_size

    def _get_table_info(self, table_name):
        table_addr = self.addr_space.profile.get_symbol(table_name)

        table_size = self._get_table_info_distorm()

        if table_size == 0:
            table_size = self._get_table_info_other(table_addr, table_name)

            if table_size == 0:
                debug.error("Unable to get system call table size")

        return [table_addr, table_size]

    def calculate(self):
        """
        This works by walking the system call table
        and verifies that each is a symbol in the kernel
        """
        linux_common.set_plugin_members(self)

        if not has_distorm:
            debug.warning("distorm not installed. The best method to calculate the system call table size will not be used.")

        table_name = self.addr_space.profile.metadata.get('memory_model', '32bit')
        sym_addrs = self.profile.get_all_addresses()

        sys_call_info = self._get_table_info("sys_call_table")

        addrs = [(table_name, sys_call_info)]

        # 64 bit systems with 32 bit emulation
        ia32 = self.addr_space.profile.get_symbol("ia32_sys_call_table")
        if ia32:
            ia32_info = self._get_table_info("ia32_sys_call_table")
            addrs.append(("32bit", ia32_info))

        for (table_name, (tableaddr, tblsz)) in addrs:

            table = obj.Object(theType = 'Array', offset = tableaddr, vm = self.addr_space, targetType = 'unsigned long', count = tblsz)

            for (i, call_addr) in enumerate(table):

                if not call_addr:
                    continue

                call_addr = int(call_addr)

                if not call_addr in sym_addrs:
                    hooked = 1
                    sym_name = "HOOKED"
                else:
                    hooked = 0
                    sym_name = self.profile.get_symbol_by_address("kernel", call_addr)

                yield(tableaddr, table_name, i, call_addr, sym_name, hooked)

    def render_text(self, outfd, data):

        self.table_header(outfd, [("Table Name", "6"), ("Index", "[addr]"), ("Address", "[addrpad]"), ("Symbol", "<30")])

        for (tableaddr, table_name, i, call_addr, sym_name, hooked) in data:
            self.table_row(outfd, table_name, i, call_addr, sym_name)

volatility-2.3.1/volatility/plugins/linux/find_file.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import sys, os
import volatility.obj as obj
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.mount as linux_mount
import volatility.plugins.linux.flags as linux_flags
import volatility.debug as debug
import volatility.utils as utils

class linux_find_file(linux_common.AbstractLinuxCommand):
    '''Recovers tmpfs filesystems from memory'''

    def __init__(self, config, *args, **kwargs):
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)
        self._config.add_option('FIND', short_option = 'F', default = None, help = 'file (path) to find', action = 'store', type = 'str')
        self._config.add_option('INODE', short_option = 'i', default = None, help = 'inode to write to disk', action = 'store', type = 'int')
        self._config.add_option('OUTFILE', short_option = 'O', default = None, help = 'output file path', action = 'store', type = 'str')

    def _walk_sb(self, dentry_param, last_dentry, parent):

        if last_dentry == None or last_dentry != dentry_param.v():
            last_dentry = dentry_param
        else:
            return

        ret = None

        for dentry in dentry_param.d_subdirs.list_of_type("dentry", "d_u"):

            if not dentry.d_name.name.is_valid():
                continue

            inode = dentry.d_inode
            name = dentry.d_name.name.dereference_as("String", length = 255)

            # do not use os.path.join
            # this allows us to have consistent paths from the user
            new_file = parent + "/" + name

            yield new_file, dentry

            if inode and inode.is_dir():
                for new_file, dentry in self._walk_sb(dentry, last_dentry, new_file):
                    yield new_file, dentry

    def _get_sbs(self):
        ret = []
        mnts = linux_mount.linux_mount(self._config).calculate()

        for (sb, _dev_name, path, fstype, _rr, _mnt_string) in linux_mount.linux_mount(self._config).parse_mnt(mnts):
            ret.append((sb, path))

        return ret

    def walk_sbs(self):
        ret = None
        sbs = self._get_sbs()

        for (sb, sb_path) in sbs:
            if sb_path != "/":
                parent = sb_path
            else:
                parent = ""

            for vals in self._walk_sb(sb.s_root, None, parent):
                if vals:
                    (file_path, file_dentry) = vals
                    yield (sb, sb_path, file_path, file_dentry)

    def calculate(self):
        linux_common.set_plugin_members(self)

        find_file = self._config.FIND
        inode_addr = self._config.inode
        outfile = self._config.outfile

        if find_file and len(find_file):

            for (_, _, file_path, file_dentry) in self.walk_sbs():
                if file_path == find_file:
                    yield file_dentry
                    break

        elif inode_addr and inode_addr > 0 and outfile and len(outfile) > 0:

            inode = obj.Object("inode", offset = inode_addr, vm = self.addr_space)

            contents = self.get_file_contents(inode)

            f = open(outfile, "wb")
            f.write(contents)
            f.close()

        else:
            debug.error("Incorrect command line parameters given.")

    def render_text(self, outfd, data):

        shown_header = 0

        for dentry in data:

            if not shown_header:
                self.table_header(outfd, [("Inode Number", "16"), ("Inode", "[addr]")])
                shown_header = 1

            inode = dentry.d_inode
            inode_num = inode.i_ino

            self.table_row(outfd, inode_num, inode)

    # from here down is code to walk the page cache and mem_map / mem_section page structs#
    def radix_tree_is_indirect_ptr(self, ptr):
        return ptr & 1

    def radix_tree_indirect_to_ptr(self, ptr):
        return obj.Object("radix_tree_node", offset = ptr & ~1, vm = self.addr_space)

    def radix_tree_lookup_slot(self, root, index):

        self.RADIX_TREE_MAP_SHIFT = 6
        self.RADIX_TREE_MAP_SIZE = 1 << self.RADIX_TREE_MAP_SHIFT
        self.RADIX_TREE_MAP_MASK = self.RADIX_TREE_MAP_SIZE - 1

        node = root.rnode

        if self.radix_tree_is_indirect_ptr(node) == 0:

            if index > 0:
                return None

            off = root.obj_offset + self.profile.get_obj_offset("radix_tree_root", "rnode")

            page = obj.Object("Pointer", offset = off, vm = self.addr_space)

            return page

        node = self.radix_tree_indirect_to_ptr(node)

        height = node.height

        shift = (height - 1) * self.RADIX_TREE_MAP_SHIFT

        slot = -1

        while 1:
            idx = (index >> shift) & self.RADIX_TREE_MAP_MASK

            slot = node.slots[idx]

            shift = shift - self.RADIX_TREE_MAP_SHIFT

            height = height - 1

            if height <= 0:
                break

        if slot == -1:
            return None

        return slot

    def SHMEM_I(self, inode):
        offset = self.profile.get_obj_offset("shmem_inode_info", "vfs_inode")
        return obj.Object("shmem_inode_info", offset = inode.obj_offset - offset, vm = self.addr_space)

    def find_get_page(self, inode, offset):
        page = self.radix_tree_lookup_slot(inode.i_mapping.page_tree, offset)

        #if not page:
            # FUTURE swapper_space support
            # print "no page"

        return page

    def get_page_contents(self, inode, idx):
        page_addr = self.find_get_page(inode, idx)

        if page_addr:
            page = obj.Object("page", offset = page_addr, vm = self.addr_space)
            phys_offset = page.to_paddr()
            phys_as = utils.load_as(self._config, astype = 'physical')
            data = phys_as.zread(phys_offset, 4096)
        else:
            data = "\x00" * 4096

        return data

    # main function to be called, handles getting all the pages of an inode
    # and handles the last page not being page_size aligned
    def get_file_contents(self, inode):
        linux_common.set_plugin_members(self)
        data = ""
        file_size = inode.i_size

        extra = file_size % 4096

        idxs = file_size / 4096

        if extra != 0:
            extra = 4096 - extra
            idxs = idxs + 1

        for idx in range(0, idxs):
            data = data + self.get_page_contents(inode, idx)

        # this is to chop off any extra data on the last page
        if extra != 0:
            extra = extra * -1
            data = data[:extra]

        return data

volatility-2.3.1/volatility/plugins/linux/tmpfs.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import os
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.mount as linux_mount
import volatility.plugins.linux.find_file as linux_find_file

class linux_tmpfs(linux_common.AbstractLinuxCommand):
    '''Recovers tmpfs filesystems from memory'''

    def __init__(self, config, *args, **kwargs):
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)

        self._config.add_option('DUMP-DIR', short_option = 'D', default = None, help = 'output directory for recovered files', action = 'store', type = 'str')
        self._config.add_option('SB', short_option = 'S', default = None, help = 'superblock to process, see -l', action = 'store', type = 'int')
        self._config.add_option('LIST_SBS', short_option = 'L', default = None, help = 'list available tmpfs superblocks', action = 'store_true')

        # used to keep correct time for directories
        self.dir_times = {}

    def fix_md(self, new_file, perms, atime, mtime, isdir = 0):
        """Fix metadata for new files"""

        atime = atime.as_timestamp().v()
        mtime = mtime.as_timestamp().v()

        if isdir:
            self.dir_times[new_file] = (atime, mtime)
        else:
            os.utime(new_file, (atime, mtime))

        os.chmod(new_file, perms)

    def process_directory(self, dentry, _recursive = 0, parent = ""):

        for dentry in dentry.d_subdirs.list_of_type("dentry", "d_u"):

            name = dentry.d_name.name.dereference_as("String", length = 255)

            inode = dentry.d_inode

            if inode:

                new_file = os.path.join(parent, str(name))

                (perms, atime, mtime) = (inode.i_mode, inode.i_atime, inode.i_mtime)
                if inode.is_dir():
                    # since the directory may already exist
                    try:
                        os.mkdir(new_file)
                    except OSError:
                        pass

                    self.fix_md(new_file, perms, atime, mtime, 1)
                    self.process_directory(dentry, 1, new_file)

                elif inode.is_reg():
                    contents = linux_find_file.linux_find_file(self._config).get_file_contents(inode)

                    f = open(new_file, "wb")
                    f.write(contents)
                    f.close()
                    self.fix_md(new_file, perms, atime, mtime)

                # FUTURE add support for symlinks
                else:
                    #print "skipped: %s" % name
                    pass
            else:
                #print "no inode for %s" % name
                pass

    def walk_sb(self, root_dentry):

        cur_dir = os.path.join(self._config.DUMP_DIR)

        self.process_directory(root_dentry, parent = cur_dir)

        # post processing
        for new_file in self.dir_times:
            (atime, mtime) = self.dir_times[new_file]

            os.utime(new_file, (atime, mtime))

    def get_tmpfs_sbs(self):
        '''
        we need this b/c we have a bunch of 'super_block' structs
        but no method that I could find maps a super_block to its vfs_mnt
        which is needed to figure out where the super_block is mounted

        This function returns a hash table of hash[sb] = path
        '''

        ret = []

        mnts = linux_mount.linux_mount(self._config).calculate()

        for (sb, _dev_name, path, fstype, _rr, _mnt_string) in linux_mount.linux_mount(self._config).parse_mnt(mnts):

            if str(fstype) == "tmpfs":
                ret.append((sb, path))

        return ret

    def calculate(self):
        linux_common.set_plugin_members(self)

        # a list of root directory entries
        if self._config.DUMP_DIR and self._config.SB:

            if not os.path.isdir(self._config.DUMP_DIR):
                debug.error(self._config.DUMP_DIR + " is not a directory")

            # this path never 'yield's, just writes the filesystem to disk
            tmpfs_sbs = self.get_tmpfs_sbs()

            sb_idx = self._config.SB - 1

            if sb_idx >= len(tmpfs_sbs):
                debug.error("Invalid superblock number given. Please use the -L option to determine valid numbers.")

            root_dentry = tmpfs_sbs[sb_idx][0].s_root

            self.walk_sb(root_dentry)

        elif self._config.LIST_SBS:

            # vfsmnt.mnt_sb.s_root
            tmpfs_sbs = self.get_tmpfs_sbs()

            for (i, (_sb, path)) in enumerate(tmpfs_sbs):
                yield (i + 1, path)

        else:
            debug.error("No sb number/output directory combination given and list superblocks not given")

    # we only render the -L option
    def render_text(self, outfd, data):

        for (i, path) in data:
            outfd.write("{0:d} -> {1}\n".format(i, path))

volatility-2.3.1/volatility/plugins/linux/lsmod.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Andrew Case
@license: GNU General Public License 2.0
@contact: atcuno@gmail.com
@organization:
"""

import re, os

import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.common as linux_common

class linux_lsmod(linux_common.AbstractLinuxCommand):
    """Gather loaded kernel modules"""

    def __init__(self, config, *args, **kwargs):
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)
        self._config.add_option('SECTIONS', short_option = 'S', default = None, help = 'show section addresses', action = 'store_true')
        self._config.add_option('PARAMS', short_option = 'P', default = None, help = 'show module parameters', action = 'store_true')

    def get_param_val(self, param, _over = 0):

        ints = {
            self.addr_space.profile.get_symbol("param_get_invbool") : "int",
            self.addr_space.profile.get_symbol("param_get_bool") : "int",
            self.addr_space.profile.get_symbol("param_get_int") : "int",
            self.addr_space.profile.get_symbol("param_get_ulong") : "unsigned long",
            self.addr_space.profile.get_symbol("param_get_long") : "long",
            self.addr_space.profile.get_symbol("param_get_uint") : "unsigned int",
            self.addr_space.profile.get_symbol("param_get_ushort") : "unsigned short",
            self.addr_space.profile.get_symbol("param_get_short") : "short",
            self.addr_space.profile.get_symbol("param_get_byte") : "char",
        }

        getfn = param.get

        if getfn == 0:
            val = ""

        elif getfn == self.addr_space.profile.get_symbol("param_array_get"):
            val = ""
            arr = param.arr
            overwrite = param.arr

            if arr.num:
                maxi = arr.num.dereference()
            else:
                maxi = arr.max

            for i in range(maxi):
                if i > 0:
                    val = val + ","

                arg = arr.elem + arr.elemsize * i
                overwrite.arg = arg

                mret = self.get_param_val(overwrite)
                val = val + str(mret or '')

        elif getfn == self.addr_space.profile.get_symbol("param_get_string"):
            val = param.str.dereference_as("String", length = param.str.maxlen)

        elif getfn == self.addr_space.profile.get_symbol("param_get_charp"):
            addr = obj.Object("Pointer", offset =
                              param.arg, vm = self.addr_space)

            if addr == 0:
                val = "(null)"
            else:
                val = addr.dereference_as("String", length = 256)

        elif getfn.v() in ints:
            val = obj.Object(ints[getfn.v()], offset = param.arg, vm = self.addr_space)

            if getfn == self.addr_space.profile.get_symbol("param_get_bool"):
                if val:
                    val = 'Y'
                else:
                    val = 'N'

            if getfn == self.addr_space.profile.get_symbol("param_get_invbool"):
                if val:
                    val = 'N'
                else:
                    val = 'Y'

        else:
            print "Unknown get_fn: {0:#x}".format(getfn)
            return None

        return val

    def get_params(self, module):

        param_array = obj.Object(theType = 'Array', offset = module.kp, vm = self.addr_space, targetType = 'kernel_param', count = module.num_kp)

        params = ""

        for param in param_array:

            val = self.get_param_val(param)
            params = params + "{0}={1} ".format(param.name.dereference_as("String", length = 255), val)

        return params

    def get_sect_count(self, grp):
        idx = 0

        arr = obj.Object(theType = 'Array', offset = grp.attrs, vm = self.addr_space, targetType = 'Pointer', count = 25)

        while arr[idx]:
            idx = idx + 1

        return idx

    def get_sections(self, module):
        if hasattr(module.sect_attrs, "nsections"):
            num_sects = module.sect_attrs.nsections
        else:
            num_sects = self.get_sect_count(module.sect_attrs.grp)

        attrs = obj.Object(theType = 'Array', offset = module.sect_attrs.attrs.obj_offset, vm = self.addr_space, targetType = 'module_sect_attr', count = num_sects)

        sects = []

        for attr in attrs:
            name = attr.get_name()

            sects.append((name, attr.address))

        return sects

    def calculate(self):
        linux_common.set_plugin_members(self)
        modules_addr = self.addr_space.profile.get_symbol("modules")

        modules = obj.Object("list_head", vm = self.addr_space, offset = modules_addr)

        # walk the modules list
        for module in modules.list_of_type("module", "list"):

            #if str(module.name) == "rootkit":
            #    continue

            if self._config.PARAMS:

                if not hasattr(module, "kp"):
                    debug.error("Gathering module parameters is not supported in this profile.")

                params = self.get_params(module)
            else:
                params = ""

            if self._config.SECTIONS:
                sections = self.get_sections(module)
            else:
                sections = []

            yield (module, sections, params)

    def render_text(self, outfd, data):

        for (module, sections, params) in data:

            outfd.write("{0:s} {1:d}\n".format(module.name, module.init_size + module.core_size))

            # will be empty list if not set on command line
            for sect in sections:

                (name, address) = sect

                outfd.write("\t{0:30s} {1:#x}\n".format(name, address))

            # will be "" if not set, otherwise will be space separated
            if params != "":

                for param in params.split():
                    outfd.write("\t{0:100s}\n".format(param))

    # returns a list of tuples of (name, .text start, .text end) for each module
    # include_list can contain a list of only the modules wanted by a plugin
    def get_modules(self, include_list = None):

        if not include_list:
            include_list = []

        ret = []
        for (module, _sections, _params) in self.calculate():

            if len(include_list) == 0 or str(module.name) in include_list:

                start = module.module_core
                end = start + module.core_size
                ret.append(("%s" % module.name, start, end))

        return ret

class linux_moddump(linux_common.AbstractLinuxCommand):
    """Extract loaded kernel modules"""

    def __init__(self, config, *args, **kwargs):
        linux_common.AbstractLinuxCommand.__init__(self, config, *args, **kwargs)

        config.add_option('DUMP-DIR', short_option = 'D', default = None,
                          help = 'Directory in which to dump the files',
                          action = 'store', type = 'string')
        config.add_option('REGEX', short_option = 'r',
                          help = 'Dump modules matching REGEX',
                          action = 'store', type = 'string')
        config.add_option('IGNORE-CASE', short_option = 'i',
                          help = 'Ignore case in pattern match',
                          action = 'store_true', default = False)

    def calculate(self):
        linux_common.set_plugin_members(self)
        modules_addr = self.addr_space.profile.get_symbol("modules")

        modules = obj.Object("list_head", vm = self.addr_space, offset = modules_addr)

        if self._config.REGEX:
            try:
                if self._config.IGNORE_CASE:
                    mod_re = re.compile(self._config.REGEX, re.I)
                else:
                    mod_re = re.compile(self._config.REGEX)
            except re.error, e:
                debug.error('Error parsing regular expression: {0}'.format(e))

        # walk the modules list
        for module in modules.list_of_type("module", "list"):
            if self._config.REGEX:
                if not mod_re.search(str(module.name)):
                    continue
            yield module

    def render_text(self, outfd, data):

        if not self._config.DUMP_DIR:
            debug.error("You must supply a --dump-dir output directory")

        for module in data:
            ## TODO: pass module.name through a char sanitizer
            file_name = "{0}.{1:#x}.lkm".format(module.name, module.module_core)
            mod_file = open(os.path.join(self._config.DUMP_DIR, file_name), 'wb')
            mod_data = self.addr_space.zread(module.module_core, module.core_size)
            mod_file.write(mod_data)
            mod_file.close()
            outfd.write("Wrote {0} bytes to {1}\n".format(module.core_size, file_name))

volatility-2.3.1/volatility/plugins/machoinfo.py

# Volatility
# Copyright (C) 2009-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.plugins.crashinfo as crashinfo

class MachOInfo(crashinfo.CrashInfo):
    """Dump Mach-O file format information"""

    target_as = ['MachOAddressSpace']

    def render_text(self, outfd, data):
        header = data.get_header()

        outfd.write("Magic: {0:#x}\n".format(header.magic))
        outfd.write("Architecture: {0}-bit\n".format(data.bits))

        self.table_header(outfd, [("File Offset", "[addrpad]"),
                                  ("Memory Offset", "[addrpad]"),
                                  ("Size", "[addrpad]"),
                                  ("Name", "")])

        for seg in data.segs:
            self.table_row(outfd, seg.fileoff, seg.vmaddr, seg.vmsize, seg.segname)

volatility-2.3.1/volatility/plugins/evtlogs.py

# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (C) 2011 Jamie Levy (Gleeda)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author:       Jamie Levy (gleeda)
@license:      GNU General Public License 2.0
@contact:      jamie.levy@gmail.com
@organization: Volatility Foundation
"""

import volatility.plugins.getsids as getsids
import volatility.plugins.registry.registryapi as registryapi
import volatility.plugins.getservicesids as getservicesids
import volatility.plugins.common as common
import volatility.utils as utils
import volatility.win32.tasks as tasks
import volatility.addrspace as addrspace
import volatility.obj as obj
import volatility.debug as debug
import os, datetime, ntpath

# for more information on Event Log structures see WFA 2E pg 260-263 by Harlan Carvey
evt_log_types = {
    'EVTLogHeader' : [ 0x30, {
        'HeaderSize' : [ 0x0, ['unsigned int']],
        'Magic' : [ 0x4, ['int']], #LfLe
        'OffsetOldest' : [ 0x10, ['unsigned int']], #offset of oldest record
        'OffsetNextToWrite' : [ 0x14, ['unsigned int']], #offset of next record to be written
        'NextID' : [ 0x18, ['int']], #next event record ID
        'OldestID' : [ 0x1c, ['int']], #oldest event record ID
        'MaxSize' : [ 0x20, ['unsigned int']], #maximum size of event record (from registry)
        'RetentionTime' : [ 0x28, ['int']], #retention time of records (from registry)
        'RecordSize' : [ 0x2c, ['unsigned int']], #size of the record (repeat of DWORD at offset 0)
    } ],

    'EVTRecordStruct' : [ 0x38, {
        'RecordLength' : [ 0x0, ['unsigned int']],
        'Magic' : [ 0x4, ['int']], #LfLe
        'RecordNumber' : [ 0x8, ['int']],
        'TimeGenerated' : [ 0xc, ['UnixTimeStamp', dict(is_utc = True)]],
        'TimeWritten' : [ 0x10, ['UnixTimeStamp', dict(is_utc = True)]],
        'EventID' : [ 0x14, ['unsigned short']], #specific to event source and uniquely identifies the event
        'EventType' : [ 0x18, ['Enumeration', dict(target = 'unsigned short', choices = {0x01: "Error", 0x02: "Warning", 0x04: "Info", 0x08: "Success", 0x10: "Failure"})]],
        'NumStrings' : [ 0x1a, ['unsigned short']], #number of description strings in event message
        'EventCategory' : [ 0x1c, ['unsigned short']],
        'ReservedFlags' : [ 0x1e, ['unsigned short']],
        'ClosingRecordNum' : [ 0x20, ['int']],
        'StringOffset' : [ 0x24, ['unsigned int']], #offset w/in record of description strings
        'SidLength' : [ 0x28, ['unsigned int']], #length of SID: if 0 no SID is present
        'SidOffset' : [ 0x2c, ['unsigned int']], #offset w/in record to start of SID (if present)
        'DataLength' : [ 0x30, ['unsigned int']], #length of binary data of record
        'DataOffset' : [ 0x34, ['unsigned int']], #offset of data w/in record
    } ],
}

class EVTObjectTypes(obj.ProfileModification):
    before = ["WindowsVTypes"]
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x >= 1}

    def modification(self, profile):
        profile.vtypes.update(evt_log_types)

class EvtLogs(common.AbstractWindowsCommand):
    """Extract Windows Event Logs (XP/2003 only)"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

        config.add_option('SAVE-EVT', short_option = 'S', default = False,
                          action = 'store_true', help = 'Save the raw .evt files also')

        config.add_option('DUMP-DIR', short_option = 'D', default = None,
                          cache_invalidator = False,
                          help = 'Directory in which to dump executable files')

        self.extrasids = {}

    @staticmethod
    def is_valid_profile(profile):
        """This plugin is valid on XP and 2003"""
        return (profile.metadata.get('os', 'unknown') == 'windows' and
                profile.metadata.get('major', 0) == 5)

    def load_user_sids(self):
        """Load the user SIDs from the registry"""
        regapi = registryapi.RegistryApi(self._config)
        regapi.set_current("SOFTWARE")
        for k1 in regapi.reg_enum_key('SOFTWARE', 'Microsoft\\Windows NT\\CurrentVersion\\ProfileList'):
            val = regapi.reg_get_value('SOFTWARE', k1, 'ProfileImagePath')
            sid = k1.split("\\")[-1]
            if val != None:
                ## Strip NULLs in the value
                self.extrasids[sid] = " (User: " + val.split("\\")[-1].replace("\x00", "") + ")"

    def get_sid_string(self, data):
        """Take a buffer of data from the event record
        and parse it as a SID.
        @param data: buffer of data from SidOffset of the
        event record to SidOffset + SidLength.

        @returns: sid string
        """
        sid_name = ""
        bufferas = addrspace.BufferAddressSpace(self._config, data = data)
        sid = obj.Object("_SID", offset = 0, vm = bufferas)
        for i in sid.IdentifierAuthority.Value:
            id_auth = i
        sid_string = "S-" + "-".join(str(i) for i in (sid.Revision, id_auth) + tuple(sid.SubAuthority))
        if sid_string in getsids.well_known_sids:
            sid_name = " ({0})".format(getsids.well_known_sids[sid_string])
        else:
            sid_name_re = getsids.find_sid_re(sid_string, getsids.well_known_sid_re)
            if sid_name_re:
                sid_name = " ({0})".format(sid_name_re)
            else:
                sid_name = self.extrasids.get(sid_string, "")
        sid_string += sid_name
        return sid_string

    def calculate(self):
        addr_space = utils.load_as(self._config)

        if not self.is_valid_profile(addr_space.profile):
            debug.error("This plugin only works on XP and 2003")

        ## When verbose is specified, we recalculate the list of SIDs for
        ## services in the registry. Otherwise, we take the list from the
        ## pre-populated dictionary in getservicesids.py
        if self._config.VERBOSE:
            ssids = getservicesids.GetServiceSids(self._config).calculate()
            for sid, service in ssids:
                self.extrasids[sid] = " (Service: " + service + ")"
        else:
            for sid, service in getservicesids.servicesids.items():
                self.extrasids[sid] = " (Service: " + service + ")"

        ## Get the user's SIDs from the registry
        self.load_user_sids()

        for proc in tasks.pslist(addr_space):
            if str(proc.ImageFileName).lower() == "services.exe":
                for vad, process_space in proc.get_vads(vad_filter = proc._mapped_file_filter):
                    if vad.FileObject.FileName:
                        name = str(vad.FileObject.FileName).lower()
                        if name.endswith(".evt"):
                            ## Maybe check the length is reasonable, though probably there won't
                            ## ever be event logs that are multiple GB or TB in size.
                            data = process_space.zread(vad.Start, vad.Length)
                            yield name, data

    def remove_unprintable(self, str):
        return ''.join([c for c in str if (ord(c) > 31 or ord(c) == 9) and ord(c) <= 126])

    def parse_evt_info(self, name, buf, rawtime = False):

        loc = buf.find("LfLe")

        ## Skip the EVTLogHeader at offset 4. Here you can also parse
        ## and print the header values if you like.
        if loc == 4:
            loc = buf.find("LfLe", loc + 1)

        while loc != -1:

            ## This record's data (and potentially the data for records
            ## that follow it, so we'll be careful to chop it in the right
            ## places before future uses).
            rec = buf[loc - 4:]

            ## Use a buffer AS to instantiate the object
            bufferas = addrspace.BufferAddressSpace(self._config, data = rec)
            evtlog = obj.Object("EVTRecordStruct", offset = 0, vm = bufferas)
            rec_size = bufferas.profile.get_obj_size("EVTRecordStruct")

            ## Calculate the SID string. If the SidLength is zero, the next
            ## field (list of strings) starts at StringOffset. If the SidLength
            ## is non-zero, use the data of length SidLength to determine the
            ## SID string and the next field starts at SidOffset.
            if evtlog.SidLength == 0:
                end = evtlog.StringOffset
                sid_string = "N/A"
            else:
                ## detect mangled records based on invalid SID length
                if evtlog.SidLength > 68:
                    loc = buf.find("LfLe", loc + 1)
                    continue
                ## these should be appropriately sized SIDs
                end = evtlog.SidOffset
                sid_string = self.get_sid_string(rec[end:end + evtlog.SidLength])

            computer_name = ""
            source = ""

            items = rec[rec_size:end].split("\x00\x00")
            source = self.remove_unprintable(items[0])
            if len(items) > 1:
                computer_name = self.remove_unprintable(items[1])

            strings = rec[evtlog.StringOffset:].split("\x00\x00", evtlog.NumStrings)
            messages = []
            for s in range(min(len(strings), evtlog.NumStrings)):
                messages.append(self.remove_unprintable(strings[s]))

            # We'll just say N/A if there are no messages, otherwise join them
            # together with semi-colons.
            if messages:
                msg = ";".join(messages)
                msg = msg.replace("|", "%7c")
            else:
                msg = "N/A"

            # Records with an invalid timestamp are ignored entirely
            if evtlog.TimeWritten != None:

                fields = [
                    str(evtlog.TimeWritten) if not rawtime else evtlog.TimeWritten,
                    ntpath.basename(name),
                    computer_name,
                    sid_string,
                    source,
                    str(evtlog.EventID),
                    str(evtlog.EventType), msg]

                yield fields

            ## Scan to the next record signature
            loc = buf.find("LfLe", loc + 1)

    def render_text(self, outfd, data):
        if self._config.DUMP_DIR == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        for name, buf in data:
            ## We can use the ntpath module instead of manually replacing the slashes
            ofname = ntpath.basename(name)

            ## Dump the raw event log so it can be parsed with other tools
            if self._config.SAVE_EVT:
                fh = open(os.path.join(self._config.DUMP_DIR, ofname), 'wb')
                fh.write(buf)
                fh.close()
                outfd.write('Saved raw .evt file to {0}\n'.format(ofname))

            ## Now dump the parsed, pipe-delimited event records to a file
            ofname = ofname.replace(".evt", ".txt")
            fh = open(os.path.join(self._config.DUMP_DIR, ofname), 'wb')
            for fields in self.parse_evt_info(name, buf):
                fh.write('|'.join(fields) + "\n")
            fh.close()
            outfd.write('Parsed data sent to {0}\n'.format(ofname))

volatility-2.3.1/volatility/plugins/connscan.py
# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
This module implements the fast connection scanning

@author:       AAron Walters and Brendan Dolan-Gavitt
@license:      GNU General Public License 2.0
@contact:      awalters@4tphi.net,bdolangavitt@wesleyan.edu
@organization: Volatility Foundation
"""

#pylint: disable-msg=C0111

import volatility.scan as scan
import volatility.plugins.common as common
import volatility.cache as cache
import volatility.utils as utils
import volatility.obj as obj
import volatility.debug as debug #pylint: disable-msg=W0611

class PoolScanConnFast(scan.PoolScanner):

    def object_offset(self, found, address_space):
        """ Return the offset of _TCPT_OBJECT """
        return found + (address_space.profile.get_obj_size("_POOL_HEADER") -
                        address_space.profile.get_obj_offset("_POOL_HEADER", "PoolTag"))

    checks = [ ('PoolTagCheck', dict(tag = "TCPT")),
               ('CheckPoolSize', dict(condition = lambda x: x >= 0x198)),
               ('CheckPoolType', dict(non_paged = True, free = True)),
               ('CheckPoolIndex', dict(value = 0)),
               ]

class ConnScan(common.AbstractWindowsCommand):
    """ Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
    """
    meta_info = dict(
        author = 'Brendan Dolan-Gavitt',
        copyright = 'Copyright (c) 2007,2008 Brendan Dolan-Gavitt',
        contact = 'bdolangavitt@wesleyan.edu',
        license = 'GNU General Public License 2.0',
        url = 'http://moyix.blogspot.com/',
        os = 'WIN_32_XP_SP2',
        version = '1.0',
        )

    @staticmethod
    def is_valid_profile(profile):
        return (profile.metadata.get('os', 'unknown') == 'windows' and
                profile.metadata.get('major', 0) == 5)

    @cache.CacheDecorator("scans/connscan2")
    def calculate(self):
        ## Just grab the AS and scan it using our scanner
        address_space = utils.load_as(self._config, astype = 'physical')

        if not self.is_valid_profile(address_space.profile):
            debug.error("This command does not support the selected profile.")

        scanner = PoolScanConnFast()
        for offset in scanner.scan(address_space):
            ## This yields the pool offsets - we want the actual object
            tcp_obj = obj.Object('_TCPT_OBJECT', vm = address_space,
                                 offset = offset)
            yield tcp_obj

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Offset(P)", "[addrpad]"),
                                  ("Local Address", "25"),
                                  ("Remote Address", "25"),
                                  ("Pid", "")
                                  ])

        for tcp_obj in data:
            local = "{0}:{1}".format(tcp_obj.LocalIpAddress, tcp_obj.LocalPort)
            remote = "{0}:{1}".format(tcp_obj.RemoteIpAddress, tcp_obj.RemotePort)
            self.table_row(outfd, tcp_obj.obj_offset, local, remote, tcp_obj.Pid)

volatility-2.3.1/volatility/plugins/kdbgscan.py
# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj
import volatility.scan as scan
import volatility.cache as cache
import volatility.plugins.common as common
import volatility.addrspace as addrspace
import volatility.registry as registry
import volatility.utils as utils
import volatility.exceptions as exceptions

class MultiStringFinderCheck(scan.ScannerCheck):
    """ Checks for multiple strings per page """

    def __init__(self, address_space, needles = None):
        scan.ScannerCheck.__init__(self, address_space)
        if not needles:
            needles = []
        self.needles = needles
        self.maxlen = 0
        for needle in needles:
            self.maxlen = max(self.maxlen, len(needle))
        if not self.maxlen:
            raise RuntimeError("No needles of any length were found for the " + self.__class__.__name__)

    def check(self, offset):
        verify = self.address_space.read(offset, self.maxlen)
        for match in self.needles:
            if verify[:len(match)] == match:
                return True
        return False

    def skip(self, data, offset):
        nextval = len(data)
        for needle in self.needles:
            dindex = data.find(needle, offset + 1)
            if dindex > -1:
                nextval = min(nextval, dindex)
        return nextval - offset

class MultiPrefixFinderCheck(MultiStringFinderCheck):
    """ Checks for multiple strings per page, finishing at the offset """

    def check(self, offset):
        verify = self.address_space.read(offset - self.maxlen, self.maxlen)
        for match in self.needles:
            if verify.endswith(match):
                return True
        return False

class KDBGScanner(scan.BaseScanner):
    checks = [ ]

    def __init__(self, window_size = 8, needles = None):
        oses = set()
        arches = set()
        for needle in needles:
            header = str(needle).split('KDBG')
            arches.add(header[0])
            oses.add('KDBG' + header[1])
        self.checks = [ ("PoolTagCheck", {'tag': "KDBG"}),
                        ("MultiPrefixFinderCheck", {'needles':arches}),
                        ("MultiStringFinderCheck", {'needles':oses})]
        scan.BaseScanner.__init__(self, window_size)

    def scan(self, address_space, offset = 0, maxlen = None):
        for offset in scan.BaseScanner.scan(self, address_space, offset, maxlen):
            # Compensate for KDBG appearing within the searched
            # for structure
            # (0x10 should really be the offset of OwnerTag from within the structure,
            # however we don't know which profile to read it from, so it's hardwired)
            # NOTE: this will not work correctly for _KDDEBUGGER_DATA32 structures
            # however they're only necessary for NT or older
            offset = offset - 0x10
            yield offset

class KDBGScan(common.AbstractWindowsCommand):
    """Search for and dump potential KDBG values"""

    @staticmethod
    def register_options(config):
        config.add_option('KDBG', short_option = 'g', default = None, type = 'int',
                          help = "Specify a specific KDBG virtual address")

    @cache.CacheDecorator(lambda self: "tests/kdbgscan/kdbg={0}".format(self._config.KDBG))
    def calculate(self):
        """Determines the address space"""
        profilelist = [ p.__name__ for p in registry.get_plugin_classes(obj.Profile).values() ]

        proflens = {}
        maxlen = 0
        origprofile = self._config.PROFILE
        for p in profilelist:
            self._config.update('PROFILE', p)
            buf = addrspace.BufferAddressSpace(self._config)
            if buf.profile.metadata.get('os', 'unknown') == 'windows':
                proflens[p] = str(obj.VolMagic(buf).KDBGHeader)
                maxlen = max(maxlen, len(proflens[p]))
        self._config.update('PROFILE', origprofile)

        scanner = KDBGScanner(needles = proflens.values())

        aspace = utils.load_as(self._config, astype = 'any')

        for offset in scanner.scan(aspace):
            val = aspace.read(offset, maxlen + 0x10)
            for l in proflens:
                if val.find(proflens[l]) >= 0:
                    kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = aspace)
                    yield l, kdbg

    def render_text(self, outfd, data):
        """Renders the KPCR values as text"""

        for profile, kdbg in data:

            outfd.write("*" * 50 + "\n")
            outfd.write("Instantiating KDBG using: {0} {1} ({2}.{3}.{4} {5})\n".format(
                kdbg.obj_vm.name, kdbg.obj_vm.profile.__class__.__name__,
                kdbg.obj_vm.profile.metadata.get('major', 0),
                kdbg.obj_vm.profile.metadata.get('minor', 0),
                kdbg.obj_vm.profile.metadata.get('build', 0),
                kdbg.obj_vm.profile.metadata.get('memory_model', '32bit'),
                ))

            # Will spaces with vtop always have a dtb also?
            has_vtop = hasattr(kdbg.obj_vm, 'vtop')

            # Always start out with the virtual and physical offsets
            if has_vtop:
                outfd.write("{0:<30}: {1:#x}\n".format("Offset (V)", kdbg.obj_offset))
                outfd.write("{0:<30}: {1:#x}\n".format("Offset (P)", kdbg.obj_vm.vtop(kdbg.obj_offset)))
            else:
                outfd.write("{0:<30}: {1:#x}\n".format("Offset (P)", kdbg.obj_offset))

            # These fields can be gathered without dereferencing
            # any pointers, thus they're available always
            outfd.write("{0:<30}: {1}\n".format("KDBG owner tag check", str(kdbg.is_valid())))
            outfd.write("{0:<30}: {1}\n".format("Profile suggestion (KDBGHeader)", profile))
            verinfo = kdbg.dbgkd_version64()
            if verinfo:
                outfd.write("{0:<30}: {1:#x} (Major: {2}, Minor: {3})\n".format(
                    "Version64", verinfo.obj_offset, verinfo.MajorVersion, verinfo.MinorVersion))

            # Print details only available when a DTB can be found
            # and we have an AS with vtop.
            if has_vtop:
                outfd.write("{0:<30}: {1}\n".format("Service Pack (CmNtCSDVersion)", kdbg.ServicePack))
                outfd.write("{0:<30}: {1}\n".format("Build string (NtBuildLab)", kdbg.NtBuildLab.dereference()))
                try:
                    num_tasks = len(list(kdbg.processes()))
                except AttributeError:
                    num_tasks = 0
                try:
                    num_modules = len(list(kdbg.modules()))
                except AttributeError:
                    num_modules = 0
                cpu_blocks = list(kdbg.kpcrs())

                outfd.write("{0:<30}: {1:#x} ({2} processes)\n".format(
                    "PsActiveProcessHead", kdbg.PsActiveProcessHead, num_tasks))
                outfd.write("{0:<30}: {1:#x} ({2} modules)\n".format(
                    "PsLoadedModuleList", kdbg.PsLoadedModuleList, num_modules))
                outfd.write("{0:<30}: {1:#x} (Matches MZ: {2})\n".format(
                    "KernelBase", kdbg.KernBase, str(kdbg.obj_vm.read(kdbg.KernBase, 2) == "MZ")))

                try:
                    dos_header = obj.Object("_IMAGE_DOS_HEADER",
                                            offset = kdbg.KernBase,
                                            vm = kdbg.obj_vm)
                    nt_header = dos_header.get_nt_header()
                except (ValueError, exceptions.SanityCheckException):
                    pass
                else:
                    outfd.write("{0:<30}: {1}\n".format(
                        "Major (OptionalHeader)",
                        nt_header.OptionalHeader.MajorOperatingSystemVersion))
                    outfd.write("{0:<30}: {1}\n".format(
                        "Minor (OptionalHeader)",
                        nt_header.OptionalHeader.MinorOperatingSystemVersion))

                for kpcr in cpu_blocks:
                    outfd.write("{0:<30}: {1:#x} (CPU {2})\n".format(
                        "KPCR", kpcr.obj_offset, kpcr.ProcessorBlock.Number))
            else:
                outfd.write("{0:<30}: {1:#x}\n".format("PsActiveProcessHead", kdbg.PsActiveProcessHead))
                outfd.write("{0:<30}: {1:#x}\n".format("PsLoadedModuleList", kdbg.PsLoadedModuleList))
                outfd.write("{0:<30}: {1:#x}\n".format("KernelBase", kdbg.KernBase))

            outfd.write("\n")

volatility-2.3.1/volatility/plugins/__init__.py
import volatility.conf as conf
import volatility.constants as constants
import os
import sys

config = conf.ConfObject()

help_prefix = ""
plugin_separator = ":"
# Make a platform-dependent decision on plugin path separators
# The separator is now in keeping with the PATH environment variable
if sys.platform.startswith('win'):
    help_prefix = "semi-"
    plugin_separator = ";"

config.add_option("PLUGINS", default = "",
                  cache_invalidator = False,
                  help = "Additional plugin directories to use (" + help_prefix + "colon separated)")

# Add the PLUGINPATH, in case we're frozen
__path__ = [constants.PLUGINPATH] + [ e for e in __path__ if not constants.PLUGINPATH.startswith(e) ]

# This causes the config.PLUGINS paths to be treated as extensions of the volatility.plugins package
# Meaning that each directory is searched for modules when import volatility.plugins.module is requested

if config.PLUGINS:
    plugin_paths = [ os.path.abspath(x) for x in config.PLUGINS.split(plugin_separator)]
    __path__.extend(plugin_paths)

volatility-2.3.1/volatility/plugins/sockets.py
# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.
# You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

#pylint: disable-msg=C0111

import volatility.plugins.common as common
import volatility.debug as debug
import volatility.win32 as win32
import volatility.utils as utils
import volatility.protos as protos

class Sockets(common.AbstractWindowsCommand):
    """Print list of open sockets"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option("PHYSICAL-OFFSET", short_option = 'P', default = False,
                          cache_invalidator = False,
                          help = "Physical Offset", action = "store_true")

    @staticmethod
    def is_valid_profile(profile):
        return (profile.metadata.get('os', 'unknown') == 'windows' and
                profile.metadata.get('major', 0) == 5)

    def render_text(self, outfd, data):
        offsettype = "(V)" if not self._config.PHYSICAL_OFFSET else "(P)"
        self.table_header(outfd, [("Offset{0}".format(offsettype), "[addrpad]"),
                                  ("PID", ">8"),
                                  ("Port", ">6"),
                                  ("Proto", ">6"),
                                  ("Protocol", "15"),
                                  ("Address", "15"),
                                  ("Create Time", "")
                                  ])

        for sock in data:
            if not self._config.PHYSICAL_OFFSET:
                offset = sock.obj_offset
            else:
                offset = sock.obj_vm.vtop(sock.obj_offset)

            self.table_row(outfd, offset, sock.Pid, sock.LocalPort, sock.Protocol,
                           protos.protos.get(sock.Protocol.v(), "-"),
                           sock.LocalIpAddress, sock.CreateTime)

    def calculate(self):
        addr_space = utils.load_as(self._config)

        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")

        return win32.network.determine_sockets(addr_space)
volatility-2.3.1/volatility/plugins/filescan.py
# fileobjscan.py
# Copyright 2009 Andreas Schuster
# Copyright (C) 2009-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author:       Andreas Schuster
@license:      GNU General Public License 2.0
@contact:      a.schuster@forensikblog.de
@organization: http://computer.forensikblog.de/en/
"""

import volatility.scan as scan
import volatility.plugins.common as common
import volatility.debug as debug #pylint: disable-msg=W0611
import volatility.utils as utils
import volatility.obj as obj

class PoolScanFile(scan.PoolScanner):
    """PoolScanner for File objects"""
    checks = [ ('PoolTagCheck', dict(tag = "Fil\xe5")),
               ('CheckPoolSize', dict(condition = lambda x: x >= 0x98)),
               ('CheckPoolType', dict(paged = True, non_paged = True, free = True)),
               ('CheckPoolIndex', dict(value = 0)),
               ]

class FileScan(common.AbstractWindowsCommand):
    """ Scan Physical memory for _FILE_OBJECT pool allocations
    """
    # Declare meta information associated with this plugin
    meta_info = {}
    meta_info['author'] = 'Andreas Schuster'
    meta_info['copyright'] = 'Copyright (c) 2009 Andreas Schuster'
    meta_info['contact'] = 'a.schuster@forensikblog.de'
    meta_info['license'] = 'GNU General Public License 2.0'
    meta_info['url'] = 'http://computer.forensikblog.de/en/'
    meta_info['os'] = 'WIN_32_XP_SP2'
    meta_info['version'] = '0.1'

    # Can't be cached until self.kernel_address_space is moved entirely within calculate
    def calculate(self):
        ## Just grab the AS and scan it using our scanner
        address_space = utils.load_as(self._config, astype = 'physical')

        ## Will need the kernel AS for later:
        kernel_as = utils.load_as(self._config)

        for offset in PoolScanFile().scan(address_space):

            pool_obj = obj.Object("_POOL_HEADER", vm = address_space,
                                  offset = offset)

            ## We work out the _FILE_OBJECT from the end of the
            ## allocation (bottom up).
            pool_alignment = obj.VolMagic(address_space).PoolAlignment.v()

            file_obj = obj.Object("_FILE_OBJECT", vm = address_space,
                                  offset = (offset + pool_obj.BlockSize * pool_alignment -
                                            common.pool_align(kernel_as, "_FILE_OBJECT", pool_alignment)),
                                  native_vm = kernel_as
                                  )

            ## The _OBJECT_HEADER is immediately below the _FILE_OBJECT
            object_obj = obj.Object("_OBJECT_HEADER", vm = address_space,
                                    offset = file_obj.obj_offset -
                                    address_space.profile.get_obj_offset('_OBJECT_HEADER', 'Body'),
                                    native_vm = kernel_as
                                    )

            if object_obj.get_object_type() != "File":
                continue

            ## If the string is not reachable we skip it
            if not file_obj.FileName.v():
                continue

            yield (object_obj, file_obj)

    def render_text(self, outfd, data):
        self.table_header(outfd, [('Offset(P)', '[addrpad]'),
                                  ('#Ptr', '>6'),
                                  ('#Hnd', '>6'),
                                  ('Access', '>6'),
                                  ('Name', '')
                                  ])

        for object_obj, file_obj in data:
            self.table_row(outfd,
                           file_obj.obj_offset,
                           object_obj.PointerCount,
                           object_obj.HandleCount,
                           file_obj.access_string(),
                           str(file_obj.file_name_with_device() or ''))

class PoolScanDriver(PoolScanFile):
    """ Scanner for _DRIVER_OBJECT """
    checks = [ ('PoolTagCheck', dict(tag = "Dri\xf6")),
               ('CheckPoolSize', dict(condition = lambda x: x >= 0xf8)),
               ('CheckPoolType', dict(paged = True, non_paged = True, free = True)),
               ('CheckPoolIndex', dict(value = 0)),
               ]

class DriverScan(FileScan):
    "Scan for driver objects _DRIVER_OBJECT "

    def calculate(self):
        ## Just grab the AS and scan it using our scanner
        address_space = utils.load_as(self._config, astype = 'physical')

        ## Will need the kernel AS for later:
        kernel_as = utils.load_as(self._config)

        for offset in PoolScanDriver().scan(address_space):
            pool_obj = obj.Object("_POOL_HEADER", vm = address_space,
                                  offset = offset)

            ## We work out the _DRIVER_OBJECT from the end of the
            ## allocation (bottom up).
            pool_alignment = obj.VolMagic(address_space).PoolAlignment.v()

            extension_obj = obj.Object(
                "_DRIVER_EXTENSION", vm = address_space,
                offset = (offset + pool_obj.BlockSize * pool_alignment -
                          common.pool_align(kernel_as, "_DRIVER_EXTENSION", pool_alignment)),
                native_vm = kernel_as)

            ## The _DRIVER_OBJECT is immediately below the _DRIVER_EXTENSION
            driver_obj = obj.Object(
                "_DRIVER_OBJECT", vm = address_space,
                offset = extension_obj.obj_offset -
                common.pool_align(kernel_as, "_DRIVER_OBJECT", pool_alignment),
                native_vm = kernel_as
                )

            ## The _OBJECT_HEADER is immediately below the _DRIVER_OBJECT
            object_obj = obj.Object(
                "_OBJECT_HEADER", vm = address_space,
                offset = driver_obj.obj_offset -
                address_space.profile.get_obj_offset('_OBJECT_HEADER', 'Body'),
                native_vm = kernel_as
                )

            ## Skip unallocated objects
            #if object_obj.Type == 0xbad0b0b0:
            #    continue

            if object_obj.get_object_type() != "Driver":
                continue

            yield (object_obj, driver_obj, extension_obj)

    def render_text(self, outfd, data):
        """Renders the text-based output"""
        self.table_header(outfd, [('Offset(P)', '[addrpad]'),
                                  ('#Ptr', '>4'),
                                  ('#Hnd', '>4'),
                                  ('Start', '[addrpad]'),
                                  ('Size', '[addr]'),
                                  ('Service Key', '20'),
                                  ('Name', '12'),
                                  ('Driver Name', '')
                                  ])

        for object_obj, driver_obj, extension_obj in data:
            self.table_row(outfd,
                           driver_obj.obj_offset,
                           object_obj.PointerCount,
                           object_obj.HandleCount,
                           driver_obj.DriverStart,
                           driver_obj.DriverSize,
                           str(extension_obj.ServiceKeyName or ''),
                           str(object_obj.NameInfo.Name or ''),
                           str(driver_obj.DriverName or ''))

class PoolScanSymlink(PoolScanFile):
    """ Scanner for symbolic
    link objects """
    checks = [ ('PoolTagCheck', dict(tag = "Sym\xe2")),
               # We use 0x48 as the lower bounds instead of 0x50 as described by Andreas
               # http://computer.forensikblog.de/en/2009/04/symbolic_link_objects.html.
               # This is because the _OBJECT_SYMBOLIC_LINK structure size is 2 bytes smaller
               # on Windows 7 (a field was removed) than on all other OS versions.
               ('CheckPoolSize', dict(condition = lambda x: x >= 0x48)),
               ('CheckPoolType', dict(paged = True, non_paged = True, free = True)),
               ]

class SymLinkScan(FileScan):
    "Scan for symbolic link objects "

    def calculate(self):
        ## Just grab the AS and scan it using our scanner
        address_space = utils.load_as(self._config, astype = 'physical')

        ## Will need the kernel AS for later:
        kernel_as = utils.load_as(self._config)

        for offset in PoolScanSymlink().scan(address_space):
            pool_obj = obj.Object("_POOL_HEADER", vm = address_space,
                                  offset = offset)

            ## We work out the object from the end of the
            ## allocation (bottom up).
            pool_alignment = obj.VolMagic(address_space).PoolAlignment.v()

            link_obj = obj.Object("_OBJECT_SYMBOLIC_LINK", vm = address_space,
                                  offset = (offset + pool_obj.BlockSize * pool_alignment -
                                            common.pool_align(kernel_as, "_OBJECT_SYMBOLIC_LINK", pool_alignment)),
                                  native_vm = kernel_as)

            ## The _OBJECT_HEADER is immediately below the _OBJECT_SYMBOLIC_LINK
            object_obj = obj.Object(
                "_OBJECT_HEADER", vm = address_space,
                offset = link_obj.obj_offset -
                address_space.profile.get_obj_offset('_OBJECT_HEADER', 'Body'),
                native_vm = kernel_as
                )

            if object_obj.get_object_type() != "SymbolicLink":
                continue

            yield object_obj, link_obj

    def render_text(self, outfd, data):
        """ Renders text-based output """
        self.table_header(outfd, [('Offset(P)', '[addrpad]'),
                                  ('#Ptr', '>6'),
                                  ('#Hnd', '>6'),
                                  ('Creation time', '30'),
                                  ('From', '<20'),
                                  ('To', '60'),
                                  ])

        for objct, link in data:
            self.table_row(outfd,
                           link.obj_offset,
                           objct.PointerCount,
                           objct.HandleCount,
                           link.CreationTime or '',
                           str(objct.NameInfo.Name or ''),
                           str(link.LinkTarget or ''))

class PoolScanMutant(PoolScanDriver):
    """ Scanner for Mutants _KMUTANT """
    checks = [ ('PoolTagCheck', dict(tag = "Mut\xe1")),
               ('CheckPoolSize', dict(condition = lambda x: x >= 0x40)),
               ('CheckPoolType', dict(paged = True, non_paged = True, free = True)),
               ('CheckPoolIndex', dict(value = 0)),
               ]

class MutantScan(FileScan):
    "Scan for mutant objects _KMUTANT "

    def __init__(self, config, *args, **kwargs):
        FileScan.__init__(self, config, *args, **kwargs)
        config.add_option("SILENT", short_option = 's', default = False,
                          action = 'store_true', help = 'Suppress less meaningful results')

    def calculate(self):
        ## Just grab the AS and scan it using our scanner
        address_space = utils.load_as(self._config, astype = 'physical')

        ## Will need the kernel AS for later:
        kernel_as = utils.load_as(self._config)

        for offset in PoolScanMutant().scan(address_space):
            pool_obj = obj.Object("_POOL_HEADER", vm = address_space,
                                  offset = offset)

            ## We work out the _KMUTANT from the end of the
            ## allocation (bottom up).
            pool_alignment = obj.VolMagic(address_space).PoolAlignment.v()

            mutant = obj.Object(
                "_KMUTANT", vm = address_space,
                offset = (offset + pool_obj.BlockSize * pool_alignment -
                          common.pool_align(kernel_as, "_KMUTANT", pool_alignment)),
                native_vm = kernel_as)

            ## The _OBJECT_HEADER is immediately below the _KMUTANT
            object_obj = obj.Object(
                "_OBJECT_HEADER", vm = address_space,
                offset = mutant.obj_offset -
                address_space.profile.get_obj_offset('_OBJECT_HEADER', 'Body'),
                native_vm = kernel_as
                )

            if object_obj.get_object_type() != "Mutant":
                continue

            ## Skip unallocated objects
            ##if object_obj.Type == 0xbad0b0b0:
            ##    continue

            if self._config.SILENT:
                if len(object_obj.NameInfo.Name) == 0:
                    continue

            yield (object_obj, mutant)

    def render_text(self, outfd, data):
        """Renders the output"""
        self.table_header(outfd, [('Offset(P)', '[addrpad]'),
                                  ('#Ptr', '>4'),
                                  ('#Hnd', '>4'),
                                  ('Signal', '4'),
                                  ('Thread', '[addrpad]'),
                                  ('CID', '>9'),
                                  ('Name', '')
                                  ])

        for object_obj, mutant in data:
            if mutant.OwnerThread > 0x80000000:
                thread = mutant.OwnerThread.dereference_as('_ETHREAD')
                CID = "{0}:{1}".format(thread.Cid.UniqueProcess, thread.Cid.UniqueThread)
            else:
                CID = ""

            self.table_row(outfd,
                           mutant.obj_offset,
                           object_obj.PointerCount,
                           object_obj.HandleCount,
                           mutant.Header.SignalState,
                           mutant.OwnerThread,
                           CID,
                           str(object_obj.NameInfo.Name or '')
                           )

class CheckProcess(scan.ScannerCheck):
    """ Check sanity of _EPROCESS """
    kernel = 0x80000000

    def check(self, found):
        ## The offset of the object is determined by subtracting the offset
        ## of the PoolTag member to get the start of Pool Object. This is done
        ## because PoolScanners search for the PoolTag.
        pool_base = found - self.address_space.profile.get_obj_offset(
            '_POOL_HEADER', 'PoolTag')

        pool_obj = obj.Object("_POOL_HEADER", vm = self.address_space,
                              offset = pool_base)

        ## We work out the _EPROCESS from the end of the
        ## allocation (bottom up).
        pool_alignment = obj.VolMagic(self.address_space).PoolAlignment.v()
        eprocess = obj.Object("_EPROCESS", vm = self.address_space,
                              offset = pool_base + pool_obj.BlockSize * pool_alignment -
                              common.pool_align(self.address_space, '_EPROCESS', pool_alignment))

        if (eprocess.Pcb.DirectoryTableBase == 0):
            return False

        if (eprocess.Pcb.DirectoryTableBase % 0x20 != 0):
            return False

        list_head = eprocess.ThreadListHead

        if (list_head.Flink < self.kernel) or (list_head.Blink < self.kernel):
            return False

        return True

class PoolScanProcess(scan.PoolScanner):
    """PoolScanner for Process objects"""

    def object_offset(self, found, address_space):
        """ This returns the offset of the object contained within
        this pool allocation.
        """

        ## The offset of the object is determined by subtracting the offset
        ## of the PoolTag member to get the start of Pool Object and then
        ## walking backwards based on pool alignment and pool size.
pool_base = found - self.buffer.profile.get_obj_offset( '_POOL_HEADER', 'PoolTag') pool_obj = obj.Object("_POOL_HEADER", vm = address_space, offset = pool_base) ## We work out the _EPROCESS from the end of the ## allocation (bottom up). pool_alignment = obj.VolMagic(address_space).PoolAlignment.v() object_base = (pool_base + pool_obj.BlockSize * pool_alignment - common.pool_align(address_space, '_EPROCESS', pool_alignment)) return object_base checks = [ ('PoolTagCheck', dict(tag = '\x50\x72\x6F\xe3')), ('CheckPoolSize', dict(condition = lambda x: x >= 0x1ae)), ('CheckPoolType', dict(paged = True, non_paged = True, free = True)), ('CheckPoolIndex', dict(value = 0)), ('CheckProcess', {}), ] class PSScan(common.AbstractWindowsCommand): """ Scan Physical memory for _EPROCESS pool allocations """ # Declare meta information associated with this plugin meta_info = {} meta_info['author'] = 'AAron Walters' meta_info['copyright'] = 'Copyright (c) 2011 Volatility Foundation' meta_info['contact'] = 'awalters@4tphi.net' meta_info['license'] = 'GNU General Public License 2.0' meta_info['url'] = 'https://www.volatilityfoundation.org/' meta_info['os'] = ['Win7SP0x86', 'WinXPSP3x86'] meta_info['version'] = '0.1' # Can't be cached until self.kernel_address_space is moved entirely # within calculate def calculate(self): ## Just grab the AS and scan it using our scanner address_space = utils.load_as(self._config, astype = 'physical') kernel_as = utils.load_as(self._config) for offset in PoolScanProcess().scan(address_space): eprocess = obj.Object('_EPROCESS', vm = address_space, native_vm = kernel_as, offset = offset) yield eprocess def render_text(self, outfd, data): self.table_header(outfd, [('Offset(P)', '[addrpad]'), ('Name', '16'), ('PID', '>6'), ('PPID', '>6'), ('PDB', '[addrpad]'), ('Time created', '30'), ('Time exited', '30') ]) for eprocess in data: self.table_row(outfd, eprocess.obj_offset, eprocess.ImageFileName, eprocess.UniqueProcessId, 
eprocess.InheritedFromUniqueProcessId, eprocess.Pcb.DirectoryTableBase, eprocess.CreateTime or '', eprocess.ExitTime or '') def render_dot(self, outfd, data): objects = set() links = set() for eprocess in data: label = "{0} | {1} |".format(eprocess.UniqueProcessId, eprocess.ImageFileName) if eprocess.ExitTime: label += "exited\\n{0}".format(eprocess.ExitTime) options = ' style = "filled" fillcolor = "lightgray" ' else: label += "running" options = '' objects.add('pid{0} [label="{1}" shape="record" {2}];\n'.format(eprocess.UniqueProcessId, label, options)) links.add("pid{0} -> pid{1} [];\n".format(eprocess.InheritedFromUniqueProcessId, eprocess.UniqueProcessId)) ## Now write the dot file outfd.write("digraph processtree { \ngraph [rankdir = \"TB\"];\n") for link in links: outfd.write(link) for item in objects: outfd.write(item) outfd.write("}") volatility-2.3.1/volatility/plugins/vboxinfo.py0000644000175000017500000000336012227253532021703 0ustar mikemike00000000000000# Volatility # Copyright (C) 2009-2012 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
#

import volatility.plugins.crashinfo as crashinfo

class VBoxInfo(crashinfo.CrashInfo):
    """Dump virtualbox information"""

    target_as = ['VirtualBoxCoreDumpElf64']

    def render_text(self, outfd, data):

        header = data.get_header()

        outfd.write("Magic: {0:#x}\n".format(header.u32Magic))
        outfd.write("Format: {0:#x}\n".format(header.u32FmtVersion))
        outfd.write("VirtualBox {0}.{1}.{2} (revision {3})\n".format(
                header.Major,
                header.Minor, header.Build,
                header.u32VBoxRevision))
        outfd.write("CPUs: {0}\n\n".format(header.cCpus))

        self.table_header(outfd, [("File Offset", "[addrpad]"),
                                  ("Memory Offset", "[addrpad]"),
                                  ("Size", "[addrpad]")])

        for memory_offset, file_offset, length in data.get_runs():
            self.table_row(outfd, file_offset, memory_offset, length)

volatility-2.3.1/volatility/plugins/connections.py

# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

#pylint: disable-msg=C0111

import volatility.plugins.common as common
import volatility.win32.network as network
import volatility.cache as cache
import volatility.utils as utils
import volatility.debug as debug

class Connections(common.AbstractWindowsCommand):
    """
    Print list of open connections [Windows XP and 2003 Only]
    ---------------------------------------------

    This module follows the handle table in tcpip.sys and prints
    current connections.

    Note that if you are using a hibernated image this might not work
    because Windows closes all connections before hibernating. You might
    find it more effective to do connscan instead.
    """
    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option("PHYSICAL-OFFSET", short_option = 'P', default = False,
                          cache_invalidator = False,
                          help = "Physical Offset", action = "store_true")

    @staticmethod
    def is_valid_profile(profile):
        return (profile.metadata.get('os', 'unknown') == 'windows' and
                profile.metadata.get('major', 0) == 5)

    def render_text(self, outfd, data):
        offsettype = "(V)" if not self._config.PHYSICAL_OFFSET else "(P)"
        self.table_header(outfd,
                          [("Offset{0}".format(offsettype), "[addrpad]"),
                           ("Local Address", "25"),
                           ("Remote Address", "25"),
                           ("Pid", "")
                           ])

        for conn in data:
            if not self._config.PHYSICAL_OFFSET:
                offset = conn.obj_offset
            else:
                offset = conn.obj_vm.vtop(conn.obj_offset)
            local = "{0}:{1}".format(conn.LocalIpAddress, conn.LocalPort)
            remote = "{0}:{1}".format(conn.RemoteIpAddress, conn.RemotePort)
            self.table_row(outfd, offset, local, remote, conn.Pid)

    @cache.CacheDecorator("tests/connections")
    def calculate(self):
        addr_space = utils.load_as(self._config)

        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")

        return network.determine_connections(addr_space)

volatility-2.3.1/volatility/plugins/vmwareinfo.py

# Volatility
# Copyright (C) 2009-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import os
import volatility.plugins.crashinfo as crashinfo
import volatility.utils as utils

class VMwareInfo(crashinfo.CrashInfo):
    """Dump VMware VMSS/VMSN information"""

    target_as = ['VMWareSnapshotFile']

    def __init__(self, config, *args, **kwargs):
        crashinfo.CrashInfo.__init__(self, config, *args, **kwargs)
        config.add_option('DUMP-DIR', short_option = 'D', default = None,
                          help = 'Directory in which to dump the screenshot (if available)')

    def render_text(self, outfd, data):

        header = data.get_header()

        ## First some of the version meta-data
        outfd.write("Magic: {0:#x} (Version {1})\n".format(header.Magic, header.Version))
        outfd.write("Group count: {0:#x}\n".format(header.GroupCount))

        ## Now let's print the runs
        self.table_header(outfd, [("File Offset", "#018x"),
                                  ("PhysMem Offset", "#018x"),
                                  ("Size", "#018x")])

        for memory_offset, file_offset, length in data.get_runs():
            self.table_row(outfd, file_offset, memory_offset, length)

        outfd.write("\n")

        ## Go through and print the groups and tags
        self.table_header(outfd, [("DataOffset", "#018x"),
                                  ("DataSize", "#018x"),
                                  ("Name", "50"),
                                  ("Value", "")])

        for group in header.Groups:
            for tag in group.Tags:

                ## The indices should look like [0][1]
                indices = ""
                for i in tag.TagIndices:
                    indices += "[{0}]".format(i)

                ## Attempt to format standard values
                if tag.DataMemSize == 0:
                    value = ""
                elif tag.DataMemSize == 1:
                    value = "{0}".format(tag.cast_as("unsigned char"))
                elif tag.DataMemSize == 2:
                    value = "{0}".format(tag.cast_as("unsigned short"))
                elif tag.DataMemSize == 4:
                    value = "{0:#x}".format(tag.cast_as("unsigned int"))
                elif tag.DataMemSize == 8:
                    value = "{0:#x}".format(tag.cast_as("unsigned long long"))
                else:
                    value = ""

                self.table_row(outfd,
                               tag.RealDataOffset,
                               tag.DataMemSize,
                               "{0}/{1}{2}".format(group.Name, tag.Name, indices),
                               value)

                ## In verbose mode, when we're *not* dealing with memory segments,
                ## print a hexdump of the data
                if (self._config.VERBOSE and tag.DataMemSize > 0
                        and str(group.Name) != "memory" and value == ""):

                    ## When we read, it must be done via the AS base (FileAddressSpace)
                    addr = tag.RealDataOffset
                    data = tag.obj_vm.read(addr, tag.DataMemSize)

                    outfd.write("".join(["{0:#010x} {1:<48} {2}\n".format(addr + o, h, ''.join(c))
                                         for o, h, c in utils.Hexdump(data)
                                         ]))

                    ## If an output directory was supplied, extract the
                    ## snapshot thumbnail image using the code below.
                    if (self._config.DUMP_DIR and
                            str(group.Name) == "MKSVMX" and
                            str(tag.Name) == "imageData"):
                        full_path = os.path.join(self._config.DUMP_DIR, "screenshot.png")
                        with open(full_path, "wb") as fh:
                            fh.write(data)
                            outfd.write("Wrote screenshot to: {0}\n".format(full_path))

volatility-2.3.1/volatility/plugins/vadinfo.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# Authors:
# Brendan Dolan-Gavitt
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

# The source code in this file was inspired by the excellent work of
# Brendan Dolan-Gavitt. Background information can be found in
# the following reference:
# "The VAD Tree: A Process-Eye View of Physical Memory," Brendan Dolan-Gavitt

import os.path
import volatility.plugins.taskmods as taskmods
import volatility.debug as debug #pylint: disable-msg=W0611
import volatility.constants as constants

# Vad Protections. Also known as page protections. _MMVAD_FLAGS.Protection,
# 3-bits, is an index into nt!MmProtectToValue (the following list).
PROTECT_FLAGS = dict(enumerate([
    'PAGE_NOACCESS',
    'PAGE_READONLY',
    'PAGE_EXECUTE',
    'PAGE_EXECUTE_READ',
    'PAGE_READWRITE',
    'PAGE_WRITECOPY',
    'PAGE_EXECUTE_READWRITE',
    'PAGE_EXECUTE_WRITECOPY',
    'PAGE_NOACCESS',
    'PAGE_NOCACHE | PAGE_READONLY',
    'PAGE_NOCACHE | PAGE_EXECUTE',
    'PAGE_NOCACHE | PAGE_EXECUTE_READ',
    'PAGE_NOCACHE | PAGE_READWRITE',
    'PAGE_NOCACHE | PAGE_WRITECOPY',
    'PAGE_NOCACHE | PAGE_EXECUTE_READWRITE',
    'PAGE_NOCACHE | PAGE_EXECUTE_WRITECOPY',
    'PAGE_NOACCESS',
    'PAGE_GUARD | PAGE_READONLY',
    'PAGE_GUARD | PAGE_EXECUTE',
    'PAGE_GUARD | PAGE_EXECUTE_READ',
    'PAGE_GUARD | PAGE_READWRITE',
    'PAGE_GUARD | PAGE_WRITECOPY',
    'PAGE_GUARD | PAGE_EXECUTE_READWRITE',
    'PAGE_GUARD | PAGE_EXECUTE_WRITECOPY',
    'PAGE_NOACCESS',
    'PAGE_WRITECOMBINE | PAGE_READONLY',
    'PAGE_WRITECOMBINE | PAGE_EXECUTE',
    'PAGE_WRITECOMBINE | PAGE_EXECUTE_READ',
    'PAGE_WRITECOMBINE | PAGE_READWRITE',
    'PAGE_WRITECOMBINE | PAGE_WRITECOPY',
    'PAGE_WRITECOMBINE | PAGE_EXECUTE_READWRITE',
    'PAGE_WRITECOMBINE | PAGE_EXECUTE_WRITECOPY',
]))

# Vad Types. The _MMVAD_SHORT.u.VadFlags (_MMVAD_FLAGS) struct on XP has
# individual flags, 1-bit each, for these types. The _MMVAD_FLAGS for all
# OS after XP has a member _MMVAD_FLAGS.VadType, 3-bits, which is an index
# into the following enumeration.
MI_VAD_TYPE = dict(enumerate([
    'VadNone',
    'VadDevicePhysicalMemory',
    'VadImageMap',
    'VadAwe',
    'VadWriteWatch',
    'VadLargePages',
    'VadRotatePhysical',
    'VadLargePageSection',
]))

# Inherit from dlllist just for the config options (__init__)
class VADInfo(taskmods.DllList):
    """Dump the VAD info"""

    def render_text(self, outfd, data):
        for task in data:
            outfd.write("*" * 72 + "\n")
            outfd.write("Pid: {0:6}\n".format(task.UniqueProcessId))
            for vad in task.VadRoot.traverse():
                if vad == None:
                    outfd.write("Error: {0}".format(vad))
                else:
                    self.write_vad_short(outfd, vad)
                    try:
                        self.write_vad_control(outfd, vad)
                    except AttributeError:
                        pass
                    try:
                        self.write_vad_ext(outfd, vad)
                    except AttributeError:
                        pass

                outfd.write("\n")

    def write_vad_short(self, outfd, vad):
        """Renders a text version of a Short Vad"""
        self.table_header(None,
                          [("VAD node @", str(len("VAD node @"))),
                           ("address", "[addrpad]"),
                           ("Start", "5"),
                           ("startaddr", "[addrpad]"),
                           ("End", "3"),
                           ("endaddr", "[addrpad]"),
                           ("Tag", "3"),
                           ("tagval", ""),
                           ])
        self.table_row(outfd, "VAD node @",
                       vad.obj_offset,
                       "Start",
                       vad.Start,
                       "End",
                       vad.End,
                       "Tag",
                       vad.Tag)
        outfd.write("Flags: {0}\n".format(str(vad.u.VadFlags)))
        # although the numeric value of Protection is printed above with VadFlags,
        # let's show the user a human-readable translation of the protection
        outfd.write("Protection: {0}\n".format(PROTECT_FLAGS.get(vad.u.VadFlags.Protection.v(), hex(vad.u.VadFlags.Protection))))
        # translate the vad type if it's available (> XP)
        if hasattr(vad.u.VadFlags, "VadType"):
            outfd.write("Vad Type: {0}\n".format(MI_VAD_TYPE.get(vad.u.VadFlags.VadType.v(), hex(vad.u.VadFlags.VadType))))

    def write_vad_control(self, outfd, vad):
        """Renders a text version of a (non-short) Vad's control information"""

        # even if the ControlArea is not NULL, it is only meaningful
        # for shared (non private) memory sections.
        if vad.u.VadFlags.PrivateMemory == 1:
            return

        control_area = vad.ControlArea
        if not control_area:
            return

        outfd.write("ControlArea @{0:08x} Segment {1:08x}\n".format(control_area.dereference().obj_offset, control_area.Segment))
        outfd.write("Dereference list: Flink {0:08x}, Blink {1:08x}\n".format(control_area.DereferenceList.Flink, control_area.DereferenceList.Blink))
        outfd.write("NumberOfSectionReferences: {0:10} NumberOfPfnReferences: {1:10}\n".format(control_area.NumberOfSectionReferences, control_area.NumberOfPfnReferences))
        outfd.write("NumberOfMappedViews: {0:10} NumberOfUserReferences: {1:10}\n".format(control_area.NumberOfMappedViews, control_area.NumberOfUserReferences))
        outfd.write("WaitingForDeletion Event: {0:08x}\n".format(control_area.WaitingForDeletion))
        outfd.write("Control Flags: {0}\n".format(str(control_area.u.Flags)))

        file_object = vad.FileObject

        if file_object:
            outfd.write("FileObject @{0:08x}, Name: {1}\n".format(file_object.obj_offset, str(file_object.FileName or '')))

    def write_vad_ext(self, outfd, vad):
        """Renders a text version of a Long Vad"""
        outfd.write("First prototype PTE: {0:08x} Last contiguous PTE: {1:08x}\n".format(vad.FirstPrototypePte, vad.LastContiguousPte))
        outfd.write("Flags2: {0}\n".format(str(vad.u2.VadFlags2)))

class VADTree(VADInfo):
    """Walk the VAD tree and display in tree format"""

    def render_text(self, outfd, data):
        for task in data:
            outfd.write("*" * 72 + "\n")
            outfd.write("Pid: {0:6}\n".format(task.UniqueProcessId))
            levels = {}
            self.table_header(None,
                              [("indent", ""),
                               ("Start", "[addrpad]"),
                               ("-", "1"),
                               ("End", "[addrpad]")
                               ])
            for vad in task.VadRoot.traverse():
                if vad:
                    level = levels.get(vad.Parent.obj_offset, -1) + 1
                    levels[vad.obj_offset] = level
                    self.table_row(outfd,
                                   " " * level,
                                   vad.Start,
                                   "-",
                                   vad.End)

    def render_dot(self, outfd, data):
        for task in data:
            outfd.write("/" + "*" * 72 + "/\n")
            outfd.write("/* Pid: {0:6} */\n".format(task.UniqueProcessId))
            outfd.write("digraph processtree {\n")
            outfd.write("graph [rankdir = \"TB\"];\n")
            for vad in task.VadRoot.traverse():
                if vad:
                    if vad.Parent:
                        outfd.write("vad_{0:08x} -> vad_{1:08x}\n".format(vad.Parent.obj_offset or 0, vad.obj_offset))
                    outfd.write("vad_{0:08x} [label = \"{{ {1}\\n{2:08x} - {3:08x} }}\""
                                "shape = \"record\" color = \"blue\"];\n".format(
                        vad.obj_offset,
                        vad.Tag,
                        vad.Start,
                        vad.End))

            outfd.write("}\n")

class VADWalk(VADInfo):
    """Walk the VAD tree"""

    def render_text(self, outfd, data):
        for task in data:
            outfd.write("*" * 72 + "\n")
            outfd.write("Pid: {0:6}\n".format(task.UniqueProcessId))
            self.table_header(outfd,
                              [("Address", "[addrpad]"),
                               ("Parent", "[addrpad]"),
                               ("Left", "[addrpad]"),
                               ("Right", "[addrpad]"),
                               ("Start", "[addrpad]"),
                               ("End", "[addrpad]"),
                               ("Tag", "4"),
                               ])
            for vad in task.VadRoot.traverse():
                # Ignore Vads with bad tags (which we explicitly include as None)
                if vad:
                    self.table_row(outfd,
                                   vad.obj_offset,
                                   vad.Parent.obj_offset or 0,
                                   vad.LeftChild.dereference().obj_offset or 0,
                                   vad.RightChild.dereference().obj_offset or 0,
                                   vad.Start,
                                   vad.End,
                                   vad.Tag)

class VADDump(VADInfo):
    """Dumps out the vad sections to a file"""

    def __init__(self, config, *args, **kwargs):
        VADInfo.__init__(self, config, *args, **kwargs)
        config.add_option('DUMP-DIR', short_option = 'D', default = None,
                          cache_invalidator = False,
                          help = 'Directory in which to dump the VAD files')
        config.add_option('BASE', short_option = 'b', default = None,
                          help = 'Dump VAD with BASE address (in hex)',
                          action = 'store', type = 'int')

    def dump_vad(self, path, vad, address_space):
        """
        Dump an MMVAD to a file.

        @param path: full path to output file
        @param vad: an MMVAD object
        @param address_space: process AS for the vad

        The purpose of this function is to read medium
        sized vad chunks and write them immediately to
        a file, rather than building a large buffer in
        memory and then flushing it at once. This prevents
        our own analysis process from consuming massive
        amounts of memory for large vads.

        @returns path to the image file on success or
        an error message stating why the file could not
        be dumped.
        """

        fh = open(path, "wb")
        if fh:
            offset = vad.Start
            out_of_range = vad.Start + vad.Length
            while offset < out_of_range:
                to_read = min(constants.SCAN_BLOCKSIZE, out_of_range - offset)
                data = address_space.zread(offset, to_read)
                if not data:
                    break
                fh.write(data)
                offset += to_read
            fh.close()
            return path
        else:
            return "Cannot open {0} for writing".format(path)

    def render_text(self, outfd, data):
        if self._config.DUMP_DIR == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        self.table_header(outfd,
                          [("Pid", "10"),
                           ("Process", "20"),
                           ("Start", "[addrpad]"),
                           ("End", "[addrpad]"),
                           ("Result", ""),
                           ])

        for task in data:
            # Walking the VAD tree can be done in kernel AS, but to
            # carve the actual data, we need a valid process AS.
            task_space = task.get_process_address_space()
            if not task_space:
                outfd.write("Unable to get process AS for {0}\n".format(task.UniqueProcessId))
                continue

            offset = task_space.vtop(task.obj_offset)

            for vad in task.VadRoot.traverse():
                if not vad.is_valid():
                    continue

                if self._config.BASE and vad.Start != self._config.BASE:
                    continue

                # Open the file and initialize the data
                vad_start = self.format_value(vad.Start, "[addrpad]")
                vad_end = self.format_value(vad.End, "[addrpad]")

                path = os.path.join(
                    self._config.DUMP_DIR, "{0}.{1:x}.{2}-{3}.dmp".format(
                        task.ImageFileName, offset, vad_start, vad_end))

                if (task.IsWow64 and vad.u.VadFlags.CommitCharge == 0x7ffffffffffff and
                        vad.End > 0x7fffffff):
                    result = "Skipping Wow64 MM_MAX_COMMIT range"
                else:
                    result = self.dump_vad(path, vad, task_space)

                self.table_row(outfd,
                               task.UniqueProcessId,
                               task.ImageFileName,
                               vad.Start, vad.End, result)

volatility-2.3.1/volatility/plugins/handles.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# Additional Authors:
# Michael Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.plugins.taskmods as taskmods

# Inherit from Dlllist for command line options
class Handles(taskmods.DllList):
    """Print list of open handles for each process"""

    def __init__(self, config, *args, **kwargs):
        taskmods.DllList.__init__(self, config, *args, **kwargs)
        config.add_option("PHYSICAL-OFFSET", short_option = 'P', default = False,
                          help = "Physical Offset", action = "store_true")
        config.add_option("OBJECT-TYPE", short_option = 't', default = None,
                          help = 'Show these object types (comma-separated)',
                          action = 'store', type = 'str')
        config.add_option("SILENT", short_option = 's', default = False,
                          action = 'store_true',
                          help = 'Suppress less meaningful results')

    def render_text(self, outfd, data):
        offsettype = "(V)" if not self._config.PHYSICAL_OFFSET else "(P)"

        self.table_header(outfd,
                          [("Offset{0}".format(offsettype), "[addrpad]"),
                           ("Pid", ">6"),
                           ("Handle", "[addr]"),
                           ("Access", "[addr]"),
                           ("Type", "16"),
                           ("Details", "")
                           ])

        if self._config.OBJECT_TYPE:
            object_list = [s for s in self._config.OBJECT_TYPE.split(',')]
        else:
            object_list = []

        for pid, handle, object_type, name in data:
            if object_list and object_type not in object_list:
                continue
            if self._config.SILENT:
                if len(name.replace("'", "")) == 0:
                    continue
            if not self._config.PHYSICAL_OFFSET:
                offset = handle.Body.obj_offset
            else:
                offset = handle.obj_vm.vtop(handle.Body.obj_offset)

            self.table_row(outfd,
                           offset,
                           pid,
                           handle.HandleValue,
                           handle.GrantedAccess,
                           object_type,
                           name)

    def calculate(self):
        for task in taskmods.DllList.calculate(self):
            pid = task.UniqueProcessId
            if task.ObjectTable.HandleTableList:
                for handle in task.ObjectTable.handles():
                    name = ""
                    object_type = handle.get_object_type()
                    if object_type == "File":
                        file_obj = handle.dereference_as("_FILE_OBJECT")
                        name = str(file_obj.file_name_with_device())
                    elif object_type == "Key":
                        key_obj = handle.dereference_as("_CM_KEY_BODY")
                        name = key_obj.full_key_name()
                    elif object_type == "Process":
                        proc_obj = handle.dereference_as("_EPROCESS")
                        name = "{0}({1})".format(proc_obj.ImageFileName, proc_obj.UniqueProcessId)
                    elif object_type == "Thread":
                        thrd_obj = handle.dereference_as("_ETHREAD")
                        name = "TID {0} PID {1}".format(thrd_obj.Cid.UniqueThread, thrd_obj.Cid.UniqueProcess)
                    elif handle.NameInfo.Name == None:
                        name = ''
                    else:
                        name = str(handle.NameInfo.Name)

                    yield pid, handle, object_type, name

volatility-2.3.1/volatility/plugins/taskmods.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# Additional Authors:
# Michael Cohen
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

#pylint: disable-msg=C0111

import os
import volatility.plugins.common as common
import volatility.win32 as win32
import volatility.obj as obj
import volatility.debug as debug
import volatility.utils as utils
import volatility.cache as cache

class DllList(common.AbstractWindowsCommand, cache.Testable):
    """Print list of loaded dlls for each process"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        cache.Testable.__init__(self)
        config.add_option('OFFSET', short_option = 'o', default = None,
                          help = 'EPROCESS offset (in hex) in the physical address space',
                          action = 'store', type = 'int')

        config.add_option('PID', short_option = 'p', default = None,
                          help = 'Operate on these Process IDs (comma-separated)',
                          action = 'store', type = 'str')

    def render_text(self, outfd, data):
        for task in data:
            pid = task.UniqueProcessId

            outfd.write("*" * 72 + "\n")
            outfd.write("{0} pid: {1:6}\n".format(task.ImageFileName, pid))

            if task.Peb:
                outfd.write("Command line : {0}\n".format(str(task.Peb.ProcessParameters.CommandLine or '')))
                if task.IsWow64:
                    outfd.write("Note: use ldrmodules for listing DLLs in Wow64 processes\n")
                outfd.write("{0}\n".format(str(task.Peb.CSDVersion or '')))
                outfd.write("\n")
                self.table_header(outfd,
                                  [("Base", "[addrpad]"),
                                   ("Size", "[addr]"),
                                   ("LoadCount", "[addr]"),
                                   ("Path", ""),
                                   ])
                for m in task.get_load_modules():
                    self.table_row(outfd, m.DllBase, m.SizeOfImage, m.LoadCount, str(m.FullDllName or ''))
            else:
                outfd.write("Unable to read PEB for task.\n")

    def filter_tasks(self, tasks):
        """ Reduce the tasks based on the user selectable PIDS parameter.

        Returns a reduced list or the full list if config.PIDS not specified.
        """
        if self._config.PID is None:
            return tasks

        try:
            pidlist = [int(p) for p in self._config.PID.split(',')]
        except ValueError:
            debug.error("Invalid PID {0}".format(self._config.PID))

        return [t for t in tasks if t.UniqueProcessId in pidlist]

    @staticmethod
    def virtual_process_from_physical_offset(addr_space, offset):
        """ Returns a virtual process from a physical offset in memory """
        # Since this is a physical offset, we find the process
        flat_addr_space = utils.load_as(addr_space.get_config(), astype = 'physical')
        flateproc = obj.Object("_EPROCESS", offset, flat_addr_space)
        # then use the virtual address of its first thread to get into virtual land
        # (Note: the addr_space and flat_addr_space use the same config, so should have the same profile)
        tleoffset = addr_space.profile.get_obj_offset("_ETHREAD", "ThreadListEntry")
        ethread = obj.Object("_ETHREAD", offset = flateproc.ThreadListHead.Flink.v() - tleoffset, vm = addr_space)
        # and ask for the thread's process to get an _EPROCESS with a virtual address space
        virtual_process = ethread.owning_process()
        # Sanity check the bounce. See Issue 154.
        if virtual_process and offset == addr_space.vtop(virtual_process.obj_offset):
            return virtual_process

        return obj.NoneObject("Unable to bounce back from virtual _ETHREAD to virtual _EPROCESS")

    @cache.CacheDecorator(lambda self: "tests/pslist/pid={0}/offset={1}".format(self._config.PID, self._config.OFFSET))
    def calculate(self):
        """Produces a list of processes, or just a single process based on an OFFSET"""
        addr_space = utils.load_as(self._config)

        if self._config.OFFSET != None:
            tasks = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
        else:
            tasks = self.filter_tasks(win32.tasks.pslist(addr_space))

        return tasks

class PSList(DllList):
    """ Print all running processes by following the EPROCESS lists """
    def __init__(self, config, *args, **kwargs):
        DllList.__init__(self, config, *args, **kwargs)
        config.add_option("PHYSICAL-OFFSET", short_option = 'P', default = False,
                          cache_invalidator = False,
                          help = "Physical Offset", action = "store_true")

    def render_text(self, outfd, data):

        offsettype = "(V)" if not self._config.PHYSICAL_OFFSET else "(P)"
        self.table_header(outfd,
                          [("Offset{0}".format(offsettype), "[addrpad]"),
                           ("Name", "20s"),
                           ("PID", ">6"),
                           ("PPID", ">6"),
                           ("Thds", ">6"),
                           ("Hnds", ">8"),
                           ("Sess", ">6"),
                           ("Wow64", ">6"),
                           ("Start", "30"),
                           ("Exit", "30")]
                          )

        for task in data:
            # PHYSICAL_OFFSET must STRICTLY only be used in the results. If it's used for anything else,
            # it needs to have cache_invalidator set to True in the options
            if not self._config.PHYSICAL_OFFSET:
                offset = task.obj_offset
            else:
                offset = task.obj_vm.vtop(task.obj_offset)
            self.table_row(outfd,
                           offset,
                           task.ImageFileName,
                           task.UniqueProcessId,
                           task.InheritedFromUniqueProcessId,
                           task.ActiveThreads,
                           task.ObjectTable.HandleCount,
                           task.SessionId,
                           task.IsWow64,
                           str(task.CreateTime or ''),
                           str(task.ExitTime or ''),
                           )

# Inherit from files just for the config options (__init__)
class MemMap(DllList):
    """Print the memory map"""

    def render_text(self, outfd, data):
        first = True
        for pid, task, pagedata in data:
            if not first:
                outfd.write("*" * 72 + "\n")

            task_space = task.get_process_address_space()
            outfd.write("{0} pid: {1:6}\n".format(task.ImageFileName, pid))
            first = False

            offset = 0
            if pagedata:
                self.table_header(outfd,
                                  [("Virtual", "[addrpad]"),
                                   ("Physical", "[addrpad]"),
                                   ("Size", "[addr]"),
                                   ("DumpFileOffset", "[addr]")])

                for p in pagedata:
                    pa = task_space.vtop(p[0])
                    # pa can be 0, according to the old memmap, but can't == None(NoneObject)
                    if pa != None:
                        self.table_row(outfd, p[0], pa, p[1], offset)
                    #else:
                    #    outfd.write("0x{0:10x} 0x000000 0x{1:12x}\n".format(p[0], p[1]))
                    offset += p[1]
            else:
                outfd.write("Unable to read pages for task.\n")

    @cache.CacheDecorator(lambda self: "tests/memmap/pid={0}/offset={1}".format(self._config.PID, self._config.OFFSET))
    def calculate(self):
        tasks = DllList.calculate(self)

        for task in tasks:
            if task.UniqueProcessId:
                pid = task.UniqueProcessId
                task_space = task.get_process_address_space()
                pages = task_space.get_available_pages()
                yield pid, task, pages

class MemDump(MemMap):
    """Dump the addressable memory for a process"""

    def __init__(self, config, *args, **kwargs):
        MemMap.__init__(self, config, *args, **kwargs)
        config.add_option('DUMP-DIR', short_option = 'D', default = None,
                          cache_invalidator = False,
                          help = 'Directory in which to dump memory')

    def render_text(self, outfd, data):
        if self._config.DUMP_DIR == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        for pid, task, pagedata in data:
            outfd.write("*" * 72 + "\n")

            task_space = task.get_process_address_space()
            outfd.write("Writing {0} [{1:6}] to {2}.dmp\n".format(task.ImageFileName, pid, str(pid)))

            f = open(os.path.join(self._config.DUMP_DIR, str(pid) + ".dmp"), 'wb')
            if pagedata:
                for p in pagedata:
                    data = task_space.read(p[0], p[1])
                    if data == None:
                        if self._config.verbose:
                            outfd.write("Memory Not Accessible: Virtual Address: 0x{0:x} File Offset: 0x{1:x} Size: 0x{2:x}\n".format(p[0], task.obj_offset, p[1]))
                    else:
                        f.write(data)
            else:
                outfd.write("Unable to read pages for task.\n")
            f.close()

volatility-2.3.1/volatility/plugins/mbrparser.py

# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (C) 2011 Jamie Levy (Gleeda)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Jamie Levy (gleeda)
@license: GNU General Public License 2.0
@contact: jamie.levy@gmail.com
@organization: Volatility Foundation
"""

import volatility.commands as commands
import volatility.scan as scan
import volatility.obj as obj
import volatility.utils as utils
import volatility.debug as debug
import struct
import hashlib
import os

try:
    import distorm3
    has_distorm3 = True
except ImportError:
    has_distorm3 = False

# Partition types taken from Gary Kessler's MBRParser.pl:
# http://www.garykessler.net/software/index.html
PartitionTypes = {
    0x00:"Empty",
    0x01:"FAT12,CHS",
    0x04:"FAT16 16-32MB,CHS",
    0x05:"Microsoft Extended",
    0x06:"FAT16 32MB,CHS",
    0x07:"NTFS",
    0x0b:"FAT32,CHS",
    0x0c:"FAT32,LBA",
    0x0e:"FAT16, 32MB-2GB,LBA",
    0x0f:"Microsoft Extended, LBA",
    0x11:"Hidden FAT12,CHS",
    0x14:"Hidden FAT16,16-32MB,CHS",
    0x16:"Hidden FAT16,32MB-2GB,CHS",
    0x18:"AST SmartSleep Partition",
    0x1b:"Hidden FAT32,CHS",
    0x1c:"Hidden FAT32,LBA",
    0x1e:"Hidden FAT16,32MB-2GB,LBA",
    0x27:"PQservice",
    0x39:"Plan 9 partition",
    0x3c:"PartitionMagic recovery partition",
    0x42:"Microsoft MBR,Dynamic Disk",
    0x44:"GoBack partition",
    0x51:"Novell",
    0x52:"CP/M",
    0x63:"Unix System V",
    0x64:"PC-ARMOUR protected partition",
    0x82:"Solaris x86 or Linux Swap",
    0x83:"Linux",
    0x84:"Hibernation",
    0x85:"Linux Extended",
    0x86:"NTFS Volume Set",
    0x87:"NTFS Volume Set",
    0x9f:"BSD/OS",
    0xa0:"Hibernation",
    0xa1:"Hibernation",
    0xa5:"FreeBSD",
    0xa6:"OpenBSD",
    0xa8:"Mac OSX",
    0xa9:"NetBSD",
    0xab:"Mac OSX Boot",
    0xaf:"MacOS X HFS",
    0xb7:"BSDI",
    0xb8:"BSDI Swap",
    0xbb:"Boot Wizard hidden",
    0xbe:"Solaris 8 boot partition",
    0xd8:"CP/M-86",
    0xde:"Dell PowerEdge Server utilities (FAT fs)",
    0xdf:"DG/UX virtual disk manager partition",
    0xeb:"BeOS BFS",
    0xee:"EFI GPT Disk",
    0xef:"EFI System Parition",
    0xfb:"VMWare File System",
    0xfc:"VMWare Swap",
}

# Using structures defined in File System Forensic Analysis pg 88+
# boot code is from bytes 0-439 in the partition table
# we should dissassemble
MBR_types = {
    'PARTITION_ENTRY': [ 0x10, {
        'BootableFlag': [0x0, ['char']], # 0x80 is bootable
        'StartingCHS': [0x1, ['array', 3, ['unsigned char']]],
        'PartitionType': [0x4, ['char']],
        'EndingCHS': [0x5, ['array', 3, ['unsigned char']]],
        'StartingLBA': [0x8, ['unsigned int']],
        'SizeInSectors': [0xc, ['int']],
    }],
    'PARTITION_TABLE': [ 0x200, {
        'DiskSignature': [ 0x1b8, ['array', 4, ['unsigned char']]],
        'Unused': [ 0x1bc, ['unsigned short']],
        'Entry1': [ 0x1be, ['PARTITION_ENTRY']],
        'Entry2': [ 0x1ce, ['PARTITION_ENTRY']],
        'Entry3': [ 0x1de, ['PARTITION_ENTRY']],
        'Entry4': [ 0x1ee, ['PARTITION_ENTRY']],
        'Signature': [0x1fe, ['unsigned short']],
    }]
}

class PARTITION_ENTRY(obj.CType):
    def get_value(self, char):
        padded = "\x00\x00\x00" + str(char)
        val = int(struct.unpack('>I', padded)[0])
        return val

    def get_type(self):
        return PartitionTypes.get(self.get_value(self.PartitionType), "Invalid")

    def is_bootable(self):
        return self.get_value(self.BootableFlag) == 0x80

    def is_bootable_and_used(self):
        return self.is_bootable() and self.is_used()

    def is_valid(self):
        return self.get_type() != "Invalid"

    def is_used(self):
        return self.get_type() != "Empty" and self.is_valid()

    def StartingSector(self):
        return self.StartingCHS[1] % 64

    def StartingCylinder(self):
        return (self.StartingCHS[1] - self.StartingSector()) * 4 + self.StartingCHS[2]

    def EndingSector(self):
        return self.EndingCHS[1] % 64

    def EndingCylinder(self):
        return (self.EndingCHS[1] - self.EndingSector()) * 4 + self.EndingCHS[2]

    def __str__(self):
        processed_entry = ""
        bootable = self.get_value(self.BootableFlag)
        processed_entry = "Boot flag: {0:#x} {1}\n".format(bootable, "(Bootable)" if self.is_bootable() else '')
        processed_entry += "Partition type: {0:#x} ({1})\n".format(self.get_value(self.PartitionType), self.get_type())
        processed_entry += "Starting Sector (LBA): {0:#x} ({0})\n".format(self.StartingLBA)
        processed_entry += "Starting CHS: Cylinder: {0} Head: {1} Sector: {2}\n".format(self.StartingCylinder(),
                                                                                     self.StartingCHS[0],
                                                                                     self.StartingSector())
        processed_entry += "Ending CHS: Cylinder: {0} Head: {1} Sector: {2}\n".format(self.EndingCylinder(),
                                                                                   self.EndingCHS[0],
                                                                                   self.EndingSector())
        processed_entry += "Size in sectors: {0:#x} ({0})\n\n".format(self.SizeInSectors)
        return processed_entry

class MbrObjectTypes(obj.ProfileModification):
    def modification(self, profile):
        profile.object_classes.update({
            'PARTITION_ENTRY': PARTITION_ENTRY,
        })
        profile.vtypes.update(MBR_types)

class MBRScanner(scan.BaseScanner):
    checks = [ ]

    def __init__(self, window_size = 512, needles = None):
        self.needles = needles
        self.checks = [ ("MultiStringFinderCheck", {'needles':needles})]
        scan.BaseScanner.__init__(self, window_size)

    def scan(self, address_space, offset = 0, maxlen = None):
        for offset in scan.BaseScanner.scan(self, address_space, offset, maxlen):
            yield offset - 0x1fe

class MBRParser(commands.Command):
    """ Scans for and parses potential Master Boot Records (MBRs) """
    def __init__(self, config, *args, **kwargs):
        commands.Command.__init__(self, config, *args)
        # We have all these options, however another will be added for diffing
        # when it is more refined
        config.add_option('HEX', short_option = 'H', default = False,
                          help = 'Output HEX of Bootcode instead of default disassembly',
                          action = "store_true")
        config.add_option('HASH', short_option = 'M', default = None,
                          help = "Hash of bootcode (up to RET) to search for",
                          action = "store", type = "str")
        config.add_option('FULLHASH', short_option = 'F', default = None,
                          help = "Hash of full bootcode to search for",
                          action = "store", type = "str")
        config.add_option('DISOFFSET', short_option = 'D', default = None,
                          help = "Offset to start disassembly",
                          action = "store", type = "int")
        config.add_option('OFFSET', short_option = 'o', default = None,
                          help = "Offset of MBR",
                          action = "store", type = "int")
        config.add_option('CHECK', short_option = 'C', default = False,
                          help = "Check partitions",
                          action = "store_true")
        config.add_option('DISK', short_option = 'm', default = None,
                          help = "Disk or extracted MBR",
                          action = "store", type = "str")
        config.add_option('MAXDISTANCE', short_option = 'x', default = None,
                          help = "Maximum Levenshtein distance for MBR vs Disk",
                          action = "store", type = "int")
        config.add_option('ZEROSTART', short_option = 'z', default = False,
                          help = 'Start the output header at zero',
                          action = "store_true")
        self.code_data = ""
        self.disk_mbr = None

    # Taken from:
    # http://en.wikibooks.org/wiki/Algorithm_implementation/Strings/Levenshtein_distance#Python
    def levenshtein(self, s1, s2):
        if len(s1) < len(s2):
            return self.levenshtein(s2, s1)

        # len(s1) >= len(s2)
        if len(s2) == 0:
            return len(s1)

        previous_row = xrange(len(s2) + 1)
        for i, c1 in enumerate(s1):
            current_row = [i + 1]
            for j, c2 in enumerate(s2):
                insertions = previous_row[j + 1] + 1 # j+1 instead of j since previous_row and current_row are one character longer
                deletions = current_row[j] + 1       # than s2
                substitutions = previous_row[j] + (c1 != c2)
                current_row.append(min(insertions, deletions, substitutions))
            previous_row = current_row

        return previous_row[-1]

    def calculate(self):
        address_space = utils.load_as(self._config, astype = 'physical')
        if not has_distorm3 and not self._config.HEX:
            debug.error("Install distorm3 code.google.com/p/distorm/")
        if self._config.MAXDISTANCE != None and not self._config.DISK:
            debug.error("Must supply the path for the extracted MBR/Disk when using MAXDISTANCE")
        if self._config.DISK and not os.path.isfile(self._config.DISK):
            debug.error(self._config.DISK + " does not exist")
        diff = 0
        if self._config.DISOFFSET:
            diff = self._config.DISOFFSET
        if self._config.DISK:
            file = open(self._config.DISK, "rb")
            self.disk_mbr = file.read(440)
            file.close()
        if self._config.OFFSET:
            PARTITION_TABLE = obj.Object('PARTITION_TABLE', vm = address_space,
                                         offset = self._config.OFFSET)
            boot_code = address_space.read(self._config.OFFSET + diff, 440 - diff)
            all_zeros = boot_code.count(chr(0)) == len(boot_code)
            if not all_zeros:
                yield self._config.OFFSET, PARTITION_TABLE, boot_code
            else:
                print "Not a valid MBR: Data all zeroed out"
        else:
            scanner = MBRScanner(needles = ['\x55\xaa'])
            for offset in scanner.scan(address_space):
                PARTITION_TABLE = obj.Object('PARTITION_TABLE', vm = address_space,
                                             offset = offset)
                boot_code = address_space.read(offset + diff, 440 - diff)
                all_zeros = boot_code.count(chr(0)) == len(boot_code)
                if not all_zeros:
                    yield offset, PARTITION_TABLE, boot_code

    def Hexdump(self, data, given_offset = 0, width = 16):
        for offset in xrange(0, len(data), width):
            row_data = data[offset:offset + width]
            translated_data = [x if ord(x) < 127 and ord(x) > 32 else "." for x in row_data]
            hexdata = " ".join(["{0:02x}".format(ord(x)) for x in row_data])

            yield offset + given_offset, hexdata, translated_data

    def _get_instructions(self, boot_code):
        if self._config.HEX:
            return "".join(["{2}".format(o, h, ''.join(c)) for o, h, c in self.Hexdump(boot_code, 0)])
        iterable = distorm3.DecodeGenerator(0, boot_code, distorm3.Decode16Bits)
        ret = ""
        for (offset, size, instruction, hexdump) in iterable:
            ret += "{0}".format(instruction)
            if instruction == "RET":
                hexstuff = "".join(["{2}".format(o, h, ''.join(c)) for o, h, c in self.Hexdump(boot_code[offset + size:], 0)])
                ret += hexstuff
                break
        return ret

    def get_disasm_text(self, boot_code, start):
        iterable = distorm3.DecodeGenerator(0, boot_code, distorm3.Decode16Bits)
        ret = ""
        self.code_data = boot_code
        for (offset, size, instruction, hexdump) in iterable:
            ret += "{0:010x}: {1:<32} {2}\n".format(offset + start, hexdump, instruction)
            if instruction == "RET":
                self.code_data = boot_code[0:offset + size]
                hexstuff = "\n" + "\n".join(["{0:010x}: {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in self.Hexdump(boot_code[offset + size:], offset + start + size)])
                ret += hexstuff
                break
        return ret

    def render_text(self, outfd, data):
        border = "*" * 75
        dis = 0
        if self._config.DISOFFSET:
            dis = self._config.DISOFFSET
        for offset, PARTITION_TABLE, boot_code in data:
            entry1 = PARTITION_TABLE.Entry1.dereference_as('PARTITION_ENTRY')
            entry2 = PARTITION_TABLE.Entry2.dereference_as('PARTITION_ENTRY')
            entry3 = PARTITION_TABLE.Entry3.dereference_as('PARTITION_ENTRY')
            entry4 = PARTITION_TABLE.Entry4.dereference_as('PARTITION_ENTRY')
            have_bootable = entry1.is_bootable_and_used() or entry2.is_bootable_and_used() or entry3.is_bootable_and_used() or entry4.is_bootable_and_used()
            if self._config.CHECK and not have_bootable:
                # it doesn't really make sense to have a partition that is bootable, but empty or invalid
                # but we only skip MBRs with these types of partitions if we are checking
                continue
            disasm = ""
            distance = 0
            start = offset
            boot_code_output = ""
            if self._config.ZEROSTART:
                start = 0
            if not self._config.HEX:
                disasm = self.get_disasm_text(boot_code, start + dis)
                if disasm == "" or self.code_data == None:
                    continue
                boot_code_output = "Disassembly of Bootable Code:\n{0}\n\n".format(disasm)
            else:
                hexstuff = "\n" + "\n".join(["{0:010x} {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in self.Hexdump(boot_code, start)])
                boot_code_output = "Bootable code: \n{0} \n\n".format(hexstuff)
            h = hashlib.md5()
            f = hashlib.md5()
            h.update(self.code_data)
            f.update(boot_code)
            if self._config.HASH:
                hash = "{0}".format(h.hexdigest())
                if hash.lower() != self._config.HASH.lower():
                    continue
            elif self._config.FULLHASH:
                hash = "{0}".format(f.hexdigest())
                if hash.lower() != self._config.FULLHASH.lower():
                    continue
            if self.disk_mbr:
                distance = self.levenshtein(self._get_instructions(self.disk_mbr), self._get_instructions(boot_code))
                if self._config.MAXDISTANCE != None and distance > self._config.MAXDISTANCE:
                    continue

            outfd.write("{0}\n".format(border))
            outfd.write("Potential MBR at physical offset: {0:#x}\n".format(offset))
            outfd.write("Disk Signature: {0:02x}-{1:02x}-{2:02x}-{3:02x}\n".format(
                PARTITION_TABLE.DiskSignature[0],
                PARTITION_TABLE.DiskSignature[1],
                PARTITION_TABLE.DiskSignature[2],
                PARTITION_TABLE.DiskSignature[3]))
            outfd.write("Bootcode md5: {0}\n".format(h.hexdigest()))
            outfd.write("Bootcode (FULL) md5: {0}\n".format(f.hexdigest()))
            if self.disk_mbr:
                outfd.write("\nLevenshtein Distance from Supplied MBR: {0}\n\n".format(distance))
            outfd.write(boot_code_output)

            outfd.write("===== Partition Table #1 =====\n")
            outfd.write(str(entry1))
            outfd.write("===== Partition Table #2 =====\n")
            outfd.write(str(entry2))
            outfd.write("===== Partition Table #3 =====\n")
            outfd.write(str(entry3))
            outfd.write("===== Partition Table #4 =====\n")
            outfd.write(str(entry4))
            outfd.write("{0}\n\n".format(border))

volatility-2.3.1/volatility/plugins/privileges.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2012, 2013 Cem Gurkok
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Cem Gurkok
@license: GNU General Public License 2.0
@contact: cemgurkok@gmail.com
@organization: Volatility Foundation
"""

import re
import volatility.utils as utils
import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.taskmods as taskmods

class TokenXP2003(obj.ProfileModification):
    before = ['WindowsOverlay', 'WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x < 6}

    def modification(self, profile):
        profile.merge_overlay({"_TOKEN" : [None,
            {'Privileges': [None,
                ['pointer', ['array', lambda x: x.PrivilegeCount, ['_LUID_AND_ATTRIBUTES']]]],
            }]})

PRIVILEGE_INFO = {
    2: ('SeCreateTokenPrivilege', "Create a token object"),
    3: ('SeAssignPrimaryTokenPrivilege', "Replace a process-level token"),
    4: ('SeLockMemoryPrivilege', "Lock pages in memory"),
    5: ('SeIncreaseQuotaPrivilege', "Increase quotas"),
    6: ('SeMachineAccountPrivilege', "Add workstations to the domain"),
    7: ('SeTcbPrivilege', "Act as part of the operating system"),
    8: ('SeSecurityPrivilege', "Manage auditing and security log"),
    9: ('SeTakeOwnershipPrivilege', "Take ownership of files/objects"),
    10: ('SeLoadDriverPrivilege', "Load and unload device drivers"),
    11: ('SeSystemProfilePrivilege', "Profile system performance"),
    12: ('SeSystemtimePrivilege', "Change the system time"),
    13: ('SeProfileSingleProcessPrivilege', "Profile a single process"),
    14: ('SeIncreaseBasePriorityPrivilege', "Increase scheduling priority"),
    15: ('SeCreatePagefilePrivilege', "Create a pagefile"),
    16: ('SeCreatePermanentPrivilege', "Create permanent shared objects"),
    17: ('SeBackupPrivilege', "Backup files and directories"),
    18: ('SeRestorePrivilege', "Restore files and directories"),
    19: ('SeShutdownPrivilege', "Shut down the system"),
    20: ('SeDebugPrivilege', "Debug programs"),
    21: ('SeAuditPrivilege', "Generate security audits"),
    22: ('SeSystemEnvironmentPrivilege', "Edit firmware environment values"),
    23: ('SeChangeNotifyPrivilege', "Receive notifications of changes to files or directories"),
    24: ('SeRemoteShutdownPrivilege', "Force shutdown from a remote system"),
    25: ('SeUndockPrivilege', "Remove computer from docking station"),
    26: ('SeSyncAgentPrivilege', "Synch directory service data"),
    27: ('SeEnableDelegationPrivilege', "Enable user accounts to be trusted for delegation"),
    28: ('SeManageVolumePrivilege', "Manage the files on a volume"),
    29: ('SeImpersonatePrivilege', "Impersonate a client after authentication"),
    30: ('SeCreateGlobalPrivilege', "Create global objects"),
    31: ('SeTrustedCredManAccessPrivilege', "Access Credential Manager as a trusted caller"),
    32: ('SeRelabelPrivilege', "Modify the mandatory integrity level of an object"),
    33: ('SeIncreaseWorkingSetPrivilege', "Allocate more memory for user applications"),
    34: ('SeTimeZonePrivilege', "Adjust the time zone of the computer's internal clock"),
    35: ('SeCreateSymbolicLinkPrivilege', "Required to create a symbolic link"),
}

class Privs(taskmods.DllList):
    "Display process privileges"

    def __init__(self, config, *args):
        taskmods.DllList.__init__(self, config, *args)
        config.add_option("SILENT", short_option = "s", default = False,
                          help = "Suppress less meaningful results",
                          action = "store_true")
        config.add_option('REGEX', short_option = 'r',
                          help = 'Show privileges matching REGEX',
                          action = 'store', type = 'string')

    def render_text(self, outfd, data):

        self.table_header(outfd, [("Pid", "8"),
                                  ("Process", "16"),
                                  ("Value", "6"),
                                  ("Privilege", "36"),
                                  ("Attributes", "24"),
                                  ("Description", "")])

        if self._config.REGEX:
            priv_re = re.compile(self._config.REGEX, re.I)

        for task in data:
            for value, present, enabled, default in task.get_token().privileges():
                # Skip privileges whose bit positions cannot be
                # translated to a privilege name
                try:
                    name, desc = PRIVILEGE_INFO[int(value)]
                except KeyError:
                    continue

                # If we're operating in silent mode, only print privileges
                # that have been explicitly enabled by the process or that
                # appear to have been DKOM'd via Ceasar's proposed attack.
                if self._config.SILENT:
                    if not ((enabled and not default) or (enabled and not present)):
                        continue

                # Set the attributes
                attributes = []
                if present:
                    attributes.append("Present")
                if enabled:
                    attributes.append("Enabled")
                if default:
                    attributes.append("Default")

                if self._config.REGEX:
                    if not priv_re.search(name):
                        continue

                self.table_row(outfd, task.UniqueProcessId, task.ImageFileName,
                               value, name, ",".join(attributes), desc)

volatility-2.3.1/volatility/plugins/strings.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2009 Timothy D. Morgan (strings optimization)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import os
import volatility.plugins.taskmods as taskmods
import volatility.plugins.filescan as filescan
import volatility.obj as obj
import volatility.utils as utils
import volatility.win32 as win32
import volatility.debug as debug

class Strings(taskmods.DllList):
    """Match physical offsets to virtual addresses (may take a while, VERY verbose)"""
    def __init__(self, config, *args, **kwargs):
        taskmods.DllList.__init__(self, config, *args, **kwargs)
        config.remove_option('PID')
        config.add_option('STRING-FILE', short_option = 's', default = None,
                          help = 'File output in strings format (offset:string)',
                          action = 'store', type = 'str')
        config.add_option("SCAN", short_option = 'S', default = False,
                          action = 'store_true', help = 'Use PSScan if no offset is provided')
        config.add_option('OFFSET', short_option = 'o', default = None,
                          help = 'EPROCESS offset (in hex) in the physical address space',
                          action = 'store', type = 'int')
        config.add_option('PIDS', short_option = 'p', default = None,
                          help = 'Operate on these Process IDs (comma-separated)',
                          action = 'store', type = 'str')

    def calculate(self):
        """Calculates the physical to virtual address mapping"""
        if self._config.STRING_FILE is None or not os.path.exists(self._config.STRING_FILE):
            debug.error("Strings file not found")

        addr_space = utils.load_as(self._config)

        if self._config.OFFSET != None:
            tasks = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
        elif self._config.SCAN:
            procs = list(filescan.PSScan(self._config).calculate())
            tasks = []
            for task in procs:
                tasks.append(self.virtual_process_from_physical_offset(addr_space, task.obj_offset))
        else:
            tasks = win32.tasks.pslist(addr_space)

        try:
            if self._config.PIDS is not None:
                pidlist = [int(p) for p in self._config.PIDS.split(',')]
                tasks = [t for t in tasks if int(t.UniqueProcessId) in pidlist]
        except (ValueError, TypeError):
            # TODO: We should probably print a non-fatal warning here
            pass

        return addr_space, tasks

    def render_text(self, outfd, data):
        """Runs through the text file outputting which string appears where"""

        addr_space, tasks = data

        stringlist = open(self._config.STRING_FILE, "r")

        verbfd = None
        if self._config.VERBOSE:
            verbfd = outfd

        reverse_map = self.get_reverse_map(addr_space, tasks, verbfd)

        for stringLine in stringlist:
            (offsetString, string) = self.parse_line(stringLine)
            try:
                offset = int(offsetString)
            except ValueError:
                debug.error("String file format invalid.")
            if reverse_map.has_key(offset & 0xFFFFF000):
                outfd.write("{0:08x} [".format(offset))
                outfd.write(' '.join(["{0}:{1:08x}".format(pid[0], pid[1] | (offset & 0xFFF)) for pid in reverse_map[offset & 0xFFFFF000][1:]]))
                outfd.write("] {0}\n".format(string.strip()))

    @staticmethod
    def get_reverse_map(addr_space, tasks, verbfd = None):
        """Generates a reverse mapping from physical addresses to the kernel and/or tasks
           Returns:
           dict of form phys_page -> [isKernel, (pid1, vaddr1), (pid2, vaddr2) ...]
           where isKernel is True or False. if isKernel is true, list is of all kernel addresses
        """

        if verbfd is None:
            verbfd = obj.NoneObject("Swallow output unless VERBOSE mode is enabled")

        # ASSUMPTION: no pages mapped in kernel and userland
        # XXX: Can we eliminate the above assumption? It seems like the only change needed for
        #      that would be to store a boolean with each pid/vaddr pair...
        #
        # XXX: The following code still fails to represent information about larger pages in
        #      the final output. The output implies that addresses in a large page are
        #      really stored in one or more 4k pages. This is no different from the old
        #      version of the code, but in this version it could be corrected easily by
        #      recording vpage instead of vpage+i in the reverse map. -- TDM
        reverse_map = {}

        verbfd.write("Enumerating kernel modules...\n")
        mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in win32.modules.lsmod(addr_space))
        mod_addrs = sorted(mods.keys())

        verbfd.write("Calculating kernel mapping...\n")
        available_pages = addr_space.get_available_pages()
        for (vpage, vpage_size) in available_pages:
            kpage = addr_space.vtop(vpage)
            for i in range(0, vpage_size, 0x1000):
                # Since the output will always be mutable, we don't need to reinsert into the list
                pagelist = reverse_map.get(kpage + i, None)
                if pagelist is None:
                    pagelist = [True]
                    reverse_map[kpage + i] = pagelist
                # Try to lookup the owning kernel module
                module = win32.tasks.find_module(mods, mod_addrs, addr_space.address_mask(vpage + i))
                if module:
                    hint = str(module.BaseDllName)
                else:
                    hint = 'kernel'
                pagelist.append((hint, vpage + i))
            verbfd.write("\r Kernel [{0:08x}]".format(vpage))
        verbfd.write("\n")

        verbfd.write("Calculating task mappings...\n")
        for task in tasks:
            task_space = task.get_process_address_space()
            verbfd.write(" Task {0} ...".format(task.UniqueProcessId))
            process_id = int(task.UniqueProcessId)
            try:
                available_pages = task_space.get_available_pages()
                for (vpage, vpage_size) in available_pages:
                    physpage = task_space.vtop(vpage)
                    for i in range(0, vpage_size, 0x1000):
                        # Since the output will always be mutable, we don't need to reinsert into the list
                        pagelist = reverse_map.get(physpage + i, None)
                        if pagelist is None:
                            pagelist = [False]
                            reverse_map[physpage + i] = pagelist
                        if not pagelist[0]:
                            pagelist.append((process_id, vpage + i))
                    verbfd.write("\r Task {0} [{1:08x}]".format(process_id, vpage))
            except (AttributeError, ValueError, TypeError):
                # Handle most errors, but not all of them
                continue
            verbfd.write("\n")
        verbfd.write("\n")
        return reverse_map

    @staticmethod
    def parse_line(stringLine):
        """Parses a line of strings"""
        # Remove any leading spaces to handle nasty strings output
        stringLine = stringLine.lstrip()
        maxlen = len(stringLine)
        split_char = ' '
        for char in [' ', ':']:
            charpos = stringLine.find(char)
            if charpos < maxlen and charpos > 0:
                split_char = char
                maxlen = charpos

        return tuple(stringLine.split(split_char, 1))

volatility-2.3.1/volatility/plugins/bioskbd.py

# Volatility
#
# Authors:
# Adam Boileau
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

# *Heavily* based upon http://www.storm.net.nz/static/files/bioskbsnarf

import struct
import volatility.plugins.common as common
import volatility.utils as utils
import volatility.debug as debug

class BiosKbd(common.AbstractWindowsCommand):
    """Reads the keyboard buffer from Real Mode memory"""
    BASE = 0x400
    OFFSET = 0x17
    BUFOFFSET = 0x1e
    LEN = 39
    FORMAT = "?!"$%^&*()_+-=`\\|':
            return c
        return "."
    def calculate(self):
        """Calculate returns the results of the bios keyboard reading"""
        addr_space = utils.load_as(self._config, astype = 'physical')
        data = addr_space.read(self.BASE + self.OFFSET, self.LEN)
        if not data or len(data) != self.LEN:
            debug.error("Failed to read keyboard buffer, please check this is a physical memory image.")
        _shifta, _shiftb, _alt, readp, _writep, buf = struct.unpack(self.FORMAT, data)
        unringed = buf[readp - self.BUFOFFSET:]
        unringed += buf[:readp - self.BUFOFFSET]
        results = []
        for i in range(0, len(unringed) - 2, 2):
            if ord(unringed[i]) != 0:
                results.append((unringed[i], ord(unringed[i + 1])))

        return results

volatility-2.3.1/volatility/plugins/pstree.py

# Volatility
#
# Authors
# Michael Cohen
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""pstree example file"""

import volatility.win32.tasks as tasks
import volatility.utils as utils
import volatility.plugins.common as common
import volatility.cache as cache
import volatility.obj as obj

#pylint: disable-msg=C0111

class ProcessAuditVTypes(obj.ProfileModification):
    before = ["WindowsVTypes"]
    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        profile.vtypes.update({
            '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, {
                'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]],
            }],
            '_OBJECT_NAME_INFORMATION' : [ 0x8, {
                'Name' : [ 0x0, ['_UNICODE_STRING']],
            }]})

class PSTree(common.AbstractWindowsCommand):
    """Print process list as a tree"""

    def find_root(self, pid_dict, pid):
        # Prevent circular loops.
        seen = set()

        while pid in pid_dict and pid not in seen:
            seen.add(pid)
            pid = int(pid_dict[pid].InheritedFromUniqueProcessId)

        return pid

    def render_text(self, outfd, data):

        self.table_header(outfd,
                          [("Name", "<50"),
                           ("Pid", ">6"),
                           ("PPid", ">6"),
                           ("Thds", ">6"),
                           ("Hnds", ">6"),
                           ("Time", "")])

        def draw_branch(pad, inherited_from):
            for task in data.values():
                if task.InheritedFromUniqueProcessId == inherited_from:

                    first_column = "{0} {1:#x}:{2:20}".format(
                        "." * pad,
                        task.obj_offset,
                        str(task.ImageFileName or '')
                        )

                    self.table_row(outfd,
                                   first_column,
                                   task.UniqueProcessId,
                                   task.InheritedFromUniqueProcessId,
                                   task.ActiveThreads,
                                   task.ObjectTable.HandleCount,
                                   task.CreateTime)

                    if self._config.VERBOSE:
                        outfd.write("{0} audit: {1}\n".format(
                            ' ' * pad, str(task.SeAuditProcessCreationInfo.ImageFileName.Name or '')))
                        process_params = task.Peb.ProcessParameters
                        if process_params:
                            outfd.write("{0} cmd: {1}\n".format(
                                ' ' * pad, str(process_params.CommandLine or '')))
                            outfd.write("{0} path: {1}\n".format(
                                ' ' * pad, str(process_params.ImagePathName or '')))

                    del data[int(task.UniqueProcessId)]
                    draw_branch(pad + 1, task.UniqueProcessId)

        while len(data.keys()) > 0:
            keys = data.keys()
            root = self.find_root(data, keys[0])
            draw_branch(0, root)

    @cache.CacheDecorator(lambda self: "tests/pstree/verbose={0}".format(self._config.VERBOSE))
    def calculate(self):

        ## Load a new address space
        addr_space = utils.load_as(self._config)

        return dict(
            (int(task.UniqueProcessId), task)
            for task in tasks.pslist(addr_space)
            )

volatility-2.3.1/volatility/plugins/malware/

volatility-2.3.1/volatility/plugins/malware/psxview.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2010, 2011, 2012 Michael Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.utils as utils
import volatility.obj as obj
import volatility.plugins.common as common
import volatility.win32.tasks as tasks
import volatility.plugins.modscan as modscan
import volatility.plugins.filescan as filescan
import volatility.plugins.overlays.windows.windows as windows
import volatility.plugins.gui.sessions as sessions
import volatility.plugins.gui.windowstations as windowstations

#--------------------------------------------------------------------------------
# object classes
#--------------------------------------------------------------------------------

class _PSP_CID_TABLE(windows._HANDLE_TABLE): #pylint: disable-msg=W0212
    """Subclass the Windows handle table object for parsing PspCidTable"""

    def get_item(self, entry, handle_value = 0):

        p = obj.Object("address", entry.Object.v(), self.obj_vm)

        handle = obj.Object("_OBJECT_HEADER",
                offset = (p & ~7) -
                self.obj_vm.profile.get_obj_offset('_OBJECT_HEADER', 'Body'),
                vm = self.obj_vm)

        return handle

#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------

class MalwarePspCid(obj.ProfileModification):
    before = ['WindowsOverlay', 'WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        profile.vtypes.update({"_PSP_CID_TABLE" : profile.vtypes["_HANDLE_TABLE"]})
        profile.merge_overlay({"_KDDEBUGGER_DATA64" : [None,
            {'PspCidTable': [None, ["pointer", ["pointer", ['_PSP_CID_TABLE']]]],
            }]})
        profile.object_classes.update({
            '_PSP_CID_TABLE': _PSP_CID_TABLE,
        })

#--------------------------------------------------------------------------------
# psxview plugin
#--------------------------------------------------------------------------------

class PsXview(common.AbstractWindowsCommand, sessions.SessionsMixin):
    "Find hidden processes with various process listings"

    def __init__(self, config, *args):
        common.AbstractWindowsCommand.__init__(self, config, *args)
        config.add_option("PHYSICAL-OFFSET", short_option = 'P', default = False,
                          help = "Physcal Offset", action = "store_true")

    def check_pslist(self, all_tasks):
        """Enumerate processes from PsActiveProcessHead"""
        return dict((p.obj_vm.vtop(p.obj_offset), p) for p in all_tasks)

    def check_psscan(self):
        """Enumerate processes with pool tag scanning"""
        return dict((p.obj_offset, p)
                    for p in filescan.PSScan(self._config).calculate())

    def check_thrdproc(self, _addr_space):
        """Enumerate processes indirectly by ETHREAD scanning"""
        ret = dict()

        for ethread in modscan.ThrdScan(self._config).calculate():
            if ethread.ExitTime != 0:
                continue
            # Bounce back to the threads owner
            process = None
            if hasattr(ethread.Tcb, 'Process'):
                process = ethread.Tcb.Process.dereference_as('_EPROCESS')
            elif hasattr(ethread, 'ThreadsProcess'):
                process = ethread.ThreadsProcess.dereference()
            # Make sure the bounce succeeded
            if (process and process.ExitTime == 0 and
                    process.UniqueProcessId > 0 and
                    process.UniqueProcessId < 65535):
                ret[process.obj_vm.vtop(process.obj_offset)] = process

        return ret

    def check_sessions(self, addr_space):
        """Enumerate processes from session structures"""
        ret = dict()

        for session in self.session_spaces(addr_space):
            for process in session.processes():
                ret[process.obj_vm.vtop(process.obj_offset)] = process

        return ret

    def check_desktop_thread(self, addr_space):
        """Enumerate processes from desktop threads"""
        ret = dict()

        for windowstation in windowstations.WndScan(self._config).calculate():
            for desktop in windowstation.desktops():
                for thread in desktop.threads():
                    process = thread.ppi.Process.dereference()
                    if process == None:
                        continue
                    ret[process.obj_vm.vtop(process.obj_offset)] = process

        return ret

    def check_pspcid(self, addr_space):
        """Enumerate processes by walking the PspCidTable"""
        ret = dict()

        # Follow the pointers to the table base
        kdbg = tasks.get_kdbg(addr_space)
        PspCidTable = kdbg.PspCidTable.dereference().dereference()

        # Walk the handle table
        for handle in PspCidTable.handles():
            if handle.get_object_type() == "Process":
                process = handle.dereference_as("_EPROCESS")
                ret[process.obj_vm.vtop(process.obj_offset)] = process

        return ret

    def check_csrss_handles(self, all_tasks):
        """Enumerate processes using the csrss.exe handle table"""
        ret = dict()

        for p in all_tasks:
            if str(p.ImageFileName).lower() == "csrss.exe":
                # Gather the handles to process objects
                for handle in p.ObjectTable.handles():
                    if handle.get_object_type() == "Process":
                        process = handle.dereference_as("_EPROCESS")
                        ret[process.obj_vm.vtop(process.obj_offset)] = process

        return ret

    def calculate(self):
        addr_space = utils.load_as(self._config)

        all_tasks = list(tasks.pslist(addr_space))

        ps_sources = {}
        # The keys are names of process sources. The values
        # are dictionaries whose keys are physical process
        # offsets and the values are _EPROCESS objects.
        ps_sources['pslist'] = self.check_pslist(all_tasks)
        ps_sources['psscan'] = self.check_psscan()
        ps_sources['thrdproc'] = self.check_thrdproc(addr_space)
        ps_sources['csrss'] = self.check_csrss_handles(all_tasks)
        ps_sources['pspcid'] = self.check_pspcid(addr_space)
        ps_sources['session'] = self.check_sessions(addr_space)
        ps_sources['deskthrd'] = self.check_desktop_thread(addr_space)

        # Build a list of offsets from all sources
        seen_offsets = []
        for source in ps_sources.values():
            for offset in source.keys():
                if offset not in seen_offsets:
                    seen_offsets.append(offset)
                    yield offset, source[offset], ps_sources

    def render_text(self, outfd, data):

        self.table_header(outfd, [('Offset(P)', '[addrpad]'),
                                  ('Name', '<20'),
                                  ('PID', '>6'),
                                  ('pslist', '5'),
                                  ('psscan', '5'),
                                  ('thrdproc', '5'),
                                  ('pspcid', '5'),
                                  ('csrss', '5'),
                                  ('session', '5'),
                                  ('deskthrd', '5'),
                                  ])

        for offset, process, ps_sources in data:
            self.table_row(outfd,
                offset,
                process.ImageFileName,
                process.UniqueProcessId,
                str(ps_sources['pslist'].has_key(offset)),
                str(ps_sources['psscan'].has_key(offset)),
                str(ps_sources['thrdproc'].has_key(offset)),
                str(ps_sources['pspcid'].has_key(offset)),
                str(ps_sources['csrss'].has_key(offset)),
                str(ps_sources['session'].has_key(offset)),
                str(ps_sources['deskthrd'].has_key(offset))
                )

# volatility-2.3.1/volatility/plugins/malware/idt.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2010, 2011, 2012 Michael Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.utils as utils
import volatility.obj as obj
import volatility.plugins.common as common
import volatility.win32.modules as modules
import volatility.win32.tasks as tasks
import volatility.debug as debug
import volatility.plugins.malware.malfind as malfind
import volatility.exceptions as exceptions

#--------------------------------------------------------------------------------
# constants
#--------------------------------------------------------------------------------

GDT_DESCRIPTORS = dict(enumerate([
    "Data RO",
    "Data RO Ac",
    "Data RW",
    "Data RW Ac",
    "Data RO E",
    "Data RO EA",
    "Data RW E",
    "Data RW EA",
    "Code EO",
    "Code EO Ac",
    "Code RE",
    "Code RE Ac",
    "Code EO C",
    "Code EO CA",
    "Code RE C",
    "Code RE CA",
    "",
    "TSS16 Avl",
    "LDT",
    "TSS16 Busy",
    "CallGate16",
    "TaskGate",
    "Int Gate16",
    "TrapGate16",
    "",
    "TSS32 Avl",
    "",
    "TSS32 Busy",
    "CallGate32",
    "",
    "Int Gate32",
    "TrapGate32",
]))

#--------------------------------------------------------------------------------
# object classes
#--------------------------------------------------------------------------------

class _KIDTENTRY(obj.CType):
    """Class for interrupt descriptors"""

    @property
    def Address(self):
        """Return the address of the IDT entry handler"""

        if self.ExtendedOffset == 0:
            return 0

        return (self.ExtendedOffset.v() << 16 | self.Offset.v())

class _KGDTENTRY(obj.CType):
    """A class for GDT entries"""

    @property
    def Type(self):
        """Get a string name of the descriptor type"""

        flag = self.HighWord.Bits.Type.v() & 1 << 4
        typeval = self.HighWord.Bits.Type.v() & ~(1 << 4)

        if flag == 0:
            typeval += 16

        return GDT_DESCRIPTORS.get(typeval, "UNKNOWN")

    @property
    def Base(self):
        """Get the base (start) of memory for this GDT"""
        return (self.BaseLow + ((self.HighWord.Bits.BaseMid +
               (self.HighWord.Bits.BaseHi << 8)) << 16))

    @property
    def Limit(self):
        """Get the limit (end) of memory for this GDT"""

        limit = (self.HighWord.Bits.LimitHi.v() << 16) | self.LimitLow.v()

        if self.HighWord.Bits.Granularity == 1:
            limit = (limit + 1) * 0x1000
            limit -= 1

        return limit

    @property
    def CallGate(self):
        """Get the call gate address"""
        return self.HighWord.v() & 0xffff0000 | self.LimitLow.v()

    @property
    def Present(self):
        """Returns True if the entry is present"""
        return self.HighWord.Bits.Pres == 1

    @property
    def Granularity(self):
        """Returns True if page granularity is used. Otherwise
        returns False indicating byte granularity is used."""
        return self.HighWord.Bits.Granularity == 1

    @property
    def Dpl(self):
        """Returns the descriptor privilege level"""
        return self.HighWord.Bits.Dpl

#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------

class MalwareIDTGDTx86(obj.ProfileModification):
    before = ['WindowsObjectClasses', 'WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit'}

    def modification(self, profile):
        profile.object_classes.update({
            '_KIDTENTRY': _KIDTENTRY,
            '_KGDTENTRY': _KGDTENTRY,
            })
        profile.merge_overlay({"_KPCR" : [None,
            {'IDT': [None, ["pointer", ["array", 256, ['_KIDTENTRY']]]],
            }]})
        # Since the real GDT size is read from a register, we'll just assume
        # that there are 128 entries (which is normal for most OS)
        profile.merge_overlay({"_KPCR" : [None,
            {'GDT': [None, ["pointer", ["array", 128, ['_KGDTENTRY']]]],
            }]})

#--------------------------------------------------------------------------------
# GDT plugin
#--------------------------------------------------------------------------------

class GDT(common.AbstractWindowsCommand):
    "Display Global Descriptor Table"

    @staticmethod
    def is_valid_profile(profile):
        return (profile.metadata.get('os', 'unknown') == 'windows' and
                profile.metadata.get('memory_model', '32bit') == '32bit')

    def calculate(self):
        addr_space = utils.load_as(self._config)

        # Currently we only support x86. The x64 does still have a GDT
        # but hooking is prohibited and results in bugcheck.
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")

        for kpcr in tasks.get_kdbg(addr_space).kpcrs():
            for i, entry in kpcr.gdt_entries():
                yield i, entry

    def render_text(self, outfd, data):

        self.table_header(outfd, [('CPU', '>6'),
                                  ('Sel', '[addr]'),
                                  ('Base', '[addrpad]'),
                                  ('Limit', '[addrpad]'),
                                  ('Type', '<14'),
                                  ('DPL', '>6'),
                                  ('Gr', '<4'),
                                  ('Pr', '<4')
                                  ])

        for n, entry in data:
            selector = n * 8

            # Is the entry present? This applies to all types of GDT entries
            if entry.Present:
                present = "P"
            else:
                present = "Np"

            # The base, limit, and granularity is calculated differently
            # for 32bit call gates than they are for all other types.
            if entry.Type == 'CallGate32':
                base = entry.CallGate
                limit = 0
                granularity = '-'
            else:
                base = entry.Base
                limit = entry.Limit
                if entry.Granularity:
                    granularity = "Pg"
                else:
                    granularity = "By"

            # The parent is GDT. The grand-parent is _KPCR
            cpu_number = entry.obj_parent.obj_parent.ProcessorBlock.Number

            self.table_row(outfd, cpu_number, selector, base, limit,
                           entry.Type, entry.Dpl, granularity, present)

#--------------------------------------------------------------------------------
# IDT plugin
#--------------------------------------------------------------------------------

class IDT(common.AbstractWindowsCommand):
    "Display Interrupt Descriptor Table"

    @staticmethod
    def is_valid_profile(profile):
        return (profile.metadata.get('os', 'unknown') == 'windows' and
                profile.metadata.get('memory_model', '32bit') == '32bit')

    @staticmethod
    def get_section_name(mod, addr):
        """Get the name of the PE section containing
        the specified address.

        @param mod: an _LDR_DATA_TABLE_ENTRY
        @param addr: virtual address to lookup

        @returns string PE section name
        """

        try:
            dos_header = obj.Object("_IMAGE_DOS_HEADER",
                            offset = mod.DllBase, vm = mod.obj_vm)
            nt_header = dos_header.get_nt_header()
        except (ValueError, exceptions.SanityCheckException):
            return ''

        for sec in nt_header.get_sections(False):
            if (addr > mod.DllBase + sec.VirtualAddress and
                    addr < sec.Misc.VirtualSize + (mod.DllBase + sec.VirtualAddress)):
                return str(sec.Name or '')

        return ''

    def calculate(self):
        addr_space = utils.load_as(self._config)

        # Currently we only support x86. The x64 does still have a IDT
        # but hooking is prohibited and results in bugcheck.
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")

        mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
        mod_addrs = sorted(mods.keys())

        for kpcr in tasks.get_kdbg(addr_space).kpcrs():
            # Get the GDT for access to selector bases
            gdt = dict((i * 8, sd) for i, sd in kpcr.gdt_entries())
            for i, entry in kpcr.idt_entries():
                # Where the IDT entry points.
                addr = entry.Address
                # Per MITRE, add the GDT selector base if available.
                # This allows us to detect sneaky attempts to hook IDT
                # entries by changing the entry's GDT selector.
                gdt_entry = gdt.get(entry.Selector.v())
                if gdt_entry != None and "Code" in gdt_entry.Type:
                    addr += gdt_entry.Base

                # Lookup the function's owner
                module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(addr))

                yield i, entry, addr, module

    def render_text(self, outfd, data):

        self.table_header(outfd, [('CPU', '>6X'),
                                  ('Index', '>6X'),
                                  ('Selector', '[addr]'),
                                  ('Value', '[addrpad]'),
                                  ('Module', '20'),
                                  ('Section', '12'),
                                  ])

        for n, entry, addr, module in data:

            if module:
                module_name = str(module.BaseDllName or '')
                sect_name = self.get_section_name(module, addr)
            else:
                module_name = "UNKNOWN"
                sect_name = ''

            # The parent is IDT. The grand-parent is _KPCR.
            cpu_number = entry.obj_parent.obj_parent.ProcessorBlock.Number

            self.table_row(outfd,
                cpu_number, n,
                entry.Selector,
                addr,
                module_name,
                sect_name)

            if self._config.verbose:
                data = entry.obj_vm.zread(addr, 32)
                outfd.write("\n".join(
                    ["{0:#x} {1:<16} {2}".format(o, h, i)
                    for o, i, h in malfind.Disassemble(data = data, start = addr, stoponret = True)
                ]))
                outfd.write("\n")

# volatility-2.3.1/volatility/plugins/malware/threads.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2010, 2011, 2012 Michael Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import sys, pydoc
import volatility.utils as utils
import volatility.registry as registry
import volatility.obj as obj
import volatility.win32.modules as modules
import volatility.win32.tasks as tasks
import volatility.plugins.ssdt as ssdt
import volatility.plugins.taskmods as taskmods
import volatility.plugins.modscan as modscan
import volatility.plugins.malware.malfind as malfind
import volatility.debug as debug

try:
    import distorm3 #pylint: disable-msg=W0611
    has_distorm3 = True
except ImportError:
    has_distorm3 = False

#--------------------------------------------------------------------------------
# vtypes
#--------------------------------------------------------------------------------

thread_types = {
    '_KTHREAD' : [ None , {
    'State' : [ None, ['Enumeration', dict(target = 'unsigned char', choices = {
        0: 'Initialized',
        1: 'Ready',
        2: 'Running',
        3: 'Standby',
        4: 'Terminated',
        5: 'Waiting',
        6: 'Transition',
        7: 'DeferredReady',
        8: 'GateWait'})]],
    'WaitReason' : [ None, ['Enumeration', dict(target = 'unsigned char', choices = {
        0: 'Executive',
        1: 'FreePage',
        2: 'PageIn',
        3: 'PoolAllocation',
        4: 'DelayExecution',
        5: 'Suspended',
        6: 'UserRequest',
        7: 'WrExecutive',
        8: 'WrFreePage',
        9: 'WrPageIn',
        10: 'WrPoolAllocation',
        11: 'WrDelayExecution',
        12: 'WrSuspended',
        13: 'WrUserRequest',
        14: 'WrEventPair',
        15: 'WrQueue',
        16: 'WrLpcReceive',
        17: 'WrLpcReply',
        18: 'WrVirtualMemory',
        19: 'WrPageOut',
        20: 'WrRendezvous',
        21: 'Spare2',
        22: 'Spare3',
        23: 'Spare4',
        24: 'Spare5',
        25: 'Spare6',
        26: 'WrKernel',
        27: 'WrResource',
        28: 'WrPushLock',
        29: 'WrMutex',
        30: 'WrQuantumEnd',
        31: 'WrDispatchInt',
        32: 'WrPreempted',
        33: 'WrYieldExecution',
        34: 'WrFastMutex',
        35: 'WrGuardedMutex',
        36: 'WrRundown',
        37: 'MaximumWaitReason'})]],
    }],
    '_ETHREAD': [ None, {
    'CrossThreadFlags': [ None, ['Flags', {'bitmap': {
        'PS_CROSS_THREAD_FLAGS_TERMINATED': 0,
        'PS_CROSS_THREAD_FLAGS_DEADTHREAD': 1,
        'PS_CROSS_THREAD_FLAGS_HIDEFROMDBG': 2,
        'PS_CROSS_THREAD_FLAGS_IMPERSONATING': 3,
        'PS_CROSS_THREAD_FLAGS_SYSTEM': 4,
        'PS_CROSS_THREAD_FLAGS_HARD_ERRORS_DISABLED': 5,
        'PS_CROSS_THREAD_FLAGS_BREAK_ON_TERMINATION': 6,
        'PS_CROSS_THREAD_FLAGS_SKIP_CREATION_MSG': 7,
        'PS_CROSS_THREAD_FLAGS_SKIP_TERMINATION_MSG': 8,
        }}]],
    }],
}

#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------

class MalwareKthread(obj.ProfileModification):
    before = ['WindowsObjectClasses', 'WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        profile.merge_overlay(thread_types)

#--------------------------------------------------------------------------------
# thread checks
#--------------------------------------------------------------------------------

class AbstractThreadCheck(object):
    """Base thread check class"""

    def __init__(self, thread, mods, mod_addrs, \
                        hooked_tables, found_by_scanner):
        """
        @param thread: the _ETHREAD object

        @param mods: a dictionary with module bases as keys
        and _LDR_DATA_TABLE_ENTRY as values.

        @param mod_addrs: a sorted list of module base addresses

        @param hooked_tables: a list of SSDTs that have one
        or more hooked functions.

        @param found_by_scanner: True/False if the _ETHREAD
        passed as the thread parameter was found via list walking
        or pool scanning.
        """

        self.thread = thread
        self.mods = mods
        self.mod_addrs = mod_addrs
        self.hooked_tables = hooked_tables
        self.found_by_scanner = found_by_scanner
        self.flags = str(thread.CrossThreadFlags)

    def check(self):
        """Return True or False from this method"""

class OrphanThread(AbstractThreadCheck):
    """Detect orphan threads"""

    def check(self):
        """This check is True for system threads whose start address
        do not map back to known/loaded kernel drivers."""

        # Take the address space from any module object
        addr_space = self.mods.values()[0].obj_vm

        module = tasks.find_module(self.mods,
            self.mod_addrs, addr_space.address_mask(self.thread.StartAddress))

        return ('PS_CROSS_THREAD_FLAGS_SYSTEM' in self.flags and
                    module == None)

class DkomExit(AbstractThreadCheck):
    """Detect inconsistencies wrt exit times and termination"""

    def check(self):
        """This check is True when a thread's ExitTime is non-zero
        (indicating it has exited) but the state and flags indicate
        that it is still active."""

        return (self.thread.ExitTime != 0 and
                    str(self.thread.Tcb.State) != 'Terminated' and
                    not 'PS_CROSS_THREAD_FLAGS_TERMINATED' in self.flags)

class HideFromDebug(AbstractThreadCheck):
    """Detect threads hidden from debuggers"""

    def check(self):
        """This check is True when a thread's flags report that
        it is being hidden from a debugger."""

        return 'PS_CROSS_THREAD_FLAGS_HIDEFROMDBG' in self.flags

class SystemThread(AbstractThreadCheck):
    """Detect system threads"""

    def check(self):
        """This check is True when a thread's flags report that
        it is a system thread (i.e. PsCreateSystemThread)."""

        return 'PS_CROSS_THREAD_FLAGS_SYSTEM' in self.flags

class Impersonation(AbstractThreadCheck):
    """Detect impersonating threads"""

    def check(self):
        """This check is True when a thread's flags indicate
        that it is impersonating another thread's security context."""

        return 'PS_CROSS_THREAD_FLAGS_IMPERSONATING' in self.flags

class HwBreakpoint(AbstractThreadCheck):
    """Detect threads with hardware breakpoints"""

    def check(self):
        """This check is True when a thread's trap frame shows
        usage of the Dr* registers in a manner consistent with
        hardware breakpoints."""

        # Don't check threads that appear to have exited
        if self.found_by_scanner:
            return False

        if 'PS_CROSS_THREAD_FLAGS_TERMINATED' in self.flags:
            return False

        trap = self.thread.Tcb.TrapFrame.dereference_as("_KTRAP_FRAME")

        if not trap:
            return False

        if ((trap.Dr0 != 0 or trap.Dr1 != 0 or trap.Dr2 != 0 or trap.Dr3 != 0) and
                (trap.Dr6 != 0 and trap.Dr7 != 0)):
            return True

        return False

class AttachedProcess(AbstractThreadCheck):
    """Detect threads attached to another process"""

    def check(self):
        """This check is True when a thread is currently attached
        to a process other than the process that owns the thread."""

        return (self.thread.ExitTime == 0 and
                    self.thread.owning_process().obj_offset !=
                    self.thread.attached_process().obj_offset)

class HookedSSDT(AbstractThreadCheck):
    """Check if a thread is using a hooked SSDT"""

    def check(self):
        """This check is True if any of the thread's SSDTs
        have hooked functions.

        If its True and the SSDT hooking module is legit, you can
        filter them out with --allow-hook."""

        # Check doesn't apply to x64
        if self.hooked_tables == None:
            return False

        ssdt_obj = self.thread.Tcb.ServiceTable.\
                        dereference_as('_SERVICE_DESCRIPTOR_TABLE')

        for _, desc in enumerate(ssdt_obj.Descriptors):
            table = desc.KiServiceTable.v()
            if table in self.hooked_tables.keys():
                return True

        return False

class ScannerOnly(AbstractThreadCheck):
    """Detect threads no longer in a linked list"""

    def check(self):
        """This check is True when a thread is found by pool
        tag scanning but not in list traversal."""

        return self.found_by_scanner

#--------------------------------------------------------------------------------
# threads plugin
#--------------------------------------------------------------------------------

class Threads(taskmods.DllList):
    "Investigate _ETHREAD and _KTHREADs"

    def __init__(self, config, *args, **kwargs):
        taskmods.DllList.__init__(self, config, *args, **kwargs)
        self.bits32 = None

        config.add_option("FILTER", short_option = 'F', default = None,
                            help = 'Tags to filter (comma-separated)')

        config.add_option("LISTTAGS", short_option = 'L', default = False,
                            action = 'store_true', help = 'List all available tags')

    def get_hooked_tables(self, addr_space):
        """This function finds SSDTs in an address space, checks
        if there are any hooked functions in the SSDTs, and returns
        a dictionary where SSDT base addresses are the keys and the
        values are lists of hooked function names.

        @param addr_space: a kernel address space.
        """

        # Names of the legit executive modules for SSDT tables
        executive_modules = [
            # SSDT 0
            ["ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe"],
            # SSDT 1
            ["win32k.sys"],
            # SSDT 2
            ["spud.sys"],
            # SSDT 3
            []]

        syscalls = addr_space.profile.syscalls
        hooked_tables = {}

        for info in ssdt.SSDT(self._config).calculate():
            idx, table, n, vm, mods, mod_addrs = info
            # This is straight out of ssdt.py. Too bad there's no better way
            # to not duplicate code?
            for i in range(n):
                if self.bits32:
                    # These are absolute function addresses in kernel memory.
                    syscall_addr = obj.Object('address', table + (i * 4), vm).v()
                else:
                    # These must be signed long for x64 because they are RVAs
                    # relative to the base of the table and can be negative.
                    offset = obj.Object('long', table + (i * 4), vm).v()
                    # The offset is the top 20 bits of the 32 bit number.
                    syscall_addr = table + (offset >> 4)
                try:
                    syscall_name = syscalls[idx][i]
                except IndexError:
                    syscall_name = "UNKNOWN"

                syscall_mod = tasks.find_module(mods, mod_addrs, syscall_addr)
                if syscall_mod:
                    syscall_modname = syscall_mod.BaseDllName
                else:
                    syscall_modname = "UNKNOWN"

                if str(syscall_modname).lower() not in executive_modules[idx]:
                    fields = (i, syscall_name, syscall_addr, syscall_modname)
                    if hooked_tables.has_key(table):
                        hooked_tables[table].append(fields)
                    else:
                        hooked_tables[table] = [(fields)]

        return hooked_tables

    def calculate(self):

        if not has_distorm3:
            debug.warning("For best results please install distorm3")

        # Checks that subclass AbstractThreadCheck
        checks = registry.get_plugin_classes(AbstractThreadCheck)

        # If --listtags is chosen, just print the tags and return
        if self._config.LISTTAGS:
            for cls_name, cls in checks.items():
                sys.stdout.write("{0:<20} {1}\n".format(cls_name, pydoc.getdoc(cls)))
            return

        addr_space = utils.load_as(self._config)
        system_range = tasks.get_kdbg(addr_space).MmSystemRangeStart.dereference_as("Pointer")

        # Only show threads owned by particular processes
        if self._config.PID:
            pidlist = [int(p) for p in self._config.PID.split(',')]
        else:
            pidlist = []

        # Get sorted list of kernel modules
        mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
        mod_addrs = sorted(mods.keys())

        # Gather processes
        all_tasks = list(tasks.pslist(addr_space))

        # Are we on x86 or x64. Save this for render_text
        self.bits32 = addr_space.profile.metadata.\
            get("memory_model", "32bit") == "32bit"

        # Get a list of hooked SSDTs but only on x86
        if self.bits32:
            hooked_tables = self.get_hooked_tables(addr_space)
        else:
            hooked_tables = None

        # Dictionary to store threads. Keys are physical offsets of
        # ETHREAD objects. Values are tuples, where the first item is
        # a boolean specifying if the object was found by scanning and
        # the second item is the actual ETHREAD object.
        seen_threads = dict()

        # Gather threads by list traversal of active/linked processes
        for task in self.filter_tasks(all_tasks):
            for thread in task.ThreadListHead.\
                    list_of_type("_ETHREAD", "ThreadListEntry"):
                seen_threads[thread.obj_vm.vtop(thread.obj_offset)] = (False, thread)

        # Now scan for threads and save any that haven't been seen
        for thread in modscan.ThrdScan(self._config).calculate():
            if not seen_threads.has_key(thread.obj_offset):
                seen_threads[thread.obj_offset] = (True, thread)

        # Keep a record of processes whose DLLs we've already enumerated
        process_dll_info = {}

        for _offset, (found_by_scanner, thread) in seen_threads.items():

            # Skip processes the user doesn't want to see
            if pidlist and thread.Cid.UniqueProcess not in pidlist:
                continue

            # Do we need to gather DLLs for module resolution
            if addr_space.address_compare(thread.StartAddress, system_range) != -1:
                owner = tasks.find_module(mods,
                                          mod_addrs,
                                          addr_space.address_mask(thread.StartAddress))
            else:
                owning_process = thread.owning_process()
                if not owning_process.is_valid():
                    owner = None
                else:
                    try:
                        user_mod_addrs, user_mods = process_dll_info[owning_process.obj_offset]
                    except KeyError:
                        user_mods = dict((addr_space.address_mask(mod.DllBase), mod)
                                            for mod in owning_process.get_load_modules())
                        user_mod_addrs = sorted(user_mods.keys())
                        process_dll_info[owning_process.obj_offset] = (user_mod_addrs, user_mods)
                    owner = tasks.find_module(user_mods,
                                              user_mod_addrs,
                                              addr_space.address_mask(thread.StartAddress))

            if owner:
                owner_name = str(owner.BaseDllName or '')
            else:
                owner_name = "UNKNOWN"

            # Replace the dummy class with an instance
            instances = dict(
                    (cls_name, cls(thread, mods, mod_addrs,
                        hooked_tables, found_by_scanner))
                    for cls_name, cls in checks.items()
                    )

            yield thread, addr_space, mods, mod_addrs, \
                        instances, hooked_tables, system_range, owner_name

    def render_text(self, outfd, data):

        # Determine which filters the user wants to see
        if self._config.FILTER:
            filters = set(self._config.FILTER.split(','))
        else:
            filters = set()

        for thread, addr_space, mods, mod_addrs, \
                    instances, hooked_tables, system_range, owner_name in data:
            # If the user didn't set filters, display all results. If
            # the user set one or more filters, only show threads
            # with matching results.
            tags = set([t for t, v in instances.items() if v.check()])

            if filters and not filters & tags:
                continue

            s = "------\n"

            s += "ETHREAD: {0:#010x} Pid: {1} Tid: {2}\n".format(
                thread.obj_offset,
                thread.Cid.UniqueProcess, thread.Cid.UniqueThread)

            s += "Tags: {0}\n".format(','.join(tags))
            s += "Created: {0}\n".format(thread.CreateTime)
            s += "Exited: {0}\n".format(thread.ExitTime)

            s += "Owning Process: {0}\n".format(
                thread.owning_process().ImageFileName)

            s += "Attached Process: {0}\n".format(
                thread.attached_process().ImageFileName)

            # Lookup the thread's state
            state = str(thread.Tcb.State)

            # Append the wait reason
            if state == 'Waiting':
                state = state + ':' + str(thread.Tcb.WaitReason)

            s += "State: {0}\n".format(state)
            s += "BasePriority: {0:#x}\n".format(thread.Tcb.BasePriority)
            s += "Priority: {0:#x}\n".format(thread.Tcb.Priority)
            s += "TEB: {0:#010x}\n".format(thread.Tcb.Teb)

            s += "StartAddress: {0:#010x} {1}\n".format(
                thread.StartAddress, owner_name)

            # Check the flag which indicates whether Win32StartAddress is valid
            if thread.SameThreadApcFlags & 1:
                s += "Win32StartAddress: {0:#010x}\n".format(
                    thread.Win32StartAddress)

            if self.bits32:
                s += "ServiceTable: {0:#010x}\n".format(thread.Tcb.ServiceTable)

                ssdt_obj = obj.Object("_SERVICE_DESCRIPTOR_TABLE",
                    offset = thread.Tcb.ServiceTable,
                    vm = addr_space
                    )

                if ssdt_obj != None:
                    for i, desc in enumerate(ssdt_obj.Descriptors):
                        if desc.is_valid():
                            s += " [{0}] {1:#010x}\n".format(i, desc.KiServiceTable.v())
                        else:
                            s += " [{0}] -\n".format(i)
                        # Show exactly which functions are hooked
                        table = desc.KiServiceTable.v()
                        if table not in hooked_tables.keys():
                            continue
                        for (i, func_name, func_addr, mod_name) in hooked_tables[table]:
                            s += " [{0:#x}] {1} {2:#x} {3}\n".format(
                                i, func_name, func_addr, mod_name)

            s += "Win32Thread: {0:#010x}\n".format(thread.Tcb.Win32Thread)
            s += "CrossThreadFlags: {0}\n".format(thread.CrossThreadFlags)

            # Print the registers if possible
            trapframe = thread.Tcb.TrapFrame.dereference_as("_KTRAP_FRAME")

            if trapframe and self.bits32:
                s += "Eip: {0:#10x}\n".format(trapframe.Eip)
                s += " eax={0:#010x} ebx={1:#010x} ecx={2:#010x}".format(
                    trapframe.Eax, trapframe.Ebx, trapframe.Ecx)
                s += " edx={0:#010x} esi={1:#010x} edi={2:#010x}\n".format(
                    trapframe.Edx, trapframe.Esi, trapframe.Edi)
                s += " eip={0:#010x} esp={1:#010x} ebp={2:#010x} err={3:#010x}\n".format(
                    trapframe.Eip, trapframe.HardwareEsp, trapframe.Ebp, trapframe.ErrCode)
                s += " cs={0:#04x} ss={1:#04x} ds={2:#04x}".format(
                    trapframe.SegCs, trapframe.HardwareSegSs, trapframe.SegDs)
                s += " es={0:#04x} gs={1:#04x} fs={2:#04x} efl={3:#010x}\n".format(
                    trapframe.SegEs, trapframe.SegGs, trapframe.SegFs, trapframe.EFlags)
                s += " dr0={0:#010x} dr1={1:#010x} dr2={2:#010x}".format(
                    trapframe.Dr0, trapframe.Dr1, trapframe.Dr2)
                s += " dr3={0:#010x} dr6={1:#010x} dr7={2:#010x}\n".format(
                    trapframe.Dr3, trapframe.Dr6, trapframe.Dr7)

            # Disasemble the start address if possible
            process_space = thread.owning_process().get_process_address_space()
            if process_space.is_valid_address(thread.StartAddress):
                buf = process_space.zread(thread.StartAddress, 24)

                mode = "32bit" if self.bits32 else "64bit"
                s += "\n".join(["{0:#x} {1:<16} {2}".format(o, h, i)
                    for o, i, h in malfind.Disassemble(buf, thread.StartAddress.v(), mode)])

            outfd.write("{0}\n".format(s))

# volatility-2.3.1/volatility/plugins/malware/callbacks.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2010, 2011, 2012 Michael Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.utils as utils
import volatility.obj as obj
import volatility.scan as scan
import volatility.debug as debug
import volatility.plugins.common as common
import volatility.win32.modules as modules
import volatility.win32.tasks as tasks
import volatility.plugins.malware.devicetree as devicetree

try:
    import distorm3
    has_distorm3 = True
except ImportError:
    has_distorm3 = False

#--------------------------------------------------------------------------------
# vtypes
#--------------------------------------------------------------------------------

callback_types = {
    '_NOTIFICATION_PACKET' : [ 0x10, {
        'ListEntry' : [ 0x0, ['_LIST_ENTRY']],
        'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]],
        'NotificationRoutine' : [ 0xC, ['unsigned int']],
    } ],
    '_KBUGCHECK_CALLBACK_RECORD' : [ 0x20, {
        'Entry' : [ 0x0, ['_LIST_ENTRY']],
        'CallbackRoutine' : [ 0x8, ['unsigned int']],
        'Buffer' : [ 0xC, ['pointer', ['void']]],
        'Length' : [ 0x10, ['unsigned int']],
        'Component' : [ 0x14, ['pointer', ['String', dict(length = 64)]]],
        'Checksum' : [ 0x18, ['pointer', ['unsigned int']]],
        'State' : [ 0x1C, ['unsigned char']],
    } ],
    '_KBUGCHECK_REASON_CALLBACK_RECORD' : [ 0x1C, {
        'Entry' : [ 0x0, ['_LIST_ENTRY']],
        'CallbackRoutine' : [ 0x8, ['unsigned int']],
        'Component' : [ 0xC, ['pointer', ['String', dict(length = 8)]]],
        'Checksum' : [ 0x10, ['pointer', ['unsigned int']]],
        'Reason' : [ 0x14, ['unsigned int']],
        'State' : [ 0x18, ['unsigned char']],
    } ],
    '_SHUTDOWN_PACKET' : [ 0xC, {
        'Entry' : [ 0x0, ['_LIST_ENTRY']],
        'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]],
    } ],
    '_EX_CALLBACK_ROUTINE_BLOCK' : [ 0x8, {
        'RundownProtect' : [ 0x0, ['unsigned int']],
        'Function' : [ 0x4, ['unsigned int']],
        'Context' : [ 0x8, ['unsigned int']],
    } ],
    '_GENERIC_CALLBACK' : [ 0xC, {
        'Callback' : [ 0x4, ['pointer', ['void']]],
        'Associated' : [ 0x8, ['pointer', ['void']]],
    } ],
    '_REGISTRY_CALLBACK_LEGACY' : [ 0x38, {
        'CreateTime' : [ 0x0, ['WinTimeStamp', dict(is_utc = True)]],
    } ],
    '_REGISTRY_CALLBACK' : [ None, {
        'ListEntry' : [ 0x0, ['_LIST_ENTRY']],
        'Function' : [ 0x1C, ['pointer', ['void']]],
    } ],
    '_DBGPRINT_CALLBACK' : [ 0x14, {
        'Function' : [ 0x8, ['pointer', ['void']]],
    } ],
    '_NOTIFY_ENTRY_HEADER' : [ None, {
        'ListEntry' : [ 0x0, ['_LIST_ENTRY']],
        'EventCategory' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {
            0: 'EventCategoryReserved',
            1: 'EventCategoryHardwareProfileChange',
            2: 'EventCategoryDeviceInterfaceChange',
            3: 'EventCategoryTargetDeviceChange'})]],
        'CallbackRoutine' : [ 0x14, ['unsigned int']],
        'DriverObject' : [ 0x1C, ['pointer', ['_DRIVER_OBJECT']]],
    } ],
}

#--------------------------------------------------------------------------------
# object classes
#--------------------------------------------------------------------------------

class _SHUTDOWN_PACKET(obj.CType):
    """Class for shutdown notification callbacks"""

    def sanity_check(self):
        """
        Perform some checks.
        Note: obj_native_vm is kernel space.
        """

        if (not self.obj_native_vm.is_valid_address(self.Entry.Flink) or
                not self.obj_native_vm.is_valid_address(self.Entry.Blink) or
                not self.obj_native_vm.is_valid_address(self.DeviceObject)):
            return False

        # Dereference the device object
        device = self.DeviceObject.dereference()

        # Carve out the device's object header and check its type
        object_header = obj.Object("_OBJECT_HEADER",
                offset = device.obj_offset -
                self.obj_native_vm.profile.get_obj_offset("_OBJECT_HEADER", "Body"),
                vm = device.obj_vm,
                native_vm = device.obj_native_vm)

        return object_header.get_object_type() == "Device"

#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------

class MalwareCallbackMods(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit'}

    def modification(self, profile):
        profile.vtypes.update(callback_types)
        profile.object_classes.update({
            '_SHUTDOWN_PACKET': _SHUTDOWN_PACKET,
        })

#--------------------------------------------------------------------------------
# pool scanners
#--------------------------------------------------------------------------------

class AbstractCallbackScanner(scan.PoolScanner):
    """Return the offset of the callback, no object headers"""

    def object_offset(self, found, address_space):
        return found + (address_space.profile.get_obj_size("_POOL_HEADER") -
                address_space.profile.get_obj_offset("_POOL_HEADER", "PoolTag"))

class PoolScanFSCallback(AbstractCallbackScanner):
    """PoolScanner for File System Callbacks"""
    checks = [ ('PoolTagCheck', dict(tag = "IoFs")),
               ('CheckPoolSize', dict(condition = lambda x: x == 0x18)),
               ('CheckPoolType', dict(non_paged = True, paged = True, free = True)),
               #('CheckPoolIndex', dict(value = 4)),
               ]

class PoolScanShutdownCallback(AbstractCallbackScanner):
    """PoolScanner for Shutdown Callbacks"""
    checks = [ ('PoolTagCheck', dict(tag = "IoSh")),
               ('CheckPoolSize', dict(condition = lambda x: x == 0x18)),
               ('CheckPoolType', dict(non_paged = True, paged = True, free = True)),
               ('CheckPoolIndex', dict(value = 0)),
               ]

class PoolScanGenericCallback(AbstractCallbackScanner):
    """PoolScanner for Generic Callbacks"""
    checks = [ ('PoolTagCheck', dict(tag = "Cbrb")),
               ('CheckPoolSize', dict(condition = lambda x: x == 0x18)),
               ('CheckPoolType', dict(non_paged = True, paged = True, free = True)),
               # This is a good constraint for all images except Frank's rustock-c.vmem
               #('CheckPoolIndex', dict(value = 1)),
               ]

class PoolScanDbgPrintCallback(AbstractCallbackScanner):
    """PoolScanner for DebugPrint Callbacks on Vista and 7"""
    checks = [ ('PoolTagCheck', dict(tag = "DbCb")),
               ('CheckPoolSize', dict(condition = lambda x: x == 0x20)),
               ('CheckPoolType', dict(non_paged = True, paged = True, free = True)),
               #('CheckPoolIndex', dict(value = 0)),
               ]

class PoolScanRegistryCallback(AbstractCallbackScanner):
    """PoolScanner for Registry Callbacks on Vista and 7"""
    checks = [ ('PoolTagCheck', dict(tag = "CMcb")),
               # Seen as 0x38 on Vista SP2 and 0x30 on 7 SP0
               ('CheckPoolSize', dict(condition = lambda x: x >= 0x38)),
               ('CheckPoolType', dict(non_paged = True, paged = True, free = True)),
               ('CheckPoolIndex', dict(value = 4)),
               ]

class PoolScanPnp9(AbstractCallbackScanner):
    """PoolScanner for Pnp9 (EventCategoryHardwareProfileChange)"""
    checks = [ ('PoolTagCheck', dict(tag = "Pnp9")),
               # seen as 0x2C on W7, 0x28 on vistasp0 (4 less but needs 8 less)
               ('CheckPoolSize', dict(condition = lambda x: x >= 0x30)),
               ('CheckPoolType', dict(non_paged = True, paged = True, free = True)),
               ('CheckPoolIndex', dict(value = 1)),
               ]

class PoolScanPnpD(AbstractCallbackScanner):
    """PoolScanner for PnpD (EventCategoryDeviceInterfaceChange)"""
    checks = [ ('PoolTagCheck', dict(tag = "PnpD")),
               # seen as 0x3C on W7, 0x38 on vistasp0 (4 less but needs 8 less)
               ('CheckPoolSize', dict(condition = lambda x: x >= 0x40)),
               ('CheckPoolType', dict(non_paged = True, paged = True, free = True)),
               ('CheckPoolIndex', dict(value = 1)),
               ]

class PoolScanPnpC(AbstractCallbackScanner):
    """PoolScanner for PnpC (EventCategoryTargetDeviceChange)"""
    checks = [ ('PoolTagCheck', dict(tag = "PnpC")),
               # seen as 0x34 on W7, 0x30 on vistasp0 (4 less but needs 8 less)
               ('CheckPoolSize', dict(condition = lambda x: x >= 0x38)),
               ('CheckPoolType', dict(non_paged = True, paged = True, free = True)),
               ('CheckPoolIndex', dict(value = 1)),
               ]

#--------------------------------------------------------------------------------
# callbacks plugin
#--------------------------------------------------------------------------------

class Callbacks(common.AbstractWindowsCommand):
    "Print system-wide notification routines"

    @staticmethod
    def is_valid_profile(profile):
        return (profile.metadata.get('os', 'unknown') == 'windows' and
                profile.metadata.get('memory_model', '32bit') == '32bit')

    def __init__(self, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, *args, **kwargs)
        self.phys_space = None
        self.kern_space = None

    @staticmethod
    def get_kernel_callbacks(nt_mod):
        """
        Enumerate the Create Process, Create Thread, and Image Load callbacks.

        On some systems, the byte sequences will be inaccurate or the exported
        function will not be found. In these cases, the PoolScanGenericCallback
        scanner will pick up the pool associated with the callbacks.
        """

        routines = [
                   # push esi; mov esi, offset _PspLoadImageNotifyRoutine
                   ('PsSetLoadImageNotifyRoutine', "\x56\xbe"),
                   # push esi; mov esi, offset _PspCreateThreadNotifyRoutine
                   ('PsSetCreateThreadNotifyRoutine', "\x56\xbe"),
                   # mov edi, offset _PspCreateProcessNotifyRoutine
                   ('PsSetCreateProcessNotifyRoutine', "\xbf"),
                   ]

        for symbol, hexbytes in routines:

            # Locate the exported symbol in the NT module
            symbol_rva = nt_mod.getprocaddress(symbol)
            if symbol_rva == None:
                continue

            symbol_address = symbol_rva + nt_mod.DllBase

            # Find the global variable referenced by the exported symbol
            data = nt_mod.obj_vm.zread(symbol_address, 100)

            offset = data.find(hexbytes)
            if offset == -1:
                continue

            # Read the pointer to the list
            p = obj.Object('Pointer',
                    offset = symbol_address + offset + len(hexbytes),
                    vm = nt_mod.obj_vm)

            # The list is an array of 8 _EX_FAST_REF objects
            addrs = obj.Object('Array', count = 8, targetType = '_EX_FAST_REF',
                    offset = p, vm = nt_mod.obj_vm)

            for addr in addrs:
                callback = addr.dereference_as("_GENERIC_CALLBACK")
                if callback:
                    yield symbol, callback.Callback, None

    def get_fs_callbacks(self):
        """Enumerate the File System change callbacks"""

        for offset in PoolScanFSCallback().scan(self.phys_space):
            callback = obj.Object('_NOTIFICATION_PACKET', offset, self.phys_space)
            yield "IoRegisterFsRegistrationChange", callback.NotificationRoutine, None

    def get_shutdown_callbacks(self):
        """Enumerate shutdown notification callbacks"""

        for offset in PoolScanShutdownCallback().scan(self.phys_space):

            # Instantiate the object in physical space but give it a native
            # VM of kernel space
            callback = obj.Object('_SHUTDOWN_PACKET', offset = offset,
                    vm = self.phys_space, native_vm = self.kern_space)

            if not callback.sanity_check():
                continue

            # Get the callback's driver object. We've already
            # checked the sanity of the device object pointer.
            driver_obj = callback.DeviceObject.dereference().DriverObject
            address = driver_obj.MajorFunction[devicetree.MAJOR_FUNCTIONS.index('IRP_MJ_SHUTDOWN')]
            details = str(driver_obj.DriverName)

            yield "IoRegisterShutdownNotification", address, details

    def get_bugcheck_callbacks(self):
        """
        Enumerate generic Bugcheck callbacks.

        Note: These structures don't exist in tagged pools, but you can find
        them via KDDEBUGGER_DATA64 on all versions of Windows.
        """

        kbcclh = tasks.get_kdbg(self.kern_space).KeBugCheckCallbackListHead.dereference_as('_KBUGCHECK_CALLBACK_RECORD')

        for l in kbcclh.Entry.list_of_type("_KBUGCHECK_CALLBACK_RECORD", "Entry"):
            yield "KeBugCheckCallbackListHead", l.CallbackRoutine, l.Component.dereference()

    @staticmethod
    def get_registry_callbacks_legacy(nt_mod):
        """
        Enumerate registry change callbacks.

        This method of finding a global variable via disassembly of the
        CmRegisterCallback function is only for XP systems. If it fails on
        XP you can still find the callbacks using PoolScanGenericCallback.

        On Vista and Windows 7, these callbacks are registered using the
        CmRegisterCallbackEx function.
        """

        if not has_distorm3:
            return

        symbol = "CmRegisterCallback"

        # Get the RVA of the symbol from NT's EAT
        symbol_rva = nt_mod.getprocaddress(symbol)
        if symbol_rva == None:
            return

        # Absolute VA to the symbol code
        symbol_address = symbol_rva + nt_mod.DllBase

        # Read the function prologue
        data = nt_mod.obj_vm.zread(symbol_address, 200)

        c = 0
        vector = None

        # Looking for MOV EBX, CmpCallBackVector
        # This may be the first or second MOV EBX instruction
        for op in distorm3.Decompose(symbol_address, data, distorm3.Decode32Bits):
            if op.valid and op.mnemonic == "MOV" and len(op.operands) == 2 and op.operands[0].name == 'EBX':
                vector = op.operands[1].value
                if c == 1:
                    break
                else:
                    c += 1

        # Can't find the global variable
        if vector == None:
            return

        # The vector is an array of 100 _EX_FAST_REF objects
        addrs = obj.Object("Array", count = 100, offset = vector,
                vm = nt_mod.obj_vm, targetType = "_EX_FAST_REF")

        for addr in addrs:
            callback = addr.dereference_as("_EX_CALLBACK_ROUTINE_BLOCK")
            if callback:
                yield symbol, callback.Function, None

    def get_generic_callbacks(self):
        """
        Enumerate generic callbacks of the following types:

        * PsSetCreateProcessNotifyRoutine
        * PsSetCreateThreadNotifyRoutine
        * PsSetLoadImageNotifyRoutine
        * CmRegisterCallback (on XP only)
        * DbgkLkmdRegisterCallback (on Windows 7 only)

        The only issue is that you can't distinguish between the types by just
        finding the generic callback structure
        """

        for offset in PoolScanGenericCallback().scan(self.phys_space):
            callback = obj.Object('_GENERIC_CALLBACK', offset, self.phys_space)
            yield "GenericKernelCallback", callback.Callback, None

    def get_dbgprint_callbacks(self):
        """Enumerate DebugPrint callbacks on Vista and 7"""

        for offset in PoolScanDbgPrintCallback().scan(self.phys_space):
            callback = obj.Object('_DBGPRINT_CALLBACK', offset, self.phys_space)
            yield "DbgSetDebugPrintCallback", callback.Function, None

    def get_registry_callbacks(self):
        """
        Enumerate registry callbacks on Vista and 7.

        These callbacks are installed via CmRegisterCallback
        or CmRegisterCallbackEx.
        """

        for offset in PoolScanRegistryCallback().scan(self.phys_space):
            callback = obj.Object('_REGISTRY_CALLBACK', offset, self.phys_space)
            yield "CmRegisterCallback", callback.Function, None

    def get_pnp_callbacks(self):
        """Enumerate IoRegisterPlugPlayNotification"""

        offsets = []

        for offset in PoolScanPnp9().scan(self.phys_space):
            offsets.append(offset)

        for offset in PoolScanPnpD().scan(self.phys_space):
            offsets.append(offset)

        for offset in PoolScanPnpC().scan(self.phys_space):
            offsets.append(offset)

        for offset in offsets:
            entry = obj.Object("_NOTIFY_ENTRY_HEADER", offset = offset,
                    vm = self.phys_space, native_vm = self.kern_space)

            # Dereference the driver object pointer
            driver = entry.DriverObject.dereference()

            # Instantiate an object header for the driver name
            header = obj.Object("_OBJECT_HEADER",
                    offset = driver.obj_offset -
                    driver.obj_vm.profile.get_obj_offset("_OBJECT_HEADER", "Body"),
                    vm = driver.obj_vm,
                    native_vm = driver.obj_native_vm)

            # Grab the object name
            driver_name = header.NameInfo.Name.v()

            yield entry.EventCategory, entry.CallbackRoutine, driver_name

    @staticmethod
    def get_bugcheck_reason_callbacks(nt_mod):
        """
        Enumerate Bugcheck Reason callbacks.

        Note: These structures don't exist in tagged pools, so we
        find them by locating the list head which is a non-exported
        NT symbol. The method works on all x86 versions of Windows.

        mov [eax+KBUGCHECK_REASON_CALLBACK_RECORD.Entry.Blink], \
                offset _KeBugCheckReasonCallbackListHead
        """

        symbol = "KeRegisterBugCheckReasonCallback"
        hexbytes = "\xC7\x40\x04"

        # Locate the symbol RVA
        symbol_rva = nt_mod.getprocaddress(symbol)
        if symbol_rva == None:
            return

        # Compute the absolute virtual address
        symbol_address = symbol_rva + nt_mod.DllBase

        data = nt_mod.obj_vm.zread(symbol_address, 100)

        # Search for the pattern
        offset = data.find(hexbytes)
        if offset == -1:
            return

        p = obj.Object('Pointer',
                offset = symbol_address + offset + len(hexbytes),
                vm = nt_mod.obj_vm)

        bugs = p.dereference_as('_KBUGCHECK_REASON_CALLBACK_RECORD')

        for l in bugs.Entry.list_of_type("_KBUGCHECK_REASON_CALLBACK_RECORD", "Entry"):
            yield symbol, l.CallbackRoutine, l.Component.dereference()

    def calculate(self):

        # All scanners will share a kernel and physical space
        self.kern_space = utils.load_as(self._config)
        self.phys_space = utils.load_as(self._config, astype = 'physical')

        # We currently don't support x64
        if not self.is_valid_profile(self.kern_space.profile):
            debug.error("This command does not support the selected profile.")

        # Get the OS version we're analyzing
        version = (self.kern_space.profile.metadata.get('major', 0),
                   self.kern_space.profile.metadata.get('minor', 0))

        modlist = list(modules.lsmod(self.kern_space))
        mods = dict((self.kern_space.address_mask(mod.DllBase), mod) for mod in modlist)
        mod_addrs = sorted(mods.keys())

        # First few routines are valid on all OS versions
        for info in self.get_fs_callbacks():
            yield info, mods, mod_addrs

        for info in self.get_bugcheck_callbacks():
            yield info, mods, mod_addrs

        for info in self.get_shutdown_callbacks():
            yield info, mods, mod_addrs

        for info in self.get_generic_callbacks():
            yield info, mods, mod_addrs

        for info in self.get_bugcheck_reason_callbacks(modlist[0]):
            yield info, mods, mod_addrs

        for info in self.get_kernel_callbacks(modlist[0]):
            yield info, mods, mod_addrs

        # Valid for Vista and later
        if version >= (6, 0):
            for info in self.get_dbgprint_callbacks():
                yield info, mods, mod_addrs

            for info in self.get_registry_callbacks():
                yield info, mods, mod_addrs

            for info in self.get_pnp_callbacks():
                yield info, mods, mod_addrs

        # Valid for XP
        if version == (5, 1):
            for info in self.get_registry_callbacks_legacy(modlist[0]):
                yield info, mods, mod_addrs

    def render_text(self, outfd, data):

        self.table_header(outfd,
                        [("Type", "36"),
                         ("Callback", "[addrpad]"),
                         ("Module", "20"),
                         ("Details", ""),
                        ])

        for (sym, cb, detail), mods, mod_addrs in data:

            module = tasks.find_module(mods, mod_addrs, self.kern_space.address_mask(cb))

            ## The original callbacks plugin searched driver objects
            ## if the owning module isn't found (Rustock.B). We leave that
            ## task up to the user this time, and will be incorporating
            ## some different module association methods later.
            if module:
                module_name = module.BaseDllName or module.FullDllName
            else:
                module_name = "UNKNOWN"

            self.table_row(outfd, sym, cb, module_name, detail or "-")

volatility-2.3.1/volatility/plugins/malware/__init__.py

volatility-2.3.1/volatility/plugins/malware/cmdhistory.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# Authors:
# Michael Hale Ligh
#
# Contributors/References:
# Richard Stevens and Eoghan Casey
# Extracting Windows Cmd Line Details from Physical Memory.
# http://ww.dfrws.org/2010/proceedings/stevens.pdf
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj
import volatility.plugins.common as common
import volatility.utils as utils
import volatility.win32.tasks as tasks
import volatility.debug as debug

MAX_HISTORY_DEFAULT = 50

#--------------------------------------------------------------------------------
# VTypes
#--------------------------------------------------------------------------------

# Windows 7 Types from conhost.exe
conhost_types_x86 = {
    '_COMMAND': [ None, {
        'CmdLength': [ 0x00, ['unsigned short']],
        'Cmd' : [ 0x02, ['String', dict(encoding = 'utf16', length = lambda x : x.CmdLength)]],
    }],
    '_COMMAND_HISTORY': [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'Flags' : [ 0x08, ['Flags', {'bitmap': {'Allocated': 0, 'Reset': 1}}]],
        'Application': [ 0x0C, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
        'CommandCount': [ 0x10, ['short']],
        'LastAdded': [ 0x12, ['short']],
        'LastDisplayed': [ 0x14, ['short']],
        'FirstCommand': [ 0x16, ['short']],
        'CommandCountMax': [ 0x18, ['short']],
        'ProcessHandle': [ 0x1C, ['unsigned int']],
        'PopupList': [ 0x20, ['_LIST_ENTRY']],
        'CommandBucket': [ 0x28, ['array', lambda x : x.CommandCount, ['pointer', ['_COMMAND']]]],
    }],
    '_ALIAS': [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'SourceLength': [ 0x08, ['unsigned short']],
        'TargetLength': [ 0x0A, ['unsigned short']],
        'Source': [ 0x0C, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.SourceLength)]]],
        'Target': [ 0x10, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.TargetLength)]]],
    }],
    '_EXE_ALIAS_LIST' : [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'ExeLength': [ 0x08, ['unsigned short']],
        'ExeName': [ 0x0C, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.ExeLength * 2)]]],
        'AliasList': [ 0x10, ['_LIST_ENTRY']],
    }],
    '_POPUP_LIST' : [ None, {
        'ListEntry' : [ 0x00, ['_LIST_ENTRY']],
    }],
    '_CONSOLE_INFORMATION': [ None, {
        'CurrentScreenBuffer': [ 0x98, ['pointer', ['_SCREEN_INFORMATION']]],
        'ScreenBuffer': [ 0x9C, ['pointer', ['_SCREEN_INFORMATION']]],
        'HistoryList': [ 0xD4, ['_LIST_ENTRY']],
        'ProcessList': [ 0x18, ['_LIST_ENTRY']], # GetConsoleProcessList()
        'ExeAliasList': [ 0xDC, ['_LIST_ENTRY']], # GetConsoleAliasExes()
        'HistoryBufferCount': [ 0xE4, ['unsigned short']], # GetConsoleHistoryInfo()
        'HistoryBufferMax': [ 0xE6, ['unsigned short']], # GetConsoleHistoryInfo()
        'CommandHistorySize': [ 0xE8, ['unsigned short']],
        'OriginalTitle': [ 0xEC, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]], # GetConsoleOriginalTitle()
        'Title': [ 0xF0, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]], # GetConsoleTitle()
    }],
    '_CONSOLE_PROCESS': [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'ProcessHandle': [ 0x8, ['unsigned int']],
    }],
    '_SCREEN_INFORMATION': [ None, {
        'ScreenX': [ 0x08, ['short']],
        'ScreenY': [ 0x0A, ['short']],
        'Rows': [ 0x3C, ['pointer', ['array', lambda x : x.ScreenY, ['_ROW']]]],
        'Next': [ 0xDC, ['pointer', ['_SCREEN_INFORMATION']]],
    }],
    '_ROW': [ 0x1C, {
        'Chars': [ 0x08, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
    }],
}

# Windows 7 Types from conhost.exe
conhost_types_x64 = {
    '_COMMAND': [ None, {
        'CmdLength': [ 0x00, ['unsigned short']],
        'Cmd' : [ 0x02, ['String', dict(encoding = 'utf16', length = lambda x : x.CmdLength)]],
    }],
    '_COMMAND_HISTORY': [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'Flags' : [ 0x10, ['Flags', {'bitmap': {'Allocated': 0, 'Reset': 1}}]], # AllocateCommandHistory()
        'Application': [ 0x18, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]], # AllocateCommandHistory()
        'CommandCount': [ 0x20, ['short']],
        'LastAdded': [ 0x22, ['short']],
        'LastDisplayed': [ 0x24, ['short']],
        'FirstCommand': [ 0x26, ['short']],
        'CommandCountMax': [ 0x28, ['short']], # AllocateCommandHistory()
        'ProcessHandle': [ 0x30, ['address']], # AllocateCommandHistory()
        'PopupList': [ 0x38, ['_LIST_ENTRY']], # AllocateCommandHistory()
        'CommandBucket': [ 0x48, ['array', lambda x : x.CommandCount, ['pointer', ['_COMMAND']]]],
    }],
    '_ALIAS': [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'SourceLength': [ 0x10, ['unsigned short']], # AddAlias()
        'TargetLength': [ 0x12, ['unsigned short']], # AddAlias()
        'Source': [ 0x18, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.SourceLength)]]], # AddAlias()
        'Target': [ 0x20, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.TargetLength)]]], # AddAlias()
    }],
    '_EXE_ALIAS_LIST' : [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'ExeLength': [ 0x10, ['unsigned short']], # AddExeAliasList()
        'ExeName': [ 0x18, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.ExeLength * 2)]]], # AddExeAliasList()
        'AliasList': [ 0x20, ['_LIST_ENTRY']], # AddExeAliasList()
    }],
    '_POPUP_LIST' : [ None, {
        'ListEntry' : [ 0x00, ['_LIST_ENTRY']],
    }],
    '_CONSOLE_INFORMATION': [ None, {
        'ProcessList': [ 0x28, ['_LIST_ENTRY']], # SrvGetConsoleProcessList()
        'CurrentScreenBuffer': [ 0xE0, ['pointer', ['_SCREEN_INFORMATION']]], # AllocateConsole()
        'ScreenBuffer': [ 0xE8, ['pointer', ['_SCREEN_INFORMATION']]], # AllocateConsole()
        'HistoryList': [ 0x148, ['_LIST_ENTRY']], # AllocateCommandHistory()
        'ExeAliasList': [ 0x158, ['_LIST_ENTRY']], # SrvGetConsoleAliasExes()
        'HistoryBufferCount': [ 0x168, ['unsigned short']], # AllocateConsole()
        'HistoryBufferMax': [ 0x16A, ['unsigned short']], # AllocateConsole()
        'CommandHistorySize': [ 0x16C, ['unsigned short']], # AllocateConsole()
        'OriginalTitle': [ 0x170, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]], # SrvGetConsoleTitle()
        'Title': [ 0x178, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]], # SrvGetConsoleTitle()
    }],
    '_CONSOLE_PROCESS': [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'ProcessHandle': [ 0x10, ['unsigned int']], # FindProcessInList()
    }],
    '_SCREEN_INFORMATION': [ None, {
        'ScreenX': [ 8, ['short']],
        'ScreenY': [ 10, ['short']],
        'Rows': [ 0x48, ['pointer', ['array', lambda x : x.ScreenY, ['_ROW']]]],
        'Next': [ 0x128, ['pointer', ['_SCREEN_INFORMATION']]],
    }],
    '_ROW': [ 0x28, {
        'Chars': [ 0x08, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
    }],
}

# Windows XP, 2003, 2008, Vista from winsrv.dll
winsrv_types_x86 = {
    '_COMMAND': [ None, {
        'CmdLength': [ 0x00, ['unsigned short']],
        'Cmd' : [ 0x02, ['String', dict(encoding = 'utf16', length = lambda x : x.CmdLength)]],
    }],
    '_COMMAND_HISTORY': [ None, {
        'Flags' : [ 0x00, ['Flags', {'bitmap': {'Allocated': 0, 'Reset': 1}}]],
        'ListEntry': [ 0x04, ['_LIST_ENTRY']],
        'Application': [ 0x0C, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
        'CommandCount': [ 0x10, ['short']],
        'LastAdded': [ 0x12, ['short']],
        'LastDisplayed': [ 0x14, ['short']],
        'FirstCommand': [ 0x16, ['short']],
        'CommandCountMax': [ 0x18, ['short']],
        'ProcessHandle': [ 0x1C, ['unsigned int']],
        'PopupList': [ 0x20, ['_LIST_ENTRY']],
        'CommandBucket': [ 0x28, ['array', lambda x : x.CommandCount, ['pointer', ['_COMMAND']]]],
    }],
    '_ALIAS': [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'SourceLength': [ 0x08, ['unsigned short']],
        'TargetLength': [ 0x0A, ['unsigned short']],
        'Source': [ 0x0C, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.SourceLength)]]],
        'Target': [ 0x10, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.TargetLength)]]],
    }],
    '_EXE_ALIAS_LIST' : [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'ExeLength': [ 0x08, ['unsigned short']],
        'ExeName': [ 0x0C, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.ExeLength * 2)]]],
        'AliasList': [ 0x10, ['_LIST_ENTRY']],
    }],
    '_POPUP_LIST' : [ None, {
        'ListEntry' : [ 0x00, ['_LIST_ENTRY']],
    }],
    '_CONSOLE_INFORMATION': [ None, {
        'CurrentScreenBuffer': [ 0xB0, ['pointer', ['_SCREEN_INFORMATION']]],
        'ScreenBuffer': [ 0xB4, ['pointer', ['_SCREEN_INFORMATION']]],
        'HistoryList': [ 0x108, ['_LIST_ENTRY']],
        'ProcessList': [ 0x100, ['_LIST_ENTRY']],
        'ExeAliasList': [ 0x110, ['_LIST_ENTRY']],
        'HistoryBufferCount': [ 0x118, ['unsigned short']],
        'HistoryBufferMax': [ 0x11A, ['unsigned short']],
        'CommandHistorySize': [ 0x11C, ['unsigned short']],
        'OriginalTitle': [ 0x124, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
        'Title': [ 0x128, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
    }],
    '_CONSOLE_PROCESS': [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'ProcessHandle': [ 0x08, ['unsigned int']],
        'Process': [ 0x0C, ['pointer', ['_CSR_PROCESS']]],
    }],
    '_SCREEN_INFORMATION': [ None, {
        'Console': [ 0x00, ['pointer', ['_CONSOLE_INFORMATION']]],
        'ScreenX': [ 0x24, ['short']],
        'ScreenY': [ 0x26, ['short']],
        'Rows': [ 0x58, ['pointer', ['array', lambda x : x.ScreenY, ['_ROW']]]],
        'Next': [ 0xF8, ['pointer', ['_SCREEN_INFORMATION']]],
    }],
    '_ROW': [ 0x1C, {
        'Chars': [ 0x08, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
    }],
    '_CSR_PROCESS' : [ 0x60, { # this is a public PDB
        'ClientId' : [ 0x0, ['_CLIENT_ID']],
        'ListLink' : [ 0x8, ['_LIST_ENTRY']],
        'ThreadList' : [ 0x10, ['_LIST_ENTRY']],
        'NtSession' : [ 0x18, ['pointer', ['_CSR_NT_SESSION']]],
        'ClientPort' : [ 0x1c, ['pointer', ['void']]],
        'ClientViewBase' : [ 0x20, ['pointer', ['unsigned char']]],
        'ClientViewBounds' : [ 0x24, ['pointer', ['unsigned char']]],
        'ProcessHandle' : [ 0x28, ['pointer', ['void']]],
        'SequenceNumber' : [ 0x2c, ['unsigned long']],
        'Flags' : [ 0x30, ['unsigned long']],
        'DebugFlags' : [ 0x34, ['unsigned long']],
        'ReferenceCount' : [ 0x38, ['unsigned long']],
        'ProcessGroupId' : [ 0x3c, ['unsigned long']],
        'ProcessGroupSequence' : [ 0x40, ['unsigned long']],
        'LastMessageSequence' : [ 0x44, ['unsigned long']],
        'NumOutstandingMessages' : [ 0x48, ['unsigned long']],
        'ShutdownLevel' : [ 0x4c, ['unsigned long']],
        'ShutdownFlags' : [ 0x50, ['unsigned long']],
        'Luid' : [ 0x54, ['_LUID']],
        'ServerDllPerProcessData' : [ 0x5c, ['array', 1, ['pointer', ['void']]]],
    }],
}

winsrv_types_x64 = {
    '_COMMAND': [ None, {
        'CmdLength': [ 0x00, ['unsigned short']],
        'Cmd' : [ 0x02, ['String', dict(encoding = 'utf16', length = lambda x : x.CmdLength)]],
    }],
    '_COMMAND_HISTORY': [ None, {
        'Flags' : [ 0x00, ['Flags', {'bitmap': {'Allocated': 0, 'Reset': 1}}]],
        'ListEntry': [ 0x08, ['_LIST_ENTRY']],
        'Application': [ 0x18, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
        'CommandCount': [ 0x20, ['short']],
        'LastAdded': [ 0x22, ['short']],
        'LastDisplayed': [ 0x24, ['short']],
        'FirstCommand': [ 0x26, ['short']],
        'CommandCountMax': [ 0x28, ['short']],
        'ProcessHandle': [ 0x30, ['unsigned int']],
        'PopupList': [ 0x38, ['_LIST_ENTRY']],
        'CommandBucket': [ 0x48, ['array', lambda x : x.CommandCount, ['pointer', ['_COMMAND']]]],
    }],
    '_ALIAS': [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'SourceLength': [ 0x10, ['unsigned short']],
        'TargetLength': [ 0x12, ['unsigned short']],
        'Source': [ 0x14, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.SourceLength)]]],
        'Target': [ 0x1C, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.TargetLength)]]],
    }],
    '_EXE_ALIAS_LIST' : [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'ExeLength': [ 0x10, ['unsigned short']],
        'ExeName': [ 0x12, ['pointer', ['String', dict(encoding = 'utf16', length = lambda x : x.ExeLength * 2)]]],
        'AliasList': [ 0x1A, ['_LIST_ENTRY']],
    }],
    '_POPUP_LIST' : [ None, {
        'ListEntry' : [ 0x00, ['_LIST_ENTRY']],
    }],
    '_CONSOLE_INFORMATION': [ None, {
        'CurrentScreenBuffer': [ 0xE8, ['pointer', ['_SCREEN_INFORMATION']]],
        'ScreenBuffer': [ 0xF0, ['pointer', ['_SCREEN_INFORMATION']]],
        'HistoryList': [ 0x188, ['_LIST_ENTRY']],
        'ProcessList': [ 0x178, ['_LIST_ENTRY']],
        'ExeAliasList': [ 0x198, ['_LIST_ENTRY']],
        'HistoryBufferCount': [ 0x1A8, ['unsigned short']],
        'HistoryBufferMax': [ 0x1AA, ['unsigned short']],
        'CommandHistorySize': [ 0x1AC, ['unsigned short']],
        'OriginalTitle': [ 0x1B0, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
        'Title': [ 0x1B8, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
    }],
    '_CONSOLE_PROCESS': [ None, {
        'ListEntry': [ 0x00, ['_LIST_ENTRY']],
        'ProcessHandle': [ 0x10, ['unsigned int']],
        'Process': [ 0x18, ['pointer', ['_CSR_PROCESS']]],
    }],
    '_SCREEN_INFORMATION': [ None, {
        'Console': [ 0x00, ['pointer', ['_CONSOLE_INFORMATION']]],
        'ScreenX': [ 0x28, ['short']],
        'ScreenY': [ 0x2A, ['short']],
        'Rows': [ 0x68, ['pointer', ['array', lambda x : x.ScreenY, ['_ROW']]]],
        'Next': [ 0x128, ['pointer', ['_SCREEN_INFORMATION']]],
    }],
    '_ROW': [ 0x28, {
        'Chars': [ 0x08, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
    }],
    '_CSR_PROCESS' : [ 0x60, { # this is a public PDB
        'ClientId' : [ 0x0, ['_CLIENT_ID']],
        'ListLink' : [ 0x8, ['_LIST_ENTRY']],
        'ThreadList' : [ 0x10, ['_LIST_ENTRY']],
        'NtSession' : [ 0x18, ['pointer', ['_CSR_NT_SESSION']]],
        'ClientPort' : [ 0x1c, ['pointer', ['void']]],
        'ClientViewBase' : [ 0x20, ['pointer', ['unsigned char']]],
        'ClientViewBounds' : [ 0x24, ['pointer', ['unsigned char']]],
        'ProcessHandle' : [ 0x28, ['pointer', ['void']]],
        'SequenceNumber' : [ 0x2c, ['unsigned long']],
        'Flags' : [ 0x30, ['unsigned long']],
        'DebugFlags' : [ 0x34, ['unsigned long']],
        'ReferenceCount' : [ 0x38, ['unsigned long']],
        'ProcessGroupId' : [ 0x3c, ['unsigned long']],
        'ProcessGroupSequence' : [ 0x40, ['unsigned long']],
        'LastMessageSequence' : [ 0x44, ['unsigned long']],
        'NumOutstandingMessages' : [ 0x48, ['unsigned long']],
        'ShutdownLevel' : [ 0x4c, ['unsigned long']],
        'ShutdownFlags' : [ 0x50, ['unsigned long']],
        'Luid' : [ 0x54, ['_LUID']],
        'ServerDllPerProcessData' : [ 0x5c, ['array', 1, ['pointer', ['void']]]],
    }],
}

#--------------------------------------------------------------------------------
# Object Classes
#--------------------------------------------------------------------------------

class _CONSOLE_INFORMATION(obj.CType):
    """ object class for console information structs """

    def get_histories(self):
        for hist in self.HistoryList.list_of_type("_COMMAND_HISTORY", "ListEntry"):
            yield hist

    def get_exe_aliases(self):
        """Generator for exe aliases.

        There is one _EXE_ALIAS_LIST for each executable
        (i.e. C:\windows\system32\cmd.exe) with registered
        aliases. The _EXE_ALIAS_LIST.AliasList contains
        one _ALIAS structure for each specific mapping.

        See GetConsoleAliasExes, GetConsoleAliases, and
        AddConsoleAlias.
        """
        for exe_alias in self.ExeAliasList.list_of_type("_EXE_ALIAS_LIST", "ListEntry"):
            yield exe_alias

    def get_processes(self):
        """Generator for processes attached to the console.

        Multiple processes can be attached to the same
        console (usually as a result of inheritance from a
        parent process or by duplicating another process's
        console handle). Internally, they are tracked as
        _CONSOLE_PROCESS structures in this linked list.

        See GetConsoleProcessList and AttachConsole.
        """
        for h in self.ProcessList.list_of_type("_CONSOLE_PROCESS", "ListEntry"):
            yield h

    def get_screens(self):
        """Generator for screens in the console.

        A console can have multiple screen buffers at a time,
        but only the current/active one is displayed.

        Multiple screens are tracked using the singly-linked
        list _SCREEN_INFORMATION.Next.

        See CreateConsoleScreenBuffer
        """
        screens = [self.CurrentScreenBuffer]

        if self.ScreenBuffer not in screens:
            screens.append(self.ScreenBuffer)

        for screen in screens:
            cur = screen
            while cur and cur.v() != 0:
                yield cur
                cur = cur.Next.dereference()

class _CONSOLE_PROCESS(obj.CType):
    """ object class for console process """

    def reference_object_by_handle(self):
        """ Given a process handle, return a reference to
        the _EPROCESS object.
        This function is similar to the kernel
        API ObReferenceObjectByHandle. """

        console_information = self.obj_parent
        parent_process = console_information.obj_parent

        for h in parent_process.ObjectTable.handles():
            if h.HandleValue == self.ProcessHandle:
                return h.dereference_as("_EPROCESS")

        return obj.NoneObject("Could not find process in handle table")

class _SCREEN_INFORMATION(obj.CType):
    """ object class for screen information """

    def get_buffer(self, truncate = True):
        """Get the screen buffer.

        The screen buffer is comprised of the screen's Y
        coordinate which tells us the number of rows and
        the X coordinate which tells us the width of each
        row in characters. These together provide all of
        the input and output that users see when the
        console is displayed.

        @param truncate: True if the empty rows at the
        end (i.e. bottom) of the screen buffer should be
        suppressed.
        """
        rows = []

        for _, row in enumerate(self.Rows.dereference()):
            if row.Chars.is_valid():
                rows.append(str(row.Chars.dereference())[0:self.ScreenX])

        # To truncate empty rows at the end, walk the list
        # backwards and get the last non-empty row. Use that
        # row index to splice. An "empty" row isn't just ""
        # as one might assume. It is actually ScreenX number
        # of space characters

        if truncate:
            non_empty_index = 0
            for index, row in enumerate(reversed(rows)):
                ## It seems that when the buffer width is greater than 128
                ## characters, it's truncated to 128 in memory.
                if row.count(" ") != min(self.ScreenX, 128):
                    non_empty_index = index
                    break
            if non_empty_index == 0:
                rows = []
            else:
                rows = rows[0:len(rows) - non_empty_index]

        return rows

class _EXE_ALIAS_LIST(obj.CType):
    """ object class for alias lists """

    def get_aliases(self):
        """Generator for the individual aliases for a
        particular executable."""
        for alias in self.AliasList.list_of_type("_ALIAS", "ListEntry"):
            yield alias

class _COMMAND_HISTORY(obj.CType):
    """ object class for command histories """

    def is_valid(self, max_history = MAX_HISTORY_DEFAULT): #pylint: disable-msg=W0221
        """Override BaseObject.is_valid with some additional
        checks specific to _COMMAND_HISTORY objects."""

        if not obj.CType.is_valid(self):
            return False

        # The count must be between zero and max
        if self.CommandCount < 0 or self.CommandCount > max_history:
            return False

        # Last added must be between -1 and max
        if self.LastAdded < -1 or self.LastAdded > max_history:
            return False

        # Last displayed must be between -1 and max
        if self.LastDisplayed < -1 or self.LastDisplayed > max_history:
            return False

        # First command must be between zero and max
        if self.FirstCommand < 0 or self.FirstCommand > max_history:
            return False

        # Validate first command with last added
        if self.FirstCommand != 0 and self.FirstCommand != self.LastAdded + 1:
            return False

        # Process handle must be a valid pid
        if self.ProcessHandle <= 0 or self.ProcessHandle > 0xFFFF:
            return False

        Popup = obj.Object("_POPUP_LIST", offset = self.PopupList.Flink,
                           vm = self.obj_vm)

        # Check that the popup list entry is intact
        if Popup.ListEntry.Blink != self.PopupList.obj_offset:
            return False

        return True

    def get_commands(self):
        """Generator for commands in the history buffer.

        The CommandBucket is an array of pointers to _COMMAND
        structures. The array size is CommandCount. Once CommandCount
        is reached, the oldest commands are cycled out and the
        rest are coalesced.
        """
        for i, cmd in enumerate(self.CommandBucket):
            if cmd:
                yield i, cmd.dereference()

#--------------------------------------------------------------------------------
# Profile Modifications
#--------------------------------------------------------------------------------

class CmdHistoryVTypesx86(obj.ProfileModification):
    """This modification applies the vtypes for 32bit
    Windows up to Windows 7."""

    before = ['WindowsObjectClasses']

    def check(self, profile):
        m = profile.metadata
        return (m.get('os', None) == 'windows' and
                m.get('memory_model', '32bit') == '32bit' and
                (m.get('major') < 6 or (m.get('major') == 6 and m.get('minor') < 1)))

    def modification(self, profile):
        profile.vtypes.update(winsrv_types_x86)

class CmdHistoryVTypesx64(obj.ProfileModification):
    """This modification applies the vtypes for 64bit
    Windows up to Windows 7."""

    before = ['WindowsObjectClasses']

    def check(self, profile):
        m = profile.metadata
        return (m.get('os', None) == 'windows' and
                m.get('memory_model', '32bit') == '64bit' and
                (m.get('major') < 6 or (m.get('major') == 6 and m.get('minor') < 1)))

    def modification(self, profile):
        profile.vtypes.update(winsrv_types_x64)

class CmdHistoryVTypesWin7x86(obj.ProfileModification):
    """This modification applies the vtypes for 32bit
    Windows starting with Windows 7."""

    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x >= 1,
                  'memory_model': lambda x : x == '32bit'}

    def modification(self, profile):
        profile.vtypes.update(conhost_types_x86)

class CmdHistoryVTypesWin7x64(obj.ProfileModification):
    """This modification applies the vtypes for 64bit
    Windows starting with Windows 7."""

    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x >= 1,
                  'memory_model': lambda x : x == '64bit'}

    def modification(self, profile):
        profile.vtypes.update(conhost_types_x64)

class CmdHistoryObjectClasses(obj.ProfileModification):
    """This modification applies the object classes for all
    versions of 32bit Windows."""

    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows'}
    # 'memory_model': lambda x : x == '32bit'}

    def modification(self, profile):
        profile.object_classes.update({
            '_CONSOLE_INFORMATION': _CONSOLE_INFORMATION,
            '_SCREEN_INFORMATION': _SCREEN_INFORMATION,
            '_EXE_ALIAS_LIST': _EXE_ALIAS_LIST,
            '_COMMAND_HISTORY': _COMMAND_HISTORY,
            '_CONSOLE_PROCESS': _CONSOLE_PROCESS,
        })

#--------------------------------------------------------------------------------
# CmdScan Plugin
#--------------------------------------------------------------------------------

class CmdScan(common.AbstractWindowsCommand):
    """Extract command history by scanning for _COMMAND_HISTORY"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

        # The default comes from HKCU\Console\HistoryBufferSize
        config.add_option('MAX_HISTORY', short_option = 'M', default = MAX_HISTORY_DEFAULT,
                          action = 'store', type = 'int',
                          help = 'CommandCountMax (default = 50)')

    def cmdhistory_process_filter(self, addr_space):
        """Generator for processes that might contain command
        history information.

        Takes into account if we're on Windows 7 or an earlier
        operating system.

        @param addr_space: a kernel address space.
        """

        # Detect if we're on windows seven
        use_conhost = (6, 1) <= (addr_space.profile.metadata.get('major', 0),
                                 addr_space.profile.metadata.get('minor', 0))

        for task in tasks.pslist(addr_space):
            process_name = str(task.ImageFileName).lower()
            # The process we select is conhost on Win7 or csrss for others
            if ((use_conhost and process_name == "conhost.exe") or
                    (not use_conhost and process_name == "csrss.exe")):
                yield task

    def calculate(self):
        """The default pattern we search for, as described by Stevens and Casey,
        is "\x32\x00". That's because CommandCountMax is a little-endian
        unsigned short whose default value is 50.
        However, that value can be changed by right clicking cmd.exe and going
        to Properties->Options->Cmd History or by calling the API function
        kernel32!SetConsoleHistoryInfo. Thus you can tweak the search criteria
        by using the --MAX_HISTORY.
        """

        addr_space = utils.load_as(self._config)

        MAX_HISTORY = self._config.MAX_HISTORY
        srch_pattern = chr(MAX_HISTORY) + "\x00"

        for task in self.cmdhistory_process_filter(addr_space):
            process_space = task.get_process_address_space()
            for found in task.search_process_memory([srch_pattern]):

                hist = obj.Object("_COMMAND_HISTORY",
                                  vm = process_space,
                                  offset = found - addr_space.profile.\
                                  get_obj_offset("_COMMAND_HISTORY", "CommandCountMax"))

                if hist.is_valid(max_history = MAX_HISTORY):
                    yield task, hist

    def render_text(self, outfd, data):

        for task, hist in data:

            outfd.write("*" * 50 + "\n")
            outfd.write("CommandProcess: {0} Pid: {1}\n".format(
                task.ImageFileName, task.UniqueProcessId))
            outfd.write("CommandHistory: {0:#x} Application: {1} Flags: {2}\n".format(
                hist.obj_offset, hist.Application.dereference(), hist.Flags))
            outfd.write("CommandCount: {0} LastAdded: {1} LastDisplayed: {2}\n".format(
                hist.CommandCount, hist.LastAdded, hist.LastDisplayed))
            outfd.write("FirstCommand: {0} CommandCountMax: {1}\n".format(
                hist.FirstCommand, hist.CommandCountMax))
            outfd.write("ProcessHandle: {0:#x}\n".format(hist.ProcessHandle))

            # If the _COMMAND_HISTORY is in use, we would only take
            # hist.CommandCount but since we're brute forcing, try the
            # maximum and hope that some slots were not overwritten
            # or zero-ed out.
            pointers = obj.Object("Array", targetType = "address",
                                  count = hist.CommandCountMax,
                                  offset = hist.obj_offset +
                                  hist.obj_vm.profile.get_obj_offset("_COMMAND_HISTORY", "CommandBucket"),
                                  vm = hist.obj_vm)

            for i, p in enumerate(pointers):
                cmd = p.dereference_as("_COMMAND")
                if cmd and str(cmd.Cmd):
                    outfd.write("Cmd #{0} @ {1:#x}: {2}\n".format(
                        i, cmd.obj_offset, str(cmd.Cmd)))

#--------------------------------------------------------------------------------
# Consoles Plugin
#--------------------------------------------------------------------------------

class Consoles(CmdScan):
    """Extract command history by scanning for _CONSOLE_INFORMATION"""

    def __init__(self, config, *args, **kwargs):
        CmdScan.__init__(self, config, *args, **kwargs)

        # The default comes from HKCU\Console\NumberOfHistoryBuffers
        config.add_option('HISTORY_BUFFERS', short_option = 'B', default = 4,
                          action = 'store', type = 'int',
                          help = 'HistoryBufferMax (default = 4)')

    def calculate(self):
        addr_space = utils.load_as(self._config)

        srch_pattern = chr(self._config.MAX_HISTORY) + "\x00"

        for task in self.cmdhistory_process_filter(addr_space):
            for found in task.search_process_memory([srch_pattern]):

                console = obj.Object("_CONSOLE_INFORMATION",
                                     offset = found -
                                     addr_space.profile.get_obj_offset("_CONSOLE_INFORMATION", "CommandHistorySize"),
                                     vm = task.get_process_address_space(),
                                     parent = task)

                if (console.HistoryBufferMax != self._config.HISTORY_BUFFERS or
                        console.HistoryBufferCount > self._config.HISTORY_BUFFERS):
                    continue

                # Check the first command history as the final constraint
                history = obj.Object("_COMMAND_HISTORY",
                                     offset = console.HistoryList.Flink.dereference().obj_offset -
                                     addr_space.profile.get_obj_offset("_COMMAND_HISTORY", "ListEntry"),
                                     vm = task.get_process_address_space())

                if history.CommandCountMax != self._config.MAX_HISTORY:
                    continue

                yield task, console

    def render_text(self, outfd, data):

        for task, console in data:

            outfd.write("*" * 50 + "\n")
            outfd.write("ConsoleProcess: {0} Pid: {1}\n".format(
                task.ImageFileName, task.UniqueProcessId))
            outfd.write("Console: {0:#x} CommandHistorySize: {1}\n".format(
                console.obj_offset, console.CommandHistorySize))
            outfd.write("HistoryBufferCount: {0} HistoryBufferMax: {1}\n".format(
                console.HistoryBufferCount, console.HistoryBufferMax))
            outfd.write("OriginalTitle: {0}\n".format(console.OriginalTitle.dereference()))
            outfd.write("Title: {0}\n".format(console.Title.dereference()))

            for console_proc in console.get_processes():
                process = console_proc.reference_object_by_handle()
                if process:
                    outfd.write("AttachedProcess: {0} Pid: {1} Handle: {2:#x}\n".format(
                        process.ImageFileName, process.UniqueProcessId,
                        console_proc.ProcessHandle))

            for hist in console.get_histories():
                outfd.write("----\n")
                outfd.write("CommandHistory: {0:#x} Application: {1} Flags: {2}\n".format(
                    hist.obj_offset, hist.Application.dereference(), hist.Flags))
                outfd.write("CommandCount: {0} LastAdded: {1} LastDisplayed: {2}\n".format(
                    hist.CommandCount, hist.LastAdded, hist.LastDisplayed))
                outfd.write("FirstCommand: {0} CommandCountMax: {1}\n".format(
                    hist.FirstCommand, hist.CommandCountMax))
                outfd.write("ProcessHandle: {0:#x}\n".format(hist.ProcessHandle))
                for i, cmd in hist.get_commands():
                    if cmd.Cmd:
                        outfd.write("Cmd #{0} at {1:#x}: {2}\n".format(
                            i, cmd.obj_offset, str(cmd.Cmd)))

            for exe_alias in console.get_exe_aliases():
                for alias in exe_alias.get_aliases():
                    outfd.write("----\n")
                    outfd.write("Alias: {0} Source: {1} Target: {2}\n".format(
                        exe_alias.ExeName.dereference(), alias.Source.dereference(),
                        alias.Target.dereference()))

            for screen in console.get_screens():
                outfd.write("----\n")
                outfd.write("Screen {0:#x} X:{1} Y:{2}\n".format(
                    screen.dereference(), screen.ScreenX, screen.ScreenY))
                outfd.write("Dump:\n{0}\n".format('\n'.join(screen.get_buffer())))

volatility-2.3.1/volatility/plugins/malware/impscan.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2010 - 2012 Michael Ligh <michael.ligh@mnin.org>
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.utils as utils
import volatility.obj as obj
import volatility.plugins.common as common
import volatility.debug as debug
import volatility.win32.tasks as tasks
import volatility.win32.modules as modules

try:
    import distorm3
    has_distorm = True
except ImportError:
    has_distorm = False

class ImpScan(common.AbstractWindowsCommand):
    """Scan for calls to imported functions"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

        # Define a new PID option instead of inheriting from
        # taskmods.DllList because this one cannot be a comma
        # separated list of PIDs.
        config.remove_option('PID')
        config.add_option('PID', short_option = 'p', default = None,
                          help = 'Process ID (leave off to scan kernel memory)',
                          action = 'store', type = 'int')

        # The base address in kernel or process memory where
        # we begin scanning. This is an executable region with
        # assembly instructions like a .text or .code PE section.
        config.add_option('BASE', short_option = 'b', default = None,
                          help = 'Base address in process memory if --pid ' +
                          'is supplied, otherwise an address in kernel space',
                          action = 'store', type = 'int')

        # The size in bytes of data to scan from the base address.
        config.add_option('SIZE', short_option = 's', default = None,
                          help = 'Size of memory to scan',
                          action = 'store', type = 'int')

        ## FIXME. ImpScan currently does not work on wow64 processes.
        ## Add an option to override the profile's memory_model and
        ## allow 32bit disasm on x64 operating systems.

        self.forwarded_imports = {
            "RtlGetLastWin32Error" : "kernel32.dll!GetLastError",
            "RtlSetLastWin32Error" : "kernel32.dll!SetLastError",
            "RtlRestoreLastWin32Error" : "kernel32.dll!SetLastError",
            "RtlAllocateHeap" : "kernel32.dll!HeapAlloc",
            "RtlReAllocateHeap" : "kernel32.dll!HeapReAlloc",
            "RtlFreeHeap" : "kernel32.dll!HeapFree",
            "RtlEnterCriticalSection" : "kernel32.dll!EnterCriticalSection",
            "RtlLeaveCriticalSection" : "kernel32.dll!LeaveCriticalSection",
            "RtlDeleteCriticalSection" : "kernel32.dll!DeleteCriticalSection",
            "RtlZeroMemory" : "kernel32.dll!ZeroMemory",
            "RtlSizeHeap" : "kernel32.dll!HeapSize",
            "RtlUnwind" : "kernel32.dll!RtlUnwind",
        }

    @staticmethod
    def enum_apis(all_mods):
        """Enumerate all exported functions from kernel
        or process space.

        @param all_mods: list of _LDR_DATA_TABLE_ENTRY

        To enum kernel APIs, all_mods is a list of drivers.
        To enum process APIs, all_mods is a list of DLLs.

        The function name is used if available, otherwise
        we take the ordinal value.
        """
        exports = {}

        for mod in all_mods:
            for ordinal, func_addr, func_name in mod.exports():
                # This value should only be None if it's forwarded
                if func_addr != None:
                    name = func_name or ordinal or ''
                    exports[int(mod.DllBase + func_addr)] = (mod, str(name))

        return exports

    def _call_or_unc_jmp(self, op):
        """Determine if an instruction is a call or an
        unconditional jump

        @param op: a distorm3 Op object
        """
        return ((op.flowControl == 'FC_CALL' and
                 op.mnemonic == "CALL") or
                (op.flowControl == 'FC_UNC_BRANCH' and
                 op.mnemonic == "JMP"))

    def _vicinity_scan(self, addr_space, calls_imported, apis,
                       base_address, data_len, forward):
        """Scan forward from the lowest IAT entry found or
        backward from the highest IAT entry found. We do this
        because not every imported function will be called
        from the code section and sometimes page(s) with the
        calls are unavailable.

        @param addr_space: an AS
        @param calls_imported: dictionary of confirmed imports
        @param apis: dictionary of exported functions in the AS
        @param base_address: memory base address
        @param data_len: size in bytes to check from base_address
        @param forward: the direction for the vicinity scan
        """

        sortedlist = calls_imported.keys()
        sortedlist.sort()

        if not sortedlist:
            return

        size_of_address = addr_space.profile.get_obj_size("address")

        if forward:
            start_addr = sortedlist[0]
        else:
            start_addr = sortedlist[len(sortedlist) - 1]

        # We stop scanning when the threshold reaches zero. This
        # value is decremented each invalid or duplicate API call
        # seen. It resets when a valid API call is seen.
        threshold = 5
        i = 0

        while threshold and i < 0x2000:

            if forward:
                next_addr = start_addr + (i * size_of_address)
            else:
                next_addr = start_addr - (i * size_of_address)

            call_dest = obj.Object("address", offset = next_addr,
                                   vm = addr_space).v()

            if (not call_dest or call_dest < base_address or
                    call_dest > base_address + data_len):
                threshold -= 1
                i += 1
                continue

            # Reset the threshold if we found a valid API call,
            # otherwise decrement the threshold by one
            if call_dest in apis and call_dest not in calls_imported:
                calls_imported[next_addr] = call_dest
                threshold = 5
            else:
                threshold -= 1

            i += 1

    def _original_import(self, mod_name, func_name):
        """Revert a forwarded import to the original module
        and function name.

        @param mod_name: current module name
        @param func_name: current function name
        """

        if func_name in self.forwarded_imports:
            return self.forwarded_imports[func_name].split("!")
        else:
            return mod_name, func_name

    def call_scan(self, addr_space, base_address, data):
        """Disassemble a block of data and yield possible
        calls to imported functions. We're looking for
        instructions such as these:

        x86:
        CALL DWORD [0x1000400]
        JMP DWORD [0x1000400]

        x64:
        CALL QWORD [RIP+0x989d]

        On x86, the 0x1000400 address is an entry in the
        IAT or call table. It stores a DWORD which is the
        location of the API function being called.

        On x64, the 0x989d is a relative offset from the
        current instruction (RIP).
        @param addr_space: an AS to scan with
        @param base_address: memory base address
        @param data: buffer of data found at base_address
        """

        end_address = base_address + len(data)

        memory_model = addr_space.profile.metadata.get('memory_model', '32bit')

        if memory_model == '32bit':
            mode = distorm3.Decode32Bits
        else:
            mode = distorm3.Decode64Bits

        for op in distorm3.DecomposeGenerator(base_address, data, mode):

            if not op.valid:
                continue

            iat_loc = None

            if memory_model == '32bit':
                if (self._call_or_unc_jmp(op) and
                        op.operands[0].type == 'AbsoluteMemoryAddress'):
                    iat_loc = (op.operands[0].disp) & 0xffffffff
            else:
                if (self._call_or_unc_jmp(op) and
                        'FLAG_RIP_RELATIVE' in op.flags and
                        op.operands[0].type == 'AbsoluteMemory'):
                    iat_loc = op.address + op.size + op.operands[0].disp

            if (not iat_loc or
                    (iat_loc < base_address) or
                    (iat_loc > end_address)):
                continue

            # This is the address being called
            call_dest = obj.Object("address", offset = iat_loc,
                                   vm = addr_space)

            if call_dest == None:
                continue

            yield op.address, iat_loc, int(call_dest)

    def calculate(self):

        if not has_distorm:
            debug.error("You must install distorm3")

        addr_space = utils.load_as(self._config)

        all_tasks = list(tasks.pslist(addr_space))
        all_mods = list(modules.lsmod(addr_space))

        # Operate in kernel mode if pid is not supplied
        if not self._config.PID:
            if not self._config.BASE:
                debug.error("You must specify --BASE")

            base_address = self._config.BASE
            size_to_read = self._config.SIZE

            # Get the size from the module list if it's not supplied
            if not size_to_read:
                for module in all_mods:
                    if module.DllBase == base_address:
                        size_to_read = module.SizeOfImage
                        break
                if not size_to_read:
                    debug.error("You must specify --SIZE")

            kernel_space = tasks.find_space(addr_space,
                                            all_tasks, base_address)

            if not kernel_space:
                debug.error("Cannot read supplied address")

            data = kernel_space.zread(base_address, size_to_read)
            apis = self.enum_apis(all_mods)
            addr_space = kernel_space
        else:
            # In process mode, we find the process by PID
            task = None

            for atask in all_tasks:
                if atask.UniqueProcessId == self._config.PID:
                    task = atask
                    break

            if not task:
                debug.error("You must supply an active PID")

            task_space = task.get_process_address_space()

            if not task_space:
                debug.error("Cannot acquire process AS")

            all_mods = list(task.get_load_modules())

            # PEB is paged or no DLLs loaded
            if not all_mods:
                debug.error("Cannot load DLLs in process AS")

            # If an address is supplied with a size, try to get
            # the size from the vad node. If neither are supplied,
            # assume we should carve the main process executable.
            if self._config.BASE:
                base_address = self._config.BASE
                size_to_read = self._config.SIZE

                if not size_to_read:
                    for vad in task.VadRoot.traverse():
                        if base_address >= vad.Start and base_address <= vad.End:
                            size_to_read = vad.Length
                    if not size_to_read:
                        debug.error("You must specify --SIZE")
            else:
                # It's OK to blindly take the 0th element because the
                # executable is always the first module to load.
                base_address = all_mods[0].DllBase
                size_to_read = all_mods[0].SizeOfImage

            if not task_space.is_valid_address(base_address):
                debug.error("Address is not valid in process AS")

            data = task_space.zread(base_address, size_to_read)
            apis = self.enum_apis(all_mods)
            addr_space = task_space

        # This is a dictionary of confirmed API calls.
        calls_imported = dict(
            (iat, call)
            for (_, iat, call) in self.call_scan(addr_space, base_address, data)
            if call in apis
        )

        # Scan forward
        self._vicinity_scan(addr_space,
                            calls_imported, apis, base_address, len(data),
                            forward = True)

        # Scan reverse
        self._vicinity_scan(addr_space,
                            calls_imported, apis, base_address, len(data),
                            forward = False)

        for iat, call in sorted(calls_imported.items()):
            yield iat, call, apis[call][0], apis[call][1]

    def render_text(self, outfd, data):
        """Render as text"""

        self.table_header(outfd,
                          [("IAT", "[addrpad]"),
                           ("Call", "[addrpad]"),
                           ("Module", "20"),
                           ("Function", ""),
                           ])

        for iat, call, mod, func in data:
            mod_name, func_name = self._original_import(
                str(mod.BaseDllName or ''), func)
            self.table_row(outfd, iat, call, mod_name, func_name)

    def render_idc(self, outfd, data):
        """Render as IDC"""

        outfd.write("#include \nstatic main(void) {\n")

        for iat, _, mod, func in data:
            _, func_name = self._original_import(
                str(mod.BaseDllName or ''), func)
            outfd.write(" MakeDword(0x{0:08X});\n".format(iat))
            outfd.write(" MakeName(0x{0:08X}, \"{1}\");\n".format(iat, func_name))

        outfd.write("}")

volatility-2.3.1/volatility/plugins/malware/timers.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2010, 2011, 2012 Michael Ligh <michael.ligh@mnin.org>
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.utils as utils
import volatility.obj as obj
import volatility.plugins.common as common
import volatility.debug as debug
import volatility.win32.tasks as tasks
import volatility.win32.modules as modules

#--------------------------------------------------------------------------------
# vtypes
#--------------------------------------------------------------------------------

# This type is defined in Win2K3SP0x86 and VistaSP2x86, but
# it applies to many other profiles in which it is not defined
# in the public PDBs.
timer_types = {
    '_KTIMER_TABLE_ENTRY' : [ 0x10, {
        'Entry' : [ 0x0, ['_LIST_ENTRY']],
        'Time' : [ 0x8, ['_ULARGE_INTEGER']],
    }]}

#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------

class MalwareTimerVTypes(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit'}

    def modification(self, profile):
        profile.vtypes.update(timer_types)

#--------------------------------------------------------------------------------
# timers
#--------------------------------------------------------------------------------

class Timers(common.AbstractWindowsCommand):
    """Print kernel timers and associated module DPCs"""

    @staticmethod
    def is_valid_profile(profile):
        return (profile.metadata.get('os', 'unknown') == 'windows' and
                profile.metadata.get('memory_model', '32bit') == '32bit')

    def find_list_head(self, nt_mod, func, sig):
        """
        Find the KiTimerTableListHead given an exported
        function as a starting point and a small signature.
        @param nt_mod: _LDR_DATA_TABLE_ENTRY object for NT module
        @param func: function name exported by the NT module
        @param sig: byte string/pattern to use for finding the symbol
        """

        # Lookup the exported function
        func_rva = nt_mod.getprocaddress(func)
        if func_rva == None:
            return None

        func_addr = func_rva + nt_mod.DllBase

        # Read enough of the function prolog
        data = nt_mod.obj_vm.zread(func_addr, 200)

        # Scan for the byte signature
        n = data.find(sig)
        if n == -1:
            return None

        return obj.Object('address', func_addr + n + len(sig), nt_mod.obj_vm)

    def calculate(self):
        addr_space = utils.load_as(self._config)

        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")

        # Get the OS version we're analyzing
        version = (addr_space.profile.metadata.get('major', 0),
                   addr_space.profile.metadata.get('minor', 0))

        modlist = list(modules.lsmod(addr_space))
        mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modlist)
        mod_addrs = sorted(mods.keys())

        # KTIMERs collected
        timers = []

        # Valid KTIMER.Header.Type values
        TimerNotificationObject = 8
        TimerSynchronizationObject = 9
        valid_types = (TimerNotificationObject, TimerSynchronizationObject)

        if version == (5, 1) or (version == (5, 2) and
                                 addr_space.profile.metadata.get('build', 0) == 3789):

            # On XP SP0-SP3 x86 and Windows 2003 SP0, KiTimerTableListHead
            # is an array of 256 _LIST_ENTRY for _KTIMERs.

            KiTimerTableListHead = self.find_list_head(modlist[0],
                                                       "KeUpdateSystemTime",
                                                       "\x25\xFF\x00\x00\x00\x8D\x0C\xC5")

            lists = obj.Object("Array", offset = KiTimerTableListHead,
                               vm = addr_space,
                               targetType = '_LIST_ENTRY',
                               count = 256)

            for l in lists:
                for t in l.list_of_type("_KTIMER", "TimerListEntry"):
                    timers.append(t)

        elif version == (5, 2) or version == (6, 0):

            # On XP x64, Windows 2003 SP1-SP2, and Vista SP0-SP2, KiTimerTableListHead
            # is an array of 512 _KTIMER_TABLE_ENTRY structs.
            KiTimerTableListHead = self.find_list_head(modlist[0],
                                                       "KeCancelTimer",
                                                       "\xC1\xE7\x04\x81\xC7")

            lists = obj.Object("Array", offset = KiTimerTableListHead,
                               vm = addr_space,
                               targetType = '_KTIMER_TABLE_ENTRY',
                               count = 512)

            for l in lists:
                for t in l.Entry.list_of_type("_KTIMER", "TimerListEntry"):
                    timers.append(t)

        elif version == (6, 1):

            # On Windows 7, there is no more KiTimerTableListHead. The list is
            # at _KPCR.PrcbData.TimerTable.TimerEntries (credits to Matt Suiche
            # for this one. See http://pastebin.com/FiRsGW3f).
            for kpcr in tasks.get_kdbg(addr_space).kpcrs():
                for table in kpcr.ProcessorBlock.TimerTable.TimerEntries:
                    for t in table.Entry.list_of_type("_KTIMER", "TimerListEntry"):
                        timers.append(t)

        for timer in timers:

            # Sanity check on the timer type
            if timer.Header.Type not in valid_types:
                continue

            # Ignore timers without DPCs
            if not timer.Dpc.is_valid() or not timer.Dpc.DeferredRoutine.is_valid():
                continue

            # Lookup the module containing the DPC
            module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(timer.Dpc.DeferredRoutine))

            yield timer, module

    def render_text(self, outfd, data):

        self.table_header(outfd,
                          [("Offset(V)", "[addrpad]"),
                           ("DueTime", "24"),
                           ("Period(ms)", "10"),
                           ("Signaled", "10"),
                           ("Routine", "[addrpad]"),
                           ("Module", ""),
                           ])

        for timer, module in data:

            if timer.Header.SignalState.v():
                signaled = "Yes"
            else:
                signaled = "-"

            if module:
                module_name = str(module.BaseDllName or '')
            else:
                module_name = "UNKNOWN"

            due_time = "{0:#010x}:{1:#010x}".format(timer.DueTime.HighPart, timer.DueTime.LowPart)

            self.table_row(outfd,
                           timer.obj_offset,
                           due_time,
                           timer.Period,
                           signaled,
                           timer.Dpc.DeferredRoutine,
                           module_name)

volatility-2.3.1/volatility/plugins/malware/devicetree.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2010, 2011, 2012 Michael Ligh <michael.ligh@mnin.org>
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import re
import volatility.obj as obj
import volatility.plugins.filescan as filescan
import volatility.win32.modules as modules
import volatility.win32.tasks as tasks
import volatility.utils as utils
import volatility.plugins.malware.malfind as malfind

#--------------------------------------------------------------------------------
# constants
#--------------------------------------------------------------------------------

MAJOR_FUNCTIONS = [
    'IRP_MJ_CREATE',
    'IRP_MJ_CREATE_NAMED_PIPE',
    'IRP_MJ_CLOSE',
    'IRP_MJ_READ',
    'IRP_MJ_WRITE',
    'IRP_MJ_QUERY_INFORMATION',
    'IRP_MJ_SET_INFORMATION',
    'IRP_MJ_QUERY_EA',
    'IRP_MJ_SET_EA',
    'IRP_MJ_FLUSH_BUFFERS',
    'IRP_MJ_QUERY_VOLUME_INFORMATION',
    'IRP_MJ_SET_VOLUME_INFORMATION',
    'IRP_MJ_DIRECTORY_CONTROL',
    'IRP_MJ_FILE_SYSTEM_CONTROL',
    'IRP_MJ_DEVICE_CONTROL',
    'IRP_MJ_INTERNAL_DEVICE_CONTROL',
    'IRP_MJ_SHUTDOWN',
    'IRP_MJ_LOCK_CONTROL',
    'IRP_MJ_CLEANUP',
    'IRP_MJ_CREATE_MAILSLOT',
    'IRP_MJ_QUERY_SECURITY',
    'IRP_MJ_SET_SECURITY',
    'IRP_MJ_POWER',
    'IRP_MJ_SYSTEM_CONTROL',
    'IRP_MJ_DEVICE_CHANGE',
    'IRP_MJ_QUERY_QUOTA',
    'IRP_MJ_SET_QUOTA',
    'IRP_MJ_PNP'
]

DEVICE_CODES = {
    0x00000027 : 'FILE_DEVICE_8042_PORT',
    0x00000032 : 'FILE_DEVICE_ACPI',
    0x00000029 : 'FILE_DEVICE_BATTERY',
    0x00000001 : 'FILE_DEVICE_BEEP',
    0x0000002a : 'FILE_DEVICE_BUS_EXTENDER',
    0x00000002 : 'FILE_DEVICE_CD_ROM',
    0x00000003 : 'FILE_DEVICE_CD_ROM_FILE_SYSTEM',
    0x00000030 : 'FILE_DEVICE_CHANGER',
    0x00000004 : 'FILE_DEVICE_CONTROLLER',
    0x00000005 : 'FILE_DEVICE_DATALINK',
    0x00000006 : 'FILE_DEVICE_DFS',
    0x00000035 : 'FILE_DEVICE_DFS_FILE_SYSTEM',
    0x00000036 : 'FILE_DEVICE_DFS_VOLUME',
    0x00000007 : 'FILE_DEVICE_DISK',
    0x00000008 : 'FILE_DEVICE_DISK_FILE_SYSTEM',
    0x00000033 : 'FILE_DEVICE_DVD',
    0x00000009 : 'FILE_DEVICE_FILE_SYSTEM',
    0x0000003a : 'FILE_DEVICE_FIPS',
    0x00000034 : 'FILE_DEVICE_FULLSCREEN_VIDEO',
    0x0000000a : 'FILE_DEVICE_INPORT_PORT',
    0x0000000b : 'FILE_DEVICE_KEYBOARD',
    0x0000002f : 'FILE_DEVICE_KS',
    0x00000039 : 'FILE_DEVICE_KSEC',
    0x0000000c : 'FILE_DEVICE_MAILSLOT',
    0x0000002d : 'FILE_DEVICE_MASS_STORAGE',
    0x0000000d : 'FILE_DEVICE_MIDI_IN',
    0x0000000e : 'FILE_DEVICE_MIDI_OUT',
    0x0000002b : 'FILE_DEVICE_MODEM',
    0x0000000f : 'FILE_DEVICE_MOUSE',
    0x00000010 : 'FILE_DEVICE_MULTI_UNC_PROVIDER',
    0x00000011 : 'FILE_DEVICE_NAMED_PIPE',
    0x00000012 : 'FILE_DEVICE_NETWORK',
    0x00000013 : 'FILE_DEVICE_NETWORK_BROWSER',
    0x00000014 : 'FILE_DEVICE_NETWORK_FILE_SYSTEM',
    0x00000028 : 'FILE_DEVICE_NETWORK_REDIRECTOR',
    0x00000015 : 'FILE_DEVICE_NULL',
    0x00000016 : 'FILE_DEVICE_PARALLEL_PORT',
    0x00000017 : 'FILE_DEVICE_PHYSICAL_NETCARD',
    0x00000018 : 'FILE_DEVICE_PRINTER',
    0x00000019 : 'FILE_DEVICE_SCANNER',
    0x0000001c : 'FILE_DEVICE_SCREEN',
    0x00000037 : 'FILE_DEVICE_SERENUM',
    0x0000001a : 'FILE_DEVICE_SERIAL_MOUSE_PORT',
    0x0000001b : 'FILE_DEVICE_SERIAL_PORT',
    0x00000031 : 'FILE_DEVICE_SMARTCARD',
    0x0000002e : 'FILE_DEVICE_SMB',
    0x0000001d : 'FILE_DEVICE_SOUND',
    0x0000001e : 'FILE_DEVICE_STREAMS',
    0x0000001f : 'FILE_DEVICE_TAPE',
    0x00000020 : 'FILE_DEVICE_TAPE_FILE_SYSTEM',
    0x00000038 : 'FILE_DEVICE_TERMSRV',
    0x00000021 : 'FILE_DEVICE_TRANSPORT',
    0x00000022 : 'FILE_DEVICE_UNKNOWN',
    0x0000002c : 'FILE_DEVICE_VDM',
    0x00000023 : 'FILE_DEVICE_VIDEO',
    0x00000024 : 'FILE_DEVICE_VIRTUAL_DISK',
    0x00000025 : 'FILE_DEVICE_WAVE_IN',
    0x00000026 : 'FILE_DEVICE_WAVE_OUT',
}

#--------------------------------------------------------------------------------
# object classes
#--------------------------------------------------------------------------------

class _DRIVER_OBJECT(obj.CType):
    "Class for driver objects"

    def devices(self):
        "Enumerate the driver's device objects"
        device = self.DeviceObject.dereference()
        while device:
            yield device
            device = device.NextDevice.dereference()

class _DEVICE_OBJECT(obj.CType):
    "Class for device objects"

    def attached_devices(self):
        "Enumerate the device's attachees"
        device = self.AttachedDevice.dereference()
        while device:
            yield device
            device = device.AttachedDevice.dereference()

#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------

class MalwareDrivers(obj.ProfileModification):
    before = ['WindowsObjectClasses']

    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        profile.object_classes.update({
            '_DRIVER_OBJECT': _DRIVER_OBJECT,
            '_DEVICE_OBJECT': _DEVICE_OBJECT,
        })

#--------------------------------------------------------------------------------
# devicetree plugin
#--------------------------------------------------------------------------------

class DeviceTree(filescan.DriverScan):
    "Show device tree"

    def render_text(self, outfd, data):

        for _object_obj, driver_obj, _ in data:

            outfd.write("DRV 0x{0:08x} {1}\n".format(driver_obj.obj_offset,
                        str(driver_obj.DriverName or '')))

            for device in driver_obj.devices():

                device_header = obj.Object("_OBJECT_HEADER",
                    offset = device.obj_offset -
                        device.obj_vm.profile.get_obj_offset("_OBJECT_HEADER", "Body"),
                    vm = device.obj_vm,
                    native_vm = device.obj_native_vm
                    )

                device_name = str(device_header.NameInfo.Name or '')

                outfd.write("---| DEV {0:#x} {1} {2}\n".format(
                    device.obj_offset,
                    device_name,
                    DEVICE_CODES.get(device.DeviceType.v(), "UNKNOWN")))

                level = 0

                for att_device in device.attached_devices():

                    device_header = obj.Object("_OBJECT_HEADER",
                        offset = att_device.obj_offset -
                            att_device.obj_vm.profile.get_obj_offset("_OBJECT_HEADER", "Body"),
                        vm = att_device.obj_vm,
                        native_vm = att_device.obj_native_vm
                        )

                    device_name = str(device_header.NameInfo.Name or '')
                    name = (device_name + " - " +
                            str(att_device.DriverObject.DriverName or ''))

                    outfd.write("------{0}| ATT {1:#x} {2} {3}\n".format(
                        "---" * level,
                        att_device.obj_offset,
                        name,
                        DEVICE_CODES.get(att_device.DeviceType.v(), "UNKNOWN")))

                    level += 1

#--------------------------------------------------------------------------------
# driverirp plugin
#--------------------------------------------------------------------------------

class DriverIrp(filescan.DriverScan):
    "Driver IRP hook detection"

    def __init__(self, config, *args, **kwargs):
        filescan.DriverScan.__init__(self, config, *args, **kwargs)
        config.add_option("REGEX", short_option = 'r', type = 'str',
                          action = 'store',
                          help = 'Analyze drivers matching REGEX')

    def render_text(self, outfd, data):

        addr_space = utils.load_as(self._config)

        # Compile the regular expression for filtering by driver name
        if self._config.regex != None:
            mod_re = re.compile(self._config.regex, re.I)
        else:
            mod_re = None

        mods = dict((addr_space.address_mask(mod.DllBase), mod)
                    for mod in modules.lsmod(addr_space))
        mod_addrs = sorted(mods.keys())

        bits = addr_space.profile.metadata.get('memory_model', '32bit')

        self.table_header(None, [('i', ">4"),
                                 ('Funcs', "36"),
                                 ('addr', '[addrpad]'),
                                 ('name', '')
                                 ])

        for object_obj, driver_obj, _ in data:
            driver_name = str(object_obj.NameInfo.Name or '')

            # Continue if a regex was supplied and it doesn't match
            if mod_re != None:
                if not mod_re.search(driver_name):
                    continue

            # Write the standard header for each driver object
            outfd.write("{0}\n".format("-" * 50))
            outfd.write("DriverName: {0}\n".format(driver_name))
            outfd.write("DriverStart: {0:#x}\n".format(driver_obj.DriverStart))
            outfd.write("DriverSize: {0:#x}\n".format(driver_obj.DriverSize))
            outfd.write("DriverStartIo: {0:#x}\n".format(driver_obj.DriverStartIo))

            # Write the address and owner of each IRP function
            for i, function in enumerate(driver_obj.MajorFunction):
                function = driver_obj.MajorFunction[i]
                module = tasks.find_module(mods, mod_addrs,
                                           addr_space.address_mask(function))
                if module:
                    module_name = str(module.BaseDllName or '')
                else:
                    module_name = "Unknown"

                # This is where we check for inline hooks once the
                # ApiHooks plugin is ported to 2.1.
                self.table_row(outfd, i, MAJOR_FUNCTIONS[i], function, module_name)

                if self._config.verbose:
                    data = addr_space.zread(function, 64)
                    outfd.write("\n".join(
                        ["{0:#x} {1:<16} {2}".format(o, h, i)
                        for o, i, h in malfind.Disassemble(data = data,
                            start = function, bits = bits, stoponret = True)
                    ]))
                    outfd.write("\n")

volatility-2.3.1/volatility/plugins/malware/apihooks.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# Authors:
# Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import re, ntpath
import volatility.utils as utils
import volatility.obj as obj
import volatility.debug as debug
import volatility.win32.tasks as tasks
import volatility.win32.modules as modules
import volatility.plugins.malware.malfind as malfind
import volatility.plugins.overlays.basic as basic
import volatility.plugins.procdump as procdump
import volatility.exceptions as exceptions

try:
    import distorm3
    has_distorm3 = True
except ImportError:
    has_distorm3 = False

#--------------------------------------------------------------------------------
# Constants
#--------------------------------------------------------------------------------

# hook modes
HOOK_MODE_USER = 1
HOOK_MODE_KERNEL = 2

# hook types
HOOKTYPE_IAT = 4
HOOKTYPE_EAT = 8
HOOKTYPE_INLINE = 16
HOOKTYPE_NT_SYSCALL = 32
HOOKTYPE_CODEPAGE_KERNEL = 64
HOOKTYPE_IDT = 128
HOOKTYPE_IRP = 256
HOOKTYPE_WINSOCK = 512

# names for hook types
hook_type_strings = {
    HOOKTYPE_IAT : "Import Address Table (IAT)",
    HOOKTYPE_EAT : "Export Address Table (EAT)",
    HOOKTYPE_INLINE : "Inline/Trampoline",
    HOOKTYPE_NT_SYSCALL : "NT Syscall",
    HOOKTYPE_CODEPAGE_KERNEL : "Unknown Code Page Call",
    HOOKTYPE_WINSOCK : "Winsock Procedure Table Hook",
}

WINSOCK_TABLE = [
    '_WSPAccept',
    '_WSPAddressToString',
    '_WSPAsyncSelect',
    '_WSPBind',
    '_WSPCancelBlockingCall',
    '_WSPCleanup',
    '_WSPCloseSocket',
    '_WSPConnect',
    '_WSPDuplicateSocket',
    '_WSPEnumNetworkEvents',
    '_WSPEventSelect',
    '_WSPGetOverlappedResult',
    '_WSPGetPeerName',
    '_WSPGetSockName',
    '_WSPGetSockOpt',
    '_WSPGetQOSByName',
    '_WSPIoctl',
    '_WSPJoinLeaf',
    '_WSPListen',
    '_WSPRecv',
    '_WSPRecvDisconnect',
    '_WSPRecvFrom',
    '_WSPSelect',
    '_WSPSend',
    '_WSPSendDisconnect',
    '_WSPSendTo',
    '_WSPSetSockOpt',
    '_WSPShutdown',
    '_WSPSocket',
    '_WSPStringToAddress',
]

#--------------------------------------------------------------------------------
# Profile Modifications
#--------------------------------------------------------------------------------

class MalwareWSPVTypes(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {'os': lambda x : x == 'windows',
                  'memory_model': lambda x: x == '32bit'}

    def modification(self, profile):
        profile.vtypes.update({
            '_SOCK_PROC_TABLE' : [ None, {
            'Functions' : [ 0x0, ['array', 30, ['address']]],
            }]})

#--------------------------------------------------------------------------------
# Module Group Class
#--------------------------------------------------------------------------------

class ModuleGroup(object):
    """A class to assist with module lookups"""

    def __init__(self, mod_list):
        """Initialize.

        @param mod_list: a list of _LDR_DATA_TABLE_ENTRY objects.
        This can be a generator.
        """

        self.mods = list(mod_list)
        self.mod_name = {}
        self.mod_fast = [(mod.DllBase, mod.DllBase + mod.SizeOfImage, mod)
                         for mod in self.mods]

        for mod in self.mods:
            name = str(mod.BaseDllName or '').lower()

            if name in self.mod_name:
                self.mod_name[name].append(mod)
            else:
                self.mod_name[name] = [mod]

    def find_module(self, address):
        """Find a module by an address it contains.

        @param address: location in process or kernel AS to
        find an owning module.

        When performing thousands of lookups, this method
        is actually quicker than tasks.find_module.
        """

        for base, end, mod in self.mod_fast:
            if address >= base and address <= end:
                return mod

        return obj.NoneObject("")

#--------------------------------------------------------------------------------
# Hook Class
#--------------------------------------------------------------------------------

class Hook(object):
    """A class for API hooks. It helps organize the many
    pieces of information required to report on the hook."""

    def __init__(self, hook_type, hook_mode, function_name,
                        function_address = None, hook_address = None,
                        hook_module = None, victim_module = None):
        """
        Initialize a hook class instance.

        @params hook_type: one of the HOOKTYPE_* constants
        @params hook_mode: one of the HOOK_MODE_* constants

        @params function_name: name of the function being hooked

        @params function_address: address of the hooked function in
            process or kernel memory.

        @params hook_address: address where the hooked function
            actually points.

        @params hook_module: the _LDR_DATA_TABLE_ENTRY of the
            hooking module (owner of the hook_address). note:
            this can be None if the module cannot be identified.

        @params victim_module: the _LDR_DATA_TABLE_ENTRY of the
            module being hooked (contains the function_address).
            note: this can be a string if checking IAT hooks.
        """

        self.hook_mode = hook_mode
        self.hook_type = hook_type
        self.function_name = function_name
        self.function_address = function_address
        self.hook_address = hook_address
        self.hook_module = hook_module
        self.victim_module = victim_module
        # List of tuples: address, data pairs
        self.disassembled_hops = []

    def add_hop_chunk(self, address, data):
        """Support disassembly for multiple hops"""
        self.disassembled_hops.append((address, data))

    def _module_name(self, module):
        """Return a sanitized module name"""

        # The module can't be identified
        if not module:
            return ''

        # The module is a string name like "ntdll.dll"
        if isinstance(module, basic.String) or isinstance(module, str):
            return str(module)

        # The module is a _LDR_DATA_TABLE_ENTRY
        return str(module.BaseDllName or '') or str(module.FullDllName or '') or ''

    @property
    def Type(self):
        """Translate the hook type into a string"""
        return hook_type_strings.get(self.hook_type, "")

    @property
    def Mode(self):
        """Translate the hook mode into a string"""
        if self.hook_mode == HOOK_MODE_USER:
            return "Usermode"
        else:
            return "Kernelmode"

    @property
    def Function(self):
        """Return the function name if it's available"""
        return str(self.function_name) or ''

    @property
    def Detail(self):
        """The detail depends on the hook type"""
        if self.hook_type == HOOKTYPE_IAT:
            return "{0}!{1}".format(self.VictimModule, self.Function)
        elif self.hook_type == HOOKTYPE_EAT:
            return "{0} at {1:#x}".format(self.Function, self.hook_address)
        elif self.hook_type == HOOKTYPE_INLINE:
            return "{0}!{1} at {2:#x}".format(self.VictimModule, self.Function,
                                              self.function_address)
        else:
            return self.Function

    @property
    def HookModule(self):
        """Name of the hooking module"""
        return self._module_name(self.hook_module)

    @property
    def VictimModule(self):
        """Name of the victim module"""
        return self._module_name(self.victim_module)

#--------------------------------------------------------------------------------
# Whitelist Rules
#--------------------------------------------------------------------------------

# The value of each dictionary item is a list of tuples of regexes
# in the format (process, src_mod, dst_mod, function). If you specify
# (".*", ".*", ".*", ".*") then you essentially whitelist all possible hooks
# of the given type.

whitelist_rules = {
    HOOK_MODE_USER | HOOKTYPE_IAT : [
    # Ignore hooks that point inside C runtime libraries
    (".*", ".*", "(msvcr|msvcp).+\.dll", ".*"),
    # Ignore hooks of WMI that point inside advapi32.dll
    (".*", "wmi.dll", "advapi32.dll", ".*"),
    # Ignore hooks of winsock that point inside ws2 and mswsock
    (".*", "WSOCK32.dll", "(WS2_32|MSWSOCK)\.dll", ".*"),
    # Ignore hooks of SCHANNEL* that point inside secur32.dll
    (".*", "schannel.dll", "secur32.dll", ".*"),
    # Ignore hooks of Secur32* that point inside SSPICLI
    (".*", "Secur32.dll", "SSPICLI.DLL", ".*"),
    # Ignore hooks that point inside known modules
    (".*", ".*", "(kernel32|gdi32|advapi32|ntdll|shimeng|kernelbase|shlwapi|user32|cfgmgr32)", ".*"),
    # Handle some known forwarded imports
    (".*", ".*", ".*", "((Enter|Delete|Leave)CriticalSection|(Get|Set)LastError|Heap(ReAlloc|Free|Size|Alloc)|Rtl(Unwind|MoveMemory))"),
    # Ignore sfc hooks going to sfc_os
    (".*", "sfc\.dll", "sfc_os\.dll", ".*"),
    # Ignore netapi32 hooks pointing at netutils or samcli
    (".*", "netapi32\.dll", "(netutils|samcli)\.dll", ".*"),
    (".*", "setupapi\.dll", "devrtl\.dll", ".*"),
    ],
    HOOK_MODE_USER | HOOKTYPE_EAT : [
    # These modules have so many hooks it's really not useful to check
    (".*", "(msvcp|msvcr|mfc|wbemcomn|fastprox)", ".*", ".*"),
    ],
    HOOK_MODE_USER | HOOKTYPE_INLINE : [
    # Ignore hooks in the pywin32 service process
    ("pythonservice", ".*", ".*", ".*"),
    # Many legit hooks land inside these modules
    (".*", ".*", "(msvcr|advapi32|version|wbemcomn|ntdll|kernel32|kernelbase|sechost|ole32|shlwapi|user32|gdi32|ws2_32|shell32)", ".*"),
    # Ignore hooks of the c runtime DLLs
    (".*", "(msvc(p|r)\d{2}|mfc\d{2})\.dll", ".*", ".*"),
    # This is a global variable
    (".*", "msvcrt\.dll", ".*", "_acmdln"),
    # Ignore hooks of MD5Final, MD5Init, MD5Update that point inside advapi32
    (".*", ".*", "advapi32.dll", "MD5.+"),
    # Ignore hooks of common firefox components
    ("firefox\.exe", ".*", "(xul|mozcrt|nspr4)", ".*"),
    # Ignore hooks created by Parallels VM software
    (".*", "user32.dll", "prl_hook.dll", ".*"),
    # Ignore DLL registration functions
    (".*", ".*", ".*", "(DllCanUnloadNow|DllRegisterServer|DllUnregisterServer)"),
    # Ignore netapi32 hooks pointing at netutils
    (".*", "netapi32\.dll", "netutils\.dll", ".*"),
    ],
    HOOK_MODE_KERNEL | HOOKTYPE_IAT : [
    (".*", ".*", "(win32k\.sys|hal\.dll|dump_wmilib\.sys|ntkrnlpa\.exe|ntoskrnl\.exe)", ".*"),
    # Ignore hooks of the SCSI module which point inside the dump_scsiport module
    (".*", "scsiport\.sys", "dump_scsiport\.sys", ".*"),
    # Ignore other storage port hooks
    (".*", "storport\.sys", "dump_storport\.sys", ".*"),
    ],
    HOOK_MODE_KERNEL | HOOKTYPE_EAT : [
    ],
    HOOK_MODE_KERNEL | HOOKTYPE_INLINE : [
    # Ignore kernel hooks that point inside these modules
    (".*", ".*", "(hal.dll|ndis.sys|ntkrnlpa.exe|ntoskrnl.exe)", ".*"),
    ],
}

class ApiHooks(procdump.ProcExeDump):
    """Detect API hooks in process and kernel memory"""

    def __init__(self, config, *args, **kwargs):
        procdump.ProcExeDump.__init__(self, config, *args, **kwargs)
        config.remove_option("DUMP-DIR")

        config.add_option("NO-WHITELIST", short_option = 'N', default = False,
                action = 'store_true',
                help = 'No whitelist (show all hooks, can be verbose)')

        config.add_option("SKIP-KERNEL", short_option = 'R', default = False,
                action = 'store_true',
                help = 'Skip kernel mode checks')

        config.add_option("SKIP-PROCESS", short_option = 'P', default = False,
                action = 'store_true',
                help = 'Skip process checks')

        config.add_option("QUICK", short_option = 'Q', default = False,
                action = 'store_true',
                help = 'Work faster by only analyzing critical processes and dlls')

        self.compiled_rules = self.compile()

        # When the --quick option is set, we only scan the processes
        # and dlls in these lists. Feel free to adjust them for
        # your own purposes.
        self.critical_process = ["explorer.exe", "svchost.exe", "lsass.exe",
            "services.exe", "winlogon.exe", "csrss.exe", "smss.exe",
            "wininit.exe", "iexplore.exe", "firefox.exe", "spoolsv.exe"]

        self.critical_dlls = ["ntdll.dll", "kernel32.dll", "ws2_32.dll",
            "advapi32.dll", "secur32.dll", "crypt32.dll", "user32.dll",
            "gdi32.dll", "shell32.dll", "shlwapi.dll", "lsasrv.dll",
            "cryptdll.dll", "wsock32.dll", "mswsock.dll", "urlmon.dll",
            "csrsrv.dll", "winsrv.dll", "wininet.dll"]

        # When scanning for calls to unknown code pages (UCP), only
        # analyze the following drivers. This is based on an analysis of
        # the modules rootkits are most likely to infect, but feel free
        # to adjust it for your own purposes.
        self.ucpscan_modules = ["tcpip.sys", "ntfs.sys", "fastfat.sys",
            "wanarp.sys", "ndis.sys", "atapi.sys", "ntoskrnl.exe",
            "ntkrnlpa.exe", "ntkrnlmp.exe"]

    @staticmethod
    def is_valid_profile(profile):
        return (profile.metadata.get('os', 'unknown') == 'windows' and
                profile.metadata.get('memory_model', '32bit') == '32bit')

    def compile(self):
        """
        Precompile the regular expression rules. It's quicker
        if we do this once per plugin run, rather than once per
        API hook that needs checking.
        """
        ret = dict()
        for key, rules in whitelist_rules.items():
            for rule in rules:
                ruleset = ((re.compile(rule[0], re.I), # Process name
                            re.compile(rule[1], re.I), # Source module
                            re.compile(rule[2], re.I), # Destination module
                            re.compile(rule[3], re.I), # Function name
                            ))
                if ret.has_key(key):
                    ret[key].append(ruleset)
                else:
                    ret[key] = [ruleset]
        return ret

    def whitelist(self, rule_key, process, src_mod, dst_mod, function):
        """Check if an API hook should be ignored due to whitelisting.

        @param rule_key: a key from the whitelist_rules dictionary which
            describes the type of hook (i.e. Usermode IAT or Kernel Inline).

        @param process: name of the suspected victim process.

        @param src_mod: name of the source module whose function has been
            hooked. this varies depending on whether we're dealing with IAT,
            EAT, inline, etc.

        @param dst_mod: name of the module that is the destination of the
            hook pointer. this is usually the rootkit dll, exe, or sys,
            however, in many cases there is no module name since the rootkit
            is trying to be stealthy.

        @param function: name of the function that has been hooked.
        """
        # There are no whitelist rules for this hook type
        if rule_key not in self.compiled_rules:
            return False

        for rule in self.compiled_rules[rule_key]:
            if (rule[0].search(process) != None and
                    rule[1].search(src_mod) != None and
                    rule[2].search(dst_mod) != None and
                    rule[3].search(function) != None):
                return True

        return False

    @staticmethod
    def check_syscall(addr_space, module, module_group):
        """
        Enumerate syscall hooks in ntdll.dll. A syscall hook is one
        that modifies the function prologue of an NT API function
        (i.e. ntdll!NtCreateFile) or swaps the location of the sysenter
        with a malicious address.

        @param addr_space: a process AS for the process containing the
        ntdll.dll module.

        @param module: the _LDR_DATA_TABLE_ENTRY for ntdll.dll

        @param module_group: a ModuleGroup instance for the process.
        """

        # Resolve the real location of KiFastSystemCall for comparison
        KiFastSystemCall = module.getprocaddress("KiFastSystemCall")
        KiIntSystemCall = module.getprocaddress("KiIntSystemCall")

        if not KiFastSystemCall or not KiIntSystemCall:
            #debug.debug("Abort check_syscall, can't find KiFastSystemCall")
            return

        # Add the RVA to make it absolute
        KiFastSystemCall += module.DllBase
        KiIntSystemCall += module.DllBase

        # Check each exported function if it's an NT syscall
        for _, f, n in module.exports():

            # Ignore forwarded exports
            if not f:
                #debug.debug("Skipping forwarded export {0}".format(n or ''))
                continue

            function_address = module.DllBase + f

            if not addr_space.is_valid_address(function_address):
                #debug.debug("Function address {0:#x} for {1} is paged".format(
                #    function_address, n or ''))
                continue

            # Read enough of the function prologue for three instructions
            data = addr_space.zread(function_address, 24)

            instructions = []

            for op in distorm3.Decompose(function_address, data, distorm3.Decode32Bits):
                if not op.valid:
                    break
                if len(instructions) == 3:
                    break
                instructions.append(op)

            # Skip prologues that did not decode into three instructions
            if len(instructions) != 3:
                continue

            i0 = instructions[0]
            i1 = instructions[1]
            i2 = instructions[2]

            # They both must be properly decomposed and have two operands
            if (not i0 or not i0.valid or len(i0.operands) != 2 or
                    not i1 or not i1.valid or len(i1.operands) != 2):
                #debug.debug("Error decomposing prologue for {0} at {1:#x}".format(
                #    n or '', function_address))
                continue

            # Now check the instruction and operand types
            if (i0.mnemonic == "MOV" and i0.operands[0].type == 'Register' and
                    i0.operands[0].name == 'EAX' and
                    i0.operands[1].type == 'Immediate' and
                    i1.mnemonic == "MOV" and
                    i1.operands[0].type == 'Register' and
                    i1.operands[0].name == 'EDX' and
                    i1.operands[1].type == 'Immediate'):

                if i2.operands[0].type == "Register":
                    # KiFastSystemCall is already in the register
                    syscall_address = i1.operands[1].value
                else:
                    # Pointer to where KiFastSystemCall is stored
                    syscall_address = obj.Object('address',
                            offset = i1.operands[1].value,
                            vm = addr_space)

                if syscall_address not in [KiFastSystemCall, KiIntSystemCall]:
                    hook_module = module_group.find_module(syscall_address)
                    hook = Hook(hook_type = HOOKTYPE_NT_SYSCALL,
                                hook_mode = HOOK_MODE_USER,
                                function_name = n or '',
                                function_address = function_address,
                                hook_address = syscall_address,
                                hook_module = hook_module,
                                victim_module = module,
                                )
                    # Add the bytes that will later be disassembled in the
                    # output to show exactly how the hook works. The first
                    # hop is the ntdll!Nt* API and the next hop is the rootkit.
                    hook.add_hop_chunk(function_address, data)
                    hook.add_hop_chunk(syscall_address,
                                       addr_space.zread(syscall_address, 24))
                    yield hook

    def check_ucpcall(self, addr_space, module, module_group):
        """Scan for calls to unknown code pages.

        @param addr_space: a kernel AS

        @param module: the _LDR_DATA_TABLE_ENTRY to scan

        @param module_group: a ModuleGroup instance for the process.
        """

        try:
            dos_header = obj.Object("_IMAGE_DOS_HEADER",
                                    offset = module.DllBase,
                                    vm = addr_space)
            nt_header = dos_header.get_nt_header()
        except (ValueError, exceptions.SanityCheckException), _why:
            #debug.debug('get_nt_header() failed: {0}'.format(why))
            return

        # Parse the PE sections for this driver
        for sec in nt_header.get_sections(self._config.UNSAFE):

            # Only check executable sections
            if not sec.Characteristics & 0x20000000:
                continue

            # Calculate the virtual address of this PE section in memory
            sec_va = module.DllBase + sec.VirtualAddress

            # Extract the section's data and make sure it's not all zeros
            data = addr_space.zread(sec_va, sec.Misc.VirtualSize)

            if data == "\x00" * len(data):
                continue

            # Disassemble instructions in the section
            for op in distorm3.DecomposeGenerator(sec_va, data, distorm3.Decode32Bits):

                if (op.valid and
                        ((op.flowControl == 'FC_CALL' and op.mnemonic == "CALL") or
                         (op.flowControl == 'FC_UNC_BRANCH' and op.mnemonic == "JMP")) and
                        op.operands[0].type == 'AbsoluteMemoryAddress'):

                    # This is ADDR, which is the IAT location
                    const = op.operands[0].disp & 0xFFFFFFFF

                    # Abort if ADDR is not a valid address
                    if not addr_space.is_valid_address(const):
                        continue

                    # This is what [ADDR] points to - the absolute destination
                    call_dest = obj.Object("address", offset = const, vm = addr_space)

                    # Abort if [ADDR] is not a valid address
                    if not addr_space.is_valid_address(call_dest):
                        continue

                    check1 = module_group.find_module(const)
                    check2 = module_group.find_module(call_dest)

                    # If ADDR or [ADDR] point to an unknown code page
                    if not check1 or not check2:
                        hook = Hook(hook_type = HOOKTYPE_CODEPAGE_KERNEL,
                                    hook_mode = HOOK_MODE_KERNEL,
                                    function_name = "",
                                    function_address = op.address,
                                    hook_address = call_dest,
                                    )
                        # Add the location we found the call
                        hook.add_hop_chunk(op.address,
                            data[op.address - sec_va : op.address - sec_va + 24])

                        # Add the rootkit stub
                        hook.add_hop_chunk(call_dest, addr_space.zread(call_dest, 24))
                        yield hook

    def check_wsp(self, addr_space, module, module_group):
        """
        Check for hooks of non-exported WSP* functions. The
        mswsock.dll module contains a global variable which
        points to all the internal Winsock functions. We find
        the function table by the reference from the exported
        WSPStartup API.

        .text:6C88922E 8B 7D 50          mov     edi, [ebp+lpProcTable]
        .text:6C889231 6A 1E             push    1Eh
        .text:6C889233 59                pop     ecx
        .text:6C889234 BE 40 64 8B 6C    mov     esi, offset _SockProcTable
        .text:6C889239 F3 A5             rep movsd

        @param addr_space: process AS

        @param module: the _LDR_DATA_TABLE_ENTRY for mswsock.dll

        @param module_group: a ModuleGroup instance for the process.
        """

        WSPStartup = module.getprocaddress("WSPStartup")

        if not WSPStartup:
            #debug.debug("Abort check_wsp, can't find WSPStartup")
            return

        WSPStartup += module.DllBase

        # Opcode pattern to look for
        signature = "\x6A\x1E\x59\xBE"

        # Read enough bytes of the function to find our signature
        data = addr_space.zread(WSPStartup, 300)

        if data == "\x00" * len(data):
            #debug.debug("WSPStartup prologue is paged")
            return

        offset = data.find(signature)

        if offset == -1:
            #debug.debug("Can't find {0} in WSPStartup".format(repr(signature)))
            return

        # Dereference the pointer as our _SockProcTable
        p = obj.Object("address",
                       offset = WSPStartup + offset + len(signature),
                       vm = addr_space)

        p = p.dereference_as("_SOCK_PROC_TABLE")

        # Enumerate functions in the procedure table
        for i, function_address in enumerate(p.Functions):

            function_owner = module_group.find_module(function_address)

            # The function points outside of mswsock, it's hooked
            if function_owner != module:
                hook = Hook(hook_type = HOOKTYPE_WINSOCK,
                            hook_mode = HOOK_MODE_USER,
                            function_name = WINSOCK_TABLE[i],
                            function_address = function_address,
                            hook_module = function_owner,
                            victim_module = module
                            )
                hook.add_hop_chunk(function_address,
                                   addr_space.zread(function_address, 12))
                yield hook
            else:
                # The function points inside mswsock, check inline
                ret = self.check_inline(function_address, addr_space,
                                        module.DllBase,
                                        module.DllBase + module.SizeOfImage)

                if not ret:
                    #debug.debug("Cannot analyze {0}".format(WINSOCK_TABLE[i]))
                    continue

                (hooked, data, hook_address) = ret

                if hooked:
                    hook_module = module_group.find_module(hook_address)
                    if hook_module != module:
                        hook = Hook(hook_type = HOOKTYPE_WINSOCK,
                                    hook_mode = HOOK_MODE_USER,
                                    function_name = WINSOCK_TABLE[i],
                                    function_address = function_address,
                                    hook_module = hook_module,
                                    hook_address = hook_address,
                                    victim_module = module
                                    )
                        hook.add_hop_chunk(function_address, data)
                        hook.add_hop_chunk(hook_address,
                                           addr_space.zread(hook_address, 12))
                        yield hook

    @staticmethod
    def check_inline(va, addr_space, mem_start,
                     mem_end):
        """
        Check for inline API hooks. We check for direct and indirect
        calls, direct and indirect jumps, and PUSH/RET combinations.

        @param va: the virtual address of the function to check

        @param addr_space: process or kernel AS where the function resides

        @param mem_start: base address of the module containing the
            function being checked.

        @param mem_end: end address of the module containing the func
            being checked.

        @returns: a tuple of (hooked, data, hook_address)
        """

        data = addr_space.zread(va, 24)

        if data == "\x00" * len(data):
            #debug.debug("Cannot read function prologue at {0:#x}".format(va))
            return None

        outside_module = lambda x: x != None and (x < mem_start or x > mem_end)

        # Number of instructions disassembled so far
        n = 0
        # Destination address of hooks
        d = None
        # Save the last PUSH before a CALL
        push_val = None
        # Save the general purpose registers
        regs = {}

        for op in distorm3.Decompose(va, data, distorm3.Decode32Bits):

            # Quit the loop when we have three instructions or when
            # a decomposition error is encountered, whichever is first.
            if not op.valid or n == 3:
                break

            if op.flowControl == 'FC_CALL':
                # Clear the push value
                if push_val:
                    push_val = None
                if op.mnemonic == "CALL" and op.operands[0].type == 'AbsoluteMemoryAddress':
                    # Check for CALL [ADDR]
                    const = op.operands[0].disp & 0xFFFFFFFF
                    d = obj.Object("unsigned int", offset = const, vm = addr_space)
                    if outside_module(d):
                        break
                elif op.operands[0].type == 'Immediate':
                    # Check for CALL ADDR
                    d = op.operands[0].value & 0xFFFFFFFF
                    if outside_module(d):
                        break
                elif op.operands[0].type == 'Register':
                    # Check for CALL REG
                    d = regs.get(op.operands[0].name)
                    if d and outside_module(d):
                        break
            elif op.flowControl == 'FC_UNC_BRANCH' and op.mnemonic == "JMP":
                # Clear the push value
                if push_val:
                    push_val = None
                if op.size > 2:
                    if op.operands[0].type == 'AbsoluteMemoryAddress':
                        # Check for JMP [ADDR]
                        const = op.operands[0].disp & 0xFFFFFFFF
                        d = obj.Object("unsigned int", offset = const, vm = addr_space)
                        if outside_module(d):
                            break
                    elif op.operands[0].type == 'Immediate':
                        # Check for JMP ADDR
                        d = op.operands[0].value & 0xFFFFFFFF
                        if outside_module(d):
                            break
                elif op.size == 2 and op.operands[0].type == 'Register':
                    # Check for JMP REG
                    d = regs.get(op.operands[0].name)
                    if d and outside_module(d):
                        break
            elif op.flowControl == 'FC_NONE':
                # Check for PUSH followed by a RET
                if (op.mnemonic == "PUSH" and
                        op.operands[0].type == 'Immediate' and op.size == 5):
                    # Set the push value
                    push_val = op.operands[0].value & 0xFFFFFFFF
                # Check for moving imm values into a register
                if (op.mnemonic == "MOV" and op.operands[0].type == 'Register'
                        and op.operands[1].type == 'Immediate'):
                    # Clear the push value
                    if push_val:
                        push_val = None
                    # Save the value put into the register
                    regs[op.operands[0].name] = op.operands[1].value
            elif op.flowControl == 'FC_RET':
                if push_val:
                    d = push_val
                    if outside_module(d):
                        break
                # This causes us to stop disassembling when
                # reaching the end of a function
                break
            n += 1

        # Check EIP after the function prologue
        if outside_module(d):
            return True, data, d
        else:
            return False, data, d

    def gather_stuff(self, _addr_space, module):
        """Use the Volatility object classes to enumerate
        imports and exports. This function can be overridden
        to use pefile instead for speed testing"""

        # This is a dictionary where keys are the names of imported
        # modules and values are lists of tuples (ord, addr, name).
        imports = {}
        exports = [(o, module.DllBase + f, n) for o, f, n in module.exports()]

        for dll, o, f, n in module.imports():
            dll = dll.lower()
            if dll in imports:
                imports[dll].append((o, f, n))
            else:
                imports[dll] = [(o, f, n)]

        return imports, exports

    def get_hooks(self, hook_mode, addr_space, module, module_group):
        """Enumerate IAT, EAT, Inline hooks. Also acts as a dispatcher
        for NT syscall, UCP scans, and winsock procedure table hooks.

        @param hook_mode: one of the HOOK_MODE_* constants

        @param addr_space: a process AS or kernel AS

        @param module: an _LDR_DATA_TABLE_ENTRY for the module being
        checked for hooks.

        @param module_group: a ModuleGroup instance for the process.
        """

        # We start with the module base name. If that's not available,
        # trim the full name down to its base name.
        module_name = (str(module.BaseDllName or '') or
                       ntpath.basename(str(module.FullDllName or '')))

        # Lowercase for string matching
        module_name = module_name.lower()

        if hook_mode == HOOK_MODE_USER:
            if module_name == "ntdll.dll":
                for hook in self.check_syscall(addr_space, module, module_group):
                    yield hook
            elif module_name == "mswsock.dll":
                for hook in self.check_wsp(addr_space, module, module_group):
                    yield hook
        else:
            if module_name in self.ucpscan_modules:
                for hook in self.check_ucpcall(addr_space, module, module_group):
                    yield hook

        imports, exports = \
            self.gather_stuff(addr_space, module)

        for dll, functions in imports.items():

            valid_owners = module_group.mod_name.get(dll, [])
            if not valid_owners:
                #debug.debug("Cannot find any modules named {0}".format(dll))
                continue

            for (_, f, n) in functions:

                if not f:
                    #debug.debug("IAT function {0} is paged or ordinal".format(n or ''))
                    continue

                if not addr_space.is_valid_address(f):
                    continue

                function_owner = module_group.find_module(f)

                if function_owner not in valid_owners:
                    hook = Hook(hook_type = HOOKTYPE_IAT,
                                hook_mode = hook_mode,
                                function_name = n or '',
                                hook_address = f,
                                hook_module = function_owner,
                                victim_module = dll, # only for IAT hooks
                                )
                    # Add the rootkit code
                    hook.add_hop_chunk(f, addr_space.zread(f, 24))
                    yield hook

        for _, f, n in exports:

            if not f:
                #debug.debug("EAT function {0} is paged".format(n or ''))
                continue

            function_address = f

            if not addr_space.is_valid_address(function_address):
                continue

            # Get the module containing the function
            function_owner = module_group.find_module(function_address)

            # This is a check for EAT hooks
            if function_owner != module:
                hook = Hook(hook_type = HOOKTYPE_EAT,
                            hook_mode = hook_mode,
                            function_name = n or '',
                            hook_address = function_address,
                            hook_module = function_owner,
                            )
                hook.add_hop_chunk(function_address, addr_space.zread(function_address, 24))
                yield hook

                # No need to check for inline hooks if EAT is hooked
                continue

            ret = self.check_inline(function_address, addr_space, module.DllBase,
                                    module.DllBase + module.SizeOfImage)

            if ret == None:
                #debug.debug("Cannot analyze {0}".format(n or ''))
                continue

            (hooked, data, dest_addr) = ret

            if not hooked:
                continue

            if not addr_space.is_valid_address(dest_addr):
                continue

            function_owner = module_group.find_module(dest_addr)
            if function_owner != module:
                # only do this for kernel hooks
                #if params['mode'] == HOOK_MODE_KERNEL:
                #    if owner:
                #        if self.in_data_section(owner, status['destaddr']):
                #            continue

                hook = Hook(hook_type = HOOKTYPE_INLINE,
                            hook_mode = hook_mode,
                            function_name = n or '',
                            function_address = function_address,
                            hook_address = dest_addr,
                            hook_module = function_owner,
                            victim_module = module,
                            )
                # Add the function prologue
                hook.add_hop_chunk(function_address, data)
                # Add the first redirection
                hook.add_hop_chunk(dest_addr, addr_space.zread(dest_addr, 24))
                yield hook

    def calculate(self):

        addr_space = utils.load_as(self._config)

        if not has_distorm3:
            debug.error("Install distorm3 code.google.com/p/distorm/")

        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")

        if not self._config.SKIP_PROCESS:
            for proc in self.filter_tasks(tasks.pslist(addr_space)):
                process_name = str(proc.ImageFileName).lower()

                if (self._config.QUICK and
                        process_name not in self.critical_process):
                    #debug.debug("Skipping non-critical process {0} ({1})".format(
                    #    process_name, proc.UniqueProcessId))
                    continue

                process_space = proc.get_process_address_space()
                if not process_space:
                    #debug.debug("Cannot acquire process AS for {0} ({1})".format(
                    #    process_name, proc.UniqueProcessId))
                    continue

                module_group = ModuleGroup(proc.get_load_modules())

                for dll in module_group.mods:

                    if not process_space.is_valid_address(dll.DllBase):
                        continue

                    dll_name = str(dll.BaseDllName or '').lower()

                    if (self._config.QUICK and
                            dll_name not in self.critical_dlls and
                            dll.DllBase != proc.Peb.ImageBaseAddress):
                        #debug.debug("Skipping non-critical dll {0} at {1:#x}".format(
                        #    dll_name, dll.DllBase))
                        continue
                    #debug.debug("Analyzing {0}!{1}".format(process_name, dll_name))

                    for hook in self.get_hooks(HOOK_MODE_USER, process_space, dll, module_group):
                        yield proc, dll, hook

        if not self._config.SKIP_KERNEL:
            process_list = list(tasks.pslist(addr_space))
            module_group = ModuleGroup(modules.lsmod(addr_space))

            for mod in module_group.mods:

                #module_name = str(mod.BaseDllName or '')
                #debug.debug("Analyzing {0}".format(module_name))

                kernel_space = tasks.find_space(addr_space,
                    process_list, mod.DllBase)

                if not kernel_space:
                    #debug.debug("No kernel AS for {0} at {1:#x}".format(
                    #    module_name, mod.DllBase))
                    continue

                for hook in self.get_hooks(HOOK_MODE_KERNEL, kernel_space, mod, module_group):
                    yield None, mod, hook

    def render_text(self, outfd, data):
        for process, module, hook in data:

            if not self._config.NO_WHITELIST:

                if process:
                    process_name = str(process.ImageFileName)
                else:
                    process_name = ''

                if self.whitelist(hook.hook_mode | hook.hook_type,
                                  process_name, hook.VictimModule,
                                  hook.HookModule, hook.Function):
                    #debug.debug("Skipping whitelisted function: {0} {1} {2} {3}".format(
                    #    process_name, hook.VictimModule, hook.HookModule,
                    #    hook.Function))
                    continue

            outfd.write("*" * 72 + "\n")
            outfd.write("Hook mode: {0}\n".format(hook.Mode))
            outfd.write("Hook type: {0}\n".format(hook.Type))

            if process:
                outfd.write('Process: {0} ({1})\n'.format(
                    process.UniqueProcessId, process.ImageFileName))

            outfd.write("Victim module: {0} ({1:#x} - {2:#x})\n".format(
                str(module.BaseDllName or '') or ntpath.basename(str(module.FullDllName or '')),
                module.DllBase, module.DllBase + module.SizeOfImage))

            outfd.write("Function: {0}\n".format(hook.Detail))
            outfd.write("Hook address: {0:#x}\n".format(hook.hook_address))
            outfd.write("Hooking module: {0}\n\n".format(hook.HookModule))

            for n, info in enumerate(hook.disassembled_hops):
                (address, data) = info
                s = ["{0:#x} {1:<16} {2}".format(o, h, i)
                        for o, i, h in
                        malfind.Disassemble(data, int(address))
                    ]
                outfd.write("Disassembly({0}):\n{1}".format(n, "\n".join(s)))
                outfd.write("\n\n")

volatility-2.3.1/volatility/plugins/malware/svcscan.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2010, 2011, 2012 Michael Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.utils as utils
import volatility.obj as obj
import volatility.plugins.common as common
import volatility.win32.tasks as tasks
import volatility.debug as debug
import volatility.plugins.registry.registryapi as registryapi

#--------------------------------------------------------------------------------
# vtypes
#--------------------------------------------------------------------------------

SERVICE_TYPE_FLAGS = {
    'SERVICE_KERNEL_DRIVER': 0,
    'SERVICE_FILE_SYSTEM_DRIVER': 1,
    'SERVICE_WIN32_OWN_PROCESS': 4,
    'SERVICE_WIN32_SHARE_PROCESS': 5,
    'SERVICE_INTERACTIVE_PROCESS': 8}

SERVICE_STATE_ENUM = {
    1: 'SERVICE_STOPPED',
    2: 'SERVICE_START_PENDING',
    3: 'SERVICE_STOP_PENDING',
    4: 'SERVICE_RUNNING',
    5: 'SERVICE_CONTINUE_PENDING',
    6: 'SERVICE_PAUSE_PENDING',
    7: 'SERVICE_PAUSED'}

svcscan_base_x86 = {
    '_SERVICE_HEADER': [ None, {
        'Tag': [ 0x0, ['array', 4, ['unsigned char']]],
        'ServiceRecord': [ 0xC, ['pointer', ['_SERVICE_RECORD']]],
    } ],
    '_SERVICE_LIST_ENTRY' : [ 0x8, {
        'Blink' : [ 0x0, ['pointer', ['_SERVICE_RECORD']]],
        'Flink' : [ 0x4, ['pointer', ['_SERVICE_RECORD']]],
    } ],
    '_SERVICE_RECORD' : [ None, {
        'ServiceList' : [ 0x0, ['_SERVICE_LIST_ENTRY']],
        'ServiceName' : [ 0x8, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]],
        'DisplayName' : [ 0xc, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]],
        'Order' : [ 0x10, ['unsigned int']],
        'Tag' : [ 0x18, ['array', 4, ['unsigned char']]],
        'DriverName' : [ 0x24, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
        'ServiceProcess' : [ 0x24, ['pointer', ['_SERVICE_PROCESS']]],
        'Type' : [ 0x28, ['Flags', {'bitmap': SERVICE_TYPE_FLAGS}]],
        'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = SERVICE_STATE_ENUM)]],
    } ],
    '_SERVICE_PROCESS' : [ None, {
        'BinaryPath' : [ 0x8, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
        'ProcessId' : [ 0xc, ['unsigned int']],
    } ],
}

svcscan_base_x64 = {
    '_SERVICE_HEADER': [ None, {
        'Tag': [ 0x0, ['array', 4, ['unsigned char']]],
        'ServiceRecord': [ 0x10, ['pointer', ['_SERVICE_RECORD']]],
    } ],
    '_SERVICE_LIST_ENTRY' : [ 0x8, {
        'Blink' : [ 0x0, ['pointer', ['_SERVICE_RECORD']]],
        'Flink' : [ 0x10, ['pointer', ['_SERVICE_RECORD']]],
    } ],
    '_SERVICE_RECORD' : [ None, {
        'ServiceList' : [ 0x0, ['_SERVICE_LIST_ENTRY']],
        'ServiceName' : [ 0x8, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]],
        'DisplayName' : [ 0x10, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]],
        'Order' : [ 0x18, ['unsigned int']],
        'Tag' : [ 0x20, ['array', 4, ['unsigned char']]],
        'DriverName' : [ 0x30, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
        'ServiceProcess' : [ 0x30, ['pointer', ['_SERVICE_PROCESS']]],
        'Type' : [ 0x38, ['Flags', {'bitmap': SERVICE_TYPE_FLAGS}]],
        'State' : [ 0x3C, ['Enumeration', dict(target = 'long', choices = SERVICE_STATE_ENUM)]],
    } ],
    '_SERVICE_PROCESS': [ None, {
        'BinaryPath': [ 0x10, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
        'ProcessId': [ 0x18, ['unsigned int']],
    } ],
}

#--------------------------------------------------------------------------------
# object Classes
#--------------------------------------------------------------------------------

class _SERVICE_RECORD_LEGACY(obj.CType):
    "Service records for XP/2003 x86 and x64"

    @property
    def Binary(self):
        "Return the binary path for a service"

        # No path in memory for services that aren't running
        # (if needed, query the registry key)
        if str(self.State) != 'SERVICE_RUNNING':
            return obj.NoneObject("No path, service isn't running")

        # Depending on whether the service is for a process
        # or kernel driver, the binary path is stored differently
        if 'PROCESS' in str(self.Type):
            return self.ServiceProcess.BinaryPath.dereference()
        else:
            return self.DriverName.dereference()

    @property
    def Pid(self):
        "Return the process ID for a service"

        if str(self.State) == 'SERVICE_RUNNING':
            if 'PROCESS' in str(self.Type):
                return self.ServiceProcess.ProcessId

        return obj.NoneObject("Cannot get process ID")

    def is_valid(self):
        "Check some fields for validity"
        return obj.CType.is_valid(self) and self.Order > 0 and self.Order < 0xFFFF

    def traverse(self):

        rec = self # Include this object in the list
        while rec and rec.is_valid():
            yield rec
            rec = rec.ServiceList.Blink.dereference()

class _SERVICE_RECORD_RECENT(_SERVICE_RECORD_LEGACY):
    "Service records for 2008, Vista, 7 x86 and x64"

    def traverse(self):
        """Generator that walks the singly-linked list"""

        yield self # Include this object in the list

        # Make sure we dereference these pointers, or the
        # is_valid() checks will apply to the pointer and
        # not the _SERVICE_RECORD object as intended.
        rec = self.PrevEntry.dereference()
        while rec and rec.is_valid():
            yield rec
            rec = rec.PrevEntry.dereference()

class _SERVICE_HEADER(obj.CType):
    "Service headers for 2008, Vista, 7 x86 and x64"

    def is_valid(self):
        "Check some fields for validity"
        return (obj.CType.is_valid(self) and
                self.ServiceRecord.is_valid() and
                self.ServiceRecord.Order < 0xFFFF)

#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------

class ServiceBase(obj.ProfileModification):
    """The base applies to XP and 2003 SP0-SP1"""

    before = ['WindowsOverlay', 'WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        profile.object_classes.update({
            '_SERVICE_RECORD': _SERVICE_RECORD_LEGACY,
            '_SERVICE_HEADER': _SERVICE_HEADER,
        })
        profile.merge_overlay({'VOLATILITY_MAGIC': [ None, {
            'ServiceTag': [ 0x0, ['VolatilityMagic', dict(value = "sErv")]]
            }]})
        profile.vtypes.update(svcscan_base_x86)

class ServiceBasex64(obj.ProfileModification):
    """This overrides the base x86 vtypes with x64 vtypes"""

    before = ['WindowsOverlay', 'WindowsObjectClasses', 'ServiceBase']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit'}

    def modification(self, profile):
        profile.vtypes.update(svcscan_base_x64)

class ServiceVista(obj.ProfileModification):
    """Override the base with OC's for Vista, 2008, and 7"""

    before = ['WindowsOverlay', 'WindowsObjectClasses', 'ServiceBase']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x >= 6}

    def modification(self, profile):
        profile.object_classes.update({
            '_SERVICE_RECORD': _SERVICE_RECORD_RECENT,
        })
        profile.merge_overlay({'VOLATILITY_MAGIC': [ None, {
            'ServiceTag': [ 0x0, ['VolatilityMagic', dict(value = "serH")]]
            }]})

class ServiceVistax86(obj.ProfileModification):
    """Override the base with vtypes for x86 Vista, 2008, and 7"""

    before = ['WindowsOverlay',
              'WindowsObjectClasses', 'ServiceBase']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x >= 6,
                  'memory_model': lambda x: x == '32bit'}

    def modification(self, profile):
        profile.merge_overlay({'_SERVICE_RECORD': [ None, {
            'PrevEntry': [ 0x0, ['pointer', ['_SERVICE_RECORD']]],
            'ServiceName': [ 0x4, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]],
            'DisplayName': [ 0x8, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]],
            'Order': [ 0xC, ['unsigned int']],
            'ServiceProcess': [ 0x1C, ['pointer', ['_SERVICE_PROCESS']]],
            'DriverName': [ 0x1C, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
            'Type' : [ 0x20, ['Flags', {'bitmap': SERVICE_TYPE_FLAGS}]],
            'State': [ 0x24, ['Enumeration', dict(target = 'long', choices = SERVICE_STATE_ENUM)]],
            }]})

class ServiceVistax64(obj.ProfileModification):
    """Override the base with vtypes for x64 Vista, 2008, and 7"""

    before = ['WindowsOverlay', 'WindowsObjectClasses', 'ServiceBase']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x >= 6,
                  'memory_model': lambda x: x == '64bit'}

    def modification(self, profile):
        profile.merge_overlay({'_SERVICE_RECORD': [ None, {
            'PrevEntry': [ 0x0, ['pointer', ['_SERVICE_RECORD']]],
            'ServiceName': [ 0x8, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]],
            'DisplayName': [ 0x10, ['pointer', ['String', dict(encoding = 'utf16', length = 512)]]],
            'Order': [ 0x18, ['unsigned int']],
            'ServiceProcess': [ 0x28, ['pointer', ['_SERVICE_PROCESS']]],
            'DriverName': [ 0x28, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
            'Type' : [ 0x30, ['Flags', {'bitmap': SERVICE_TYPE_FLAGS}]],
            'State': [ 0x34, ['Enumeration', dict(target = 'long', choices = SERVICE_STATE_ENUM)]],
            }]})

#--------------------------------------------------------------------------------
# svcscan plugin
#--------------------------------------------------------------------------------

class SvcScan(common.AbstractWindowsCommand):
    "Scan for Windows services"

    def calculate(self):
        addr_space = utils.load_as(self._config)

        # Get the version we're analyzing
        version = (addr_space.profile.metadata.get('major', 0),
                   addr_space.profile.metadata.get('minor', 0))

        tag = obj.VolMagic(addr_space).ServiceTag.v()

        # On systems more recent than XP/2003, the serH marker doesn't
        # find *all* services, but the ones it does find have linked
        # lists to the others. We use this variable to track which
        # ones we've seen so as to not yield duplicates.
        records = []

        for task in tasks.pslist(addr_space):
            # We only want the Service Control Manager process
            if str(task.ImageFileName).lower() != "services.exe":
                continue
            # Process AS must be valid
            process_space = task.get_process_address_space()
            if process_space == None:
                continue
            # Find all instances of the record tag
            for address in task.search_process_memory([tag]):
                if version <= (5, 2):
                    # Windows XP/2003
                    rec = obj.Object("_SERVICE_RECORD", offset = address -
                            addr_space.profile.get_obj_offset('_SERVICE_RECORD', 'Tag'),
                            vm = process_space
                            )
                    # Apply our sanity checks
                    if rec.is_valid():
                        yield rec
                else:
                    # Windows Vista, 2008, and 7
                    svc_hdr = obj.Object('_SERVICE_HEADER', offset = address,
                            vm = process_space)
                    # Apply our sanity checks
                    if svc_hdr.is_valid():
                        # Since we walk the s-list backwards, if we've seen
                        # an object, then we've also seen all objects that
                        # exist before it, thus we can break at that time.
                        for rec in svc_hdr.ServiceRecord.traverse():
                            if rec in records:
                                break
                            records.append(rec)
                            yield rec

    def render_dot(self, outfd, data):
        """Generate a dot graph of service relationships.

        This currently only works for XP/2003 profiles,
        because the linked list was removed after that.
        """

        ## Collect all the service records from calculate()
        all_services = [d for d in data]

        ## Abort if we're not using the supported profiles
        if all_services[0].obj_vm.profile.metadata.get('major', 0) != 5:
            debug.error("This profile does not support --output=dot format")

        objects = set()
        links = set()

        for svc in all_services:
            label = "{{ {0:#x} \\n {1} \\n {2} \\n F:{3:#x} B:{4:#x} }}".format(
                svc.obj_offset,
                svc.ServiceName.dereference(),
                str(svc.State),
                svc.ServiceList.Flink.v(),
                svc.ServiceList.Blink.v())

            objects.add('"{0:#x}" [label="{1}" shape="record"];\n'.format(
                svc.obj_offset, label))

            ## Check the linked list pointers
            flink = svc.ServiceList.Flink.dereference()
            blink = svc.ServiceList.Blink.dereference()

            if flink.is_valid():
                links.add('"{0:#x}" -> "{1:#x}" [];\n'.format(
                    svc.obj_offset, flink.obj_offset))

            if blink.is_valid():
                links.add('"{0:#x}" -> "{1:#x}" [];\n'.format(
                    svc.obj_offset, blink.obj_offset))

        ## Now write the graph nodes
        outfd.write("digraph svctree { \ngraph [rankdir = \"TB\"];\n")

        for item in objects:
            outfd.write(item)

        for link in links:
            outfd.write(link)

        outfd.write("}\n")

    def render_text(self, outfd, data):

        if self._config.VERBOSE:
            regapi = registryapi.RegistryApi(self._config)

        for rec in data:
            # This can't possibly look neat in a table with columns...
            outfd.write("Offset: {0:#x}\n".format(rec.obj_offset))
            outfd.write("Order: {0}\n".format(rec.Order))
            outfd.write("Process ID: {0}\n".format(rec.Pid))
            outfd.write("Service Name: {0}\n".format(rec.ServiceName.dereference()))
            outfd.write("Display Name: {0}\n".format(rec.DisplayName.dereference()))
            outfd.write("Service Type: {0}\n".format(rec.Type))
            outfd.write("Service State: {0}\n".format(rec.State))
            outfd.write("Binary Path: {0}\n".format(rec.Binary))

            if self._config.VERBOSE:
                ccs = regapi.reg_get_currentcontrolset()
                val = regapi.reg_get_value(
                    hive_name = "system",
                    key = "{0}\\services\\{1}\\Parameters".format(ccs, rec.ServiceName.dereference()),
                    value = "ServiceDll")
                if val is not None:
                    outfd.write("ServiceDll: {0}\n".format(val))
            outfd.write("\n")

volatility-2.3.1/volatility/plugins/malware/malfind.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2010, 2011, 2012 Michael Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
# File-wide pylint filter for protected members, since we have three _BLAH structures
#pylint: disable-msg=W0212

import os
import volatility.utils as utils
import volatility.obj as obj
import volatility.debug as debug
import volatility.win32.tasks as tasks
import volatility.win32.modules as modules
import volatility.plugins.taskmods as taskmods
import volatility.plugins.vadinfo as vadinfo
import volatility.plugins.overlays.windows.windows as windows
import volatility.constants as constants

try:
    import yara
    has_yara = True
except ImportError:
    has_yara = False

try:
    import distorm3
    has_distorm3 = True
except ImportError:
    has_distorm3 = False

#--------------------------------------------------------------------------------
# object classes
#--------------------------------------------------------------------------------

class MalwareEPROCESS(windows._EPROCESS):
    """Extension of the default EPROCESS with some helpers"""

    @property
    def IsWow64(self):
        """Returns True if this is a wow64 process"""
        return hasattr(self, 'Wow64Process') and self.Wow64Process.v() != 0

    @property
    def SessionId(self):
        """Returns the Session ID of the process"""

        if self.Session.is_valid():
            process_space = self.get_process_address_space()
            if process_space:
                return obj.Object("_MM_SESSION_SPACE",
                                  offset = self.Session,
                                  vm = process_space).SessionId

        return obj.NoneObject("Cannot find process session")

    def get_vads(self, vad_filter = None, skip_max_commit = False):
        """
        Generator for MMVADs that match specific
        metadata.

        @param vad_filter: a callable that is passed the
        current MMVAD and applies tests to the MMVAD struct
        members or nested struct members.

        @param skip_max_commit: boolean, if true then VADs
        for Wow64 processes with the MM_MAX_COMMIT flag set
        will not be yielded.

        @yields a tuple (mmvad, address_space). Where mmvad is
        the MMVAD object in kernel AS and address_space
        is the process address space.
        """

        # We absolutely need a process AS. If this
        # fails then all else fails
        process_space = self.get_process_address_space()
        if not process_space:
            return

        for vad in self.VadRoot.traverse():

            if not vad.is_valid():
                continue

            # Skip Wow64 MM_MAX_COMMIT range
            if (skip_max_commit and self.IsWow64 and
                    vad.u.VadFlags.CommitCharge == 0x7ffffffffffff and
                    vad.End > 0x7fffffff):
                continue

            # Apply the meta filter if one is supplied
            if vad_filter:
                if not vad_filter(vad):
                    continue

            yield vad, process_space

    def search_process_memory(self, s):
        """
        Search memory for a simple byte string.

        FIXME: as of 2.3 this parameter can also be a list to
        search for multiple strings concurrently. The
        single string will be deprecated in 3.0.

        @param s: the string to search for.

        @returns every occurrence of the string
        in process memory (as absolute address).
        """

        # Allow for some overlap in case objects are
        # right on page boundaries
        overlap = 1024

        # Make sure s is a list. This allows you to search for
        # multiple strings at once, without changing the API.
        if type(s) != list:
            debug.warning("Single strings to search_process_memory is deprecated, use a list instead")
            s = [s]

        # All MMVADs that belong to this process.
        for vad, address_space in self.get_vads(skip_max_commit = True):
            offset = vad.Start
            out_of_range = vad.Start + vad.Length
            while offset < out_of_range:
                # Read some data and match it.
                to_read = min(constants.SCAN_BLOCKSIZE + overlap, out_of_range - offset)
                data = address_space.zread(offset, to_read)
                if not data:
                    break
                for x in s:
                    for hit in utils.iterfind(data, x):
                        yield offset + hit
                offset += min(to_read, constants.SCAN_BLOCKSIZE)

    def _injection_filter(self, vad):
        """
        This is a callback that's executed by get_vads()
        when searching for injected code / hidden DLLs.
        This looks for private allocations that are committed,
        memory-resident, non-empty (not all zeros) and with an
        original protection that includes write and execute.

        It is important to note that protections are applied at
        the allocation granularity (page level).
        Thus the original protection might not be the current
        protection, and it also might not apply to all pages
        in the VAD range.

        @param vad: an MMVAD object.

        @returns: True if the MMVAD looks like it might
        contain injected code.
        """
        protect = vadinfo.PROTECT_FLAGS.get(vad.u.VadFlags.Protection.v(), "")
        write_exec = "EXECUTE" in protect and "WRITE" in protect

        # The Write/Execute check applies to everything
        if not write_exec:
            return False

        # This is a typical VirtualAlloc'd injection
        if vad.u.VadFlags.PrivateMemory == 1 and vad.Tag == "VadS":
            return True

        # This is a stuxnet-style injection
        if (vad.u.VadFlags.PrivateMemory == 0 and
                protect != "PAGE_EXECUTE_WRITECOPY"):
            return True

        return False

    def _mapped_file_filter(self, vad):
        """
        This is a callback that's executed by get_vads()
        when searching for memory-mapped files.

        @param vad: an MMVAD object.

        @returns: True if the MMVAD looks like it might
        contain a mapped file.
        """

        return vad.u.VadFlags.PrivateMemory == 0 and vad.ControlArea

    def environment_variables(self):
        """Generator for environment variables.

        The PEB points to our env block - a series of null-terminated
        unicode strings. Each string cannot be more than 0x7FFF chars.
        End of the list is a quad-null.
        """

        # Address of the environment block
        if not self.Peb.ProcessParameters.Environment.is_valid():
            return

        process_space = self.get_process_address_space()
        if not process_space:
            return

        block = self.Peb.ProcessParameters.Environment

        s = obj.Object("String", offset = block, vm = process_space,
                       encoding = 'utf16', length = 0x7FFF)

        # The terminator is a quad null
        while len(s):
            if s.count(u"=") == 1:
                yield s.split(u"=")

            # Scan forward the length of this string plus the null
            next_offset = s.obj_offset + ((len(s) + 1) * 2)

            s = obj.Object("String", offset = next_offset,
                           vm = process_space, encoding = 'utf16', length = 0x7FFF)

#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------

class MalwareObjectClasesXP(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        profile.object_classes.update({
            '_EPROCESS': MalwareEPROCESS,
        })

#--------------------------------------------------------------------------------
# functions
#--------------------------------------------------------------------------------

def Disassemble(data, start, bits = '32bit', stoponret = False):
    """Disassemble code with distorm3.

    @param data: python byte str to decode
    @param start: address where `data` is found in memory
    @param bits: use 32bit or 64bit decoding
    @param stoponret: stop disasm when function end is reached

    @returns: tuple of (offset, instruction, hex bytes)
    """

    if not has_distorm3:
        raise StopIteration

    if bits == '32bit':
        mode = distorm3.Decode32Bits
    else:
        mode = distorm3.Decode64Bits

    for o, _, i, h in distorm3.DecodeGenerator(start, data, mode):
        if stoponret and i.startswith("RET"):
            raise StopIteration
        yield o, i, h

#--------------------------------------------------------------------------------
# scanners by scudette
#
# unfortunately the existing scanning framework (i.e. scan.BaseScanner) has
# some shortcomings that don't allow us to integrate yara easily.
#
# FIXME: these may need updating after resolving issue 310 which aims to
# enhance the scan.BaseScanner to better support things like this
#--------------------------------------------------------------------------------

class BaseYaraScanner(object):
    """An address space scanner for Yara signatures."""
    overlap = 1024

    def __init__(self, address_space = None, rules = None):
        self.rules = rules
        self.address_space = address_space

    def scan(self, offset, maxlen):
        # Start scanning from offset until maxlen:
        i = offset

        while i < offset + maxlen:
            # Read some data and match it.
            to_read = min(constants.SCAN_BLOCKSIZE + self.overlap, offset + maxlen - i)
            data = self.address_space.zread(i, to_read)
            if data:
                for match in self.rules.match(data = data):
                    # We currently don't use name or value from the
                    # yara results but they can be yielded in the
                    # future if necessary.
                    for moffset, _name, _value in match.strings:
                        if moffset < constants.SCAN_BLOCKSIZE:
                            yield match, moffset + i

            i += constants.SCAN_BLOCKSIZE

class VadYaraScanner(BaseYaraScanner):
    """A scanner over all memory regions of a process."""

    def __init__(self, task = None, **kwargs):
        """Scan the process address space through the Vads.

        Args:
          task: The _EPROCESS object for this task.
        """
        self.task = task
        BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)

    def scan(self, offset = 0, maxlen = None):
        for vad, self.address_space in self.task.get_vads(skip_max_commit = True):
            for match in BaseYaraScanner.scan(self, vad.Start, vad.Length):
                yield match

class DiscontigYaraScanner(BaseYaraScanner):
    """A Scanner for Discontiguous scanning."""

    def scan(self, start_offset = 0, maxlen = None):
        contiguous_offset = 0
        total_length = 0
        for (offset, length) in self.address_space.get_available_addresses():
            # Skip ranges before the start_offset
            if self.address_space.address_compare(offset, start_offset) == -1:
                continue

            # Skip ranges that are too high (if maxlen is specified)
            if maxlen != None:
                if self.address_space.address_compare(offset, start_offset + maxlen) > 0:
                    continue

            # Try to join up adjacent pages as much as possible.
            if offset == contiguous_offset + total_length:
                total_length += length
            else:
                # Scan the last contiguous range.
                for match in BaseYaraScanner.scan(self, contiguous_offset, total_length):
                    yield match

                # Reset the contiguous range.
                contiguous_offset = offset
                total_length = length

        if total_length > 0:
            # Do the last range.
            for match in BaseYaraScanner.scan(self, contiguous_offset, total_length):
                yield match

#--------------------------------------------------------------------------------
# yarascan
#--------------------------------------------------------------------------------

class YaraScan(taskmods.DllList):
    "Scan process or kernel memory with Yara signatures"

    def __init__(self, config, *args, **kwargs):
        taskmods.DllList.__init__(self, config, *args, **kwargs)
        config.add_option("KERNEL", short_option = 'K', default = False, action = 'store_true',
                          help = 'Scan kernel modules')
        config.add_option("WIDE", short_option = 'W', default = False, action = 'store_true',
                          help = 'Match wide (unicode) strings')
        config.add_option('YARA-RULES', short_option = 'Y', default = None,
                          help = 'Yara rules (as a string)')
        config.add_option('YARA-FILE', short_option = 'y', default = None,
                          help = 'Yara rules (rules file)')
        config.add_option('DUMP-DIR', short_option = 'D', default = None,
                          help = 'Directory in which to dump the files')

    def _compile_rules(self):
        """Compile the YARA rules from command-line parameters.

        @returns: a YARA object on which you can call 'match'

        This function causes the plugin to exit if the YARA
        rules have syntax errors or are not supplied correctly.
        """

        rules = None

        try:
            if self._config.YARA_RULES:
                s = self._config.YARA_RULES
                # Don't wrap hex or regex rules in quotes
                if s[0] not in ("{", "/"):
                    s = '"' + s + '"'
                # Scan for unicode strings
                if self._config.WIDE:
                    s += "wide"
                rules = yara.compile(sources = {
                    'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}'
                    })
            elif self._config.YARA_FILE:
                rules = yara.compile(self._config.YARA_FILE)
            else:
                debug.error("You must specify a string (-Y) or a rules file (-y)")
        except yara.SyntaxError, why:
            debug.error("Cannot compile rules: {0}".format(str(why)))

        return rules

    def calculate(self):

        if not has_yara:
            debug.error("Please install Yara from code.google.com/p/yara-project")

        addr_space = utils.load_as(self._config)

        rules = self._compile_rules()

        if self._config.KERNEL:

            # Find KDBG so we know where kernel memory begins. Do not assume
            # the starting range is 0x80000000 because we may be dealing with
            # an image with the /3GB boot switch.
            kdbg = tasks.get_kdbg(addr_space)
            start = kdbg.MmSystemRangeStart.dereference_as("Pointer")

            # Modules so we can map addresses to owners
            mods = dict((addr_space.address_mask(mod.DllBase), mod)
                        for mod in modules.lsmod(addr_space))
            mod_addrs = sorted(mods.keys())

            # There are multiple views (GUI sessions) of kernel memory.
            # Since we're scanning virtual memory and not physical,
            # all sessions must be scanned for full coverage. This
            # really only has a positive effect if the data you're
            # searching for is in GUI memory.
            sessions = []

            for proc in tasks.pslist(addr_space):
                sid = proc.SessionId
                # Skip sessions we've already seen
                if sid == None or sid in sessions:
                    continue

                session_space = proc.get_process_address_space()
                if session_space == None:
                    continue

                sessions.append(sid)
                scanner = DiscontigYaraScanner(address_space = session_space,
                                               rules = rules)

                for hit, address in scanner.scan(start_offset = start):
                    module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
                    yield (module, address, hit, session_space.zread(address, 1024))

        else:
            for task in self.filter_tasks(tasks.pslist(addr_space)):
                scanner = VadYaraScanner(task = task, rules = rules)
                for hit, address in scanner.scan():
                    yield (task, address, hit, scanner.address_space.zread(address, 1024))

    def render_text(self, outfd, data):

        if self._config.DUMP_DIR and not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        for o, addr, hit, content in data:
            outfd.write("Rule: {0}\n".format(hit.rule))

            # Find out if the hit is from user or kernel mode
            if o == None:
                outfd.write("Owner: (Unknown Kernel Memory)\n")
                filename = "kernel.{0:#x}.dmp".format(addr)
            elif o.obj_name == "_EPROCESS":
                outfd.write("Owner: Process {0} Pid {1}\n".format(o.ImageFileName,
                    o.UniqueProcessId))
                filename = "process.{0:#x}.{1:#x}.dmp".format(o.obj_offset, addr)
            else:
                outfd.write("Owner: {0}\n".format(o.BaseDllName))
                filename = "kernel.{0:#x}.{1:#x}.dmp".format(o.obj_offset, addr)

            # Dump the data if --dump-dir was supplied
            if self._config.DUMP_DIR:
                path = os.path.join(self._config.DUMP_DIR, filename)
                fh = open(path, "wb")
                fh.write(content)
                fh.close()

            outfd.write("".join(
                ["{0:#010x} {1:<48} {2}\n".format(addr + o, h, ''.join(c))
                for o, h, c in utils.Hexdump(content[0:64])
                ]))

#--------------------------------------------------------------------------------
# malfind
#--------------------------------------------------------------------------------

class Malfind(vadinfo.VADDump):
    "Find hidden and injected code"

    def __init__(self, config, *args, **kwargs):
        vadinfo.VADDump.__init__(self, config, *args, **kwargs)
        config.remove_option("BASE")

    def _is_vad_empty(self, vad, address_space):
        """
        Check if a VAD region is either entirely unavailable
        due to paging, entirely consisting of zeros, or a
        combination of the two. This helps ignore false positives
        whose VAD flags match task._injection_filter requirements
        but there's no data and thus not worth reporting it.

        @param vad: an MMVAD object in kernel AS
        @param address_space: the process address space
        """

        PAGE_SIZE = 0x1000
        all_zero_page = "\x00" * PAGE_SIZE

        offset = 0
        while offset < vad.Length:
            next_addr = vad.Start + offset
            if (address_space.is_valid_address(next_addr) and
                    address_space.read(next_addr, PAGE_SIZE) != all_zero_page):
                return False
            offset += PAGE_SIZE

        return True

    def render_text(self, outfd, data):

        if not has_distorm3:
            debug.warning("For best results please install distorm3")

        if self._config.DUMP_DIR and not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        for task in data:
            for vad, address_space in task.get_vads(vad_filter = task._injection_filter):

                if self._is_vad_empty(vad, address_space):
                    continue

                content = address_space.zread(vad.Start, 64)

                outfd.write("Process: {0} Pid: {1} Address: {2:#x}\n".format(
                    task.ImageFileName, task.UniqueProcessId, vad.Start))

                outfd.write("Vad Tag: {0} Protection: {1}\n".format(
                    vad.Tag, vadinfo.PROTECT_FLAGS.get(vad.u.VadFlags.Protection.v(), "")))

                outfd.write("Flags: {0}\n".format(str(vad.u.VadFlags)))
                outfd.write("\n")

                outfd.write("{0}\n".format("\n".join(
                    ["{0:#010x} {1:<48} {2}".format(vad.Start + o, h, ''.join(c))
                    for o, h, c in utils.Hexdump(content)
                    ])))

                outfd.write("\n")
                outfd.write("\n".join(
                    ["{0:#x} {1:<16} {2}".format(o, h, i)
                    for o, i, h in Disassemble(content, vad.Start)
                    ]))

                # Dump the data if --dump-dir was supplied
                if self._config.DUMP_DIR:

                    filename = os.path.join(self._config.DUMP_DIR,
                        "process.{0:#x}.{1:#x}.dmp".format(
                        task.obj_offset, vad.Start))

                    self.dump_vad(filename, vad, address_space)

                outfd.write("\n\n")

#--------------------------------------------------------------------------------
# ldrmodules
#--------------------------------------------------------------------------------

class LdrModules(taskmods.DllList):
    "Detect unlinked DLLs"

    def render_text(self, outfd, data):

        self.table_header(outfd,
                          [("Pid", "8"),
                           ("Process", "20"),
                           ("Base", "[addrpad]"),
                           ("InLoad", "5"),
                           ("InInit", "5"),
                           ("InMem", "5"),
                           ("MappedPath", "")
                           ])

        for task in data:
            # Build a dictionary for all three PEB lists where the
            # keys are base address and module objects are the values
            inloadorder = dict((mod.DllBase.v(), mod)
                               for mod in task.get_load_modules())
            ininitorder = dict((mod.DllBase.v(), mod)
                               for mod in task.get_init_modules())
            inmemorder = dict((mod.DllBase.v(), mod)
                              for mod in task.get_mem_modules())

            # Build a similar dictionary for the mapped files
            mapped_files = {}
            for vad, address_space in task.get_vads(vad_filter = task._mapped_file_filter):
                # Note this is a lot faster than acquiring the full
                # vad region and then checking the first two bytes.
                if obj.Object("_IMAGE_DOS_HEADER", offset = vad.Start, vm = address_space).e_magic != 0x5A4D:
                    continue

                mapped_files[int(vad.Start)] = str(vad.FileObject.FileName or '')

            # For each base address with a mapped file, print info on
            # the other PEB lists to spot discrepancies.
            for base in mapped_files.keys():
                # Does the base address exist in the PEB DLL lists?
                load_mod = inloadorder.get(base, None)
                init_mod = ininitorder.get(base, None)
                mem_mod = inmemorder.get(base, None)

                # Report if the mapped files are in the PEB lists
                self.table_row(outfd,
                        task.UniqueProcessId,
                        task.ImageFileName,
                        base,
                        str(load_mod != None),
                        str(init_mod != None),
                        str(mem_mod != None),
                        mapped_files[base]
                        )

                # Print the full paths and base names in verbose mode
                if self._config.verbose:
                    if load_mod:
                        outfd.write(" Load Path: {0} : {1}\n".format(load_mod.FullDllName, load_mod.BaseDllName))
                    if init_mod:
                        outfd.write(" Init Path: {0} : {1}\n".format(init_mod.FullDllName, init_mod.BaseDllName))
                    if mem_mod:
                        outfd.write(" Mem Path: {0} : {1}\n".format(mem_mod.FullDllName, mem_mod.BaseDllName))

volatility-2.3.1/volatility/plugins/imagecopy.py

# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import os
import volatility.debug as debug
import volatility.utils as utils
import volatility.plugins.common as common

class ImageCopy(common.AbstractWindowsCommand):
    """Copies a physical address space out as a raw DD image"""

    def __init__(self, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, *args, **kwargs)
        self._config.add_option("BLOCKSIZE", short_option = "b", default = 1024 * 1024 * 5,
                                help = "Size (in bytes) of blocks to copy",
                                action = 'store', type = 'int')
        self._config.add_option("OUTPUT-IMAGE", short_option = "O", default = None,
                                help = "Writes a raw DD image out to OUTPUT-IMAGE",
                                action = 'store', type = 'str')

    def calculate(self):
        blocksize = self._config.BLOCKSIZE
        addr_space = utils.load_as(self._config, astype = 'physical')

        for s, l in addr_space.get_available_addresses():
            for i in range(s, s + l, blocksize):
                yield i, addr_space.zread(i, min(blocksize, s + l - i))

    def human_readable(self, value):
        for i in ['B', 'KB', 'MB', 'GB']:
            if value < 800:
                return "{0:0.2f} {1:s}".format(value, i)
            value = value / 1024.0
        return "{0:0.2f} TB".format(value)

    def render_text(self, outfd, data):
        """Renders the file to disk"""
        if self._config.OUTPUT_IMAGE is None:
            debug.error("Please provide an output-image filename")

        if os.path.exists(self._config.OUTPUT_IMAGE) and (os.path.getsize(self._config.OUTPUT_IMAGE) > 1):
            debug.error("Refusing to overwrite an existing file, please remove it before continuing")

        outfd.write("Writing data (" + self.human_readable(self._config.BLOCKSIZE) + " chunks): |")
        f = file(self._config.OUTPUT_IMAGE, "wb+")
        progress = 0
        try:
            for o, block in data:
                f.seek(o)
                f.write(block)
                f.flush()
                outfd.write(".")
                outfd.flush()
                progress = o
        except TypeError:
            debug.error("Error when reading from address space")
        except BaseException, e:
            debug.error("Unexpected error ({1}) during copy, recorded data up to offset {0:0x}".format(progress, str(e)))
        finally:
            f.close()
        outfd.write("|\n")

volatility-2.3.1/volatility/plugins/gui/
volatility-2.3.1/volatility/plugins/gui/windowstations.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj
import volatility.scan as scan
import volatility.utils as utils
import volatility.plugins.filescan as filescan
import volatility.plugins.common as common
import volatility.plugins.gui.sessions as sessions

class PoolScanWind(scan.PoolScanner):
    """PoolScanner for window station objects"""

    def object_offset(self, found, address_space):
        """ This returns the offset of the object contained within
        this pool allocation.
        """
        pool_base = found - \
                self.buffer.profile.get_obj_offset('_POOL_HEADER', 'PoolTag')

        pool_obj = obj.Object("_POOL_HEADER", vm = address_space,
                              offset = pool_base)

        pool_alignment = obj.VolMagic(address_space).PoolAlignment.v()

        object_base = (pool_base + pool_obj.BlockSize * pool_alignment -
                       common.pool_align(address_space,
                       'tagWINDOWSTATION', pool_alignment))

        return object_base

    checks = [ ('PoolTagCheck', dict(tag = "Win\xe4")),
               # seen as 0x98 on xpsp2 and xpsp3, 0x90 on w2k3*, 0xa0 on w7sp0
               ('CheckPoolSize', dict(condition = lambda x: x >= 0x90)),
               # only look in non-paged or free pools
               ('CheckPoolType', dict(paged = False, non_paged = True, free = True)),
               ('CheckPoolIndex', dict(value = 0)),
               ]

class WndScan(filescan.FileScan, sessions.SessionsMixin):
    """Pool scanner for tagWINDOWSTATION (window stations)"""

    def calculate(self):
        flat_space = utils.load_as(self._config, astype = 'physical')
        kernel_space = utils.load_as(self._config)

        # Scan for window station objects
        for offset in PoolScanWind().scan(flat_space):

            window_station = obj.Object("tagWINDOWSTATION",
                    offset = offset, vm = flat_space)

            # Basic sanity checks are included here
            if not window_station.is_valid():
                continue

            # Find an address space for this window station's session
            session = self.find_session_space(
                kernel_space, window_station.dwSessionId)

            if not session:
                continue

            # Reset the object's native VM so pointers are
            # dereferenced in session space
            window_station.set_native_vm(session.obj_vm)

            for winsta in window_station.traverse():
                if winsta.is_valid():
                    yield winsta

    def render_text(self, outfd, data):

        seen = []

        for window_station in data:

            offset = window_station.PhysicalAddress
            if offset in seen:
                continue
            seen.append(offset)

            outfd.write("*" * 50 + "\n")
            outfd.write("WindowStation: {0:#x}, Name: {1}, Next: {2:#x}\n".format(
                offset,
                window_station.Name,
                window_station.rpwinstaNext.v(),
                ))
            outfd.write("SessionId: {0}, AtomTable: {1:#x}, Interactive: {2}\n".format(
                window_station.dwSessionId,
                window_station.pGlobalAtomTable,
                window_station.Interactive,
                ))
            outfd.write("Desktops: {0}\n".format(
                ', '.join([desk.Name for desk in window_station.desktops()])
                ))
            outfd.write("ptiDrawingClipboard: pid {0} tid {1}\n".format(
                window_station.ptiDrawingClipboard.pEThread.Cid.UniqueProcess,
                window_station.ptiDrawingClipboard.pEThread.Cid.UniqueThread
                ))
            outfd.write("spwndClipOpen: {0:#x}, spwndClipViewer: {1:#x} {2} {3}\n".format(
                window_station.spwndClipOpen.v(),
                window_station.spwndClipViewer.v(),
                str(window_station.LastRegisteredViewer.UniqueProcessId or ""),
                str(window_station.LastRegisteredViewer.ImageFileName or ""),
                ))
            outfd.write("cNumClipFormats: {0}, iClipSerialNumber: {1}\n".format(
                window_station.cNumClipFormats,
                window_station.iClipSerialNumber,
                ))
            outfd.write("pClipBase: {0:#x}, Formats: {1}\n".format(
                window_station.pClipBase,
                ",".join([str(clip.fmt) for clip in window_station.pClipBase.dereference()]),
                ))

volatility-2.3.1/volatility/plugins/gui/eventhooks.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.plugins.gui.sessions as sessions

class EventHooks(sessions.Sessions):
    """Print details on windows event hooks"""

    def render_text(self, outfd, data):

        for session in data:
            shared_info = session.find_shared_info()

            if not shared_info:
                continue

            filters = [lambda x : str(x.bType) == "TYPE_WINEVENTHOOK"]

            for handle in shared_info.handles(filters):

                outfd.write("Handle: {0:#x}, Object: {1:#x}, Session: {2}\n".format(
                    handle.phead.h if handle.phead else 0,
                    handle.phead.v(),
                    session.SessionId))

                outfd.write("Type: {0}, Flags: {1}, Thread: {2}, Process: {3}\n".format(
                    handle.bType,
                    handle.bFlags,
                    handle.Thread.Cid.UniqueThread,
                    handle.Process.UniqueProcessId,
                ))

                event_hook = handle.reference_object()
                outfd.write("eventMin: {0:#x} {1}\neventMax: {2:#x} {3}\n".format(
                    event_hook.eventMin.v(),
                    str(event_hook.eventMin),
                    event_hook.eventMax.v(),
                    str(event_hook.eventMax),
                ))

                outfd.write("Flags: {0}, offPfn: {1:#x}, idProcess: {2}, idThread: {3}\n".format(
                    event_hook.dwFlags,
                    event_hook.offPfn,
                    event_hook.idProcess,
                    event_hook.idThread,
                ))

                ## Work out the WindowStation\Desktop path by the handle
                ## owner (thread or process)

                outfd.write("ihmod: {0}\n".format(event_hook.ihmod))
                outfd.write("\n")

volatility-2.3.1/volatility/plugins/gui/userhandles.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.plugins.gui.sessions as sessions
import volatility.debug as debug

class UserHandles(sessions.Sessions):
    """Dump the USER handle tables"""

    def __init__(self, config, *args, **kwargs):
        sessions.Sessions.__init__(self, config, *args, **kwargs)
        config.add_option('PID', short_option = 'p',
                          help = 'Pid filter', action = 'store',
                          type = 'int')
        config.add_option('TYPE', short_option = 't',
                          help = 'Handle type', action = 'store',
                          type = 'string')
        config.add_option('FREE', short_option = 'F',
                          help = 'Include free handles', action = 'store_true',
                          default = False)

    def render_text(self, outfd, data):

        for session in data:
            shared_info = session.find_shared_info()

            if not shared_info:
                debug.debug("Cannot find win32k!gSharedInfo")
                continue

            outfd.write("*" * 50 + "\n")
            outfd.write("SharedInfo: {0:#x}, SessionId: {1} Shared delta: {2}\n".format(
                shared_info.obj_offset,
                session.SessionId,
                shared_info.ulSharedDelta,
                ))

            outfd.write("aheList: {0:#x}, Table size: {1:#x}, Entry size: {2:#x}\n".format(
                shared_info.aheList.v(),
                shared_info.psi.cbHandleTable,
                shared_info.HeEntrySize if hasattr(shared_info, 'HeEntrySize') else shared_info.obj_vm.profile.get_obj_size("_HANDLEENTRY"),
                ))

            outfd.write("\n")

            filters = []

            # Should we display freed handles
            if not self._config.FREE:
                filters.append(lambda x : not x.Free)

            # Should we filter by process ID
            if self._config.PID:
                filters.append(lambda x : x.Process.UniqueProcessId == self._config.PID)

            # Should we filter by object type
            if self._config.TYPE:
                filters.append(lambda x : str(x.bType) == self._config.TYPE)

            self.table_header(outfd,
                              [("Object(V)", "[addrpad]"),
                               ("Handle", "[addr]"),
                               ("bType", "20"),
                               ("Flags", "^8"),
                               ("Thread", "^8"),
                               ("Process", ""),
                               ])

            for handle in shared_info.handles(filters):

                self.table_row(outfd,
                               handle.phead.v(),
                               handle.phead.h if handle.phead else
                               0,
                               handle.bType,
                               handle.bFlags,
                               handle.Thread.Cid.UniqueThread,
                               handle.Process.UniqueProcessId)

volatility-2.3.1/volatility/plugins/gui/sessions.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj
import volatility.utils as utils
import volatility.plugins.common as common
import volatility.win32.modules as modules
import volatility.win32.tasks as tasks

class SessionsMixin(object):
    """This is a mixin that plugins can inherit for access to the
    main sessions APIs."""

    def session_spaces(self, kernel_space):
        """ Generates unique _MM_SESSION_SPACE objects
        referenced by active processes.

        @param kernel_space: a kernel AS for process enumeration

        @yields _MM_SESSION_SPACE instantiated from the
        session space native_vm.
        """
        seen = []
        for proc in tasks.pslist(kernel_space):
            if proc.SessionId != None and proc.SessionId.v() not in seen:
                ps_ad = proc.get_process_address_space()
                if ps_ad != None:
                    seen.append(proc.SessionId.v())
                    yield obj.Object("_MM_SESSION_SPACE", offset = proc.Session.v(), vm = ps_ad)

    def find_session_space(self, kernel_space, session_id):
        """ Get a session address space by its ID.

        @param kernel_space: a kernel AS for process enumeration
        @param session_id: the session ID to find.

        @returns _MM_SESSION_SPACE instantiated from the
        session space native_vm.
        """
        for proc in tasks.pslist(kernel_space):
            if proc.SessionId == session_id:
                ps_ad = proc.get_process_address_space()
                if ps_ad != None:
                    return obj.Object("_MM_SESSION_SPACE", offset = proc.Session.v(), vm = ps_ad)
        return obj.NoneObject("Cannot locate a session")

class Sessions(common.AbstractWindowsCommand, SessionsMixin):
    """List details on _MM_SESSION_SPACE (user logon sessions)"""

    def calculate(self):
        kernel_space = utils.load_as(self._config)

        # Once for each unique _MM_SESSION_SPACE
        for session in self.session_spaces(kernel_space):
            yield session

    def render_text(self, outfd, data):

        # Kernel AS for looking up modules
        kernel_space = utils.load_as(self._config)

        # Modules sorted for address lookups
        mods = dict((kernel_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(kernel_space))
        mod_addrs = sorted(mods.keys())

        for session in data:
            outfd.write("*" * 50 + "\n")
            outfd.write("Session(V): {0:x} ID: {1} Processes: {2}\n".format(
                session.obj_offset,
                session.SessionId,
                len(list(session.processes())),
                ))
            outfd.write("PagedPoolStart: {0:x} PagedPoolEnd {1:x}\n".format(
                session.PagedPoolStart,
                session.PagedPoolEnd,
                ))
            for process in session.processes():
                outfd.write(" Process: {0} {1} {2}\n".format(
                    process.UniqueProcessId,
                    process.ImageFileName,
                    process.CreateTime,
                    ))
            for image in session.images():
                module = tasks.find_module(mods, mod_addrs, kernel_space.address_mask(image.Address))
                outfd.write(" Image: {0:#x}, Address {1:x}, Name: {2}\n".format(
                    image.obj_offset,
                    image.Address,
                    str(module and module.BaseDllName or '')
                    ))

volatility-2.3.1/volatility/plugins/gui/vtypes/
volatility-2.3.1/volatility/plugins/gui/vtypes/vista.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj
import volatility.plugins.gui.vtypes.win7_sp0_x64_vtypes_gui as win7_sp0_x64_vtypes_gui
import volatility.plugins.gui.constants as consts

class Vista2008x64GuiVTypes(obj.ProfileModification):

    before = ["XP2003x64BaseVTypes", "Win32Kx64VTypes"]

    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0}

    def modification(self, profile):
        # Enough stayed the same between Vista/2008 and Windows 7,
        ## so we can re-use the Windows 7 types. This is a bit unconventional
        ## because typically, when we re-use, we do it forward (i.e. use
        ## an older OS's types for a newer OS). However since the win32k.sys
        ## vtypes were never public until Windows 7, we're re-using backward.
        profile.vtypes.update(win7_sp0_x64_vtypes_gui.win32k_types)

        # We don't want to overlay or HeEntrySize from Win7 will
        # appear to be a valid member of the Vista structure.
        profile.vtypes.update({
            'tagSHAREDINFO' : [ 0x238, {
                'psi' : [ 0x0, ['pointer64', ['tagSERVERINFO']]],
                'aheList' : [ 0x8, ['pointer64', ['_HANDLEENTRY']]],
                'ulSharedDelta' : [ 0x18, ['unsigned long long']],
            }],
        })

        profile.merge_overlay({
            # From Win7SP0x64
            'tagDESKTOP' : [ None, {
                'pheapDesktop' : [ 0x78, ['pointer64', ['tagWIN32HEAP']]],
                'ulHeapSize' : [ 0x80, ['unsigned long']],
            }],
            'tagTHREADINFO' : [ None, {
                'ppi' : [ 0x68, ['pointer64', ['tagPROCESSINFO']]],
                'PtiLink' : [ 0x160, ['_LIST_ENTRY']],
            }],
            'tagHOOK': [ None, {
                'flags': [ None, ['Flags', {'bitmap': consts.HOOK_FLAGS}]]
            }],
            '_HANDLEENTRY': [ None, {
                'bType': [ None, ['Enumeration', dict(target = 'unsigned char', choices = consts.HANDLE_TYPE_ENUM)]],
            }],
            'tagWINDOWSTATION' : [ None, {
                'pClipBase' : [ None, ['pointer', ['array', lambda x : x.cNumClipFormats, ['tagCLIP']]]],
            }],
            'tagCLIP': [ None, {
                'fmt' : [ 0x0, ['Enumeration', dict(target = 'unsigned long', choices = consts.CLIPBOARD_FORMAT_ENUM)]],
            }],
        })

class Vista2008x86GuiVTypes(obj.ProfileModification):

    before = ["XP2003x86BaseVTypes", "Win32Kx86VTypes"]

    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0}

    def modification(self, profile):

        profile.merge_overlay({
            # The size is very important since we carve from bottom up
            'tagWINDOWSTATION' : [ 0x54, {
                'pClipBase' : [ None, ['pointer', ['array', lambda x : x.cNumClipFormats, ['tagCLIP']]]],
            }],
            'tagDESKTOP' : [ None, {
                'PtiList' : [ 0x64, ['_LIST_ENTRY']],
                'hsectionDesktop' : [ 0x3c, ['pointer', ['void']]],
                'pheapDesktop' : [ 0x40, ['pointer', ['tagWIN32HEAP']]],
                'ulHeapSize' : [ 0x44, ['unsigned long']],
            }],
            'tagTHREADINFO' : [ None, { # same as win2003x86
                'PtiLink' : [ 0xB0, ['_LIST_ENTRY']],
                'fsHooks' : [ 0x9C, ['unsigned long']],
                'aphkStart' : [ 0xF8, ['array', 16, ['pointer', ['tagHOOK']]]],
            }],
            'tagSERVERINFO' : [ None, {
                'cHandleEntries' : [ 0x4, ['unsigned long']],
                'cbHandleTable' : [ 0x1c8, ['unsigned long']],
            }],
            'tagSHAREDINFO' : [ 0x11c, { # From Win7SP0x86
                'psi' : [ 0x0, ['pointer', ['tagSERVERINFO']]],
                'aheList' : [ 0x4, ['pointer', ['_HANDLEENTRY']]],
                'ulSharedDelta' : [ 0xC, ['unsigned long']],
            }],
            'tagCLIP' : [ 16, { # just a size change
            }]})

volatility-2.3.1/volatility/plugins/gui/vtypes/win7_sp0_x64_vtypes_gui.py

win32k_types = {
  '_HANDLEENTRY': [0x18, {
    'pOwner': [8, ['pointer64', ['void']]],
    'phead': [0, ['pointer64', ['_HEAD']]],
    'bFlags': [17, ['unsigned char']],
    'wUniq': [18, ['unsigned short']],
    'bType': [16, ['unsigned char']],
  }],
  'tagTOUCHINPUTINFO': [0x50, {
    'dwcInputs': [24, ['unsigned long']],
    'head': [0, ['_THROBJHEAD']],
    'uFlags': [28, ['unsigned long']],
    'TouchInput': [32, ['array', 1, ['tagTOUCHINPUT']]],
  }],
  'tagHOOK': [0x60, {
    'head': [0, ['_THRDESKHEAD']],
    'offPfn': [56, ['unsigned long long']],
    'flags': [64, ['unsigned long']],
    'fLastHookHung': [88, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]],
    'nTimeout': [88, ['BitField', {'end_bit': 7, 'start_bit': 0, 'native_type': 'unsigned long'}]],
    'ihmod': [68, ['long']],
    'iHook': [48, ['long']],
    'ptiHooked': [72, ['pointer64', ['tagTHREADINFO']]],
    'phkNext': [40, ['pointer64', ['tagHOOK']]],
    'rpdesk': [80, ['pointer64', ['tagDESKTOP']]],
  }],
  'DEADKEY': [0x8, {
    'wchComposed': [4, ['wchar']],
    'dwBoth': [0, ['unsigned long']],
    'uFlags': [6, ['unsigned short']],
  }],
  '_W32THREAD': [0x150, {
    'pRBRecursionCount': [96, ['unsigned long']],
    'iVisRgnUniqueness': [328, ['unsigned long']],
    'RefCount': [8, ['unsigned long']],
    'pDevHTInfo': [280, ['pointer64', ['void']]],
    'pUMPDHeap': [48, ['pointer64', ['void']]],
    'pgdiBrushAttr': [32, ['pointer64', ['void']]],
    'ulWindowSystemRendering': [324, ['unsigned long']],
    'tlSpriteState': [104, ['_TLSPRITESTATE']],
    'pdcoRender': [304, ['pointer64', ['void']]],
    'bEnableEngUpdateDeviceSurface': [320, ['unsigned char']],
    'pdcoAA': [296, ['pointer64', ['void']]],
'pNonRBRecursionCount': [100, ['unsigned long']], 'ptlW32': [16, ['pointer64', ['_TL']]], 'GdiTmpTgoList': [80, ['_LIST_ENTRY']], 'pUMPDObjs': [40, ['pointer64', ['void']]], 'pgdiDcattr': [24, ['pointer64', ['void']]], 'bIncludeSprites': [321, ['unsigned char']], 'pEThread': [0, ['pointer64', ['_ETHREAD']]], 'pSpriteState': [272, ['pointer64', ['void']]], 'pProxyPort': [64, ['pointer64', ['void']]], 'ulDevHTInfoUniqueness': [288, ['unsigned long']], 'pdcoSrc': [312, ['pointer64', ['void']]], 'pUMPDObj': [56, ['pointer64', ['void']]], 'pClientID': [72, ['pointer64', ['void']]], }], 'tagPROPLIST': [0x18, { 'aprop': [8, ['array', 1, ['tagPROP']]], 'cEntries': [0, ['unsigned long']], 'iFirstFree': [4, ['unsigned long']], }], 'tagSVR_INSTANCE_INFO': [0x40, { 'head': [0, ['_THROBJHEAD']], 'next': [24, ['pointer64', ['tagSVR_INSTANCE_INFO']]], 'nextInThisThread': [32, ['pointer64', ['tagSVR_INSTANCE_INFO']]], 'spwndEvent': [48, ['pointer64', ['tagWND']]], 'afCmd': [40, ['unsigned long']], 'pcii': [56, ['pointer64', ['void']]], }], 'tagDESKTOPINFO': [0xf0, { 'spwndProgman': [192, ['pointer64', ['tagWND']]], 'pvwplMessagePPHandler': [224, ['pointer64', ['VWPL']]], 'pvDesktopLimit': [8, ['pointer64', ['void']]], 'fComposited': [232, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'spwndGestureEngine': [216, ['pointer64', ['tagWND']]], 'pvDesktopBase': [0, ['pointer64', ['void']]], 'spwndShell': [160, ['pointer64', ['tagWND']]], 'ppiShellProcess': [168, ['pointer64', ['tagPROCESSINFO']]], 'pvwplShellHook': [200, ['pointer64', ['VWPL']]], 'fIsDwmDesktop': [232, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'spwndTaskman': [184, ['pointer64', ['tagWND']]], 'aphkStart': [32, ['array', 16, ['pointer64', ['tagHOOK']]]], 'fsHooks': [24, ['unsigned long']], 'cntMBox': [208, ['long']], 'spwndBkGnd': [176, ['pointer64', ['tagWND']]], 'spwnd': [16, ['pointer64', ['tagWND']]], }], 'tagDISPLAYINFO': [0xa8, { 'hDev': [0, 
['pointer64', ['void']]], 'SpatialListHead': [144, ['_KLIST_ENTRY']], 'BitCountMax': [130, ['unsigned short']], 'cyGray': [60, ['long']], 'hdcBits': [32, ['pointer64', ['HDC__']]], 'fDesktopIsRect': [132, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'hbmGray': [48, ['pointer64', ['HBITMAP__']]], 'pmdev': [8, ['pointer64', ['void']]], 'cFullScreen': [160, ['short']], 'cxGray': [56, ['long']], 'dmLogPixels': [128, ['unsigned short']], 'hDevInfo': [16, ['pointer64', ['void']]], 'fAnyPalette': [132, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'pspbFirst': [72, ['pointer64', ['tagSPB']]], 'pMonitorPrimary': [88, ['pointer64', ['tagMONITOR']]], 'Spare0': [162, ['short']], 'pMonitorFirst': [96, ['pointer64', ['tagMONITOR']]], 'hdcGray': [40, ['pointer64', ['HDC__']]], 'hrgnScreenReal': [120, ['pointer64', ['HRGN__']]], 'cMonitors': [80, ['unsigned long']], 'hdcScreen': [24, ['pointer64', ['HDC__']]], 'DockThresholdMax': [136, ['unsigned long']], 'rcScreenReal': [104, ['tagRECT']], 'pdceFirst': [64, ['pointer64', ['tagDCE']]], }], '__unnamed_1261': [0x20, { 'Buffer': [24, ['pointer64', ['void']]], 'ProviderId': [0, ['unsigned long long']], 'BufferSize': [16, ['unsigned long']], 'DataPath': [8, ['pointer64', ['void']]], }], '__unnamed_1263': [0x20, { 'Argument4': [24, ['pointer64', ['void']]], 'Argument2': [8, ['pointer64', ['void']]], 'Argument3': [16, ['pointer64', ['void']]], 'Argument1': [0, ['pointer64', ['void']]], }], '__unnamed_1265': [0x20, { 'DeviceIoControl': [0, ['__unnamed_121d']], 'QuerySecurity': [0, ['__unnamed_121f']], 'ReadWriteConfig': [0, ['__unnamed_123d']], 'Create': [0, ['__unnamed_11ff']], 'SetSecurity': [0, ['__unnamed_1221']], 'Write': [0, ['__unnamed_1209']], 'VerifyVolume': [0, ['__unnamed_1225']], 'WMI': [0, ['__unnamed_1261']], 'CreateMailslot': [0, ['__unnamed_1207']], 'FilterResourceRequirements': [0, ['__unnamed_123b']], 'SetFile': [0, ['__unnamed_1213']], 'MountVolume': [0, 
['__unnamed_1225']], 'FileSystemControl': [0, ['__unnamed_1219']], 'UsageNotification': [0, ['__unnamed_124b']], 'Scsi': [0, ['__unnamed_1229']], 'WaitWake': [0, ['__unnamed_124f']], 'QueryFile': [0, ['__unnamed_1211']], 'QueryDeviceText': [0, ['__unnamed_1247']], 'CreatePipe': [0, ['__unnamed_1203']], 'Power': [0, ['__unnamed_125b']], 'QueryDeviceRelations': [0, ['__unnamed_122d']], 'Read': [0, ['__unnamed_1209']], 'StartDevice': [0, ['__unnamed_125f']], 'QueryDirectory': [0, ['__unnamed_120d']], 'PowerSequence': [0, ['__unnamed_1253']], 'QueryId': [0, ['__unnamed_1243']], 'LockControl': [0, ['__unnamed_121b']], 'NotifyDirectory': [0, ['__unnamed_120f']], 'QueryInterface': [0, ['__unnamed_1233']], 'Others': [0, ['__unnamed_1263']], 'QueryVolume': [0, ['__unnamed_1217']], 'SetLock': [0, ['__unnamed_123f']], 'DeviceCapabilities': [0, ['__unnamed_1237']], }], '_D3DKMDT_2DREGION': [0x8, { 'cy': [4, ['unsigned long']], 'cx': [0, ['unsigned long']], }], 'tagMONITOR': [0x90, { 'hDev': [80, ['pointer64', ['void']]], 'head': [0, ['_HEAD']], 'hDevReal': [88, ['pointer64', ['void']]], 'rcWorkReal': [44, ['tagRECT']], 'dwMONFlags': [24, ['unsigned long']], 'Spare0': [72, ['short']], 'rcMonitorReal': [28, ['tagRECT']], 'pMonitorNext': [16, ['pointer64', ['tagMONITOR']]], 'Flink': [128, ['pointer64', ['tagMONITOR']]], 'Blink': [136, ['pointer64', ['tagMONITOR']]], 'hrgnMonitorReal': [64, ['pointer64', ['HRGN__']]], 'cWndStack': [74, ['short']], 'DockTargets': [96, ['array', 7, ['array', 4, ['unsigned char']]]], }], '__unnamed_123b': [0x8, { 'IoResourceRequirementList': [0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], }], '_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION': [0x10c, { 'APSTriggerBits': [4, ['unsigned long']], 'CopyProtectionType': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPMT_UNINITIALIZED', 1: 'D3DKMDT_VPPMT_NOPROTECTION', 2: 'D3DKMDT_VPPMT_MACROVISION_APSTRIGGER', 3: 'D3DKMDT_VPPMT_MACROVISION_FULLSUPPORT', 255: 
'D3DKMDT_VPPMT_NOTSPECIFIED'}}]], 'CopyProtectionSupport': [264, ['_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION_SUPPORT']], 'OEMCopyProtection': [8, ['array', 256, ['unsigned char']]], }], 'tagHID_TLC_INFO': [0x28, { 'cExcludeRequest': [32, ['unsigned long']], 'link': [0, ['_LIST_ENTRY']], 'cExcludeOrphaned': [36, ['unsigned long']], 'cUsagePageRequest': [28, ['unsigned long']], 'usUsagePage': [16, ['unsigned short']], 'cDevices': [20, ['unsigned long']], 'cDirectRequest': [24, ['unsigned long']], 'usUsage': [18, ['unsigned short']], }], 'HWND__': [0x4, { 'unused': [0, ['long']], }], '_DMM_VIDPNPATHANDTARGETMODE_SERIALIZATION': [0x1b0, { 'TargetMode': [360, ['_D3DKMDT_VIDPN_TARGET_MODE']], 'PathInfo': [0, ['_D3DKMDT_VIDPN_PRESENT_PATH']], }], 'tagQ': [0x158, { 'hwndDblClk': [112, ['pointer64', ['HWND__']]], 'timeDblClk': [108, ['unsigned long']], 'spwndFocus': [72, ['pointer64', ['tagWND']]], 'ExtraInfo': [328, ['long long']], 'cLockCount': [322, ['unsigned short']], 'iCursorLevel': [312, ['long']], 'ptiSysLock': [24, ['pointer64', ['tagTHREADINFO']]], 'caret': [232, ['tagCARET']], 'ptiMouse': [48, ['pointer64', ['tagTHREADINFO']]], 'spwndActivePrev': [88, ['pointer64', ['tagWND']]], 'ptMouseMove': [128, ['tagPOINT']], 'msgDblClk': [100, ['unsigned long']], 'msgJournal': [324, ['unsigned long']], 'ptiKeyboard': [56, ['pointer64', ['tagTHREADINFO']]], 'cThreads': [320, ['unsigned short']], 'QF_flags': [316, ['unsigned long']], 'mlInput': [0, ['tagMLIST']], 'spwndActive': [80, ['pointer64', ['tagWND']]], 'codeCapture': [96, ['unsigned long']], 'idSysLock': [32, ['unsigned long long']], 'spcurCurrent': [304, ['pointer64', ['tagCURSOR']]], 'ulEtwReserved1': [336, ['unsigned long']], 'ptDblClk': [120, ['tagPOINT']], 'xbtnDblClk': [104, ['unsigned short']], 'afKeyRecentDown': [136, ['array', 32, ['unsigned char']]], 'afKeyState': [168, ['array', 64, ['unsigned char']]], 'spwndCapture': [64, ['pointer64', ['tagWND']]], 'idSysPeek': [40, ['unsigned long long']], }], 
'tagUSERSTARTUPINFO': [0x1c, { 'wShowWindow': [24, ['unsigned short']], 'dwYSize': [16, ['unsigned long']], 'dwXSize': [12, ['unsigned long']], 'cbReserved2': [26, ['unsigned short']], 'cb': [0, ['unsigned long']], 'dwX': [4, ['unsigned long']], 'dwY': [8, ['unsigned long']], 'dwFlags': [20, ['unsigned long']], }], '_DMM_COMMITVIDPNREQUESTSET_SERIALIZATION': [0x8, { 'CommitVidPnRequestOffset': [4, ['array', 1, ['unsigned long']]], 'NumCommitVidPnRequests': [0, ['unsigned char']], }], '__unnamed_1805': [0xc, { 'Start': [0, ['_LARGE_INTEGER']], 'Length': [8, ['unsigned long']], }], '_DMM_MONITORDESCRIPTORSET_SERIALIZATION': [0x90, { 'NumDescriptors': [0, ['unsigned char']], 'DescriptorSerialization': [4, ['array', 1, ['_DMM_MONITORDESCRIPTOR_SERIALIZATION']]], }], '_DMM_MONITORSOURCEMODESET_SERIALIZATION': [0x70, { 'NumModes': [0, ['unsigned char']], 'ModeSerialization': [8, ['array', 1, ['_DMM_MONITOR_SOURCE_MODE_SERIALIZATION']]], }], '_VK_FUNCTION_PARAM': [0x8, { 'NLSFEProcIndex': [0, ['unsigned char']], 'NLSFEProcParam': [4, ['unsigned long']], }], '_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES': [0x10, { 'SecondChannel': [4, ['unsigned long']], 'FourthChannel': [12, ['unsigned long']], 'ThirdChannel': [8, ['unsigned long']], 'FirstChannel': [0, ['unsigned long']], }], 'tagMLIST': [0x18, { 'cMsgs': [16, ['unsigned long']], 'pqmsgRead': [0, ['pointer64', ['tagQMSG']]], 'pqmsgWriteLast': [8, ['pointer64', ['tagQMSG']]], }], '__unnamed_122d': [0x4, { 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'}}]], }], 'tagMENUSTATE': [0x90, { 'fDragAndDrop': [8, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'unsigned long'}]], 'fInsideMenuLoop': [8, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'cxAni': [116, ['long']], 'pGlobalPopupMenu': [0, ['pointer64', 
['tagPOPUPMENU']]], 'uDraggingIndex': [88, ['unsigned long']], 'uDraggingHitArea': [80, ['unsigned long long']], 'fNotifyByPos': [8, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'unsigned long'}]], 'fButtonDown': [8, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'ixAni': [108, ['long']], 'fInCallHandleMenuMessages': [8, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'unsigned long'}]], 'mnFocus': [20, ['long']], 'iyAni': [112, ['long']], 'dwLockCount': [40, ['unsigned long']], 'fAutoDismiss': [8, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'unsigned long'}]], 'fIsSysMenu': [8, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'dwAniStartTime': [104, ['unsigned long']], 'pmnsPrev': [48, ['pointer64', ['tagMENUSTATE']]], 'fInEndMenu': [8, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long'}]], 'hbmAni': [128, ['pointer64', ['HBITMAP__']]], 'fIgnoreButtonUp': [8, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'unsigned long'}]], 'ptButtonDown': [56, ['tagPOINT']], 'hdcWndAni': [96, ['pointer64', ['HDC__']]], 'fAboutToAutoDismiss': [8, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'unsigned long'}]], 'fMenuStarted': [8, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'uDraggingFlags': [92, ['unsigned long']], 'fUnderline': [8, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'unsigned long'}]], 'fInDoDragDrop': [8, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'unsigned long'}]], 'ptiMenuStateOwner': [32, ['pointer64', ['tagTHREADINFO']]], 'uButtonDownIndex': [72, ['unsigned long']], 'fModelessMenu': [8, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'unsigned long'}]], 'cyAni': [120, ['long']], 'uButtonDownHitArea': [64, ['unsigned long long']], 'fButtonAlwaysDown': [8, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type':
'unsigned long'}]], 'iAniDropDir': [8, ['BitField', {'end_bit': 24, 'start_bit': 19, 'native_type': 'unsigned long'}]], 'ptMouseLast': [12, ['tagPOINT']], 'hdcAni': [136, ['pointer64', ['HDC__']]], 'vkButtonDown': [76, ['long']], 'fSetCapture': [8, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'unsigned long'}]], 'fDragging': [8, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'unsigned long'}]], 'fActiveNoForeground': [8, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'unsigned long'}]], 'fMouseOffMenu': [8, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'unsigned long'}]], 'cmdLast': [24, ['long']], }], 'tagMSGPPINFO': [0x4, { 'dwIndexMsgPP': [0, ['unsigned long']], }], 'VWPLELEMENT': [0x10, { 'DataOrTag': [0, ['unsigned long long']], 'pwnd': [8, ['pointer64', ['tagWND']]], }], '_WM_VALUES_STRINGS': [0x10, { 'pszName': [0, ['pointer64', ['unsigned char']]], 'fInternal': [8, ['unsigned char']], 'fDefined': [9, ['unsigned char']], }], 'tagCLIP': [0x18, { 'fmt': [0, ['unsigned long']], 'fGlobalHandle': [16, ['long']], 'hData': [8, ['pointer64', ['void']]], }], '__unnamed_1229': [0x8, { 'Srb': [0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], }], '_HEAD': [0x10, { 'h': [0, ['pointer64', ['void']]], 'cLockObj': [8, ['unsigned long']], }], '__unnamed_1221': [0x10, { 'SecurityInformation': [0, ['unsigned long']], 'SecurityDescriptor': [8, ['pointer64', ['void']]], }], '__unnamed_11e6': [0x10, { 'AsynchronousParameters': [0, ['__unnamed_11e4']], 'AllocationSize': [0, ['_LARGE_INTEGER']], }], 'tagQMSG': [0x68, { 'FromPen': [84, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'pti': [88, ['pointer64', ['tagTHREADINFO']]], 'ExtraInfo': [64, ['long long']], 'Wow64Message': [84, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'pqmsgPrev': [8, ['pointer64', ['tagQMSG']]], 'NoCoalesce': [84, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'Padding': [80, ['BitField', 
{'end_bit': 32, 'start_bit': 30, 'native_type': 'unsigned long'}]], 'ptMouseReal': [72, ['tagPOINT']], 'pqmsgNext': [0, ['pointer64', ['tagQMSG']]], 'dwQEvent': [80, ['BitField', {'end_bit': 30, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'MsgPPInfo': [96, ['tagMSGPPINFO']], 'FromTouch': [84, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'msg': [16, ['tagMSG']], }], 'HWINSTA__': [0x4, { 'unused': [0, ['long']], }], 'tagWin32PoolHead': [0x20, { 'pPrev': [8, ['pointer64', ['tagWin32PoolHead']]], 'pTrace': [24, ['pointer64', ['pointer64', ['void']]]], 'pNext': [16, ['pointer64', ['tagWin32PoolHead']]], 'size': [0, ['unsigned long long']], }], 'tagTOUCHINPUT': [0x30, { 'hSource': [8, ['pointer64', ['void']]], 'dwExtraInfo': [32, ['unsigned long long']], 'cxContact': [40, ['unsigned long']], 'dwMask': [24, ['unsigned long']], 'y': [4, ['long']], 'x': [0, ['long']], 'dwID': [16, ['unsigned long']], 'cyContact': [44, ['unsigned long']], 'dwTime': [28, ['unsigned long']], 'dwFlags': [20, ['unsigned long']], }], '_CALLBACKWND': [0x18, { 'hwnd': [0, ['pointer64', ['HWND__']]], 'pActCtx': [16, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'pwnd': [8, ['pointer64', ['tagWND']]], }], 'HMONITOR__': [0x4, { 'unused': [0, ['long']], }], '_D3DKMDT_GRAPHICS_RENDERING_FORMAT': [0x20, { 'VisibleRegionSize': [8, ['_D3DKMDT_2DREGION']], 'Stride': [16, ['unsigned long']], 'PixelFormat': [20, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDIFMT_UNKNOWN', 20: 'D3DDDIFMT_R8G8B8', 21: 'D3DDDIFMT_A8R8G8B8', 22: 'D3DDDIFMT_X8R8G8B8', 23: 'D3DDDIFMT_R5G6B5', 24: 'D3DDDIFMT_X1R5G5B5', 25: 'D3DDDIFMT_A1R5G5B5', 26: 'D3DDDIFMT_A4R4G4B4', 27: 'D3DDDIFMT_R3G3B2', 28: 'D3DDDIFMT_A8', 29: 'D3DDDIFMT_A8R3G3B2', 30: 'D3DDDIFMT_X4R4G4B4', 31: 'D3DDDIFMT_A2B10G10R10', 32: 'D3DDDIFMT_A8B8G8R8', 33: 'D3DDDIFMT_X8B8G8R8', 34: 'D3DDDIFMT_G16R16', 35: 'D3DDDIFMT_A2R10G10B10', 36: 'D3DDDIFMT_A16B16G16R16', 40: 'D3DDDIFMT_A8P8', 41: 'D3DDDIFMT_P8', 50: 'D3DDDIFMT_L8', 51: 
'D3DDDIFMT_A8L8', 52: 'D3DDDIFMT_A4L4', 60: 'D3DDDIFMT_V8U8', 61: 'D3DDDIFMT_L6V5U5', 62: 'D3DDDIFMT_X8L8V8U8', 63: 'D3DDDIFMT_Q8W8V8U8', 64: 'D3DDDIFMT_V16U16', 65: 'D3DDDIFMT_W11V11U10', 67: 'D3DDDIFMT_A2W10V10U10', 877942852: 'D3DDDIFMT_DXT4', 70: 'D3DDDIFMT_D16_LOCKABLE', 71: 'D3DDDIFMT_D32', 72: 'D3DDDIFMT_S1D15', 73: 'D3DDDIFMT_D15S1', 74: 'D3DDDIFMT_S8D24', 75: 'D3DDDIFMT_D24S8', 76: 'D3DDDIFMT_X8D24', 77: 'D3DDDIFMT_D24X8', 78: 'D3DDDIFMT_X4S4D24', 79: 'D3DDDIFMT_D24X4S4', 80: 'D3DDDIFMT_D16', 81: 'D3DDDIFMT_L16', 82: 'D3DDDIFMT_D32F_LOCKABLE', 83: 'D3DDDIFMT_D24FS8', 84: 'D3DDDIFMT_D32_LOCKABLE', 85: 'D3DDDIFMT_S8_LOCKABLE', 100: 'D3DDDIFMT_VERTEXDATA', 101: 'D3DDDIFMT_INDEX16', 102: 'D3DDDIFMT_INDEX32', 110: 'D3DDDIFMT_Q16W16V16U16', 111: 'D3DDDIFMT_R16F', 112: 'D3DDDIFMT_G16R16F', 113: 'D3DDDIFMT_A16B16G16R16F', 114: 'D3DDDIFMT_R32F', 115: 'D3DDDIFMT_G32R32F', 116: 'D3DDDIFMT_A32B32G32R32F', 117: 'D3DDDIFMT_CxV8U8', 118: 'D3DDDIFMT_A1', 119: 'D3DDDIFMT_A2B10G10R10_XR_BIAS', 150: 'D3DDDIFMT_PICTUREPARAMSDATA', 151: 'D3DDDIFMT_MACROBLOCKDATA', 152: 'D3DDDIFMT_RESIDUALDIFFERENCEDATA', 153: 'D3DDDIFMT_DEBLOCKINGDATA', 154: 'D3DDDIFMT_INVERSEQUANTIZATIONDATA', 155: 'D3DDDIFMT_SLICECONTROLDATA', 156: 'D3DDDIFMT_BITSTREAMDATA', 157: 'D3DDDIFMT_MOTIONVECTORBUFFER', 158: 'D3DDDIFMT_FILMGRAINBUFFER', 159: 'D3DDDIFMT_DXVA_RESERVED9', 160: 'D3DDDIFMT_DXVA_RESERVED10', 161: 'D3DDDIFMT_DXVA_RESERVED11', 162: 'D3DDDIFMT_DXVA_RESERVED12', 163: 'D3DDDIFMT_DXVA_RESERVED13', 164: 'D3DDDIFMT_DXVA_RESERVED14', 165: 'D3DDDIFMT_DXVA_RESERVED15', 166: 'D3DDDIFMT_DXVA_RESERVED16', 167: 'D3DDDIFMT_DXVA_RESERVED17', 168: 'D3DDDIFMT_DXVA_RESERVED18', 169: 'D3DDDIFMT_DXVA_RESERVED19', 170: 'D3DDDIFMT_DXVA_RESERVED20', 171: 'D3DDDIFMT_DXVA_RESERVED21', 172: 'D3DDDIFMT_DXVA_RESERVED22', 173: 'D3DDDIFMT_DXVA_RESERVED23', 174: 'D3DDDIFMT_DXVA_RESERVED24', 175: 'D3DDDIFMT_DXVA_RESERVED25', 176: 'D3DDDIFMT_DXVA_RESERVED26', 177: 'D3DDDIFMT_DXVA_RESERVED27', 178: 
'D3DDDIFMT_DXVA_RESERVED28', 179: 'D3DDDIFMT_DXVA_RESERVED29', 180: 'D3DDDIFMT_DXVA_RESERVED30', 181: 'D3DDDIFMT_DXVACOMPBUFFER_MAX', 844388420: 'D3DDDIFMT_DXT2', 199: 'D3DDDIFMT_BINARYBUFFER', 861165636: 'D3DDDIFMT_DXT3', 827611204: 'D3DDDIFMT_DXT1', 827606349: 'D3DDDIFMT_MULTI2_ARGB8', 1195525970: 'D3DDDIFMT_R8G8_B8G8', 1498831189: 'D3DDDIFMT_UYVY', 844715353: 'D3DDDIFMT_YUY2', 894720068: 'D3DDDIFMT_DXT5', 1111970375: 'D3DDDIFMT_G8R8_G8B8', 2147483647: 'D3DDDIFMT_FORCE_UINT'}}]], 'PixelValueAccessMode': [28, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_PVAM_UNINITIALIZED', 1: 'D3DKMDT_PVAM_DIRECT', 2: 'D3DKMDT_PVAM_PRESETPALETTE', 3: 'D3DKMDT_PVAM_MAXVALID'}}]], 'PrimSurfSize': [0, ['_D3DKMDT_2DREGION']], 'ColorBasis': [24, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], }], '_VK_TO_WCHAR_TABLE': [0x10, { 'pVkToWchars': [0, ['pointer64', ['_VK_TO_WCHARS1']]], 'cbSize': [9, ['unsigned char']], 'nModifications': [8, ['unsigned char']], }], '__unnamed_1153': [0x10, { 'Reserved': [8, ['BitField', {'end_bit': 61, 'start_bit': 2, 'native_type': 'unsigned long long'}]], 'HeaderType': [8, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'Sequence': [0, ['BitField', {'end_bit': 25, 'start_bit': 16, 'native_type': 'unsigned long long'}]], 'Region': [8, ['BitField', {'end_bit': 64, 'start_bit': 61, 'native_type': 'unsigned long long'}]], 'Init': [8, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long long'}]], 'Depth': [0, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'NextEntry': [0, ['BitField', {'end_bit': 64, 'start_bit': 25, 'native_type': 'unsigned long long'}]], }], '__unnamed_1158': [0x10, { 'Reserved': [8, ['BitField', {'end_bit': 4, 'start_bit': 2, 'native_type': 'unsigned long long'}]], 'HeaderType': 
[8, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'Sequence': [0, ['BitField', {'end_bit': 64, 'start_bit': 16, 'native_type': 'unsigned long long'}]], 'Init': [8, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long long'}]], 'Depth': [0, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'NextEntry': [8, ['BitField', {'end_bit': 64, 'start_bit': 4, 'native_type': 'unsigned long long'}]], }], '_TL': [0x18, { 'pfnFree': [16, ['pointer64', ['void']]], 'pobj': [8, ['pointer64', ['void']]], 'next': [0, ['pointer64', ['_TL']]], }], 'tagTHREADINFO': [0x3a8, { 'pstrAppName': [416, ['pointer64', ['_UNICODE_STRING']]], 'ForceLegacyResizeNCMetr': [520, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'unsigned long long'}]], 'ptl': [336, ['pointer64', ['_TL']]], 'timeLast': [448, ['long']], 'DontJournalAttach': [516, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'unsigned long'}]], 'ppi': [344, ['pointer64', ['tagPROCESSINFO']]], 'SendMnuDblClk': [516, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'unsigned long'}]], 'DDENoSync': [520, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'unsigned long long'}]], 'EditNoMouseHide': [520, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'unsigned long long'}]], 'pDevHTInfo': [280, ['pointer64', ['void']]], 'OpenGLEMF': [520, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'unsigned long long'}]], 'dwCompatFlags': [516, ['unsigned long']], 'hTouchInputCurrent': [888, ['pointer64', ['HTOUCHINPUT__']]], 'psmsSent': [424, ['pointer64', ['tagSMS']]], 'cVisWindows': [728, ['unsigned long']], 'hPrevHidData': [880, ['pointer64', ['void']]], 'fsHooks': [552, ['unsigned long']], 'qwCompatFlags2': [520, ['unsigned long long']], 'NoPaddedBorder': [520, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'unsigned long long'}]], 'NoDrawPatRect': [520, ['BitField', 
{'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long long'}]], 'ForceTTGrapchis': [516, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'unsigned long'}]], 'GetDeviceCaps': [516, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'unsigned long'}]], 'pgdiBrushAttr': [32, ['pointer64', ['void']]], 'pq': [352, ['pointer64', ['tagQ']]], 'ulWindowSystemRendering': [324, ['unsigned long']], 'dwExpWinVer': [512, ['unsigned long']], 'NoSoftCursOnMoveSize': [520, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'unsigned long long'}]], 'psmsReceiveList': [440, ['pointer64', ['tagSMS']]], 'sphkCurrent': [560, ['pointer64', ['tagHOOK']]], 'No50ExStyles': [520, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long long'}]], 'IgnoreFaults': [516, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'unsigned long'}]], 'pClientInfo': [400, ['pointer64', ['tagCLIENTINFO']]], 'pdcoSrc': [312, ['pointer64', ['void']]], 'pEventQueueServer': [600, ['pointer64', ['_KEVENT']]], 'DealyHwndShakeChk': [516, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'unsigned long'}]], 'amdesk': [720, ['unsigned long']], 'fsChangeBitsRemoved': [704, ['unsigned short']], 'psmsCurrent': [432, ['pointer64', ['tagSMS']]], 'NoBatching': [520, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'unsigned long long'}]], 'StrictLLHook': [520, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'unsigned long long'}]], 'pdcoRender': [304, ['pointer64', ['void']]], 'NoShadow': [520, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'unsigned long long'}]], 'EnumHelv': [516, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'unsigned long'}]], 'fPack': [928, ['BitField', {'end_bit': 28, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'CallTTDevice': [516, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long'}]], 'fsReserveKeys': [708, ['unsigned long']], 'Winver31': 
[516, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'unsigned long'}]], 'DisableDBCSProp': [516, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'unsigned long'}]], 'Win30AvgWidth': [516, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'unsigned long'}]], 'ptlW32': [16, ['pointer64', ['_TL']]], 'AlwaysSendSyncPaint': [516, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'unsigned long'}]], 'IgnoreNoDiscard': [516, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'NoTimeCbProtect': [520, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'unsigned long long'}]], 'MsShellDlg': [520, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long long'}]], 'hEventQueueClient': [592, ['pointer64', ['void']]], 'cPaintsReady': [480, ['long']], 'SubtractClips': [516, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'unsigned long'}]], 'PtiLink': [608, ['_LIST_ENTRY']], 'DpiAware': [520, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'unsigned long long'}]], 'spklActive': [360, ['pointer64', ['tagKL']]], 'bIncludeSprites': [321, ['unsigned char']], 'mlPost': [680, ['tagMLIST']], 'ptLastReal': [636, ['tagPOINT']], 'fThreadCleanupFinished': [928, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'unsigned long'}]], 'MultipleBands': [516, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'unsigned long'}]], 'Random31Ux': [516, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'unsigned long'}]], 'HackWinFlags': [516, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'unsigned long'}]], 'pProxyPort': [64, ['pointer64', ['void']]], 'KCOff': [520, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long long'}]], 'wParamHkCurrent': [576, ['unsigned long long']], 'readyHead': [912, ['_LIST_ENTRY']], 'UsePrintingEscape': [516, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type':
'unsigned long'}]], 'NoInitFlagsOnFocus': [520, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'unsigned long long'}]], 'ForceTextBand': [516, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'pEThread': [0, ['pointer64', ['_ETHREAD']]], 'ptdb': [496, ['pointer64', ['tagTDB']]], 'SpareCompatFlags2': [520, ['BitField', {'end_bit': 64, 'start_bit': 33, 'native_type': 'unsigned long long'}]], 'cWindows': [724, ['unsigned long']], 'cEnterCount': [672, ['long']], 'fETWReserved': [928, ['BitField', {'end_bit': 32, 'start_bit': 29, 'native_type': 'unsigned long'}]], 'dwCompatFlags2': [520, ['unsigned long']], 'NoEMFSpooling': [516, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'unsigned long'}]], 'pMenuState': [488, ['pointer64', ['tagMENUSTATE']]], 'pRBRecursionCount': [96, ['unsigned long']], 'SmoothScrolling': [516, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'unsigned long'}]], 'iVisRgnUniqueness': [328, ['unsigned long']], 'RefCount': [8, ['unsigned long']], 'Win31DevModeSize': [516, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'unsigned long'}]], 'pwinsta': [496, ['pointer64', ['tagWINDOWSTATION']]], 'pSBTrack': [584, ['pointer64', ['tagSBTRACK']]], 'ActiveMenus': [520, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'unsigned long long'}]], 'spwndDefaultIme': [648, ['pointer64', ['tagWND']]], 'NoCustomPaperSize': [520, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'unsigned long long'}]], 'wchInjected': [706, ['wchar']], 'cTimersReady': [484, ['unsigned long']], 'EditSetTextMunge': [516, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'unsigned long'}]], 'pUMPDHeap': [48, ['pointer64', ['void']]], 'fgfSwitchInProgressSetter': [928, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'iCursorLevel': [624, ['long']], 'NoScrollBarCtxMenu': [516, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'unsigned long'}]], 
'ulClientDelta': [392, ['unsigned long long']], 'pdcoAA': [296, ['pointer64', ['void']]], 'cNestedStableVisRgn': [908, ['unsigned long']], 'TryExceptCallWndProc': [520, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'unsigned long long'}]], 'cti': [864, ['tagCLIENTTHREADINFO']], 'NcCalcSizeOnMove': [516, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'unsigned long'}]], 'DisableFontAssoc': [516, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'unsigned long'}]], 'pcti': [368, ['pointer64', ['tagCLIENTTHREADINFO']]], 'MsgPPInfo': [904, ['tagMSGPPINFO']], 'DDE': [520, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'unsigned long long'}]], 'ulThreadFlags2': [928, ['unsigned long']], 'tlSpriteState': [104, ['_TLSPRITESTATE']], 'NoCharDeadKey': [520, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'unsigned long long'}]], 'pqAttach': [528, ['pointer64', ['tagQ']]], 'TTIgnoreRasterDupe': [516, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'unsigned long'}]], 'aphkStart': [736, ['array', 16, ['pointer64', ['tagHOOK']]]], 'DefaultCharset': [520, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'unsigned long long'}]], 'idLast': [456, ['unsigned long long']], 'rpdesk': [376, ['pointer64', ['tagDESKTOP']]], 'NoWindowArrangement': [520, ['BitField', {'end_bit': 33, 'start_bit': 32, 'native_type': 'unsigned long long'}]], 'AnimationOff': [520, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'No50ExStyleBits': [520, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'unsigned long long'}]], 'TransparentBltMirror': [520, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'unsigned long long'}]], 'DDENoAsyncReg': [520, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'unsigned long long'}]], 'bEnableEngUpdateDeviceSurface': [320, ['unsigned char']], 'pDeskInfo': [384, ['pointer64', ['tagDESKTOPINFO']]], 'hdesk': [472, 
['pointer64', ['HDESK__']]], 'pNonRBRecursionCount': [100, ['unsigned long']], 'MoreExtraWndWords': [516, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'unsigned long'}]], 'hklPrev': [664, ['pointer64', ['HKL__']]], 'NoGhost': [520, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'unsigned long long'}]], 'IgnoreTopMost': [516, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'pmsd': [544, ['pointer64', ['_MOVESIZEDATA']]], 'NoHRGN1': [516, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'unsigned long'}]], 'exitCode': [464, ['long']], 'NoDDETrackDying': [520, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'unsigned long long'}]], 'ptLast': [628, ['tagPOINT']], 'hGestureInfoCurrent': [896, ['pointer64', ['HGESTUREINFO__']]], 'GdiTmpTgoList': [80, ['_LIST_ENTRY']], 'pUMPDObjs': [40, ['pointer64', ['void']]], 'FontSubs': [520, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'unsigned long long'}]], 'GiveUpForegound': [520, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'unsigned long long'}]], 'spDefaultImc': [656, ['pointer64', ['tagIMC']]], 'pgdiDcattr': [24, ['pointer64', ['void']]], 'TIF_flags': [408, ['unsigned long']], 'apEvent': [712, ['pointer64', ['pointer64', ['_KEVENT']]]], 'HardwareMixer': [520, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'unsigned long long'}]], 'pUMPDObj': [56, ['pointer64', ['void']]], 'pSpriteState': [272, ['pointer64', ['void']]], 'EnumTTNotDevice': [516, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'unsigned long'}]], 'lParamHkCurrent': [568, ['long long']], 'ulDevHTInfoUniqueness': [288, ['unsigned long']], 'ptiSibling': [536, ['pointer64', ['tagTHREADINFO']]], 'psiiList': [504, ['pointer64', ['tagSVR_INSTANCE_INFO']]], 'ForceFusion': [520, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'unsigned long long'}]], 'fSpecialInitialization': [928, ['BitField', {'end_bit': 1, 'start_bit': 
0, 'native_type': 'unsigned long'}]], 'IncreaseStack': [516, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'unsigned long'}]], 'pClientID': [72, ['pointer64', ['void']]], }], '_MOVESIZEDATA': [0xf0, { 'fmsKbd': [164, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'fMoveFromMax': [164, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'unsigned long'}]], 'fSnapMoving': [164, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'unsigned long'}]], 'ptRestore': [156, ['tagPOINT']], 'fUsePreviewRect': [164, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'unsigned long'}]], 'ptStartHitWindowRelative': [208, ['tagPOINT']], 'CurrentHitTarget': [192, ['Enumeration', {'target': 'long', 'choices': {0: 'ThresholdMarginTop', 1: 'ThresholdMarginLeft', 2: 'ThresholdMarginRight', 3: 'ThresholdMarginBottom', 4: 'ThresholdMarginMax'}}]], 'fHasSoftwareCursor': [164, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'unsigned long'}]], 'fCheckPtForcefullyRestored': [164, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'unsigned long'}]], 'fSnapMovingTemporaryAllowed': [164, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'unsigned long'}]], 'Unused': [164, ['BitField', {'end_bit': 32, 'start_bit': 28, 'native_type': 'unsigned long'}]], 'fOffScreen': [164, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'unsigned long'}]], 'fWindowWasSuperMaximized': [164, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'unsigned long'}]], 'StartCurrentHitTarget': [176, ['Enumeration', {'target': 'long', 'choices': {0: 'ThresholdMarginTop', 1: 'ThresholdMarginLeft', 2: 'ThresholdMarginRight', 3: 'ThresholdMarginBottom', 4: 'ThresholdMarginMax'}}]], 'fSnapSizing': [164, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'unsigned long'}]], 'fIsMoveSizeLoop': [164, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'unsigned long'}]], 
'rcPreviewCursor': [56, ['tagRECT']], 'dyMouse': [140, ['long']], 'fVerticallyMaximizedRight': [164, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'unsigned long'}]], 'fTrackCancelled': [164, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'impx': [148, ['long']], 'impy': [152, ['long']], 'fLockWindowUpdate': [164, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'fStartVerticallyMaximizedLeft': [164, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'unsigned long'}]], 'ptMinTrack': [88, ['tagPOINT']], 'pMonitorCurrentHitTarget': [184, ['pointer64', ['tagMONITOR']]], 'rcWindow': [104, ['tagRECT']], 'pStartMonitorCurrentHitTarget': [168, ['pointer64', ['tagMONITOR']]], 'cmd': [144, ['long']], 'ptMaxTrack': [96, ['tagPOINT']], 'fForceSizing': [164, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'unsigned long'}]], 'fThresholdSelector': [164, ['BitField', {'end_bit': 18, 'start_bit': 15, 'native_type': 'unsigned long'}]], 'MoveRectStyle': [196, ['Enumeration', {'target': 'long', 'choices': {0: 'MoveRectKeepPositionAtCursor', 1: 'MoveRectMidTopAtCursor', 2: 'MoveRectKeepAspectRatioAtCursor', 3: 'MoveRectSidewiseKeepPositionAtCursor'}}]], 'fDragFullWindows': [164, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'unsigned long'}]], 'fForeground': [164, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long'}]], 'ulCountDragOutOfLeftRightTarget': [228, ['unsigned long']], 'ptLastTrack': [216, ['tagPOINT']], 'frcNormalCheckPtValid': [164, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'unsigned long'}]], 'fIsHitPtOffScreen': [164, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'unsigned long'}]], 'fSnapSizingTemporaryAllowed': [164, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'unsigned long'}]], 'fInitSize': [164, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 
'dxMouse': [136, ['long']], 'fStartVerticallyMaximizedRight': [164, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'unsigned long'}]], 'ulCountDragOutOfTopTarget': [224, ['unsigned long']], 'fVerticallyMaximizedLeft': [164, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'unsigned long'}]], 'spwnd': [0, ['pointer64', ['tagWND']]], 'fHasPreviewRect': [164, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'unsigned long'}]], 'rcPreview': [40, ['tagRECT']], 'rcDragCursor': [24, ['tagRECT']], 'Flags': [164, ['unsigned long']], 'ptHitWindowRelative': [200, ['tagPOINT']], 'rcParent': [72, ['tagRECT']], 'ulCountSizeOutOfTopBottomTarget': [232, ['unsigned long']], 'rcNormalStartCheckPt': [120, ['tagRECT']], 'rcDrag': [8, ['tagRECT']], }], '_LARGE_UNICODE_STRING': [0x10, { 'Buffer': [8, ['pointer64', ['unsigned short']]], 'Length': [0, ['unsigned long']], 'MaximumLength': [4, ['BitField', {'end_bit': 31, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'bAnsi': [4, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'unsigned long'}]], }], 'VSC_LPWSTR': [0x10, { 'vsc': [0, ['unsigned char']], 'pwsz': [8, ['pointer64', ['unsigned short']]], }], '_D3DKMDT_VIDPN_PRESENT_PATH_TRANSFORMATION': [0x10, { 'Scaling': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPS_UNINITIALIZED', 1: 'D3DKMDT_VPPS_IDENTITY', 2: 'D3DKMDT_VPPS_CENTERED', 3: 'D3DKMDT_VPPS_STRETCHED', 4: 'D3DKMDT_VPPS_ASPECTRATIOCENTEREDMAX', 5: 'D3DKMDT_VPPS_CUSTOM', 253: 'D3DKMDT_VPPS_RESERVED1', 254: 'D3DKMDT_VPPS_UNPINNED', 255: 'D3DKMDT_VPPS_NOTSPECIFIED'}}]], 'RotationSupport': [12, ['_D3DKMDT_VIDPN_PRESENT_PATH_ROTATION_SUPPORT']], 'Rotation': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPR_UNINITIALIZED', 1: 'D3DKMDT_VPPR_IDENTITY', 2: 'D3DKMDT_VPPR_ROTATE90', 3: 'D3DKMDT_VPPR_ROTATE180', 4: 'D3DKMDT_VPPR_ROTATE270', 254: 'D3DKMDT_VPPR_UNPINNED', 255: 'D3DKMDT_VPPR_NOTSPECIFIED'}}]], 'ScalingSupport': [4, 
['_D3DKMDT_VIDPN_PRESENT_PATH_SCALING_SUPPORT']], }], 'tagUAHMENUPOPUPMETRICS': [0x14, { 'rgcx': [0, ['array', 4, ['long']]], 'fUpdateMaxWidths': [16, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], }], '__unnamed_115b': [0x10, { 'NextEntry': [8, ['BitField', {'end_bit': 64, 'start_bit': 4, 'native_type': 'unsigned long long'}]], 'Depth': [0, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'Reserved': [8, ['BitField', {'end_bit': 4, 'start_bit': 1, 'native_type': 'unsigned long long'}]], 'HeaderType': [8, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'Sequence': [0, ['BitField', {'end_bit': 64, 'start_bit': 16, 'native_type': 'unsigned long long'}]], }], '_THROBJHEAD': [0x18, { 'h': [0, ['pointer64', ['void']]], 'pti': [16, ['pointer64', ['tagTHREADINFO']]], 'cLockObj': [8, ['unsigned long']], }], '_DMM_COFUNCPATHSMODALITY_SERIALIZATION': [0x8, { 'NumPathsFromSource': [0, ['unsigned char']], 'PathAndTargetModeSetOffset': [4, ['array', 1, ['unsigned long']]], }], 'tagSBTRACK': [0x68, { 'spwndSBNotify': [24, ['pointer64', ['tagWND']]], 'hTimerSB': [64, ['unsigned long long']], 'cmdSB': [56, ['unsigned long']], 'xxxpfnSB': [48, ['pointer64', ['void']]], 'fTrackVert': [0, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'posNew': [84, ['long']], 'posOld': [80, ['long']], 'fCtlSB': [0, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'rcTrack': [32, ['tagRECT']], 'fTrackRecalc': [0, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'spwndSB': [16, ['pointer64', ['tagWND']]], 'spwndTrack': [8, ['pointer64', ['tagWND']]], 'dpxThumb': [72, ['long']], 'pxOld': [76, ['long']], 'fHitOld': [0, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'pSBCalc': [96, ['pointer64', ['tagSBCALC']]], 'nBar': [88, ['long']], }], '_DMA_ADAPTER': [0x10, { 'Version': [0,
['unsigned short']], 'DmaOperations': [8, ['pointer64', ['_DMA_OPERATIONS']]], 'Size': [2, ['unsigned short']], }], '__unnamed_1217': [0x10, { 'FsInformationClass': [8, ['Enumeration', {'target': 'long', 'choices': {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'}}]], 'Length': [0, ['unsigned long']], }], 'tagDPISERVERINFO': [0x28, { 'hMsgFont': [16, ['pointer64', ['HFONT__']]], 'hCaptionFont': [8, ['pointer64', ['HFONT__']]], 'gclBorder': [0, ['long']], 'cxMsgFontChar': [24, ['long']], 'wMaxBtnSize': [32, ['unsigned long']], 'cyMsgFontChar': [28, ['long']], }], 'HICON__': [0x4, { 'unused': [0, ['long']], }], '_DMM_VIDPNTARGETMODESET_SERIALIZATION': [0x50, { 'NumModes': [0, ['unsigned char']], 'ModeSerialization': [8, ['array', 1, ['_D3DKMDT_VIDPN_TARGET_MODE']]], }], '__unnamed_16c1': [0x8, { 'ActiveSize': [0, ['_D3DKMDT_2DREGION']], 'MaxPixelRate': [0, ['unsigned long long']], }], '__unnamed_127c': [0x48, { 'Wcb': [0, ['_WAIT_CONTEXT_BLOCK']], 'ListEntry': [0, ['_LIST_ENTRY']], }], '_D3DMATRIX': [0x40, { '_33': [40, ['float']], '_42': [52, ['float']], '_43': [56, ['float']], '_44': [60, ['float']], '_34': [44, ['float']], '_14': [12, ['float']], '_13': [8, ['float']], '_12': [4, ['float']], '_11': [0, ['float']], '_41': [48, ['float']], '_31': [32, ['float']], '_24': [28, ['float']], '_32': [36, ['float']], '_22': [20, ['float']], '_23': [24, ['float']], '_21': [16, ['float']], }], '__unnamed_18a1': [0x20, { 'Text': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_TRF_UNINITIALIZED'}}]], 'Graphics': [0, ['_D3DKMDT_GRAPHICS_RENDERING_FORMAT']], }], 'HGESTUREINFO__': [0x4, { 'unused': [0, ['long']], }], '_VK_TO_FUNCTION_TABLE': [0x84, { 'NLSFEProcType': [1,
['unsigned char']], 'NLSFEProcSwitch': [3, ['unsigned char']], 'Vk': [0, ['unsigned char']], 'NLSFEProcCurrent': [2, ['unsigned char']], 'NLSFEProcAlt': [68, ['array', 8, ['_VK_FUNCTION_PARAM']]], 'NLSFEProc': [4, ['array', 8, ['_VK_FUNCTION_PARAM']]], }], '__unnamed_16ca': [0x10, { 'Attrib': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'WCA_UNDEFINED', 1: 'WCA_NCRENDERING_ENABLED', 2: 'WCA_NCRENDERING_POLICY', 3: 'WCA_TRANSITIONS_FORCEDISABLED', 4: 'WCA_ALLOW_NCPAINT', 5: 'WCA_CAPTION_BUTTON_BOUNDS', 6: 'WCA_NONCLIENT_RTL_LAYOUT', 7: 'WCA_FORCE_ICONIC_REPRESENTATION', 8: 'WCA_FLIP3D_POLICY', 9: 'WCA_EXTENDED_FRAME_BOUNDS', 10: 'WCA_HAS_ICONIC_BITMAP', 11: 'WCA_THEME_ATTRIBUTES', 12: 'WCA_NCRENDERING_EXILED', 13: 'WCA_NCADORNMENTINFO', 14: 'WCA_EXCLUDED_FROM_LIVEPREVIEW', 15: 'WCA_VIDEO_OVERLAY_ACTIVE', 16: 'WCA_FORCE_ACTIVEWINDOW_APPEARANCE', 17: 'WCA_DISALLOW_PEEK', 18: 'WCA_LAST'}}]], 'cbData': [8, ['unsigned long long']], }], '_DMM_VIDPNPATHANDTARGETMODESET_SERIALIZATION': [0x1b8, { 'PathInfo': [0, ['_D3DKMDT_VIDPN_PRESENT_PATH']], 'TargetModeSet': [360, ['_DMM_VIDPNTARGETMODESET_SERIALIZATION']], }], 'HDESK__': [0x4, { 'unused': [0, ['long']], }], 'VK_TO_BIT': [0x2, { 'Vk': [0, ['unsigned char']], 'ModBits': [1, ['unsigned char']], }], 'tagIMEINFOEX': [0x160, { 'fSysWow64Only': [348, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'wszImeFile': [188, ['array', 80, ['wchar']]], 'fLoadFlag': [76, ['long']], 'hkl': [0, ['pointer64', ['HKL__']]], 'dwImeWinVersion': [84, ['unsigned long']], 'dwProdVersion': [80, ['unsigned long']], 'wszImeDescription': [88, ['array', 50, ['wchar']]], 'fCUASLayer': [348, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'ImeInfo': [8, ['tagIMEINFO']], 'wszUIClass': [36, ['array', 16, ['wchar']]], 'fInitOpen': [72, ['long']], 'fdwInitConvMode': [68, ['unsigned long']], }], '__unnamed_12e0': [0x2c, { 'InitialPrivilegeSet': [0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet': [0, ['_PRIVILEGE_SET']], 
}], '_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION_SUPPORT': [0x4, { 'MacroVisionFull': [0, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'MacroVisionApsTrigger': [0, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'NoProtection': [0, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'Reserved': [0, ['BitField', {'end_bit': 32, 'start_bit': 3, 'native_type': 'unsigned long'}]], }], '_SCATTER_GATHER_ELEMENT': [0x18, { 'Length': [8, ['unsigned long']], 'Reserved': [16, ['unsigned long long']], 'Address': [0, ['_LARGE_INTEGER']], }], 'tagWND': [0x128, { 'bEraseBackground': [40, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'long'}]], 'spwndOwner': [104, ['pointer64', ['tagWND']]], 'bWS_EX_LAYERED': [48, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'long'}]], 'bWS_CLIPCHILDREN': [52, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'long'}]], 'bMaximizeButtonDown': [44, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'long'}]], 'cbwndExtra': [232, ['long']], 'bMakeVisibleWhenUnghosted': [48, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'long'}]], 'bUIStateActive': [48, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'long'}]], 'hMod16': [64, ['unsigned short']], 'bWS_TABSTOP': [52, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bUnused8': [52, ['BitField', {'end_bit': 18, 'start_bit': 16, 'native_type': 'long'}]], 'bWS_EX_NOPARENTNOTIFY': [48, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'bForceFullNCPaintClipRgn': [44, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'long'}]], 'bDialogWindow': [40, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'lpfnWndProc': [144, ['pointer64', ['void']]], 'bWS_EX_RTLREADING': [48, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'long'}]], 'bMinimizeButtonDown': 
[44, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'long'}]], 'bUnused2': [48, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'long'}]], 'bUnused3': [48, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'long'}]], 'bUnused4': [48, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'long'}]], 'bHasMeun': [40, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'bUnused6': [52, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bUnused7': [52, ['BitField', {'end_bit': 18, 'start_bit': 16, 'native_type': 'long'}]], 'bWS_SIZEBOX': [52, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'long'}]], 'style': [52, ['unsigned long']], 'ppropList': [168, ['pointer64', ['tagPROPLIST']]], 'hrgnNewFrame': [208, ['pointer64', ['HRGN__']]], 'bHasOverlay': [288, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'long'}]], 'bUnused9': [52, ['BitField', {'end_bit': 19, 'start_bit': 16, 'native_type': 'long'}]], 'bClipboardListener': [288, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'bScrollBarLineDownBtnDown': [44, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'long'}]], 'bReserved3': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bRedirectedForPrint': [288, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'bWS_EX_RIGHT': [48, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'long'}]], 'bStartPaint': [44, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'bHasCreatestructName': [40, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'long'}]], 'bWS_EX_COMPOSITED': [48, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'long'}]], 'bFullScreen': [44, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'long'}]], 'spwndLastActive': [240, ['pointer64', ['tagWND']]], 'hrgnUpdate': [160, ['pointer64', ['HRGN__']]], 'head': [0, 
['_THRDESKHEAD']], 'bConsoleWindow': [288, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'long'}]], 'bHiddenPopup': [40, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'long'}]], 'hrgnClip': [200, ['pointer64', ['HRGN__']]], 'bWS_EX_CONTROLPARENT': [48, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bWS_EX_TOPMOST': [48, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'bSendEraseBackground': [40, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'long'}]], 'bScrollBarLineUpBtnDown': [44, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bWin50Compat': [44, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'long'}]], 'bRecievedQuerySuspendMsg': [40, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'long'}]], 'bMaximizeMonitorRegion': [44, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'long'}]], 'bLayeredLimbo': [288, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'long'}]], 'bRedrawIfHung': [40, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'long'}]], 'FullScreenMode': [44, ['BitField', {'end_bit': 27, 'start_bit': 24, 'native_type': 'long'}]], 'bLayeredInvalidate': [288, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'bVerticallyMaximizedLeft': [288, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'bWS_POPUP': [52, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'long'}]], 'bWS_EX_CONTEXTHELP': [48, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'long'}]], 'dwUserData': [256, ['unsigned long long']], 'bDisabled': [52, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'long'}]], 'bAnsiWindowProc': [40, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'long'}]], 'bWin40Compat': [44, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'long'}]], 'bWS_EX_NOINHERITLAYOUT': [48, ['BitField', 
{'end_bit': 21, 'start_bit': 20, 'native_type': 'long'}]], 'rcClient': [128, ['tagRECT']], 'bAnsiCreator': [40, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'long'}]], 'bAnyScrollButtonDown': [44, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'long'}]], 'bWS_EX_LAYOUTRTL': [48, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'long'}]], 'bUIStateKbdAccelHidden': [48, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'long'}]], 'bSendSizeMoveMsgs': [40, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'long'}]], 'spwndParent': [88, ['pointer64', ['tagWND']]], 'bLinked': [288, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'bSendNCPaint': [40, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'long'}]], 'bToggleTopmost': [40, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'long'}]], 'bInternalPaint': [40, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'long'}]], 'bDestroyed': [40, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'long'}]], 'bHasClientEdge': [44, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'long'}]], 'bServerSideWindowProc': [40, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'long'}]], 'bCaptionTextTruncated': [44, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'long'}]], 'rcWindow': [112, ['tagRECT']], 'bEndPaintInvalidate': [44, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'bHasPalette': [40, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'long'}]], 'bHasHorizontalScrollbar': [40, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'bUIStateFocusRectHidden': [48, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'long'}]], 'bReserved1': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bWS_EX_COMPOSITEDCompositing': [48, ['BitField', {'end_bit': 29, 'start_bit': 28, 
'native_type': 'long'}]], 'bWS_EX_MDICHILD': [48, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'long'}]], 'bHasVerticalScrollbar': [40, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'bReserved2': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bWMCreateMsgProcessed': [44, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'long'}]], 'bMinimized': [52, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'long'}]], 'bWS_EX_NOACTIVATE': [48, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'long'}]], 'bWS_EX_APPWINDOW': [48, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'long'}]], 'pSBInfo': [176, ['pointer64', ['tagSBINFO']]], 'bSmallIconFromWMQueryDrag': [44, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'long'}]], 'bNoNCPaint': [40, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'long'}]], 'bCloseButtonDown': [44, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'long'}]], 'bUnused1': [48, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'bHasSPB': [40, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'bWS_MINIMIZEBOX': [52, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'long'}]], 'bMaximized': [52, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'long'}]], 'bScrollBarVerticalTracking': [44, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'long'}]], 'bWS_CHILD': [52, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'long'}]], 'bReserved5': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bWS_EX_DLGMODALFRAME': [48, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'bWS_EX_TRANSPARENT': [48, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'long'}]], 'spmenu': [192, ['pointer64', ['tagMENU']]], 'bWS_THICKFRAME': [52, ['BitField', {'end_bit': 19, 'start_bit': 18, 
'native_type': 'long'}]], 'bPaintNotProcessed': [40, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'long'}]], 'bSyncPaintPending': [40, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'long'}]], 'pcls': [152, ['pointer64', ['tagCLS']]], 'bLayeredForDWM': [288, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'long'}]], 'bMsgBox': [40, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'long'}]], 'bShellHookRegistered': [44, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'long'}]], 'spwndChild': [96, ['pointer64', ['tagWND']]], 'bUnused5': [52, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bHelpButtonDown': [44, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'long'}]], 'bInDestroy': [44, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'state': [40, ['unsigned long']], 'strName': [216, ['_LARGE_UNICODE_STRING']], 'spwndPrev': [80, ['pointer64', ['tagWND']]], 'bRedrawFrameIfHung': [40, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'long'}]], 'bWS_EX_LEFTSCROLLBAR': [48, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'long'}]], 'bWS_EX_TOOLWINDOW': [48, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'bWS_VSCROLL': [52, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'long'}]], 'bMaximizesToMonitor': [40, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'long'}]], 'bNoMinmaxAnimatedRects': [44, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'long'}]], 'fnid': [66, ['unsigned short']], 'ExStyle': [48, ['unsigned long']], 'bRedirected': [48, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'long'}]], 'bActiveFrame': [40, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'long'}]], 'bReserved4': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bWS_EX_WINDOWEDGE': [48, ['BitField', {'end_bit': 9, 'start_bit': 8, 
'native_type': 'long'}]], 'bReserved6': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bReserved7': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bWS_CLIPSIBLINGS': [52, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'long'}]], 'bWS_EX_ACCEPTFILE': [48, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'long'}]], 'bWS_HSCROLL': [52, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'long'}]], 'bUpdateDirty': [40, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'long'}]], 'bBeingActivated': [40, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'long'}]], 'state2': [44, ['unsigned long']], 'spwndNext': [72, ['pointer64', ['tagWND']]], 'bScrollBarPageDownBtnDown': [44, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'long'}]], 'bWS_BORDER': [52, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'long'}]], 'bWMPaintSent': [44, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'bScrollBarPageUpBtnDown': [44, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'long'}]], 'pTransform': [272, ['pointer64', ['_D3DMATRIX']]], 'bWS_MAXIMIZEBOX': [52, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bVisible': [52, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'long'}]], 'bVerticallyMaximizedRight': [288, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'long'}]], 'bWin31Compat': [44, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'long'}]], 'bWS_EX_STATICEDGE': [48, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'long'}]], 'bForceMenuDraw': [40, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'long'}]], 'bForceNCPaint': [44, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'long'}]], 'ExStyle2': [288, ['unsigned long']], 'bOldUI': [44, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 
'bWS_DLGFRAME': [52, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'long'}]], 'bHIGHDPI_UNAWARE_Unused': [288, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'long'}]], 'bWS_SYSMENU': [52, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'long'}]], 'spwndClipboardListenerNext': [280, ['pointer64', ['tagWND']]], 'hModule': [56, ['pointer64', ['void']]], 'bWS_EX_NOPADDEDBORDER': [48, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'long'}]], 'pActCtx': [264, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'bBottomMost': [44, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'long'}]], 'spmenuSys': [184, ['pointer64', ['tagMENU']]], 'bRecievedSuspendMsg': [40, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'long'}]], 'bWS_EX_CLIENTEDGE': [48, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'long'}]], 'bHasCaption': [40, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'hImc': [248, ['pointer64', ['HIMC__']]], 'bChildNoActivate': [288, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'long'}]], 'bWS_GROUP': [52, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'long'}]], }], 'tagUAHMENUITEMMETRICS': [0x20, { 'rgsizeBar': [0, ['array', 2, ['tagSIZE']]], 'rgsizePopup': [0, ['array', 4, ['tagSIZE']]], }], '_DXGK_DIAG_CODE_POINT_PACKET': [0x40, { 'Header': [0, ['_DXGK_DIAG_HEADER']], 'Param3': [60, ['unsigned long']], 'Param1': [52, ['unsigned long']], 'CodePointType': [48, ['Enumeration', {'target': 'long', 'choices': {0: 'DXGK_DIAG_CODE_POINT_TYPE_NONE', 1: 'DXGK_DIAG_CODE_POINT_TYPE_RECOMMEND_FUNC_VIDPN', 2: 'DXGK_DIAG_CODE_POINT_TYPE_OS_RECOMMENDED_VIDPN', 3: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_LOG_FAILURE', 4: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_INVALIDATE_ERROR', 5: 'DXGK_DIAG_CODE_POINT_TYPE_CDS_LOG_FAILURE', 7: 'DXGK_DIAG_CODE_POINT_TYPE_CDS_FAILURE_DB', 8: 'DXGK_DIAG_CODE_POINT_TYPE_RETRIEVE_BTL', 9: 'DXGK_DIAG_CODE_POINT_TYPE_RETRIEVE_DB', 10: 
'DXGK_DIAG_CODE_POINT_TYPE_QDC_LOG_FAILURE', 11: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_ON_GDI', 12: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_OFF_GDI', 13: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_ON_MONITOR', 14: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_OFF_MONITOR', 15: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_DIM_MONITOR', 16: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_UNDIM_MONITOR', 17: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BACKTRACK', 18: 'DXGK_DIAG_CODE_POINT_TYPE_BML_CLOSEST_TARGET_MODE', 19: 'DXGK_DIAG_CODE_POINT_TYPE_BML_NO_EXACT_SOURCE_MODE', 20: 'DXGK_DIAG_CODE_POINT_TYPE_BML_NO_EXACT_TARGET_MODE', 21: 'DXGK_DIAG_CODE_POINT_TYPE_BML_SOURCE_MODE_NOT_PINNED', 22: 'DXGK_DIAG_CODE_POINT_TYPE_BML_TARGET_MODE_NOT_PINNED', 23: 'DXGK_DIAG_CODE_POINT_TYPE_BML_RESTARTED', 24: 'DXGK_DIAG_CODE_POINT_TYPE_TDR', 25: 'DXGK_DIAG_CODE_POINT_TYPE_ACPI_EVENT_NOTIFICATION', 26: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEMDEV_USE_DEFAULT_MODE', 27: 'DXGK_DIAG_CODE_POINT_TYPE_CONNECTED_SET_LOG_FAILURE', 28: 'DXGK_DIAG_CODE_POINT_TYPE_INVALIDATE_DXGK_MODE_CACHE', 29: 'DXGK_DIAG_CODE_POINT_TYPE_REBUILD_DXGK_MODE_CACHE', 30: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEFUNVIDPN_RELAX_REFRESH_MATCH', 31: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEFUNVIDPN_CCDBML_FAIL_VISTABML_SUCCESSED', 32: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BEST_SOURCE_MODE', 33: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BEST_TARGET_MODE', 34: 'DXGK_DIAG_CODE_POINT_TYPE_ADD_DEVICE', 35: 'DXGK_DIAG_CODE_POINT_TYPE_START_ADAPTER', 36: 'DXGK_DIAG_CODE_POINT_TYPE_STOP_ADAPTER', 37: 'DXGK_DIAG_CODE_POINT_TYPE_CHILD_POLLING', 38: 'DXGK_DIAG_CODE_POINT_TYPE_CHILD_POLLING_TARGET', 39: 'DXGK_DIAG_CODE_POINT_TYPE_INDICATE_CHILD_STATUS', 40: 'DXGK_DIAG_CODE_POINT_TYPE_HANDLE_IRP', 41: 'DXGK_DIAG_CODE_POINT_TYPE_CHANGE_UNSUPPORTED_MONITOR_MODE_FLAG', 42: 'DXGK_DIAG_CODE_POINT_TYPE_ACPI_NOTIFY_CALLBACK', 43: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_EVICTALL_DISABLEGDI', 44: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_EVICTALL_ENABLEGDI', 45: 
'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_MODESWITCH', 46: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_SYNC_MONITOR_EVENT', 47: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_PNP_NOTIFY_GDI', 48: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_PNP_ENABLE_VGA', 49: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_TDR_SWITCH_GDI', 50: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_CREATE_DEVICE_FAILED', 51: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_DEVICE_REMOVED', 52: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_DRVASSERTMODE_TRUE_FAILED', 53: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_RECREATE_DEVICE_FAILED', 54: 'DXGK_DIAG_CODE_POINT_TYPE_CDD_MAPSHADOWBUFFER_FAILED', 55: 'DXGK_DIAG_CODE_POINT_TYPE_COMMIT_VIDPN_LOG_FAILURE', 56: 'DXGK_DIAG_CODE_POINT_TYPE_DRIVER_RECOMMEND_LOG_FAILURE', 57: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_ENFORCED_CLONE_PATH_INVALID_SOURCE_IDX', 58: 'DXGK_DIAG_CODE_POINT_TYPE_DRVPROBEANDCAPTURE_FAILED', 59: 'DXGK_DIAG_CODE_POINT_TYPE_DXGKCDDENABLE_OPTIMIZED_MODE_CHANGE', 60: 'DXGK_DIAG_CODE_POINT_TYPE_DXGKSETDISPLAYMODE_OPTIMIZED_MODE_CHANGE', 61: 'DXGK_DIAG_CODE_POINT_TYPE_MON_DEPART_GETRECENTTOP_FAIL', 62: 'DXGK_DIAG_CODE_POINT_TYPE_MON_ARRIVE_INC_ADD_FAIL', 63: 'DXGK_DIAG_CODE_POINT_TYPE_CCD_DATABASE_PERSIST', 64: 'DXGK_DIAG_CODE_POINT_TYPE_MAX', -1: 'DXGK_DIAG_CODE_POINT_TYPE_FORCE_UINT32'}}]], 'Param2': [56, ['unsigned long']], }], 'tagW32JOB': [0x40, { 'restrictions': [24, ['unsigned long']], 'Job': [8, ['pointer64', ['_EJOB']]], 'ughCrt': [48, ['unsigned long']], 'pgh': [56, ['pointer64', ['unsigned long long']]], 'ppiTable': [40, ['pointer64', ['pointer64', ['tagPROCESSINFO']]]], 'ughMax': [52, ['unsigned long']], 'pAtomTable': [16, ['pointer64', ['void']]], 'uProcessCount': [28, ['unsigned long']], 'uMaxProcesses': [32, ['unsigned long']], 'pNext': [0, ['pointer64', ['tagW32JOB']]], }], 'tagMBSTRING': [0x28, { 'szName': [0, ['array', 15, ['wchar']]], 'uID': [32, ['unsigned long']], 'uStr': [36, ['unsigned long']], }], 
'_D3DKMDT_VIDPN_TARGET_MODE': [0x48, { 'VideoSignalInfo': [8, ['_D3DKMDT_VIDEO_SIGNAL_INFO']], 'Id': [0, ['unsigned long']], 'Preference': [64, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MP_UNINITIALIZED', 1: 'D3DKMDT_MP_PREFERRED', 2: 'D3DKMDT_MP_MAXVALID'}}]], }], '__unnamed_124f': [0x4, { 'PowerState': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'}}]], }], '__unnamed_124b': [0x10, { 'Type': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'}}]], 'Reserved': [1, ['array', 3, ['unsigned char']]], 'InPath': [0, ['unsigned char']], }], 'tagDESKTOP': [0xe0, { 'spmenuVScroll': [80, ['pointer64', ['tagMENU']]], 'dwMouseHoverTime': [212, ['unsigned long']], 'rpwinstaParent': [32, ['pointer64', ['tagWINDOWSTATION']]], 'spmenuDialogSys': [64, ['pointer64', ['tagMENU']]], 'spwndForeground': [88, ['pointer64', ['tagWND']]], 'spmenuHScroll': [72, ['pointer64', ['tagMENU']]], 'spwndTooltip': [112, ['pointer64', ['tagWND']]], 'dwSessionId': [0, ['unsigned long']], 'pDeskInfo': [8, ['pointer64', ['tagDESKTOPINFO']]], 'spwndMessage': [104, ['pointer64', ['tagWND']]], 'cciConsole': [144, ['_CONSOLE_CARET_INFO']], 'PtiList': [168, ['_LIST_ENTRY']], 'spwndTray': [96, ['pointer64', ['tagWND']]], 'rpdeskNext': [24, ['pointer64', ['tagDESKTOP']]], 'dwDTFlags': [40, ['unsigned long']], 'pMagInputTransform': [216, ['pointer64', ['_MAGNIFICATION_INPUT_TRANSFORM']]], 'spwndTrack': [184, ['pointer64', ['tagWND']]], 'htEx': [192, ['long']], 'ulHeapSize': [136, ['unsigned long']], 'pheapDesktop': [128, ['pointer64', ['tagWIN32HEAP']]], 'hsectionDesktop': [120, ['pointer64', ['void']]], 'rcMouseHover': [196, ['tagRECT']], 'dwDesktopId': [48, 
['unsigned long long']], 'spmenuSys': [56, ['pointer64', ['tagMENU']]], 'pDispInfo': [16, ['pointer64', ['tagDISPLAYINFO']]], }], 'tagPOOLRECORD': [0x40, { 'ExtraData': [0, ['pointer64', ['void']]], 'trace': [16, ['array', 6, ['pointer64', ['void']]]], 'size': [8, ['unsigned long long']], }], 'tagSPB': [0x40, { 'hbm': [16, ['pointer64', ['HBITMAP__']]], 'hrgn': [40, ['pointer64', ['HRGN__']]], 'ulSaveId': [56, ['unsigned long long']], 'flags': [48, ['unsigned long']], 'rc': [24, ['tagRECT']], 'pspbNext': [0, ['pointer64', ['tagSPB']]], 'spwnd': [8, ['pointer64', ['tagWND']]], }], '_DMM_COMMITVIDPNREQUEST_DIAGINFO': [0xc, { 'CleanupAfterFailedCommitVidPn': [4, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned char'}]], 'ModeChangeRequestId': [8, ['unsigned long']], 'ReclaimClonedTarget': [4, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned char'}]], 'ForceAllActiveVidPnModeListInvalidation': [4, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned char'}]], }], 'HFONT__': [0x4, { 'unused': [0, ['long']], }], 'tagTEXTMETRICW': [0x3c, { 'tmCharSet': [56, ['unsigned char']], 'tmDigitizedAspectY': [40, ['long']], 'tmStruckOut': [54, ['unsigned char']], 'tmItalic': [52, ['unsigned char']], 'tmDigitizedAspectX': [36, ['long']], 'tmWeight': [28, ['long']], 'tmFirstChar': [44, ['wchar']], 'tmOverhang': [32, ['long']], 'tmDescent': [8, ['long']], 'tmPitchAndFamily': [55, ['unsigned char']], 'tmDefaultChar': [48, ['wchar']], 'tmLastChar': [46, ['wchar']], 'tmBreakChar': [50, ['wchar']], 'tmMaxCharWidth': [24, ['long']], 'tmUnderlined': [53, ['unsigned char']], 'tmInternalLeading': [12, ['long']], 'tmAscent': [4, ['long']], 'tmHeight': [0, ['long']], 'tmAveCharWidth': [20, ['long']], 'tmExternalLeading': [16, ['long']], }], '_KLIST_ENTRY': [0x10, { 'Flink': [0, ['pointer64', ['_KLIST_ENTRY']]], 'Blink': [8, ['pointer64', ['_KLIST_ENTRY']]], }], '__unnamed_1247': [0x10, { 'DeviceTextType': [0, ['Enumeration', {'target': 
'long', 'choices': {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'}}]], 'LocaleId': [8, ['unsigned long']], }], 'tagPROP': [0x10, { 'fs': [10, ['unsigned short']], 'hData': [0, ['pointer64', ['void']]], 'atomKey': [8, ['unsigned short']], }], '__unnamed_1243': [0x4, { 'IdType': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'}}]], }], '__unnamed_123d': [0x20, { 'Buffer': [8, ['pointer64', ['void']]], 'WhichSpace': [0, ['unsigned long']], 'Length': [24, ['unsigned long']], 'Offset': [16, ['unsigned long']], }], 'tagCLIENTTHREADINFO': [0x10, { 'fsWakeMask': [10, ['unsigned short']], 'CTIF_flags': [0, ['unsigned long']], 'fsWakeBits': [6, ['unsigned short']], 'fsWakeBitsJournal': [8, ['unsigned short']], 'fsChangeBits': [4, ['unsigned short']], 'tickLastMsgChecked': [12, ['unsigned long']], }], 'tagKbdNlsLayer': [0x20, { 'OEMIdentifier': [0, ['unsigned short']], 'NumOfVkToF': [4, ['unsigned long']], 'pusMouseVKey': [24, ['pointer64', ['unsigned short']]], 'NumOfMouseVKey': [16, ['long']], 'pVkToF': [8, ['pointer64', ['_VK_TO_FUNCTION_TABLE']]], 'LayoutInformation': [2, ['unsigned short']], }], 'HBITMAP__': [0x4, { 'unused': [0, ['long']], }], '__unnamed_11ff': [0x20, { 'ShareAccess': [18, ['unsigned short']], 'EaLength': [24, ['unsigned long']], 'SecurityContext': [0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options': [8, ['unsigned long']], 'FileAttributes': [16, ['unsigned short']], }], 'tagPROCESS_HID_TABLE': [0x68, { 'UsagePageLast': [96, ['unsigned short']], 'fExclusiveMouseSink': [100, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'fRawKeyboardSink': [100, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'long'}]], 'fAppKeys': [100, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'long'}]], 'fCaptureMouse': [100, ['BitField', {'end_bit': 
9, 'start_bit': 8, 'native_type': 'long'}]], 'fNoLegacyMouse': [100, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'UsageLast': [98, ['unsigned short']], 'fRawKeyboard': [100, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'long'}]], 'fNoLegacyKeyboard': [100, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'long'}]], 'nSinks': [80, ['long']], 'fNoHotKeys': [100, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'long'}]], 'spwndTargetMouse': [64, ['pointer64', ['tagWND']]], 'spwndTargetKbd': [72, ['pointer64', ['tagWND']]], 'UsagePageList': [32, ['_LIST_ENTRY']], 'link': [0, ['_LIST_ENTRY']], 'fExclusiveKeyboardSink': [100, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'pLastRequest': [88, ['pointer64', ['tagPROCESS_HID_REQUEST']]], 'ExclusionList': [48, ['_LIST_ENTRY']], 'fRawMouse': [100, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'fRawMouseSink': [100, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'InclusionList': [16, ['_LIST_ENTRY']], }], '__unnamed_1809': [0x10, { 'Affinity': [8, ['unsigned long long']], 'Vector': [4, ['unsigned long']], 'Group': [0, ['unsigned short']], 'MessageCount': [2, ['unsigned short']], }], '_KFLOATING_SAVE': [0x4, { 'Dummy': [0, ['unsigned long']], }], 'tagRECT': [0x10, { 'top': [4, ['long']], 'right': [8, ['long']], 'bottom': [12, ['long']], 'left': [0, ['long']], }], '__unnamed_1807': [0x10, { 'Affinity': [8, ['unsigned long long']], 'Vector': [4, ['unsigned long']], 'Group': [2, ['unsigned short']], 'Level': [0, ['unsigned short']], }], 'HBRUSH__': [0x4, { 'unused': [0, ['long']], }], '_TLSPRITESTATE': [0xa8, { 'flOriginalSurfFlags': [4, ['unsigned long']], 'iSpriteType': [16, ['unsigned long']], 'pfnSaveScreenBits': [144, ['pointer64', ['void']]], 'bInsideDriverCall': [0, ['unsigned char']], 'pfnStrokePath': [48, ['pointer64', ['void']]], 'pfnTransparentBlt': [112, ['pointer64', ['void']]], 
'pfnPaint': [64, ['pointer64', ['void']]], 'pfnFillPath': [56, ['pointer64', ['void']]], 'pfnStretchBltROP': [152, ['pointer64', ['void']]], 'iType': [24, ['unsigned long']], 'pfnPlgBlt': [128, ['pointer64', ['void']]], 'pfnCopyBits': [80, ['pointer64', ['void']]], 'pState': [32, ['pointer64', ['void']]], 'iOriginalType': [8, ['unsigned long']], 'pfnTextOut': [96, ['pointer64', ['void']]], 'pfnDrawStream': [160, ['pointer64', ['void']]], 'pfnStrokeAndFillPath': [40, ['pointer64', ['void']]], 'pfnLineTo': [104, ['pointer64', ['void']]], 'pfnStretchBlt': [88, ['pointer64', ['void']]], 'pfnGradientFill': [136, ['pointer64', ['void']]], 'pfnAlphaBlend': [120, ['pointer64', ['void']]], 'flags': [20, ['unsigned long']], 'flSpriteSurfFlags': [12, ['unsigned long']], 'pfnBitBlt': [72, ['pointer64', ['void']]], }], 'tagSMS': [0x70, { 'wParam': [72, ['unsigned long long']], 'lParam': [80, ['long long']], 'lRet': [56, ['long long']], 'psmsReceiveNext': [8, ['pointer64', ['tagSMS']]], 'tSent': [64, ['unsigned long']], 'psmsNext': [0, ['pointer64', ['tagSMS']]], 'ptiCallBackSender': [48, ['pointer64', ['tagTHREADINFO']]], 'ptiReceiver': [24, ['pointer64', ['tagTHREADINFO']]], 'lpResultCallBack': [32, ['pointer64', ['void']]], 'message': [88, ['unsigned long']], 'dwData': [40, ['unsigned long long']], 'ptiSender': [16, ['pointer64', ['tagTHREADINFO']]], 'flags': [68, ['unsigned long']], 'pvCapture': [104, ['pointer64', ['void']]], 'spwnd': [96, ['pointer64', ['tagWND']]], }], '_D3DKMDT_FREQUENCY_RANGE': [0x20, { 'MinVSyncFreq': [0, ['_D3DDDI_RATIONAL']], 'MaxVSyncFreq': [8, ['_D3DDDI_RATIONAL']], 'MaxHSyncFreq': [24, ['_D3DDDI_RATIONAL']], 'MinHSyncFreq': [16, ['_D3DDDI_RATIONAL']], }], '__unnamed_11f8': [0x58, { 'Apc': [0, ['_KAPC']], 'CompletionKey': [0, ['pointer64', ['void']]], 'Overlay': [0, ['__unnamed_11f5']], }], '__unnamed_18bf': [0x4, { 'BaseMiddle': [0, ['unsigned char']], 'BaseHigh': [3, ['unsigned char']], 'Flags1': [1, ['unsigned char']], 
'Flags2': [2, ['unsigned char']], }], '__unnamed_11f5': [0x50, { 'AuxiliaryBuffer': [40, ['pointer64', ['unsigned char']]], 'Thread': [32, ['pointer64', ['_ETHREAD']]], 'OriginalFileObject': [72, ['pointer64', ['_FILE_OBJECT']]], 'DeviceQueueEntry': [0, ['_KDEVICE_QUEUE_ENTRY']], 'PacketType': [64, ['unsigned long']], 'CurrentStackLocation': [64, ['pointer64', ['_IO_STACK_LOCATION']]], 'ListEntry': [48, ['_LIST_ENTRY']], 'DriverContext': [0, ['array', 4, ['pointer64', ['void']]]], }], 'HRGN__': [0x4, { 'unused': [0, ['long']], }], 'tagSIZE': [0x8, { 'cy': [4, ['long']], 'cx': [0, ['long']], }], 'tagDESKTOPVIEW': [0x18, { 'ulClientDelta': [16, ['unsigned long long']], 'pdesk': [8, ['pointer64', ['tagDESKTOP']]], 'pdvNext': [0, ['pointer64', ['tagDESKTOPVIEW']]], }], '__unnamed_180b': [0x10, { 'Translated': [0, ['__unnamed_1807']], 'Raw': [0, ['__unnamed_1809']], }], '__unnamed_180d': [0xc, { 'Reserved1': [8, ['unsigned long']], 'Port': [4, ['unsigned long']], 'Channel': [0, ['unsigned long']], }], 'MODIFIERS': [0x10, { 'wMaxModBits': [8, ['unsigned short']], 'pVkToBit': [0, ['pointer64', ['VK_TO_BIT']]], 'ModNumber': [10, ['array', 0, ['unsigned char']]], }], '__unnamed_120f': [0x10, { 'CompletionFilter': [8, ['unsigned long']], 'Length': [0, ['unsigned long']], }], '__unnamed_120d': [0x20, { 'Length': [0, ['unsigned long']], 'FileIndex': [24, ['unsigned long']], 'FileInformationClass': [16, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 
20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], 'FileName': [8, ['pointer64', ['_UNICODE_STRING']]], }], '_DMM_VIDPNPATHSFROMSOURCE_SERIALIZATION': [0x1e0, { 'PathAndTargetModeSerialization': [48, ['array', 1, ['_DMM_VIDPNPATHANDTARGETMODE_SERIALIZATION']]], 'NumPathsFromSource': [40, ['unsigned char']], 'SourceMode': [0, ['_D3DKMDT_VIDPN_SOURCE_MODE']], }], '_D3DDDI_GAMMA_RAMP_RGB256x3x16': [0x600, { 'Blue': [1024, ['array', 256, ['unsigned short']]], 'Green': [512, ['array', 256, ['unsigned short']]], 'Red': [0, ['array', 256, ['unsigned short']]], }], '_CALLPROCDATA': [0x40, { 'head': [0, ['_PROCDESKHEAD']], 'pfnClientPrevious': [48, ['unsigned long long']], 'wType': [56, ['unsigned short']], 'spcpdNext': [40, ['pointer64', 
['_CALLPROCDATA']]], }], '_D3DDDI_RATIONAL': [0x8, { 'Denominator': [4, ['unsigned long']], 'Numerator': [0, ['unsigned long']], }], '_PFNCLIENT': [0xb8, { 'pfnDispatchDefWindowProc': [160, ['pointer64', ['void']]], 'pfnStaticWndProc': [112, ['pointer64', ['void']]], 'pfnDispatchHook': [152, ['pointer64', ['void']]], 'pfnDesktopWndProc': [24, ['pointer64', ['void']]], 'pfnImeWndProc': [120, ['pointer64', ['void']]], 'pfnScrollBarWndProc': [0, ['pointer64', ['void']]], 'pfnEditWndProc': [88, ['pointer64', ['void']]], 'pfnGhostWndProc': [128, ['pointer64', ['void']]], 'pfnMessageWindowProc': [40, ['pointer64', ['void']]], 'pfnSwitchWindowProc': [48, ['pointer64', ['void']]], 'pfnComboListBoxProc': [72, ['pointer64', ['void']]], 'pfnComboBoxWndProc': [64, ['pointer64', ['void']]], 'pfnMDIClientWndProc': [104, ['pointer64', ['void']]], 'pfnDialogWndProc': [80, ['pointer64', ['void']]], 'pfnHkINLPCWPSTRUCT': [136, ['pointer64', ['void']]], 'pfnTitleWndProc': [8, ['pointer64', ['void']]], 'pfnHkINLPCWPRETSTRUCT': [144, ['pointer64', ['void']]], 'pfnButtonWndProc': [56, ['pointer64', ['void']]], 'pfnMenuWndProc': [16, ['pointer64', ['void']]], 'pfnListBoxWndProc': [96, ['pointer64', ['void']]], 'pfnDispatchMessage': [168, ['pointer64', ['void']]], 'pfnDefWindowProc': [32, ['pointer64', ['void']]], 'pfnMDIActivateDlgProc': [176, ['pointer64', ['void']]], }], '_THRDESKHEAD': [0x28, { 'h': [0, ['pointer64', ['void']]], 'pSelf': [32, ['pointer64', ['unsigned char']]], 'rpdesk': [24, ['pointer64', ['tagDESKTOP']]], 'pti': [16, ['pointer64', ['tagTHREADINFO']]], 'cLockObj': [8, ['unsigned long']], }], '_D3DKMDT_MONITOR_SOURCE_MODE': [0x60, { 'Origin': [84, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'VideoSignalInfo': [8, 
['_D3DKMDT_VIDEO_SIGNAL_INFO']], 'ColorCoeffDynamicRanges': [68, ['_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES']], 'Preference': [88, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MP_UNINITIALIZED', 1: 'D3DKMDT_MP_PREFERRED', 2: 'D3DKMDT_MP_MAXVALID'}}]], 'Id': [0, ['unsigned long']], 'ColorBasis': [64, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], }], 'VWPL': [0x10, { 'fTagged': [12, ['long']], 'cElem': [4, ['unsigned long']], 'cThreshhold': [8, ['unsigned long']], 'aElement': [16, ['array', 0, ['VWPLELEMENT']]], 'cPwnd': [0, ['unsigned long']], }], 'tagCURSOR': [0x88, { 'rt': [58, ['unsigned short']], 'head': [0, ['_PROCMARKHEAD']], 'hbmUserAlpha': [112, ['pointer64', ['HBITMAP__']]], 'cx': [124, ['unsigned long']], 'xHotspot': [68, ['short']], 'hbmColor': [80, ['pointer64', ['HBITMAP__']]], 'pcurNext': [32, ['pointer64', ['tagCURSOR']]], 'CURSORF_flags': [64, ['unsigned long']], 'hbmMask': [72, ['pointer64', ['HBITMAP__']]], 'bpp': [120, ['unsigned long']], 'cy': [128, ['unsigned long']], 'strName': [40, ['_UNICODE_STRING']], 'rcBounds': [96, ['tagRECT']], 'atomModName': [56, ['unsigned short']], 'hbmAlpha': [88, ['pointer64', ['HBITMAP__']]], 'yHotspot': [70, ['short']], }], '__unnamed_1203': [0x20, { 'ShareAccess': [18, ['unsigned short']], 'Reserved': [16, ['unsigned short']], 'SecurityContext': [0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options': [8, ['unsigned long']], 'Parameters': [24, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], }], '__unnamed_1207': [0x20, { 'ShareAccess': [18, ['unsigned short']], 'Reserved': [16, ['unsigned short']], 'SecurityContext': [0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options': [8, ['unsigned long']], 'Parameters': [24, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], }], 'HKL__': [0x4, { 'unused': [0, ['long']], }], '__unnamed_1209': [0x18, { 
'Length': [0, ['unsigned long']], 'ByteOffset': [16, ['_LARGE_INTEGER']], 'Key': [8, ['unsigned long']], }], 'tagDCE': [0x60, { 'hrgnClipPublic': [48, ['pointer64', ['HRGN__']]], 'pdceNext': [0, ['pointer64', ['tagDCE']]], 'hrgnSavedVis': [56, ['pointer64', ['HRGN__']]], 'pwndRedirect': [32, ['pointer64', ['tagWND']]], 'pMonitor': [88, ['pointer64', ['tagMONITOR']]], 'ppiOwner': [80, ['pointer64', ['tagPROCESSINFO']]], 'pwndOrg': [16, ['pointer64', ['tagWND']]], 'hrgnClip': [40, ['pointer64', ['HRGN__']]], 'hdc': [8, ['pointer64', ['HDC__']]], 'ptiOwner': [72, ['pointer64', ['tagTHREADINFO']]], 'DCX_flags': [64, ['unsigned long']], 'pwndClip': [24, ['pointer64', ['tagWND']]], }], 'tagPROCESS_HID_REQUEST': [0x28, { 'link': [0, ['_LIST_ENTRY']], 'fExclusiveOrphaned': [20, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'spwndTarget': [32, ['pointer64', ['tagWND']]], 'fSinkable': [20, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'pTLCInfo': [24, ['pointer64', ['tagHID_TLC_INFO']]], 'fDevNotify': [20, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'fExSinkable': [20, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'usUsage': [18, ['unsigned short']], 'ptr': [24, ['pointer64', ['void']]], 'pPORequest': [24, ['pointer64', ['tagHID_PAGEONLY_REQUEST']]], 'usUsagePage': [16, ['unsigned short']], }], 'tagWOWTHREADINFO': [0x28, { 'idParentProcess': [24, ['unsigned long']], 'pwtiNext': [0, ['pointer64', ['tagWOWTHREADINFO']]], 'idTask': [8, ['unsigned long']], 'pIdleEvent': [32, ['pointer64', ['_KEVENT']]], 'idWaitObject': [16, ['unsigned long long']], }], '__unnamed_1962': [0x18, { 'Dma': [0, ['__unnamed_1956']], 'Generic': [0, ['__unnamed_1950']], 'Memory': [0, ['__unnamed_1950']], 'BusNumber': [0, ['__unnamed_1958']], 'Memory48': [0, ['__unnamed_195e']], 'Memory40': [0, ['__unnamed_195c']], 'DevicePrivate': [0, ['__unnamed_180f']], 'ConfigData': [0, ['__unnamed_195a']], 'Memory64': 
[0, ['__unnamed_1960']], 'Interrupt': [0, ['__unnamed_1954']], 'Port': [0, ['__unnamed_1950']], }], '__unnamed_1960': [0x18, { 'Length64': [0, ['unsigned long']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'Alignment64': [4, ['unsigned long']], }], 'tagSBDATA': [0x10, { 'posMax': [4, ['long']], 'posMin': [0, ['long']], 'page': [8, ['long']], 'pos': [12, ['long']], }], '__unnamed_1233': [0x20, { 'Interface': [16, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData': [24, ['pointer64', ['void']]], 'Version': [10, ['unsigned short']], 'InterfaceType': [0, ['pointer64', ['_GUID']]], 'Size': [8, ['unsigned short']], }], '__unnamed_1237': [0x8, { 'Capabilities': [0, ['pointer64', ['_DEVICE_CAPABILITIES']]], }], 'tagIMEINFO': [0x1c, { 'fdwProperty': [4, ['unsigned long']], 'fdwSelectCaps': [24, ['unsigned long']], 'fdwUICaps': [16, ['unsigned long']], 'dwPrivateDataSize': [0, ['unsigned long']], 'fdwSCSCaps': [20, ['unsigned long']], 'fdwSentenceCaps': [12, ['unsigned long']], 'fdwConversionCaps': [8, ['unsigned long']], }], '_D3DKMDT_VIDPN_SOURCE_MODE': [0x28, { 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_RMT_UNINITIALIZED', 1: 'D3DKMDT_RMT_GRAPHICS', 2: 'D3DKMDT_RMT_TEXT'}}]], 'Id': [0, ['unsigned long']], 'Format': [8, ['__unnamed_18a1']], }], '_PROCMARKHEAD': [0x20, { 'h': [0, ['pointer64', ['void']]], 'ppi': [24, ['pointer64', ['tagPROCESSINFO']]], 'hTaskWow': [16, ['unsigned long']], 'cLockObj': [8, ['unsigned long']], }], 'tagKBDFILE': [0x78, { 'head': [0, ['_HEAD']], 'awchDllName': [56, ['array', 32, ['wchar']]], 'pKbdTbl': [32, ['pointer64', ['tagKbdLayer']]], 'pkfNext': [16, ['pointer64', ['tagKBDFILE']]], 'pKbdNlsTbl': [48, ['pointer64', ['tagKbdNlsLayer']]], 'hBase': [24, ['pointer64', ['void']]], 'Size': [40, ['unsigned long']], }], 'tagCLIENTINFO': [0xd8, { 'msgDbcsCB': [160, ['tagMSG']], 'dwCompatFlags': [20, ['unsigned long']], 'achDbcsCF': [154, ['array', 2, ['unsigned char']]], 
'dwTIFlags': [28, ['unsigned long']], 'pClientThreadInfo': [96, ['pointer64', ['tagCLIENTTHREADINFO']]], 'CodePage': [152, ['unsigned short']], 'dwKeyCache': [112, ['unsigned long']], 'dwHookCurrent': [88, ['unsigned long']], 'afAsyncKeyStateRecentDown': [136, ['array', 8, ['unsigned char']]], 'dwCompatFlags2': [24, ['unsigned long']], 'fsHooks': [56, ['unsigned long']], 'ulClientDelta': [40, ['unsigned long long']], 'pDeskInfo': [32, ['pointer64', ['tagDESKTOPINFO']]], 'dwExpWinVer': [16, ['unsigned long']], 'dwHookData': [104, ['unsigned long long']], 'afAsyncKeyState': [128, ['array', 8, ['unsigned char']]], 'CallbackWnd': [64, ['_CALLBACKWND']], 'lpdwRegisteredClasses': [208, ['pointer64', ['unsigned long']]], 'cInDDEMLCallback': [92, ['long']], 'cSpins': [8, ['unsigned long long']], 'hKL': [144, ['pointer64', ['HKL__']]], 'dwAsyncKeyCache': [124, ['unsigned long']], 'afKeyState': [116, ['array', 8, ['unsigned char']]], 'CI_flags': [0, ['unsigned long long']], 'phkCurrent': [48, ['pointer64', ['tagHOOK']]], }], 'tagCLS': [0xa0, { 'spcur': [120, ['pointer64', ['tagCURSOR']]], 'cbwndExtra': [100, ['long']], 'pclsClone': [72, ['pointer64', ['tagCLS']]], 'lpszClientAnsiMenuName': [40, ['pointer64', ['unsigned char']]], 'pclsBase': [64, ['pointer64', ['tagCLS']]], 'atomNVClassName': [10, ['unsigned short']], 'style': [84, ['unsigned long']], 'pclsNext': [0, ['pointer64', ['tagCLS']]], 'CSF_flags': [34, ['unsigned short']], 'lpfnWndProc': [88, ['pointer64', ['void']]], 'lpszAnsiClassName': [144, ['pointer64', ['unsigned char']]], 'spcpdFirst': [56, ['pointer64', ['_CALLPROCDATA']]], 'lpszClientUnicodeMenuName': [48, ['pointer64', ['unsigned short']]], 'cbclsExtra': [96, ['long']], 'lpszMenuName': [136, ['pointer64', ['unsigned short']]], 'spicnSm': [152, ['pointer64', ['tagCURSOR']]], 'hTaskWow': [32, ['unsigned short']], 'cWndReferenceCount': [80, ['long']], 'hbrBackground': [128, ['pointer64', ['HBRUSH__']]], 'spicn': [112, ['pointer64', ['tagCURSOR']]], 'fnid': 
[12, ['unsigned short']], 'pdce': [24, ['pointer64', ['tagDCE']]], 'hModule': [104, ['pointer64', ['void']]], 'rpdeskParent': [16, ['pointer64', ['tagDESKTOP']]], 'atomClassName': [8, ['unsigned short']], }], '_DMM_VIDPN_SERIALIZATION': [0xc, { 'PathsFromSourceSerializationOffsets': [8, ['array', 1, ['unsigned long']]], 'NumActiveSources': [4, ['unsigned char']], 'Size': [0, ['unsigned long']], }], 'tagHID_PAGEONLY_REQUEST': [0x18, { 'usUsagePage': [16, ['unsigned short']], 'link': [0, ['_LIST_ENTRY']], 'cRefCount': [20, ['unsigned long']], }], 'tagWINDOWSTATION': [0x98, { 'pClipBase': [88, ['pointer64', ['tagCLIP']]], 'dwSessionId': [0, ['unsigned long']], 'cNumClipFormats': [96, ['unsigned long']], 'luidUser': [136, ['_LUID']], 'pGlobalAtomTable': [120, ['pointer64', ['void']]], 'ptiClipLock': [48, ['pointer64', ['tagTHREADINFO']]], 'dwWSF_Flags': [32, ['unsigned long']], 'rpdeskList': [16, ['pointer64', ['tagDESKTOP']]], 'spklList': [40, ['pointer64', ['tagKL']]], 'spwndClipOpen': [64, ['pointer64', ['tagWND']]], 'luidEndSession': [128, ['_LUID']], 'pTerm': [24, ['pointer64', ['tagTERMINAL']]], 'rpwinstaNext': [8, ['pointer64', ['tagWINDOWSTATION']]], 'spwndClipboardListener': [112, ['pointer64', ['tagWND']]], 'spwndClipViewer': [72, ['pointer64', ['tagWND']]], 'iClipSequenceNumber': [104, ['unsigned long']], 'ptiDrawingClipboard': [56, ['pointer64', ['tagTHREADINFO']]], 'spwndClipOwner': [80, ['pointer64', ['tagWND']]], 'psidUser': [144, ['pointer64', ['void']]], 'iClipSerialNumber': [100, ['unsigned long']], }], '__unnamed_11e4': [0x10, { 'UserApcContext': [8, ['pointer64', ['void']]], 'UserApcRoutine': [0, ['pointer64', ['void']]], 'IssuingProcess': [0, ['pointer64', ['void']]], }], 'tagPROFILEVALUEINFO': [0x10, { 'dwValue': [0, ['unsigned long']], 'uSection': [4, ['unsigned long']], 'pwszKeyName': [8, ['pointer64', ['wchar']]], }], 'tagOEMBITMAPINFO': [0x10, { 'y': [4, ['long']], 'x': [0, ['long']], 'cy': [12, ['long']], 'cx': [8, ['long']], }], 
'_DMM_COMMITVIDPNREQUEST_SERIALIZATION': [0x1c, { 'RequestDiagInfo': [4, ['_DMM_COMMITVIDPNREQUEST_DIAGINFO']], 'AffectedVidPnSourceId': [0, ['unsigned long']], 'VidPnSerialization': [16, ['_DMM_VIDPN_SERIALIZATION']], }], '_WNDMSG': [0x10, { 'abMsgs': [8, ['pointer64', ['unsigned char']]], 'maxMsgs': [0, ['unsigned long']], }], 'tagTDB': [0x28, { 'pti': [16, ['pointer64', ['tagTHREADINFO']]], 'TDB_Flags': [34, ['unsigned short']], 'hTaskWow': [32, ['unsigned short']], 'pwti': [24, ['pointer64', ['tagWOWTHREADINFO']]], 'nEvents': [8, ['long']], 'nPriority': [12, ['long']], 'ptdbNext': [0, ['pointer64', ['tagTDB']]], }], '_LIGATURE1': [0x6, { 'wch': [4, ['array', 1, ['wchar']]], 'VirtualKey': [0, ['unsigned char']], 'ModificationNumber': [2, ['unsigned short']], }], '_D3DKMDT_VIDPN_PRESENT_PATH': [0x168, { 'GammaRamp': [336, ['_D3DKMDT_GAMMA_RAMP']], 'VidPnSourceId': [0, ['unsigned long']], 'Content': [64, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPC_UNINITIALIZED', 1: 'D3DKMDT_VPPC_GRAPHICS', 2: 'D3DKMDT_VPPC_VIDEO', 255: 'D3DKMDT_VPPC_NOTSPECIFIED'}}]], 'VisibleFromActiveBROffset': [36, ['_D3DKMDT_2DREGION']], 'VidPnTargetColorBasis': [44, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], 'ContentTransformation': [12, ['_D3DKMDT_VIDPN_PRESENT_PATH_TRANSFORMATION']], 'VidPnTargetId': [4, ['unsigned long']], 'VisibleFromActiveTLOffset': [28, ['_D3DKMDT_2DREGION']], 'CopyProtection': [68, ['_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION']], 'VidPnTargetColorCoeffDynamicRanges': [48, ['_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES']], 'ImportanceOrdinal': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPI_UNINITIALIZED', 1: 'D3DKMDT_VPPI_PRIMARY', 2: 'D3DKMDT_VPPI_SECONDARY', 3: 'D3DKMDT_VPPI_TERTIARY', 4: 'D3DKMDT_VPPI_QUATERNARY', 5: 'D3DKMDT_VPPI_QUINARY', 6: 'D3DKMDT_VPPI_SENARY', 7: 
'D3DKMDT_VPPI_SEPTENARY', 8: 'D3DKMDT_VPPI_OCTONARY', 9: 'D3DKMDT_VPPI_NONARY', 10: 'D3DKMDT_VPPI_DENARY', 32: 'D3DKMDT_VPPI_MAX', 255: 'D3DKMDT_VPPI_NOTSPECIFIED'}}]], }], '__unnamed_1253': [0x8, { 'PowerSequence': [0, ['pointer64', ['_POWER_SEQUENCE']]], }], '_PROCDESKHEAD': [0x28, { 'h': [0, ['pointer64', ['void']]], 'pSelf': [32, ['pointer64', ['unsigned char']]], 'rpdesk': [24, ['pointer64', ['tagDESKTOP']]], 'hTaskWow': [16, ['unsigned long']], 'cLockObj': [8, ['unsigned long']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_ROTATION_SUPPORT': [0x4, { 'Rotate270': [0, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'Rotate90': [0, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'Identity': [0, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'Rotate180': [0, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], }], '__unnamed_1958': [0x10, { 'MinBusNumber': [4, ['unsigned long']], 'Length': [0, ['unsigned long']], 'Reserved': [12, ['unsigned long']], 'MaxBusNumber': [8, ['unsigned long']], }], '_CONSOLE_CARET_INFO': [0x18, { 'hwnd': [0, ['pointer64', ['HWND__']]], 'rc': [8, ['tagRECT']], }], 'tagPROCESSINFO': [0x300, { 'fHasMagContext': [736, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'hwinsta': [608, ['pointer64', ['HWINSTA__']]], 'ptiList': [256, ['pointer64', ['tagTHREADINFO']]], 'pHidTable': [744, ['pointer64', ['tagPROCESS_HID_TABLE']]], 'W32PF_Flags': [12, ['unsigned long']], 'UserHandleCount': [68, ['long']], 'dwhmodLibLoadedMask': [340, ['unsigned long']], 'GDIBrushAttrFreeList': [208, ['_LIST_ENTRY']], 'hdeskStartup': [328, ['pointer64', ['HDESK__']]], 'dwImeCompatFlags': [696, ['unsigned long']], 'dwRegisteredClasses': [752, ['unsigned long']], 'pBrushAttrList': [48, ['pointer64', ['void']]], 'usi': [708, ['tagUSERSTARTUPINFO']], 'InputIdleEvent': [16, ['pointer64', ['_KEVENT']]], 
'W32Pid': [56, ['unsigned long']], 'bmHandleFlags': [648, ['_RTL_BITMAP']], 'UserHandleCountPeak': [72, ['unsigned long']], 'GDIEngUserMemAllocTable': [88, ['_RTL_AVL_TABLE']], 'cSysExpunge': [336, ['unsigned long']], 'pdvList': [632, ['pointer64', ['tagDESKTOPVIEW']]], 'pwpi': [296, ['pointer64', ['tagWOWPROCESSINFO']]], 'ppiNextRunning': [312, ['pointer64', ['tagPROCESSINFO']]], 'Process': [0, ['pointer64', ['_EPROCESS']]], 'pCursorCache': [664, ['pointer64', ['tagCURSOR']]], 'pClientBase': [672, ['pointer64', ['void']]], 'dwLpkEntryPoints': [680, ['unsigned long']], 'GDIDcAttrFreeList': [192, ['_LIST_ENTRY']], 'DxProcess': [248, ['pointer64', ['void']]], 'NextStart': [32, ['pointer64', ['_W32PROCESS']]], 'RefCount': [8, ['unsigned long']], 'dwLayout': [740, ['unsigned long']], 'pclsPublicList': [288, ['pointer64', ['tagCLS']]], 'Unused': [736, ['BitField', {'end_bit': 32, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'GDIPushLock': [80, ['_EX_PUSH_LOCK']], 'hMonitor': [624, ['pointer64', ['HMONITOR__']]], 'ptiMainThread': [264, ['pointer64', ['tagTHREADINFO']]], 'pvwplWndGCList': [760, ['pointer64', ['VWPL']]], 'pW32Job': [688, ['pointer64', ['tagW32JOB']]], 'luidSession': [700, ['_LUID']], 'GDIHandleCount': [60, ['long']], 'cThreads': [320, ['unsigned long']], 'rpdeskStartup': [272, ['pointer64', ['tagDESKTOP']]], 'hSecureGdiSharedHandleTable': [240, ['pointer64', ['void']]], 'pclsPrivateList': [280, ['pointer64', ['tagCLS']]], 'GDIHandleCountPeak': [64, ['unsigned long']], 'StartCursorHideTime': [24, ['unsigned long']], 'ppiNext': [304, ['pointer64', ['tagPROCESSINFO']]], 'Flags': [736, ['unsigned long']], 'dwHotkey': [620, ['unsigned long']], 'amwinsta': [616, ['unsigned long']], 'rpwinsta': [600, ['pointer64', ['tagWINDOWSTATION']]], 'ahmodLibLoaded': [344, ['array', 32, ['pointer64', ['void']]]], 'iClipSerialNumber': [640, ['unsigned long']], 'GDIW32PIDLockedBitmaps': [224, ['_LIST_ENTRY']], 'pDCAttrList': [40, ['pointer64', ['void']]], }], '__unnamed_181b': [0x10, { 'Dma': [0, 
['__unnamed_180d']], 'MessageInterrupt': [0, ['__unnamed_180b']], 'Generic': [0, ['__unnamed_1805']], 'Memory': [0, ['__unnamed_1805']], 'BusNumber': [0, ['__unnamed_1811']], 'DeviceSpecificData': [0, ['__unnamed_1813']], 'Memory48': [0, ['__unnamed_1817']], 'Memory40': [0, ['__unnamed_1815']], 'DevicePrivate': [0, ['__unnamed_180f']], 'Memory64': [0, ['__unnamed_1819']], 'Interrupt': [0, ['__unnamed_1807']], 'Port': [0, ['__unnamed_1805']], }], '__unnamed_195e': [0x18, { 'Length48': [0, ['unsigned long']], 'Alignment48': [4, ['unsigned long']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], }], '__unnamed_195c': [0x18, { 'Length40': [0, ['unsigned long']], 'Alignment40': [4, ['unsigned long']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], }], '__unnamed_195a': [0xc, { 'Priority': [0, ['unsigned long']], 'Reserved1': [4, ['unsigned long']], 'Reserved2': [8, ['unsigned long']], }], '__unnamed_125f': [0x10, { 'AllocatedResources': [0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated': [8, ['pointer64', ['_CM_RESOURCE_LIST']]], }], '__unnamed_125b': [0x20, { 'State': [16, ['_POWER_STATE']], 'Type': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'SystemPowerState', 1: 'DevicePowerState'}}]], 'SystemContext': [0, ['unsigned long']], 'ShutdownType': [24, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'}}]], 'SystemPowerStateContext': [0, ['_SYSTEM_POWER_STATE_CONTEXT']], }], 'tagKbdLayer': [0x68, { 'pVkToWcharTable': [8, ['pointer64', ['_VK_TO_WCHAR_TABLE']]], 'pusVSCtoVK': [48, ['pointer64', ['unsigned short']]], 'fLocaleFlags': [80, ['unsigned long']], 'pKeyNamesExt': [32, ['pointer64', ['VSC_LPWSTR']]], 'dwSubType': [100, ['unsigned long']], 'pDeadKey': 
[16, ['pointer64', ['DEADKEY']]], 'pCharModifiers': [0, ['pointer64', ['MODIFIERS']]], 'pKeyNamesDead': [40, ['pointer64', ['pointer64', ['unsigned short']]]], 'bMaxVSCtoVK': [56, ['unsigned char']], 'pKeyNames': [24, ['pointer64', ['VSC_LPWSTR']]], 'dwType': [96, ['unsigned long']], 'pLigature': [88, ['pointer64', ['_LIGATURE1']]], 'nLgMax': [84, ['unsigned char']], 'pVSCtoVK_E1': [72, ['pointer64', ['_VSC_VK']]], 'pVSCtoVK_E0': [64, ['pointer64', ['_VSC_VK']]], 'cbLgEntry': [85, ['unsigned char']], }], 'HDC__': [0x4, { 'unused': [0, ['long']], }], 'tagWin32AllocStats': [0x20, { 'dwMaxAlloc': [16, ['unsigned long']], 'pHead': [24, ['pointer64', ['tagWin32PoolHead']]], 'dwMaxMem': [0, ['unsigned long long']], 'dwCrtMem': [8, ['unsigned long long']], 'dwCrtAlloc': [20, ['unsigned long']], }], '__unnamed_18c5': [0x4, { 'DefaultBig': [0, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'unsigned long'}]], 'BaseMiddle': [0, ['BitField', {'end_bit': 8, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'Granularity': [0, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'unsigned long'}]], 'LimitHigh': [0, ['BitField', {'end_bit': 20, 'start_bit': 16, 'native_type': 'unsigned long'}]], 'BaseHigh': [0, ['BitField', {'end_bit': 32, 'start_bit': 24, 'native_type': 'unsigned long'}]], 'Dpl': [0, ['BitField', {'end_bit': 15, 'start_bit': 13, 'native_type': 'unsigned long'}]], 'Type': [0, ['BitField', {'end_bit': 13, 'start_bit': 8, 'native_type': 'unsigned long'}]], 'System': [0, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'unsigned long'}]], 'Present': [0, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'unsigned long'}]], 'LongMode': [0, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'unsigned long'}]], }], '__unnamed_1817': [0xc, { 'Length48': [8, ['unsigned long']], 'Start': [0, ['_LARGE_INTEGER']], }], '__unnamed_1815': [0xc, { 'Length40': [8, ['unsigned long']], 'Start': [0, ['_LARGE_INTEGER']], }], 
'__unnamed_1813': [0xc, { 'DataSize': [0, ['unsigned long']], 'Reserved1': [4, ['unsigned long']], 'Reserved2': [8, ['unsigned long']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_SCALING_SUPPORT': [0x4, { 'Centered': [0, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'AspectRatioCenteredMax': [0, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'Stretched': [0, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'Identity': [0, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'Custom': [0, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long'}]], }], '__unnamed_1811': [0xc, { 'Start': [0, ['unsigned long']], 'Length': [4, ['unsigned long']], 'Reserved': [8, ['unsigned long']], }], '__unnamed_1956': [0x8, { 'MinimumChannel': [0, ['unsigned long']], 'MaximumChannel': [4, ['unsigned long']], }], '__unnamed_1954': [0x18, { 'AffinityPolicy': [8, ['unsigned short']], 'Group': [10, ['unsigned short']], 'PriorityPolicy': [12, ['Enumeration', {'target': 'long', 'choices': {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'}}]], 'MinimumVector': [0, ['unsigned long']], 'MaximumVector': [4, ['unsigned long']], 'TargetedProcessors': [16, ['unsigned long long']], }], 'tagMSG': [0x30, { 'wParam': [16, ['unsigned long long']], 'lParam': [24, ['long long']], 'pt': [36, ['tagPOINT']], 'hwnd': [0, ['pointer64', ['HWND__']]], 'time': [32, ['unsigned long']], 'message': [8, ['unsigned long']], }], '__unnamed_1819': [0xc, { 'Start': [0, ['_LARGE_INTEGER']], 'Length64': [8, ['unsigned long']], }], '_DMM_VIDPNSET_SERIALIZATION': [0x8, { 'VidPnOffset': [4, ['array', 1, ['unsigned long']]], 'NumVidPns': [0, ['unsigned char']], }], 'tagWOWPROCESSINFO': [0x48, { 'ptdbHead': [16, ['pointer64', ['tagTDB']]], 'lpfnWowExitTask': [24, ['pointer64', ['void']]], 'CSOwningThread': [56, ['pointer64', ['tagTHREADINFO']]], 
'ptiScheduled': [8, ['pointer64', ['tagTHREADINFO']]], 'nSendLock': [48, ['unsigned long']], 'nRecvLock': [52, ['unsigned long']], 'CSLockCount': [64, ['long']], 'hEventWowExecClient': [40, ['pointer64', ['void']]], 'pwpiNext': [0, ['pointer64', ['tagWOWPROCESSINFO']]], 'pEventWowExec': [32, ['pointer64', ['_KEVENT']]], }], 'tagMENU': [0x98, { 'iItem': [44, ['long']], 'head': [0, ['_PROCDESKHEAD']], 'umpm': [132, ['tagUAHMENUPOPUPMETRICS']], 'cItems': [52, ['unsigned long']], 'pParentMenus': [88, ['pointer64', ['tagMENULIST']]], 'fFlags': [40, ['unsigned long']], 'cxMenu': [56, ['unsigned long']], 'dwContextHelpId': [96, ['unsigned long']], 'hbrBack': [112, ['pointer64', ['HBRUSH__']]], 'cxTextAlign': [64, ['unsigned long']], 'cAlloced': [48, ['unsigned long']], 'spwndNotify': [72, ['pointer64', ['tagWND']]], 'dwArrowsOn': [128, ['BitField', {'end_bit': 2, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'iMaxTop': [124, ['long']], 'dwMenuData': [104, ['unsigned long long']], 'cyMenu': [60, ['unsigned long']], 'rgItems': [80, ['pointer64', ['tagITEM']]], 'iTop': [120, ['long']], 'cyMax': [100, ['unsigned long']], }], '_D3DDDI_GAMMA_RAMP_DXGI_1': [0x3024, { 'GammaCurve': [24, ['array', 1025, ['D3DDDI_DXGI_RGB']]], 'Scale': [0, ['D3DDDI_DXGI_RGB']], 'Offset': [12, ['D3DDDI_DXGI_RGB']], }], 'tagPOPUPMENU': [0x58, { 'fUseMonitorRect': [0, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'unsigned long'}]], 'fDroppedLeft': [0, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long'}]], 'fHierarchyDropped': [0, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'unsigned long'}]], 'posDropped': [84, ['unsigned long']], 'spwndNextPopup': [24, ['pointer64', ['tagWND']]], 'fIsMenuBar': [0, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'spwndPrevPopup': [32, ['pointer64', ['tagWND']]], 'fHasMenuBar': [0, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'spwndActivePopup': 
[56, ['pointer64', ['tagWND']]], 'fTrackMouseEvent': [0, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'unsigned long'}]], 'fNoNotify': [0, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'unsigned long'}]], 'posSelectedItem': [80, ['unsigned long']], 'fIsSysMenu': [0, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'fFlushDelayedFree': [0, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'unsigned long'}]], 'ppmDelayedFree': [72, ['pointer64', ['tagPOPUPMENU']]], 'fFreed': [0, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'unsigned long'}]], 'fSynchronous': [0, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'unsigned long'}]], 'fDropNextPopup': [0, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'unsigned long'}]], 'fRightButton': [0, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'unsigned long'}]], 'spmenuAlternate': [48, ['pointer64', ['tagMENU']]], 'spmenu': [40, ['pointer64', ['tagMENU']]], 'spwndPopupMenu': [16, ['pointer64', ['tagWND']]], 'fDestroyed': [0, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'unsigned long'}]], 'iDropDir': [0, ['BitField', {'end_bit': 28, 'start_bit': 23, 'native_type': 'unsigned long'}]], 'ppopupmenuRoot': [64, ['pointer64', ['tagPOPUPMENU']]], 'fFirstClick': [0, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'unsigned long'}]], 'spwndNotify': [8, ['pointer64', ['tagWND']]], 'fRtoL': [0, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'unsigned long'}]], 'fIsTrackPopup': [0, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'fSendUninit': [0, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'unsigned long'}]], 'fShowTimer': [0, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'unsigned long'}]], 'fInCancel': [0, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'unsigned long'}]], 'fToggle': [0, 
['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'unsigned long'}]], 'fDelayedFree': [0, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'unsigned long'}]], 'fHideTimer': [0, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'unsigned long'}]], 'fAboutToHide': [0, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'unsigned long'}]], }], '_DMM_MONITORDESCRIPTOR_SERIALIZATION': [0x8c, { 'Origin': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'Data': [12, ['array', 128, ['unsigned char']]], 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MDT_UNINITIALIZED', 1: 'D3DKMDT_MDT_VESA_EDID_V1_BASEBLOCK', 2: 'D3DKMDT_MDT_VESA_EDID_V1_BLOCKMAP', 255: 'D3DKMDT_MDT_OTHER'}}]], 'Id': [0, ['unsigned long']], }], 'HTOUCHINPUT__': [0x4, { 'unused': [0, ['long']], }], '_VK_VALUES_STRINGS': [0x10, { 'fReserved': [8, ['unsigned char']], 'pszMultiNames': [0, ['pointer64', ['unsigned char']]], }], '_DMM_MONITOR_SOURCE_MODE_SERIALIZATION': [0x68, { 'Info': [0, ['_D3DKMDT_MONITOR_SOURCE_MODE']], 'TimingType': [96, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MTT_UNINITIALIZED', 1: 'D3DKMDT_MTT_ESTABLISHED', 2: 'D3DKMDT_MTT_STANDARD', 3: 'D3DKMDT_MTT_EXTRASTANDARD', 4: 'D3DKMDT_MTT_DETAILED', 5: 'D3DKMDT_MTT_DEFAULTMONITORPROFILE', 6: 'D3DKMDT_MTT_MAXVALID'}}]], }], 'tagSBCALC': [0x40, { 'posMax': [4, ['long']], 'pxThumbTop': [52, ['long']], 'pxThumbBottom': [48, ['long']], 'cpxThumb': [32, ['long']], 'pxMin': [60, ['long']], 'pxStart': [44, ['long']], 'pxDownArrow': [40, ['long']], 'pos': [12, ['long']], 'cpx': [56, ['long']], 'pxBottom': [20, ['long']], 'pxTop': [16, ['long']], 'pxLeft': [24, ['long']], 'pxRight': [28, ['long']], 'pxUpArrow': [36, ['long']], 'posMin': 
[0, ['long']], 'page': [8, ['long']], }], 'HIMC__': [0x4, { 'unused': [0, ['long']], }], 'tagSBINFO': [0x24, { 'WSBflags': [0, ['long']], 'Horz': [4, ['tagSBDATA']], 'Vert': [20, ['tagSBDATA']], }], '__unnamed_1211': [0x10, { 'Length': [0, ['unsigned long']], 'FileInformationClass': [8, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 
'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], }], '__unnamed_1213': [0x20, { 'FileInformationClass': [8, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 
52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], 'AdvanceOnly': [25, ['unsigned char']], 'ClusterCount': [24, ['unsigned long']], 'Length': [0, ['unsigned long']], 'DeleteHandle': [24, ['pointer64', ['void']]], 'ReplaceIfExists': [24, ['unsigned char']], 'FileObject': [16, ['pointer64', ['_FILE_OBJECT']]], }], '__unnamed_1219': [0x20, { 'Type3InputBuffer': [24, ['pointer64', ['void']]], 'OutputBufferLength': [0, ['unsigned long']], 'FsControlCode': [16, ['unsigned long']], 'InputBufferLength': [8, ['unsigned long']], }], '__unnamed_1950': [0x18, { 'Length': [0, ['unsigned long']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'Alignment': [4, ['unsigned long']], }], 'tagITEM': [0x90, { 'ulX': [84, ['unsigned long']], 'wID': [8, ['unsigned long']], 'dwItemData': [56, ['unsigned long long']], 'cyItem': [76, ['unsigned long']], 'hbmpChecked': [24, ['pointer64', ['void']]], 'xItem': [64, ['unsigned long']], 'spSubMenu': [16, ['pointer64', ['tagMENU']]], 'hbmpUnchecked': [32, ['pointer64', ['void']]], 'fState': [4, ['unsigned long']], 'dxTab': [80, ['unsigned long']], 'hbmp': [96, ['pointer64', ['HBITMAP__']]], 'yItem': [68, ['unsigned long']], 'fType': [0, ['unsigned long']], 'umim': [112, ['tagUAHMENUITEMMETRICS']], 'cch': [48, ['unsigned long']], 'ulWidth': [88, ['unsigned long']], 'cyBmp': [108, ['long']], 'cxBmp': [104, ['long']], 'lpstr': [40, ['pointer64', ['unsigned short']]], 'cxItem': [72, ['unsigned long']], }], '_VSC_VK': [0x4, { 'Vsc': [0, ['unsigned char']], 'Vk': [2, ['unsigned short']], }], '__unnamed_123f': [0x1, { 'Lock': [0, ['unsigned char']], }], '_DMM_MONITOR_SERIALIZATION': [0x28, { 'FrequencyRangeSetOffset': [28, ['unsigned long']], 'ModePruningAlgorithm': [16, ['Enumeration', {'target': 'long', 'choices': {0: 'DMM_MPA_UNINITIALIZED', 1: 'DMM_MPA_GDI', 2: 'DMM_MPA_VISTA', 3: 
'DMM_MPA_MAXVALID'}}]], 'VideoPresentTargetId': [4, ['unsigned long']], 'IsSimulatedMonitor': [12, ['unsigned char']], 'SourceModeSetOffset': [24, ['unsigned long']], 'Orientation': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MO_UNINITIALIZED', 1: 'D3DKMDT_MO_0DEG', 2: 'D3DKMDT_MO_90DEG', 3: 'D3DKMDT_MO_180DEG', 4: 'D3DKMDT_MO_270DEG'}}]], 'DescriptorSetOffset': [32, ['unsigned long']], 'MonitorPowerState': [20, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'}}]], 'IsUsingDefaultProfile': [13, ['unsigned char']], 'MonitorType': [36, ['Enumeration', {'target': 'long', 'choices': {0: 'DMM_VMT_UNINITIALIZED', 1: 'DMM_VMT_PHYSICAL_MONITOR', 2: 'DMM_VMT_BOOT_PERSISTENT_MONITOR', 3: 'DMM_VMT_PERSISTENT_MONITOR', 4: 'DMM_VMT_TEMPORARY_MONITOR', 5: 'DMM_VMT_SIMULATED_MONITOR'}}]], 'Size': [0, ['unsigned long']], }], '_VK_TO_WCHARS1': [0x4, { 'Attributes': [1, ['unsigned char']], 'VirtualKey': [0, ['unsigned char']], 'wch': [2, ['array', 1, ['wchar']]], }], '__unnamed_121b': [0x18, { 'Length': [0, ['pointer64', ['_LARGE_INTEGER']]], 'ByteOffset': [16, ['_LARGE_INTEGER']], 'Key': [8, ['unsigned long']], }], '__unnamed_121d': [0x20, { 'Type3InputBuffer': [24, ['pointer64', ['void']]], 'OutputBufferLength': [0, ['unsigned long']], 'IoControlCode': [16, ['unsigned long']], 'InputBufferLength': [8, ['unsigned long']], }], '__unnamed_121f': [0x10, { 'Length': [8, ['unsigned long']], 'SecurityInformation': [0, ['unsigned long']], }], '_DMM_MONITORFREQUENCYRANGESET_SERIALIZATION': [0x38, { 'NumFrequencyRanges': [0, ['unsigned char']], 'FrequencyRangeSerialization': [8, ['array', 1, ['_D3DKMDT_MONITOR_FREQUENCY_RANGE']]], }], '_D3DKMDT_GAMMA_RAMP': [0x18, { 'Data': [16, ['__unnamed_182e']], 'DataSize': [8, ['unsigned long long']], 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDI_GAMMARAMP_UNINITIALIZED', 1: 
'D3DDDI_GAMMARAMP_DEFAULT', 2: 'D3DDDI_GAMMARAMP_RGB256x3x16', 3: 'D3DDDI_GAMMARAMP_DXGI_1'}}]], }], '_W32PROCESS': [0x100, { 'GDIPushLock': [80, ['_EX_PUSH_LOCK']], 'DxProcess': [248, ['pointer64', ['void']]], 'pBrushAttrList': [48, ['pointer64', ['void']]], 'Process': [0, ['pointer64', ['_EPROCESS']]], 'NextStart': [32, ['pointer64', ['_W32PROCESS']]], 'GDIW32PIDLockedBitmaps': [224, ['_LIST_ENTRY']], 'RefCount': [8, ['unsigned long']], 'StartCursorHideTime': [24, ['unsigned long']], 'GDIBrushAttrFreeList': [208, ['_LIST_ENTRY']], 'InputIdleEvent': [16, ['pointer64', ['_KEVENT']]], 'W32PF_Flags': [12, ['unsigned long']], 'GDIHandleCount': [60, ['long']], 'hSecureGdiSharedHandleTable': [240, ['pointer64', ['void']]], 'UserHandleCountPeak': [72, ['unsigned long']], 'W32Pid': [56, ['unsigned long']], 'UserHandleCount': [68, ['long']], 'pDCAttrList': [40, ['pointer64', ['void']]], 'GDIEngUserMemAllocTable': [88, ['_RTL_AVL_TABLE']], 'GDIHandleCountPeak': [64, ['unsigned long']], 'GDIDcAttrFreeList': [192, ['_LIST_ENTRY']], }], 'tagSERVERINFO': [0x1220, { 'uiShellMsg': [912, ['unsigned long']], 'atomSysClass': [852, ['array', 25, ['unsigned short']]], 'dtScroll': [2800, ['unsigned long']], 'dwKeyCache': [2952, ['unsigned long']], 'atomIconSmProp': [1356, ['unsigned short']], 'argbSystemUnmatched': [2268, ['array', 31, ['unsigned long']]], 'atomContextHelpIdProp': [1360, ['unsigned short']], 'cySysFontChar': [2832, ['long']], 'mpFnid_serverCBWndProc': [328, ['array', 31, ['unsigned short']]], 'PUSIFlags': [4476, ['unsigned long']], 'dtLBSearch': [2804, ['unsigned long']], 'tmSysFont': [2836, ['tagTEXTMETRICW']], 'ahbrSystem': [2520, ['array', 31, ['pointer64', ['HBRUSH__']]]], 'dwDefaultHeapSize': [908, ['unsigned long']], 'dwSRVIFlags': [0, ['unsigned long']], 'BitsPixel': [4473, ['unsigned char']], 'wMaxLeftOverlapChars': [2820, ['long']], 'dwLastSystemRITEventTickCountUpdate': [4488, ['unsigned long']], 'dpiSystem': [2896, ['tagDPISERVERINFO']], 'hIcoWindows': 
[2944, ['pointer64', ['HICON__']]], 'dwAsyncKeyCache': [2956, ['unsigned long']], 'dwTagCount': [4632, ['unsigned long']], 'adwDBGTAGFlags': [4492, ['array', 35, ['unsigned long']]], 'aiSysMet': [1880, ['array', 97, ['long']]], 'acAnsiToOem': [1620, ['array', 256, ['unsigned char']]], 'aStoCidPfn': [272, ['array', 7, ['pointer64', ['void']]]], 'dwLastRITEventTickCount': [2792, ['unsigned long']], 'cbHandleTable': [848, ['unsigned long']], 'atomFrostedWindowProp': [1362, ['unsigned short']], 'ucWheelScrollLines': [2812, ['unsigned long']], 'ptCursorReal': [2784, ['tagPOINT']], 'ucWheelScrollChars': [2816, ['unsigned long']], 'acOemToAnsi': [1364, ['array', 256, ['unsigned char']]], 'hbrGray': [2768, ['pointer64', ['HBRUSH__']]], 'BitCount': [4468, ['unsigned short']], 'argbSystem': [2392, ['array', 31, ['unsigned long']]], 'dtCaretBlink': [2808, ['unsigned long']], 'dwInstalledEventHooks': [1876, ['unsigned long']], 'cxSysFontChar': [2828, ['long']], 'wMaxRightOverlapChars': [2824, ['long']], 'oembmi': [2964, ['array', 93, ['tagOEMBITMAPINFO']]], 'apfnClientWorker': [760, ['_PFNCLIENTWORKER']], 'dwDefaultHeapBase': [904, ['unsigned long']], 'apfnClientA': [392, ['_PFNCLIENT']], 'dmLogPixels': [4470, ['unsigned short']], 'nEvents': [2796, ['long']], 'atomIconProp': [1358, ['unsigned short']], 'Planes': [4472, ['unsigned char']], 'apfnClientW': [576, ['_PFNCLIENT']], 'MBStrings': [916, ['array', 11, ['tagMBSTRING']]], 'UILangID': [4484, ['unsigned short']], 'dwRIPFlags': [4636, ['unsigned long']], 'uCaretWidth': [4480, ['unsigned long']], 'cCaptures': [2960, ['unsigned long']], 'cHandleEntries': [8, ['unsigned long long']], 'ptCursor': [2776, ['tagPOINT']], 'hIconSmWindows': [2936, ['pointer64', ['HICON__']]], 'mpFnidPfn': [16, ['array', 32, ['pointer64', ['void']]]], 'rcScreenReal': [4452, ['tagRECT']], }], '_D3DKMDT_VIDEO_SIGNAL_INFO': [0x38, { 'VSyncFreq': [20, ['_D3DDDI_RATIONAL']], 'ActiveSize': [12, ['_D3DKMDT_2DREGION']], 'PixelRate': [40, ['unsigned long 
long']], 'TotalSize': [4, ['_D3DKMDT_2DREGION']], 'VideoStandard': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VSS_UNINITIALIZED', 1: 'D3DKMDT_VSS_VESA_DMT', 2: 'D3DKMDT_VSS_VESA_GTF', 3: 'D3DKMDT_VSS_VESA_CVT', 4: 'D3DKMDT_VSS_IBM', 5: 'D3DKMDT_VSS_APPLE', 6: 'D3DKMDT_VSS_NTSC_M', 7: 'D3DKMDT_VSS_NTSC_J', 8: 'D3DKMDT_VSS_NTSC_443', 9: 'D3DKMDT_VSS_PAL_B', 10: 'D3DKMDT_VSS_PAL_B1', 11: 'D3DKMDT_VSS_PAL_G', 12: 'D3DKMDT_VSS_PAL_H', 13: 'D3DKMDT_VSS_PAL_I', 14: 'D3DKMDT_VSS_PAL_D', 15: 'D3DKMDT_VSS_PAL_N', 16: 'D3DKMDT_VSS_PAL_NC', 17: 'D3DKMDT_VSS_SECAM_B', 18: 'D3DKMDT_VSS_SECAM_D', 19: 'D3DKMDT_VSS_SECAM_G', 20: 'D3DKMDT_VSS_SECAM_H', 21: 'D3DKMDT_VSS_SECAM_K', 22: 'D3DKMDT_VSS_SECAM_K1', 23: 'D3DKMDT_VSS_SECAM_L', 24: 'D3DKMDT_VSS_SECAM_L1', 25: 'D3DKMDT_VSS_EIA_861', 26: 'D3DKMDT_VSS_EIA_861A', 27: 'D3DKMDT_VSS_EIA_861B', 28: 'D3DKMDT_VSS_PAL_K', 29: 'D3DKMDT_VSS_PAL_K1', 30: 'D3DKMDT_VSS_PAL_L', 31: 'D3DKMDT_VSS_PAL_M', 255: 'D3DKMDT_VSS_OTHER'}}]], 'ScanLineOrdering': [48, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDI_VSSLO_UNINITIALIZED', 1: 'D3DDDI_VSSLO_PROGRESSIVE', 2: 'D3DDDI_VSSLO_INTERLACED_UPPERFIELDFIRST', 3: 'D3DDDI_VSSLO_INTERLACED_LOWERFIELDFIRST', 255: 'D3DDDI_VSSLO_OTHER'}}]], 'HSyncFreq': [28, ['_D3DDDI_RATIONAL']], }], '__unnamed_11df': [0x8, { 'IrpCount': [0, ['long']], 'SystemBuffer': [0, ['pointer64', ['void']]], 'MasterIrp': [0, ['pointer64', ['_IRP']]], }], 'D3DDDI_DXGI_RGB': [0xc, { 'Blue': [8, ['float']], 'Green': [4, ['float']], 'Red': [0, ['float']], }], '_MAGNIFICATION_INPUT_TRANSFORM': [0x30, { 'rcScreen': [16, ['tagRECT']], 'magFactorX': [40, ['long']], 'magFactorY': [44, ['long']], 'ptiMagThreadInfo': [32, ['pointer64', ['tagTHREADINFO']]], 'rcSource': [0, ['tagRECT']], }], '_D3DKMDT_MONITOR_FREQUENCY_RANGE': [0x30, { 'Origin': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 
'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'ConstraintType': [36, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MFRC_UNINITIALIZED', 1: 'D3DKMDT_MFRC_ACTIVESIZE', 2: 'D3DKMDT_MFRC_MAXPIXELRATE'}}]], 'RangeLimits': [4, ['_D3DKMDT_FREQUENCY_RANGE']], 'Constraint': [40, ['__unnamed_16c1']], }], '_PFNCLIENTWORKER': [0x58, { 'pfnComboBoxWndProc': [8, ['pointer64', ['void']]], 'pfnMDIClientWndProc': [48, ['pointer64', ['void']]], 'pfnDialogWndProc': [24, ['pointer64', ['void']]], 'pfnStaticWndProc': [56, ['pointer64', ['void']]], 'pfnCtfHookProc': [80, ['pointer64', ['void']]], 'pfnButtonWndProc': [0, ['pointer64', ['void']]], 'pfnImeWndProc': [64, ['pointer64', ['void']]], 'pfnEditWndProc': [32, ['pointer64', ['void']]], 'pfnListBoxWndProc': [40, ['pointer64', ['void']]], 'pfnGhostWndProc': [72, ['pointer64', ['void']]], 'pfnComboListBoxProc': [16, ['pointer64', ['void']]], }], '_DMA_OPERATIONS': [0x80, { 'PutDmaAdapter': [8, ['pointer64', ['void']]], 'FreeMapRegisters': [56, ['pointer64', ['void']]], 'MapTransfer': [64, ['pointer64', ['void']]], 'FreeCommonBuffer': [24, ['pointer64', ['void']]], 'ReadDmaCounter': [80, ['pointer64', ['void']]], 'AllocateCommonBuffer': [16, ['pointer64', ['void']]], 'PutScatterGatherList': [96, ['pointer64', ['void']]], 'CalculateScatterGatherList': [104, ['pointer64', ['void']]], 'BuildMdlFromScatterGatherList': [120, ['pointer64', ['void']]], 'GetScatterGatherList': [88, ['pointer64', ['void']]], 'AllocateAdapterChannel': [32, ['pointer64', ['void']]], 'FreeAdapterChannel': [48, ['pointer64', ['void']]], 'GetDmaAlignment': [72, ['pointer64', ['void']]], 'FlushAdapterBuffers': [40, ['pointer64', ['void']]], 'BuildScatterGatherList': [112, ['pointer64', ['void']]], 'Size': [0, ['unsigned long']], }], '_DXGK_DIAG_HEADER': [0x30, { 'Index': [40, ['unsigned long']], 'ProcessName': [16, ['array', 16, ['unsigned char']]], 'LogTimestamp': [8, 
['unsigned long long']], 'ThreadId': [32, ['unsigned long long']], 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'DXGK_DIAG_TYPE_NONE', 1: 'DXGK_DIAG_TYPE_SDC', 2: 'DXGK_DIAG_TYPE_HPD', 3: 'DXGK_DIAG_TYPE_DC_ORIGIN', 4: 'DXGK_DIAG_TYPE_USER_CDS', 5: 'DXGK_DIAG_TYPE_DRV_CDS', 6: 'DXGK_DIAG_TYPE_CODE_POINT', 7: 'DXGK_DIAG_TYPE_QDC', 8: 'DXGK_DIAG_TYPE_MONITOR_MGR', 9: 'DXGK_DIAG_TYPE_CONNECTEDSET_NOT_FOUND', 10: 'DXGK_DIAG_TYPE_DISPDIAG_COLLECTED', 11: 'DXGK_DIAG_TYPE_BML_PACKET', 12: 'DXGK_DIAG_TYPE_BML_PACKET_EX', 13: 'DXGK_DIAG_TYPE_COMMIT_VIDPN_FAILED', 14: 'DXGK_DIAG_TYPE_MAX', -1: 'DXGK_DIAG_TYPE_FORCE_UINT32'}}]], 'WdLogIdx': [44, ['unsigned long']], 'Size': [4, ['unsigned long']], }], '__unnamed_1225': [0x10, { 'DeviceObject': [8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb': [0, ['pointer64', ['_VPB']]], }], '_SM_VALUES_STRINGS': [0x18, { 'StorageType': [16, ['Enumeration', {'target': 'long', 'choices': {0: 'SmStorageActual', 1: 'SmStorageNonActual'}}]], 'pszName': [0, ['pointer64', ['unsigned char']]], 'ulValue': [8, ['unsigned long']], 'RangeType': [12, ['Enumeration', {'target': 'long', 'choices': {0: 'SmRangeSharedInfo', 1: 'SmRangeNonSharedInfo', 2: 'SmRangeBool'}}]], }], 'tagTERMINAL': [0x40, { 'spwndDesktopOwner': [8, ['pointer64', ['tagWND']]], 'dwTERMF_Flags': [0, ['unsigned long']], 'dwNestedLevel': [32, ['unsigned long']], 'pqDesktop': [24, ['pointer64', ['tagQ']]], 'pEventInputReady': [56, ['pointer64', ['_KEVENT']]], 'rpdeskDestroy': [48, ['pointer64', ['tagDESKTOP']]], 'ptiDesktop': [16, ['pointer64', ['tagTHREADINFO']]], 'pEventTermInit': [40, ['pointer64', ['_KEVENT']]], }], '_SCATTER_GATHER_LIST': [0x10, { 'Elements': [16, ['array', 0, ['_SCATTER_GATHER_ELEMENT']]], 'Reserved': [8, ['unsigned long long']], 'NumberOfElements': [0, ['unsigned long']], }], 'tagMENULIST': [0x10, { 'pMenu': [8, ['pointer64', ['tagMENU']]], 'pNext': [0, ['pointer64', ['tagMENULIST']]], }], 'tagPOINT': [0x8, { 'y': [4, ['long']], 'x': [0, ['long']], 
}], 'tagSHAREDINFO': [0x238, { 'psi': [0, ['pointer64', ['tagSERVERINFO']]], 'DefWindowSpecMsgs': [552, ['_WNDMSG']], 'awmControl': [40, ['array', 31, ['_WNDMSG']]], 'ulSharedDelta': [32, ['unsigned long long']], 'pDispInfo': [24, ['pointer64', ['tagDISPLAYINFO']]], 'aheList': [8, ['pointer64', ['_HANDLEENTRY']]], 'DefWindowMsgs': [536, ['_WNDMSG']], 'HeEntrySize': [16, ['unsigned long']], }], 'tagIMC': [0x40, { 'dwClientImcData': [48, ['unsigned long long']], 'head': [0, ['_THRDESKHEAD']], 'hImeWnd': [56, ['pointer64', ['HWND__']]], 'pImcNext': [40, ['pointer64', ['tagIMC']]], }], 'tagKL': [0x78, { 'uNumTbl': [88, ['unsigned long']], 'pklPrev': [24, ['pointer64', ['tagKL']]], 'head': [0, ['_HEAD']], 'pklNext': [16, ['pointer64', ['tagKL']]], 'spkfPrimary': [56, ['pointer64', ['tagKBDFILE']]], 'dwFontSigs': [64, ['unsigned long']], 'dwLastKbdType': [104, ['unsigned long']], 'CodePage': [72, ['unsigned short']], 'dwKL_Flags': [32, ['unsigned long']], 'iBaseCharset': [68, ['unsigned long']], 'dwKLID': [112, ['unsigned long']], 'spkf': [48, ['pointer64', ['tagKBDFILE']]], 'piiex': [80, ['pointer64', ['tagIMEINFOEX']]], 'hkl': [40, ['pointer64', ['HKL__']]], 'pspkfExtra': [96, ['pointer64', ['pointer64', ['tagKBDFILE']]]], 'wchDiacritic': [74, ['wchar']], 'dwLastKbdSubType': [108, ['unsigned long']], }], '__unnamed_182e': [0x8, { 'pRgb256x3x16': [0, ['pointer64', ['_D3DDDI_GAMMA_RAMP_RGB256x3x16']]], 'pRaw': [0, ['pointer64', ['void']]], 'pDxgi1': [0, ['pointer64', ['_D3DDDI_GAMMA_RAMP_DXGI_1']]], }], 'tagCARET': [0x48, { 'iHideLevel': [12, ['long']], 'yOwnDc': [56, ['long']], 'y': [20, ['long']], 'cy': [24, ['long']], 'cx': [28, ['long']], 'hBitmap': [32, ['pointer64', ['HBITMAP__']]], 'cyOwnDc': [64, ['long']], 'fOn': [8, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'hTimer': [40, ['unsigned long long']], 'xOwnDc': [52, ['long']], 'fVisible': [8, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 
'cxOwnDc': [60, ['long']], 'tid': [48, ['unsigned long']], 'x': [16, ['long']], 'spwnd': [0, ['pointer64', ['tagWND']]], }], }

volatility-2.3.1/volatility/plugins/gui/vtypes/xp.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj
import volatility.plugins.gui.constants as consts

class XP2003x86BaseVTypes(obj.ProfileModification):
    """Applies to everything x86 before Windows 7"""

    def check(self, profile):
        m = profile.metadata
        version = (m.get('major', 0), m.get('minor', 0))
        return (m.get('os', None) == 'windows' and
                version < (6, 1) and
                m.get('memory_model', '32bit') == '32bit')

    def modification(self, profile):

        profile.vtypes.update({
            'tagWINDOWSTATION' : [ 0x5C, {
                'dwSessionId' : [ 0x0, ['unsigned long']],
                'rpwinstaNext' : [ 0x4, ['pointer', ['tagWINDOWSTATION']]],
                'rpdeskList' : [ 0x8, ['pointer', ['tagDESKTOP']]],
                'dwWSF_Flags' : [ 0x10, ['unsigned long']],
                'ptiDrawingClipboard' : [ 0x1C, ['pointer', ['tagTHREADINFO']]],
                'spwndClipOpen' : [ 0x20, ['pointer', ['tagWND']]],
                'spwndClipViewer' : [ 0x24, ['pointer', ['tagWND']]],
                'spwndClipOwner' : [ 0x28, ['pointer', ['tagWND']]],
                'pClipBase' : [ 0x2C, ['pointer', ['array', lambda x : x.cNumClipFormats, ['tagCLIP']]]],
                'cNumClipFormats' : [ 0x30, ['unsigned int']],
                'iClipSerialNumber' : [ 0x34, ['unsigned int']],
                'iClipSequenceNumber' : [ 0x38, ['unsigned int']],
                #'spwndClipboardListener' : [ 0x3C, ['pointer', ['tagWND']]],
                'pGlobalAtomTable' : [ 0x40, ['pointer', ['void']]],
            }],
            ## This is defined in Windows 7
            'tagCLIP' : [ 12, {
                'fmt' : [ 0, ['Enumeration', dict(target = 'unsigned long', choices = consts.CLIPBOARD_FORMAT_ENUM)]],
                'hData' : [ 4, ['unsigned int']],
                'fGlobalHandle' : [ 8, ['unsigned int']],
            }],
            'tagDESKTOP' : [ 0x84, {
                'dwSessionId' : [ 0x0, ['unsigned long']],
                'pDeskInfo' : [ 0x4, ['pointer', ['tagDESKTOPINFO']]],
                'rpdeskNext' : [ 0xc, ['pointer', ['tagDESKTOP']]],
                'rpwinstaParent' : [ 0x10, ['pointer', ['tagWINDOWSTATION']]],
                'hsectionDesktop' : [ 0x40, ['pointer', ['void']]],
                'pheapDesktop' : [ 0x44, ['pointer', ['tagWIN32HEAP']]],
                'PtiList' : [ 0x64, ['_LIST_ENTRY']],
            }],
            'tagTHREADINFO' : [ None, { # Same as Win32Thread
                'pEThread' : [ 0x00, ['pointer', ['_ETHREAD']]],
                'ppi' : [ 0x2C, ['pointer', ['tagPROCESSINFO']]],
                'pq' : [ 0x30, ['pointer', ['tagQ']]],
                'pDeskInfo' : [ 0x40, ['pointer', ['tagDESKTOPINFO']]],
                'PtiLink' : [ 0xAC, ['_LIST_ENTRY']],
                'fsHooks' : [ 0x98, ['unsigned long']],
                'aphkStart' : [ 0xF4, ['array', 16, ['pointer', ['tagHOOK']]]],
            }],
            'tagQ' : [ None, {
                'mlInput' : [ 0x00, ['tagMLIST']],
            }],
            'tagMLIST' : [ None, {
                'pqmsgRead' : [ 0x00, ['pointer', ['tagQMSG']]],
                'cMsgs' : [ 0x08, ['unsigned long']],
            }],
            'tagQMSG' : [ None, {
                'pqmsgNext' : [ 0x00, ['pointer', ['tagQMSG']]],
                'pqmsgPrev' : [ 0x04, ['pointer', ['tagQMSG']]],
                'msg' : [ 0x08, ['tagMSG']],
            }],
            'tagMSG' : [ None, {
                'hwnd' : [ 0x00, ['unsigned long']],
                'message' : [ 0x04, ['unsigned long']],
                'wParam' : [ 0x08, ['unsigned long']],
                'lParam' : [ 0x0C, ['unsigned long']],
                'time' : [ 0x10, ['unsigned long']],
                'pt' : [ 0x14, ['tagPOINT']],
            }],
            'tagPOINT' : [ None, {
                'x' : [ 0x00, ['long']],
                'y' : [ 0x04, ['long']],
            }],
            'tagHOOK' : [ None, {
                'head' : [ 0x0, ['_THRDESKHEAD']],
                'phkNext' : [ 0x14, ['pointer', ['tagHOOK']]],
                'iHook' : [ 0x18, ['long']],
                'offPfn' : [ 0x1c, ['unsigned long']],
                'flags': [ 0x20, ['Flags', {'bitmap': consts.HOOK_FLAGS}]],
                'ihmod' : [ 0x24, ['long']],
                'ptiHooked' : [ 0x28, ['pointer', ['tagTHREADINFO']]],
                'rpdesk' : [ 0x2c, ['pointer', ['tagDESKTOP']]],
            }],
            'tagDESKTOPINFO' : [ None, {
                'pvDesktopBase' : [ 0x0, ['pointer', ['void']]],
                'pvDesktopLimit' : [ 0x4, ['pointer', ['void']]],
                'spwnd' : [ 0x08, ['pointer', ['tagWND']]],
                'fsHooks' : [ 0x0c, ['unsigned long']],
                'aphkStart' : [ 0x10, ['array', 16, ['pointer', ['tagHOOK']]]],
            }],
            'tagSERVERINFO' : [ 0xffc, {
                'cHandleEntries' : [ 8, ['unsigned long']],
                'cbHandleTable' : [ 0x1bc, ['unsigned long']],
            }],
            'tagSHAREDINFO' : [ 0x11c, { # From Win7SP0x86
                'psi' : [ 0x0, ['pointer', ['tagSERVERINFO']]],
                'aheList' : [ 0x4, ['pointer', ['_HANDLEENTRY']]],
                'ulSharedDelta' : [ 0xC, ['unsigned long']],
            }],
            '_HANDLEENTRY' : [ 0xc, { # From Win7SP0x86
                'phead' : [ 0x0, ['pointer', ['_HEAD']]],
                'pOwner' : [ 0x4, ['pointer', ['void']]],
                'bType': [ 8, ['Enumeration', dict(target = 'unsigned char', choices = consts.HANDLE_TYPE_ENUM)]],
                'bFlags' : [ 0x9, ['unsigned char']],
                'wUniq' : [ 0xa, ['unsigned short']],
            }],
            '_HEAD' : [ 0x8, { # From Win7SP0x86
                'h' : [ 0x0, ['pointer', ['void']]],
                'cLockObj' : [ 0x4, ['unsigned long']],
            }],
            'tagPROCESSINFO' : [ None, {
                'Process' : [ 0x0, ['pointer', ['_EPROCESS']]],
            }],
            '_THRDESKHEAD' : [ 0x14, {
                'h' : [ 0x0, ['pointer', ['void']]],
                'cLockObj' : [ 0x4, ['unsigned long']],
                'pti' : [ 0x8, ['pointer', ['tagTHREADINFO']]],
                'rpdesk' : [ 0xc, ['pointer', ['tagDESKTOP']]],
                'pSelf' : [ 0x10, ['pointer', ['unsigned char']]],
            }],
            'tagCLS' : [ 0x5c, {
                'pclsNext' : [ 0x0, ['pointer', ['tagCLS']]],
                'atomClassName' : [ 0x4, ['unsigned short']],
                'atomNVClassName' : [ 0x6, ['unsigned short']],
            }],
            'tagRECT' : [ 0x10, {
                'left' : [ 0x0, ['long']],
                'top' : [ 0x4, ['long']],
                'right' : [ 0x8, ['long']],
                'bottom' : [ 0xc, ['long']],
            }],
            'tagWND' : [ 0x90, {
                'head' : [ 0x0, ['_THRDESKHEAD']],
                'ExStyle' : [ 0x1c, ['unsigned long']],
                'style' : [ 0x20, ['unsigned long']],
                'hModule' : [ 0x24, ['pointer', ['void']]],
                'spwndNext' : [ 0x2c, ['pointer', ['tagWND']]],
                'spwndPrev' : [ 0x30, ['pointer', ['tagWND']]],
                'spwndParent' : [ 0x34, ['pointer', ['tagWND']]],
                'spwndChild' : [ 0x38, ['pointer', ['tagWND']]],
                'spwndOwner' : [ 0x3c, ['pointer', ['tagWND']]],
                'rcWindow' : [ 0x40, ['tagRECT']],
                'rcClient' : [ 0x50, ['tagRECT']],
                'lpfnWndProc' : [ 0x60, ['pointer', ['void']]],
                'pcls' : [ 0x64, ['pointer', ['tagCLS']]],
                'strName' : [ 0x80, ['_LARGE_UNICODE_STRING']],
                'cbwndExtra' : [ 0x8C, ['long']],
                'dwUserData' : [ 0x98, ['unsigned long']],
            }],
            '_LARGE_UNICODE_STRING' : [ 0xc, {
                'Length' : [ 0x0, ['unsigned long']],
                'MaximumLength' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 31)]],
                'bAnsi' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32)]],
                'Buffer' : [ 0x8, ['pointer', ['unsigned short']]],
            }],
        })

class XP2003x64BaseVTypes(obj.ProfileModification):
    """Applies to Windows XP and 2003 x64"""

    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x: x < 6}

    def modification(self, profile):

        profile.vtypes.update({
            'tagWINDOWSTATION' : [ 0x90, { # !poolfind Wind is 100h
                'dwSessionId' : [ 0x0, ['unsigned long']],
                'rpwinstaNext' : [ 0x8, ['pointer64', ['tagWINDOWSTATION']]], # FreeWindowStation
                'rpdeskList' : [ 0x10, ['pointer64', ['tagDESKTOP']]],
                'dwWSF_Flags' : [ 0x20, ['unsigned long']], # FreeWindowStation
                'ptiDrawingClipboard' : [ 0x38, ['pointer64', ['tagTHREADINFO']]], # xxxDrawClipboard
                'spwndClipOpen' : [ 0x40, ['pointer64', ['tagWND']]],
                'spwndClipViewer' : [ 0x48, ['pointer64', ['tagWND']]],
                'spwndClipOwner' : [ 0x50, ['pointer64', ['tagWND']]],
                'pClipBase' : [ 0x58, ['pointer64', ['array', lambda x : x.cNumClipFormats, ['tagCLIP']]]], # InternalSetClipboardData
                'cNumClipFormats' : [ 0x60, ['unsigned int']], # InternalSetClipboardData
                'iClipSerialNumber' : [ 0x64, ['unsigned int']], # InternalSetClipboardData
                'iClipSequenceNumber' : [ 0x68, ['unsigned int']], # InternalSetClipboardData
                'pGlobalAtomTable' : [ 0x70, ['pointer64', ['void']]],
            }],
            # From Windows 7
            'tagCLIP' : [ 0x18, {
                'fmt' : [ 0x0, ['Enumeration', dict(target = 'unsigned long', choices = consts.CLIPBOARD_FORMAT_ENUM)]],
                'hData' : [ 0x8, ['pointer64', ['void']]],
                'fGlobalHandle' : [ 0x10, ['long']],
            }],
            'tagDESKTOP' : [ 0xd0, { # !poolfind Desk is 140h
                'dwSessionId' : [ 0x0, ['unsigned long']],
                'pDeskInfo' : [ 0x8, ['pointer64', ['tagDESKTOPINFO']]], # xxxCreateDesktop
                'rpdeskNext' : [ 0x18, ['pointer64', ['tagDESKTOP']]], # ParseDesktop
                'rpwinstaParent' : [ 0x20, ['pointer64', ['tagWINDOWSTATION']]],
                'hsectionDesktop' : [ 0x70, ['pointer64', ['void']]], # MapDesktop
                'pheapDesktop' : [ 0x78, ['pointer64', ['tagWIN32HEAP']]], # DesktopAlloc
                'PtiList' : [ 0xa0, ['_LIST_ENTRY']], # zzzJournalAttach
            }],
            'tagTHREADINFO' : [ None, {
                'pEThread' : [ 0x00, ['pointer', ['_ETHREAD']]],
                'ppi' : [ 0x68, ['pointer64', ['tagPROCESSINFO']]], # xxxSetThreadDesktop
                #'pq' : [ 0x30, ['pointer', ['tagQ']]],
                'pDeskInfo' : [ 0x90, ['pointer64', ['tagDESKTOPINFO']]], # xxxDesktopThread
                'PtiLink' : [ 0x160, ['_LIST_ENTRY']],
                'fsHooks' : [ 0x138, ['unsigned long']], # xxxSetThreadDesktop, CheckWHFBits
                'aphkStart' : [ 0x140, ['array', 16, ['pointer64', ['tagHOOK']]]],
            }],
            'tagDESKTOPINFO' : [ None, {
                'pvDesktopBase' : [ 0x0, ['pointer64', ['void']]],
                'pvDesktopLimit' : [ 0x8, ['pointer64', ['void']]],
                'spwnd' : [ 0x10, ['pointer64', ['tagWND']]],
                'fsHooks' : [ 0x18, ['unsigned long']], # CheckWHFBits
                'aphkStart' : [ 0x20, ['array', 16, ['pointer64', ['tagHOOK']]]],
            }],
            'tagWND' : [ None, {
                'head' : [ 0x0, ['_THRDESKHEAD']],
                'ExStyle' : [ 0x30, ['unsigned long']], # xxxCreateWindowEx
                'style' : [ 0x34, ['unsigned long']], # xxxCreateWindowEx
                'spwndNext' : [ 0x48, ['pointer64', ['tagWND']]],
                'spwndPrev' : [ 0x50, ['pointer64', ['tagWND']]],
                'spwndParent' : [ 0x58, ['pointer64', ['tagWND']]],
                'spwndChild' : [ 0x60, ['pointer64', ['tagWND']]],
                'spwndOwner' : [ 0x68, ['pointer64', ['tagWND']]],
                'rcWindow' : [ 0x70, ['tagRECT']],
                'rcClient' : [ 0x80, ['tagRECT']],
                'lpfnWndProc' : [ 0x90, ['pointer64', ['void']]],
                'pcls' : [ 0x98, ['pointer64', ['tagCLS']]], # HMChangeOwnerThread
                'strName' : [ 0xd0, ['_LARGE_UNICODE_STRING']],
            }],
            'tagRECT' : [ 0x10, {
                'left' : [ 0x0, ['long']],
                'top' : [ 0x4, ['long']],
                'right' : [ 0x8, ['long']],
                'bottom' : [ 0xc, ['long']],
            }],
            'tagCLS' : [ None, {
                'pclsNext' : [ 0x0, ['pointer64', ['tagCLS']]],
                'atomClassName' : [ 0x8, ['unsigned short']], # HMChangeOwnerThread
                'atomNVClassName' : [ 0xA, ['unsigned short']],
            }],
            # From Win7 x64
            '_LARGE_UNICODE_STRING' : [ 0x10, {
                'Length' : [ 0x0, ['unsigned long']],
                'MaximumLength' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 31, native_type = 'unsigned long')]],
                'bAnsi' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type = 'unsigned long')]],
                'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]],
            }],
            # From Win7 x64
            '_THRDESKHEAD' : [ 0x28, {
                'h' : [ 0x0, ['pointer64', ['void']]],
                'cLockObj' : [ 0x8, ['unsigned long']],
                'pti' : [ 0x10, ['pointer64', ['tagTHREADINFO']]],
                'rpdesk' : [ 0x18, ['pointer64', ['tagDESKTOP']]],
                'pSelf' : [ 0x20, ['pointer64', ['unsigned char']]],
            }],
            # From Win7 x64
            'tagSHAREDINFO' : [ None, {
                'psi' : [ 0x0, ['pointer64', ['tagSERVERINFO']]],
                'aheList' : [ 0x8, ['pointer64', ['_HANDLEENTRY']]],
                #'HeEntrySize' : [ 0x10, ['unsigned long']],
                #'pDispInfo' : [ 0x18, ['pointer64', ['tagDISPLAYINFO']]],
                'ulSharedDelta' : [ 0x18, ['unsigned long long']],
                #'awmControl' : [ 0x28, ['array', 31, ['_WNDMSG']]],
                #'DefWindowMsgs' : [ 0x218, ['_WNDMSG']],
                #'DefWindowSpecMsgs' : [ 0x228, ['_WNDMSG']],
            }],
            # From Win7 x64
            '_HANDLEENTRY' : [ 0x18, {
                'phead' : [ 0x0, ['pointer64', ['_HEAD']]],
                'pOwner' : [ 0x8, ['pointer64', ['void']]],
                'bType': [ 0x10, ['Enumeration', dict(target = 'unsigned char', choices = consts.HANDLE_TYPE_ENUM)]],
                'bFlags' : [ 0x11, ['unsigned char']],
                'wUniq' : [ 0x12, ['unsigned short']],
            }],
            # From Win7 x64
            '_HEAD' : [ 0x10, {
                'h' : [ 0x0, ['pointer64', ['void']]],
                'cLockObj' : [ 0x8, ['unsigned long']],
            }],
            'tagSERVERINFO' : [ None, {
                'cHandleEntries' : [ 8, ['unsigned long']],
                'cbHandleTable' : [ 0x330, ['unsigned long']], # HMInitHandleTable
            }],
            'tagPROCESSINFO' : [ None, {
                'Process' : [ 0x0, ['pointer', ['_EPROCESS']]],
            }],
            # From Win7 x64
            'tagHOOK' : [ 0x60, {
                'head' : [ 0x0, ['_THRDESKHEAD']],
                'phkNext' : [ 0x28, ['pointer64', ['tagHOOK']]],
                'iHook' : [ 0x30, ['long']],
                'offPfn' : [ 0x38, ['unsigned long long']],
                'flags': [ 0x40, ['Flags', {'bitmap': consts.HOOK_FLAGS}]],
                'ihmod' : [ 0x44, ['long']],
                'ptiHooked' : [ 0x48, ['pointer64', ['tagTHREADINFO']]],
                'rpdesk' : [ 0x50, ['pointer64', ['tagDESKTOP']]],
                'nTimeout' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 7, native_type = 'unsigned long')]],
                'fLastHookHung' : [ 0x58, ['BitField', dict(start_bit = 7, end_bit = 8, native_type = 'long')]],
            }],
        })
volatility-2.3.1/volatility/plugins/gui/vtypes/win7.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj
import volatility.plugins.gui.constants as consts
import volatility.plugins.gui.win32k_core as win32k_core
import volatility.plugins.gui.vtypes.win7_sp0_x64_vtypes_gui as win7_sp0_x64_vtypes_gui
import volatility.plugins.gui.vtypes.win7_sp0_x86_vtypes_gui as win7_sp0_x86_vtypes_gui
import volatility.plugins.gui.vtypes.win7_sp1_x64_vtypes_gui as win7_sp1_x64_vtypes_gui
import volatility.plugins.gui.vtypes.win7_sp1_x86_vtypes_gui as win7_sp1_x86_vtypes_gui

class Win7SP0x64GuiVTypes(obj.ProfileModification):
    """Apply the base vtypes for Windows 7 SP0 x64"""

    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1,
                  'build': lambda x : x == 7600}

    def modification(self, profile):
        profile.vtypes.update(win7_sp0_x64_vtypes_gui.win32k_types)

class Win7SP1x64GuiVTypes(obj.ProfileModification):
    """Apply the base vtypes for Windows 7 SP1 x64"""

    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1,
                  'build': lambda x : x == 7601}

    def modification(self, profile):
        profile.vtypes.update(win7_sp1_x64_vtypes_gui.win32k_types)

class Win7SP0x86GuiVTypes(obj.ProfileModification):
    """Apply the base vtypes for Windows 7 SP0 x86"""

    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1,
                  'build': lambda x : x == 7600}

    def modification(self, profile):
        profile.vtypes.update(win7_sp0_x86_vtypes_gui.win32k_types)

class Win7SP1x86GuiVTypes(obj.ProfileModification):
    """Apply the base vtypes for Windows 7 SP1 x86"""

    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1,
                  'build': lambda x : x == 7601}

    def modification(self, profile):
        profile.vtypes.update(win7_sp1_x86_vtypes_gui.win32k_types)

class Win7GuiOverlay(obj.ProfileModification):
    """Apply general overlays for Windows 7"""

    before = ['Win7SP0x64GuiVTypes', 'Win7SP1x64GuiVTypes',
              'Win7SP0x86GuiVTypes', 'Win7SP1x86GuiVTypes']

    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1}

    def modification(self, profile):
        profile.merge_overlay({
            'tagHOOK': [ None, {
                'flags': [ None, ['Flags', {'bitmap': consts.HOOK_FLAGS}]]
            }],
            '_HANDLEENTRY': [ None, {
                'bType': [ None, ['Enumeration', dict(target = 'unsigned char', choices = consts.HANDLE_TYPE_ENUM_SEVEN)]],
            }],
            'tagWINDOWSTATION' : [ None, {
                'pClipBase' : [ None, ['pointer', ['array', lambda x : x.cNumClipFormats, ['tagCLIP']]]],
            }],
            'tagCLIP': [ None, {
                'fmt' : [ None, ['Enumeration', dict(target = 'unsigned long', choices = consts.CLIPBOARD_FORMAT_ENUM)]],
            }]})

class Win7Vista2008x64Timers(obj.ProfileModification):
    """Apply the tagTIMER for Windows 7, Vista, and 2008 x64"""

    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x: x >= 6}

    def modification(self, profile):
        # http://doxygen.reactos.org/d5/dd0/timer_8h_source.html#l00019
        profile.vtypes.update({
            'tagTIMER' : [ None, {
                'head' : [ 0x00, ['_HEAD']],
                'ListEntry' : [ 0x18, ['_LIST_ENTRY']],
                'spwnd' : [ 0x28, ['pointer', ['tagWND']]],
                'pti' : [ 0x30, ['pointer', ['tagTHREADINFO']]],
                'nID' : [ 0x38, ['unsigned short']],
                'cmsCountdown' : [ 0x40, ['unsigned int']],
                'cmsRate' : [ 0x44, ['unsigned int']],
                'flags' : [ 0x48, ['Flags', {'bitmap': consts.TIMER_FLAGS}]],
                'pfn' : [ 0x50, ['pointer', ['void']]],
            }]})

class Win7Vista2008x86Timers(obj.ProfileModification):
    """Apply the tagTIMER for Windows 7, Vista, and 2008 x86"""

    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x >= 6}

    def modification(self, profile):
        profile.vtypes.update({
            'tagTIMER' : [ None, {
                'ListEntry' : [ 0xc, ['_LIST_ENTRY']],
                'pti' : [ 0x18, ['pointer', ['tagTHREADINFO']]],
                'spwnd' : [ 0x14, ['pointer', ['tagWND']]], #??
                'nID' : [ 0x1C, ['unsigned short']],
                'cmsCountdown' : [ 0x20, ['unsigned int']],
                'cmsRate' : [ 0x24, ['unsigned int']],
                'flags' : [ 0x28, ['Flags', {'bitmap': consts.TIMER_FLAGS}]],
                'pfn' : [ 0x2C, ['pointer', ['void']]],
            }]})

class _MM_SESSION_SPACE(win32k_core._MM_SESSION_SPACE): #pylint: disable-msg=W0212
    """A class for session spaces on Windows 7"""

    def find_shared_info(self):
        """The way we find win32k!gSharedInfo on Windows 7
        is different than before. For each DWORD in the
        win32k.sys module's .data section (DWORD-aligned)
        we check if it's the HeEntrySize member of a possible
        tagSHAREDINFO structure. This should equal the size
        of a _HANDLEENTRY.

        The HeEntrySize member didn't exist before Windows 7
        thus the need for separate methods."""

        handle_table_size = self.obj_vm.profile.\
                            get_obj_size("_HANDLEENTRY")

        handle_entry_offset = self.obj_vm.profile.\
                            get_obj_offset("tagSHAREDINFO", "HeEntrySize")

        for chunk in self._section_chunks(".data"):

            if chunk != handle_table_size:
                continue

            shared_info = obj.Object("tagSHAREDINFO",
                offset = chunk.obj_offset - handle_entry_offset,
                vm = self.obj_vm)

            if shared_info.is_valid():
                return shared_info

        return obj.NoneObject("Cannot find win32k!gSharedInfo")

class tagSHAREDINFO(win32k_core.tagSHAREDINFO):
    """A class for shared info blocks on Windows 7"""

    def is_valid(self):
        """Sanity checks for tagSHAREDINFO"""

        if not obj.CType.is_valid(self):
            return False

        if self.ulSharedDelta != 0:
            return False

        if not self.psi.is_valid():
            return False

        return self.psi.cbHandleTable / self.HeEntrySize == self.psi.cHandleEntries

class Win7Win32KCoreClasses(obj.ProfileModification):
    """Apply the core object classes for Windows 7"""

    before = ["WindowsObjectClasses", "Win32KCoreClasses"]

    conditions = {'os': lambda x: x == 'windows',
                  'major' : lambda x : x == 6,
                  'minor' : lambda x : x == 1}

    def modification(self, profile):
        profile.object_classes.update({
            '_MM_SESSION_SPACE': _MM_SESSION_SPACE,
            'tagSHAREDINFO': tagSHAREDINFO,
            })
volatility-2.3.1/volatility/plugins/gui/vtypes/__init__.py
volatility-2.3.1/volatility/plugins/gui/vtypes/win7_sp1_x64_vtypes_gui.py
win32k_types = { '_HANDLEENTRY': [0x18, { 'pOwner': [8, ['pointer64', ['void']]], 'phead': [0, ['pointer64', ['_HEAD']]], 'bFlags': [17, ['unsigned char']], 'wUniq': [18, ['unsigned short']], 'bType': [16, ['unsigned char']], }], 'tagTOUCHINPUTINFO': [0x50, { 'dwcInputs': [24, ['unsigned long']], 'head': [0, ['_THROBJHEAD']], 'uFlags': [28, ['unsigned long']], 'TouchInput': [32, ['array', 1,
['tagTOUCHINPUT']]], }], 'tagHOOK': [0x60, { 'head': [0, ['_THRDESKHEAD']], 'offPfn': [56, ['unsigned long long']], 'flags': [64, ['unsigned long']], 'fLastHookHung': [88, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'nTimeout': [88, ['BitField', {'end_bit': 7, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'ihmod': [68, ['long']], 'iHook': [48, ['long']], 'ptiHooked': [72, ['pointer64', ['tagTHREADINFO']]], 'phkNext': [40, ['pointer64', ['tagHOOK']]], 'rpdesk': [80, ['pointer64', ['tagDESKTOP']]], }], 'DEADKEY': [0x8, { 'wchComposed': [4, ['wchar']], 'dwBoth': [0, ['unsigned long']], 'uFlags': [6, ['unsigned short']], }], '_W32THREAD': [0x150, { 'pRBRecursionCount': [96, ['unsigned long']], 'iVisRgnUniqueness': [328, ['unsigned long']], 'RefCount': [8, ['unsigned long']], 'pDevHTInfo': [280, ['pointer64', ['void']]], 'pUMPDHeap': [48, ['pointer64', ['void']]], 'pgdiBrushAttr': [32, ['pointer64', ['void']]], 'ulWindowSystemRendering': [324, ['unsigned long']], 'tlSpriteState': [104, ['_TLSPRITESTATE']], 'pdcoRender': [304, ['pointer64', ['void']]], 'bEnableEngUpdateDeviceSurface': [320, ['unsigned char']], 'pdcoAA': [296, ['pointer64', ['void']]], 'pNonRBRecursionCount': [100, ['unsigned long']], 'ptlW32': [16, ['pointer64', ['_TL']]], 'GdiTmpTgoList': [80, ['_LIST_ENTRY']], 'pUMPDObjs': [40, ['pointer64', ['void']]], 'pgdiDcattr': [24, ['pointer64', ['void']]], 'bIncludeSprites': [321, ['unsigned char']], 'pEThread': [0, ['pointer64', ['_ETHREAD']]], 'pSpriteState': [272, ['pointer64', ['void']]], 'pProxyPort': [64, ['pointer64', ['void']]], 'ulDevHTInfoUniqueness': [288, ['unsigned long']], 'pdcoSrc': [312, ['pointer64', ['void']]], 'pUMPDObj': [56, ['pointer64', ['void']]], 'pClientID': [72, ['pointer64', ['void']]], }], 'tagPROPLIST': [0x18, { 'aprop': [8, ['array', 1, ['tagPROP']]], 'cEntries': [0, ['unsigned long']], 'iFirstFree': [4, ['unsigned long']], }], 'tagSVR_INSTANCE_INFO': [0x40, { 'head': [0, ['_THROBJHEAD']], 'next': 
[24, ['pointer64', ['tagSVR_INSTANCE_INFO']]], 'nextInThisThread': [32, ['pointer64', ['tagSVR_INSTANCE_INFO']]], 'spwndEvent': [48, ['pointer64', ['tagWND']]], 'afCmd': [40, ['unsigned long']], 'pcii': [56, ['pointer64', ['void']]], }], 'tagDESKTOPINFO': [0xf0, { 'spwndProgman': [192, ['pointer64', ['tagWND']]], 'pvwplMessagePPHandler': [224, ['pointer64', ['VWPL']]], 'pvDesktopLimit': [8, ['pointer64', ['void']]], 'fComposited': [232, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'spwndGestureEngine': [216, ['pointer64', ['tagWND']]], 'pvDesktopBase': [0, ['pointer64', ['void']]], 'spwndShell': [160, ['pointer64', ['tagWND']]], 'ppiShellProcess': [168, ['pointer64', ['tagPROCESSINFO']]], 'pvwplShellHook': [200, ['pointer64', ['VWPL']]], 'fIsDwmDesktop': [232, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'spwndTaskman': [184, ['pointer64', ['tagWND']]], 'aphkStart': [32, ['array', 16, ['pointer64', ['tagHOOK']]]], 'fsHooks': [24, ['unsigned long']], 'cntMBox': [208, ['long']], 'spwndBkGnd': [176, ['pointer64', ['tagWND']]], 'spwnd': [16, ['pointer64', ['tagWND']]], }], 'tagDISPLAYINFO': [0xa8, { 'hDev': [0, ['pointer64', ['void']]], 'SpatialListHead': [144, ['_KLIST_ENTRY']], 'BitCountMax': [130, ['unsigned short']], 'cyGray': [60, ['long']], 'hdcBits': [32, ['pointer64', ['HDC__']]], 'fDesktopIsRect': [132, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'hbmGray': [48, ['pointer64', ['HBITMAP__']]], 'pmdev': [8, ['pointer64', ['void']]], 'cFullScreen': [160, ['short']], 'cxGray': [56, ['long']], 'dmLogPixels': [128, ['unsigned short']], 'hDevInfo': [16, ['pointer64', ['void']]], 'fAnyPalette': [132, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'pspbFirst': [72, ['pointer64', ['tagSPB']]], 'pMonitorPrimary': [88, ['pointer64', ['tagMONITOR']]], 'Spare0': [162, ['short']], 'pMonitorFirst': [96, ['pointer64', ['tagMONITOR']]], 'hdcGray': [40, 
['pointer64', ['HDC__']]], 'hrgnScreenReal': [120, ['pointer64', ['HRGN__']]], 'cMonitors': [80, ['unsigned long']], 'hdcScreen': [24, ['pointer64', ['HDC__']]], 'DockThresholdMax': [136, ['unsigned long']], 'rcScreenReal': [104, ['tagRECT']], 'pdceFirst': [64, ['pointer64', ['tagDCE']]], }], '__unnamed_1261': [0x20, { 'Buffer': [24, ['pointer64', ['void']]], 'ProviderId': [0, ['unsigned long long']], 'BufferSize': [16, ['unsigned long']], 'DataPath': [8, ['pointer64', ['void']]], }], '__unnamed_1263': [0x20, { 'Argument4': [24, ['pointer64', ['void']]], 'Argument2': [8, ['pointer64', ['void']]], 'Argument3': [16, ['pointer64', ['void']]], 'Argument1': [0, ['pointer64', ['void']]], }], '__unnamed_1265': [0x20, { 'DeviceIoControl': [0, ['__unnamed_121d']], 'QuerySecurity': [0, ['__unnamed_121f']], 'ReadWriteConfig': [0, ['__unnamed_123d']], 'Create': [0, ['__unnamed_11ff']], 'SetSecurity': [0, ['__unnamed_1221']], 'Write': [0, ['__unnamed_1209']], 'VerifyVolume': [0, ['__unnamed_1225']], 'WMI': [0, ['__unnamed_1261']], 'CreateMailslot': [0, ['__unnamed_1207']], 'FilterResourceRequirements': [0, ['__unnamed_123b']], 'SetFile': [0, ['__unnamed_1213']], 'MountVolume': [0, ['__unnamed_1225']], 'FileSystemControl': [0, ['__unnamed_1219']], 'UsageNotification': [0, ['__unnamed_124b']], 'Scsi': [0, ['__unnamed_1229']], 'WaitWake': [0, ['__unnamed_124f']], 'QueryFile': [0, ['__unnamed_1211']], 'QueryDeviceText': [0, ['__unnamed_1247']], 'CreatePipe': [0, ['__unnamed_1203']], 'Power': [0, ['__unnamed_125b']], 'QueryDeviceRelations': [0, ['__unnamed_122d']], 'Read': [0, ['__unnamed_1209']], 'StartDevice': [0, ['__unnamed_125f']], 'QueryDirectory': [0, ['__unnamed_120d']], 'PowerSequence': [0, ['__unnamed_1253']], 'QueryId': [0, ['__unnamed_1243']], 'LockControl': [0, ['__unnamed_121b']], 'NotifyDirectory': [0, ['__unnamed_120f']], 'QueryInterface': [0, ['__unnamed_1233']], 'Others': [0, ['__unnamed_1263']], 'QueryVolume': [0, ['__unnamed_1217']], 'SetLock': [0, 
['__unnamed_123f']], 'DeviceCapabilities': [0, ['__unnamed_1237']], }], '_D3DKMDT_2DREGION': [0x8, { 'cy': [4, ['unsigned long']], 'cx': [0, ['unsigned long']], }], 'tagMONITOR': [0x90, { 'hDev': [80, ['pointer64', ['void']]], 'head': [0, ['_HEAD']], 'hDevReal': [88, ['pointer64', ['void']]], 'rcWorkReal': [44, ['tagRECT']], 'dwMONFlags': [24, ['unsigned long']], 'Spare0': [72, ['short']], 'rcMonitorReal': [28, ['tagRECT']], 'pMonitorNext': [16, ['pointer64', ['tagMONITOR']]], 'Flink': [128, ['pointer64', ['tagMONITOR']]], 'Blink': [136, ['pointer64', ['tagMONITOR']]], 'hrgnMonitorReal': [64, ['pointer64', ['HRGN__']]], 'cWndStack': [74, ['short']], 'DockTargets': [96, ['array', 7, ['array', 4, ['unsigned char']]]], }], '__unnamed_123b': [0x8, { 'IoResourceRequirementList': [0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], }], '_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION': [0x10c, { 'APSTriggerBits': [4, ['unsigned long']], 'CopyProtectionType': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPMT_UNINITIALIZED', 1: 'D3DKMDT_VPPMT_NOPROTECTION', 2: 'D3DKMDT_VPPMT_MACROVISION_APSTRIGGER', 3: 'D3DKMDT_VPPMT_MACROVISION_FULLSUPPORT', 255: 'D3DKMDT_VPPMT_NOTSPECIFIED'}}]], 'CopyProtectionSupport': [264, ['_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION_SUPPORT']], 'OEMCopyProtection': [8, ['array', 256, ['unsigned char']]], }], 'tagHID_TLC_INFO': [0x28, { 'cExcludeRequest': [32, ['unsigned long']], 'link': [0, ['_LIST_ENTRY']], 'cExcludeOrphaned': [36, ['unsigned long']], 'cUsagePageRequest': [28, ['unsigned long']], 'usUsagePage': [16, ['unsigned short']], 'cDevices': [20, ['unsigned long']], 'cDirectRequest': [24, ['unsigned long']], 'usUsage': [18, ['unsigned short']], }], 'HWND__': [0x4, { 'unused': [0, ['long']], }], '_DMM_VIDPNPATHANDTARGETMODE_SERIALIZATION': [0x1b0, { 'TargetMode': [360, ['_D3DKMDT_VIDPN_TARGET_MODE']], 'PathInfo': [0, ['_D3DKMDT_VIDPN_PRESENT_PATH']], }], 'tagQ': [0x158, { 'hwndDblClk': [112, ['pointer64', ['HWND__']]], 
'timeDblClk': [108, ['unsigned long']], 'spwndFocus': [72, ['pointer64', ['tagWND']]], 'ExtraInfo': [328, ['long long']], 'cLockCount': [322, ['unsigned short']], 'iCursorLevel': [312, ['long']], 'ptiSysLock': [24, ['pointer64', ['tagTHREADINFO']]], 'caret': [232, ['tagCARET']], 'ptiMouse': [48, ['pointer64', ['tagTHREADINFO']]], 'spwndActivePrev': [88, ['pointer64', ['tagWND']]], 'ptMouseMove': [128, ['tagPOINT']], 'msgDblClk': [100, ['unsigned long']], 'msgJournal': [324, ['unsigned long']], 'ptiKeyboard': [56, ['pointer64', ['tagTHREADINFO']]], 'cThreads': [320, ['unsigned short']], 'QF_flags': [316, ['unsigned long']], 'mlInput': [0, ['tagMLIST']], 'spwndActive': [80, ['pointer64', ['tagWND']]], 'codeCapture': [96, ['unsigned long']], 'idSysLock': [32, ['unsigned long long']], 'spcurCurrent': [304, ['pointer64', ['tagCURSOR']]], 'ulEtwReserved1': [336, ['unsigned long']], 'ptDblClk': [120, ['tagPOINT']], 'xbtnDblClk': [104, ['unsigned short']], 'afKeyRecentDown': [136, ['array', 32, ['unsigned char']]], 'afKeyState': [168, ['array', 64, ['unsigned char']]], 'spwndCapture': [64, ['pointer64', ['tagWND']]], 'idSysPeek': [40, ['unsigned long long']], }], 'tagUSERSTARTUPINFO': [0x1c, { 'wShowWindow': [24, ['unsigned short']], 'dwYSize': [16, ['unsigned long']], 'dwXSize': [12, ['unsigned long']], 'cbReserved2': [26, ['unsigned short']], 'cb': [0, ['unsigned long']], 'dwX': [4, ['unsigned long']], 'dwY': [8, ['unsigned long']], 'dwFlags': [20, ['unsigned long']], }], '_DMM_COMMITVIDPNREQUESTSET_SERIALIZATION': [0x8, { 'CommitVidPnRequestOffset': [4, ['array', 1, ['unsigned long']]], 'NumCommitVidPnRequests': [0, ['unsigned char']], }], '__unnamed_1805': [0xc, { 'Start': [0, ['_LARGE_INTEGER']], 'Length': [8, ['unsigned long']], }], '_DMM_MONITORDESCRIPTORSET_SERIALIZATION': [0x90, { 'NumDescriptors': [0, ['unsigned char']], 'DescriptorSerialization': [4, ['array', 1, ['_DMM_MONITORDESCRIPTOR_SERIALIZATION']]], }], '_DMM_MONITORSOURCEMODESET_SERIALIZATION': [0x70, { 
'NumModes': [0, ['unsigned char']], 'ModeSerialization': [8, ['array', 1, ['_DMM_MONITOR_SOURCE_MODE_SERIALIZATION']]], }], '_VK_FUNCTION_PARAM': [0x8, { 'NLSFEProcIndex': [0, ['unsigned char']], 'NLSFEProcParam': [4, ['unsigned long']], }], '_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES': [0x10, { 'SecondChannel': [4, ['unsigned long']], 'FourthChannel': [12, ['unsigned long']], 'ThirdChannel': [8, ['unsigned long']], 'FirstChannel': [0, ['unsigned long']], }], 'tagMLIST': [0x18, { 'cMsgs': [16, ['unsigned long']], 'pqmsgRead': [0, ['pointer64', ['tagQMSG']]], 'pqmsgWriteLast': [8, ['pointer64', ['tagQMSG']]], }], '__unnamed_122d': [0x4, { 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'}}]], }], 'tagMENUSTATE': [0x90, { 'fDragAndDrop': [8, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'unsigned long'}]], 'fInsideMenuLoop': [8, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'cxAni': [116, ['long']], 'pGlobalPopupMenu': [0, ['pointer64', ['tagPOPUPMENU']]], 'uDraggingIndex': [88, ['unsigned long']], 'uDraggingHitArea': [80, ['unsigned long long']], 'fNotifyByPos': [8, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'unsigned long'}]], 'fButtonDown': [8, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'ixAni': [108, ['long']], 'fInCallHandleMenuMessages': [8, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'unsigned long'}]], 'mnFocus': [20, ['long']], 'iyAni': [112, ['long']], 'dwLockCount': [40, ['unsigned long']], 'fAutoDismiss': [8, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'unsigned long'}]], 'fIsSysMenu': [8, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'dwAniStartTime': [104, ['unsigned long']], 'pmnsPrev': [48, ['pointer64', ['tagMENUSTATE']]], 
'fInEndMenu': [8, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long'}]], 'hbmAni': [128, ['pointer64', ['HBITMAP__']]], 'fIgnoreButtonUp': [8, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'unsigned long'}]], 'ptButtonDown': [56, ['tagPOINT']], 'hdcWndAni': [96, ['pointer64', ['HDC__']]], 'fAboutToAutoDismiss': [8, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'unsigned long'}]], 'fMenuStarted': [8, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'uDraggingFlags': [92, ['unsigned long']], 'fUnderline': [8, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'unsigned long'}]], 'fInDoDragDrop': [8, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'unsigned long'}]], 'ptiMenuStateOwner': [32, ['pointer64', ['tagTHREADINFO']]], 'uButtonDownIndex': [72, ['unsigned long']], 'fModelessMenu': [8, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'unsigned long'}]], 'cyAni': [120, ['long']], 'uButtonDownHitArea': [64, ['unsigned long long']], 'fButtonAlwaysDown': [8, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'unsigned long'}]], 'iAniDropDir': [8, ['BitField', {'end_bit': 24, 'start_bit': 19, 'native_type': 'unsigned long'}]], 'ptMouseLast': [12, ['tagPOINT']], 'hdcAni': [136, ['pointer64', ['HDC__']]], 'vkButtonDown': [76, ['long']], 'fSetCapture': [8, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'unsigned long'}]], 'fDragging': [8, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'unsigned long'}]], 'fActiveNoForeground': [8, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'unsigned long'}]], 'fMouseOffMenu': [8, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'unsigned long'}]], 'cmdLast': [24, ['long']], }], 'tagMSGPPINFO': [0x4, { 'dwIndexMsgPP': [0, ['unsigned long']], }], 'VWPLELEMENT': [0x10, { 'DataOrTag': [0, ['unsigned long long']], 'pwnd': [8, ['pointer64', ['tagWND']]], }], 
'_WM_VALUES_STRINGS': [0x10, { 'pszName': [0, ['pointer64', ['unsigned char']]], 'fInternal': [8, ['unsigned char']], 'fDefined': [9, ['unsigned char']], }], 'tagCLIP': [0x18, { 'fmt': [0, ['unsigned long']], 'fGlobalHandle': [16, ['long']], 'hData': [8, ['pointer64', ['void']]], }], '__unnamed_1229': [0x8, { 'Srb': [0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], }], '_HEAD': [0x10, { 'h': [0, ['pointer64', ['void']]], 'cLockObj': [8, ['unsigned long']], }], '__unnamed_1221': [0x10, { 'SecurityInformation': [0, ['unsigned long']], 'SecurityDescriptor': [8, ['pointer64', ['void']]], }], '__unnamed_11e6': [0x10, { 'AsynchronousParameters': [0, ['__unnamed_11e4']], 'AllocationSize': [0, ['_LARGE_INTEGER']], }], 'tagQMSG': [0x68, { 'FromPen': [84, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'pti': [88, ['pointer64', ['tagTHREADINFO']]], 'ExtraInfo': [64, ['long long']], 'Wow64Message': [84, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'pqmsgPrev': [8, ['pointer64', ['tagQMSG']]], 'NoCoalesce': [84, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'Padding': [80, ['BitField', {'end_bit': 32, 'start_bit': 30, 'native_type': 'unsigned long'}]], 'ptMouseReal': [72, ['tagPOINT']], 'pqmsgNext': [0, ['pointer64', ['tagQMSG']]], 'dwQEvent': [80, ['BitField', {'end_bit': 30, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'MsgPPInfo': [96, ['tagMSGPPINFO']], 'FromTouch': [84, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'msg': [16, ['tagMSG']], }], 'HWINSTA__': [0x4, { 'unused': [0, ['long']], }], 'tagWin32PoolHead': [0x20, { 'pPrev': [8, ['pointer64', ['tagWin32PoolHead']]], 'pTrace': [24, ['pointer64', ['pointer64', ['void']]]], 'pNext': [16, ['pointer64', ['tagWin32PoolHead']]], 'size': [0, ['unsigned long long']], }], 'tagTOUCHINPUT': [0x30, { 'hSource': [8, ['pointer64', ['void']]], 'dwExtraInfo': [32, ['unsigned long long']], 'cxContact': [40, ['unsigned long']], 'dwMask': 
[24, ['unsigned long']], 'y': [4, ['long']], 'x': [0, ['long']], 'dwID': [16, ['unsigned long']], 'cyContact': [44, ['unsigned long']], 'dwTime': [28, ['unsigned long']], 'dwFlags': [20, ['unsigned long']], }], '_CALLBACKWND': [0x18, { 'hwnd': [0, ['pointer64', ['HWND__']]], 'pActCtx': [16, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'pwnd': [8, ['pointer64', ['tagWND']]], }], 'HMONITOR__': [0x4, { 'unused': [0, ['long']], }], '_D3DKMDT_GRAPHICS_RENDERING_FORMAT': [0x20, { 'VisibleRegionSize': [8, ['_D3DKMDT_2DREGION']], 'Stride': [16, ['unsigned long']], 'PixelFormat': [20, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDIFMT_UNKNOWN', 20: 'D3DDDIFMT_R8G8B8', 21: 'D3DDDIFMT_A8R8G8B8', 22: 'D3DDDIFMT_X8R8G8B8', 23: 'D3DDDIFMT_R5G6B5', 24: 'D3DDDIFMT_X1R5G5B5', 25: 'D3DDDIFMT_A1R5G5B5', 26: 'D3DDDIFMT_A4R4G4B4', 27: 'D3DDDIFMT_R3G3B2', 28: 'D3DDDIFMT_A8', 29: 'D3DDDIFMT_A8R3G3B2', 30: 'D3DDDIFMT_X4R4G4B4', 31: 'D3DDDIFMT_A2B10G10R10', 32: 'D3DDDIFMT_A8B8G8R8', 33: 'D3DDDIFMT_X8B8G8R8', 34: 'D3DDDIFMT_G16R16', 35: 'D3DDDIFMT_A2R10G10B10', 36: 'D3DDDIFMT_A16B16G16R16', 40: 'D3DDDIFMT_A8P8', 41: 'D3DDDIFMT_P8', 50: 'D3DDDIFMT_L8', 51: 'D3DDDIFMT_A8L8', 52: 'D3DDDIFMT_A4L4', 60: 'D3DDDIFMT_V8U8', 61: 'D3DDDIFMT_L6V5U5', 62: 'D3DDDIFMT_X8L8V8U8', 63: 'D3DDDIFMT_Q8W8V8U8', 64: 'D3DDDIFMT_V16U16', 65: 'D3DDDIFMT_W11V11U10', 67: 'D3DDDIFMT_A2W10V10U10', 877942852: 'D3DDDIFMT_DXT4', 70: 'D3DDDIFMT_D16_LOCKABLE', 71: 'D3DDDIFMT_D32', 72: 'D3DDDIFMT_S1D15', 73: 'D3DDDIFMT_D15S1', 74: 'D3DDDIFMT_S8D24', 75: 'D3DDDIFMT_D24S8', 76: 'D3DDDIFMT_X8D24', 77: 'D3DDDIFMT_D24X8', 78: 'D3DDDIFMT_X4S4D24', 79: 'D3DDDIFMT_D24X4S4', 80: 'D3DDDIFMT_D16', 81: 'D3DDDIFMT_L16', 82: 'D3DDDIFMT_D32F_LOCKABLE', 83: 'D3DDDIFMT_D24FS8', 84: 'D3DDDIFMT_D32_LOCKABLE', 85: 'D3DDDIFMT_S8_LOCKABLE', 100: 'D3DDDIFMT_VERTEXDATA', 101: 'D3DDDIFMT_INDEX16', 102: 'D3DDDIFMT_INDEX32', 110: 'D3DDDIFMT_Q16W16V16U16', 111: 'D3DDDIFMT_R16F', 112: 'D3DDDIFMT_G16R16F', 113: 'D3DDDIFMT_A16B16G16R16F', 114: 
'D3DDDIFMT_R32F', 115: 'D3DDDIFMT_G32R32F', 116: 'D3DDDIFMT_A32B32G32R32F', 117: 'D3DDDIFMT_CxV8U8', 118: 'D3DDDIFMT_A1', 119: 'D3DDDIFMT_A2B10G10R10_XR_BIAS', 150: 'D3DDDIFMT_PICTUREPARAMSDATA', 151: 'D3DDDIFMT_MACROBLOCKDATA', 152: 'D3DDDIFMT_RESIDUALDIFFERENCEDATA', 153: 'D3DDDIFMT_DEBLOCKINGDATA', 154: 'D3DDDIFMT_INVERSEQUANTIZATIONDATA', 155: 'D3DDDIFMT_SLICECONTROLDATA', 156: 'D3DDDIFMT_BITSTREAMDATA', 157: 'D3DDDIFMT_MOTIONVECTORBUFFER', 158: 'D3DDDIFMT_FILMGRAINBUFFER', 159: 'D3DDDIFMT_DXVA_RESERVED9', 160: 'D3DDDIFMT_DXVA_RESERVED10', 161: 'D3DDDIFMT_DXVA_RESERVED11', 162: 'D3DDDIFMT_DXVA_RESERVED12', 163: 'D3DDDIFMT_DXVA_RESERVED13', 164: 'D3DDDIFMT_DXVA_RESERVED14', 165: 'D3DDDIFMT_DXVA_RESERVED15', 166: 'D3DDDIFMT_DXVA_RESERVED16', 167: 'D3DDDIFMT_DXVA_RESERVED17', 168: 'D3DDDIFMT_DXVA_RESERVED18', 169: 'D3DDDIFMT_DXVA_RESERVED19', 170: 'D3DDDIFMT_DXVA_RESERVED20', 171: 'D3DDDIFMT_DXVA_RESERVED21', 172: 'D3DDDIFMT_DXVA_RESERVED22', 173: 'D3DDDIFMT_DXVA_RESERVED23', 174: 'D3DDDIFMT_DXVA_RESERVED24', 175: 'D3DDDIFMT_DXVA_RESERVED25', 176: 'D3DDDIFMT_DXVA_RESERVED26', 177: 'D3DDDIFMT_DXVA_RESERVED27', 178: 'D3DDDIFMT_DXVA_RESERVED28', 179: 'D3DDDIFMT_DXVA_RESERVED29', 180: 'D3DDDIFMT_DXVA_RESERVED30', 181: 'D3DDDIFMT_DXVACOMPBUFFER_MAX', 844388420: 'D3DDDIFMT_DXT2', 199: 'D3DDDIFMT_BINARYBUFFER', 861165636: 'D3DDDIFMT_DXT3', 827611204: 'D3DDDIFMT_DXT1', 827606349: 'D3DDDIFMT_MULTI2_ARGB8', 1195525970: 'D3DDDIFMT_R8G8_B8G8', 1498831189: 'D3DDDIFMT_UYVY', 844715353: 'D3DDDIFMT_YUY2', 894720068: 'D3DDDIFMT_DXT5', 1111970375: 'D3DDDIFMT_G8R8_G8B8', 2147483647: 'D3DDDIFMT_FORCE_UINT'}}]], 'PixelValueAccessMode': [28, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_PVAM_UNINITIALIZED', 1: 'D3DKMDT_PVAM_DIRECT', 2: 'D3DKMDT_PVAM_PRESETPALETTE', 3: 'D3DKMDT_PVAM_MAXVALID'}}]], 'PrimSurfSize': [0, ['_D3DKMDT_2DREGION']], 'ColorBasis': [24, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 
'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], }], '_VK_TO_WCHAR_TABLE': [0x10, { 'pVkToWchars': [0, ['pointer64', ['_VK_TO_WCHARS1']]], 'cbSize': [9, ['unsigned char']], 'nModifications': [8, ['unsigned char']], }], '__unnamed_1153': [0x10, { 'Reserved': [8, ['BitField', {'end_bit': 61, 'start_bit': 2, 'native_type': 'unsigned long long'}]], 'HeaderType': [8, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'Sequence': [0, ['BitField', {'end_bit': 25, 'start_bit': 16, 'native_type': 'unsigned long long'}]], 'Region': [8, ['BitField', {'end_bit': 64, 'start_bit': 61, 'native_type': 'unsigned long long'}]], 'Init': [8, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long long'}]], 'Depth': [0, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'NextEntry': [0, ['BitField', {'end_bit': 64, 'start_bit': 25, 'native_type': 'unsigned long long'}]], }], '__unnamed_1158': [0x10, { 'Reserved': [8, ['BitField', {'end_bit': 4, 'start_bit': 2, 'native_type': 'unsigned long long'}]], 'HeaderType': [8, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'Sequence': [0, ['BitField', {'end_bit': 64, 'start_bit': 16, 'native_type': 'unsigned long long'}]], 'Init': [8, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long long'}]], 'Depth': [0, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'NextEntry': [8, ['BitField', {'end_bit': 64, 'start_bit': 4, 'native_type': 'unsigned long long'}]], }], '_TL': [0x18, { 'pfnFree': [16, ['pointer64', ['void']]], 'pobj': [8, ['pointer64', ['void']]], 'next': [0, ['pointer64', ['_TL']]], }], 'tagTHREADINFO': [0x3a8, { 'pstrAppName': [416, ['pointer64', ['_UNICODE_STRING']]], 'ForceLegacyResizeNCMetr': [520, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'unsigned long long'}]], 'ptl': [336, ['pointer64', 
['_TL']]], 'timeLast': [448, ['long']], 'DontJournalAttach': [516, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'unsigned long'}]], 'ppi': [344, ['pointer64', ['tagPROCESSINFO']]], 'SendMnuDblClk': [516, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'unsigned long'}]], 'DDENoSync': [520, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'unsigned long long'}]], 'EditNoMouseHide': [520, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'unsigned long long'}]], 'pDevHTInfo': [280, ['pointer64', ['void']]], 'OpenGLEMF': [520, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'unsigned long long'}]], 'dwCompatFlags': [516, ['unsigned long']], 'hTouchInputCurrent': [888, ['pointer64', ['HTOUCHINPUT__']]], 'psmsSent': [424, ['pointer64', ['tagSMS']]], 'cVisWindows': [728, ['unsigned long']], 'hPrevHidData': [880, ['pointer64', ['void']]], 'fsHooks': [552, ['unsigned long']], 'qwCompatFlags2': [520, ['unsigned long long']], 'NoPaddedBorder': [520, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'unsigned long long'}]], 'NoDrawPatRect': [520, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long long'}]], 'ForceTTGrapchis': [516, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'unsigned long'}]], 'GetDeviceCaps': [516, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'unsigned long'}]], 'pgdiBrushAttr': [32, ['pointer64', ['void']]], 'pq': [352, ['pointer64', ['tagQ']]], 'ulWindowSystemRendering': [324, ['unsigned long']], 'dwExpWinVer': [512, ['unsigned long']], 'NoSoftCursOnMoveSize': [520, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'unsigned long long'}]], 'psmsReceiveList': [440, ['pointer64', ['tagSMS']]], 'sphkCurrent': [560, ['pointer64', ['tagHOOK']]], 'No50ExStyles': [520, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long long'}]], 'IgnoreFaults': [516, ['BitField', {'end_bit': 26, 'start_bit': 25, 
'native_type': 'unsigned long'}]], 'pClientInfo': [400, ['pointer64', ['tagCLIENTINFO']]], 'pdcoSrc': [312, ['pointer64', ['void']]], 'pEventQueueServer': [600, ['pointer64', ['_KEVENT']]], 'DealyHwndShakeChk': [516, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'unsigned long'}]], 'amdesk': [720, ['unsigned long']], 'fsChangeBitsRemoved': [704, ['unsigned short']], 'psmsCurrent': [432, ['pointer64', ['tagSMS']]], 'NoBatching': [520, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'unsigned long long'}]], 'StrictLLHook': [520, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'unsigned long long'}]], 'pdcoRender': [304, ['pointer64', ['void']]], 'NoShadow': [520, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'unsigned long long'}]], 'EnumHelv': [516, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'unsigned long'}]], 'fPack': [928, ['BitField', {'end_bit': 28, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'CallTTDevice': [516, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long'}]], 'fsReserveKeys': [708, ['unsigned long']], 'Winver31': [516, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'unsigned long'}]], 'DisableDBCSProp': [516, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'unsigned long'}]], 'Win30AvgWidth': [516, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'unsigned long'}]], 'ptlW32': [16, ['pointer64', ['_TL']]], 'AlwaysSendSyncPaint': [516, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'unsigned long'}]], 'IgnoreNoDiscard': [516, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'NoTimeCbProtect': [520, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'unsigned long long'}]], 'MsShellDlg': [520, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long long'}]], 'hEventQueueClient': [592, ['pointer64', ['void']]], 'cPaintsReady': [480, ['long']], 
'SubtractClips': [516, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'unsigned long'}]], 'PtiLink': [608, ['_LIST_ENTRY']], 'DpiAware': [520, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'unsigned long long'}]], 'spklActive': [360, ['pointer64', ['tagKL']]], 'bIncludeSprites': [321, ['unsigned char']], 'mlPost': [680, ['tagMLIST']], 'ptLastReal': [636, ['tagPOINT']], 'fThreadCleanupFinished': [928, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'unsigned long'}]], 'MultipleBands': [516, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'unsigned long'}]], 'Random31Ux': [516, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'unsigned long'}]], 'HackWinFlags': [516, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'unsigned long'}]], 'pProxyPort': [64, ['pointer64', ['void']]], 'KCOff': [520, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long long'}]], 'wParamHkCurrent': [576, ['unsigned long long']], 'readyHead': [912, ['_LIST_ENTRY']], 'UsePrintingEscape': [516, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'NoInitFlagsOnFocus': [520, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'unsigned long long'}]], 'ForceTextBand': [516, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'pEThread': [0, ['pointer64', ['_ETHREAD']]], 'ptdb': [496, ['pointer64', ['tagTDB']]], 'SpareCompatFlags2': [520, ['BitField', {'end_bit': 64, 'start_bit': 33, 'native_type': 'unsigned long long'}]], 'cWindows': [724, ['unsigned long']], 'cEnterCount': [672, ['long']], 'fETWReserved': [928, ['BitField', {'end_bit': 32, 'start_bit': 29, 'native_type': 'unsigned long'}]], 'dwCompatFlags2': [520, ['unsigned long']], 'NoEMFSpooling': [516, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'unsigned long'}]], 'pMenuState': [488, ['pointer64', ['tagMENUSTATE']]], 'pRBRecursionCount': [96, ['unsigned long']], 
'SmoothScrolling': [516, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'unsigned long'}]], 'iVisRgnUniqueness': [328, ['unsigned long']], 'RefCount': [8, ['unsigned long']], 'Win31DevModeSize': [516, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'unsigned long'}]], 'pwinsta': [496, ['pointer64', ['tagWINDOWSTATION']]], 'pSBTrack': [584, ['pointer64', ['tagSBTRACK']]], 'ActiveMenus': [520, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'unsigned long long'}]], 'spwndDefaultIme': [648, ['pointer64', ['tagWND']]], 'NoCustomPaperSize': [520, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'unsigned long long'}]], 'wchInjected': [706, ['wchar']], 'cTimersReady': [484, ['unsigned long']], 'EditSetTextMunge': [516, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'unsigned long'}]], 'pUMPDHeap': [48, ['pointer64', ['void']]], 'fgfSwitchInProgressSetter': [928, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'iCursorLevel': [624, ['long']], 'NoScrollBarCtxMenu': [516, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'unsigned long'}]], 'ulClientDelta': [392, ['unsigned long long']], 'pdcoAA': [296, ['pointer64', ['void']]], 'cNestedStableVisRgn': [908, ['unsigned long']], 'TryExceptCallWndProc': [520, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'unsigned long long'}]], 'cti': [864, ['tagCLIENTTHREADINFO']], 'NcCalcSizeOnMove': [516, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'unsigned long'}]], 'DisableFontAssoc': [516, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'unsigned long'}]], 'pcti': [368, ['pointer64', ['tagCLIENTTHREADINFO']]], 'MsgPPInfo': [904, ['tagMSGPPINFO']], 'DDE': [520, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'unsigned long long'}]], 'ulThreadFlags2': [928, ['unsigned long']], 'tlSpriteState': [104, ['_TLSPRITESTATE']], 'NoCharDeadKey': [520, ['BitField', {'end_bit': 16, 
'start_bit': 15, 'native_type': 'unsigned long long'}]], 'pqAttach': [528, ['pointer64', ['tagQ']]], 'TTIgnoreRasterDupe': [516, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'unsigned long'}]], 'aphkStart': [736, ['array', 16, ['pointer64', ['tagHOOK']]]], 'DefaultCharset': [520, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'unsigned long long'}]], 'idLast': [456, ['unsigned long long']], 'rpdesk': [376, ['pointer64', ['tagDESKTOP']]], 'NoWindowArrangement': [520, ['BitField', {'end_bit': 33, 'start_bit': 32, 'native_type': 'unsigned long long'}]], 'AnimationOff': [520, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'No50ExStyleBits': [520, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'unsigned long long'}]], 'TransparentBltMirror': [520, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'unsigned long long'}]], 'DDENoAsyncReg': [520, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'unsigned long long'}]], 'bEnableEngUpdateDeviceSurface': [320, ['unsigned char']], 'pDeskInfo': [384, ['pointer64', ['tagDESKTOPINFO']]], 'hdesk': [472, ['pointer64', ['HDESK__']]], 'pNonRBRecursionCount': [100, ['unsigned long']], 'MoreExtraWndWords': [516, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'unsigned long'}]], 'hklPrev': [664, ['pointer64', ['HKL__']]], 'NoGhost': [520, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'unsigned long long'}]], 'IgnoreTopMost': [516, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'pmsd': [544, ['pointer64', ['_MOVESIZEDATA']]], 'NoHRGN1': [516, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'unsigned long'}]], 'exitCode': [464, ['long']], 'NoDDETrackDying': [520, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'unsigned long long'}]], 'ptLast': [628, ['tagPOINT']], 'hGestureInfoCurrent': [896, ['pointer64', ['HGESTUREINFO__']]], 'GdiTmpTgoList': [80, 
['_LIST_ENTRY']], 'pUMPDObjs': [40, ['pointer64', ['void']]], 'FontSubs': [520, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'unsigned long long'}]], 'GiveUpForegound': [520, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'unsigned long long'}]], 'spDefaultImc': [656, ['pointer64', ['tagIMC']]], 'pgdiDcattr': [24, ['pointer64', ['void']]], 'TIF_flags': [408, ['unsigned long']], 'apEvent': [712, ['pointer64', ['pointer64', ['_KEVENT']]]], 'HardwareMixer': [520, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'unsigned long long'}]], 'pUMPDObj': [56, ['pointer64', ['void']]], 'pSpriteState': [272, ['pointer64', ['void']]], 'EnumTTNotDevice': [516, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'unsigned long'}]], 'lParamHkCurrent': [568, ['long long']], 'ulDevHTInfoUniqueness': [288, ['unsigned long']], 'ptiSibling': [536, ['pointer64', ['tagTHREADINFO']]], 'psiiList': [504, ['pointer64', ['tagSVR_INSTANCE_INFO']]], 'ForceFusion': [520, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'unsigned long long'}]], 'fSpecialInitialization': [928, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'IncreaseStack': [516, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'unsigned long'}]], 'pClientID': [72, ['pointer64', ['void']]], }], '_MOVESIZEDATA': [0xf0, { 'fmsKbd': [164, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'fMoveFromMax': [164, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'unsigned long'}]], 'fSnapMoving': [164, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'unsigned long'}]], 'ptRestore': [156, ['tagPOINT']], 'fUsePreviewRect': [164, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'unsigned long'}]], 'ptStartHitWindowRelative': [208, ['tagPOINT']], 'CurrentHitTarget': [192, ['Enumeration', {'target': 'long', 'choices': {0: 'ThresholdMarginTop', 1: 'ThresholdMarginLeft', 2: 
'ThresholdMarginRight', 3: 'ThresholdMarginBottom', 4: 'ThresholdMarginMax'}}]], 'fHasSoftwareCursor': [164, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'unsigned long'}]], 'fCheckPtForcefullyRestored': [164, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'unsigned long'}]], 'fSnapMovingTemporaryAllowed': [164, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'unsigned long'}]], 'Unused': [164, ['BitField', {'end_bit': 32, 'start_bit': 28, 'native_type': 'unsigned long'}]], 'fOffScreen': [164, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'unsigned long'}]], 'fWindowWasSuperMaximized': [164, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'unsigned long'}]], 'StartCurrentHitTarget': [176, ['Enumeration', {'target': 'long', 'choices': {0: 'ThresholdMarginTop', 1: 'ThresholdMarginLeft', 2: 'ThresholdMarginRight', 3: 'ThresholdMarginBottom', 4: 'ThresholdMarginMax'}}]], 'fSnapSizing': [164, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'unsigned long'}]], 'fIsMoveSizeLoop': [164, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'unsigned long'}]], 'rcPreviewCursor': [56, ['tagRECT']], 'dyMouse': [140, ['long']], 'fVerticallyMaximizedRight': [164, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'unsigned long'}]], 'fTrackCancelled': [164, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'impx': [148, ['long']], 'impy': [152, ['long']], 'fLockWindowUpdate': [164, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'fStartVerticallyMaximizedLeft': [164, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'unsigned long'}]], 'ptMinTrack': [88, ['tagPOINT']], 'pMonitorCurrentHitTarget': [184, ['pointer64', ['tagMONITOR']]], 'rcWindow': [104, ['tagRECT']], 'pStartMonitorCurrentHitTarget': [168, ['pointer64', ['tagMONITOR']]], 'cmd': [144, ['long']], 'ptMaxTrack': [96, ['tagPOINT']], 'fForceSizing': 
[164, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'unsigned long'}]], 'fThresholdSelector': [164, ['BitField', {'end_bit': 18, 'start_bit': 15, 'native_type': 'unsigned long'}]], 'MoveRectStyle': [196, ['Enumeration', {'target': 'long', 'choices': {0: 'MoveRectKeepPositionAtCursor', 1: 'MoveRectMidTopAtCursor', 2: 'MoveRectKeepAspectRatioAtCursor', 3: 'MoveRectSidewiseKeepPositionAtCursor'}}]], 'fDragFullWindows': [164, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'unsigned long'}]], 'fForeground': [164, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long'}]], 'ulCountDragOutOfLeftRightTarget': [228, ['unsigned long']], 'ptLastTrack': [216, ['tagPOINT']], 'frcNormalCheckPtValid': [164, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'unsigned long'}]], 'fIsHitPtOffScreen': [164, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'unsigned long'}]], 'fSnapSizingTemporaryAllowed': [164, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'unsigned long'}]], 'fInitSize': [164, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'dxMouse': [136, ['long']], 'fStartVerticallyMaximizedRight': [164, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'unsigned long'}]], 'ulCountDragOutOfTopTarget': [224, ['unsigned long']], 'fVerticallyMaximizedLeft': [164, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'unsigned long'}]], 'spwnd': [0, ['pointer64', ['tagWND']]], 'fHasPreviewRect': [164, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'unsigned long'}]], 'rcPreview': [40, ['tagRECT']], 'rcDragCursor': [24, ['tagRECT']], 'Flags': [164, ['unsigned long']], 'ptHitWindowRelative': [200, ['tagPOINT']], 'rcParent': [72, ['tagRECT']], 'ulCountSizeOutOfTopBottomTarget': [232, ['unsigned long']], 'rcNormalStartCheckPt': [120, ['tagRECT']], 'rcDrag': [8, ['tagRECT']], }], '_LARGE_UNICODE_STRING': [0x10, { 'Buffer': [8, ['pointer64', 
['unsigned short']]], 'Length': [0, ['unsigned long']], 'MaximumLength': [4, ['BitField', {'end_bit': 31, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'bAnsi': [4, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'unsigned long'}]], }], 'VSC_LPWSTR': [0x10, { 'vsc': [0, ['unsigned char']], 'pwsz': [8, ['pointer64', ['unsigned short']]], }], '_D3DKMDT_VIDPN_PRESENT_PATH_TRANSFORMATION': [0x10, { 'Scaling': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPS_UNINITIALIZED', 1: 'D3DKMDT_VPPS_IDENTITY', 2: 'D3DKMDT_VPPS_CENTERED', 3: 'D3DKMDT_VPPS_STRETCHED', 4: 'D3DKMDT_VPPS_ASPECTRATIOCENTEREDMAX', 5: 'D3DKMDT_VPPS_CUSTOM', 253: 'D3DKMDT_VPPS_RESERVED1', 254: 'D3DKMDT_VPPS_UNPINNED', 255: 'D3DKMDT_VPPS_NOTSPECIFIED'}}]], 'RotationSupport': [12, ['_D3DKMDT_VIDPN_PRESENT_PATH_ROTATION_SUPPORT']], 'Rotation': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPR_UNINITIALIZED', 1: 'D3DKMDT_VPPR_IDENTITY', 2: 'D3DKMDT_VPPR_ROTATE90', 3: 'D3DKMDT_VPPR_ROTATE180', 4: 'D3DKMDT_VPPR_ROTATE270', 254: 'D3DKMDT_VPPR_UNPINNED', 255: 'D3DKMDT_VPPR_NOTSPECIFIED'}}]], 'ScalingSupport': [4, ['_D3DKMDT_VIDPN_PRESENT_PATH_SCALING_SUPPORT']], }], 'tagUAHMENUPOPUPMETRICS': [0x14, { 'rgcx': [0, ['array', 4, ['long']]], 'fUpdateMaxWidths': [16, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], }], '__unnamed_115b': [0x10, { 'NextEntry': [8, ['BitField', {'end_bit': 64, 'start_bit': 4, 'native_type': 'unsigned long long'}]], 'Depth': [0, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'Reserved': [8, ['BitField', {'end_bit': 4, 'start_bit': 1, 'native_type': 'unsigned long long'}]], 'HeaderType': [8, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long long'}]], 'Sequence': [0, ['BitField', {'end_bit': 64, 'start_bit': 16, 'native_type': 'unsigned long long'}]], }], '_THROBJHEAD': [0x18, { 'h': [0, ['pointer64', ['void']]], 'pti': [16, ['pointer64', 
['tagTHREADINFO']]], 'cLockObj': [8, ['unsigned long']], }], '_DMM_COFUNCPATHSMODALITY_SERIALIZATION': [0x8, { 'NumPathsFromSource': [0, ['unsigned char']], 'PathAndTargetModeSetOffset': [4, ['array', 1, ['unsigned long']]], }], 'tagSBTRACK': [0x68, { 'spwndSBNotify': [24, ['pointer64', ['tagWND']]], 'hTimerSB': [64, ['unsigned long long']], 'cmdSB': [56, ['unsigned long']], 'xxxpfnSB': [48, ['pointer64', ['void']]], 'fTrackVert': [0, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'posNew': [84, ['long']], 'posOld': [80, ['long']], 'fCtlSB': [0, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'rcTrack': [32, ['tagRECT']], 'fTrackRecalc': [0, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'spwndSB': [16, ['pointer64', ['tagWND']]], 'spwndTrack': [8, ['pointer64', ['tagWND']]], 'dpxThumb': [72, ['long']], 'pxOld': [76, ['long']], 'fHitOld': [0, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'pSBCalc': [96, ['pointer64', ['tagSBCALC']]], 'nBar': [88, ['long']], }], '_DMA_ADAPTER': [0x10, { 'Version': [0, ['unsigned short']], 'DmaOperations': [8, ['pointer64', ['_DMA_OPERATIONS']]], 'Size': [2, ['unsigned short']], }], '__unnamed_1217': [0x10, { 'FsInformationClass': [8, ['Enumeration', {'target': 'long', 'choices': {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'}}]], 'Length': [0, ['unsigned long']], }], 'tagDPISERVERINFO': [0x28, { 'hMsgFont': [16, ['pointer64', ['HFONT__']]], 'hCaptionFont': [8, ['pointer64', ['HFONT__']]], 'gclBorder': [0, ['long']], 'cxMsgFontChar': [24, ['long']], 'wMaxBtnSize': [32, ['unsigned long']], 'cyMsgFontChar': [28, 
['long']], }], 'HICON__': [0x4, { 'unused': [0, ['long']], }], '_DMM_VIDPNTARGETMODESET_SERIALIZATION': [0x50, { 'NumModes': [0, ['unsigned char']], 'ModeSerialization': [8, ['array', 1, ['_D3DKMDT_VIDPN_TARGET_MODE']]], }], '__unnamed_16c1': [0x8, { 'ActiveSize': [0, ['_D3DKMDT_2DREGION']], 'MaxPixelRate': [0, ['unsigned long long']], }], '__unnamed_127c': [0x48, { 'Wcb': [0, ['_WAIT_CONTEXT_BLOCK']], 'ListEntry': [0, ['_LIST_ENTRY']], }], '_D3DMATRIX': [0x40, { '_33': [40, ['float']], '_42': [52, ['float']], '_43': [56, ['float']], '_44': [60, ['float']], '_34': [44, ['float']], '_14': [12, ['float']], '_13': [8, ['float']], '_12': [4, ['float']], '_11': [0, ['float']], '_41': [48, ['float']], '_31': [32, ['float']], '_24': [28, ['float']], '_32': [36, ['float']], '_22': [20, ['float']], '_23': [24, ['float']], '_21': [16, ['float']], }], '__unnamed_18a1': [0x20, { 'Text': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_TRF_UNINITIALIZED'}}]], 'Graphics': [0, ['_D3DKMDT_GRAPHICS_RENDERING_FORMAT']], }], 'HGESTUREINFO__': [0x4, { 'unused': [0, ['long']], }], '_VK_TO_FUNCTION_TABLE': [0x84, { 'NLSFEProcType': [1, ['unsigned char']], 'NLSFEProcSwitch': [3, ['unsigned char']], 'Vk': [0, ['unsigned char']], 'NLSFEProcCurrent': [2, ['unsigned char']], 'NLSFEProcAlt': [68, ['array', 8, ['_VK_FUNCTION_PARAM']]], 'NLSFEProc': [4, ['array', 8, ['_VK_FUNCTION_PARAM']]], }], '__unnamed_16ca': [0x10, { 'Attrib': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'WCA_UNDEFINED', 1: 'WCA_NCRENDERING_ENABLED', 2: 'WCA_NCRENDERING_POLICY', 3: 'WCA_TRANSITIONS_FORCEDISABLED', 4: 'WCA_ALLOW_NCPAINT', 5: 'WCA_CAPTION_BUTTON_BOUNDS', 6: 'WCA_NONCLIENT_RTL_LAYOUT', 7: 'WCA_FORCE_ICONIC_REPRESENTATION', 8: 'WCA_FLIP3D_POLICY', 9: 'WCA_EXTENDED_FRAME_BOUNDS', 10: 'WCA_HAS_ICONIC_BITMAP', 11: 'WCA_THEME_ATTRIBUTES', 12: 'WCA_NCRENDERING_EXILED', 13: 'WCA_NCADORNMENTINFO', 14: 'WCA_EXCLUDED_FROM_LIVEPREVIEW', 15: 'WCA_VIDEO_OVERLAY_ACTIVE', 16: 
'WCA_FORCE_ACTIVEWINDOW_APPEARANCE', 17: 'WCA_DISALLOW_PEEK', 18: 'WCA_LAST'}}]], 'cbData': [8, ['unsigned long long']], }], '_DMM_VIDPNPATHANDTARGETMODESET_SERIALIZATION': [0x1b8, { 'PathInfo': [0, ['_D3DKMDT_VIDPN_PRESENT_PATH']], 'TargetModeSet': [360, ['_DMM_VIDPNTARGETMODESET_SERIALIZATION']], }], 'HDESK__': [0x4, { 'unused': [0, ['long']], }], 'VK_TO_BIT': [0x2, { 'Vk': [0, ['unsigned char']], 'ModBits': [1, ['unsigned char']], }], 'tagIMEINFOEX': [0x160, { 'fSysWow64Only': [348, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'wszImeFile': [188, ['array', 80, ['wchar']]], 'fLoadFlag': [76, ['long']], 'hkl': [0, ['pointer64', ['HKL__']]], 'dwImeWinVersion': [84, ['unsigned long']], 'dwProdVersion': [80, ['unsigned long']], 'wszImeDescription': [88, ['array', 50, ['wchar']]], 'fCUASLayer': [348, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'ImeInfo': [8, ['tagIMEINFO']], 'wszUIClass': [36, ['array', 16, ['wchar']]], 'fInitOpen': [72, ['long']], 'fdwInitConvMode': [68, ['unsigned long']], }], '__unnamed_12e0': [0x2c, { 'InitialPrivilegeSet': [0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet': [0, ['_PRIVILEGE_SET']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION_SUPPORT': [0x4, { 'MacroVisionFull': [0, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'MacroVisionApsTrigger': [0, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'NoProtection': [0, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'Reserved': [0, ['BitField', {'end_bit': 32, 'start_bit': 3, 'native_type': 'unsigned long'}]], }], '_SCATTER_GATHER_ELEMENT': [0x18, { 'Length': [8, ['unsigned long']], 'Reserved': [16, ['unsigned long long']], 'Address': [0, ['_LARGE_INTEGER']], }], 'tagWND': [0x128, { 'bEraseBackground': [40, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'long'}]], 'spwndOwner': [104, ['pointer64', ['tagWND']]], 'bWS_EX_LAYERED': [48, 
['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'long'}]], 'bWS_CLIPCHILDREN': [52, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'long'}]], 'bMaximizeButtonDown': [44, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'long'}]], 'cbwndExtra': [232, ['long']], 'bMakeVisibleWhenUnghosted': [48, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'long'}]], 'bUIStateActive': [48, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'long'}]], 'hMod16': [64, ['unsigned short']], 'bWS_TABSTOP': [52, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bUnused8': [52, ['BitField', {'end_bit': 18, 'start_bit': 16, 'native_type': 'long'}]], 'bWS_EX_NOPARENTNOTIFY': [48, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'bForceFullNCPaintClipRgn': [44, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'long'}]], 'bDialogWindow': [40, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'lpfnWndProc': [144, ['pointer64', ['void']]], 'bWS_EX_RTLREADING': [48, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'long'}]], 'bMinimizeButtonDown': [44, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'long'}]], 'bUnused2': [48, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'long'}]], 'bUnused3': [48, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'long'}]], 'bUnused4': [48, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'long'}]], 'bHasMeun': [40, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'bUnused6': [52, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bUnused7': [52, ['BitField', {'end_bit': 18, 'start_bit': 16, 'native_type': 'long'}]], 'bWS_SIZEBOX': [52, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'long'}]], 'style': [52, ['unsigned long']], 'ppropList': [168, ['pointer64', ['tagPROPLIST']]], 'hrgnNewFrame': [208, 
['pointer64', ['HRGN__']]], 'bHasOverlay': [288, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'long'}]], 'bUnused9': [52, ['BitField', {'end_bit': 19, 'start_bit': 16, 'native_type': 'long'}]], 'bClipboardListener': [288, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'bScrollBarLineDownBtnDown': [44, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'long'}]], 'bReserved3': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bRedirectedForPrint': [288, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'bWS_EX_RIGHT': [48, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'long'}]], 'bStartPaint': [44, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'bHasCreatestructName': [40, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'long'}]], 'bWS_EX_COMPOSITED': [48, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'long'}]], 'bFullScreen': [44, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'long'}]], 'spwndLastActive': [240, ['pointer64', ['tagWND']]], 'hrgnUpdate': [160, ['pointer64', ['HRGN__']]], 'head': [0, ['_THRDESKHEAD']], 'bConsoleWindow': [288, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'long'}]], 'bHiddenPopup': [40, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'long'}]], 'hrgnClip': [200, ['pointer64', ['HRGN__']]], 'bWS_EX_CONTROLPARENT': [48, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bWS_EX_TOPMOST': [48, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'bSendEraseBackground': [40, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'long'}]], 'bScrollBarLineUpBtnDown': [44, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bWin50Compat': [44, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'long'}]], 'bRecievedQuerySuspendMsg': [40, ['BitField', {'end_bit': 25, 
'start_bit': 24, 'native_type': 'long'}]], 'bMaximizeMonitorRegion': [44, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'long'}]], 'bLayeredLimbo': [288, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'long'}]], 'bRedrawIfHung': [40, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'long'}]], 'FullScreenMode': [44, ['BitField', {'end_bit': 27, 'start_bit': 24, 'native_type': 'long'}]], 'bLayeredInvalidate': [288, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'bVerticallyMaximizedLeft': [288, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'bWS_POPUP': [52, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'long'}]], 'bWS_EX_CONTEXTHELP': [48, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'long'}]], 'dwUserData': [256, ['unsigned long long']], 'bDisabled': [52, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'long'}]], 'bAnsiWindowProc': [40, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'long'}]], 'bWin40Compat': [44, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'long'}]], 'bWS_EX_NOINHERITLAYOUT': [48, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'long'}]], 'rcClient': [128, ['tagRECT']], 'bAnsiCreator': [40, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'long'}]], 'bAnyScrollButtonDown': [44, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'long'}]], 'bWS_EX_LAYOUTRTL': [48, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'long'}]], 'bUIStateKbdAccelHidden': [48, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'long'}]], 'bSendSizeMoveMsgs': [40, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'long'}]], 'spwndParent': [88, ['pointer64', ['tagWND']]], 'bLinked': [288, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'bSendNCPaint': [40, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'long'}]], 
'bToggleTopmost': [40, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'long'}]], 'bInternalPaint': [40, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'long'}]], 'bDestroyed': [40, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'long'}]], 'bHasClientEdge': [44, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'long'}]], 'bServerSideWindowProc': [40, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'long'}]], 'bCaptionTextTruncated': [44, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'long'}]], 'rcWindow': [112, ['tagRECT']], 'bEndPaintInvalidate': [44, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'bHasPalette': [40, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'long'}]], 'bHasHorizontalScrollbar': [40, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'bUIStateFocusRectHidden': [48, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'long'}]], 'bReserved1': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bWS_EX_COMPOSITEDCompositing': [48, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'long'}]], 'bWS_EX_MDICHILD': [48, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'long'}]], 'bHasVerticalScrollbar': [40, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'bReserved2': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bWMCreateMsgProcessed': [44, ['BitField', {'end_bit': 32, 'start_bit': 31, 'native_type': 'long'}]], 'bMinimized': [52, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'long'}]], 'bWS_EX_NOACTIVATE': [48, ['BitField', {'end_bit': 28, 'start_bit': 27, 'native_type': 'long'}]], 'bWS_EX_APPWINDOW': [48, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'long'}]], 'pSBInfo': [176, ['pointer64', ['tagSBINFO']]], 'bSmallIconFromWMQueryDrag': [44, ['BitField', {'end_bit': 30, 
'start_bit': 29, 'native_type': 'long'}]], 'bNoNCPaint': [40, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'long'}]], 'bCloseButtonDown': [44, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'long'}]], 'bUnused1': [48, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'bHasSPB': [40, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'bWS_MINIMIZEBOX': [52, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'long'}]], 'bMaximized': [52, ['BitField', {'end_bit': 25, 'start_bit': 24, 'native_type': 'long'}]], 'bScrollBarVerticalTracking': [44, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'long'}]], 'bWS_CHILD': [52, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'long'}]], 'bReserved5': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bWS_EX_DLGMODALFRAME': [48, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'bWS_EX_TRANSPARENT': [48, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'long'}]], 'spmenu': [192, ['pointer64', ['tagMENU']]], 'bWS_THICKFRAME': [52, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'long'}]], 'bPaintNotProcessed': [40, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'long'}]], 'bSyncPaintPending': [40, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'long'}]], 'pcls': [152, ['pointer64', ['tagCLS']]], 'bLayeredForDWM': [288, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'long'}]], 'bMsgBox': [40, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'long'}]], 'bShellHookRegistered': [44, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'long'}]], 'spwndChild': [96, ['pointer64', ['tagWND']]], 'bUnused5': [52, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bHelpButtonDown': [44, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'long'}]], 'bInDestroy': [44, ['BitField', 
{'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'state': [40, ['unsigned long']], 'strName': [216, ['_LARGE_UNICODE_STRING']], 'spwndPrev': [80, ['pointer64', ['tagWND']]], 'bRedrawFrameIfHung': [40, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'long'}]], 'bWS_EX_LEFTSCROLLBAR': [48, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'long'}]], 'bWS_EX_TOOLWINDOW': [48, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'bWS_VSCROLL': [52, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'long'}]], 'bMaximizesToMonitor': [40, ['BitField', {'end_bit': 31, 'start_bit': 30, 'native_type': 'long'}]], 'bNoMinmaxAnimatedRects': [44, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'long'}]], 'fnid': [66, ['unsigned short']], 'ExStyle': [48, ['unsigned long']], 'bRedirected': [48, ['BitField', {'end_bit': 30, 'start_bit': 29, 'native_type': 'long'}]], 'bActiveFrame': [40, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'long'}]], 'bReserved4': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bWS_EX_WINDOWEDGE': [48, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'long'}]], 'bReserved6': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bReserved7': [52, ['BitField', {'end_bit': 16, 'start_bit': 0, 'native_type': 'long'}]], 'bWS_CLIPSIBLINGS': [52, ['BitField', {'end_bit': 27, 'start_bit': 26, 'native_type': 'long'}]], 'bWS_EX_ACCEPTFILE': [48, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'long'}]], 'bWS_HSCROLL': [52, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'long'}]], 'bUpdateDirty': [40, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'long'}]], 'bBeingActivated': [40, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'long'}]], 'state2': [44, ['unsigned long']], 'spwndNext': [72, ['pointer64', ['tagWND']]], 'bScrollBarPageDownBtnDown': [44, ['BitField', 
{'end_bit': 19, 'start_bit': 18, 'native_type': 'long'}]], 'bWS_BORDER': [52, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'long'}]], 'bWMPaintSent': [44, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'bScrollBarPageUpBtnDown': [44, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'long'}]], 'pTransform': [272, ['pointer64', ['_D3DMATRIX']]], 'bWS_MAXIMIZEBOX': [52, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'long'}]], 'bVisible': [52, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'long'}]], 'bVerticallyMaximizedRight': [288, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'long'}]], 'bWin31Compat': [44, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'long'}]], 'bWS_EX_STATICEDGE': [48, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'long'}]], 'bForceMenuDraw': [40, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'long'}]], 'bForceNCPaint': [44, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'long'}]], 'ExStyle2': [288, ['unsigned long']], 'bOldUI': [44, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'bWS_DLGFRAME': [52, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'long'}]], 'bHIGHDPI_UNAWARE_Unused': [288, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'long'}]], 'bWS_SYSMENU': [52, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'long'}]], 'spwndClipboardListenerNext': [280, ['pointer64', ['tagWND']]], 'hModule': [56, ['pointer64', ['void']]], 'bWS_EX_NOPADDEDBORDER': [48, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'long'}]], 'pActCtx': [264, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'bBottomMost': [44, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'long'}]], 'spmenuSys': [184, ['pointer64', ['tagMENU']]], 'bRecievedSuspendMsg': [40, ['BitField', {'end_bit': 26, 'start_bit': 25, 'native_type': 'long'}]], 
'bWS_EX_CLIENTEDGE': [48, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'long'}]], 'bHasCaption': [40, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'hImc': [248, ['pointer64', ['HIMC__']]], 'bChildNoActivate': [288, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'long'}]], 'bWS_GROUP': [52, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'long'}]], }], 'tagUAHMENUITEMMETRICS': [0x20, { 'rgsizeBar': [0, ['array', 2, ['tagSIZE']]], 'rgsizePopup': [0, ['array', 4, ['tagSIZE']]], }], '_DXGK_DIAG_CODE_POINT_PACKET': [0x40, { 'Header': [0, ['_DXGK_DIAG_HEADER']], 'Param3': [60, ['unsigned long']], 'Param1': [52, ['unsigned long']], 'CodePointType': [48, ['Enumeration', {'target': 'long', 'choices': {0: 'DXGK_DIAG_CODE_POINT_TYPE_NONE', 1: 'DXGK_DIAG_CODE_POINT_TYPE_RECOMMEND_FUNC_VIDPN', 2: 'DXGK_DIAG_CODE_POINT_TYPE_OS_RECOMMENDED_VIDPN', 3: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_LOG_FAILURE', 4: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_INVALIDATE_ERROR', 5: 'DXGK_DIAG_CODE_POINT_TYPE_CDS_LOG_FAILURE', 7: 'DXGK_DIAG_CODE_POINT_TYPE_CDS_FAILURE_DB', 8: 'DXGK_DIAG_CODE_POINT_TYPE_RETRIEVE_BTL', 9: 'DXGK_DIAG_CODE_POINT_TYPE_RETRIEVE_DB', 10: 'DXGK_DIAG_CODE_POINT_TYPE_QDC_LOG_FAILURE', 11: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_ON_GDI', 12: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_OFF_GDI', 13: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_ON_MONITOR', 14: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_OFF_MONITOR', 15: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_DIM_MONITOR', 16: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_UNDIM_MONITOR', 17: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BACKTRACK', 18: 'DXGK_DIAG_CODE_POINT_TYPE_BML_CLOSEST_TARGET_MODE', 19: 'DXGK_DIAG_CODE_POINT_TYPE_BML_NO_EXACT_SOURCE_MODE', 20: 'DXGK_DIAG_CODE_POINT_TYPE_BML_NO_EXACT_TARGET_MODE', 21: 'DXGK_DIAG_CODE_POINT_TYPE_BML_SOURCE_MODE_NOT_PINNED', 22: 'DXGK_DIAG_CODE_POINT_TYPE_BML_TARGET_MODE_NOT_PINNED', 23: 'DXGK_DIAG_CODE_POINT_TYPE_BML_RESTARTED', 24: 'DXGK_DIAG_CODE_POINT_TYPE_TDR', 25: 
'DXGK_DIAG_CODE_POINT_TYPE_ACPI_EVENT_NOTIFICATION', 26: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEMDEV_USE_DEFAULT_MODE', 27: 'DXGK_DIAG_CODE_POINT_TYPE_CONNECTED_SET_LOG_FAILURE', 28: 'DXGK_DIAG_CODE_POINT_TYPE_INVALIDATE_DXGK_MODE_CACHE', 29: 'DXGK_DIAG_CODE_POINT_TYPE_REBUILD_DXGK_MODE_CACHE', 30: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEFUNVIDPN_RELAX_REFRESH_MATCH', 31: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEFUNVIDPN_CCDBML_FAIL_VISTABML_SUCCESSED', 32: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BEST_SOURCE_MODE', 33: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BEST_TARGET_MODE', 34: 'DXGK_DIAG_CODE_POINT_TYPE_ADD_DEVICE', 35: 'DXGK_DIAG_CODE_POINT_TYPE_START_ADAPTER', 36: 'DXGK_DIAG_CODE_POINT_TYPE_STOP_ADAPTER', 37: 'DXGK_DIAG_CODE_POINT_TYPE_CHILD_POLLING', 38: 'DXGK_DIAG_CODE_POINT_TYPE_CHILD_POLLING_TARGET', 39: 'DXGK_DIAG_CODE_POINT_TYPE_INDICATE_CHILD_STATUS', 40: 'DXGK_DIAG_CODE_POINT_TYPE_HANDLE_IRP', 41: 'DXGK_DIAG_CODE_POINT_TYPE_CHANGE_UNSUPPORTED_MONITOR_MODE_FLAG', 42: 'DXGK_DIAG_CODE_POINT_TYPE_ACPI_NOTIFY_CALLBACK', 43: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_EVICTALL_DISABLEGDI', 44: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_EVICTALL_ENABLEGDI', 45: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_MODESWITCH', 46: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_SYNC_MONITOR_EVENT', 47: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_PNP_NOTIFY_GDI', 48: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_PNP_ENABLE_VGA', 49: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_TDR_SWITCH_GDI', 50: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_CREATE_DEVICE_FAILED', 51: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_DEVICE_REMOVED', 52: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_DRVASSERTMODE_TRUE_FAILED', 53: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_RECREATE_DEVICE_FAILED', 54: 'DXGK_DIAG_CODE_POINT_TYPE_CDD_MAPSHADOWBUFFER_FAILED', 55: 'DXGK_DIAG_CODE_POINT_TYPE_COMMIT_VIDPN_LOG_FAILURE', 56: 'DXGK_DIAG_CODE_POINT_TYPE_DRIVER_RECOMMEND_LOG_FAILURE', 57: 
'DXGK_DIAG_CODE_POINT_TYPE_SDC_ENFORCED_CLONE_PATH_INVALID_SOURCE_IDX', 58: 'DXGK_DIAG_CODE_POINT_TYPE_DRVPROBEANDCAPTURE_FAILED', 59: 'DXGK_DIAG_CODE_POINT_TYPE_DXGKCDDENABLE_OPTIMIZED_MODE_CHANGE', 60: 'DXGK_DIAG_CODE_POINT_TYPE_DXGKSETDISPLAYMODE_OPTIMIZED_MODE_CHANGE', 61: 'DXGK_DIAG_CODE_POINT_TYPE_MON_DEPART_GETRECENTTOP_FAIL', 62: 'DXGK_DIAG_CODE_POINT_TYPE_MON_ARRIVE_INC_ADD_FAIL', 63: 'DXGK_DIAG_CODE_POINT_TYPE_CCD_DATABASE_PERSIST', 64: 'DXGK_DIAG_CODE_POINT_TYPE_MAX', -1: 'DXGK_DIAG_CODE_POINT_TYPE_FORCE_UINT32'}}]], 'Param2': [56, ['unsigned long']], }], 'tagW32JOB': [0x40, { 'restrictions': [24, ['unsigned long']], 'Job': [8, ['pointer64', ['_EJOB']]], 'ughCrt': [48, ['unsigned long']], 'pgh': [56, ['pointer64', ['unsigned long long']]], 'ppiTable': [40, ['pointer64', ['pointer64', ['tagPROCESSINFO']]]], 'ughMax': [52, ['unsigned long']], 'pAtomTable': [16, ['pointer64', ['void']]], 'uProcessCount': [28, ['unsigned long']], 'uMaxProcesses': [32, ['unsigned long']], 'pNext': [0, ['pointer64', ['tagW32JOB']]], }], 'tagMBSTRING': [0x28, { 'szName': [0, ['array', 15, ['wchar']]], 'uID': [32, ['unsigned long']], 'uStr': [36, ['unsigned long']], }], '_D3DKMDT_VIDPN_TARGET_MODE': [0x48, { 'VideoSignalInfo': [8, ['_D3DKMDT_VIDEO_SIGNAL_INFO']], 'Id': [0, ['unsigned long']], 'Preference': [64, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MP_UNINITIALIZED', 1: 'D3DKMDT_MP_PREFERRED', 2: 'D3DKMDT_MP_MAXVALID'}}]], }], '__unnamed_124f': [0x4, { 'PowerState': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'}}]], }], '__unnamed_124b': [0x10, { 'Type': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'}}]], 'Reserved': [1, 
['array', 3, ['unsigned char']]], 'InPath': [0, ['unsigned char']], }], 'tagDESKTOP': [0xe0, { 'spmenuVScroll': [80, ['pointer64', ['tagMENU']]], 'dwMouseHoverTime': [212, ['unsigned long']], 'rpwinstaParent': [32, ['pointer64', ['tagWINDOWSTATION']]], 'spmenuDialogSys': [64, ['pointer64', ['tagMENU']]], 'spwndForeground': [88, ['pointer64', ['tagWND']]], 'spmenuHScroll': [72, ['pointer64', ['tagMENU']]], 'spwndTooltip': [112, ['pointer64', ['tagWND']]], 'dwSessionId': [0, ['unsigned long']], 'pDeskInfo': [8, ['pointer64', ['tagDESKTOPINFO']]], 'spwndMessage': [104, ['pointer64', ['tagWND']]], 'cciConsole': [144, ['_CONSOLE_CARET_INFO']], 'PtiList': [168, ['_LIST_ENTRY']], 'spwndTray': [96, ['pointer64', ['tagWND']]], 'rpdeskNext': [24, ['pointer64', ['tagDESKTOP']]], 'dwDTFlags': [40, ['unsigned long']], 'pMagInputTransform': [216, ['pointer64', ['_MAGNIFICATION_INPUT_TRANSFORM']]], 'spwndTrack': [184, ['pointer64', ['tagWND']]], 'htEx': [192, ['long']], 'ulHeapSize': [136, ['unsigned long']], 'pheapDesktop': [128, ['pointer64', ['tagWIN32HEAP']]], 'hsectionDesktop': [120, ['pointer64', ['void']]], 'rcMouseHover': [196, ['tagRECT']], 'dwDesktopId': [48, ['unsigned long long']], 'spmenuSys': [56, ['pointer64', ['tagMENU']]], 'pDispInfo': [16, ['pointer64', ['tagDISPLAYINFO']]], }], 'tagPOOLRECORD': [0x40, { 'ExtraData': [0, ['pointer64', ['void']]], 'trace': [16, ['array', 6, ['pointer64', ['void']]]], 'size': [8, ['unsigned long long']], }], 'tagSPB': [0x40, { 'hbm': [16, ['pointer64', ['HBITMAP__']]], 'hrgn': [40, ['pointer64', ['HRGN__']]], 'ulSaveId': [56, ['unsigned long long']], 'flags': [48, ['unsigned long']], 'rc': [24, ['tagRECT']], 'pspbNext': [0, ['pointer64', ['tagSPB']]], 'spwnd': [8, ['pointer64', ['tagWND']]], }], '_DMM_COMMITVIDPNREQUEST_DIAGINFO': [0xc, { 'CleanupAfterFailedCommitVidPn': [4, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned char'}]], 'ModeChangeRequestId': [8, ['unsigned long']], 'ReclaimClonedTarget': [4, 
['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned char'}]], 'ForceAllActiveVidPnModeListInvalidation': [4, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned char'}]], }], 'HFONT__': [0x4, { 'unused': [0, ['long']], }], 'tagTEXTMETRICW': [0x3c, { 'tmCharSet': [56, ['unsigned char']], 'tmDigitizedAspectY': [40, ['long']], 'tmStruckOut': [54, ['unsigned char']], 'tmItalic': [52, ['unsigned char']], 'tmDigitizedAspectX': [36, ['long']], 'tmWeight': [28, ['long']], 'tmFirstChar': [44, ['wchar']], 'tmOverhang': [32, ['long']], 'tmDescent': [8, ['long']], 'tmPitchAndFamily': [55, ['unsigned char']], 'tmDefaultChar': [48, ['wchar']], 'tmLastChar': [46, ['wchar']], 'tmBreakChar': [50, ['wchar']], 'tmMaxCharWidth': [24, ['long']], 'tmUnderlined': [53, ['unsigned char']], 'tmInternalLeading': [12, ['long']], 'tmAscent': [4, ['long']], 'tmHeight': [0, ['long']], 'tmAveCharWidth': [20, ['long']], 'tmExternalLeading': [16, ['long']], }], '_KLIST_ENTRY': [0x10, { 'Flink': [0, ['pointer64', ['_KLIST_ENTRY']]], 'Blink': [8, ['pointer64', ['_KLIST_ENTRY']]], }], '__unnamed_1247': [0x10, { 'DeviceTextType': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'}}]], 'LocaleId': [8, ['unsigned long']], }], 'tagPROP': [0x10, { 'fs': [10, ['unsigned short']], 'hData': [0, ['pointer64', ['void']]], 'atomKey': [8, ['unsigned short']], }], '__unnamed_1243': [0x4, { 'IdType': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'}}]], }], '__unnamed_123d': [0x20, { 'Buffer': [8, ['pointer64', ['void']]], 'WhichSpace': [0, ['unsigned long']], 'Length': [24, ['unsigned long']], 'Offset': [16, ['unsigned long']], }], 'tagCLIENTTHREADINFO': [0x10, { 'fsWakeMask': [10, ['unsigned short']], 'CTIF_flags': [0, ['unsigned long']], 'fsWakeBits': [6, 
['unsigned short']], 'fsWakeBitsJournal': [8, ['unsigned short']], 'fsChangeBits': [4, ['unsigned short']], 'tickLastMsgChecked': [12, ['unsigned long']], }], 'tagKbdNlsLayer': [0x20, { 'OEMIdentifier': [0, ['unsigned short']], 'NumOfVkToF': [4, ['unsigned long']], 'pusMouseVKey': [24, ['pointer64', ['unsigned short']]], 'NumOfMouseVKey': [16, ['long']], 'pVkToF': [8, ['pointer64', ['_VK_TO_FUNCTION_TABLE']]], 'LayoutInformation': [2, ['unsigned short']], }], 'HBITMAP__': [0x4, { 'unused': [0, ['long']], }], '__unnamed_11ff': [0x20, { 'ShareAccess': [18, ['unsigned short']], 'EaLength': [24, ['unsigned long']], 'SecurityContext': [0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options': [8, ['unsigned long']], 'FileAttributes': [16, ['unsigned short']], }], 'tagPROCESS_HID_TABLE': [0x68, { 'UsagePageLast': [96, ['unsigned short']], 'fExclusiveMouseSink': [100, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'fRawKeyboardSink': [100, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'long'}]], 'fAppKeys': [100, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'long'}]], 'fCaptureMouse': [100, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'long'}]], 'fNoLegacyMouse': [100, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'UsageLast': [98, ['unsigned short']], 'fRawKeyboard': [100, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'long'}]], 'fNoLegacyKeyboard': [100, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'long'}]], 'nSinks': [80, ['long']], 'fNoHotKeys': [100, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'long'}]], 'spwndTargetMouse': [64, ['pointer64', ['tagWND']]], 'spwndTargetKbd': [72, ['pointer64', ['tagWND']]], 'UsagePageList': [32, ['_LIST_ENTRY']], 'link': [0, ['_LIST_ENTRY']], 'fExclusiveKeyboardSink': [100, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'long'}]], 'pLastRequest': [88, ['pointer64', 
['tagPROCESS_HID_REQUEST']]], 'ExclusionList': [48, ['_LIST_ENTRY']], 'fRawMouse': [100, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'fRawMouseSink': [100, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'InclusionList': [16, ['_LIST_ENTRY']], }], '__unnamed_1809': [0x10, { 'Affinity': [8, ['unsigned long long']], 'Vector': [4, ['unsigned long']], 'Group': [0, ['unsigned short']], 'MessageCount': [2, ['unsigned short']], }], '_KFLOATING_SAVE': [0x4, { 'Dummy': [0, ['unsigned long']], }], 'tagRECT': [0x10, { 'top': [4, ['long']], 'right': [8, ['long']], 'bottom': [12, ['long']], 'left': [0, ['long']], }], '__unnamed_1807': [0x10, { 'Affinity': [8, ['unsigned long long']], 'Vector': [4, ['unsigned long']], 'Group': [2, ['unsigned short']], 'Level': [0, ['unsigned short']], }], 'HBRUSH__': [0x4, { 'unused': [0, ['long']], }], '_TLSPRITESTATE': [0xa8, { 'flOriginalSurfFlags': [4, ['unsigned long']], 'iSpriteType': [16, ['unsigned long']], 'pfnSaveScreenBits': [144, ['pointer64', ['void']]], 'bInsideDriverCall': [0, ['unsigned char']], 'pfnStrokePath': [48, ['pointer64', ['void']]], 'pfnTransparentBlt': [112, ['pointer64', ['void']]], 'pfnPaint': [64, ['pointer64', ['void']]], 'pfnFillPath': [56, ['pointer64', ['void']]], 'pfnStretchBltROP': [152, ['pointer64', ['void']]], 'iType': [24, ['unsigned long']], 'pfnPlgBlt': [128, ['pointer64', ['void']]], 'pfnCopyBits': [80, ['pointer64', ['void']]], 'pState': [32, ['pointer64', ['void']]], 'iOriginalType': [8, ['unsigned long']], 'pfnTextOut': [96, ['pointer64', ['void']]], 'pfnDrawStream': [160, ['pointer64', ['void']]], 'pfnStrokeAndFillPath': [40, ['pointer64', ['void']]], 'pfnLineTo': [104, ['pointer64', ['void']]], 'pfnStretchBlt': [88, ['pointer64', ['void']]], 'pfnGradientFill': [136, ['pointer64', ['void']]], 'pfnAlphaBlend': [120, ['pointer64', ['void']]], 'flags': [20, ['unsigned long']], 'flSpriteSurfFlags': [12, ['unsigned long']], 'pfnBitBlt': [72, ['pointer64', 
['void']]], }], 'tagSMS': [0x70, { 'wParam': [72, ['unsigned long long']], 'lParam': [80, ['long long']], 'lRet': [56, ['long long']], 'psmsReceiveNext': [8, ['pointer64', ['tagSMS']]], 'tSent': [64, ['unsigned long']], 'psmsNext': [0, ['pointer64', ['tagSMS']]], 'ptiCallBackSender': [48, ['pointer64', ['tagTHREADINFO']]], 'ptiReceiver': [24, ['pointer64', ['tagTHREADINFO']]], 'lpResultCallBack': [32, ['pointer64', ['void']]], 'message': [88, ['unsigned long']], 'dwData': [40, ['unsigned long long']], 'ptiSender': [16, ['pointer64', ['tagTHREADINFO']]], 'flags': [68, ['unsigned long']], 'pvCapture': [104, ['pointer64', ['void']]], 'spwnd': [96, ['pointer64', ['tagWND']]], }], '_D3DKMDT_FREQUENCY_RANGE': [0x20, { 'MinVSyncFreq': [0, ['_D3DDDI_RATIONAL']], 'MaxVSyncFreq': [8, ['_D3DDDI_RATIONAL']], 'MaxHSyncFreq': [24, ['_D3DDDI_RATIONAL']], 'MinHSyncFreq': [16, ['_D3DDDI_RATIONAL']], }], '__unnamed_11f8': [0x58, { 'Apc': [0, ['_KAPC']], 'CompletionKey': [0, ['pointer64', ['void']]], 'Overlay': [0, ['__unnamed_11f5']], }], '__unnamed_18bf': [0x4, { 'BaseMiddle': [0, ['unsigned char']], 'BaseHigh': [3, ['unsigned char']], 'Flags1': [1, ['unsigned char']], 'Flags2': [2, ['unsigned char']], }], '__unnamed_11f5': [0x50, { 'AuxiliaryBuffer': [40, ['pointer64', ['unsigned char']]], 'Thread': [32, ['pointer64', ['_ETHREAD']]], 'OriginalFileObject': [72, ['pointer64', ['_FILE_OBJECT']]], 'DeviceQueueEntry': [0, ['_KDEVICE_QUEUE_ENTRY']], 'PacketType': [64, ['unsigned long']], 'CurrentStackLocation': [64, ['pointer64', ['_IO_STACK_LOCATION']]], 'ListEntry': [48, ['_LIST_ENTRY']], 'DriverContext': [0, ['array', 4, ['pointer64', ['void']]]], }], 'HRGN__': [0x4, { 'unused': [0, ['long']], }], 'tagSIZE': [0x8, { 'cy': [4, ['long']], 'cx': [0, ['long']], }], 'tagDESKTOPVIEW': [0x18, { 'ulClientDelta': [16, ['unsigned long long']], 'pdesk': [8, ['pointer64', ['tagDESKTOP']]], 'pdvNext': [0, ['pointer64', ['tagDESKTOPVIEW']]], }], '__unnamed_180b': [0x10, { 'Translated': [0, 
['__unnamed_1807']], 'Raw': [0, ['__unnamed_1809']], }], '__unnamed_180d': [0xc, { 'Reserved1': [8, ['unsigned long']], 'Port': [4, ['unsigned long']], 'Channel': [0, ['unsigned long']], }], '__unnamed_180f': [0xc, { 'Data': [0, ['array', 3, ['unsigned long']]], }], 'MODIFIERS': [0x10, { 'wMaxModBits': [8, ['unsigned short']], 'pVkToBit': [0, ['pointer64', ['VK_TO_BIT']]], 'ModNumber': [10, ['array', 0, ['unsigned char']]], }], '__unnamed_120f': [0x10, { 'CompletionFilter': [8, ['unsigned long']], 'Length': [0, ['unsigned long']], }], '__unnamed_120d': [0x20, { 'Length': [0, ['unsigned long']], 'FileIndex': [24, ['unsigned long']], 'FileInformationClass': [16, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 
'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], 'FileName': [8, ['pointer64', ['_UNICODE_STRING']]], }], '_DMM_VIDPNPATHSFROMSOURCE_SERIALIZATION': [0x1e0, { 'PathAndTargetModeSerialization': [48, ['array', 1, ['_DMM_VIDPNPATHANDTARGETMODE_SERIALIZATION']]], 'NumPathsFromSource': [40, ['unsigned char']], 'SourceMode': [0, ['_D3DKMDT_VIDPN_SOURCE_MODE']], }], '_D3DDDI_GAMMA_RAMP_RGB256x3x16': [0x600, { 'Blue': [1024, ['array', 256, ['unsigned short']]], 'Green': [512, ['array', 256, ['unsigned short']]], 'Red': [0, ['array', 256, ['unsigned short']]], }], '_CALLPROCDATA': [0x40, { 'head': [0, ['_PROCDESKHEAD']], 'pfnClientPrevious': [48, ['unsigned long long']], 'wType': [56, ['unsigned short']], 'spcpdNext': [40, ['pointer64', ['_CALLPROCDATA']]], }], '_D3DDDI_RATIONAL': [0x8, { 'Denominator': [4, ['unsigned long']], 'Numerator': [0, ['unsigned long']], }], '_PFNCLIENT': [0xb8, { 'pfnDispatchDefWindowProc': [160, ['pointer64', ['void']]], 'pfnStaticWndProc': [112, ['pointer64', ['void']]], 'pfnDispatchHook': [152, ['pointer64', ['void']]], 'pfnDesktopWndProc': [24, ['pointer64', ['void']]], 'pfnImeWndProc': [120, ['pointer64', ['void']]], 'pfnScrollBarWndProc': [0, ['pointer64', ['void']]], 'pfnEditWndProc': [88, ['pointer64', ['void']]], 'pfnGhostWndProc': [128, ['pointer64', ['void']]], 'pfnMessageWindowProc': [40, ['pointer64', ['void']]], 'pfnSwitchWindowProc': [48, ['pointer64', ['void']]], 'pfnComboListBoxProc': [72, 
['pointer64', ['void']]], 'pfnComboBoxWndProc': [64, ['pointer64', ['void']]], 'pfnMDIClientWndProc': [104, ['pointer64', ['void']]], 'pfnDialogWndProc': [80, ['pointer64', ['void']]], 'pfnHkINLPCWPSTRUCT': [136, ['pointer64', ['void']]], 'pfnTitleWndProc': [8, ['pointer64', ['void']]], 'pfnHkINLPCWPRETSTRUCT': [144, ['pointer64', ['void']]], 'pfnButtonWndProc': [56, ['pointer64', ['void']]], 'pfnMenuWndProc': [16, ['pointer64', ['void']]], 'pfnListBoxWndProc': [96, ['pointer64', ['void']]], 'pfnDispatchMessage': [168, ['pointer64', ['void']]], 'pfnDefWindowProc': [32, ['pointer64', ['void']]], 'pfnMDIActivateDlgProc': [176, ['pointer64', ['void']]], }], '_THRDESKHEAD': [0x28, { 'h': [0, ['pointer64', ['void']]], 'pSelf': [32, ['pointer64', ['unsigned char']]], 'rpdesk': [24, ['pointer64', ['tagDESKTOP']]], 'pti': [16, ['pointer64', ['tagTHREADINFO']]], 'cLockObj': [8, ['unsigned long']], }], '_D3DKMDT_MONITOR_SOURCE_MODE': [0x60, { 'Origin': [84, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'VideoSignalInfo': [8, ['_D3DKMDT_VIDEO_SIGNAL_INFO']], 'ColorCoeffDynamicRanges': [68, ['_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES']], 'Preference': [88, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MP_UNINITIALIZED', 1: 'D3DKMDT_MP_PREFERRED', 2: 'D3DKMDT_MP_MAXVALID'}}]], 'Id': [0, ['unsigned long']], 'ColorBasis': [64, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], }], 'VWPL': [0x10, { 'fTagged': [12, ['long']], 'cElem': [4, ['unsigned long']], 'cThreshhold': [8, ['unsigned long']], 'aElement': [16, ['array', 0, ['VWPLELEMENT']]], 'cPwnd': [0, ['unsigned long']], }], 
'tagCURSOR': [0x88, { 'rt': [58, ['unsigned short']], 'head': [0, ['_PROCMARKHEAD']], 'hbmUserAlpha': [112, ['pointer64', ['HBITMAP__']]], 'cx': [124, ['unsigned long']], 'xHotspot': [68, ['short']], 'hbmColor': [80, ['pointer64', ['HBITMAP__']]], 'pcurNext': [32, ['pointer64', ['tagCURSOR']]], 'CURSORF_flags': [64, ['unsigned long']], 'hbmMask': [72, ['pointer64', ['HBITMAP__']]], 'bpp': [120, ['unsigned long']], 'cy': [128, ['unsigned long']], 'strName': [40, ['_UNICODE_STRING']], 'rcBounds': [96, ['tagRECT']], 'atomModName': [56, ['unsigned short']], 'hbmAlpha': [88, ['pointer64', ['HBITMAP__']]], 'yHotspot': [70, ['short']], }], '__unnamed_1203': [0x20, { 'ShareAccess': [18, ['unsigned short']], 'Reserved': [16, ['unsigned short']], 'SecurityContext': [0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options': [8, ['unsigned long']], 'Parameters': [24, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], }], '__unnamed_1207': [0x20, { 'ShareAccess': [18, ['unsigned short']], 'Reserved': [16, ['unsigned short']], 'SecurityContext': [0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options': [8, ['unsigned long']], 'Parameters': [24, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], }], 'HKL__': [0x4, { 'unused': [0, ['long']], }], '__unnamed_1209': [0x18, { 'Length': [0, ['unsigned long']], 'ByteOffset': [16, ['_LARGE_INTEGER']], 'Key': [8, ['unsigned long']], }], 'tagDCE': [0x60, { 'hrgnClipPublic': [48, ['pointer64', ['HRGN__']]], 'pdceNext': [0, ['pointer64', ['tagDCE']]], 'hrgnSavedVis': [56, ['pointer64', ['HRGN__']]], 'pwndRedirect': [32, ['pointer64', ['tagWND']]], 'pMonitor': [88, ['pointer64', ['tagMONITOR']]], 'ppiOwner': [80, ['pointer64', ['tagPROCESSINFO']]], 'pwndOrg': [16, ['pointer64', ['tagWND']]], 'hrgnClip': [40, ['pointer64', ['HRGN__']]], 'hdc': [8, ['pointer64', ['HDC__']]], 'ptiOwner': [72, ['pointer64', ['tagTHREADINFO']]], 'DCX_flags': [64, ['unsigned long']], 'pwndClip': [24, ['pointer64', ['tagWND']]], }], 'tagPROCESS_HID_REQUEST': [0x28, { 
'link': [0, ['_LIST_ENTRY']], 'fExclusiveOrphaned': [20, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'long'}]], 'spwndTarget': [32, ['pointer64', ['tagWND']]], 'fSinkable': [20, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'long'}]], 'pTLCInfo': [24, ['pointer64', ['tagHID_TLC_INFO']]], 'fDevNotify': [20, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'long'}]], 'fExSinkable': [20, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'long'}]], 'usUsage': [18, ['unsigned short']], 'ptr': [24, ['pointer64', ['void']]], 'pPORequest': [24, ['pointer64', ['tagHID_PAGEONLY_REQUEST']]], 'usUsagePage': [16, ['unsigned short']], }], 'tagWOWTHREADINFO': [0x30, { 'pwtiNext': [0, ['pointer64', ['tagWOWTHREADINFO']]], 'pIdleEvent': [32, ['pointer64', ['_KEVENT']]], 'idParentProcess': [24, ['unsigned long']], 'fAssigned': [40, ['long']], 'idWaitObject': [16, ['unsigned long long']], 'idTask': [8, ['unsigned long']], }], '__unnamed_1962': [0x18, { 'Dma': [0, ['__unnamed_1956']], 'Generic': [0, ['__unnamed_1950']], 'Memory': [0, ['__unnamed_1950']], 'BusNumber': [0, ['__unnamed_1958']], 'Memory48': [0, ['__unnamed_195e']], 'Memory40': [0, ['__unnamed_195c']], 'DevicePrivate': [0, ['__unnamed_180f']], 'ConfigData': [0, ['__unnamed_195a']], 'Memory64': [0, ['__unnamed_1960']], 'Interrupt': [0, ['__unnamed_1954']], 'Port': [0, ['__unnamed_1950']], }], '__unnamed_1960': [0x18, { 'Length64': [0, ['unsigned long']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'Alignment64': [4, ['unsigned long']], }], 'tagSBDATA': [0x10, { 'posMax': [4, ['long']], 'posMin': [0, ['long']], 'page': [8, ['long']], 'pos': [12, ['long']], }], '__unnamed_1233': [0x20, { 'Interface': [16, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData': [24, ['pointer64', ['void']]], 'Version': [10, ['unsigned short']], 'InterfaceType': [0, ['pointer64', ['_GUID']]], 'Size': [8, ['unsigned short']], }], '__unnamed_1237': [0x8, { 
'Capabilities': [0, ['pointer64', ['_DEVICE_CAPABILITIES']]], }], 'tagIMEINFO': [0x1c, { 'fdwProperty': [4, ['unsigned long']], 'fdwSelectCaps': [24, ['unsigned long']], 'fdwUICaps': [16, ['unsigned long']], 'dwPrivateDataSize': [0, ['unsigned long']], 'fdwSCSCaps': [20, ['unsigned long']], 'fdwSentenceCaps': [12, ['unsigned long']], 'fdwConversionCaps': [8, ['unsigned long']], }], '_D3DKMDT_VIDPN_SOURCE_MODE': [0x28, { 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_RMT_UNINITIALIZED', 1: 'D3DKMDT_RMT_GRAPHICS', 2: 'D3DKMDT_RMT_TEXT'}}]], 'Id': [0, ['unsigned long']], 'Format': [8, ['__unnamed_18a1']], }], '_PROCMARKHEAD': [0x20, { 'h': [0, ['pointer64', ['void']]], 'ppi': [24, ['pointer64', ['tagPROCESSINFO']]], 'hTaskWow': [16, ['unsigned long']], 'cLockObj': [8, ['unsigned long']], }], 'tagKBDFILE': [0x78, { 'head': [0, ['_HEAD']], 'awchDllName': [56, ['array', 32, ['wchar']]], 'pKbdTbl': [32, ['pointer64', ['tagKbdLayer']]], 'pkfNext': [16, ['pointer64', ['tagKBDFILE']]], 'pKbdNlsTbl': [48, ['pointer64', ['tagKbdNlsLayer']]], 'hBase': [24, ['pointer64', ['void']]], 'Size': [40, ['unsigned long']], }], 'tagCLIENTINFO': [0xd8, { 'msgDbcsCB': [160, ['tagMSG']], 'dwCompatFlags': [20, ['unsigned long']], 'achDbcsCF': [154, ['array', 2, ['unsigned char']]], 'dwTIFlags': [28, ['unsigned long']], 'pClientThreadInfo': [96, ['pointer64', ['tagCLIENTTHREADINFO']]], 'CodePage': [152, ['unsigned short']], 'dwKeyCache': [112, ['unsigned long']], 'dwHookCurrent': [88, ['unsigned long']], 'afAsyncKeyStateRecentDown': [136, ['array', 8, ['unsigned char']]], 'dwCompatFlags2': [24, ['unsigned long']], 'fsHooks': [56, ['unsigned long']], 'ulClientDelta': [40, ['unsigned long long']], 'pDeskInfo': [32, ['pointer64', ['tagDESKTOPINFO']]], 'dwExpWinVer': [16, ['unsigned long']], 'dwHookData': [104, ['unsigned long long']], 'afAsyncKeyState': [128, ['array', 8, ['unsigned char']]], 'CallbackWnd': [64, ['_CALLBACKWND']], 'lpdwRegisteredClasses': [208, 
['pointer64', ['unsigned long']]], 'cInDDEMLCallback': [92, ['long']], 'cSpins': [8, ['unsigned long long']], 'hKL': [144, ['pointer64', ['HKL__']]], 'dwAsyncKeyCache': [124, ['unsigned long']], 'afKeyState': [116, ['array', 8, ['unsigned char']]], 'CI_flags': [0, ['unsigned long long']], 'phkCurrent': [48, ['pointer64', ['tagHOOK']]], }], 'tagCLS': [0xa0, { 'spcur': [120, ['pointer64', ['tagCURSOR']]], 'cbwndExtra': [100, ['long']], 'pclsClone': [72, ['pointer64', ['tagCLS']]], 'lpszClientAnsiMenuName': [40, ['pointer64', ['unsigned char']]], 'pclsBase': [64, ['pointer64', ['tagCLS']]], 'atomNVClassName': [10, ['unsigned short']], 'style': [84, ['unsigned long']], 'pclsNext': [0, ['pointer64', ['tagCLS']]], 'CSF_flags': [34, ['unsigned short']], 'lpfnWndProc': [88, ['pointer64', ['void']]], 'lpszAnsiClassName': [144, ['pointer64', ['unsigned char']]], 'spcpdFirst': [56, ['pointer64', ['_CALLPROCDATA']]], 'lpszClientUnicodeMenuName': [48, ['pointer64', ['unsigned short']]], 'cbclsExtra': [96, ['long']], 'lpszMenuName': [136, ['pointer64', ['unsigned short']]], 'spicnSm': [152, ['pointer64', ['tagCURSOR']]], 'hTaskWow': [32, ['unsigned short']], 'cWndReferenceCount': [80, ['long']], 'hbrBackground': [128, ['pointer64', ['HBRUSH__']]], 'spicn': [112, ['pointer64', ['tagCURSOR']]], 'fnid': [12, ['unsigned short']], 'pdce': [24, ['pointer64', ['tagDCE']]], 'hModule': [104, ['pointer64', ['void']]], 'rpdeskParent': [16, ['pointer64', ['tagDESKTOP']]], 'atomClassName': [8, ['unsigned short']], }], '_DMM_VIDPN_SERIALIZATION': [0xc, { 'PathsFromSourceSerializationOffsets': [8, ['array', 1, ['unsigned long']]], 'NumActiveSources': [4, ['unsigned char']], 'Size': [0, ['unsigned long']], }], 'tagHID_PAGEONLY_REQUEST': [0x18, { 'usUsagePage': [16, ['unsigned short']], 'link': [0, ['_LIST_ENTRY']], 'cRefCount': [20, ['unsigned long']], }], 'tagWINDOWSTATION': [0x98, { 'pClipBase': [88, ['pointer64', ['tagCLIP']]], 'dwSessionId': [0, ['unsigned long']], 'cNumClipFormats': [96, 
['unsigned long']], 'luidUser': [136, ['_LUID']], 'pGlobalAtomTable': [120, ['pointer64', ['void']]], 'ptiClipLock': [48, ['pointer64', ['tagTHREADINFO']]], 'dwWSF_Flags': [32, ['unsigned long']], 'rpdeskList': [16, ['pointer64', ['tagDESKTOP']]], 'spklList': [40, ['pointer64', ['tagKL']]], 'spwndClipOpen': [64, ['pointer64', ['tagWND']]], 'luidEndSession': [128, ['_LUID']], 'pTerm': [24, ['pointer64', ['tagTERMINAL']]], 'rpwinstaNext': [8, ['pointer64', ['tagWINDOWSTATION']]], 'spwndClipboardListener': [112, ['pointer64', ['tagWND']]], 'spwndClipViewer': [72, ['pointer64', ['tagWND']]], 'iClipSequenceNumber': [104, ['unsigned long']], 'ptiDrawingClipboard': [56, ['pointer64', ['tagTHREADINFO']]], 'spwndClipOwner': [80, ['pointer64', ['tagWND']]], 'psidUser': [144, ['pointer64', ['void']]], 'iClipSerialNumber': [100, ['unsigned long']], }], '__unnamed_11e4': [0x10, { 'UserApcContext': [8, ['pointer64', ['void']]], 'UserApcRoutine': [0, ['pointer64', ['void']]], 'IssuingProcess': [0, ['pointer64', ['void']]], }], 'tagPROFILEVALUEINFO': [0x10, { 'dwValue': [0, ['unsigned long']], 'uSection': [4, ['unsigned long']], 'pwszKeyName': [8, ['pointer64', ['wchar']]], }], 'tagOEMBITMAPINFO': [0x10, { 'y': [4, ['long']], 'x': [0, ['long']], 'cy': [12, ['long']], 'cx': [8, ['long']], }], '_DMM_COMMITVIDPNREQUEST_SERIALIZATION': [0x1c, { 'RequestDiagInfo': [4, ['_DMM_COMMITVIDPNREQUEST_DIAGINFO']], 'AffectedVidPnSourceId': [0, ['unsigned long']], 'VidPnSerialization': [16, ['_DMM_VIDPN_SERIALIZATION']], }], '_WNDMSG': [0x10, { 'abMsgs': [8, ['pointer64', ['unsigned char']]], 'maxMsgs': [0, ['unsigned long']], }], 'tagTDB': [0x28, { 'pti': [16, ['pointer64', ['tagTHREADINFO']]], 'TDB_Flags': [34, ['unsigned short']], 'hTaskWow': [32, ['unsigned short']], 'pwti': [24, ['pointer64', ['tagWOWTHREADINFO']]], 'nEvents': [8, ['long']], 'nPriority': [12, ['long']], 'ptdbNext': [0, ['pointer64', ['tagTDB']]], }], '_LIGATURE1': [0x6, { 'wch': [4, ['array', 1, ['wchar']]], 'VirtualKey': 
[0, ['unsigned char']], 'ModificationNumber': [2, ['unsigned short']], }], '_D3DKMDT_VIDPN_PRESENT_PATH': [0x168, { 'GammaRamp': [336, ['_D3DKMDT_GAMMA_RAMP']], 'VidPnSourceId': [0, ['unsigned long']], 'Content': [64, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPC_UNINITIALIZED', 1: 'D3DKMDT_VPPC_GRAPHICS', 2: 'D3DKMDT_VPPC_VIDEO', 255: 'D3DKMDT_VPPC_NOTSPECIFIED'}}]], 'VisibleFromActiveBROffset': [36, ['_D3DKMDT_2DREGION']], 'VidPnTargetColorBasis': [44, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], 'ContentTransformation': [12, ['_D3DKMDT_VIDPN_PRESENT_PATH_TRANSFORMATION']], 'VidPnTargetId': [4, ['unsigned long']], 'VisibleFromActiveTLOffset': [28, ['_D3DKMDT_2DREGION']], 'CopyProtection': [68, ['_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION']], 'VidPnTargetColorCoeffDynamicRanges': [48, ['_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES']], 'ImportanceOrdinal': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPI_UNINITIALIZED', 1: 'D3DKMDT_VPPI_PRIMARY', 2: 'D3DKMDT_VPPI_SECONDARY', 3: 'D3DKMDT_VPPI_TERTIARY', 4: 'D3DKMDT_VPPI_QUATERNARY', 5: 'D3DKMDT_VPPI_QUINARY', 6: 'D3DKMDT_VPPI_SENARY', 7: 'D3DKMDT_VPPI_SEPTENARY', 8: 'D3DKMDT_VPPI_OCTONARY', 9: 'D3DKMDT_VPPI_NONARY', 10: 'D3DKMDT_VPPI_DENARY', 32: 'D3DKMDT_VPPI_MAX', 255: 'D3DKMDT_VPPI_NOTSPECIFIED'}}]], }], '__unnamed_1253': [0x8, { 'PowerSequence': [0, ['pointer64', ['_POWER_SEQUENCE']]], }], '_PROCDESKHEAD': [0x28, { 'h': [0, ['pointer64', ['void']]], 'pSelf': [32, ['pointer64', ['unsigned char']]], 'rpdesk': [24, ['pointer64', ['tagDESKTOP']]], 'hTaskWow': [16, ['unsigned long']], 'cLockObj': [8, ['unsigned long']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_ROTATION_SUPPORT': [0x4, { 'Rotate270': [0, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'Rotate90': [0, ['BitField', {'end_bit': 2, 'start_bit': 1, 
'native_type': 'unsigned long'}]], 'Identity': [0, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'Rotate180': [0, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], }], '__unnamed_1958': [0x10, { 'MinBusNumber': [4, ['unsigned long']], 'Length': [0, ['unsigned long']], 'Reserved': [12, ['unsigned long']], 'MaxBusNumber': [8, ['unsigned long']], }], '_CONSOLE_CARET_INFO': [0x18, { 'hwnd': [0, ['pointer64', ['HWND__']]], 'rc': [8, ['tagRECT']], }], 'tagPROCESSINFO': [0x300, { 'fHasMagContext': [736, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'hwinsta': [608, ['pointer64', ['HWINSTA__']]], 'ptiList': [256, ['pointer64', ['tagTHREADINFO']]], 'pHidTable': [744, ['pointer64', ['tagPROCESS_HID_TABLE']]], 'W32PF_Flags': [12, ['unsigned long']], 'UserHandleCount': [68, ['long']], 'dwhmodLibLoadedMask': [340, ['unsigned long']], 'GDIBrushAttrFreeList': [208, ['_LIST_ENTRY']], 'hdeskStartup': [328, ['pointer64', ['HDESK__']]], 'dwImeCompatFlags': [696, ['unsigned long']], 'dwRegisteredClasses': [752, ['unsigned long']], 'pBrushAttrList': [48, ['pointer64', ['void']]], 'usi': [708, ['tagUSERSTARTUPINFO']], 'InputIdleEvent': [16, ['pointer64', ['_KEVENT']]], 'W32Pid': [56, ['unsigned long']], 'bmHandleFlags': [648, ['_RTL_BITMAP']], 'UserHandleCountPeak': [72, ['unsigned long']], 'GDIEngUserMemAllocTable': [88, ['_RTL_AVL_TABLE']], 'cSysExpunge': [336, ['unsigned long']], 'pdvList': [632, ['pointer64', ['tagDESKTOPVIEW']]], 'pwpi': [296, ['pointer64', ['tagWOWPROCESSINFO']]], 'ppiNextRunning': [312, ['pointer64', ['tagPROCESSINFO']]], 'Process': [0, ['pointer64', ['_EPROCESS']]], 'pCursorCache': [664, ['pointer64', ['tagCURSOR']]], 'pClientBase': [672, ['pointer64', ['void']]], 'dwLpkEntryPoints': [680, ['unsigned long']], 'GDIDcAttrFreeList': [192, ['_LIST_ENTRY']], 'DxProcess': [248, ['pointer64', ['void']]], 'NextStart': [32, ['pointer64', ['_W32PROCESS']]], 'RefCount': [8, 
['unsigned long']], 'dwLayout': [740, ['unsigned long']], 'pclsPublicList': [288, ['pointer64', ['tagCLS']]], 'Unused': [736, ['BitField', {'end_bit': 32, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'GDIPushLock': [80, ['_EX_PUSH_LOCK']], 'hMonitor': [624, ['pointer64', ['HMONITOR__']]], 'ptiMainThread': [264, ['pointer64', ['tagTHREADINFO']]], 'pvwplWndGCList': [760, ['pointer64', ['VWPL']]], 'pW32Job': [688, ['pointer64', ['tagW32JOB']]], 'luidSession': [700, ['_LUID']], 'GDIHandleCount': [60, ['long']], 'cThreads': [320, ['unsigned long']], 'rpdeskStartup': [272, ['pointer64', ['tagDESKTOP']]], 'hSecureGdiSharedHandleTable': [240, ['pointer64', ['void']]], 'pclsPrivateList': [280, ['pointer64', ['tagCLS']]], 'GDIHandleCountPeak': [64, ['unsigned long']], 'StartCursorHideTime': [24, ['unsigned long']], 'ppiNext': [304, ['pointer64', ['tagPROCESSINFO']]], 'Flags': [736, ['unsigned long']], 'dwHotkey': [620, ['unsigned long']], 'amwinsta': [616, ['unsigned long']], 'rpwinsta': [600, ['pointer64', ['tagWINDOWSTATION']]], 'ahmodLibLoaded': [344, ['array', 32, ['pointer64', ['void']]]], 'iClipSerialNumber': [640, ['unsigned long']], 'GDIW32PIDLockedBitmaps': [224, ['_LIST_ENTRY']], 'pDCAttrList': [40, ['pointer64', ['void']]], }], '__unnamed_181b': [0x10, { 'Dma': [0, ['__unnamed_180d']], 'MessageInterrupt': [0, ['__unnamed_180b']], 'Generic': [0, ['__unnamed_1805']], 'Memory': [0, ['__unnamed_1805']], 'BusNumber': [0, ['__unnamed_1811']], 'DeviceSpecificData': [0, ['__unnamed_1813']], 'Memory48': [0, ['__unnamed_1817']], 'Memory40': [0, ['__unnamed_1815']], 'DevicePrivate': [0, ['__unnamed_180f']], 'Memory64': [0, ['__unnamed_1819']], 'Interrupt': [0, ['__unnamed_1807']], 'Port': [0, ['__unnamed_1805']], }], '__unnamed_195e': [0x18, { 'Length48': [0, ['unsigned long']], 'Alignment48': [4, ['unsigned long']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], }], '__unnamed_195c': [0x18, { 'Length40': [0, ['unsigned long']], 
'Alignment40': [4, ['unsigned long']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], }], '__unnamed_195a': [0xc, { 'Priority': [0, ['unsigned long']], 'Reserved1': [4, ['unsigned long']], 'Reserved2': [8, ['unsigned long']], }], '__unnamed_125f': [0x10, { 'AllocatedResources': [0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated': [8, ['pointer64', ['_CM_RESOURCE_LIST']]], }], '__unnamed_125b': [0x20, { 'State': [16, ['_POWER_STATE']], 'Type': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'SystemPowerState', 1: 'DevicePowerState'}}]], 'SystemContext': [0, ['unsigned long']], 'ShutdownType': [24, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'}}]], 'SystemPowerStateContext': [0, ['_SYSTEM_POWER_STATE_CONTEXT']], }], 'tagKbdLayer': [0x68, { 'pVkToWcharTable': [8, ['pointer64', ['_VK_TO_WCHAR_TABLE']]], 'pusVSCtoVK': [48, ['pointer64', ['unsigned short']]], 'fLocaleFlags': [80, ['unsigned long']], 'pKeyNamesExt': [32, ['pointer64', ['VSC_LPWSTR']]], 'dwSubType': [100, ['unsigned long']], 'pDeadKey': [16, ['pointer64', ['DEADKEY']]], 'pCharModifiers': [0, ['pointer64', ['MODIFIERS']]], 'pKeyNamesDead': [40, ['pointer64', ['pointer64', ['unsigned short']]]], 'bMaxVSCtoVK': [56, ['unsigned char']], 'pKeyNames': [24, ['pointer64', ['VSC_LPWSTR']]], 'dwType': [96, ['unsigned long']], 'pLigature': [88, ['pointer64', ['_LIGATURE1']]], 'nLgMax': [84, ['unsigned char']], 'pVSCtoVK_E1': [72, ['pointer64', ['_VSC_VK']]], 'pVSCtoVK_E0': [64, ['pointer64', ['_VSC_VK']]], 'cbLgEntry': [85, ['unsigned char']], }], 'HDC__': [0x4, { 'unused': [0, ['long']], }], 'tagWin32AllocStats': [0x20, { 'dwMaxAlloc': [16, ['unsigned long']], 'pHead': [24, ['pointer64', ['tagWin32PoolHead']]], 'dwMaxMem': [0, ['unsigned long 
long']], 'dwCrtMem': [8, ['unsigned long long']], 'dwCrtAlloc': [20, ['unsigned long']], }], '__unnamed_18c5': [0x4, { 'DefaultBig': [0, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'unsigned long'}]], 'BaseMiddle': [0, ['BitField', {'end_bit': 8, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'Granularity': [0, ['BitField', {'end_bit': 24, 'start_bit': 23, 'native_type': 'unsigned long'}]], 'LimitHigh': [0, ['BitField', {'end_bit': 20, 'start_bit': 16, 'native_type': 'unsigned long'}]], 'BaseHigh': [0, ['BitField', {'end_bit': 32, 'start_bit': 24, 'native_type': 'unsigned long'}]], 'Dpl': [0, ['BitField', {'end_bit': 15, 'start_bit': 13, 'native_type': 'unsigned long'}]], 'Type': [0, ['BitField', {'end_bit': 13, 'start_bit': 8, 'native_type': 'unsigned long'}]], 'System': [0, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'unsigned long'}]], 'Present': [0, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'unsigned long'}]], 'LongMode': [0, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'unsigned long'}]], }], '__unnamed_1817': [0xc, { 'Length48': [8, ['unsigned long']], 'Start': [0, ['_LARGE_INTEGER']], }], '__unnamed_1815': [0xc, { 'Length40': [8, ['unsigned long']], 'Start': [0, ['_LARGE_INTEGER']], }], '__unnamed_1813': [0xc, { 'DataSize': [0, ['unsigned long']], 'Reserved1': [4, ['unsigned long']], 'Reserved2': [8, ['unsigned long']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_SCALING_SUPPORT': [0x4, { 'Centered': [0, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'AspectRatioCenteredMax': [0, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'Stretched': [0, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'Identity': [0, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'Custom': [0, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long'}]], }], '__unnamed_1956': [0x8, { 
'MinimumChannel': [0, ['unsigned long']], 'MaximumChannel': [4, ['unsigned long']], }], '__unnamed_1954': [0x18, { 'AffinityPolicy': [8, ['unsigned short']], 'Group': [10, ['unsigned short']], 'PriorityPolicy': [12, ['Enumeration', {'target': 'long', 'choices': {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'}}]], 'MinimumVector': [0, ['unsigned long']], 'MaximumVector': [4, ['unsigned long']], 'TargetedProcessors': [16, ['unsigned long long']], }], 'tagMSG': [0x30, { 'wParam': [16, ['unsigned long long']], 'lParam': [24, ['long long']], 'pt': [36, ['tagPOINT']], 'hwnd': [0, ['pointer64', ['HWND__']]], 'time': [32, ['unsigned long']], 'message': [8, ['unsigned long']], }], '__unnamed_1819': [0xc, { 'Start': [0, ['_LARGE_INTEGER']], 'Length64': [8, ['unsigned long']], }], '_DMM_VIDPNSET_SERIALIZATION': [0x8, { 'VidPnOffset': [4, ['array', 1, ['unsigned long']]], 'NumVidPns': [0, ['unsigned char']], }], 'tagWOWPROCESSINFO': [0x48, { 'ptdbHead': [16, ['pointer64', ['tagTDB']]], 'lpfnWowExitTask': [24, ['pointer64', ['void']]], 'CSOwningThread': [56, ['pointer64', ['tagTHREADINFO']]], 'ptiScheduled': [8, ['pointer64', ['tagTHREADINFO']]], 'nSendLock': [48, ['unsigned long']], 'nRecvLock': [52, ['unsigned long']], 'CSLockCount': [64, ['long']], 'hEventWowExecClient': [40, ['pointer64', ['void']]], 'pwpiNext': [0, ['pointer64', ['tagWOWPROCESSINFO']]], 'pEventWowExec': [32, ['pointer64', ['_KEVENT']]], }], 'tagMENU': [0x98, { 'iItem': [44, ['long']], 'head': [0, ['_PROCDESKHEAD']], 'umpm': [132, ['tagUAHMENUPOPUPMETRICS']], 'cItems': [52, ['unsigned long']], 'pParentMenus': [88, ['pointer64', ['tagMENULIST']]], 'fFlags': [40, ['unsigned long']], 'cxMenu': [56, ['unsigned long']], 'dwContextHelpId': [96, ['unsigned long']], 'hbrBack': [112, ['pointer64', ['HBRUSH__']]], 'cxTextAlign': [64, ['unsigned long']], 'cAlloced': [48, ['unsigned long']], 'spwndNotify': [72, ['pointer64', ['tagWND']]], 'dwArrowsOn': [128, ['BitField', 
{'end_bit': 2, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'iMaxTop': [124, ['long']], 'dwMenuData': [104, ['unsigned long long']], 'cyMenu': [60, ['unsigned long']], 'rgItems': [80, ['pointer64', ['tagITEM']]], 'iTop': [120, ['long']], 'cyMax': [100, ['unsigned long']], }], '_D3DDDI_GAMMA_RAMP_DXGI_1': [0x3024, { 'GammaCurve': [24, ['array', 1025, ['D3DDDI_DXGI_RGB']]], 'Scale': [0, ['D3DDDI_DXGI_RGB']], 'Offset': [12, ['D3DDDI_DXGI_RGB']], }], 'tagPOPUPMENU': [0x58, { 'fUseMonitorRect': [0, ['BitField', {'end_bit': 29, 'start_bit': 28, 'native_type': 'unsigned long'}]], 'fDroppedLeft': [0, ['BitField', {'end_bit': 5, 'start_bit': 4, 'native_type': 'unsigned long'}]], 'fHierarchyDropped': [0, ['BitField', {'end_bit': 6, 'start_bit': 5, 'native_type': 'unsigned long'}]], 'posDropped': [84, ['unsigned long']], 'spwndNextPopup': [24, ['pointer64', ['tagWND']]], 'fIsMenuBar': [0, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'spwndPrevPopup': [32, ['pointer64', ['tagWND']]], 'fHasMenuBar': [0, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'spwndActivePopup': [56, ['pointer64', ['tagWND']]], 'fTrackMouseEvent': [0, ['BitField', {'end_bit': 21, 'start_bit': 20, 'native_type': 'unsigned long'}]], 'fNoNotify': [0, ['BitField', {'end_bit': 12, 'start_bit': 11, 'native_type': 'unsigned long'}]], 'posSelectedItem': [80, ['unsigned long']], 'fIsSysMenu': [0, ['BitField', {'end_bit': 3, 'start_bit': 2, 'native_type': 'unsigned long'}]], 'fFlushDelayedFree': [0, ['BitField', {'end_bit': 18, 'start_bit': 17, 'native_type': 'unsigned long'}]], 'ppmDelayedFree': [72, ['pointer64', ['tagPOPUPMENU']]], 'fFreed': [0, ['BitField', {'end_bit': 19, 'start_bit': 18, 'native_type': 'unsigned long'}]], 'fSynchronous': [0, ['BitField', {'end_bit': 9, 'start_bit': 8, 'native_type': 'unsigned long'}]], 'fDropNextPopup': [0, ['BitField', {'end_bit': 11, 'start_bit': 10, 'native_type': 'unsigned long'}]], 'fRightButton': 
[0, ['BitField', {'end_bit': 7, 'start_bit': 6, 'native_type': 'unsigned long'}]], 'spmenuAlternate': [48, ['pointer64', ['tagMENU']]], 'spmenu': [40, ['pointer64', ['tagMENU']]], 'spwndPopupMenu': [16, ['pointer64', ['tagWND']]], 'fDestroyed': [0, ['BitField', {'end_bit': 16, 'start_bit': 15, 'native_type': 'unsigned long'}]], 'iDropDir': [0, ['BitField', {'end_bit': 28, 'start_bit': 23, 'native_type': 'unsigned long'}]], 'ppopupmenuRoot': [64, ['pointer64', ['tagPOPUPMENU']]], 'fFirstClick': [0, ['BitField', {'end_bit': 10, 'start_bit': 9, 'native_type': 'unsigned long'}]], 'spwndNotify': [8, ['pointer64', ['tagWND']]], 'fRtoL': [0, ['BitField', {'end_bit': 23, 'start_bit': 22, 'native_type': 'unsigned long'}]], 'fIsTrackPopup': [0, ['BitField', {'end_bit': 4, 'start_bit': 3, 'native_type': 'unsigned long'}]], 'fSendUninit': [0, ['BitField', {'end_bit': 22, 'start_bit': 21, 'native_type': 'unsigned long'}]], 'fShowTimer': [0, ['BitField', {'end_bit': 14, 'start_bit': 13, 'native_type': 'unsigned long'}]], 'fInCancel': [0, ['BitField', {'end_bit': 20, 'start_bit': 19, 'native_type': 'unsigned long'}]], 'fToggle': [0, ['BitField', {'end_bit': 8, 'start_bit': 7, 'native_type': 'unsigned long'}]], 'fDelayedFree': [0, ['BitField', {'end_bit': 17, 'start_bit': 16, 'native_type': 'unsigned long'}]], 'fHideTimer': [0, ['BitField', {'end_bit': 15, 'start_bit': 14, 'native_type': 'unsigned long'}]], 'fAboutToHide': [0, ['BitField', {'end_bit': 13, 'start_bit': 12, 'native_type': 'unsigned long'}]], }], '_DMM_MONITORDESCRIPTOR_SERIALIZATION': [0x8c, { 'Origin': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'Data': [12, ['array', 128, ['unsigned char']]], 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 
'D3DKMDT_MDT_UNINITIALIZED', 1: 'D3DKMDT_MDT_VESA_EDID_V1_BASEBLOCK', 2: 'D3DKMDT_MDT_VESA_EDID_V1_BLOCKMAP', 255: 'D3DKMDT_MDT_OTHER'}}]], 'Id': [0, ['unsigned long']], }], 'HTOUCHINPUT__': [0x4, { 'unused': [0, ['long']], }], '_VK_VALUES_STRINGS': [0x10, { 'fReserved': [8, ['unsigned char']], 'pszMultiNames': [0, ['pointer64', ['unsigned char']]], }], '_DMM_MONITOR_SOURCE_MODE_SERIALIZATION': [0x68, { 'Info': [0, ['_D3DKMDT_MONITOR_SOURCE_MODE']], 'TimingType': [96, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MTT_UNINITIALIZED', 1: 'D3DKMDT_MTT_ESTABLISHED', 2: 'D3DKMDT_MTT_STANDARD', 3: 'D3DKMDT_MTT_EXTRASTANDARD', 4: 'D3DKMDT_MTT_DETAILED', 5: 'D3DKMDT_MTT_DEFAULTMONITORPROFILE', 6: 'D3DKMDT_MTT_MAXVALID'}}]], }], 'tagSBCALC': [0x40, { 'posMax': [4, ['long']], 'pxThumbTop': [52, ['long']], 'pxThumbBottom': [48, ['long']], 'cpxThumb': [32, ['long']], 'pxMin': [60, ['long']], 'pxStart': [44, ['long']], 'pxDownArrow': [40, ['long']], 'pos': [12, ['long']], 'cpx': [56, ['long']], 'pxBottom': [20, ['long']], 'pxTop': [16, ['long']], 'pxLeft': [24, ['long']], 'pxRight': [28, ['long']], 'pxUpArrow': [36, ['long']], 'posMin': [0, ['long']], 'page': [8, ['long']], }], 'HIMC__': [0x4, { 'unused': [0, ['long']], }], 'tagSBINFO': [0x24, { 'WSBflags': [0, ['long']], 'Horz': [4, ['tagSBDATA']], 'Vert': [20, ['tagSBDATA']], }], '__unnamed_1211': [0x10, { 'Length': [0, ['unsigned long']], 'FileInformationClass': [8, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 
'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], }], '__unnamed_1213': [0x20, { 'FileInformationClass': [8, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 
'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], 'AdvanceOnly': [25, ['unsigned char']], 'ClusterCount': [24, ['unsigned long']], 'Length': [0, ['unsigned long']], 'DeleteHandle': [24, ['pointer64', ['void']]], 'ReplaceIfExists': [24, ['unsigned char']], 'FileObject': [16, ['pointer64', ['_FILE_OBJECT']]], }], '__unnamed_1219': [0x20, { 'Type3InputBuffer': [24, ['pointer64', ['void']]], 'OutputBufferLength': [0, ['unsigned long']], 'FsControlCode': [16, ['unsigned long']], 'InputBufferLength': [8, ['unsigned long']], }], '__unnamed_1950': [0x18, { 'Length': [0, ['unsigned long']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'Alignment': [4, ['unsigned long']], }], 
'tagITEM': [0x90, { 'ulX': [84, ['unsigned long']], 'wID': [8, ['unsigned long']], 'dwItemData': [56, ['unsigned long long']], 'cyItem': [76, ['unsigned long']], 'hbmpChecked': [24, ['pointer64', ['void']]], 'xItem': [64, ['unsigned long']], 'spSubMenu': [16, ['pointer64', ['tagMENU']]], 'hbmpUnchecked': [32, ['pointer64', ['void']]], 'fState': [4, ['unsigned long']], 'dxTab': [80, ['unsigned long']], 'hbmp': [96, ['pointer64', ['HBITMAP__']]], 'yItem': [68, ['unsigned long']], 'fType': [0, ['unsigned long']], 'umim': [112, ['tagUAHMENUITEMMETRICS']], 'cch': [48, ['unsigned long']], 'ulWidth': [88, ['unsigned long']], 'cyBmp': [108, ['long']], 'cxBmp': [104, ['long']], 'lpstr': [40, ['pointer64', ['unsigned short']]], 'cxItem': [72, ['unsigned long']], }], '_VSC_VK': [0x4, { 'Vsc': [0, ['unsigned char']], 'Vk': [2, ['unsigned short']], }], '__unnamed_123f': [0x1, { 'Lock': [0, ['unsigned char']], }], '_DMM_MONITOR_SERIALIZATION': [0x28, { 'FrequencyRangeSetOffset': [28, ['unsigned long']], 'ModePruningAlgorithm': [16, ['Enumeration', {'target': 'long', 'choices': {0: 'DMM_MPA_UNINITIALIZED', 1: 'DMM_MPA_GDI', 2: 'DMM_MPA_VISTA', 3: 'DMM_MPA_MAXVALID'}}]], 'VideoPresentTargetId': [4, ['unsigned long']], 'IsSimulatedMonitor': [12, ['unsigned char']], 'SourceModeSetOffset': [24, ['unsigned long']], 'Orientation': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MO_UNINITIALIZED', 1: 'D3DKMDT_MO_0DEG', 2: 'D3DKMDT_MO_90DEG', 3: 'D3DKMDT_MO_180DEG', 4: 'D3DKMDT_MO_270DEG'}}]], 'DescriptorSetOffset': [32, ['unsigned long']], 'MonitorPowerState': [20, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'}}]], 'IsUsingDefaultProfile': [13, ['unsigned char']], 'MonitorType': [36, ['Enumeration', {'target': 'long', 'choices': {0: 'DMM_VMT_UNINITIALIZED', 1: 'DMM_VMT_PHYSICAL_MONITOR', 2: 'DMM_VMT_BOOT_PERSISTENT_MONITOR', 3: 
'DMM_VMT_PERSISTENT_MONITOR', 4: 'DMM_VMT_TEMPORARY_MONITOR', 5: 'DMM_VMT_SIMULATED_MONITOR'}}]], 'Size': [0, ['unsigned long']], }], '_VK_TO_WCHARS1': [0x4, { 'Attributes': [1, ['unsigned char']], 'VirtualKey': [0, ['unsigned char']], 'wch': [2, ['array', 1, ['wchar']]], }], '__unnamed_121b': [0x18, { 'Length': [0, ['pointer64', ['_LARGE_INTEGER']]], 'ByteOffset': [16, ['_LARGE_INTEGER']], 'Key': [8, ['unsigned long']], }], '__unnamed_121d': [0x20, { 'Type3InputBuffer': [24, ['pointer64', ['void']]], 'OutputBufferLength': [0, ['unsigned long']], 'IoControlCode': [16, ['unsigned long']], 'InputBufferLength': [8, ['unsigned long']], }], '__unnamed_121f': [0x10, { 'Length': [8, ['unsigned long']], 'SecurityInformation': [0, ['unsigned long']], }], '_DMM_MONITORFREQUENCYRANGESET_SERIALIZATION': [0x38, { 'NumFrequencyRanges': [0, ['unsigned char']], 'FrequencyRangeSerialization': [8, ['array', 1, ['_D3DKMDT_MONITOR_FREQUENCY_RANGE']]], }], '_D3DKMDT_GAMMA_RAMP': [0x18, { 'Data': [16, ['__unnamed_182e']], 'DataSize': [8, ['unsigned long long']], 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDI_GAMMARAMP_UNINITIALIZED', 1: 'D3DDDI_GAMMARAMP_DEFAULT', 2: 'D3DDDI_GAMMARAMP_RGB256x3x16', 3: 'D3DDDI_GAMMARAMP_DXGI_1'}}]], }], '_W32PROCESS': [0x100, { 'GDIPushLock': [80, ['_EX_PUSH_LOCK']], 'DxProcess': [248, ['pointer64', ['void']]], 'pBrushAttrList': [48, ['pointer64', ['void']]], 'Process': [0, ['pointer64', ['_EPROCESS']]], 'NextStart': [32, ['pointer64', ['_W32PROCESS']]], 'GDIW32PIDLockedBitmaps': [224, ['_LIST_ENTRY']], 'RefCount': [8, ['unsigned long']], 'StartCursorHideTime': [24, ['unsigned long']], 'GDIBrushAttrFreeList': [208, ['_LIST_ENTRY']], 'InputIdleEvent': [16, ['pointer64', ['_KEVENT']]], 'W32PF_Flags': [12, ['unsigned long']], 'GDIHandleCount': [60, ['long']], 'hSecureGdiSharedHandleTable': [240, ['pointer64', ['void']]], 'UserHandleCountPeak': [72, ['unsigned long']], 'W32Pid': [56, ['unsigned long']], 'UserHandleCount': [68, 
['long']], 'pDCAttrList': [40, ['pointer64', ['void']]], 'GDIEngUserMemAllocTable': [88, ['_RTL_AVL_TABLE']], 'GDIHandleCountPeak': [64, ['unsigned long']], 'GDIDcAttrFreeList': [192, ['_LIST_ENTRY']], }], 'tagSERVERINFO': [0x1220, { 'uiShellMsg': [912, ['unsigned long']], 'atomSysClass': [852, ['array', 25, ['unsigned short']]], 'dtScroll': [2800, ['unsigned long']], 'dwKeyCache': [2952, ['unsigned long']], 'atomIconSmProp': [1356, ['unsigned short']], 'argbSystemUnmatched': [2268, ['array', 31, ['unsigned long']]], 'atomContextHelpIdProp': [1360, ['unsigned short']], 'cySysFontChar': [2832, ['long']], 'mpFnid_serverCBWndProc': [328, ['array', 31, ['unsigned short']]], 'PUSIFlags': [4476, ['unsigned long']], 'dtLBSearch': [2804, ['unsigned long']], 'tmSysFont': [2836, ['tagTEXTMETRICW']], 'ahbrSystem': [2520, ['array', 31, ['pointer64', ['HBRUSH__']]]], 'dwDefaultHeapSize': [908, ['unsigned long']], 'dwSRVIFlags': [0, ['unsigned long']], 'BitsPixel': [4473, ['unsigned char']], 'wMaxLeftOverlapChars': [2820, ['long']], 'dwLastSystemRITEventTickCountUpdate': [4488, ['unsigned long']], 'dpiSystem': [2896, ['tagDPISERVERINFO']], 'hIcoWindows': [2944, ['pointer64', ['HICON__']]], 'dwAsyncKeyCache': [2956, ['unsigned long']], 'dwTagCount': [4632, ['unsigned long']], 'adwDBGTAGFlags': [4492, ['array', 35, ['unsigned long']]], 'aiSysMet': [1880, ['array', 97, ['long']]], 'acAnsiToOem': [1620, ['array', 256, ['unsigned char']]], 'aStoCidPfn': [272, ['array', 7, ['pointer64', ['void']]]], 'dwLastRITEventTickCount': [2792, ['unsigned long']], 'cbHandleTable': [848, ['unsigned long']], 'atomFrostedWindowProp': [1362, ['unsigned short']], 'ucWheelScrollLines': [2812, ['unsigned long']], 'ptCursorReal': [2784, ['tagPOINT']], 'ucWheelScrollChars': [2816, ['unsigned long']], 'acOemToAnsi': [1364, ['array', 256, ['unsigned char']]], 'hbrGray': [2768, ['pointer64', ['HBRUSH__']]], 'BitCount': [4468, ['unsigned short']], 'argbSystem': [2392, ['array', 31, ['unsigned long']]], 
'dtCaretBlink': [2808, ['unsigned long']], 'dwInstalledEventHooks': [1876, ['unsigned long']], 'cxSysFontChar': [2828, ['long']], 'wMaxRightOverlapChars': [2824, ['long']], 'oembmi': [2964, ['array', 93, ['tagOEMBITMAPINFO']]], 'apfnClientWorker': [760, ['_PFNCLIENTWORKER']], 'dwDefaultHeapBase': [904, ['unsigned long']], 'apfnClientA': [392, ['_PFNCLIENT']], 'dmLogPixels': [4470, ['unsigned short']], 'nEvents': [2796, ['long']], 'atomIconProp': [1358, ['unsigned short']], 'Planes': [4472, ['unsigned char']], 'apfnClientW': [576, ['_PFNCLIENT']], 'MBStrings': [916, ['array', 11, ['tagMBSTRING']]], 'UILangID': [4484, ['unsigned short']], 'dwRIPFlags': [4636, ['unsigned long']], 'uCaretWidth': [4480, ['unsigned long']], 'cCaptures': [2960, ['unsigned long']], 'cHandleEntries': [8, ['unsigned long long']], 'ptCursor': [2776, ['tagPOINT']], 'hIconSmWindows': [2936, ['pointer64', ['HICON__']]], 'mpFnidPfn': [16, ['array', 32, ['pointer64', ['void']]]], 'rcScreenReal': [4452, ['tagRECT']], }], '_D3DKMDT_VIDEO_SIGNAL_INFO': [0x38, { 'VSyncFreq': [20, ['_D3DDDI_RATIONAL']], 'ActiveSize': [12, ['_D3DKMDT_2DREGION']], 'PixelRate': [40, ['unsigned long long']], 'TotalSize': [4, ['_D3DKMDT_2DREGION']], 'VideoStandard': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VSS_UNINITIALIZED', 1: 'D3DKMDT_VSS_VESA_DMT', 2: 'D3DKMDT_VSS_VESA_GTF', 3: 'D3DKMDT_VSS_VESA_CVT', 4: 'D3DKMDT_VSS_IBM', 5: 'D3DKMDT_VSS_APPLE', 6: 'D3DKMDT_VSS_NTSC_M', 7: 'D3DKMDT_VSS_NTSC_J', 8: 'D3DKMDT_VSS_NTSC_443', 9: 'D3DKMDT_VSS_PAL_B', 10: 'D3DKMDT_VSS_PAL_B1', 11: 'D3DKMDT_VSS_PAL_G', 12: 'D3DKMDT_VSS_PAL_H', 13: 'D3DKMDT_VSS_PAL_I', 14: 'D3DKMDT_VSS_PAL_D', 15: 'D3DKMDT_VSS_PAL_N', 16: 'D3DKMDT_VSS_PAL_NC', 17: 'D3DKMDT_VSS_SECAM_B', 18: 'D3DKMDT_VSS_SECAM_D', 19: 'D3DKMDT_VSS_SECAM_G', 20: 'D3DKMDT_VSS_SECAM_H', 21: 'D3DKMDT_VSS_SECAM_K', 22: 'D3DKMDT_VSS_SECAM_K1', 23: 'D3DKMDT_VSS_SECAM_L', 24: 'D3DKMDT_VSS_SECAM_L1', 25: 'D3DKMDT_VSS_EIA_861', 26: 'D3DKMDT_VSS_EIA_861A', 27: 
'D3DKMDT_VSS_EIA_861B', 28: 'D3DKMDT_VSS_PAL_K', 29: 'D3DKMDT_VSS_PAL_K1', 30: 'D3DKMDT_VSS_PAL_L', 31: 'D3DKMDT_VSS_PAL_M', 255: 'D3DKMDT_VSS_OTHER'}}]], 'ScanLineOrdering': [48, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDI_VSSLO_UNINITIALIZED', 1: 'D3DDDI_VSSLO_PROGRESSIVE', 2: 'D3DDDI_VSSLO_INTERLACED_UPPERFIELDFIRST', 3: 'D3DDDI_VSSLO_INTERLACED_LOWERFIELDFIRST', 255: 'D3DDDI_VSSLO_OTHER'}}]], 'HSyncFreq': [28, ['_D3DDDI_RATIONAL']], }], '__unnamed_11df': [0x8, { 'IrpCount': [0, ['long']], 'SystemBuffer': [0, ['pointer64', ['void']]], 'MasterIrp': [0, ['pointer64', ['_IRP']]], }], 'D3DDDI_DXGI_RGB': [0xc, { 'Blue': [8, ['float']], 'Green': [4, ['float']], 'Red': [0, ['float']], }], '_MAGNIFICATION_INPUT_TRANSFORM': [0x30, { 'rcScreen': [16, ['tagRECT']], 'magFactorX': [40, ['long']], 'magFactorY': [44, ['long']], 'ptiMagThreadInfo': [32, ['pointer64', ['tagTHREADINFO']]], 'rcSource': [0, ['tagRECT']], }], '_D3DKMDT_MONITOR_FREQUENCY_RANGE': [0x30, { 'Origin': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'ConstraintType': [36, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MFRC_UNINITIALIZED', 1: 'D3DKMDT_MFRC_ACTIVESIZE', 2: 'D3DKMDT_MFRC_MAXPIXELRATE'}}]], 'RangeLimits': [4, ['_D3DKMDT_FREQUENCY_RANGE']], 'Constraint': [40, ['__unnamed_16c1']], }], '_PFNCLIENTWORKER': [0x58, { 'pfnComboBoxWndProc': [8, ['pointer64', ['void']]], 'pfnMDIClientWndProc': [48, ['pointer64', ['void']]], 'pfnDialogWndProc': [24, ['pointer64', ['void']]], 'pfnStaticWndProc': [56, ['pointer64', ['void']]], 'pfnCtfHookProc': [80, ['pointer64', ['void']]], 'pfnButtonWndProc': [0, ['pointer64', ['void']]], 'pfnImeWndProc': [64, ['pointer64', ['void']]], 'pfnEditWndProc': [32, ['pointer64', ['void']]], 'pfnListBoxWndProc': 
[40, ['pointer64', ['void']]], 'pfnGhostWndProc': [72, ['pointer64', ['void']]], 'pfnComboListBoxProc': [16, ['pointer64', ['void']]], }], '_DMA_OPERATIONS': [0x80, { 'PutDmaAdapter': [8, ['pointer64', ['void']]], 'FreeMapRegisters': [56, ['pointer64', ['void']]], 'MapTransfer': [64, ['pointer64', ['void']]], 'FreeCommonBuffer': [24, ['pointer64', ['void']]], 'ReadDmaCounter': [80, ['pointer64', ['void']]], 'AllocateCommonBuffer': [16, ['pointer64', ['void']]], 'PutScatterGatherList': [96, ['pointer64', ['void']]], 'CalculateScatterGatherList': [104, ['pointer64', ['void']]], 'BuildMdlFromScatterGatherList': [120, ['pointer64', ['void']]], 'GetScatterGatherList': [88, ['pointer64', ['void']]], 'AllocateAdapterChannel': [32, ['pointer64', ['void']]], 'FreeAdapterChannel': [48, ['pointer64', ['void']]], 'GetDmaAlignment': [72, ['pointer64', ['void']]], 'FlushAdapterBuffers': [40, ['pointer64', ['void']]], 'BuildScatterGatherList': [112, ['pointer64', ['void']]], 'Size': [0, ['unsigned long']], }], '_DXGK_DIAG_HEADER': [0x30, { 'Index': [40, ['unsigned long']], 'ProcessName': [16, ['array', 16, ['unsigned char']]], 'LogTimestamp': [8, ['unsigned long long']], 'ThreadId': [32, ['unsigned long long']], 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'DXGK_DIAG_TYPE_NONE', 1: 'DXGK_DIAG_TYPE_SDC', 2: 'DXGK_DIAG_TYPE_HPD', 3: 'DXGK_DIAG_TYPE_DC_ORIGIN', 4: 'DXGK_DIAG_TYPE_USER_CDS', 5: 'DXGK_DIAG_TYPE_DRV_CDS', 6: 'DXGK_DIAG_TYPE_CODE_POINT', 7: 'DXGK_DIAG_TYPE_QDC', 8: 'DXGK_DIAG_TYPE_MONITOR_MGR', 9: 'DXGK_DIAG_TYPE_CONNECTEDSET_NOT_FOUND', 10: 'DXGK_DIAG_TYPE_DISPDIAG_COLLECTED', 11: 'DXGK_DIAG_TYPE_BML_PACKET', 12: 'DXGK_DIAG_TYPE_BML_PACKET_EX', 13: 'DXGK_DIAG_TYPE_COMMIT_VIDPN_FAILED', 14: 'DXGK_DIAG_TYPE_MAX', -1: 'DXGK_DIAG_TYPE_FORCE_UINT32'}}]], 'WdLogIdx': [44, ['unsigned long']], 'Size': [4, ['unsigned long']], }], '__unnamed_1225': [0x10, { 'DeviceObject': [8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb': [0, ['pointer64', ['_VPB']]], }], 
'_SM_VALUES_STRINGS': [0x18, { 'StorageType': [16, ['Enumeration', {'target': 'long', 'choices': {0: 'SmStorageActual', 1: 'SmStorageNonActual'}}]], 'pszName': [0, ['pointer64', ['unsigned char']]], 'ulValue': [8, ['unsigned long']], 'RangeType': [12, ['Enumeration', {'target': 'long', 'choices': {0: 'SmRangeSharedInfo', 1: 'SmRangeNonSharedInfo', 2: 'SmRangeBool'}}]], }], 'tagTERMINAL': [0x40, { 'spwndDesktopOwner': [8, ['pointer64', ['tagWND']]], 'dwTERMF_Flags': [0, ['unsigned long']], 'dwNestedLevel': [32, ['unsigned long']], 'pqDesktop': [24, ['pointer64', ['tagQ']]], 'pEventInputReady': [56, ['pointer64', ['_KEVENT']]], 'rpdeskDestroy': [48, ['pointer64', ['tagDESKTOP']]], 'ptiDesktop': [16, ['pointer64', ['tagTHREADINFO']]], 'pEventTermInit': [40, ['pointer64', ['_KEVENT']]], }], '_SCATTER_GATHER_LIST': [0x10, { 'Elements': [16, ['array', 0, ['_SCATTER_GATHER_ELEMENT']]], 'Reserved': [8, ['unsigned long long']], 'NumberOfElements': [0, ['unsigned long']], }], 'tagMENULIST': [0x10, { 'pMenu': [8, ['pointer64', ['tagMENU']]], 'pNext': [0, ['pointer64', ['tagMENULIST']]], }], 'tagPOINT': [0x8, { 'y': [4, ['long']], 'x': [0, ['long']], }], 'tagSHAREDINFO': [0x238, { 'psi': [0, ['pointer64', ['tagSERVERINFO']]], 'DefWindowSpecMsgs': [552, ['_WNDMSG']], 'awmControl': [40, ['array', 31, ['_WNDMSG']]], 'ulSharedDelta': [32, ['unsigned long long']], 'pDispInfo': [24, ['pointer64', ['tagDISPLAYINFO']]], 'aheList': [8, ['pointer64', ['_HANDLEENTRY']]], 'DefWindowMsgs': [536, ['_WNDMSG']], 'HeEntrySize': [16, ['unsigned long']], }], 'tagIMC': [0x40, { 'dwClientImcData': [48, ['unsigned long long']], 'head': [0, ['_THRDESKHEAD']], 'hImeWnd': [56, ['pointer64', ['HWND__']]], 'pImcNext': [40, ['pointer64', ['tagIMC']]], }], 'tagKL': [0x78, { 'uNumTbl': [88, ['unsigned long']], 'pklPrev': [24, ['pointer64', ['tagKL']]], 'head': [0, ['_HEAD']], 'pklNext': [16, ['pointer64', ['tagKL']]], 'spkfPrimary': [56, ['pointer64', ['tagKBDFILE']]], 'dwFontSigs': [64, ['unsigned 
long']], 'dwLastKbdType': [104, ['unsigned long']], 'CodePage': [72, ['unsigned short']], 'dwKL_Flags': [32, ['unsigned long']], 'iBaseCharset': [68, ['unsigned long']], 'dwKLID': [112, ['unsigned long']], 'spkf': [48, ['pointer64', ['tagKBDFILE']]], 'piiex': [80, ['pointer64', ['tagIMEINFOEX']]], 'hkl': [40, ['pointer64', ['HKL__']]], 'pspkfExtra': [96, ['pointer64', ['pointer64', ['tagKBDFILE']]]], 'wchDiacritic': [74, ['wchar']], 'dwLastKbdSubType': [108, ['unsigned long']], }], '__unnamed_182e': [0x8, { 'pRgb256x3x16': [0, ['pointer64', ['_D3DDDI_GAMMA_RAMP_RGB256x3x16']]], 'pRaw': [0, ['pointer64', ['void']]], 'pDxgi1': [0, ['pointer64', ['_D3DDDI_GAMMA_RAMP_DXGI_1']]], }], 'tagCARET': [0x48, { 'iHideLevel': [12, ['long']], 'yOwnDc': [56, ['long']], 'y': [20, ['long']], 'cy': [24, ['long']], 'cx': [28, ['long']], 'hBitmap': [32, ['pointer64', ['HBITMAP__']]], 'cyOwnDc': [64, ['long']], 'fOn': [8, ['BitField', {'end_bit': 2, 'start_bit': 1, 'native_type': 'unsigned long'}]], 'hTimer': [40, ['unsigned long long']], 'xOwnDc': [52, ['long']], 'fVisible': [8, ['BitField', {'end_bit': 1, 'start_bit': 0, 'native_type': 'unsigned long'}]], 'cxOwnDc': [60, ['long']], 'tid': [48, ['unsigned long']], 'x': [16, ['long']], 'spwnd': [0, ['pointer64', ['tagWND']]], }], }
# volatility-2.3.1/volatility/plugins/gui/vtypes/win7_sp1_x86_vtypes_gui.py
win32k_types = { '_HANDLEENTRY': [0xc, { 'pOwner': [4, ['pointer', ['void']]], 'phead': [0, ['pointer', ['_HEAD']]], 'bFlags': [9, ['unsigned char']], 'wUniq': [10, ['unsigned short']], 'bType': [8, ['unsigned char']], }], 'tagTOUCHINPUTINFO': [0x3c, { 'dwcInputs': [12, ['unsigned long']], 'head': [0, ['_THROBJHEAD']], 'uFlags': [16, ['unsigned long']], 'TouchInput': [20, ['array', 1, ['tagTOUCHINPUT']]], }], 'tagHOOK': [0x34, { 'head': [0, ['_THRDESKHEAD']], 'offPfn': [28, ['unsigned long']], 'flags': [32, ['unsigned long']], 'fLastHookHung': [48,
['BitField', {'end_bit': 8, 'start_bit': 7}]], 'nTimeout': [48, ['BitField', {'end_bit': 7, 'start_bit': 0}]], 'ihmod': [36, ['long']], 'iHook': [24, ['long']], 'ptiHooked': [40, ['pointer', ['tagTHREADINFO']]], 'phkNext': [20, ['pointer', ['tagHOOK']]], 'rpdesk': [44, ['pointer', ['tagDESKTOP']]], }], 'DEADKEY': [0x8, { 'wchComposed': [4, ['wchar']], 'dwBoth': [0, ['unsigned long']], 'uFlags': [6, ['unsigned short']], }], '__unnamed_179f': [0x4, { 'pRgb256x3x16': [0, ['pointer', ['_D3DDDI_GAMMA_RAMP_RGB256x3x16']]], 'pRaw': [0, ['pointer', ['void']]], 'pDxgi1': [0, ['pointer', ['_D3DDDI_GAMMA_RAMP_DXGI_1']]], }], '_W32THREAD': [0xb4, { 'pRBRecursionCount': [40, ['unsigned long']], 'iVisRgnUniqueness': [176, ['unsigned long']], 'RefCount': [4, ['unsigned long']], 'pDevHTInfo': [148, ['pointer', ['void']]], 'pUMPDHeap': [24, ['pointer', ['void']]], 'pgdiBrushAttr': [16, ['pointer', ['void']]], 'ulWindowSystemRendering': [172, ['unsigned long']], 'tlSpriteState': [48, ['_TLSPRITESTATE']], 'pdcoRender': [160, ['pointer', ['void']]], 'bEnableEngUpdateDeviceSurface': [168, ['unsigned char']], 'pdcoAA': [156, ['pointer', ['void']]], 'pNonRBRecursionCount': [44, ['unsigned long']], 'ptlW32': [8, ['pointer', ['_TL']]], 'GdiTmpTgoList': [32, ['_LIST_ENTRY']], 'pUMPDObjs': [20, ['pointer', ['void']]], 'pgdiDcattr': [12, ['pointer', ['void']]], 'bIncludeSprites': [169, ['unsigned char']], 'pEThread': [0, ['pointer', ['_ETHREAD']]], 'pSpriteState': [144, ['pointer', ['void']]], 'ulDevHTInfoUniqueness': [152, ['unsigned long']], 'pdcoSrc': [164, ['pointer', ['void']]], 'pUMPDObj': [28, ['pointer', ['void']]], }], 'tagPROPLIST': [0x10, { 'aprop': [8, ['array', 1, ['tagPROP']]], 'cEntries': [0, ['unsigned long']], 'iFirstFree': [4, ['unsigned long']], }], 'tagDESKTOPINFO': [0x78, { 'spwndProgman': [96, ['pointer', ['tagWND']]], 'pvwplMessagePPHandler': [112, ['pointer', ['VWPL']]], 'pvDesktopLimit': [4, ['pointer', ['void']]], 'fComposited': [116, ['BitField', {'end_bit': 1, 
'start_bit': 0}]], 'spwndGestureEngine': [108, ['pointer', ['tagWND']]], 'pvDesktopBase': [0, ['pointer', ['void']]], 'spwndShell': [80, ['pointer', ['tagWND']]], 'ppiShellProcess': [84, ['pointer', ['tagPROCESSINFO']]], 'pvwplShellHook': [100, ['pointer', ['VWPL']]], 'fIsDwmDesktop': [116, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'spwndTaskman': [92, ['pointer', ['tagWND']]], 'aphkStart': [16, ['array', 16, ['pointer', ['tagHOOK']]]], 'fsHooks': [12, ['unsigned long']], 'cntMBox': [104, ['long']], 'spwndBkGnd': [88, ['pointer', ['tagWND']]], 'spwnd': [8, ['pointer', ['tagWND']]], }], 'tagDISPLAYINFO': [0x64, { 'hDev': [0, ['pointer', ['void']]], 'SpatialListHead': [88, ['_KLIST_ENTRY']], 'BitCountMax': [78, ['unsigned short']], 'cyGray': [32, ['long']], 'hdcBits': [16, ['pointer', ['HDC__']]], 'fDesktopIsRect': [80, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'hbmGray': [24, ['pointer', ['HBITMAP__']]], 'pmdev': [4, ['pointer', ['void']]], 'cFullScreen': [96, ['short']], 'cxGray': [28, ['long']], 'dmLogPixels': [76, ['unsigned short']], 'hDevInfo': [8, ['pointer', ['void']]], 'fAnyPalette': [80, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'pspbFirst': [40, ['pointer', ['tagSPB']]], 'pMonitorPrimary': [48, ['pointer', ['tagMONITOR']]], 'Spare0': [98, ['short']], 'pMonitorFirst': [52, ['pointer', ['tagMONITOR']]], 'hdcGray': [20, ['pointer', ['HDC__']]], 'hrgnScreenReal': [72, ['pointer', ['HRGN__']]], 'cMonitors': [44, ['unsigned long']], 'hdcScreen': [12, ['pointer', ['HDC__']]], 'DockThresholdMax': [84, ['unsigned long']], 'rcScreenReal': [56, ['tagRECT']], 'pdceFirst': [36, ['pointer', ['tagDCE']]], }], 'tagTHREADINFO': [0x208, { 'pstrAppName': [220, ['pointer', ['_UNICODE_STRING']]], 'ForceLegacyResizeNCMetr': [280, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'ptl': [180, ['pointer', ['_TL']]], 'timeLast': [236, ['long']], 'DontJournalAttach': [276, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'ppi': [184, ['pointer', ['tagPROCESSINFO']]], 
'SendMnuDblClk': [276, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'DDENoSync': [280, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'EditNoMouseHide': [280, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'pDevHTInfo': [148, ['pointer', ['void']]], 'OpenGLEMF': [280, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'dwCompatFlags': [276, ['unsigned long']], 'hTouchInputCurrent': [492, ['pointer', ['HTOUCHINPUT__']]], 'psmsSent': [224, ['pointer', ['tagSMS']]], 'cVisWindows': [404, ['unsigned long']], 'hPrevHidData': [488, ['pointer', ['void']]], 'fsHooks': [300, ['unsigned long']], 'qwCompatFlags2': [280, ['unsigned long long']], 'NoPaddedBorder': [280, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'NoDrawPatRect': [280, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'ForceTTGrapchis': [276, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'GetDeviceCaps': [276, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'pgdiBrushAttr': [16, ['pointer', ['void']]], 'pq': [188, ['pointer', ['tagQ']]], 'ulWindowSystemRendering': [172, ['unsigned long']], 'dwExpWinVer': [272, ['unsigned long']], 'NoSoftCursOnMoveSize': [280, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'psmsReceiveList': [232, ['pointer', ['tagSMS']]], 'sphkCurrent': [304, ['pointer', ['tagHOOK']]], 'No50ExStyles': [280, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'IgnoreFaults': [276, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'pClientInfo': [212, ['pointer', ['tagCLIENTINFO']]], 'pdcoSrc': [164, ['pointer', ['void']]], 'pEventQueueServer': [324, ['pointer', ['_KEVENT']]], 'DealyHwndShakeChk': [276, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'amdesk': [396, ['unsigned long']], 'fsChangeBitsRemoved': [384, ['unsigned short']], 'psmsCurrent': [228, ['pointer', ['tagSMS']]], 'NoBatching': [280, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'StrictLLHook': [280, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'pdcoRender': [160, ['pointer', ['void']]], 'NoShadow': [280, ['BitField', 
{'end_bit': 23, 'start_bit': 22}]], 'EnumHelv': [276, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'fPack': [516, ['BitField', {'end_bit': 28, 'start_bit': 2}]], 'CallTTDevice': [276, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'fsReserveKeys': [388, ['unsigned long']], 'Winver31': [276, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'DisableDBCSProp': [276, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'Win30AvgWidth': [276, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'ptlW32': [8, ['pointer', ['_TL']]], 'AlwaysSendSyncPaint': [276, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'IgnoreNoDiscard': [276, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'NoTimeCbProtect': [280, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'MsShellDlg': [280, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'hEventQueueClient': [320, ['pointer', ['void']]], 'cPaintsReady': [252, ['long']], 'SubtractClips': [276, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'PtiLink': [328, ['_LIST_ENTRY']], 'DpiAware': [280, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'spklActive': [192, ['pointer', ['tagKL']]], 'bIncludeSprites': [169, ['unsigned char']], 'mlPost': [372, ['tagMLIST']], 'ptLastReal': [348, ['tagPOINT']], 'fThreadCleanupFinished': [516, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'MultipleBands': [276, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'Random31Ux': [276, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'HackWinFlags': [276, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'cti': [472, ['tagCLIENTTHREADINFO']], 'KCOff': [280, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'wParamHkCurrent': [312, ['unsigned long']], 'readyHead': [508, ['_LIST_ENTRY']], 'UsePrintingEscape': [276, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'NoInitFlagsOnFocus': [280, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'ForceTextBand': [276, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'pEThread': [0, ['pointer', ['_ETHREAD']]], 'ptdb': [264, ['pointer', 
['tagTDB']]], 'SpareCompatFlags2': [280, ['BitField', {'end_bit': 64, 'start_bit': 33}]], 'cWindows': [400, ['unsigned long']], 'cEnterCount': [368, ['long']], 'fETWReserved': [516, ['BitField', {'end_bit': 32, 'start_bit': 29}]], 'dwCompatFlags2': [280, ['unsigned long']], 'NoEMFSpooling': [276, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'pMenuState': [260, ['pointer', ['tagMENUSTATE']]], 'pRBRecursionCount': [40, ['unsigned long']], 'SmoothScrolling': [276, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'iVisRgnUniqueness': [176, ['unsigned long']], 'RefCount': [4, ['unsigned long']], 'Win31DevModeSize': [276, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'pwinsta': [264, ['pointer', ['tagWINDOWSTATION']]], 'pSBTrack': [316, ['pointer', ['tagSBTRACK']]], 'ActiveMenus': [280, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'spwndDefaultIme': [356, ['pointer', ['tagWND']]], 'NoCustomPaperSize': [280, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'wchInjected': [386, ['wchar']], 'cTimersReady': [256, ['unsigned long']], 'EditSetTextMunge': [276, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'pUMPDHeap': [24, ['pointer', ['void']]], 'fgfSwitchInProgressSetter': [516, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'iCursorLevel': [336, ['long']], 'NoScrollBarCtxMenu': [276, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'ulClientDelta': [208, ['unsigned long']], 'pdcoAA': [156, ['pointer', ['void']]], 'cNestedStableVisRgn': [504, ['unsigned long']], 'TryExceptCallWndProc': [280, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'NcCalcSizeOnMove': [276, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'DisableFontAssoc': [276, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'pcti': [196, ['pointer', ['tagCLIENTTHREADINFO']]], 'MsgPPInfo': [500, ['tagMSGPPINFO']], 'DDE': [280, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'ulThreadFlags2': [516, ['unsigned long']], 'tlSpriteState': [48, ['_TLSPRITESTATE']], 'NoCharDeadKey': [280, ['BitField', 
{'end_bit': 16, 'start_bit': 15}]], 'pqAttach': [288, ['pointer', ['tagQ']]], 'TTIgnoreRasterDupe': [276, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'aphkStart': [408, ['array', 16, ['pointer', ['tagHOOK']]]], 'DefaultCharset': [280, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'idLast': [240, ['unsigned long']], 'rpdesk': [200, ['pointer', ['tagDESKTOP']]], 'NoWindowArrangement': [280, ['BitField', {'end_bit': 33, 'start_bit': 32}]], 'AnimationOff': [280, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'No50ExStyleBits': [280, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'TransparentBltMirror': [280, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'DDENoAsyncReg': [280, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'bEnableEngUpdateDeviceSurface': [168, ['unsigned char']], 'pDeskInfo': [204, ['pointer', ['tagDESKTOPINFO']]], 'hdesk': [248, ['pointer', ['HDESK__']]], 'pNonRBRecursionCount': [44, ['unsigned long']], 'MoreExtraWndWords': [276, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'hklPrev': [364, ['pointer', ['HKL__']]], 'NoGhost': [280, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'IgnoreTopMost': [276, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'pmsd': [296, ['pointer', ['_MOVESIZEDATA']]], 'NoHRGN1': [276, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'exitCode': [244, ['long']], 'NoDDETrackDying': [280, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'ptLast': [340, ['tagPOINT']], 'hGestureInfoCurrent': [496, ['pointer', ['HGESTUREINFO__']]], 'GdiTmpTgoList': [32, ['_LIST_ENTRY']], 'pUMPDObjs': [20, ['pointer', ['void']]], 'FontSubs': [280, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'GiveUpForegound': [280, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'spDefaultImc': [360, ['pointer', ['tagIMC']]], 'pgdiDcattr': [12, ['pointer', ['void']]], 'TIF_flags': [216, ['unsigned long']], 'apEvent': [392, ['pointer', ['pointer', ['_KEVENT']]]], 'HardwareMixer': [280, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'pUMPDObj': 
[28, ['pointer', ['void']]], 'pSpriteState': [144, ['pointer', ['void']]], 'EnumTTNotDevice': [276, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'lParamHkCurrent': [308, ['long']], 'ulDevHTInfoUniqueness': [152, ['unsigned long']], 'ptiSibling': [292, ['pointer', ['tagTHREADINFO']]], 'psiiList': [268, ['pointer', ['tagSVR_INSTANCE_INFO']]], 'ForceFusion': [280, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'fSpecialInitialization': [516, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'IncreaseStack': [276, ['BitField', {'end_bit': 23, 'start_bit': 22}]], }], '__unnamed_1262': [0x2c, { 'InitialPrivilegeSet': [0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet': [0, ['_PRIVILEGE_SET']], }], '_D3DKMDT_2DREGION': [0x8, { 'cy': [4, ['unsigned long']], 'cx': [0, ['unsigned long']], }], 'tagMONITOR': [0x64, { 'hDev': [56, ['pointer', ['void']]], 'head': [0, ['_HEAD']], 'hDevReal': [60, ['pointer', ['void']]], 'rcWorkReal': [32, ['tagRECT']], 'dwMONFlags': [12, ['unsigned long']], 'Spare0': [52, ['short']], 'rcMonitorReal': [16, ['tagRECT']], 'pMonitorNext': [8, ['pointer', ['tagMONITOR']]], 'Flink': [92, ['pointer', ['tagMONITOR']]], 'Blink': [96, ['pointer', ['tagMONITOR']]], 'hrgnMonitorReal': [48, ['pointer', ['HRGN__']]], 'cWndStack': [54, ['short']], 'DockTargets': [64, ['array', 7, ['array', 4, ['unsigned char']]]], }], '__unnamed_18b4': [0x18, { 'Dma': [0, ['__unnamed_18a8']], 'Generic': [0, ['__unnamed_18a2']], 'Memory': [0, ['__unnamed_18a2']], 'BusNumber': [0, ['__unnamed_18aa']], 'Memory48': [0, ['__unnamed_18b0']], 'Memory40': [0, ['__unnamed_18ae']], 'DevicePrivate': [0, ['__unnamed_177b']], 'ConfigData': [0, ['__unnamed_18ac']], 'Memory64': [0, ['__unnamed_18b2']], 'Interrupt': [0, ['__unnamed_18a6']], 'Port': [0, ['__unnamed_18a2']], }], '__unnamed_18b0': [0x18, { 'Length48': [0, ['unsigned long']], 'Alignment48': [4, ['unsigned long']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], }], 
'_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION': [0x10c, { 'APSTriggerBits': [4, ['unsigned long']], 'CopyProtectionType': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPMT_UNINITIALIZED', 1: 'D3DKMDT_VPPMT_NOPROTECTION', 2: 'D3DKMDT_VPPMT_MACROVISION_APSTRIGGER', 3: 'D3DKMDT_VPPMT_MACROVISION_FULLSUPPORT', 255: 'D3DKMDT_VPPMT_NOTSPECIFIED'}}]], 'CopyProtectionSupport': [264, ['_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION_SUPPORT']], 'OEMCopyProtection': [8, ['array', 256, ['unsigned char']]], }], 'tagHID_TLC_INFO': [0x20, { 'cExcludeRequest': [24, ['unsigned long']], 'link': [0, ['_LIST_ENTRY']], 'cExcludeOrphaned': [28, ['unsigned long']], 'cUsagePageRequest': [20, ['unsigned long']], 'usUsagePage': [8, ['unsigned short']], 'cDevices': [12, ['unsigned long']], 'cDirectRequest': [16, ['unsigned long']], 'usUsage': [10, ['unsigned short']], }], '__unnamed_1777': [0xc, { 'Translated': [0, ['__unnamed_1773']], 'Raw': [0, ['__unnamed_1775']], }], 'HWND__': [0x4, { 'unused': [0, ['long']], }], '_DMM_VIDPNPATHANDTARGETMODE_SERIALIZATION': [0x190, { 'TargetMode': [348, ['_D3DKMDT_VIDPN_TARGET_MODE']], 'PathInfo': [0, ['_D3DKMDT_VIDPN_PRESENT_PATH']], }], 'tagQ': [0x108, { 'hwndDblClk': [64, ['pointer', ['HWND__']]], 'timeDblClk': [60, ['unsigned long']], 'spwndFocus': [36, ['pointer', ['tagWND']]], 'ExtraInfo': [256, ['long']], 'cLockCount': [250, ['unsigned short']], 'iCursorLevel': [240, ['long']], 'ptiSysLock': [12, ['pointer', ['tagTHREADINFO']]], 'caret': [180, ['tagCARET']], 'ptiMouse': [24, ['pointer', ['tagTHREADINFO']]], 'spwndActivePrev': [44, ['pointer', ['tagWND']]], 'ptMouseMove': [76, ['tagPOINT']], 'msgDblClk': [52, ['unsigned long']], 'msgJournal': [252, ['unsigned long']], 'ptiKeyboard': [28, ['pointer', ['tagTHREADINFO']]], 'cThreads': [248, ['unsigned short']], 'QF_flags': [244, ['unsigned long']], 'mlInput': [0, ['tagMLIST']], 'spwndActive': [40, ['pointer', ['tagWND']]], 'codeCapture': [48, ['unsigned long']], 'idSysLock': [16, 
['unsigned long']], 'spcurCurrent': [236, ['pointer', ['tagCURSOR']]], 'ulEtwReserved1': [260, ['unsigned long']], 'ptDblClk': [68, ['tagPOINT']], 'xbtnDblClk': [56, ['unsigned short']], 'afKeyRecentDown': [84, ['array', 32, ['unsigned char']]], 'afKeyState': [116, ['array', 64, ['unsigned char']]], 'spwndCapture': [32, ['pointer', ['tagWND']]], 'idSysPeek': [20, ['unsigned long']], }], 'tagUSERSTARTUPINFO': [0x1c, { 'wShowWindow': [24, ['unsigned short']], 'dwYSize': [16, ['unsigned long']], 'dwXSize': [12, ['unsigned long']], 'cbReserved2': [26, ['unsigned short']], 'cb': [0, ['unsigned long']], 'dwX': [4, ['unsigned long']], 'dwY': [8, ['unsigned long']], 'dwFlags': [20, ['unsigned long']], }], '_DMM_COMMITVIDPNREQUESTSET_SERIALIZATION': [0x8, { 'CommitVidPnRequestOffset': [4, ['array', 1, ['unsigned long']]], 'NumCommitVidPnRequests': [0, ['unsigned char']], }], '_DMM_MONITORDESCRIPTORSET_SERIALIZATION': [0x90, { 'NumDescriptors': [0, ['unsigned char']], 'DescriptorSerialization': [4, ['array', 1, ['_DMM_MONITORDESCRIPTOR_SERIALIZATION']]], }], '_DMM_MONITORSOURCEMODESET_SERIALIZATION': [0x54, { 'NumModes': [0, ['unsigned char']], 'ModeSerialization': [4, ['array', 1, ['_DMM_MONITOR_SOURCE_MODE_SERIALIZATION']]], }], '_VK_FUNCTION_PARAM': [0x8, { 'NLSFEProcIndex': [0, ['unsigned char']], 'NLSFEProcParam': [4, ['unsigned long']], }], '_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES': [0x10, { 'SecondChannel': [4, ['unsigned long']], 'FourthChannel': [12, ['unsigned long']], 'ThirdChannel': [8, ['unsigned long']], 'FirstChannel': [0, ['unsigned long']], }], 'tagMLIST': [0xc, { 'cMsgs': [8, ['unsigned long']], 'pqmsgRead': [0, ['pointer', ['tagQMSG']]], 'pqmsgWriteLast': [4, ['pointer', ['tagQMSG']]], }], '__unnamed_122d': [0x10, { 'DeviceIoControl': [0, ['__unnamed_11e4']], 'QuerySecurity': [0, ['__unnamed_11e6']], 'ReadWriteConfig': [0, ['__unnamed_1204']], 'Create': [0, ['__unnamed_11c5']], 'SetSecurity': [0, ['__unnamed_11e8']], 'Write': [0, ['__unnamed_11cf']], 
'VerifyVolume': [0, ['__unnamed_11ec']], 'WMI': [0, ['__unnamed_1229']], 'CreateMailslot': [0, ['__unnamed_11cd']], 'FilterResourceRequirements': [0, ['__unnamed_1202']], 'SetFile': [0, ['__unnamed_11d9']], 'MountVolume': [0, ['__unnamed_11ec']], 'FileSystemControl': [0, ['__unnamed_11df']], 'UsageNotification': [0, ['__unnamed_1213']], 'Scsi': [0, ['__unnamed_11f0']], 'WaitWake': [0, ['__unnamed_1217']], 'QueryFile': [0, ['__unnamed_11d7']], 'QueryDeviceText': [0, ['__unnamed_120e']], 'CreatePipe': [0, ['__unnamed_11c9']], 'Power': [0, ['__unnamed_1223']], 'QueryDeviceRelations': [0, ['__unnamed_11f4']], 'Read': [0, ['__unnamed_11cf']], 'StartDevice': [0, ['__unnamed_1227']], 'QueryDirectory': [0, ['__unnamed_11d3']], 'PowerSequence': [0, ['__unnamed_121b']], 'QueryId': [0, ['__unnamed_120a']], 'LockControl': [0, ['__unnamed_11e2']], 'NotifyDirectory': [0, ['__unnamed_11d5']], 'QueryInterface': [0, ['__unnamed_11fa']], 'Others': [0, ['__unnamed_122b']], 'QueryVolume': [0, ['__unnamed_11dd']], 'SetLock': [0, ['__unnamed_1206']], 'DeviceCapabilities': [0, ['__unnamed_11fe']], }], '__unnamed_122b': [0x10, { 'Argument4': [12, ['pointer', ['void']]], 'Argument2': [4, ['pointer', ['void']]], 'Argument3': [8, ['pointer', ['void']]], 'Argument1': [0, ['pointer', ['void']]], }], 'tagMENUSTATE': [0x64, { 'fDragAndDrop': [4, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'fInsideMenuLoop': [4, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'cxAni': [84, ['long']], 'pGlobalPopupMenu': [0, ['pointer', ['tagPOPUPMENU']]], 'uDraggingIndex': [60, ['unsigned long']], 'uDraggingHitArea': [56, ['unsigned long']], 'fNotifyByPos': [4, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'fButtonDown': [4, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'ixAni': [76, ['long']], 'fInCallHandleMenuMessages': [4, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'mnFocus': [16, ['long']], 'iyAni': [80, ['long']], 'dwLockCount': [28, ['unsigned long']], 'fAutoDismiss': [4, ['BitField', 
{'end_bit': 12, 'start_bit': 11}]], 'fIsSysMenu': [4, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'dwAniStartTime': [72, ['unsigned long']], 'pmnsPrev': [32, ['pointer', ['tagMENUSTATE']]], 'fInEndMenu': [4, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'hbmAni': [92, ['pointer', ['HBITMAP__']]], 'fIgnoreButtonUp': [4, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'ptButtonDown': [36, ['tagPOINT']], 'hdcWndAni': [68, ['pointer', ['HDC__']]], 'fAboutToAutoDismiss': [4, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'fMenuStarted': [4, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'uDraggingFlags': [64, ['unsigned long']], 'fUnderline': [4, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'fInDoDragDrop': [4, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'ptiMenuStateOwner': [24, ['pointer', ['tagTHREADINFO']]], 'uButtonDownIndex': [48, ['unsigned long']], 'fModelessMenu': [4, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'cyAni': [88, ['long']], 'uButtonDownHitArea': [44, ['unsigned long']], 'fButtonAlwaysDown': [4, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'iAniDropDir': [4, ['BitField', {'end_bit': 24, 'start_bit': 19}]], 'ptMouseLast': [8, ['tagPOINT']], 'hdcAni': [96, ['pointer', ['HDC__']]], 'vkButtonDown': [52, ['long']], 'fSetCapture': [4, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'fDragging': [4, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'fActiveNoForeground': [4, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'fMouseOffMenu': [4, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'cmdLast': [20, ['long']], }], 'tagMSGPPINFO': [0x4, { 'dwIndexMsgPP': [0, ['unsigned long']], }], 'VWPLELEMENT': [0x8, { 'DataOrTag': [0, ['unsigned long']], 'pwnd': [4, ['pointer', ['tagWND']]], }], '_WM_VALUES_STRINGS': [0x8, { 'pszName': [0, ['pointer', ['unsigned char']]], 'fInternal': [4, ['unsigned char']], 'fDefined': [5, ['unsigned char']], }], 'tagCLIP': [0xc, { 'fmt': [0, ['unsigned long']], 'fGlobalHandle': [8, ['long']], 'hData': [4, 
['pointer', ['void']]], }], '__unnamed_1229': [0x10, { 'Buffer': [12, ['pointer', ['void']]], 'ProviderId': [0, ['unsigned long']], 'BufferSize': [8, ['unsigned long']], 'DataPath': [4, ['pointer', ['void']]], }], '__unnamed_1227': [0x8, { 'AllocatedResources': [0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated': [4, ['pointer', ['_CM_RESOURCE_LIST']]], }], '_HEAD': [0x8, { 'h': [0, ['pointer', ['void']]], 'cLockObj': [4, ['unsigned long']], }], '__unnamed_1223': [0x10, { 'State': [8, ['_POWER_STATE']], 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'SystemPowerState', 1: 'DevicePowerState'}}]], 'SystemContext': [0, ['unsigned long']], 'ShutdownType': [12, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'}}]], 'SystemPowerStateContext': [0, ['_SYSTEM_POWER_STATE_CONTEXT']], }], '__unnamed_11e6': [0x8, { 'Length': [4, ['unsigned long']], 'SecurityInformation': [0, ['unsigned long']], }], 'tagQMSG': [0x40, { 'FromPen': [52, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'pti': [56, ['pointer', ['tagTHREADINFO']]], 'ExtraInfo': [36, ['long']], 'Wow64Message': [52, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'pqmsgPrev': [4, ['pointer', ['tagQMSG']]], 'NoCoalesce': [52, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'Padding': [48, ['BitField', {'end_bit': 32, 'start_bit': 30}]], 'ptMouseReal': [40, ['tagPOINT']], 'pqmsgNext': [0, ['pointer', ['tagQMSG']]], 'dwQEvent': [48, ['BitField', {'end_bit': 30, 'start_bit': 0}]], 'MsgPPInfo': [60, ['tagMSGPPINFO']], 'FromTouch': [52, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'msg': [8, ['tagMSG']], }], 'HWINSTA__': [0x4, { 'unused': [0, ['long']], }], 'tagWin32PoolHead': [0x10, { 'pPrev': [4, ['pointer', ['tagWin32PoolHead']]], 'pTrace': [12, ['pointer', ['pointer', ['void']]]], 
'pNext': [8, ['pointer', ['tagWin32PoolHead']]], 'size': [0, ['unsigned long']], }], 'tagTOUCHINPUT': [0x28, { 'hSource': [8, ['pointer', ['void']]], 'dwExtraInfo': [28, ['unsigned long']], 'cxContact': [32, ['unsigned long']], 'dwMask': [20, ['unsigned long']], 'y': [4, ['long']], 'x': [0, ['long']], 'dwID': [12, ['unsigned long']], 'cyContact': [36, ['unsigned long']], 'dwTime': [24, ['unsigned long']], 'dwFlags': [16, ['unsigned long']], }], '_CALLBACKWND': [0xc, { 'hwnd': [0, ['pointer', ['HWND__']]], 'pActCtx': [8, ['pointer', ['_ACTIVATION_CONTEXT']]], 'pwnd': [4, ['pointer', ['tagWND']]], }], 'HMONITOR__': [0x4, { 'unused': [0, ['long']], }], '_D3DKMDT_GRAPHICS_RENDERING_FORMAT': [0x20, { 'VisibleRegionSize': [8, ['_D3DKMDT_2DREGION']], 'Stride': [16, ['unsigned long']], 'PixelFormat': [20, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDIFMT_UNKNOWN', 20: 'D3DDDIFMT_R8G8B8', 21: 'D3DDDIFMT_A8R8G8B8', 22: 'D3DDDIFMT_X8R8G8B8', 23: 'D3DDDIFMT_R5G6B5', 24: 'D3DDDIFMT_X1R5G5B5', 25: 'D3DDDIFMT_A1R5G5B5', 26: 'D3DDDIFMT_A4R4G4B4', 27: 'D3DDDIFMT_R3G3B2', 28: 'D3DDDIFMT_A8', 29: 'D3DDDIFMT_A8R3G3B2', 30: 'D3DDDIFMT_X4R4G4B4', 31: 'D3DDDIFMT_A2B10G10R10', 32: 'D3DDDIFMT_A8B8G8R8', 33: 'D3DDDIFMT_X8B8G8R8', 34: 'D3DDDIFMT_G16R16', 35: 'D3DDDIFMT_A2R10G10B10', 36: 'D3DDDIFMT_A16B16G16R16', 40: 'D3DDDIFMT_A8P8', 41: 'D3DDDIFMT_P8', 50: 'D3DDDIFMT_L8', 51: 'D3DDDIFMT_A8L8', 52: 'D3DDDIFMT_A4L4', 60: 'D3DDDIFMT_V8U8', 61: 'D3DDDIFMT_L6V5U5', 62: 'D3DDDIFMT_X8L8V8U8', 63: 'D3DDDIFMT_Q8W8V8U8', 64: 'D3DDDIFMT_V16U16', 65: 'D3DDDIFMT_W11V11U10', 67: 'D3DDDIFMT_A2W10V10U10', 877942852: 'D3DDDIFMT_DXT4', 70: 'D3DDDIFMT_D16_LOCKABLE', 71: 'D3DDDIFMT_D32', 72: 'D3DDDIFMT_S1D15', 73: 'D3DDDIFMT_D15S1', 74: 'D3DDDIFMT_S8D24', 75: 'D3DDDIFMT_D24S8', 76: 'D3DDDIFMT_X8D24', 77: 'D3DDDIFMT_D24X8', 78: 'D3DDDIFMT_X4S4D24', 79: 'D3DDDIFMT_D24X4S4', 80: 'D3DDDIFMT_D16', 81: 'D3DDDIFMT_L16', 82: 'D3DDDIFMT_D32F_LOCKABLE', 83: 'D3DDDIFMT_D24FS8', 84: 'D3DDDIFMT_D32_LOCKABLE', 
85: 'D3DDDIFMT_S8_LOCKABLE', 100: 'D3DDDIFMT_VERTEXDATA', 101: 'D3DDDIFMT_INDEX16', 102: 'D3DDDIFMT_INDEX32', 110: 'D3DDDIFMT_Q16W16V16U16', 111: 'D3DDDIFMT_R16F', 112: 'D3DDDIFMT_G16R16F', 113: 'D3DDDIFMT_A16B16G16R16F', 114: 'D3DDDIFMT_R32F', 115: 'D3DDDIFMT_G32R32F', 116: 'D3DDDIFMT_A32B32G32R32F', 117: 'D3DDDIFMT_CxV8U8', 118: 'D3DDDIFMT_A1', 119: 'D3DDDIFMT_A2B10G10R10_XR_BIAS', 150: 'D3DDDIFMT_PICTUREPARAMSDATA', 151: 'D3DDDIFMT_MACROBLOCKDATA', 152: 'D3DDDIFMT_RESIDUALDIFFERENCEDATA', 153: 'D3DDDIFMT_DEBLOCKINGDATA', 154: 'D3DDDIFMT_INVERSEQUANTIZATIONDATA', 155: 'D3DDDIFMT_SLICECONTROLDATA', 156: 'D3DDDIFMT_BITSTREAMDATA', 157: 'D3DDDIFMT_MOTIONVECTORBUFFER', 158: 'D3DDDIFMT_FILMGRAINBUFFER', 159: 'D3DDDIFMT_DXVA_RESERVED9', 160: 'D3DDDIFMT_DXVA_RESERVED10', 161: 'D3DDDIFMT_DXVA_RESERVED11', 162: 'D3DDDIFMT_DXVA_RESERVED12', 163: 'D3DDDIFMT_DXVA_RESERVED13', 164: 'D3DDDIFMT_DXVA_RESERVED14', 165: 'D3DDDIFMT_DXVA_RESERVED15', 166: 'D3DDDIFMT_DXVA_RESERVED16', 167: 'D3DDDIFMT_DXVA_RESERVED17', 168: 'D3DDDIFMT_DXVA_RESERVED18', 169: 'D3DDDIFMT_DXVA_RESERVED19', 170: 'D3DDDIFMT_DXVA_RESERVED20', 171: 'D3DDDIFMT_DXVA_RESERVED21', 172: 'D3DDDIFMT_DXVA_RESERVED22', 173: 'D3DDDIFMT_DXVA_RESERVED23', 174: 'D3DDDIFMT_DXVA_RESERVED24', 175: 'D3DDDIFMT_DXVA_RESERVED25', 176: 'D3DDDIFMT_DXVA_RESERVED26', 177: 'D3DDDIFMT_DXVA_RESERVED27', 178: 'D3DDDIFMT_DXVA_RESERVED28', 179: 'D3DDDIFMT_DXVA_RESERVED29', 180: 'D3DDDIFMT_DXVA_RESERVED30', 181: 'D3DDDIFMT_DXVACOMPBUFFER_MAX', 844388420: 'D3DDDIFMT_DXT2', 199: 'D3DDDIFMT_BINARYBUFFER', 861165636: 'D3DDDIFMT_DXT3', 827611204: 'D3DDDIFMT_DXT1', 827606349: 'D3DDDIFMT_MULTI2_ARGB8', 1195525970: 'D3DDDIFMT_R8G8_B8G8', 1498831189: 'D3DDDIFMT_UYVY', 844715353: 'D3DDDIFMT_YUY2', 894720068: 'D3DDDIFMT_DXT5', 1111970375: 'D3DDDIFMT_G8R8_G8B8', 2147483647: 'D3DDDIFMT_FORCE_UINT'}}]], 'PixelValueAccessMode': [28, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_PVAM_UNINITIALIZED', 1: 'D3DKMDT_PVAM_DIRECT', 2: 
'D3DKMDT_PVAM_PRESETPALETTE', 3: 'D3DKMDT_PVAM_MAXVALID'}}]], 'PrimSurfSize': [0, ['_D3DKMDT_2DREGION']], 'ColorBasis': [24, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], }], '_VK_TO_WCHAR_TABLE': [0x8, { 'pVkToWchars': [0, ['pointer', ['_VK_TO_WCHARS1']]], 'cbSize': [5, ['unsigned char']], 'nModifications': [4, ['unsigned char']], }], '_TL': [0xc, { 'pfnFree': [8, ['pointer', ['void']]], 'pobj': [4, ['pointer', ['void']]], 'next': [0, ['pointer', ['_TL']]], }], '_MOVESIZEDATA': [0xdc, { 'fmsKbd': [160, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'fMoveFromMax': [160, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'fSnapMoving': [160, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'ptRestore': [152, ['tagPOINT']], 'fUsePreviewRect': [160, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'ptStartHitWindowRelative': [192, ['tagPOINT']], 'CurrentHitTarget': [176, ['Enumeration', {'target': 'long', 'choices': {0: 'ThresholdMarginTop', 1: 'ThresholdMarginLeft', 2: 'ThresholdMarginRight', 3: 'ThresholdMarginBottom', 4: 'ThresholdMarginMax'}}]], 'fHasSoftwareCursor': [160, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'fCheckPtForcefullyRestored': [160, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'fSnapMovingTemporaryAllowed': [160, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'Unused': [160, ['BitField', {'end_bit': 32, 'start_bit': 28}]], 'fOffScreen': [160, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'fWindowWasSuperMaximized': [160, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'StartCurrentHitTarget': [168, ['Enumeration', {'target': 'long', 'choices': {0: 'ThresholdMarginTop', 1: 'ThresholdMarginLeft', 2: 'ThresholdMarginRight', 3: 'ThresholdMarginBottom', 4: 'ThresholdMarginMax'}}]], 'fSnapSizing': [160, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'fIsMoveSizeLoop': [160, 
['BitField', {'end_bit': 21, 'start_bit': 20}]], 'rcPreviewCursor': [52, ['tagRECT']], 'dyMouse': [136, ['long']], 'fVerticallyMaximizedRight': [160, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'fTrackCancelled': [160, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'impx': [144, ['long']], 'impy': [148, ['long']], 'fLockWindowUpdate': [160, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'fStartVerticallyMaximizedLeft': [160, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'ptMinTrack': [84, ['tagPOINT']], 'pMonitorCurrentHitTarget': [172, ['pointer', ['tagMONITOR']]], 'rcWindow': [100, ['tagRECT']], 'pStartMonitorCurrentHitTarget': [164, ['pointer', ['tagMONITOR']]], 'cmd': [140, ['long']], 'ptMaxTrack': [92, ['tagPOINT']], 'fForceSizing': [160, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'fThresholdSelector': [160, ['BitField', {'end_bit': 18, 'start_bit': 15}]], 'MoveRectStyle': [180, ['Enumeration', {'target': 'long', 'choices': {0: 'MoveRectKeepPositionAtCursor', 1: 'MoveRectMidTopAtCursor', 2: 'MoveRectKeepAspectRatioAtCursor', 3: 'MoveRectSidewiseKeepPositionAtCursor'}}]], 'fDragFullWindows': [160, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'fForeground': [160, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'ulCountDragOutOfLeftRightTarget': [212, ['unsigned long']], 'ptLastTrack': [200, ['tagPOINT']], 'frcNormalCheckPtValid': [160, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'fIsHitPtOffScreen': [160, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'fSnapSizingTemporaryAllowed': [160, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'fInitSize': [160, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'dxMouse': [132, ['long']], 'fStartVerticallyMaximizedRight': [160, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'ulCountDragOutOfTopTarget': [208, ['unsigned long']], 'fVerticallyMaximizedLeft': [160, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'spwnd': [0, ['pointer', ['tagWND']]], 'fHasPreviewRect': [160, ['BitField', {'end_bit': 26, 
'start_bit': 25}]], 'rcPreview': [36, ['tagRECT']], 'rcDragCursor': [20, ['tagRECT']], 'Flags': [160, ['unsigned long']], 'ptHitWindowRelative': [184, ['tagPOINT']], 'rcParent': [68, ['tagRECT']], 'ulCountSizeOutOfTopBottomTarget': [216, ['unsigned long']], 'rcNormalStartCheckPt': [116, ['tagRECT']], 'rcDrag': [4, ['tagRECT']], }], '_LARGE_UNICODE_STRING': [0xc, { 'Buffer': [8, ['pointer', ['unsigned short']]], 'Length': [0, ['unsigned long']], 'MaximumLength': [4, ['BitField', {'end_bit': 31, 'start_bit': 0}]], 'bAnsi': [4, ['BitField', {'end_bit': 32, 'start_bit': 31}]], }], 'VSC_LPWSTR': [0x8, { 'vsc': [0, ['unsigned char']], 'pwsz': [4, ['pointer', ['unsigned short']]], }], '_D3DKMDT_VIDPN_PRESENT_PATH_TRANSFORMATION': [0x10, { 'Scaling': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPS_UNINITIALIZED', 1: 'D3DKMDT_VPPS_IDENTITY', 2: 'D3DKMDT_VPPS_CENTERED', 3: 'D3DKMDT_VPPS_STRETCHED', 4: 'D3DKMDT_VPPS_ASPECTRATIOCENTEREDMAX', 5: 'D3DKMDT_VPPS_CUSTOM', 253: 'D3DKMDT_VPPS_RESERVED1', 254: 'D3DKMDT_VPPS_UNPINNED', 255: 'D3DKMDT_VPPS_NOTSPECIFIED'}}]], 'RotationSupport': [12, ['_D3DKMDT_VIDPN_PRESENT_PATH_ROTATION_SUPPORT']], 'Rotation': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPR_UNINITIALIZED', 1: 'D3DKMDT_VPPR_IDENTITY', 2: 'D3DKMDT_VPPR_ROTATE90', 3: 'D3DKMDT_VPPR_ROTATE180', 4: 'D3DKMDT_VPPR_ROTATE270', 254: 'D3DKMDT_VPPR_UNPINNED', 255: 'D3DKMDT_VPPR_NOTSPECIFIED'}}]], 'ScalingSupport': [4, ['_D3DKMDT_VIDPN_PRESENT_PATH_SCALING_SUPPORT']], }], 'tagUAHMENUPOPUPMETRICS': [0x14, { 'rgcx': [0, ['array', 4, ['long']]], 'fUpdateMaxWidths': [16, ['BitField', {'end_bit': 1, 'start_bit': 0}]], }], '_THROBJHEAD': [0xc, { 'h': [0, ['pointer', ['void']]], 'pti': [8, ['pointer', ['tagTHREADINFO']]], 'cLockObj': [4, ['unsigned long']], }], '_DMM_COFUNCPATHSMODALITY_SERIALIZATION': [0x8, { 'NumPathsFromSource': [0, ['unsigned char']], 'PathAndTargetModeSetOffset': [4, ['array', 1, ['unsigned long']]], }], 'tagSBTRACK': [0x44, { 
'spwndSBNotify': [12, ['pointer', ['tagWND']]], 'hTimerSB': [40, ['unsigned long']], 'cmdSB': [36, ['unsigned long']], 'xxxpfnSB': [32, ['pointer', ['void']]], 'fTrackVert': [0, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'posNew': [56, ['long']], 'posOld': [52, ['long']], 'fCtlSB': [0, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'rcTrack': [16, ['tagRECT']], 'fTrackRecalc': [0, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'spwndSB': [8, ['pointer', ['tagWND']]], 'spwndTrack': [4, ['pointer', ['tagWND']]], 'dpxThumb': [44, ['long']], 'pxOld': [48, ['long']], 'fHitOld': [0, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'pSBCalc': [64, ['pointer', ['tagSBCALC']]], 'nBar': [60, ['long']], }], '__unnamed_18ae': [0x18, { 'Length40': [0, ['unsigned long']], 'Alignment40': [4, ['unsigned long']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], }], '__unnamed_18ac': [0xc, { 'Priority': [0, ['unsigned long']], 'Reserved1': [4, ['unsigned long']], 'Reserved2': [8, ['unsigned long']], }], '__unnamed_1217': [0x4, { 'PowerState': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'}}]], }], '__unnamed_18aa': [0x10, { 'MinBusNumber': [4, ['unsigned long']], 'Length': [0, ['unsigned long']], 'Reserved': [12, ['unsigned long']], 'MaxBusNumber': [8, ['unsigned long']], }], 'tagDPISERVERINFO': [0x18, { 'hMsgFont': [8, ['pointer', ['HFONT__']]], 'hCaptionFont': [4, ['pointer', ['HFONT__']]], 'gclBorder': [0, ['long']], 'cxMsgFontChar': [12, ['long']], 'wMaxBtnSize': [20, ['unsigned long']], 'cyMsgFontChar': [16, ['long']], }], 'tagOEMBITMAPINFO': [0x10, { 'y': [4, ['long']], 'x': [0, ['long']], 'cy': [12, ['long']], 'cx': [8, ['long']], }], '__unnamed_1787': [0xc, { 'Dma': [0, ['__unnamed_1779']], 'MessageInterrupt': [0, 
['__unnamed_1777']], 'Generic': [0, ['__unnamed_1771']], 'Memory': [0, ['__unnamed_1771']], 'BusNumber': [0, ['__unnamed_177d']], 'DeviceSpecificData': [0, ['__unnamed_177f']], 'Memory48': [0, ['__unnamed_1783']], 'Memory40': [0, ['__unnamed_1781']], 'DevicePrivate': [0, ['__unnamed_177b']], 'Memory64': [0, ['__unnamed_1785']], 'Interrupt': [0, ['__unnamed_1773']], 'Port': [0, ['__unnamed_1771']], }], '__unnamed_1785': [0xc, { 'Start': [0, ['_LARGE_INTEGER']], 'Length64': [8, ['unsigned long']], }], '__unnamed_1783': [0xc, { 'Length48': [8, ['unsigned long']], 'Start': [0, ['_LARGE_INTEGER']], }], '__unnamed_1781': [0xc, { 'Length40': [8, ['unsigned long']], 'Start': [0, ['_LARGE_INTEGER']], }], 'HICON__': [0x4, { 'unused': [0, ['long']], }], '_DMM_VIDPNTARGETMODESET_SERIALIZATION': [0x38, { 'NumModes': [0, ['unsigned char']], 'ModeSerialization': [4, ['array', 1, ['_D3DKMDT_VIDPN_TARGET_MODE']]], }], '_D3DMATRIX': [0x40, { '_33': [40, ['float']], '_42': [52, ['float']], '_43': [56, ['float']], '_44': [60, ['float']], '_34': [44, ['float']], '_14': [12, ['float']], '_13': [8, ['float']], '_12': [4, ['float']], '_11': [0, ['float']], '_41': [48, ['float']], '_31': [32, ['float']], '_24': [28, ['float']], '_32': [36, ['float']], '_22': [20, ['float']], '_23': [24, ['float']], '_21': [16, ['float']], }], '__unnamed_18a6': [0x14, { 'AffinityPolicy': [8, ['unsigned short']], 'Group': [10, ['unsigned short']], 'PriorityPolicy': [12, ['Enumeration', {'target': 'long', 'choices': {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'}}]], 'MinimumVector': [0, ['unsigned long']], 'MaximumVector': [4, ['unsigned long']], 'TargetedProcessors': [16, ['unsigned long']], }], '__unnamed_18a2': [0x18, { 'Length': [0, ['unsigned long']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'Alignment': [4, ['unsigned long']], }], '__unnamed_18a8': [0x8, { 'MinimumChannel': [0, ['unsigned long']], 
'MaximumChannel': [4, ['unsigned long']], }], 'HGESTUREINFO__': [0x4, { 'unused': [0, ['long']], }], '_VK_TO_FUNCTION_TABLE': [0x84, { 'NLSFEProcType': [1, ['unsigned char']], 'NLSFEProcSwitch': [3, ['unsigned char']], 'Vk': [0, ['unsigned char']], 'NLSFEProcCurrent': [2, ['unsigned char']], 'NLSFEProcAlt': [68, ['array', 8, ['_VK_FUNCTION_PARAM']]], 'NLSFEProc': [4, ['array', 8, ['_VK_FUNCTION_PARAM']]], }], '_DMM_VIDPNPATHANDTARGETMODESET_SERIALIZATION': [0x194, { 'PathInfo': [0, ['_D3DKMDT_VIDPN_PRESENT_PATH']], 'TargetModeSet': [348, ['_DMM_VIDPNTARGETMODESET_SERIALIZATION']], }], '__unnamed_11c5': [0x10, { 'ShareAccess': [10, ['unsigned short']], 'EaLength': [12, ['unsigned long']], 'SecurityContext': [0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options': [4, ['unsigned long']], 'FileAttributes': [8, ['unsigned short']], }], 'HDESK__': [0x4, { 'unused': [0, ['long']], }], 'VK_TO_BIT': [0x2, { 'Vk': [0, ['unsigned char']], 'ModBits': [1, ['unsigned char']], }], '__unnamed_11c9': [0x10, { 'ShareAccess': [10, ['unsigned short']], 'Reserved': [8, ['unsigned short']], 'SecurityContext': [0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options': [4, ['unsigned long']], 'Parameters': [12, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], }], 'MODIFIERS': [0x8, { 'wMaxModBits': [4, ['unsigned short']], 'pVkToBit': [0, ['pointer', ['VK_TO_BIT']]], 'ModNumber': [6, ['array', 0, ['unsigned char']]], }], 'tagIMEINFOEX': [0x15c, { 'fSysWow64Only': [344, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'wszImeFile': [184, ['array', 80, ['wchar']]], 'fLoadFlag': [72, ['long']], 'hkl': [0, ['pointer', ['HKL__']]], 'dwImeWinVersion': [80, ['unsigned long']], 'dwProdVersion': [76, ['unsigned long']], 'wszImeDescription': [84, ['array', 50, ['wchar']]], 'fCUASLayer': [344, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'ImeInfo': [4, ['tagIMEINFO']], 'wszUIClass': [32, ['array', 16, ['wchar']]], 'fInitOpen': [68, ['long']], 'fdwInitConvMode': [64, ['unsigned long']], }], 
'_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION_SUPPORT': [0x4, { 'MacroVisionFull': [0, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'MacroVisionApsTrigger': [0, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'NoProtection': [0, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'Reserved': [0, ['BitField', {'end_bit': 32, 'start_bit': 3}]], }], 'tagWND': [0xb0, { 'bEraseBackground': [20, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'spwndOwner': [60, ['pointer', ['tagWND']]], 'bWS_EX_LAYERED': [28, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'bWS_CLIPCHILDREN': [32, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'bMaximizeButtonDown': [24, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'cbwndExtra': [144, ['long']], 'bMakeVisibleWhenUnghosted': [28, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'bUIStateActive': [28, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'hMod16': [40, ['unsigned short']], 'bWS_TABSTOP': [32, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bUnused8': [32, ['BitField', {'end_bit': 18, 'start_bit': 16}]], 'bWS_EX_NOPARENTNOTIFY': [28, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'bForceFullNCPaintClipRgn': [24, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'bDialogWindow': [20, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'lpfnWndProc': [96, ['pointer', ['void']]], 'bWS_EX_RTLREADING': [28, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'bMinimizeButtonDown': [24, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'bUnused2': [28, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'bUnused3': [28, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'bUnused4': [28, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'bHasMeun': [20, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'bUnused6': [32, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bUnused7': [32, ['BitField', {'end_bit': 18, 'start_bit': 16}]], 'bWS_SIZEBOX': [32, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'style': [32, ['unsigned long']], 'ppropList': 
[108, ['pointer', ['tagPROPLIST']]], 'hrgnNewFrame': [128, ['pointer', ['HRGN__']]], 'bHasOverlay': [172, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'bUnused9': [32, ['BitField', {'end_bit': 19, 'start_bit': 16}]], 'bClipboardListener': [172, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'bScrollBarLineDownBtnDown': [24, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'bReserved3': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bRedirectedForPrint': [172, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'bWS_EX_RIGHT': [28, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'bStartPaint': [24, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'bHasCreatestructName': [20, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'bWS_EX_COMPOSITED': [28, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'bFullScreen': [24, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'spwndLastActive': [148, ['pointer', ['tagWND']]], 'hrgnUpdate': [104, ['pointer', ['HRGN__']]], 'head': [0, ['_THRDESKHEAD']], 'bConsoleWindow': [172, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'bHiddenPopup': [20, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'hrgnClip': [124, ['pointer', ['HRGN__']]], 'bWS_EX_CONTROLPARENT': [28, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bWS_EX_TOPMOST': [28, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'bSendEraseBackground': [20, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'bScrollBarLineUpBtnDown': [24, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bWin50Compat': [24, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'bRecievedQuerySuspendMsg': [20, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'bMaximizeMonitorRegion': [24, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'bLayeredLimbo': [172, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'bRedrawIfHung': [20, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'FullScreenMode': [24, ['BitField', {'end_bit': 27, 'start_bit': 24}]], 'bLayeredInvalidate': [172, ['BitField', {'end_bit': 2, 
'start_bit': 1}]], 'bVerticallyMaximizedLeft': [172, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'bWS_POPUP': [32, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'bWS_EX_CONTEXTHELP': [28, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'dwUserData': [156, ['unsigned long']], 'bDisabled': [32, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'bAnsiWindowProc': [20, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'bWin40Compat': [24, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'bWS_EX_NOINHERITLAYOUT': [28, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'rcClient': [80, ['tagRECT']], 'bAnsiCreator': [20, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'bAnyScrollButtonDown': [24, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'bWS_EX_LAYOUTRTL': [28, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'bUIStateKbdAccelHidden': [28, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'bSendSizeMoveMsgs': [20, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'spwndParent': [52, ['pointer', ['tagWND']]], 'bLinked': [172, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'bSendNCPaint': [20, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'bToggleTopmost': [20, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'bInternalPaint': [20, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'bDestroyed': [20, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'bHasClientEdge': [24, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'bServerSideWindowProc': [20, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'bCaptionTextTruncated': [24, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'rcWindow': [64, ['tagRECT']], 'bEndPaintInvalidate': [24, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'bHasPalette': [20, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'bHasHorizontalScrollbar': [20, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'bUIStateFocusRectHidden': [28, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'bReserved1': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 
'bWS_EX_COMPOSITEDCompositing': [28, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'bWS_EX_MDICHILD': [28, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'bHasVerticalScrollbar': [20, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'bReserved2': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bWMCreateMsgProcessed': [24, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'bMinimized': [32, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'bWS_EX_NOACTIVATE': [28, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'bWS_EX_APPWINDOW': [28, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'pSBInfo': [112, ['pointer', ['tagSBINFO']]], 'bSmallIconFromWMQueryDrag': [24, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'bNoNCPaint': [20, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'bCloseButtonDown': [24, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'bUnused1': [28, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'bHasSPB': [20, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'bWS_MINIMIZEBOX': [32, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'bMaximized': [32, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'bScrollBarVerticalTracking': [24, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'bWS_CHILD': [32, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'bReserved5': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bWS_EX_DLGMODALFRAME': [28, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'bWS_EX_TRANSPARENT': [28, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'spmenu': [120, ['pointer', ['tagMENU']]], 'bWS_THICKFRAME': [32, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'bPaintNotProcessed': [20, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'bSyncPaintPending': [20, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'pcls': [100, ['pointer', ['tagCLS']]], 'bLayeredForDWM': [172, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'bMsgBox': [20, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'bShellHookRegistered': [24, ['BitField', {'end_bit': 31, 
'start_bit': 30}]], 'spwndChild': [56, ['pointer', ['tagWND']]], 'bUnused5': [32, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bHelpButtonDown': [24, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'bInDestroy': [24, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'state': [20, ['unsigned long']], 'strName': [132, ['_LARGE_UNICODE_STRING']], 'spwndPrev': [48, ['pointer', ['tagWND']]], 'bRedrawFrameIfHung': [20, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'bWS_EX_LEFTSCROLLBAR': [28, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'bWS_EX_TOOLWINDOW': [28, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'bWS_VSCROLL': [32, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'bMaximizesToMonitor': [20, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'bNoMinmaxAnimatedRects': [24, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'fnid': [42, ['unsigned short']], 'ExStyle': [28, ['unsigned long']], 'bRedirected': [28, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'bActiveFrame': [20, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'bReserved4': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bWS_EX_WINDOWEDGE': [28, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'bReserved6': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bReserved7': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bWS_CLIPSIBLINGS': [32, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'bWS_EX_ACCEPTFILE': [28, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'bWS_HSCROLL': [32, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'bUpdateDirty': [20, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'bBeingActivated': [20, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'state2': [24, ['unsigned long']], 'spwndNext': [44, ['pointer', ['tagWND']]], 'bScrollBarPageDownBtnDown': [24, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'bWS_BORDER': [32, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'bWMPaintSent': [24, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 
'bScrollBarPageUpBtnDown': [24, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'pTransform': [164, ['pointer', ['_D3DMATRIX']]], 'bWS_MAXIMIZEBOX': [32, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bVisible': [32, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'bVerticallyMaximizedRight': [172, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'bWin31Compat': [24, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'bWS_EX_STATICEDGE': [28, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'bForceMenuDraw': [20, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'bForceNCPaint': [24, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'ExStyle2': [172, ['unsigned long']], 'bOldUI': [24, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'bWS_DLGFRAME': [32, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'bHIGHDPI_UNAWARE_Unused': [172, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'bWS_SYSMENU': [32, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'spwndClipboardListenerNext': [168, ['pointer', ['tagWND']]], 'hModule': [36, ['pointer', ['void']]], 'bWS_EX_NOPADDEDBORDER': [28, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'pActCtx': [160, ['pointer', ['_ACTIVATION_CONTEXT']]], 'bBottomMost': [24, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'spmenuSys': [116, ['pointer', ['tagMENU']]], 'bRecievedSuspendMsg': [20, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'bWS_EX_CLIENTEDGE': [28, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'bHasCaption': [20, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'hImc': [152, ['pointer', ['HIMC__']]], 'bChildNoActivate': [172, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'bWS_GROUP': [32, ['BitField', {'end_bit': 18, 'start_bit': 17}]], }], 'tagUAHMENUITEMMETRICS': [0x20, { 'rgsizeBar': [0, ['array', 2, ['tagSIZE']]], 'rgsizePopup': [0, ['array', 4, ['tagSIZE']]], }], '__unnamed_11cd': [0x10, { 'ShareAccess': [10, ['unsigned short']], 'Reserved': [8, ['unsigned short']], 'SecurityContext': [0, ['pointer', 
['_IO_SECURITY_CONTEXT']]], 'Options': [4, ['unsigned long']], 'Parameters': [12, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], }], '__unnamed_11cf': [0x10, { 'Length': [0, ['unsigned long']], 'ByteOffset': [8, ['_LARGE_INTEGER']], 'Key': [4, ['unsigned long']], }], '_DXGK_DIAG_CODE_POINT_PACKET': [0x40, { 'Header': [0, ['_DXGK_DIAG_HEADER']], 'Param3': [60, ['unsigned long']], 'Param1': [52, ['unsigned long']], 'CodePointType': [48, ['Enumeration', {'target': 'long', 'choices': {0: 'DXGK_DIAG_CODE_POINT_TYPE_NONE', 1: 'DXGK_DIAG_CODE_POINT_TYPE_RECOMMEND_FUNC_VIDPN', 2: 'DXGK_DIAG_CODE_POINT_TYPE_OS_RECOMMENDED_VIDPN', 3: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_LOG_FAILURE', 4: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_INVALIDATE_ERROR', 5: 'DXGK_DIAG_CODE_POINT_TYPE_CDS_LOG_FAILURE', 7: 'DXGK_DIAG_CODE_POINT_TYPE_CDS_FAILURE_DB', 8: 'DXGK_DIAG_CODE_POINT_TYPE_RETRIEVE_BTL', 9: 'DXGK_DIAG_CODE_POINT_TYPE_RETRIEVE_DB', 10: 'DXGK_DIAG_CODE_POINT_TYPE_QDC_LOG_FAILURE', 11: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_ON_GDI', 12: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_OFF_GDI', 13: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_ON_MONITOR', 14: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_OFF_MONITOR', 15: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_DIM_MONITOR', 16: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_UNDIM_MONITOR', 17: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BACKTRACK', 18: 'DXGK_DIAG_CODE_POINT_TYPE_BML_CLOSEST_TARGET_MODE', 19: 'DXGK_DIAG_CODE_POINT_TYPE_BML_NO_EXACT_SOURCE_MODE', 20: 'DXGK_DIAG_CODE_POINT_TYPE_BML_NO_EXACT_TARGET_MODE', 21: 'DXGK_DIAG_CODE_POINT_TYPE_BML_SOURCE_MODE_NOT_PINNED', 22: 'DXGK_DIAG_CODE_POINT_TYPE_BML_TARGET_MODE_NOT_PINNED', 23: 'DXGK_DIAG_CODE_POINT_TYPE_BML_RESTARTED', 24: 'DXGK_DIAG_CODE_POINT_TYPE_TDR', 25: 'DXGK_DIAG_CODE_POINT_TYPE_ACPI_EVENT_NOTIFICATION', 26: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEMDEV_USE_DEFAULT_MODE', 27: 'DXGK_DIAG_CODE_POINT_TYPE_CONNECTED_SET_LOG_FAILURE', 28: 'DXGK_DIAG_CODE_POINT_TYPE_INVALIDATE_DXGK_MODE_CACHE', 29: 'DXGK_DIAG_CODE_POINT_TYPE_REBUILD_DXGK_MODE_CACHE', 30: 
'DXGK_DIAG_CODE_POINT_TYPE_CREATEFUNVIDPN_RELAX_REFRESH_MATCH', 31: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEFUNVIDPN_CCDBML_FAIL_VISTABML_SUCCESSED', 32: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BEST_SOURCE_MODE', 33: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BEST_TARGET_MODE', 34: 'DXGK_DIAG_CODE_POINT_TYPE_ADD_DEVICE', 35: 'DXGK_DIAG_CODE_POINT_TYPE_START_ADAPTER', 36: 'DXGK_DIAG_CODE_POINT_TYPE_STOP_ADAPTER', 37: 'DXGK_DIAG_CODE_POINT_TYPE_CHILD_POLLING', 38: 'DXGK_DIAG_CODE_POINT_TYPE_CHILD_POLLING_TARGET', 39: 'DXGK_DIAG_CODE_POINT_TYPE_INDICATE_CHILD_STATUS', 40: 'DXGK_DIAG_CODE_POINT_TYPE_HANDLE_IRP', 41: 'DXGK_DIAG_CODE_POINT_TYPE_CHANGE_UNSUPPORTED_MONITOR_MODE_FLAG', 42: 'DXGK_DIAG_CODE_POINT_TYPE_ACPI_NOTIFY_CALLBACK', 43: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_EVICTALL_DISABLEGDI', 44: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_EVICTALL_ENABLEGDI', 45: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_MODESWITCH', 46: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_SYNC_MONITOR_EVENT', 47: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_PNP_NOTIFY_GDI', 48: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_PNP_ENABLE_VGA', 49: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_TDR_SWITCH_GDI', 50: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_CREATE_DEVICE_FAILED', 51: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_DEVICE_REMOVED', 52: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_DRVASSERTMODE_TRUE_FAILED', 53: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_RECREATE_DEVICE_FAILED', 54: 'DXGK_DIAG_CODE_POINT_TYPE_CDD_MAPSHADOWBUFFER_FAILED', 55: 'DXGK_DIAG_CODE_POINT_TYPE_COMMIT_VIDPN_LOG_FAILURE', 56: 'DXGK_DIAG_CODE_POINT_TYPE_DRIVER_RECOMMEND_LOG_FAILURE', 57: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_ENFORCED_CLONE_PATH_INVALID_SOURCE_IDX', 58: 'DXGK_DIAG_CODE_POINT_TYPE_DRVPROBEANDCAPTURE_FAILED', 59: 'DXGK_DIAG_CODE_POINT_TYPE_DXGKCDDENABLE_OPTIMIZED_MODE_CHANGE', 60: 'DXGK_DIAG_CODE_POINT_TYPE_DXGKSETDISPLAYMODE_OPTIMIZED_MODE_CHANGE', 61: 
'DXGK_DIAG_CODE_POINT_TYPE_MON_DEPART_GETRECENTTOP_FAIL', 62: 'DXGK_DIAG_CODE_POINT_TYPE_MON_ARRIVE_INC_ADD_FAIL', 63: 'DXGK_DIAG_CODE_POINT_TYPE_CCD_DATABASE_PERSIST', 64: 'DXGK_DIAG_CODE_POINT_TYPE_MAX', -1: 'DXGK_DIAG_CODE_POINT_TYPE_FORCE_UINT32'}}]], 'Param2': [56, ['unsigned long']], }], 'tagW32JOB': [0x28, { 'restrictions': [12, ['unsigned long']], 'Job': [4, ['pointer', ['_EJOB']]], 'ughCrt': [28, ['unsigned long']], 'pgh': [36, ['pointer', ['unsigned long']]], 'ppiTable': [24, ['pointer', ['pointer', ['tagPROCESSINFO']]]], 'ughMax': [32, ['unsigned long']], 'pAtomTable': [8, ['pointer', ['void']]], 'uProcessCount': [16, ['unsigned long']], 'uMaxProcesses': [20, ['unsigned long']], 'pNext': [0, ['pointer', ['tagW32JOB']]], }], 'tagMBSTRING': [0x28, { 'szName': [0, ['array', 15, ['wchar']]], 'uID': [32, ['unsigned long']], 'uStr': [36, ['unsigned long']], }], '_D3DKMDT_VIDPN_TARGET_MODE': [0x34, { 'VideoSignalInfo': [4, ['_D3DKMDT_VIDEO_SIGNAL_INFO']], 'Id': [0, ['unsigned long']], 'Preference': [48, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MP_UNINITIALIZED', 1: 'D3DKMDT_MP_PREFERRED', 2: 'D3DKMDT_MP_MAXVALID'}}]], }], 'tagDESKTOP': [0x84, { 'spmenuVScroll': [40, ['pointer', ['tagMENU']]], 'dwMouseHoverTime': [124, ['unsigned long']], 'rpwinstaParent': [16, ['pointer', ['tagWINDOWSTATION']]], 'spmenuDialogSys': [32, ['pointer', ['tagMENU']]], 'spwndForeground': [44, ['pointer', ['tagWND']]], 'spmenuHScroll': [36, ['pointer', ['tagMENU']]], 'spwndTooltip': [56, ['pointer', ['tagWND']]], 'dwSessionId': [0, ['unsigned long']], 'pDeskInfo': [4, ['pointer', ['tagDESKTOPINFO']]], 'spwndMessage': [52, ['pointer', ['tagWND']]], 'cciConsole': [72, ['_CONSOLE_CARET_INFO']], 'PtiList': [92, ['_LIST_ENTRY']], 'spwndTray': [48, ['pointer', ['tagWND']]], 'rpdeskNext': [12, ['pointer', ['tagDESKTOP']]], 'dwDTFlags': [20, ['unsigned long']], 'pMagInputTransform': [128, ['pointer', ['_MAGNIFICATION_INPUT_TRANSFORM']]], 'spwndTrack': [100, ['pointer', 
['tagWND']]], 'htEx': [104, ['long']], 'ulHeapSize': [68, ['unsigned long']], 'pheapDesktop': [64, ['pointer', ['tagWIN32HEAP']]], 'hsectionDesktop': [60, ['pointer', ['void']]], 'rcMouseHover': [108, ['tagRECT']], 'dwDesktopId': [24, ['unsigned long']], 'spmenuSys': [28, ['pointer', ['tagMENU']]], 'pDispInfo': [8, ['pointer', ['tagDISPLAYINFO']]], }], 'tagPOOLRECORD': [0x20, { 'ExtraData': [0, ['pointer', ['void']]], 'trace': [8, ['array', 6, ['pointer', ['void']]]], 'size': [4, ['unsigned long']], }], 'tagSPB': [0x28, { 'hbm': [8, ['pointer', ['HBITMAP__']]], 'hrgn': [28, ['pointer', ['HRGN__']]], 'ulSaveId': [36, ['unsigned long']], 'flags': [32, ['unsigned long']], 'rc': [12, ['tagRECT']], 'pspbNext': [0, ['pointer', ['tagSPB']]], 'spwnd': [4, ['pointer', ['tagWND']]], }], '_DMM_COMMITVIDPNREQUEST_DIAGINFO': [0xc, { 'ForceAllActiveVidPnModeListInvalidation': [4, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'ClientType': [0, ['BitField', {'end_bit': 4, 'start_bit': 0}]], 'VidPnChange': [0, ['BitField', {'end_bit': 8, 'start_bit': 4}]], 'ModeChangeRequestId': [8, ['unsigned long']], 'ReclaimClonedTarget': [4, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'CleanupAfterFailedCommitVidPn': [4, ['BitField', {'end_bit': 2, 'start_bit': 1}]], }], 'HFONT__': [0x4, { 'unused': [0, ['long']], }], 'tagTEXTMETRICW': [0x3c, { 'tmCharSet': [56, ['unsigned char']], 'tmDigitizedAspectY': [40, ['long']], 'tmStruckOut': [54, ['unsigned char']], 'tmItalic': [52, ['unsigned char']], 'tmDigitizedAspectX': [36, ['long']], 'tmWeight': [28, ['long']], 'tmFirstChar': [44, ['wchar']], 'tmOverhang': [32, ['long']], 'tmDescent': [8, ['long']], 'tmPitchAndFamily': [55, ['unsigned char']], 'tmDefaultChar': [48, ['wchar']], 'tmLastChar': [46, ['wchar']], 'tmBreakChar': [50, ['wchar']], 'tmMaxCharWidth': [24, ['long']], 'tmUnderlined': [53, ['unsigned char']], 'tmInternalLeading': [12, ['long']], 'tmAscent': [4, ['long']], 'tmHeight': [0, ['long']], 'tmAveCharWidth': [20, ['long']], 
'tmExternalLeading': [16, ['long']], }], '_KLIST_ENTRY': [0x8, { 'Flink': [0, ['pointer', ['_KLIST_ENTRY']]], 'Blink': [4, ['pointer', ['_KLIST_ENTRY']]], }], '__unnamed_1244': [0x28, { 'Wcb': [0, ['_WAIT_CONTEXT_BLOCK']], 'ListEntry': [0, ['_LIST_ENTRY']], }], 'tagPROP': [0x8, { 'fs': [6, ['unsigned short']], 'hData': [0, ['pointer', ['void']]], 'atomKey': [4, ['unsigned short']], }], 'tagCLIENTTHREADINFO': [0x10, { 'fsWakeMask': [10, ['unsigned short']], 'CTIF_flags': [0, ['unsigned long']], 'fsWakeBits': [6, ['unsigned short']], 'fsWakeBitsJournal': [8, ['unsigned short']], 'fsChangeBits': [4, ['unsigned short']], 'tickLastMsgChecked': [12, ['unsigned long']], }], 'tagKbdNlsLayer': [0x14, { 'OEMIdentifier': [0, ['unsigned short']], 'NumOfVkToF': [4, ['unsigned long']], 'pusMouseVKey': [16, ['pointer', ['unsigned short']]], 'NumOfMouseVKey': [12, ['long']], 'pVkToF': [8, ['pointer', ['_VK_TO_FUNCTION_TABLE']]], 'LayoutInformation': [2, ['unsigned short']], }], 'HBITMAP__': [0x4, { 'unused': [0, ['long']], }], '__unnamed_11fe': [0x4, { 'Capabilities': [0, ['pointer', ['_DEVICE_CAPABILITIES']]], }], '__unnamed_18b2': [0x18, { 'Length64': [0, ['unsigned long']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'Alignment64': [4, ['unsigned long']], }], '__unnamed_11fa': [0x10, { 'Interface': [8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData': [12, ['pointer', ['void']]], 'Version': [6, ['unsigned short']], 'InterfaceType': [0, ['pointer', ['_GUID']]], 'Size': [4, ['unsigned short']], }], 'tagPROCESS_HID_TABLE': [0x38, { 'UsagePageLast': [48, ['unsigned short']], 'fExclusiveMouseSink': [52, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'fRawKeyboardSink': [52, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'fAppKeys': [52, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'fCaptureMouse': [52, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'fNoLegacyMouse': [52, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'UsageLast': 
[50, ['unsigned short']], 'fRawKeyboard': [52, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'fNoLegacyKeyboard': [52, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'nSinks': [40, ['long']], 'fNoHotKeys': [52, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'spwndTargetMouse': [32, ['pointer', ['tagWND']]], 'spwndTargetKbd': [36, ['pointer', ['tagWND']]], 'UsagePageList': [16, ['_LIST_ENTRY']], 'link': [0, ['_LIST_ENTRY']], 'fExclusiveKeyboardSink': [52, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'pLastRequest': [44, ['pointer', ['tagPROCESS_HID_REQUEST']]], 'ExclusionList': [24, ['_LIST_ENTRY']], 'fRawMouse': [52, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'fRawMouseSink': [52, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'InclusionList': [8, ['_LIST_ENTRY']], }], '_KFLOATING_SAVE': [0x20, { 'ErrorOffset': [8, ['unsigned long']], 'DataOffset': [16, ['unsigned long']], 'ControlWord': [0, ['unsigned long']], 'DataSelector': [20, ['unsigned long']], 'Cr0NpxState': [24, ['unsigned long']], 'StatusWord': [4, ['unsigned long']], 'Spare1': [28, ['unsigned long']], 'ErrorSelector': [12, ['unsigned long']], }], 'tagRECT': [0x10, { 'top': [4, ['long']], 'right': [8, ['long']], 'bottom': [12, ['long']], 'left': [0, ['long']], }], '__unnamed_17ff': [0x20, { 'Text': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_TRF_UNINITIALIZED'}}]], 'Graphics': [0, ['_D3DKMDT_GRAPHICS_RENDERING_FORMAT']], }], 'HBRUSH__': [0x4, { 'unused': [0, ['long']], }], '_TLSPRITESTATE': [0x60, { 'flOriginalSurfFlags': [4, ['unsigned long']], 'iSpriteType': [16, ['unsigned long']], 'pfnSaveScreenBits': [84, ['pointer', ['void']]], 'bInsideDriverCall': [0, ['unsigned char']], 'pfnStrokePath': [36, ['pointer', ['void']]], 'pfnTransparentBlt': [68, ['pointer', ['void']]], 'pfnPaint': [44, ['pointer', ['void']]], 'pfnFillPath': [40, ['pointer', ['void']]], 'pfnStretchBltROP': [88, ['pointer', ['void']]], 'iType': [24, ['unsigned long']], 'pfnPlgBlt': [76, ['pointer', ['void']]], 
'pfnCopyBits': [52, ['pointer', ['void']]], 'pState': [28, ['pointer', ['void']]], 'iOriginalType': [8, ['unsigned long']], 'pfnTextOut': [60, ['pointer', ['void']]], 'pfnDrawStream': [92, ['pointer', ['void']]], 'pfnStrokeAndFillPath': [32, ['pointer', ['void']]], 'pfnLineTo': [64, ['pointer', ['void']]], 'pfnStretchBlt': [56, ['pointer', ['void']]], 'pfnGradientFill': [80, ['pointer', ['void']]], 'pfnAlphaBlend': [72, ['pointer', ['void']]], 'flags': [20, ['unsigned long']], 'flSpriteSurfFlags': [12, ['unsigned long']], 'pfnBitBlt': [48, ['pointer', ['void']]], }], 'tagSMS': [0x3c, { 'wParam': [40, ['unsigned long']], 'lParam': [44, ['long']], 'lRet': [28, ['long']], 'psmsReceiveNext': [4, ['pointer', ['tagSMS']]], 'tSent': [32, ['unsigned long']], 'psmsNext': [0, ['pointer', ['tagSMS']]], 'ptiCallBackSender': [24, ['pointer', ['tagTHREADINFO']]], 'ptiReceiver': [12, ['pointer', ['tagTHREADINFO']]], 'lpResultCallBack': [16, ['pointer', ['void']]], 'message': [48, ['unsigned long']], 'dwData': [20, ['unsigned long']], 'ptiSender': [8, ['pointer', ['tagTHREADINFO']]], 'flags': [36, ['unsigned long']], 'pvCapture': [56, ['pointer', ['void']]], 'spwnd': [52, ['pointer', ['tagWND']]], }], '_D3DKMDT_FREQUENCY_RANGE': [0x20, { 'MinVSyncFreq': [0, ['_D3DDDI_RATIONAL']], 'MaxVSyncFreq': [8, ['_D3DDDI_RATIONAL']], 'MaxHSyncFreq': [24, ['_D3DDDI_RATIONAL']], 'MinHSyncFreq': [16, ['_D3DDDI_RATIONAL']], }], '__unnamed_11f4': [0x4, { 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'}}]], }], '__unnamed_11f0': [0x4, { 'Srb': [0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], }], 'HRGN__': [0x4, { 'unused': [0, ['long']], }], 'tagSIZE': [0x8, { 'cy': [4, ['long']], 'cx': [0, ['long']], }], 'tagDESKTOPVIEW': [0xc, { 'ulClientDelta': [8, ['unsigned long']], 'pdesk': [4, ['pointer', ['tagDESKTOP']]], 'pdvNext': [0, 
['pointer', ['tagDESKTOPVIEW']]], }], '__unnamed_120a': [0x4, { 'IdType': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'}}]], }], '__unnamed_120e': [0x8, { 'DeviceTextType': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'}}]], 'LocaleId': [4, ['unsigned long']], }], '_DMM_VIDPNPATHSFROMSOURCE_SERIALIZATION': [0x1bc, { 'PathAndTargetModeSerialization': [44, ['array', 1, ['_DMM_VIDPNPATHANDTARGETMODE_SERIALIZATION']]], 'NumPathsFromSource': [40, ['unsigned char']], 'SourceMode': [0, ['_D3DKMDT_VIDPN_SOURCE_MODE']], }], '_D3DDDI_GAMMA_RAMP_RGB256x3x16': [0x600, { 'Blue': [1024, ['array', 256, ['unsigned short']]], 'Green': [512, ['array', 256, ['unsigned short']]], 'Red': [0, ['array', 256, ['unsigned short']]], }], '_CALLPROCDATA': [0x20, { 'head': [0, ['_PROCDESKHEAD']], 'pfnClientPrevious': [24, ['unsigned long']], 'wType': [28, ['unsigned short']], 'spcpdNext': [20, ['pointer', ['_CALLPROCDATA']]], }], '_D3DDDI_RATIONAL': [0x8, { 'Denominator': [4, ['unsigned long']], 'Numerator': [0, ['unsigned long']], }], '_PFNCLIENT': [0x5c, { 'pfnDispatchDefWindowProc': [80, ['pointer', ['void']]], 'pfnStaticWndProc': [56, ['pointer', ['void']]], 'pfnDispatchHook': [76, ['pointer', ['void']]], 'pfnDesktopWndProc': [12, ['pointer', ['void']]], 'pfnImeWndProc': [60, ['pointer', ['void']]], 'pfnScrollBarWndProc': [0, ['pointer', ['void']]], 'pfnEditWndProc': [44, ['pointer', ['void']]], 'pfnGhostWndProc': [64, ['pointer', ['void']]], 'pfnMessageWindowProc': [20, ['pointer', ['void']]], 'pfnSwitchWindowProc': [24, ['pointer', ['void']]], 'pfnComboListBoxProc': [36, ['pointer', ['void']]], 'pfnComboBoxWndProc': [32, ['pointer', ['void']]], 'pfnMDIClientWndProc': [52, ['pointer', ['void']]], 'pfnDialogWndProc': [40, ['pointer', ['void']]], 
'pfnHkINLPCWPSTRUCT': [68, ['pointer', ['void']]], 'pfnTitleWndProc': [4, ['pointer', ['void']]], 'pfnHkINLPCWPRETSTRUCT': [72, ['pointer', ['void']]], 'pfnButtonWndProc': [28, ['pointer', ['void']]], 'pfnMenuWndProc': [8, ['pointer', ['void']]], 'pfnListBoxWndProc': [48, ['pointer', ['void']]], 'pfnDispatchMessage': [84, ['pointer', ['void']]], 'pfnDefWindowProc': [16, ['pointer', ['void']]], 'pfnMDIActivateDlgProc': [88, ['pointer', ['void']]], }], '_THRDESKHEAD': [0x14, { 'h': [0, ['pointer', ['void']]], 'pSelf': [16, ['pointer', ['unsigned char']]], 'rpdesk': [12, ['pointer', ['tagDESKTOP']]], 'pti': [8, ['pointer', ['tagTHREADINFO']]], 'cLockObj': [4, ['unsigned long']], }], 'tagSVR_INSTANCE_INFO': [0x20, { 'head': [0, ['_THROBJHEAD']], 'next': [12, ['pointer', ['tagSVR_INSTANCE_INFO']]], 'nextInThisThread': [16, ['pointer', ['tagSVR_INSTANCE_INFO']]], 'spwndEvent': [24, ['pointer', ['tagWND']]], 'afCmd': [20, ['unsigned long']], 'pcii': [28, ['pointer', ['void']]], }], '_D3DKMDT_MONITOR_SOURCE_MODE': [0x4c, { 'Origin': [68, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'VideoSignalInfo': [4, ['_D3DKMDT_VIDEO_SIGNAL_INFO']], 'ColorCoeffDynamicRanges': [52, ['_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES']], 'Preference': [72, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MP_UNINITIALIZED', 1: 'D3DKMDT_MP_PREFERRED', 2: 'D3DKMDT_MP_MAXVALID'}}]], 'Id': [0, ['unsigned long']], 'ColorBasis': [48, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], }], 'VWPL': [0x10, { 'fTagged': [12, ['long']], 'cElem': [4, ['unsigned long']], 'cThreshhold': [8, ['unsigned long']], 'aElement': 
[16, ['array', 0, ['VWPLELEMENT']]], 'cPwnd': [0, ['unsigned long']], }], 'tagCURSOR': [0x54, { 'rt': [30, ['unsigned short']], 'head': [0, ['_PROCMARKHEAD']], 'hbmUserAlpha': [68, ['pointer', ['HBITMAP__']]], 'cx': [76, ['unsigned long']], 'xHotspot': [36, ['short']], 'hbmColor': [44, ['pointer', ['HBITMAP__']]], 'pcurNext': [16, ['pointer', ['tagCURSOR']]], 'CURSORF_flags': [32, ['unsigned long']], 'hbmMask': [40, ['pointer', ['HBITMAP__']]], 'bpp': [72, ['unsigned long']], 'cy': [80, ['unsigned long']], 'strName': [20, ['_UNICODE_STRING']], 'rcBounds': [52, ['tagRECT']], 'atomModName': [28, ['unsigned short']], 'hbmAlpha': [48, ['pointer', ['HBITMAP__']]], 'yHotspot': [38, ['short']], }], '__unnamed_1202': [0x4, { 'IoResourceRequirementList': [0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], }], '__unnamed_1206': [0x1, { 'Lock': [0, ['unsigned char']], }], '__unnamed_1204': [0x10, { 'Buffer': [4, ['pointer', ['void']]], 'WhichSpace': [0, ['unsigned long']], 'Length': [12, ['unsigned long']], 'Offset': [8, ['unsigned long']], }], 'HKL__': [0x4, { 'unused': [0, ['long']], }], 'tagDCE': [0x30, { 'hrgnClipPublic': [24, ['pointer', ['HRGN__']]], 'pdceNext': [0, ['pointer', ['tagDCE']]], 'hrgnSavedVis': [28, ['pointer', ['HRGN__']]], 'pwndRedirect': [16, ['pointer', ['tagWND']]], 'pMonitor': [44, ['pointer', ['tagMONITOR']]], 'ppiOwner': [40, ['pointer', ['tagPROCESSINFO']]], 'pwndOrg': [8, ['pointer', ['tagWND']]], 'hrgnClip': [20, ['pointer', ['HRGN__']]], 'hdc': [4, ['pointer', ['HDC__']]], 'ptiOwner': [36, ['pointer', ['tagTHREADINFO']]], 'DCX_flags': [32, ['unsigned long']], 'pwndClip': [12, ['pointer', ['tagWND']]], }], 'tagPROCESS_HID_REQUEST': [0x18, { 'link': [0, ['_LIST_ENTRY']], 'fExclusiveOrphaned': [12, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'spwndTarget': [20, ['pointer', ['tagWND']]], 'fSinkable': [12, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'pTLCInfo': [16, ['pointer', ['tagHID_TLC_INFO']]], 'fDevNotify': [12, ['BitField', 
{'end_bit': 3, 'start_bit': 2}]], 'fExSinkable': [12, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'usUsage': [10, ['unsigned short']], 'ptr': [16, ['pointer', ['void']]], 'pPORequest': [16, ['pointer', ['tagHID_PAGEONLY_REQUEST']]], 'usUsagePage': [8, ['unsigned short']], }], 'tagWOWTHREADINFO': [0x18, { 'pwtiNext': [0, ['pointer', ['tagWOWTHREADINFO']]], 'pIdleEvent': [16, ['pointer', ['_KEVENT']]], 'idParentProcess': [12, ['unsigned long']], 'fAssigned': [20, ['long']], 'idWaitObject': [8, ['unsigned long']], 'idTask': [4, ['unsigned long']], }], '__unnamed_11bb': [0x28, { 'AuxiliaryBuffer': [20, ['pointer', ['unsigned char']]], 'Thread': [16, ['pointer', ['_ETHREAD']]], 'OriginalFileObject': [36, ['pointer', ['_FILE_OBJECT']]], 'DeviceQueueEntry': [0, ['_KDEVICE_QUEUE_ENTRY']], 'PacketType': [32, ['unsigned long']], 'CurrentStackLocation': [32, ['pointer', ['_IO_STACK_LOCATION']]], 'ListEntry': [24, ['_LIST_ENTRY']], 'DriverContext': [0, ['array', 4, ['pointer', ['void']]]], }], '__unnamed_11be': [0x30, { 'Apc': [0, ['_KAPC']], 'CompletionKey': [0, ['pointer', ['void']]], 'Overlay': [0, ['__unnamed_11bb']], }], 'tagSBDATA': [0x10, { 'posMax': [4, ['long']], 'posMin': [0, ['long']], 'page': [8, ['long']], 'pos': [12, ['long']], }], 'tagIMEINFO': [0x1c, { 'fdwProperty': [4, ['unsigned long']], 'fdwSelectCaps': [24, ['unsigned long']], 'fdwUICaps': [16, ['unsigned long']], 'dwPrivateDataSize': [0, ['unsigned long']], 'fdwSCSCaps': [20, ['unsigned long']], 'fdwSentenceCaps': [12, ['unsigned long']], 'fdwConversionCaps': [8, ['unsigned long']], }], '_D3DKMDT_VIDPN_SOURCE_MODE': [0x28, { 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_RMT_UNINITIALIZED', 1: 'D3DKMDT_RMT_GRAPHICS', 2: 'D3DKMDT_RMT_TEXT'}}]], 'Id': [0, ['unsigned long']], 'Format': [8, ['__unnamed_17ff']], }], '_PROCMARKHEAD': [0x10, { 'h': [0, ['pointer', ['void']]], 'ppi': [12, ['pointer', ['tagPROCESSINFO']]], 'hTaskWow': [8, ['unsigned long']], 'cLockObj': [4, ['unsigned 
long']], }], 'tagKBDFILE': [0x5c, { 'head': [0, ['_HEAD']], 'awchDllName': [28, ['array', 32, ['wchar']]], 'pKbdTbl': [16, ['pointer', ['tagKbdLayer']]], 'pkfNext': [8, ['pointer', ['tagKBDFILE']]], 'pKbdNlsTbl': [24, ['pointer', ['tagKbdNlsLayer']]], 'hBase': [12, ['pointer', ['void']]], 'Size': [20, ['unsigned long']], }], 'tagCLIENTINFO': [0x8c, { 'msgDbcsCB': [108, ['tagMSG']], 'dwCompatFlags': [12, ['unsigned long']], 'achDbcsCF': [106, ['array', 2, ['unsigned char']]], 'dwTIFlags': [20, ['unsigned long']], 'pClientThreadInfo': [60, ['pointer', ['tagCLIENTTHREADINFO']]], 'CodePage': [104, ['unsigned short']], 'dwKeyCache': [68, ['unsigned long']], 'dwHookCurrent': [52, ['unsigned long']], 'afAsyncKeyStateRecentDown': [92, ['array', 8, ['unsigned char']]], 'dwCompatFlags2': [16, ['unsigned long']], 'fsHooks': [36, ['unsigned long']], 'ulClientDelta': [28, ['unsigned long']], 'pDeskInfo': [24, ['pointer', ['tagDESKTOPINFO']]], 'dwExpWinVer': [8, ['unsigned long']], 'dwHookData': [64, ['unsigned long']], 'afAsyncKeyState': [84, ['array', 8, ['unsigned char']]], 'CallbackWnd': [40, ['_CALLBACKWND']], 'lpdwRegisteredClasses': [136, ['pointer', ['unsigned long']]], 'cInDDEMLCallback': [56, ['long']], 'cSpins': [4, ['unsigned long']], 'hKL': [100, ['pointer', ['HKL__']]], 'dwAsyncKeyCache': [80, ['unsigned long']], 'afKeyState': [72, ['array', 8, ['unsigned char']]], 'CI_flags': [0, ['unsigned long']], 'phkCurrent': [32, ['pointer', ['tagHOOK']]], }], 'tagCLS': [0x5c, { 'spcur': [72, ['pointer', ['tagCURSOR']]], 'cbwndExtra': [60, ['long']], 'pclsClone': [40, ['pointer', ['tagCLS']]], 'lpszClientAnsiMenuName': [24, ['pointer', ['unsigned char']]], 'pclsBase': [36, ['pointer', ['tagCLS']]], 'atomNVClassName': [6, ['unsigned short']], 'style': [48, ['unsigned long']], 'pclsNext': [0, ['pointer', ['tagCLS']]], 'CSF_flags': [22, ['unsigned short']], 'lpfnWndProc': [52, ['pointer', ['void']]], 'lpszAnsiClassName': [84, ['pointer', ['unsigned char']]], 'spcpdFirst': [32, 
['pointer', ['_CALLPROCDATA']]], 'lpszClientUnicodeMenuName': [28, ['pointer', ['unsigned short']]], 'cbclsExtra': [56, ['long']], 'lpszMenuName': [80, ['pointer', ['unsigned short']]], 'spicnSm': [88, ['pointer', ['tagCURSOR']]], 'hTaskWow': [20, ['unsigned short']], 'cWndReferenceCount': [44, ['long']], 'hbrBackground': [76, ['pointer', ['HBRUSH__']]], 'spicn': [68, ['pointer', ['tagCURSOR']]], 'fnid': [8, ['unsigned short']], 'pdce': [16, ['pointer', ['tagDCE']]], 'hModule': [64, ['pointer', ['void']]], 'rpdeskParent': [12, ['pointer', ['tagDESKTOP']]], 'atomClassName': [4, ['unsigned short']], }], '_DMM_VIDPN_SERIALIZATION': [0xc, { 'PathsFromSourceSerializationOffsets': [8, ['array', 1, ['unsigned long']]], 'NumActiveSources': [4, ['unsigned char']], 'Size': [0, ['unsigned long']], }], 'tagHID_PAGEONLY_REQUEST': [0x10, { 'usUsagePage': [8, ['unsigned short']], 'link': [0, ['_LIST_ENTRY']], 'cRefCount': [12, ['unsigned long']], }], 'tagWINDOWSTATION': [0x58, { 'pClipBase': [44, ['pointer', ['tagCLIP']]], 'dwSessionId': [0, ['unsigned long']], 'cNumClipFormats': [48, ['unsigned long']], 'luidUser': [76, ['_LUID']], 'pGlobalAtomTable': [64, ['pointer', ['void']]], 'ptiClipLock': [24, ['pointer', ['tagTHREADINFO']]], 'dwWSF_Flags': [16, ['unsigned long']], 'rpdeskList': [8, ['pointer', ['tagDESKTOP']]], 'spklList': [20, ['pointer', ['tagKL']]], 'spwndClipOpen': [32, ['pointer', ['tagWND']]], 'luidEndSession': [68, ['_LUID']], 'pTerm': [12, ['pointer', ['tagTERMINAL']]], 'rpwinstaNext': [4, ['pointer', ['tagWINDOWSTATION']]], 'spwndClipboardListener': [60, ['pointer', ['tagWND']]], 'spwndClipViewer': [36, ['pointer', ['tagWND']]], 'iClipSequenceNumber': [56, ['unsigned long']], 'ptiDrawingClipboard': [28, ['pointer', ['tagTHREADINFO']]], 'spwndClipOwner': [40, ['pointer', ['tagWND']]], 'psidUser': [84, ['pointer', ['void']]], 'iClipSerialNumber': [52, ['unsigned long']], }], '__unnamed_11e4': [0x10, { 'Type3InputBuffer': [12, ['pointer', ['void']]], 
'OutputBufferLength': [0, ['unsigned long']], 'IoControlCode': [8, ['unsigned long']], 'InputBufferLength': [4, ['unsigned long']], }], '__unnamed_11e2': [0x10, { 'Length': [0, ['pointer', ['_LARGE_INTEGER']]], 'ByteOffset': [8, ['_LARGE_INTEGER']], 'Key': [4, ['unsigned long']], }], '__unnamed_163c': [0x8, { 'Attrib': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'WCA_UNDEFINED', 1: 'WCA_NCRENDERING_ENABLED', 2: 'WCA_NCRENDERING_POLICY', 3: 'WCA_TRANSITIONS_FORCEDISABLED', 4: 'WCA_ALLOW_NCPAINT', 5: 'WCA_CAPTION_BUTTON_BOUNDS', 6: 'WCA_NONCLIENT_RTL_LAYOUT', 7: 'WCA_FORCE_ICONIC_REPRESENTATION', 8: 'WCA_FLIP3D_POLICY', 9: 'WCA_EXTENDED_FRAME_BOUNDS', 10: 'WCA_HAS_ICONIC_BITMAP', 11: 'WCA_THEME_ATTRIBUTES', 12: 'WCA_NCRENDERING_EXILED', 13: 'WCA_NCADORNMENTINFO', 14: 'WCA_EXCLUDED_FROM_LIVEPREVIEW', 15: 'WCA_VIDEO_OVERLAY_ACTIVE', 16: 'WCA_FORCE_ACTIVEWINDOW_APPEARANCE', 17: 'WCA_DISALLOW_PEEK', 18: 'WCA_LAST'}}]], 'cbData': [4, ['unsigned long']], }], '__unnamed_11e8': [0x8, { 'SecurityInformation': [0, ['unsigned long']], 'SecurityDescriptor': [4, ['pointer', ['void']]], }], 'tagPROFILEVALUEINFO': [0xc, { 'dwValue': [0, ['unsigned long']], 'uSection': [4, ['unsigned long']], 'pwszKeyName': [8, ['pointer', ['wchar']]], }], '__unnamed_11ec': [0x8, { 'DeviceObject': [4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb': [0, ['pointer', ['_VPB']]], }], '_DMM_MONITOR_SERIALIZATION': [0x28, { 'FrequencyRangeSetOffset': [28, ['unsigned long']], 'ModePruningAlgorithm': [16, ['Enumeration', {'target': 'long', 'choices': {0: 'DMM_MPA_UNINITIALIZED', 1: 'DMM_MPA_GDI', 2: 'DMM_MPA_VISTA', 3: 'DMM_MPA_MAXVALID'}}]], 'VideoPresentTargetId': [4, ['unsigned long']], 'IsSimulatedMonitor': [12, ['unsigned char']], 'SourceModeSetOffset': [24, ['unsigned long']], 'Orientation': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MO_UNINITIALIZED', 1: 'D3DKMDT_MO_0DEG', 2: 'D3DKMDT_MO_90DEG', 3: 'D3DKMDT_MO_180DEG', 4: 'D3DKMDT_MO_270DEG'}}]], 'DescriptorSetOffset': [32, 
['unsigned long']], 'MonitorPowerState': [20, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'}}]], 'IsUsingDefaultProfile': [13, ['unsigned char']], 'MonitorType': [36, ['Enumeration', {'target': 'long', 'choices': {0: 'DMM_VMT_UNINITIALIZED', 1: 'DMM_VMT_PHYSICAL_MONITOR', 2: 'DMM_VMT_BOOT_PERSISTENT_MONITOR', 3: 'DMM_VMT_PERSISTENT_MONITOR', 4: 'DMM_VMT_TEMPORARY_MONITOR', 5: 'DMM_VMT_SIMULATED_MONITOR'}}]], 'Size': [0, ['unsigned long']], }], '_WNDMSG': [0x8, { 'abMsgs': [4, ['pointer', ['unsigned char']]], 'maxMsgs': [0, ['unsigned long']], }], 'tagTDB': [0x18, { 'pti': [12, ['pointer', ['tagTHREADINFO']]], 'TDB_Flags': [22, ['unsigned short']], 'hTaskWow': [20, ['unsigned short']], 'pwti': [16, ['pointer', ['tagWOWTHREADINFO']]], 'nEvents': [4, ['long']], 'nPriority': [8, ['long']], 'ptdbNext': [0, ['pointer', ['tagTDB']]], }], '_LIGATURE1': [0x6, { 'wch': [4, ['array', 1, ['wchar']]], 'VirtualKey': [0, ['unsigned char']], 'ModificationNumber': [2, ['unsigned short']], }], '_D3DKMDT_VIDPN_PRESENT_PATH': [0x15c, { 'GammaRamp': [336, ['_D3DKMDT_GAMMA_RAMP']], 'VidPnSourceId': [0, ['unsigned long']], 'Content': [64, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPC_UNINITIALIZED', 1: 'D3DKMDT_VPPC_GRAPHICS', 2: 'D3DKMDT_VPPC_VIDEO', 255: 'D3DKMDT_VPPC_NOTSPECIFIED'}}]], 'VisibleFromActiveBROffset': [36, ['_D3DKMDT_2DREGION']], 'VidPnTargetColorBasis': [44, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], 'ContentTransformation': [12, ['_D3DKMDT_VIDPN_PRESENT_PATH_TRANSFORMATION']], 'VidPnTargetId': [4, ['unsigned long']], 'VisibleFromActiveTLOffset': [28, ['_D3DKMDT_2DREGION']], 'CopyProtection': [68, ['_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION']], 
'VidPnTargetColorCoeffDynamicRanges': [48, ['_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES']], 'ImportanceOrdinal': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPI_UNINITIALIZED', 1: 'D3DKMDT_VPPI_PRIMARY', 2: 'D3DKMDT_VPPI_SECONDARY', 3: 'D3DKMDT_VPPI_TERTIARY', 4: 'D3DKMDT_VPPI_QUATERNARY', 5: 'D3DKMDT_VPPI_QUINARY', 6: 'D3DKMDT_VPPI_SENARY', 7: 'D3DKMDT_VPPI_SEPTENARY', 8: 'D3DKMDT_VPPI_OCTONARY', 9: 'D3DKMDT_VPPI_NONARY', 10: 'D3DKMDT_VPPI_DENARY', 32: 'D3DKMDT_VPPI_MAX', 255: 'D3DKMDT_VPPI_NOTSPECIFIED'}}]], }], '_PROCDESKHEAD': [0x14, { 'h': [0, ['pointer', ['void']]], 'pSelf': [16, ['pointer', ['unsigned char']]], 'rpdesk': [12, ['pointer', ['tagDESKTOP']]], 'hTaskWow': [8, ['unsigned long']], 'cLockObj': [4, ['unsigned long']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_ROTATION_SUPPORT': [0x4, { 'Rotate270': [0, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'Rotate90': [0, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'Identity': [0, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'Rotate180': [0, ['BitField', {'end_bit': 3, 'start_bit': 2}]], }], '_CONSOLE_CARET_INFO': [0x14, { 'hwnd': [0, ['pointer', ['HWND__']]], 'rc': [4, ['tagRECT']], }], 'tagPROCESSINFO': [0x1b0, { 'fHasMagContext': [412, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'hwinsta': [324, ['pointer', ['HWINSTA__']]], 'ptiList': [144, ['pointer', ['tagTHREADINFO']]], 'pHidTable': [420, ['pointer', ['tagPROCESS_HID_TABLE']]], 'W32PF_Flags': [8, ['unsigned long']], 'UserHandleCount': [44, ['long']], 'dwhmodLibLoadedMask': [188, ['unsigned long']], 'GDIBrushAttrFreeList': [120, ['_LIST_ENTRY']], 'hdeskStartup': [180, ['pointer', ['HDESK__']]], 'dwImeCompatFlags': [372, ['unsigned long']], 'dwRegisteredClasses': [424, ['unsigned long']], 'pBrushAttrList': [28, ['pointer', ['void']]], 'usi': [384, ['tagUSERSTARTUPINFO']], 'InputIdleEvent': [12, ['pointer', ['_KEVENT']]], 'W32Pid': [32, ['unsigned long']], 'bmHandleFlags': [348, ['_RTL_BITMAP']], 'UserHandleCountPeak': [48, ['unsigned long']], 
'GDIEngUserMemAllocTable': [56, ['_RTL_AVL_TABLE']], 'cSysExpunge': [184, ['unsigned long']], 'pdvList': [340, ['pointer', ['tagDESKTOPVIEW']]], 'pwpi': [164, ['pointer', ['tagWOWPROCESSINFO']]], 'ppiNextRunning': [172, ['pointer', ['tagPROCESSINFO']]], 'Process': [0, ['pointer', ['_EPROCESS']]], 'pCursorCache': [356, ['pointer', ['tagCURSOR']]], 'pClientBase': [360, ['pointer', ['void']]], 'dwLpkEntryPoints': [364, ['unsigned long']], 'GDIDcAttrFreeList': [112, ['_LIST_ENTRY']], 'DxProcess': [140, ['pointer', ['void']]], 'NextStart': [20, ['pointer', ['_W32PROCESS']]], 'RefCount': [4, ['unsigned long']], 'dwLayout': [416, ['unsigned long']], 'pclsPublicList': [160, ['pointer', ['tagCLS']]], 'Unused': [412, ['BitField', {'end_bit': 32, 'start_bit': 1}]], 'GDIPushLock': [52, ['_EX_PUSH_LOCK']], 'hMonitor': [336, ['pointer', ['HMONITOR__']]], 'ptiMainThread': [148, ['pointer', ['tagTHREADINFO']]], 'pvwplWndGCList': [428, ['pointer', ['VWPL']]], 'pW32Job': [368, ['pointer', ['tagW32JOB']]], 'luidSession': [376, ['_LUID']], 'GDIHandleCount': [36, ['long']], 'cThreads': [176, ['unsigned long']], 'rpdeskStartup': [152, ['pointer', ['tagDESKTOP']]], 'hSecureGdiSharedHandleTable': [136, ['pointer', ['void']]], 'pclsPrivateList': [156, ['pointer', ['tagCLS']]], 'GDIHandleCountPeak': [40, ['unsigned long']], 'StartCursorHideTime': [16, ['unsigned long']], 'ppiNext': [168, ['pointer', ['tagPROCESSINFO']]], 'Flags': [412, ['unsigned long']], 'dwHotkey': [332, ['unsigned long']], 'amwinsta': [328, ['unsigned long']], 'rpwinsta': [320, ['pointer', ['tagWINDOWSTATION']]], 'ahmodLibLoaded': [192, ['array', 32, ['pointer', ['void']]]], 'iClipSerialNumber': [344, ['unsigned long']], 'GDIW32PIDLockedBitmaps': [128, ['_LIST_ENTRY']], 'pDCAttrList': [24, ['pointer', ['void']]], }], '_DMM_COMMITVIDPNREQUEST_SERIALIZATION': [0x1c, { 'RequestDiagInfo': [4, ['_DMM_COMMITVIDPNREQUEST_DIAGINFO']], 'AffectedVidPnSourceId': [0, ['unsigned long']], 'VidPnSerialization': [16, 
['_DMM_VIDPN_SERIALIZATION']], }], 'tagKbdLayer': [0x3c, { 'pVkToWcharTable': [4, ['pointer', ['_VK_TO_WCHAR_TABLE']]], 'pusVSCtoVK': [24, ['pointer', ['unsigned short']]], 'fLocaleFlags': [40, ['unsigned long']], 'pKeyNamesExt': [16, ['pointer', ['VSC_LPWSTR']]], 'dwSubType': [56, ['unsigned long']], 'pDeadKey': [8, ['pointer', ['DEADKEY']]], 'pCharModifiers': [0, ['pointer', ['MODIFIERS']]], 'pKeyNamesDead': [20, ['pointer', ['pointer', ['unsigned short']]]], 'bMaxVSCtoVK': [28, ['unsigned char']], 'pKeyNames': [12, ['pointer', ['VSC_LPWSTR']]], 'dwType': [52, ['unsigned long']], 'pLigature': [48, ['pointer', ['_LIGATURE1']]], 'nLgMax': [44, ['unsigned char']], 'pVSCtoVK_E1': [36, ['pointer', ['_VSC_VK']]], 'pVSCtoVK_E0': [32, ['pointer', ['_VSC_VK']]], 'cbLgEntry': [45, ['unsigned char']], }], 'HDC__': [0x4, { 'unused': [0, ['long']], }], 'tagWin32AllocStats': [0x14, { 'dwMaxAlloc': [8, ['unsigned long']], 'pHead': [16, ['pointer', ['tagWin32PoolHead']]], 'dwMaxMem': [0, ['unsigned long']], 'dwCrtMem': [4, ['unsigned long']], 'dwCrtAlloc': [12, ['unsigned long']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_SCALING_SUPPORT': [0x4, { 'Centered': [0, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'AspectRatioCenteredMax': [0, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'Stretched': [0, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'Identity': [0, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'Custom': [0, ['BitField', {'end_bit': 5, 'start_bit': 4}]], }], 'tagMSG': [0x1c, { 'wParam': [8, ['unsigned long']], 'lParam': [12, ['long']], 'pt': [20, ['tagPOINT']], 'hwnd': [0, ['pointer', ['HWND__']]], 'time': [16, ['unsigned long']], 'message': [4, ['unsigned long']], }], '__unnamed_11a5': [0x4, { 'IrpCount': [0, ['long']], 'SystemBuffer': [0, ['pointer', ['void']]], 'MasterIrp': [0, ['pointer', ['_IRP']]], }], '_DMM_VIDPNSET_SERIALIZATION': [0x8, { 'VidPnOffset': [4, ['array', 1, ['unsigned long']]], 'NumVidPns': [0, ['unsigned char']], }], 'tagWOWPROCESSINFO': [0x28, { 
'ptdbHead': [8, ['pointer', ['tagTDB']]], 'lpfnWowExitTask': [12, ['pointer', ['void']]], 'CSOwningThread': [32, ['pointer', ['tagTHREADINFO']]], 'ptiScheduled': [4, ['pointer', ['tagTHREADINFO']]], 'nSendLock': [24, ['unsigned long']], 'nRecvLock': [28, ['unsigned long']], 'CSLockCount': [36, ['long']], 'hEventWowExecClient': [20, ['pointer', ['void']]], 'pwpiNext': [0, ['pointer', ['tagWOWPROCESSINFO']]], 'pEventWowExec': [16, ['pointer', ['_KEVENT']]], }], '__unnamed_177b': [0xc, { 'Data': [0, ['array', 3, ['unsigned long']]], }], 'tagMENU': [0x6c, { 'iItem': [24, ['long']], 'head': [0, ['_PROCDESKHEAD']], 'umpm': [88, ['tagUAHMENUPOPUPMETRICS']], 'cItems': [32, ['unsigned long']], 'pParentMenus': [56, ['pointer', ['tagMENULIST']]], 'fFlags': [20, ['unsigned long']], 'cxMenu': [36, ['unsigned long']], 'dwContextHelpId': [60, ['unsigned long']], 'hbrBack': [72, ['pointer', ['HBRUSH__']]], 'cxTextAlign': [44, ['unsigned long']], 'cAlloced': [28, ['unsigned long']], 'spwndNotify': [48, ['pointer', ['tagWND']]], 'dwArrowsOn': [84, ['BitField', {'end_bit': 2, 'start_bit': 0}]], 'iMaxTop': [80, ['long']], 'dwMenuData': [68, ['unsigned long']], 'cyMenu': [40, ['unsigned long']], 'rgItems': [52, ['pointer', ['tagITEM']]], 'iTop': [76, ['long']], 'cyMax': [64, ['unsigned long']], }], '__unnamed_177f': [0xc, { 'DataSize': [0, ['unsigned long']], 'Reserved1': [4, ['unsigned long']], 'Reserved2': [8, ['unsigned long']], }], '__unnamed_177d': [0xc, { 'Start': [0, ['unsigned long']], 'Length': [4, ['unsigned long']], 'Reserved': [8, ['unsigned long']], }], 'tagPOPUPMENU': [0x30, { 'fUseMonitorRect': [0, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'fDroppedLeft': [0, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'fHierarchyDropped': [0, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'posDropped': [44, ['unsigned long']], 'spwndNextPopup': [12, ['pointer', ['tagWND']]], 'fIsMenuBar': [0, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'spwndPrevPopup': [16, ['pointer', 
['tagWND']]], 'fHasMenuBar': [0, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'spwndActivePopup': [28, ['pointer', ['tagWND']]], 'fTrackMouseEvent': [0, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'fNoNotify': [0, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'posSelectedItem': [40, ['unsigned long']], 'fIsSysMenu': [0, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'fFlushDelayedFree': [0, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'ppmDelayedFree': [36, ['pointer', ['tagPOPUPMENU']]], 'fFreed': [0, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'fSynchronous': [0, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'fDropNextPopup': [0, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'fRightButton': [0, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'spmenuAlternate': [24, ['pointer', ['tagMENU']]], 'spmenu': [20, ['pointer', ['tagMENU']]], 'spwndPopupMenu': [8, ['pointer', ['tagWND']]], 'fDestroyed': [0, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'iDropDir': [0, ['BitField', {'end_bit': 28, 'start_bit': 23}]], 'ppopupmenuRoot': [32, ['pointer', ['tagPOPUPMENU']]], 'fFirstClick': [0, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'spwndNotify': [4, ['pointer', ['tagWND']]], 'fRtoL': [0, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'fIsTrackPopup': [0, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'fSendUninit': [0, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'fShowTimer': [0, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'fInCancel': [0, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'fToggle': [0, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'fDelayedFree': [0, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'fHideTimer': [0, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'fAboutToHide': [0, ['BitField', {'end_bit': 13, 'start_bit': 12}]], }], '_DMM_MONITORDESCRIPTOR_SERIALIZATION': [0x8c, { 'Origin': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 
2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'Data': [12, ['array', 128, ['unsigned char']]], 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MDT_UNINITIALIZED', 1: 'D3DKMDT_MDT_VESA_EDID_V1_BASEBLOCK', 2: 'D3DKMDT_MDT_VESA_EDID_V1_BLOCKMAP', 255: 'D3DKMDT_MDT_OTHER'}}]], 'Id': [0, ['unsigned long']], }], '__unnamed_1779': [0xc, { 'Reserved1': [8, ['unsigned long']], 'Port': [4, ['unsigned long']], 'Channel': [0, ['unsigned long']], }], 'HTOUCHINPUT__': [0x4, { 'unused': [0, ['long']], }], '__unnamed_1773': [0xc, { 'Affinity': [8, ['unsigned long']], 'Vector': [4, ['unsigned long']], 'Group': [2, ['unsigned short']], 'Level': [0, ['unsigned short']], }], '_VK_VALUES_STRINGS': [0x8, { 'fReserved': [4, ['unsigned char']], 'pszMultiNames': [0, ['pointer', ['unsigned char']]], }], '__unnamed_1771': [0xc, { 'Start': [0, ['_LARGE_INTEGER']], 'Length': [8, ['unsigned long']], }], '_DMM_MONITOR_SOURCE_MODE_SERIALIZATION': [0x50, { 'Info': [0, ['_D3DKMDT_MONITOR_SOURCE_MODE']], 'TimingType': [76, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MTT_UNINITIALIZED', 1: 'D3DKMDT_MTT_ESTABLISHED', 2: 'D3DKMDT_MTT_STANDARD', 3: 'D3DKMDT_MTT_EXTRASTANDARD', 4: 'D3DKMDT_MTT_DETAILED', 5: 'D3DKMDT_MTT_DEFAULTMONITORPROFILE', 6: 'D3DKMDT_MTT_MAXVALID'}}]], }], '__unnamed_1775': [0xc, { 'Affinity': [8, ['unsigned long']], 'Vector': [4, ['unsigned long']], 'Group': [0, ['unsigned short']], 'MessageCount': [2, ['unsigned short']], }], '__unnamed_11ac': [0x8, { 'AsynchronousParameters': [0, ['__unnamed_11aa']], 'AllocationSize': [0, ['_LARGE_INTEGER']], }], '__unnamed_11aa': [0x8, { 'UserApcContext': [4, ['pointer', ['void']]], 'UserApcRoutine': [0, ['pointer', ['void']]], 'IssuingProcess': [0, ['pointer', ['void']]], }], 'tagSBCALC': [0x40, { 'posMax': [4, ['long']], 'pxThumbTop': [52, ['long']], 'pxThumbBottom': [48, ['long']], 
'cpxThumb': [32, ['long']], 'pxMin': [60, ['long']], 'pxStart': [44, ['long']], 'pxDownArrow': [40, ['long']], 'pos': [12, ['long']], 'cpx': [56, ['long']], 'pxBottom': [20, ['long']], 'pxTop': [16, ['long']], 'pxLeft': [24, ['long']], 'pxRight': [28, ['long']], 'pxUpArrow': [36, ['long']], 'posMin': [0, ['long']], 'page': [8, ['long']], }], 'HIMC__': [0x4, { 'unused': [0, ['long']], }], 'tagSBINFO': [0x24, { 'WSBflags': [0, ['long']], 'Horz': [4, ['tagSBDATA']], 'Vert': [20, ['tagSBDATA']], }], '__unnamed_1213': [0x8, { 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'}}]], 'Reserved': [1, ['array', 3, ['unsigned char']]], 'InPath': [0, ['unsigned char']], }], 'tagITEM': [0x6c, { 'ulX': [56, ['unsigned long']], 'wID': [8, ['unsigned long']], 'dwItemData': [32, ['unsigned long']], 'cyItem': [48, ['unsigned long']], 'hbmpChecked': [16, ['pointer', ['void']]], 'xItem': [36, ['unsigned long']], 'spSubMenu': [12, ['pointer', ['tagMENU']]], 'hbmpUnchecked': [20, ['pointer', ['void']]], 'fState': [4, ['unsigned long']], 'dxTab': [52, ['unsigned long']], 'hbmp': [64, ['pointer', ['HBITMAP__']]], 'yItem': [40, ['unsigned long']], 'fType': [0, ['unsigned long']], 'umim': [76, ['tagUAHMENUITEMMETRICS']], 'cch': [28, ['unsigned long']], 'ulWidth': [60, ['unsigned long']], 'cyBmp': [72, ['long']], 'cxBmp': [68, ['long']], 'lpstr': [24, ['pointer', ['unsigned short']]], 'cxItem': [44, ['unsigned long']], }], '__unnamed_11d9': [0x10, { 'FileInformationClass': [4, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 
'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], 'AdvanceOnly': [13, ['unsigned char']], 'ClusterCount': [12, ['unsigned long']], 'Length': [0, ['unsigned long']], 'DeleteHandle': [12, ['pointer', ['void']]], 'ReplaceIfExists': [12, ['unsigned char']], 'FileObject': [8, ['pointer', ['_FILE_OBJECT']]], }], '_VSC_VK': [0x4, { 'Vsc': [0, ['unsigned char']], 'Vk': [2, ['unsigned short']], }], '_VK_TO_WCHARS1': [0x4, { 'Attributes': [1, ['unsigned char']], 'VirtualKey': [0, ['unsigned char']], 'wch': [2, ['array', 
1, ['wchar']]], }], '__unnamed_121b': [0x4, { 'PowerSequence': [0, ['pointer', ['_POWER_SEQUENCE']]], }], '_DMM_MONITORFREQUENCYRANGESET_SERIALIZATION': [0x34, { 'NumFrequencyRanges': [0, ['unsigned char']], 'FrequencyRangeSerialization': [4, ['array', 1, ['_D3DKMDT_MONITOR_FREQUENCY_RANGE']]], }], '_D3DKMDT_GAMMA_RAMP': [0xc, { 'Data': [8, ['__unnamed_179f']], 'DataSize': [4, ['unsigned long']], 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDI_GAMMARAMP_UNINITIALIZED', 1: 'D3DDDI_GAMMARAMP_DEFAULT', 2: 'D3DDDI_GAMMARAMP_RGB256x3x16', 3: 'D3DDDI_GAMMARAMP_DXGI_1'}}]], }], '_W32PROCESS': [0x90, { 'GDIPushLock': [52, ['_EX_PUSH_LOCK']], 'DxProcess': [140, ['pointer', ['void']]], 'pBrushAttrList': [28, ['pointer', ['void']]], 'Process': [0, ['pointer', ['_EPROCESS']]], 'NextStart': [20, ['pointer', ['_W32PROCESS']]], 'GDIW32PIDLockedBitmaps': [128, ['_LIST_ENTRY']], 'RefCount': [4, ['unsigned long']], 'StartCursorHideTime': [16, ['unsigned long']], 'GDIBrushAttrFreeList': [120, ['_LIST_ENTRY']], 'InputIdleEvent': [12, ['pointer', ['_KEVENT']]], 'W32PF_Flags': [8, ['unsigned long']], 'GDIHandleCount': [36, ['long']], 'hSecureGdiSharedHandleTable': [136, ['pointer', ['void']]], 'UserHandleCountPeak': [48, ['unsigned long']], 'W32Pid': [32, ['unsigned long']], 'UserHandleCount': [44, ['long']], 'pDCAttrList': [24, ['pointer', ['void']]], 'GDIEngUserMemAllocTable': [56, ['_RTL_AVL_TABLE']], 'GDIHandleCountPeak': [40, ['unsigned long']], 'GDIDcAttrFreeList': [112, ['_LIST_ENTRY']], }], 'tagSERVERINFO': [0xffc, { 'uiShellMsg': [520, ['unsigned long']], 'atomSysClass': [460, ['array', 25, ['unsigned short']]], 'dtScroll': [2276, ['unsigned long']], 'dwKeyCache': [2404, ['unsigned long']], 'atomIconSmProp': [964, ['unsigned short']], 'argbSystemUnmatched': [1876, ['array', 31, ['unsigned long']]], 'atomContextHelpIdProp': [968, ['unsigned short']], 'cySysFontChar': [2308, ['long']], 'mpFnid_serverCBWndProc': [164, ['array', 31, ['unsigned short']]], 
'PUSIFlags': [3928, ['unsigned long']], 'dtLBSearch': [2280, ['unsigned long']], 'tmSysFont': [2312, ['tagTEXTMETRICW']], 'ahbrSystem': [2124, ['array', 31, ['pointer', ['HBRUSH__']]]], 'dwDefaultHeapSize': [516, ['unsigned long']], 'dwSRVIFlags': [0, ['unsigned long']], 'BitsPixel': [3925, ['unsigned char']], 'wMaxLeftOverlapChars': [2296, ['long']], 'dwLastSystemRITEventTickCountUpdate': [3940, ['unsigned long']], 'dpiSystem': [2372, ['tagDPISERVERINFO']], 'hIcoWindows': [2400, ['pointer', ['HICON__']]], 'dwAsyncKeyCache': [2408, ['unsigned long']], 'dwTagCount': [4084, ['unsigned long']], 'adwDBGTAGFlags': [3944, ['array', 35, ['unsigned long']]], 'aiSysMet': [1488, ['array', 97, ['long']]], 'acAnsiToOem': [1228, ['array', 256, ['unsigned char']]], 'aStoCidPfn': [136, ['array', 7, ['pointer', ['void']]]], 'dwLastRITEventTickCount': [2268, ['unsigned long']], 'cbHandleTable': [456, ['unsigned long']], 'atomFrostedWindowProp': [970, ['unsigned short']], 'ucWheelScrollLines': [2288, ['unsigned long']], 'ptCursorReal': [2260, ['tagPOINT']], 'ucWheelScrollChars': [2292, ['unsigned long']], 'acOemToAnsi': [972, ['array', 256, ['unsigned char']]], 'hbrGray': [2248, ['pointer', ['HBRUSH__']]], 'BitCount': [3920, ['unsigned short']], 'argbSystem': [2000, ['array', 31, ['unsigned long']]], 'dtCaretBlink': [2284, ['unsigned long']], 'dwInstalledEventHooks': [1484, ['unsigned long']], 'cxSysFontChar': [2304, ['long']], 'wMaxRightOverlapChars': [2300, ['long']], 'oembmi': [2416, ['array', 93, ['tagOEMBITMAPINFO']]], 'apfnClientWorker': [412, ['_PFNCLIENTWORKER']], 'dwDefaultHeapBase': [512, ['unsigned long']], 'apfnClientA': [228, ['_PFNCLIENT']], 'dmLogPixels': [3922, ['unsigned short']], 'nEvents': [2272, ['long']], 'atomIconProp': [966, ['unsigned short']], 'Planes': [3924, ['unsigned char']], 'apfnClientW': [320, ['_PFNCLIENT']], 'MBStrings': [524, ['array', 11, ['tagMBSTRING']]], 'UILangID': [3936, ['unsigned short']], 'dwRIPFlags': [4088, ['unsigned long']], 
'uCaretWidth': [3932, ['unsigned long']], 'cCaptures': [2412, ['unsigned long']], 'cHandleEntries': [4, ['unsigned long']], 'ptCursor': [2252, ['tagPOINT']], 'hIconSmWindows': [2396, ['pointer', ['HICON__']]], 'mpFnidPfn': [8, ['array', 32, ['pointer', ['void']]]], 'rcScreenReal': [3904, ['tagRECT']], }], '_D3DKMDT_VIDEO_SIGNAL_INFO': [0x2c, { 'VSyncFreq': [20, ['_D3DDDI_RATIONAL']], 'ActiveSize': [12, ['_D3DKMDT_2DREGION']], 'PixelRate': [36, ['unsigned long']], 'TotalSize': [4, ['_D3DKMDT_2DREGION']], 'VideoStandard': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VSS_UNINITIALIZED', 1: 'D3DKMDT_VSS_VESA_DMT', 2: 'D3DKMDT_VSS_VESA_GTF', 3: 'D3DKMDT_VSS_VESA_CVT', 4: 'D3DKMDT_VSS_IBM', 5: 'D3DKMDT_VSS_APPLE', 6: 'D3DKMDT_VSS_NTSC_M', 7: 'D3DKMDT_VSS_NTSC_J', 8: 'D3DKMDT_VSS_NTSC_443', 9: 'D3DKMDT_VSS_PAL_B', 10: 'D3DKMDT_VSS_PAL_B1', 11: 'D3DKMDT_VSS_PAL_G', 12: 'D3DKMDT_VSS_PAL_H', 13: 'D3DKMDT_VSS_PAL_I', 14: 'D3DKMDT_VSS_PAL_D', 15: 'D3DKMDT_VSS_PAL_N', 16: 'D3DKMDT_VSS_PAL_NC', 17: 'D3DKMDT_VSS_SECAM_B', 18: 'D3DKMDT_VSS_SECAM_D', 19: 'D3DKMDT_VSS_SECAM_G', 20: 'D3DKMDT_VSS_SECAM_H', 21: 'D3DKMDT_VSS_SECAM_K', 22: 'D3DKMDT_VSS_SECAM_K1', 23: 'D3DKMDT_VSS_SECAM_L', 24: 'D3DKMDT_VSS_SECAM_L1', 25: 'D3DKMDT_VSS_EIA_861', 26: 'D3DKMDT_VSS_EIA_861A', 27: 'D3DKMDT_VSS_EIA_861B', 28: 'D3DKMDT_VSS_PAL_K', 29: 'D3DKMDT_VSS_PAL_K1', 30: 'D3DKMDT_VSS_PAL_L', 31: 'D3DKMDT_VSS_PAL_M', 255: 'D3DKMDT_VSS_OTHER'}}]], 'ScanLineOrdering': [40, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDI_VSSLO_UNINITIALIZED', 1: 'D3DDDI_VSSLO_PROGRESSIVE', 2: 'D3DDDI_VSSLO_INTERLACED_UPPERFIELDFIRST', 3: 'D3DDDI_VSSLO_INTERLACED_LOWERFIELDFIRST', 255: 'D3DDDI_VSSLO_OTHER'}}]], 'HSyncFreq': [28, ['_D3DDDI_RATIONAL']], }], '__unnamed_11dd': [0x8, { 'FsInformationClass': [4, ['Enumeration', {'target': 'long', 'choices': {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 
6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'}}]], 'Length': [0, ['unsigned long']], }], '__unnamed_11df': [0x10, { 'Type3InputBuffer': [12, ['pointer', ['void']]], 'OutputBufferLength': [0, ['unsigned long']], 'FsControlCode': [8, ['unsigned long']], 'InputBufferLength': [4, ['unsigned long']], }], 'D3DDDI_DXGI_RGB': [0xc, { 'Blue': [8, ['float']], 'Green': [4, ['float']], 'Red': [0, ['float']], }], '_MAGNIFICATION_INPUT_TRANSFORM': [0x2c, { 'rcScreen': [16, ['tagRECT']], 'magFactorX': [36, ['long']], 'magFactorY': [40, ['long']], 'ptiMagThreadInfo': [32, ['pointer', ['tagTHREADINFO']]], 'rcSource': [0, ['tagRECT']], }], '_D3DKMDT_MONITOR_FREQUENCY_RANGE': [0x30, { 'Origin': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'ConstraintType': [36, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MFRC_UNINITIALIZED', 1: 'D3DKMDT_MFRC_ACTIVESIZE', 2: 'D3DKMDT_MFRC_MAXPIXELRATE'}}]], 'RangeLimits': [4, ['_D3DKMDT_FREQUENCY_RANGE']], 'Constraint': [40, ['__unnamed_1633']], }], '_PFNCLIENTWORKER': [0x2c, { 'pfnComboBoxWndProc': [4, ['pointer', ['void']]], 'pfnMDIClientWndProc': [24, ['pointer', ['void']]], 'pfnDialogWndProc': [12, ['pointer', ['void']]], 'pfnStaticWndProc': [28, ['pointer', ['void']]], 'pfnCtfHookProc': [40, ['pointer', ['void']]], 'pfnButtonWndProc': [0, ['pointer', ['void']]], 'pfnImeWndProc': [32, ['pointer', ['void']]], 'pfnEditWndProc': [16, ['pointer', ['void']]], 'pfnListBoxWndProc': [20, ['pointer', ['void']]], 'pfnGhostWndProc': [36, ['pointer', ['void']]], 'pfnComboListBoxProc': [8, ['pointer', ['void']]], }], '_D3DDDI_GAMMA_RAMP_DXGI_1': [0x3024, { 
'GammaCurve': [24, ['array', 1025, ['D3DDDI_DXGI_RGB']]], 'Scale': [0, ['D3DDDI_DXGI_RGB']], 'Offset': [12, ['D3DDDI_DXGI_RGB']], }], '_DXGK_DIAG_HEADER': [0x30, { 'Index': [40, ['unsigned long']], 'ProcessName': [16, ['array', 16, ['unsigned char']]], 'LogTimestamp': [8, ['unsigned long long']], 'ThreadId': [32, ['unsigned long long']], 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'DXGK_DIAG_TYPE_NONE', 1: 'DXGK_DIAG_TYPE_SDC', 2: 'DXGK_DIAG_TYPE_HPD', 3: 'DXGK_DIAG_TYPE_DC_ORIGIN', 4: 'DXGK_DIAG_TYPE_USER_CDS', 5: 'DXGK_DIAG_TYPE_DRV_CDS', 6: 'DXGK_DIAG_TYPE_CODE_POINT', 7: 'DXGK_DIAG_TYPE_QDC', 8: 'DXGK_DIAG_TYPE_MONITOR_MGR', 9: 'DXGK_DIAG_TYPE_CONNECTEDSET_NOT_FOUND', 10: 'DXGK_DIAG_TYPE_DISPDIAG_COLLECTED', 11: 'DXGK_DIAG_TYPE_BML_PACKET', 12: 'DXGK_DIAG_TYPE_BML_PACKET_EX', 13: 'DXGK_DIAG_TYPE_COMMIT_VIDPN_FAILED', 14: 'DXGK_DIAG_TYPE_MAX', -1: 'DXGK_DIAG_TYPE_FORCE_UINT32'}}]], 'WdLogIdx': [44, ['unsigned long']], 'Size': [4, ['unsigned long']], }], '_SM_VALUES_STRINGS': [0x10, { 'StorageType': [12, ['Enumeration', {'target': 'long', 'choices': {0: 'SmStorageActual', 1: 'SmStorageNonActual'}}]], 'pszName': [0, ['pointer', ['unsigned char']]], 'ulValue': [4, ['unsigned long']], 'RangeType': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'SmRangeSharedInfo', 1: 'SmRangeNonSharedInfo', 2: 'SmRangeBool'}}]], }], 'tagTERMINAL': [0x20, { 'spwndDesktopOwner': [4, ['pointer', ['tagWND']]], 'dwTERMF_Flags': [0, ['unsigned long']], 'dwNestedLevel': [16, ['unsigned long']], 'pqDesktop': [12, ['pointer', ['tagQ']]], 'pEventInputReady': [28, ['pointer', ['_KEVENT']]], 'rpdeskDestroy': [24, ['pointer', ['tagDESKTOP']]], 'ptiDesktop': [8, ['pointer', ['tagTHREADINFO']]], 'pEventTermInit': [20, ['pointer', ['_KEVENT']]], }], 'tagMENULIST': [0x8, { 'pMenu': [4, ['pointer', ['tagMENU']]], 'pNext': [0, ['pointer', ['tagMENULIST']]], }], '__unnamed_11d5': [0x8, { 'CompletionFilter': [4, ['unsigned long']], 'Length': [0, ['unsigned long']], }], 
'__unnamed_11d7': [0x8, { 'Length': [0, ['unsigned long']], 'FileInformationClass': [4, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], }], 
'__unnamed_11d3': [0x10, { 'Length': [0, ['unsigned long']], 'FileIndex': [12, ['unsigned long']], 'FileInformationClass': [8, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 
56: 'FileMaximumInformation'}}]], 'FileName': [4, ['pointer', ['_UNICODE_STRING']]], }], 'tagPOINT': [0x8, { 'y': [4, ['long']], 'x': [0, ['long']], }], 'tagSHAREDINFO': [0x11c, { 'psi': [0, ['pointer', ['tagSERVERINFO']]], 'DefWindowSpecMsgs': [276, ['_WNDMSG']], 'awmControl': [20, ['array', 31, ['_WNDMSG']]], 'ulSharedDelta': [16, ['unsigned long']], 'pDispInfo': [12, ['pointer', ['tagDISPLAYINFO']]], 'aheList': [4, ['pointer', ['_HANDLEENTRY']]], 'DefWindowMsgs': [268, ['_WNDMSG']], 'HeEntrySize': [8, ['unsigned long']], }], 'tagIMC': [0x20, { 'dwClientImcData': [24, ['unsigned long']], 'head': [0, ['_THRDESKHEAD']], 'hImeWnd': [28, ['pointer', ['HWND__']]], 'pImcNext': [20, ['pointer', ['tagIMC']]], }], 'tagKL': [0x44, { 'uNumTbl': [48, ['unsigned long']], 'pklPrev': [12, ['pointer', ['tagKL']]], 'head': [0, ['_HEAD']], 'pklNext': [8, ['pointer', ['tagKL']]], 'spkfPrimary': [28, ['pointer', ['tagKBDFILE']]], 'dwFontSigs': [32, ['unsigned long']], 'dwLastKbdType': [56, ['unsigned long']], 'CodePage': [40, ['unsigned short']], 'dwKL_Flags': [16, ['unsigned long']], 'iBaseCharset': [36, ['unsigned long']], 'dwKLID': [64, ['unsigned long']], 'spkf': [24, ['pointer', ['tagKBDFILE']]], 'piiex': [44, ['pointer', ['tagIMEINFOEX']]], 'hkl': [20, ['pointer', ['HKL__']]], 'pspkfExtra': [52, ['pointer', ['pointer', ['tagKBDFILE']]]], 'wchDiacritic': [42, ['wchar']], 'dwLastKbdSubType': [60, ['unsigned long']], }], 'tagCARET': [0x38, { 'iHideLevel': [8, ['long']], 'yOwnDc': [44, ['long']], 'y': [16, ['long']], 'cy': [20, ['long']], 'cx': [24, ['long']], 'hBitmap': [28, ['pointer', ['HBITMAP__']]], 'cyOwnDc': [52, ['long']], 'fOn': [4, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'hTimer': [32, ['unsigned long']], 'xOwnDc': [40, ['long']], 'fVisible': [4, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'cxOwnDc': [48, ['long']], 'tid': [36, ['unsigned long']], 'x': [12, ['long']], 'spwnd': [0, ['pointer', ['tagWND']]], }], } 
volatility-2.3.1/volatility/plugins/gui/vtypes/win2003.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj

class Win2003x86GuiVTypes(obj.ProfileModification):
    """Apply the overlays for Windows 2003 x86 (builds on Windows XP x86)"""

    before = ["XP2003x86BaseVTypes"]

    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 2}

    def modification(self, profile):

        profile.merge_overlay({
            'tagWINDOWSTATION' : [ 0x54, {
                'spwndClipOwner' : [ 0x18, ['pointer', ['tagWND']]],
                'pGlobalAtomTable' : [ 0x3C, ['pointer', ['void']]],
            }],
            'tagTHREADINFO' : [ None, {
                'PtiLink' : [ 0xB0, ['_LIST_ENTRY']],
                'fsHooks' : [ 0x9C, ['unsigned long']],
                'aphkStart' : [ 0xF8, ['array', 16, ['pointer', ['tagHOOK']]]],
            }],
            'tagDESKTOP' : [ None, {
                'hsectionDesktop' : [ 0x3c, ['pointer', ['void']]],
                'pheapDesktop' : [ 0x40, ['pointer', ['tagWIN32HEAP']]],
                'ulHeapSize' : [ 0x44, ['unsigned long']],
                'PtiList' : [ 0x60, ['_LIST_ENTRY']],
            }],
            'tagSERVERINFO' : [ None, {
                'cHandleEntries' : [ 4, ['unsigned long']],
                'cbHandleTable' : [ 0x1b8, ['unsigned long']],
            }],
        })
volatility-2.3.1/volatility/plugins/gui/vtypes/win7_sp0_x86_vtypes_gui.py
win32k_types = { '_HANDLEENTRY': [0xc, { 'pOwner': [4, ['pointer', ['void']]], 'phead': [0, ['pointer', ['_HEAD']]], 'bFlags': [9, ['unsigned char']], 'wUniq': [10, ['unsigned short']], 'bType': [8, ['unsigned char']], }], 'tagTOUCHINPUTINFO': [0x3c, { 'dwcInputs': [12, ['unsigned long']], 'head': [0, ['_THROBJHEAD']], 'uFlags': [16, ['unsigned long']], 'TouchInput': [20, ['array', 1, ['tagTOUCHINPUT']]], }], 'tagHOOK': [0x34, { 'head': [0, ['_THRDESKHEAD']], 'offPfn': [28, ['unsigned long']], 'flags': [32, ['unsigned long']], 'fLastHookHung': [48, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'nTimeout': [48, ['BitField', {'end_bit': 7, 'start_bit': 0}]], 'ihmod': [36, ['long']], 'iHook': [24, ['long']], 'ptiHooked': [40, ['pointer', ['tagTHREADINFO']]], 'phkNext': [20, ['pointer', ['tagHOOK']]], 'rpdesk': [44, ['pointer', ['tagDESKTOP']]], }], 'DEADKEY': [0x8, { 'wchComposed': [4, ['wchar']], 'dwBoth': [0, ['unsigned long']], 'uFlags': [6, ['unsigned short']], }], '__unnamed_179f': [0x4, { 'pRgb256x3x16': [0, ['pointer', ['_D3DDDI_GAMMA_RAMP_RGB256x3x16']]], 'pRaw': [0, ['pointer', ['void']]], 'pDxgi1': [0, ['pointer', ['_D3DDDI_GAMMA_RAMP_DXGI_1']]], }], '_W32THREAD': [0xb4, { 'pRBRecursionCount': [40, ['unsigned long']], 'iVisRgnUniqueness': [176, ['unsigned long']], 'RefCount': [4, ['unsigned long']], 'pDevHTInfo': [148, ['pointer', ['void']]], 'pUMPDHeap': [24, ['pointer', ['void']]], 'pgdiBrushAttr': [16, ['pointer', ['void']]], 'ulWindowSystemRendering': [172, ['unsigned long']], 'tlSpriteState': [48, ['_TLSPRITESTATE']], 'pdcoRender': [160, ['pointer', ['void']]], 'bEnableEngUpdateDeviceSurface': [168, ['unsigned char']], 'pdcoAA': [156, ['pointer', ['void']]], 'pNonRBRecursionCount': [44, ['unsigned long']], 'ptlW32': [8, ['pointer', ['_TL']]], 'GdiTmpTgoList': [32, ['_LIST_ENTRY']], 'pUMPDObjs': [20, 
['pointer', ['void']]], 'pgdiDcattr': [12, ['pointer', ['void']]], 'bIncludeSprites': [169, ['unsigned char']], 'pEThread': [0, ['pointer', ['_ETHREAD']]], 'pSpriteState': [144, ['pointer', ['void']]], 'ulDevHTInfoUniqueness': [152, ['unsigned long']], 'pdcoSrc': [164, ['pointer', ['void']]], 'pUMPDObj': [28, ['pointer', ['void']]], }], 'tagPROPLIST': [0x10, { 'aprop': [8, ['array', 1, ['tagPROP']]], 'cEntries': [0, ['unsigned long']], 'iFirstFree': [4, ['unsigned long']], }], 'tagDESKTOPINFO': [0x78, { 'spwndProgman': [96, ['pointer', ['tagWND']]], 'pvwplMessagePPHandler': [112, ['pointer', ['VWPL']]], 'pvDesktopLimit': [4, ['pointer', ['void']]], 'fComposited': [116, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'spwndGestureEngine': [108, ['pointer', ['tagWND']]], 'pvDesktopBase': [0, ['pointer', ['void']]], 'spwndShell': [80, ['pointer', ['tagWND']]], 'ppiShellProcess': [84, ['pointer', ['tagPROCESSINFO']]], 'pvwplShellHook': [100, ['pointer', ['VWPL']]], 'fIsDwmDesktop': [116, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'spwndTaskman': [92, ['pointer', ['tagWND']]], 'aphkStart': [16, ['array', 16, ['pointer', ['tagHOOK']]]], 'fsHooks': [12, ['unsigned long']], 'cntMBox': [104, ['long']], 'spwndBkGnd': [88, ['pointer', ['tagWND']]], 'spwnd': [8, ['pointer', ['tagWND']]], }], 'tagDISPLAYINFO': [0x64, { 'hDev': [0, ['pointer', ['void']]], 'SpatialListHead': [88, ['_KLIST_ENTRY']], 'BitCountMax': [78, ['unsigned short']], 'cyGray': [32, ['long']], 'hdcBits': [16, ['pointer', ['HDC__']]], 'fDesktopIsRect': [80, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'hbmGray': [24, ['pointer', ['HBITMAP__']]], 'pmdev': [4, ['pointer', ['void']]], 'cFullScreen': [96, ['short']], 'cxGray': [28, ['long']], 'dmLogPixels': [76, ['unsigned short']], 'hDevInfo': [8, ['pointer', ['void']]], 'fAnyPalette': [80, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'pspbFirst': [40, ['pointer', ['tagSPB']]], 'pMonitorPrimary': [48, ['pointer', ['tagMONITOR']]], 'Spare0': [98, 
['short']], 'pMonitorFirst': [52, ['pointer', ['tagMONITOR']]], 'hdcGray': [20, ['pointer', ['HDC__']]], 'hrgnScreenReal': [72, ['pointer', ['HRGN__']]], 'cMonitors': [44, ['unsigned long']], 'hdcScreen': [12, ['pointer', ['HDC__']]], 'DockThresholdMax': [84, ['unsigned long']], 'rcScreenReal': [56, ['tagRECT']], 'pdceFirst': [36, ['pointer', ['tagDCE']]], }], 'tagTHREADINFO': [0x208, { 'pstrAppName': [220, ['pointer', ['_UNICODE_STRING']]], 'ForceLegacyResizeNCMetr': [280, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'ptl': [180, ['pointer', ['_TL']]], 'timeLast': [236, ['long']], 'DontJournalAttach': [276, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'ppi': [184, ['pointer', ['tagPROCESSINFO']]], 'SendMnuDblClk': [276, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'DDENoSync': [280, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'EditNoMouseHide': [280, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'pDevHTInfo': [148, ['pointer', ['void']]], 'OpenGLEMF': [280, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'dwCompatFlags': [276, ['unsigned long']], 'hTouchInputCurrent': [492, ['pointer', ['HTOUCHINPUT__']]], 'psmsSent': [224, ['pointer', ['tagSMS']]], 'cVisWindows': [404, ['unsigned long']], 'hPrevHidData': [488, ['pointer', ['void']]], 'fsHooks': [300, ['unsigned long']], 'qwCompatFlags2': [280, ['unsigned long long']], 'NoPaddedBorder': [280, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'NoDrawPatRect': [280, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'ForceTTGrapchis': [276, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'GetDeviceCaps': [276, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'pgdiBrushAttr': [16, ['pointer', ['void']]], 'pq': [188, ['pointer', ['tagQ']]], 'ulWindowSystemRendering': [172, ['unsigned long']], 'dwExpWinVer': [272, ['unsigned long']], 'NoSoftCursOnMoveSize': [280, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'psmsReceiveList': [232, ['pointer', ['tagSMS']]], 'sphkCurrent': [304, ['pointer', 
['tagHOOK']]], 'No50ExStyles': [280, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'IgnoreFaults': [276, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'pClientInfo': [212, ['pointer', ['tagCLIENTINFO']]], 'pdcoSrc': [164, ['pointer', ['void']]], 'pEventQueueServer': [324, ['pointer', ['_KEVENT']]], 'DealyHwndShakeChk': [276, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'amdesk': [396, ['unsigned long']], 'fsChangeBitsRemoved': [384, ['unsigned short']], 'psmsCurrent': [228, ['pointer', ['tagSMS']]], 'NoBatching': [280, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'StrictLLHook': [280, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'pdcoRender': [160, ['pointer', ['void']]], 'NoShadow': [280, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'EnumHelv': [276, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'fPack': [516, ['BitField', {'end_bit': 28, 'start_bit': 2}]], 'CallTTDevice': [276, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'fsReserveKeys': [388, ['unsigned long']], 'Winver31': [276, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'DisableDBCSProp': [276, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'Win30AvgWidth': [276, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'ptlW32': [8, ['pointer', ['_TL']]], 'AlwaysSendSyncPaint': [276, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'IgnoreNoDiscard': [276, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'NoTimeCbProtect': [280, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'MsShellDlg': [280, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'hEventQueueClient': [320, ['pointer', ['void']]], 'cPaintsReady': [252, ['long']], 'SubtractClips': [276, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'PtiLink': [328, ['_LIST_ENTRY']], 'DpiAware': [280, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'spklActive': [192, ['pointer', ['tagKL']]], 'bIncludeSprites': [169, ['unsigned char']], 'mlPost': [372, ['tagMLIST']], 'ptLastReal': [348, ['tagPOINT']], 'fThreadCleanupFinished': [516, 
['BitField', {'end_bit': 29, 'start_bit': 28}]], 'MultipleBands': [276, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'Random31Ux': [276, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'HackWinFlags': [276, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'cti': [472, ['tagCLIENTTHREADINFO']], 'KCOff': [280, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'wParamHkCurrent': [312, ['unsigned long']], 'readyHead': [508, ['_LIST_ENTRY']], 'UsePrintingEscape': [276, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'NoInitFlagsOnFocus': [280, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'ForceTextBand': [276, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'pEThread': [0, ['pointer', ['_ETHREAD']]], 'ptdb': [264, ['pointer', ['tagTDB']]], 'SpareCompatFlags2': [280, ['BitField', {'end_bit': 64, 'start_bit': 33}]], 'cWindows': [400, ['unsigned long']], 'cEnterCount': [368, ['long']], 'fETWReserved': [516, ['BitField', {'end_bit': 32, 'start_bit': 29}]], 'dwCompatFlags2': [280, ['unsigned long']], 'NoEMFSpooling': [276, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'pMenuState': [260, ['pointer', ['tagMENUSTATE']]], 'pRBRecursionCount': [40, ['unsigned long']], 'SmoothScrolling': [276, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'iVisRgnUniqueness': [176, ['unsigned long']], 'RefCount': [4, ['unsigned long']], 'Win31DevModeSize': [276, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'pwinsta': [264, ['pointer', ['tagWINDOWSTATION']]], 'pSBTrack': [316, ['pointer', ['tagSBTRACK']]], 'ActiveMenus': [280, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'spwndDefaultIme': [356, ['pointer', ['tagWND']]], 'NoCustomPaperSize': [280, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'wchInjected': [386, ['wchar']], 'cTimersReady': [256, ['unsigned long']], 'EditSetTextMunge': [276, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'pUMPDHeap': [24, ['pointer', ['void']]], 'fgfSwitchInProgressSetter': [516, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'iCursorLevel': [336, 
['long']], 'NoScrollBarCtxMenu': [276, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'ulClientDelta': [208, ['unsigned long']], 'pdcoAA': [156, ['pointer', ['void']]], 'cNestedStableVisRgn': [504, ['unsigned long']], 'TryExceptCallWndProc': [280, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'NcCalcSizeOnMove': [276, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'DisableFontAssoc': [276, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'pcti': [196, ['pointer', ['tagCLIENTTHREADINFO']]], 'MsgPPInfo': [500, ['tagMSGPPINFO']], 'DDE': [280, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'ulThreadFlags2': [516, ['unsigned long']], 'tlSpriteState': [48, ['_TLSPRITESTATE']], 'NoCharDeadKey': [280, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'pqAttach': [288, ['pointer', ['tagQ']]], 'TTIgnoreRasterDupe': [276, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'aphkStart': [408, ['array', 16, ['pointer', ['tagHOOK']]]], 'DefaultCharset': [280, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'idLast': [240, ['unsigned long']], 'rpdesk': [200, ['pointer', ['tagDESKTOP']]], 'NoWindowArrangement': [280, ['BitField', {'end_bit': 33, 'start_bit': 32}]], 'AnimationOff': [280, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'No50ExStyleBits': [280, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'TransparentBltMirror': [280, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'DDENoAsyncReg': [280, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'bEnableEngUpdateDeviceSurface': [168, ['unsigned char']], 'pDeskInfo': [204, ['pointer', ['tagDESKTOPINFO']]], 'hdesk': [248, ['pointer', ['HDESK__']]], 'pNonRBRecursionCount': [44, ['unsigned long']], 'MoreExtraWndWords': [276, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'hklPrev': [364, ['pointer', ['HKL__']]], 'NoGhost': [280, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'IgnoreTopMost': [276, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'pmsd': [296, ['pointer', ['_MOVESIZEDATA']]], 'NoHRGN1': [276, ['BitField', 
{'end_bit': 17, 'start_bit': 16}]], 'exitCode': [244, ['long']], 'NoDDETrackDying': [280, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'ptLast': [340, ['tagPOINT']], 'hGestureInfoCurrent': [496, ['pointer', ['HGESTUREINFO__']]], 'GdiTmpTgoList': [32, ['_LIST_ENTRY']], 'pUMPDObjs': [20, ['pointer', ['void']]], 'FontSubs': [280, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'GiveUpForegound': [280, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'spDefaultImc': [360, ['pointer', ['tagIMC']]], 'pgdiDcattr': [12, ['pointer', ['void']]], 'TIF_flags': [216, ['unsigned long']], 'apEvent': [392, ['pointer', ['pointer', ['_KEVENT']]]], 'HardwareMixer': [280, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'pUMPDObj': [28, ['pointer', ['void']]], 'pSpriteState': [144, ['pointer', ['void']]], 'EnumTTNotDevice': [276, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'lParamHkCurrent': [308, ['long']], 'ulDevHTInfoUniqueness': [152, ['unsigned long']], 'ptiSibling': [292, ['pointer', ['tagTHREADINFO']]], 'psiiList': [268, ['pointer', ['tagSVR_INSTANCE_INFO']]], 'ForceFusion': [280, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'fSpecialInitialization': [516, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'IncreaseStack': [276, ['BitField', {'end_bit': 23, 'start_bit': 22}]], }], '__unnamed_1262': [0x2c, { 'InitialPrivilegeSet': [0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet': [0, ['_PRIVILEGE_SET']], }], '_D3DKMDT_2DREGION': [0x8, { 'cy': [4, ['unsigned long']], 'cx': [0, ['unsigned long']], }], 'tagMONITOR': [0x64, { 'hDev': [56, ['pointer', ['void']]], 'head': [0, ['_HEAD']], 'hDevReal': [60, ['pointer', ['void']]], 'rcWorkReal': [32, ['tagRECT']], 'dwMONFlags': [12, ['unsigned long']], 'Spare0': [52, ['short']], 'rcMonitorReal': [16, ['tagRECT']], 'pMonitorNext': [8, ['pointer', ['tagMONITOR']]], 'Flink': [92, ['pointer', ['tagMONITOR']]], 'Blink': [96, ['pointer', ['tagMONITOR']]], 'hrgnMonitorReal': [48, ['pointer', ['HRGN__']]], 'cWndStack': [54, ['short']], 
'DockTargets': [64, ['array', 7, ['array', 4, ['unsigned char']]]], }], '__unnamed_18b4': [0x18, { 'Dma': [0, ['__unnamed_18a8']], 'Generic': [0, ['__unnamed_18a2']], 'Memory': [0, ['__unnamed_18a2']], 'BusNumber': [0, ['__unnamed_18aa']], 'Memory48': [0, ['__unnamed_18b0']], 'Memory40': [0, ['__unnamed_18ae']], 'DevicePrivate': [0, ['__unnamed_177b']], 'ConfigData': [0, ['__unnamed_18ac']], 'Memory64': [0, ['__unnamed_18b2']], 'Interrupt': [0, ['__unnamed_18a6']], 'Port': [0, ['__unnamed_18a2']], }], '__unnamed_18b0': [0x18, { 'Length48': [0, ['unsigned long']], 'Alignment48': [4, ['unsigned long']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION': [0x10c, { 'APSTriggerBits': [4, ['unsigned long']], 'CopyProtectionType': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPMT_UNINITIALIZED', 1: 'D3DKMDT_VPPMT_NOPROTECTION', 2: 'D3DKMDT_VPPMT_MACROVISION_APSTRIGGER', 3: 'D3DKMDT_VPPMT_MACROVISION_FULLSUPPORT', 255: 'D3DKMDT_VPPMT_NOTSPECIFIED'}}]], 'CopyProtectionSupport': [264, ['_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION_SUPPORT']], 'OEMCopyProtection': [8, ['array', 256, ['unsigned char']]], }], 'tagHID_TLC_INFO': [0x20, { 'cExcludeRequest': [24, ['unsigned long']], 'link': [0, ['_LIST_ENTRY']], 'cExcludeOrphaned': [28, ['unsigned long']], 'cUsagePageRequest': [20, ['unsigned long']], 'usUsagePage': [8, ['unsigned short']], 'cDevices': [12, ['unsigned long']], 'cDirectRequest': [16, ['unsigned long']], 'usUsage': [10, ['unsigned short']], }], '__unnamed_1777': [0xc, { 'Translated': [0, ['__unnamed_1773']], 'Raw': [0, ['__unnamed_1775']], }], 'HWND__': [0x4, { 'unused': [0, ['long']], }], '_DMM_VIDPNPATHANDTARGETMODE_SERIALIZATION': [0x190, { 'TargetMode': [348, ['_D3DKMDT_VIDPN_TARGET_MODE']], 'PathInfo': [0, ['_D3DKMDT_VIDPN_PRESENT_PATH']], }], 'tagQ': [0x108, { 'hwndDblClk': [64, ['pointer', ['HWND__']]], 'timeDblClk': [60, ['unsigned long']], 'spwndFocus': 
[36, ['pointer', ['tagWND']]], 'ExtraInfo': [256, ['long']], 'cLockCount': [250, ['unsigned short']], 'iCursorLevel': [240, ['long']], 'ptiSysLock': [12, ['pointer', ['tagTHREADINFO']]], 'caret': [180, ['tagCARET']], 'ptiMouse': [24, ['pointer', ['tagTHREADINFO']]], 'spwndActivePrev': [44, ['pointer', ['tagWND']]], 'ptMouseMove': [76, ['tagPOINT']], 'msgDblClk': [52, ['unsigned long']], 'msgJournal': [252, ['unsigned long']], 'ptiKeyboard': [28, ['pointer', ['tagTHREADINFO']]], 'cThreads': [248, ['unsigned short']], 'QF_flags': [244, ['unsigned long']], 'mlInput': [0, ['tagMLIST']], 'spwndActive': [40, ['pointer', ['tagWND']]], 'codeCapture': [48, ['unsigned long']], 'idSysLock': [16, ['unsigned long']], 'spcurCurrent': [236, ['pointer', ['tagCURSOR']]], 'ulEtwReserved1': [260, ['unsigned long']], 'ptDblClk': [68, ['tagPOINT']], 'xbtnDblClk': [56, ['unsigned short']], 'afKeyRecentDown': [84, ['array', 32, ['unsigned char']]], 'afKeyState': [116, ['array', 64, ['unsigned char']]], 'spwndCapture': [32, ['pointer', ['tagWND']]], 'idSysPeek': [20, ['unsigned long']], }], 'tagUSERSTARTUPINFO': [0x1c, { 'wShowWindow': [24, ['unsigned short']], 'dwYSize': [16, ['unsigned long']], 'dwXSize': [12, ['unsigned long']], 'cbReserved2': [26, ['unsigned short']], 'cb': [0, ['unsigned long']], 'dwX': [4, ['unsigned long']], 'dwY': [8, ['unsigned long']], 'dwFlags': [20, ['unsigned long']], }], '_DMM_COMMITVIDPNREQUESTSET_SERIALIZATION': [0x8, { 'CommitVidPnRequestOffset': [4, ['array', 1, ['unsigned long']]], 'NumCommitVidPnRequests': [0, ['unsigned char']], }], '_DMM_MONITORDESCRIPTORSET_SERIALIZATION': [0x90, { 'NumDescriptors': [0, ['unsigned char']], 'DescriptorSerialization': [4, ['array', 1, ['_DMM_MONITORDESCRIPTOR_SERIALIZATION']]], }], '_DMM_MONITORSOURCEMODESET_SERIALIZATION': [0x54, { 'NumModes': [0, ['unsigned char']], 'ModeSerialization': [4, ['array', 1, ['_DMM_MONITOR_SOURCE_MODE_SERIALIZATION']]], }], '_VK_FUNCTION_PARAM': [0x8, { 'NLSFEProcIndex': [0, ['unsigned 
char']], 'NLSFEProcParam': [4, ['unsigned long']], }], '_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES': [0x10, { 'SecondChannel': [4, ['unsigned long']], 'FourthChannel': [12, ['unsigned long']], 'ThirdChannel': [8, ['unsigned long']], 'FirstChannel': [0, ['unsigned long']], }], 'tagMLIST': [0xc, { 'cMsgs': [8, ['unsigned long']], 'pqmsgRead': [0, ['pointer', ['tagQMSG']]], 'pqmsgWriteLast': [4, ['pointer', ['tagQMSG']]], }], '__unnamed_122d': [0x10, { 'DeviceIoControl': [0, ['__unnamed_11e4']], 'QuerySecurity': [0, ['__unnamed_11e6']], 'ReadWriteConfig': [0, ['__unnamed_1204']], 'Create': [0, ['__unnamed_11c5']], 'SetSecurity': [0, ['__unnamed_11e8']], 'Write': [0, ['__unnamed_11cf']], 'VerifyVolume': [0, ['__unnamed_11ec']], 'WMI': [0, ['__unnamed_1229']], 'CreateMailslot': [0, ['__unnamed_11cd']], 'FilterResourceRequirements': [0, ['__unnamed_1202']], 'SetFile': [0, ['__unnamed_11d9']], 'MountVolume': [0, ['__unnamed_11ec']], 'FileSystemControl': [0, ['__unnamed_11df']], 'UsageNotification': [0, ['__unnamed_1213']], 'Scsi': [0, ['__unnamed_11f0']], 'WaitWake': [0, ['__unnamed_1217']], 'QueryFile': [0, ['__unnamed_11d7']], 'QueryDeviceText': [0, ['__unnamed_120e']], 'CreatePipe': [0, ['__unnamed_11c9']], 'Power': [0, ['__unnamed_1223']], 'QueryDeviceRelations': [0, ['__unnamed_11f4']], 'Read': [0, ['__unnamed_11cf']], 'StartDevice': [0, ['__unnamed_1227']], 'QueryDirectory': [0, ['__unnamed_11d3']], 'PowerSequence': [0, ['__unnamed_121b']], 'QueryId': [0, ['__unnamed_120a']], 'LockControl': [0, ['__unnamed_11e2']], 'NotifyDirectory': [0, ['__unnamed_11d5']], 'QueryInterface': [0, ['__unnamed_11fa']], 'Others': [0, ['__unnamed_122b']], 'QueryVolume': [0, ['__unnamed_11dd']], 'SetLock': [0, ['__unnamed_1206']], 'DeviceCapabilities': [0, ['__unnamed_11fe']], }], '__unnamed_122b': [0x10, { 'Argument4': [12, ['pointer', ['void']]], 'Argument2': [4, ['pointer', ['void']]], 'Argument3': [8, ['pointer', ['void']]], 'Argument1': [0, ['pointer', ['void']]], }], 'tagMENUSTATE': 
[0x64, { 'fDragAndDrop': [4, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'fInsideMenuLoop': [4, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'cxAni': [84, ['long']], 'pGlobalPopupMenu': [0, ['pointer', ['tagPOPUPMENU']]], 'uDraggingIndex': [60, ['unsigned long']], 'uDraggingHitArea': [56, ['unsigned long']], 'fNotifyByPos': [4, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'fButtonDown': [4, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'ixAni': [76, ['long']], 'fInCallHandleMenuMessages': [4, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'mnFocus': [16, ['long']], 'iyAni': [80, ['long']], 'dwLockCount': [28, ['unsigned long']], 'fAutoDismiss': [4, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'fIsSysMenu': [4, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'dwAniStartTime': [72, ['unsigned long']], 'pmnsPrev': [32, ['pointer', ['tagMENUSTATE']]], 'fInEndMenu': [4, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'hbmAni': [92, ['pointer', ['HBITMAP__']]], 'fIgnoreButtonUp': [4, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'ptButtonDown': [36, ['tagPOINT']], 'hdcWndAni': [68, ['pointer', ['HDC__']]], 'fAboutToAutoDismiss': [4, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'fMenuStarted': [4, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'uDraggingFlags': [64, ['unsigned long']], 'fUnderline': [4, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'fInDoDragDrop': [4, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'ptiMenuStateOwner': [24, ['pointer', ['tagTHREADINFO']]], 'uButtonDownIndex': [48, ['unsigned long']], 'fModelessMenu': [4, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'cyAni': [88, ['long']], 'uButtonDownHitArea': [44, ['unsigned long']], 'fButtonAlwaysDown': [4, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'iAniDropDir': [4, ['BitField', {'end_bit': 24, 'start_bit': 19}]], 'ptMouseLast': [8, ['tagPOINT']], 'hdcAni': [96, ['pointer', ['HDC__']]], 'vkButtonDown': [52, ['long']], 'fSetCapture': [4, ['BitField', {'end_bit': 19, 
'start_bit': 18}]], 'fDragging': [4, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'fActiveNoForeground': [4, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'fMouseOffMenu': [4, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'cmdLast': [20, ['long']], }], 'tagMSGPPINFO': [0x4, { 'dwIndexMsgPP': [0, ['unsigned long']], }], 'VWPLELEMENT': [0x8, { 'DataOrTag': [0, ['unsigned long']], 'pwnd': [4, ['pointer', ['tagWND']]], }], '_WM_VALUES_STRINGS': [0x8, { 'pszName': [0, ['pointer', ['unsigned char']]], 'fInternal': [4, ['unsigned char']], 'fDefined': [5, ['unsigned char']], }], 'tagCLIP': [0xc, { 'fmt': [0, ['unsigned long']], 'fGlobalHandle': [8, ['long']], 'hData': [4, ['pointer', ['void']]], }], '__unnamed_1229': [0x10, { 'Buffer': [12, ['pointer', ['void']]], 'ProviderId': [0, ['unsigned long']], 'BufferSize': [8, ['unsigned long']], 'DataPath': [4, ['pointer', ['void']]], }], '__unnamed_1227': [0x8, { 'AllocatedResources': [0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated': [4, ['pointer', ['_CM_RESOURCE_LIST']]], }], '_HEAD': [0x8, { 'h': [0, ['pointer', ['void']]], 'cLockObj': [4, ['unsigned long']], }], '__unnamed_1223': [0x10, { 'State': [8, ['_POWER_STATE']], 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'SystemPowerState', 1: 'DevicePowerState'}}]], 'SystemContext': [0, ['unsigned long']], 'ShutdownType': [12, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'}}]], 'SystemPowerStateContext': [0, ['_SYSTEM_POWER_STATE_CONTEXT']], }], '__unnamed_11e6': [0x8, { 'Length': [4, ['unsigned long']], 'SecurityInformation': [0, ['unsigned long']], }], 'tagQMSG': [0x40, { 'FromPen': [52, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'pti': [56, ['pointer', ['tagTHREADINFO']]], 'ExtraInfo': [36, ['long']], 'Wow64Message': 
[52, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'pqmsgPrev': [4, ['pointer', ['tagQMSG']]], 'NoCoalesce': [52, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'Padding': [48, ['BitField', {'end_bit': 32, 'start_bit': 30}]], 'ptMouseReal': [40, ['tagPOINT']], 'pqmsgNext': [0, ['pointer', ['tagQMSG']]], 'dwQEvent': [48, ['BitField', {'end_bit': 30, 'start_bit': 0}]], 'MsgPPInfo': [60, ['tagMSGPPINFO']], 'FromTouch': [52, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'msg': [8, ['tagMSG']], }], 'HWINSTA__': [0x4, { 'unused': [0, ['long']], }], 'tagWin32PoolHead': [0x10, { 'pPrev': [4, ['pointer', ['tagWin32PoolHead']]], 'pTrace': [12, ['pointer', ['pointer', ['void']]]], 'pNext': [8, ['pointer', ['tagWin32PoolHead']]], 'size': [0, ['unsigned long']], }], 'tagTOUCHINPUT': [0x28, { 'hSource': [8, ['pointer', ['void']]], 'dwExtraInfo': [28, ['unsigned long']], 'cxContact': [32, ['unsigned long']], 'dwMask': [20, ['unsigned long']], 'y': [4, ['long']], 'x': [0, ['long']], 'dwID': [12, ['unsigned long']], 'cyContact': [36, ['unsigned long']], 'dwTime': [24, ['unsigned long']], 'dwFlags': [16, ['unsigned long']], }], '_CALLBACKWND': [0xc, { 'hwnd': [0, ['pointer', ['HWND__']]], 'pActCtx': [8, ['pointer', ['_ACTIVATION_CONTEXT']]], 'pwnd': [4, ['pointer', ['tagWND']]], }], 'HMONITOR__': [0x4, { 'unused': [0, ['long']], }], '_D3DKMDT_GRAPHICS_RENDERING_FORMAT': [0x20, { 'VisibleRegionSize': [8, ['_D3DKMDT_2DREGION']], 'Stride': [16, ['unsigned long']], 'PixelFormat': [20, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDIFMT_UNKNOWN', 20: 'D3DDDIFMT_R8G8B8', 21: 'D3DDDIFMT_A8R8G8B8', 22: 'D3DDDIFMT_X8R8G8B8', 23: 'D3DDDIFMT_R5G6B5', 24: 'D3DDDIFMT_X1R5G5B5', 25: 'D3DDDIFMT_A1R5G5B5', 26: 'D3DDDIFMT_A4R4G4B4', 27: 'D3DDDIFMT_R3G3B2', 28: 'D3DDDIFMT_A8', 29: 'D3DDDIFMT_A8R3G3B2', 30: 'D3DDDIFMT_X4R4G4B4', 31: 'D3DDDIFMT_A2B10G10R10', 32: 'D3DDDIFMT_A8B8G8R8', 33: 'D3DDDIFMT_X8B8G8R8', 34: 'D3DDDIFMT_G16R16', 35: 'D3DDDIFMT_A2R10G10B10', 36: 'D3DDDIFMT_A16B16G16R16', 
40: 'D3DDDIFMT_A8P8', 41: 'D3DDDIFMT_P8', 50: 'D3DDDIFMT_L8', 51: 'D3DDDIFMT_A8L8', 52: 'D3DDDIFMT_A4L4', 60: 'D3DDDIFMT_V8U8', 61: 'D3DDDIFMT_L6V5U5', 62: 'D3DDDIFMT_X8L8V8U8', 63: 'D3DDDIFMT_Q8W8V8U8', 64: 'D3DDDIFMT_V16U16', 65: 'D3DDDIFMT_W11V11U10', 67: 'D3DDDIFMT_A2W10V10U10', 877942852: 'D3DDDIFMT_DXT4', 70: 'D3DDDIFMT_D16_LOCKABLE', 71: 'D3DDDIFMT_D32', 72: 'D3DDDIFMT_S1D15', 73: 'D3DDDIFMT_D15S1', 74: 'D3DDDIFMT_S8D24', 75: 'D3DDDIFMT_D24S8', 76: 'D3DDDIFMT_X8D24', 77: 'D3DDDIFMT_D24X8', 78: 'D3DDDIFMT_X4S4D24', 79: 'D3DDDIFMT_D24X4S4', 80: 'D3DDDIFMT_D16', 81: 'D3DDDIFMT_L16', 82: 'D3DDDIFMT_D32F_LOCKABLE', 83: 'D3DDDIFMT_D24FS8', 84: 'D3DDDIFMT_D32_LOCKABLE', 85: 'D3DDDIFMT_S8_LOCKABLE', 100: 'D3DDDIFMT_VERTEXDATA', 101: 'D3DDDIFMT_INDEX16', 102: 'D3DDDIFMT_INDEX32', 110: 'D3DDDIFMT_Q16W16V16U16', 111: 'D3DDDIFMT_R16F', 112: 'D3DDDIFMT_G16R16F', 113: 'D3DDDIFMT_A16B16G16R16F', 114: 'D3DDDIFMT_R32F', 115: 'D3DDDIFMT_G32R32F', 116: 'D3DDDIFMT_A32B32G32R32F', 117: 'D3DDDIFMT_CxV8U8', 118: 'D3DDDIFMT_A1', 119: 'D3DDDIFMT_A2B10G10R10_XR_BIAS', 150: 'D3DDDIFMT_PICTUREPARAMSDATA', 151: 'D3DDDIFMT_MACROBLOCKDATA', 152: 'D3DDDIFMT_RESIDUALDIFFERENCEDATA', 153: 'D3DDDIFMT_DEBLOCKINGDATA', 154: 'D3DDDIFMT_INVERSEQUANTIZATIONDATA', 155: 'D3DDDIFMT_SLICECONTROLDATA', 156: 'D3DDDIFMT_BITSTREAMDATA', 157: 'D3DDDIFMT_MOTIONVECTORBUFFER', 158: 'D3DDDIFMT_FILMGRAINBUFFER', 159: 'D3DDDIFMT_DXVA_RESERVED9', 160: 'D3DDDIFMT_DXVA_RESERVED10', 161: 'D3DDDIFMT_DXVA_RESERVED11', 162: 'D3DDDIFMT_DXVA_RESERVED12', 163: 'D3DDDIFMT_DXVA_RESERVED13', 164: 'D3DDDIFMT_DXVA_RESERVED14', 165: 'D3DDDIFMT_DXVA_RESERVED15', 166: 'D3DDDIFMT_DXVA_RESERVED16', 167: 'D3DDDIFMT_DXVA_RESERVED17', 168: 'D3DDDIFMT_DXVA_RESERVED18', 169: 'D3DDDIFMT_DXVA_RESERVED19', 170: 'D3DDDIFMT_DXVA_RESERVED20', 171: 'D3DDDIFMT_DXVA_RESERVED21', 172: 'D3DDDIFMT_DXVA_RESERVED22', 173: 'D3DDDIFMT_DXVA_RESERVED23', 174: 'D3DDDIFMT_DXVA_RESERVED24', 175: 'D3DDDIFMT_DXVA_RESERVED25', 176: 'D3DDDIFMT_DXVA_RESERVED26', 
177: 'D3DDDIFMT_DXVA_RESERVED27', 178: 'D3DDDIFMT_DXVA_RESERVED28', 179: 'D3DDDIFMT_DXVA_RESERVED29', 180: 'D3DDDIFMT_DXVA_RESERVED30', 181: 'D3DDDIFMT_DXVACOMPBUFFER_MAX', 844388420: 'D3DDDIFMT_DXT2', 199: 'D3DDDIFMT_BINARYBUFFER', 861165636: 'D3DDDIFMT_DXT3', 827611204: 'D3DDDIFMT_DXT1', 827606349: 'D3DDDIFMT_MULTI2_ARGB8', 1195525970: 'D3DDDIFMT_R8G8_B8G8', 1498831189: 'D3DDDIFMT_UYVY', 844715353: 'D3DDDIFMT_YUY2', 894720068: 'D3DDDIFMT_DXT5', 1111970375: 'D3DDDIFMT_G8R8_G8B8', 2147483647: 'D3DDDIFMT_FORCE_UINT'}}]], 'PixelValueAccessMode': [28, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_PVAM_UNINITIALIZED', 1: 'D3DKMDT_PVAM_DIRECT', 2: 'D3DKMDT_PVAM_PRESETPALETTE', 3: 'D3DKMDT_PVAM_MAXVALID'}}]], 'PrimSurfSize': [0, ['_D3DKMDT_2DREGION']], 'ColorBasis': [24, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], }], '_VK_TO_WCHAR_TABLE': [0x8, { 'pVkToWchars': [0, ['pointer', ['_VK_TO_WCHARS1']]], 'cbSize': [5, ['unsigned char']], 'nModifications': [4, ['unsigned char']], }], '_TL': [0xc, { 'pfnFree': [8, ['pointer', ['void']]], 'pobj': [4, ['pointer', ['void']]], 'next': [0, ['pointer', ['_TL']]], }], '_MOVESIZEDATA': [0xdc, { 'fmsKbd': [160, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'fMoveFromMax': [160, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'fSnapMoving': [160, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'ptRestore': [152, ['tagPOINT']], 'fUsePreviewRect': [160, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'ptStartHitWindowRelative': [192, ['tagPOINT']], 'CurrentHitTarget': [176, ['Enumeration', {'target': 'long', 'choices': {0: 'ThresholdMarginTop', 1: 'ThresholdMarginLeft', 2: 'ThresholdMarginRight', 3: 'ThresholdMarginBottom', 4: 'ThresholdMarginMax'}}]], 'fHasSoftwareCursor': [160, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'fCheckPtForcefullyRestored': [160, 
['BitField', {'end_bit': 19, 'start_bit': 18}]], 'fSnapMovingTemporaryAllowed': [160, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'Unused': [160, ['BitField', {'end_bit': 32, 'start_bit': 28}]], 'fOffScreen': [160, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'fWindowWasSuperMaximized': [160, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'StartCurrentHitTarget': [168, ['Enumeration', {'target': 'long', 'choices': {0: 'ThresholdMarginTop', 1: 'ThresholdMarginLeft', 2: 'ThresholdMarginRight', 3: 'ThresholdMarginBottom', 4: 'ThresholdMarginMax'}}]], 'fSnapSizing': [160, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'fIsMoveSizeLoop': [160, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'rcPreviewCursor': [52, ['tagRECT']], 'dyMouse': [136, ['long']], 'fVerticallyMaximizedRight': [160, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'fTrackCancelled': [160, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'impx': [144, ['long']], 'impy': [148, ['long']], 'fLockWindowUpdate': [160, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'fStartVerticallyMaximizedLeft': [160, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'ptMinTrack': [84, ['tagPOINT']], 'pMonitorCurrentHitTarget': [172, ['pointer', ['tagMONITOR']]], 'rcWindow': [100, ['tagRECT']], 'pStartMonitorCurrentHitTarget': [164, ['pointer', ['tagMONITOR']]], 'cmd': [140, ['long']], 'ptMaxTrack': [92, ['tagPOINT']], 'fForceSizing': [160, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'fThresholdSelector': [160, ['BitField', {'end_bit': 18, 'start_bit': 15}]], 'MoveRectStyle': [180, ['Enumeration', {'target': 'long', 'choices': {0: 'MoveRectKeepPositionAtCursor', 1: 'MoveRectMidTopAtCursor', 2: 'MoveRectKeepAspectRatioAtCursor', 3: 'MoveRectSidewiseKeepPositionAtCursor'}}]], 'fDragFullWindows': [160, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'fForeground': [160, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'ulCountDragOutOfLeftRightTarget': [212, ['unsigned long']], 'ptLastTrack': [200, 
['tagPOINT']], 'frcNormalCheckPtValid': [160, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'fIsHitPtOffScreen': [160, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'fSnapSizingTemporaryAllowed': [160, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'fInitSize': [160, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'dxMouse': [132, ['long']], 'fStartVerticallyMaximizedRight': [160, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'ulCountDragOutOfTopTarget': [208, ['unsigned long']], 'fVerticallyMaximizedLeft': [160, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'spwnd': [0, ['pointer', ['tagWND']]], 'fHasPreviewRect': [160, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'rcPreview': [36, ['tagRECT']], 'rcDragCursor': [20, ['tagRECT']], 'Flags': [160, ['unsigned long']], 'ptHitWindowRelative': [184, ['tagPOINT']], 'rcParent': [68, ['tagRECT']], 'ulCountSizeOutOfTopBottomTarget': [216, ['unsigned long']], 'rcNormalStartCheckPt': [116, ['tagRECT']], 'rcDrag': [4, ['tagRECT']], }], '_LARGE_UNICODE_STRING': [0xc, { 'Buffer': [8, ['pointer', ['unsigned short']]], 'Length': [0, ['unsigned long']], 'MaximumLength': [4, ['BitField', {'end_bit': 31, 'start_bit': 0}]], 'bAnsi': [4, ['BitField', {'end_bit': 32, 'start_bit': 31}]], }], 'VSC_LPWSTR': [0x8, { 'vsc': [0, ['unsigned char']], 'pwsz': [4, ['pointer', ['unsigned short']]], }], '_D3DKMDT_VIDPN_PRESENT_PATH_TRANSFORMATION': [0x10, { 'Scaling': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPS_UNINITIALIZED', 1: 'D3DKMDT_VPPS_IDENTITY', 2: 'D3DKMDT_VPPS_CENTERED', 3: 'D3DKMDT_VPPS_STRETCHED', 4: 'D3DKMDT_VPPS_ASPECTRATIOCENTEREDMAX', 5: 'D3DKMDT_VPPS_CUSTOM', 253: 'D3DKMDT_VPPS_RESERVED1', 254: 'D3DKMDT_VPPS_UNPINNED', 255: 'D3DKMDT_VPPS_NOTSPECIFIED'}}]], 'RotationSupport': [12, ['_D3DKMDT_VIDPN_PRESENT_PATH_ROTATION_SUPPORT']], 'Rotation': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPR_UNINITIALIZED', 1: 'D3DKMDT_VPPR_IDENTITY', 2: 'D3DKMDT_VPPR_ROTATE90', 3: 
'D3DKMDT_VPPR_ROTATE180', 4: 'D3DKMDT_VPPR_ROTATE270', 254: 'D3DKMDT_VPPR_UNPINNED', 255: 'D3DKMDT_VPPR_NOTSPECIFIED'}}]], 'ScalingSupport': [4, ['_D3DKMDT_VIDPN_PRESENT_PATH_SCALING_SUPPORT']], }], 'tagUAHMENUPOPUPMETRICS': [0x14, { 'rgcx': [0, ['array', 4, ['long']]], 'fUpdateMaxWidths': [16, ['BitField', {'end_bit': 1, 'start_bit': 0}]], }], '_THROBJHEAD': [0xc, { 'h': [0, ['pointer', ['void']]], 'pti': [8, ['pointer', ['tagTHREADINFO']]], 'cLockObj': [4, ['unsigned long']], }], '_DMM_COFUNCPATHSMODALITY_SERIALIZATION': [0x8, { 'NumPathsFromSource': [0, ['unsigned char']], 'PathAndTargetModeSetOffset': [4, ['array', 1, ['unsigned long']]], }], 'tagSBTRACK': [0x44, { 'spwndSBNotify': [12, ['pointer', ['tagWND']]], 'hTimerSB': [40, ['unsigned long']], 'cmdSB': [36, ['unsigned long']], 'xxxpfnSB': [32, ['pointer', ['void']]], 'fTrackVert': [0, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'posNew': [56, ['long']], 'posOld': [52, ['long']], 'fCtlSB': [0, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'rcTrack': [16, ['tagRECT']], 'fTrackRecalc': [0, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'spwndSB': [8, ['pointer', ['tagWND']]], 'spwndTrack': [4, ['pointer', ['tagWND']]], 'dpxThumb': [44, ['long']], 'pxOld': [48, ['long']], 'fHitOld': [0, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'pSBCalc': [64, ['pointer', ['tagSBCALC']]], 'nBar': [60, ['long']], }], '__unnamed_18ae': [0x18, { 'Length40': [0, ['unsigned long']], 'Alignment40': [4, ['unsigned long']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], }], '__unnamed_18ac': [0xc, { 'Priority': [0, ['unsigned long']], 'Reserved1': [4, ['unsigned long']], 'Reserved2': [8, ['unsigned long']], }], '__unnamed_1217': [0x4, { 'PowerState': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 
7: 'PowerSystemMaximum'}}]], }], '__unnamed_18aa': [0x10, { 'MinBusNumber': [4, ['unsigned long']], 'Length': [0, ['unsigned long']], 'Reserved': [12, ['unsigned long']], 'MaxBusNumber': [8, ['unsigned long']], }], 'tagDPISERVERINFO': [0x18, { 'hMsgFont': [8, ['pointer', ['HFONT__']]], 'hCaptionFont': [4, ['pointer', ['HFONT__']]], 'gclBorder': [0, ['long']], 'cxMsgFontChar': [12, ['long']], 'wMaxBtnSize': [20, ['unsigned long']], 'cyMsgFontChar': [16, ['long']], }], 'tagOEMBITMAPINFO': [0x10, { 'y': [4, ['long']], 'x': [0, ['long']], 'cy': [12, ['long']], 'cx': [8, ['long']], }], '__unnamed_1787': [0xc, { 'Dma': [0, ['__unnamed_1779']], 'MessageInterrupt': [0, ['__unnamed_1777']], 'Generic': [0, ['__unnamed_1771']], 'Memory': [0, ['__unnamed_1771']], 'BusNumber': [0, ['__unnamed_177d']], 'DeviceSpecificData': [0, ['__unnamed_177f']], 'Memory48': [0, ['__unnamed_1783']], 'Memory40': [0, ['__unnamed_1781']], 'DevicePrivate': [0, ['__unnamed_177b']], 'Memory64': [0, ['__unnamed_1785']], 'Interrupt': [0, ['__unnamed_1773']], 'Port': [0, ['__unnamed_1771']], }], '__unnamed_1785': [0xc, { 'Start': [0, ['_LARGE_INTEGER']], 'Length64': [8, ['unsigned long']], }], '__unnamed_1783': [0xc, { 'Length48': [8, ['unsigned long']], 'Start': [0, ['_LARGE_INTEGER']], }], '__unnamed_1781': [0xc, { 'Length40': [8, ['unsigned long']], 'Start': [0, ['_LARGE_INTEGER']], }], 'HICON__': [0x4, { 'unused': [0, ['long']], }], '_DMM_VIDPNTARGETMODESET_SERIALIZATION': [0x38, { 'NumModes': [0, ['unsigned char']], 'ModeSerialization': [4, ['array', 1, ['_D3DKMDT_VIDPN_TARGET_MODE']]], }], '_D3DMATRIX': [0x40, { '_33': [40, ['float']], '_42': [52, ['float']], '_43': [56, ['float']], '_44': [60, ['float']], '_34': [44, ['float']], '_14': [12, ['float']], '_13': [8, ['float']], '_12': [4, ['float']], '_11': [0, ['float']], '_41': [48, ['float']], '_31': [32, ['float']], '_24': [28, ['float']], '_32': [36, ['float']], '_22': [20, ['float']], '_23': [24, ['float']], '_21': [16, ['float']], }], 
'__unnamed_18a6': [0x14, { 'AffinityPolicy': [8, ['unsigned short']], 'Group': [10, ['unsigned short']], 'PriorityPolicy': [12, ['Enumeration', {'target': 'long', 'choices': {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'}}]], 'MinimumVector': [0, ['unsigned long']], 'MaximumVector': [4, ['unsigned long']], 'TargetedProcessors': [16, ['unsigned long']], }], '__unnamed_18a2': [0x18, { 'Length': [0, ['unsigned long']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'Alignment': [4, ['unsigned long']], }], '__unnamed_18a8': [0x8, { 'MinimumChannel': [0, ['unsigned long']], 'MaximumChannel': [4, ['unsigned long']], }], 'HGESTUREINFO__': [0x4, { 'unused': [0, ['long']], }], '_VK_TO_FUNCTION_TABLE': [0x84, { 'NLSFEProcType': [1, ['unsigned char']], 'NLSFEProcSwitch': [3, ['unsigned char']], 'Vk': [0, ['unsigned char']], 'NLSFEProcCurrent': [2, ['unsigned char']], 'NLSFEProcAlt': [68, ['array', 8, ['_VK_FUNCTION_PARAM']]], 'NLSFEProc': [4, ['array', 8, ['_VK_FUNCTION_PARAM']]], }], '_DMM_VIDPNPATHANDTARGETMODESET_SERIALIZATION': [0x194, { 'PathInfo': [0, ['_D3DKMDT_VIDPN_PRESENT_PATH']], 'TargetModeSet': [348, ['_DMM_VIDPNTARGETMODESET_SERIALIZATION']], }], '__unnamed_11c5': [0x10, { 'ShareAccess': [10, ['unsigned short']], 'EaLength': [12, ['unsigned long']], 'SecurityContext': [0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options': [4, ['unsigned long']], 'FileAttributes': [8, ['unsigned short']], }], 'HDESK__': [0x4, { 'unused': [0, ['long']], }], 'VK_TO_BIT': [0x2, { 'Vk': [0, ['unsigned char']], 'ModBits': [1, ['unsigned char']], }], '__unnamed_11c9': [0x10, { 'ShareAccess': [10, ['unsigned short']], 'Reserved': [8, ['unsigned short']], 'SecurityContext': [0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options': [4, ['unsigned long']], 'Parameters': [12, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], }], 'MODIFIERS': [0x8, { 'wMaxModBits': [4, ['unsigned short']], 'pVkToBit': [0, 
['pointer', ['VK_TO_BIT']]], 'ModNumber': [6, ['array', 0, ['unsigned char']]], }], 'tagIMEINFOEX': [0x15c, { 'fSysWow64Only': [344, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'wszImeFile': [184, ['array', 80, ['wchar']]], 'fLoadFlag': [72, ['long']], 'hkl': [0, ['pointer', ['HKL__']]], 'dwImeWinVersion': [80, ['unsigned long']], 'dwProdVersion': [76, ['unsigned long']], 'wszImeDescription': [84, ['array', 50, ['wchar']]], 'fCUASLayer': [344, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'ImeInfo': [4, ['tagIMEINFO']], 'wszUIClass': [32, ['array', 16, ['wchar']]], 'fInitOpen': [68, ['long']], 'fdwInitConvMode': [64, ['unsigned long']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION_SUPPORT': [0x4, { 'MacroVisionFull': [0, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'MacroVisionApsTrigger': [0, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'NoProtection': [0, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'Reserved': [0, ['BitField', {'end_bit': 32, 'start_bit': 3}]], }], 'tagWND': [0xb0, { 'bEraseBackground': [20, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'spwndOwner': [60, ['pointer', ['tagWND']]], 'bWS_EX_LAYERED': [28, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'bWS_CLIPCHILDREN': [32, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'bMaximizeButtonDown': [24, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'cbwndExtra': [144, ['long']], 'bMakeVisibleWhenUnghosted': [28, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'bUIStateActive': [28, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'hMod16': [40, ['unsigned short']], 'bWS_TABSTOP': [32, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bUnused8': [32, ['BitField', {'end_bit': 18, 'start_bit': 16}]], 'bWS_EX_NOPARENTNOTIFY': [28, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'bForceFullNCPaintClipRgn': [24, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'bDialogWindow': [20, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'lpfnWndProc': [96, ['pointer', ['void']]], 
'bWS_EX_RTLREADING': [28, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'bMinimizeButtonDown': [24, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'bUnused2': [28, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'bUnused3': [28, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'bUnused4': [28, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'bHasMeun': [20, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'bUnused6': [32, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bUnused7': [32, ['BitField', {'end_bit': 18, 'start_bit': 16}]], 'bWS_SIZEBOX': [32, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'style': [32, ['unsigned long']], 'ppropList': [108, ['pointer', ['tagPROPLIST']]], 'hrgnNewFrame': [128, ['pointer', ['HRGN__']]], 'bHasOverlay': [172, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'bUnused9': [32, ['BitField', {'end_bit': 19, 'start_bit': 16}]], 'bClipboardListener': [172, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'bScrollBarLineDownBtnDown': [24, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'bReserved3': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bRedirectedForPrint': [172, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'bWS_EX_RIGHT': [28, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'bStartPaint': [24, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'bHasCreatestructName': [20, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'bWS_EX_COMPOSITED': [28, ['BitField', {'end_bit': 26, 'start_bit': 25}]], 'bFullScreen': [24, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'spwndLastActive': [148, ['pointer', ['tagWND']]], 'hrgnUpdate': [104, ['pointer', ['HRGN__']]], 'head': [0, ['_THRDESKHEAD']], 'bConsoleWindow': [172, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'bHiddenPopup': [20, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'hrgnClip': [124, ['pointer', ['HRGN__']]], 'bWS_EX_CONTROLPARENT': [28, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bWS_EX_TOPMOST': [28, ['BitField', {'end_bit': 4, 'start_bit': 
3}]], 'bSendEraseBackground': [20, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'bScrollBarLineUpBtnDown': [24, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bWin50Compat': [24, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'bRecievedQuerySuspendMsg': [20, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'bMaximizeMonitorRegion': [24, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'bLayeredLimbo': [172, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'bRedrawIfHung': [20, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'FullScreenMode': [24, ['BitField', {'end_bit': 27, 'start_bit': 24}]], 'bLayeredInvalidate': [172, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'bVerticallyMaximizedLeft': [172, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'bWS_POPUP': [32, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'bWS_EX_CONTEXTHELP': [28, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'dwUserData': [156, ['unsigned long']], 'bDisabled': [32, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'bAnsiWindowProc': [20, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'bWin40Compat': [24, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'bWS_EX_NOINHERITLAYOUT': [28, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'rcClient': [80, ['tagRECT']], 'bAnsiCreator': [20, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'bAnyScrollButtonDown': [24, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'bWS_EX_LAYOUTRTL': [28, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'bUIStateKbdAccelHidden': [28, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'bSendSizeMoveMsgs': [20, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'spwndParent': [52, ['pointer', ['tagWND']]], 'bLinked': [172, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'bSendNCPaint': [20, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'bToggleTopmost': [20, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'bInternalPaint': [20, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'bDestroyed': [20, ['BitField', 
{'end_bit': 32, 'start_bit': 31}]], 'bHasClientEdge': [24, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'bServerSideWindowProc': [20, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'bCaptionTextTruncated': [24, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'rcWindow': [64, ['tagRECT']], 'bEndPaintInvalidate': [24, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'bHasPalette': [20, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'bHasHorizontalScrollbar': [20, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'bUIStateFocusRectHidden': [28, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'bReserved1': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bWS_EX_COMPOSITEDCompositing': [28, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'bWS_EX_MDICHILD': [28, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'bHasVerticalScrollbar': [20, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'bReserved2': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bWMCreateMsgProcessed': [24, ['BitField', {'end_bit': 32, 'start_bit': 31}]], 'bMinimized': [32, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'bWS_EX_NOACTIVATE': [28, ['BitField', {'end_bit': 28, 'start_bit': 27}]], 'bWS_EX_APPWINDOW': [28, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'pSBInfo': [112, ['pointer', ['tagSBINFO']]], 'bSmallIconFromWMQueryDrag': [24, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'bNoNCPaint': [20, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'bCloseButtonDown': [24, ['BitField', {'end_bit': 13, 'start_bit': 12}]], 'bUnused1': [28, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'bHasSPB': [20, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'bWS_MINIMIZEBOX': [32, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'bMaximized': [32, ['BitField', {'end_bit': 25, 'start_bit': 24}]], 'bScrollBarVerticalTracking': [24, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'bWS_CHILD': [32, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'bReserved5': [32, ['BitField', {'end_bit': 16, 
'start_bit': 0}]], 'bWS_EX_DLGMODALFRAME': [28, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'bWS_EX_TRANSPARENT': [28, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'spmenu': [120, ['pointer', ['tagMENU']]], 'bWS_THICKFRAME': [32, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'bPaintNotProcessed': [20, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'bSyncPaintPending': [20, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'pcls': [100, ['pointer', ['tagCLS']]], 'bLayeredForDWM': [172, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'bMsgBox': [20, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'bShellHookRegistered': [24, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'spwndChild': [56, ['pointer', ['tagWND']]], 'bUnused5': [32, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bHelpButtonDown': [24, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'bInDestroy': [24, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'state': [20, ['unsigned long']], 'strName': [132, ['_LARGE_UNICODE_STRING']], 'spwndPrev': [48, ['pointer', ['tagWND']]], 'bRedrawFrameIfHung': [20, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'bWS_EX_LEFTSCROLLBAR': [28, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'bWS_EX_TOOLWINDOW': [28, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'bWS_VSCROLL': [32, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'bMaximizesToMonitor': [20, ['BitField', {'end_bit': 31, 'start_bit': 30}]], 'bNoMinmaxAnimatedRects': [24, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'fnid': [42, ['unsigned short']], 'ExStyle': [28, ['unsigned long']], 'bRedirected': [28, ['BitField', {'end_bit': 30, 'start_bit': 29}]], 'bActiveFrame': [20, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'bReserved4': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bWS_EX_WINDOWEDGE': [28, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'bReserved6': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 'bReserved7': [32, ['BitField', {'end_bit': 16, 'start_bit': 0}]], 
'bWS_CLIPSIBLINGS': [32, ['BitField', {'end_bit': 27, 'start_bit': 26}]], 'bWS_EX_ACCEPTFILE': [28, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'bWS_HSCROLL': [32, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'bUpdateDirty': [20, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'bBeingActivated': [20, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'state2': [24, ['unsigned long']], 'spwndNext': [44, ['pointer', ['tagWND']]], 'bScrollBarPageDownBtnDown': [24, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'bWS_BORDER': [32, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'bWMPaintSent': [24, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'bScrollBarPageUpBtnDown': [24, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'pTransform': [164, ['pointer', ['_D3DMATRIX']]], 'bWS_MAXIMIZEBOX': [32, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'bVisible': [32, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'bVerticallyMaximizedRight': [172, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'bWin31Compat': [24, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'bWS_EX_STATICEDGE': [28, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'bForceMenuDraw': [20, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'bForceNCPaint': [24, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'ExStyle2': [172, ['unsigned long']], 'bOldUI': [24, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'bWS_DLGFRAME': [32, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'bHIGHDPI_UNAWARE_Unused': [172, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'bWS_SYSMENU': [32, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'spwndClipboardListenerNext': [168, ['pointer', ['tagWND']]], 'hModule': [36, ['pointer', ['void']]], 'bWS_EX_NOPADDEDBORDER': [28, ['BitField', {'end_bit': 24, 'start_bit': 23}]], 'pActCtx': [160, ['pointer', ['_ACTIVATION_CONTEXT']]], 'bBottomMost': [24, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'spmenuSys': [116, ['pointer', ['tagMENU']]], 'bRecievedSuspendMsg': [20, 
['BitField', {'end_bit': 26, 'start_bit': 25}]], 'bWS_EX_CLIENTEDGE': [28, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'bHasCaption': [20, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'hImc': [152, ['pointer', ['HIMC__']]], 'bChildNoActivate': [172, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'bWS_GROUP': [32, ['BitField', {'end_bit': 18, 'start_bit': 17}]], }], 'tagUAHMENUITEMMETRICS': [0x20, { 'rgsizeBar': [0, ['array', 2, ['tagSIZE']]], 'rgsizePopup': [0, ['array', 4, ['tagSIZE']]], }], '__unnamed_11cd': [0x10, { 'ShareAccess': [10, ['unsigned short']], 'Reserved': [8, ['unsigned short']], 'SecurityContext': [0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options': [4, ['unsigned long']], 'Parameters': [12, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], }], '__unnamed_11cf': [0x10, { 'Length': [0, ['unsigned long']], 'ByteOffset': [8, ['_LARGE_INTEGER']], 'Key': [4, ['unsigned long']], }], '_DXGK_DIAG_CODE_POINT_PACKET': [0x40, { 'Header': [0, ['_DXGK_DIAG_HEADER']], 'Param3': [60, ['unsigned long']], 'Param1': [52, ['unsigned long']], 'CodePointType': [48, ['Enumeration', {'target': 'long', 'choices': {0: 'DXGK_DIAG_CODE_POINT_TYPE_NONE', 1: 'DXGK_DIAG_CODE_POINT_TYPE_RECOMMEND_FUNC_VIDPN', 2: 'DXGK_DIAG_CODE_POINT_TYPE_OS_RECOMMENDED_VIDPN', 3: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_LOG_FAILURE', 4: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_INVALIDATE_ERROR', 5: 'DXGK_DIAG_CODE_POINT_TYPE_CDS_LOG_FAILURE', 7: 'DXGK_DIAG_CODE_POINT_TYPE_CDS_FAILURE_DB', 8: 'DXGK_DIAG_CODE_POINT_TYPE_RETRIEVE_BTL', 9: 'DXGK_DIAG_CODE_POINT_TYPE_RETRIEVE_DB', 10: 'DXGK_DIAG_CODE_POINT_TYPE_QDC_LOG_FAILURE', 11: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_ON_GDI', 12: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_OFF_GDI', 13: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_ON_MONITOR', 14: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_OFF_MONITOR', 15: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_DIM_MONITOR', 16: 'DXGK_DIAG_CODE_POINT_TYPE_POWER_UNDIM_MONITOR', 17: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BACKTRACK', 18: 
'DXGK_DIAG_CODE_POINT_TYPE_BML_CLOSEST_TARGET_MODE', 19: 'DXGK_DIAG_CODE_POINT_TYPE_BML_NO_EXACT_SOURCE_MODE', 20: 'DXGK_DIAG_CODE_POINT_TYPE_BML_NO_EXACT_TARGET_MODE', 21: 'DXGK_DIAG_CODE_POINT_TYPE_BML_SOURCE_MODE_NOT_PINNED', 22: 'DXGK_DIAG_CODE_POINT_TYPE_BML_TARGET_MODE_NOT_PINNED', 23: 'DXGK_DIAG_CODE_POINT_TYPE_BML_RESTARTED', 24: 'DXGK_DIAG_CODE_POINT_TYPE_TDR', 25: 'DXGK_DIAG_CODE_POINT_TYPE_ACPI_EVENT_NOTIFICATION', 26: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEMDEV_USE_DEFAULT_MODE', 27: 'DXGK_DIAG_CODE_POINT_TYPE_CONNECTED_SET_LOG_FAILURE', 28: 'DXGK_DIAG_CODE_POINT_TYPE_INVALIDATE_DXGK_MODE_CACHE', 29: 'DXGK_DIAG_CODE_POINT_TYPE_REBUILD_DXGK_MODE_CACHE', 30: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEFUNVIDPN_RELAX_REFRESH_MATCH', 31: 'DXGK_DIAG_CODE_POINT_TYPE_CREATEFUNVIDPN_CCDBML_FAIL_VISTABML_SUCCESSED', 32: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BEST_SOURCE_MODE', 33: 'DXGK_DIAG_CODE_POINT_TYPE_BML_BEST_TARGET_MODE', 34: 'DXGK_DIAG_CODE_POINT_TYPE_ADD_DEVICE', 35: 'DXGK_DIAG_CODE_POINT_TYPE_START_ADAPTER', 36: 'DXGK_DIAG_CODE_POINT_TYPE_STOP_ADAPTER', 37: 'DXGK_DIAG_CODE_POINT_TYPE_CHILD_POLLING', 38: 'DXGK_DIAG_CODE_POINT_TYPE_CHILD_POLLING_TARGET', 39: 'DXGK_DIAG_CODE_POINT_TYPE_INDICATE_CHILD_STATUS', 40: 'DXGK_DIAG_CODE_POINT_TYPE_HANDLE_IRP', 41: 'DXGK_DIAG_CODE_POINT_TYPE_CHANGE_UNSUPPORTED_MONITOR_MODE_FLAG', 42: 'DXGK_DIAG_CODE_POINT_TYPE_ACPI_NOTIFY_CALLBACK', 43: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_EVICTALL_DISABLEGDI', 44: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_EVICTALL_ENABLEGDI', 45: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_EXCLUDE_MODESWITCH', 46: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_SYNC_MONITOR_EVENT', 47: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_PNP_NOTIFY_GDI', 48: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_PNP_ENABLE_VGA', 49: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_TDR_SWITCH_GDI', 50: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_CREATE_DEVICE_FAILED', 51: 
'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_DEVICE_REMOVED', 52: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_DRVASSERTMODE_TRUE_FAILED', 53: 'DXGK_DIAG_CODE_POINT_TYPE_VIDEOPORTCALLOUT_CDD_RECREATE_DEVICE_FAILED', 54: 'DXGK_DIAG_CODE_POINT_TYPE_CDD_MAPSHADOWBUFFER_FAILED', 55: 'DXGK_DIAG_CODE_POINT_TYPE_COMMIT_VIDPN_LOG_FAILURE', 56: 'DXGK_DIAG_CODE_POINT_TYPE_DRIVER_RECOMMEND_LOG_FAILURE', 57: 'DXGK_DIAG_CODE_POINT_TYPE_SDC_ENFORCED_CLONE_PATH_INVALID_SOURCE_IDX', 58: 'DXGK_DIAG_CODE_POINT_TYPE_DRVPROBEANDCAPTURE_FAILED', 59: 'DXGK_DIAG_CODE_POINT_TYPE_DXGKCDDENABLE_OPTIMIZED_MODE_CHANGE', 60: 'DXGK_DIAG_CODE_POINT_TYPE_DXGKSETDISPLAYMODE_OPTIMIZED_MODE_CHANGE', 61: 'DXGK_DIAG_CODE_POINT_TYPE_MON_DEPART_GETRECENTTOP_FAIL', 62: 'DXGK_DIAG_CODE_POINT_TYPE_MON_ARRIVE_INC_ADD_FAIL', 63: 'DXGK_DIAG_CODE_POINT_TYPE_CCD_DATABASE_PERSIST', 64: 'DXGK_DIAG_CODE_POINT_TYPE_MAX', -1: 'DXGK_DIAG_CODE_POINT_TYPE_FORCE_UINT32'}}]], 'Param2': [56, ['unsigned long']], }], 'tagW32JOB': [0x28, { 'restrictions': [12, ['unsigned long']], 'Job': [4, ['pointer', ['_EJOB']]], 'ughCrt': [28, ['unsigned long']], 'pgh': [36, ['pointer', ['unsigned long']]], 'ppiTable': [24, ['pointer', ['pointer', ['tagPROCESSINFO']]]], 'ughMax': [32, ['unsigned long']], 'pAtomTable': [8, ['pointer', ['void']]], 'uProcessCount': [16, ['unsigned long']], 'uMaxProcesses': [20, ['unsigned long']], 'pNext': [0, ['pointer', ['tagW32JOB']]], }], 'tagMBSTRING': [0x28, { 'szName': [0, ['array', 15, ['wchar']]], 'uID': [32, ['unsigned long']], 'uStr': [36, ['unsigned long']], }], '_D3DKMDT_VIDPN_TARGET_MODE': [0x34, { 'VideoSignalInfo': [4, ['_D3DKMDT_VIDEO_SIGNAL_INFO']], 'Id': [0, ['unsigned long']], 'Preference': [48, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MP_UNINITIALIZED', 1: 'D3DKMDT_MP_PREFERRED', 2: 'D3DKMDT_MP_MAXVALID'}}]], }], 'tagDESKTOP': [0x84, { 'spmenuVScroll': [40, ['pointer', ['tagMENU']]], 'dwMouseHoverTime': [124, ['unsigned long']], 'rpwinstaParent': [16, ['pointer', 
['tagWINDOWSTATION']]], 'spmenuDialogSys': [32, ['pointer', ['tagMENU']]], 'spwndForeground': [44, ['pointer', ['tagWND']]], 'spmenuHScroll': [36, ['pointer', ['tagMENU']]], 'spwndTooltip': [56, ['pointer', ['tagWND']]], 'dwSessionId': [0, ['unsigned long']], 'pDeskInfo': [4, ['pointer', ['tagDESKTOPINFO']]], 'spwndMessage': [52, ['pointer', ['tagWND']]], 'cciConsole': [72, ['_CONSOLE_CARET_INFO']], 'PtiList': [92, ['_LIST_ENTRY']], 'spwndTray': [48, ['pointer', ['tagWND']]], 'rpdeskNext': [12, ['pointer', ['tagDESKTOP']]], 'dwDTFlags': [20, ['unsigned long']], 'pMagInputTransform': [128, ['pointer', ['_MAGNIFICATION_INPUT_TRANSFORM']]], 'spwndTrack': [100, ['pointer', ['tagWND']]], 'htEx': [104, ['long']], 'ulHeapSize': [68, ['unsigned long']], 'pheapDesktop': [64, ['pointer', ['tagWIN32HEAP']]], 'hsectionDesktop': [60, ['pointer', ['void']]], 'rcMouseHover': [108, ['tagRECT']], 'dwDesktopId': [24, ['unsigned long']], 'spmenuSys': [28, ['pointer', ['tagMENU']]], 'pDispInfo': [8, ['pointer', ['tagDISPLAYINFO']]], }], 'tagPOOLRECORD': [0x20, { 'ExtraData': [0, ['pointer', ['void']]], 'trace': [8, ['array', 6, ['pointer', ['void']]]], 'size': [4, ['unsigned long']], }], 'tagSPB': [0x28, { 'hbm': [8, ['pointer', ['HBITMAP__']]], 'hrgn': [28, ['pointer', ['HRGN__']]], 'ulSaveId': [36, ['unsigned long']], 'flags': [32, ['unsigned long']], 'rc': [12, ['tagRECT']], 'pspbNext': [0, ['pointer', ['tagSPB']]], 'spwnd': [4, ['pointer', ['tagWND']]], }], '_DMM_COMMITVIDPNREQUEST_DIAGINFO': [0xc, { 'ForceAllActiveVidPnModeListInvalidation': [4, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'ClientType': [0, ['BitField', {'end_bit': 4, 'start_bit': 0}]], 'VidPnChange': [0, ['BitField', {'end_bit': 8, 'start_bit': 4}]], 'ModeChangeRequestId': [8, ['unsigned long']], 'ReclaimClonedTarget': [4, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'CleanupAfterFailedCommitVidPn': [4, ['BitField', {'end_bit': 2, 'start_bit': 1}]], }], 'HFONT__': [0x4, { 'unused': [0, ['long']], }], 
'tagTEXTMETRICW': [0x3c, { 'tmCharSet': [56, ['unsigned char']], 'tmDigitizedAspectY': [40, ['long']], 'tmStruckOut': [54, ['unsigned char']], 'tmItalic': [52, ['unsigned char']], 'tmDigitizedAspectX': [36, ['long']], 'tmWeight': [28, ['long']], 'tmFirstChar': [44, ['wchar']], 'tmOverhang': [32, ['long']], 'tmDescent': [8, ['long']], 'tmPitchAndFamily': [55, ['unsigned char']], 'tmDefaultChar': [48, ['wchar']], 'tmLastChar': [46, ['wchar']], 'tmBreakChar': [50, ['wchar']], 'tmMaxCharWidth': [24, ['long']], 'tmUnderlined': [53, ['unsigned char']], 'tmInternalLeading': [12, ['long']], 'tmAscent': [4, ['long']], 'tmHeight': [0, ['long']], 'tmAveCharWidth': [20, ['long']], 'tmExternalLeading': [16, ['long']], }], '_KLIST_ENTRY': [0x8, { 'Flink': [0, ['pointer', ['_KLIST_ENTRY']]], 'Blink': [4, ['pointer', ['_KLIST_ENTRY']]], }], '__unnamed_1244': [0x28, { 'Wcb': [0, ['_WAIT_CONTEXT_BLOCK']], 'ListEntry': [0, ['_LIST_ENTRY']], }], 'tagPROP': [0x8, { 'fs': [6, ['unsigned short']], 'hData': [0, ['pointer', ['void']]], 'atomKey': [4, ['unsigned short']], }], 'tagCLIENTTHREADINFO': [0x10, { 'fsWakeMask': [10, ['unsigned short']], 'CTIF_flags': [0, ['unsigned long']], 'fsWakeBits': [6, ['unsigned short']], 'fsWakeBitsJournal': [8, ['unsigned short']], 'fsChangeBits': [4, ['unsigned short']], 'tickLastMsgChecked': [12, ['unsigned long']], }], 'tagKbdNlsLayer': [0x14, { 'OEMIdentifier': [0, ['unsigned short']], 'NumOfVkToF': [4, ['unsigned long']], 'pusMouseVKey': [16, ['pointer', ['unsigned short']]], 'NumOfMouseVKey': [12, ['long']], 'pVkToF': [8, ['pointer', ['_VK_TO_FUNCTION_TABLE']]], 'LayoutInformation': [2, ['unsigned short']], }], 'HBITMAP__': [0x4, { 'unused': [0, ['long']], }], '__unnamed_11fe': [0x4, { 'Capabilities': [0, ['pointer', ['_DEVICE_CAPABILITIES']]], }], '__unnamed_18b2': [0x18, { 'Length64': [0, ['unsigned long']], 'MaximumAddress': [16, ['_LARGE_INTEGER']], 'MinimumAddress': [8, ['_LARGE_INTEGER']], 'Alignment64': [4, ['unsigned long']], }], 
'__unnamed_11fa': [0x10, { 'Interface': [8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData': [12, ['pointer', ['void']]], 'Version': [6, ['unsigned short']], 'InterfaceType': [0, ['pointer', ['_GUID']]], 'Size': [4, ['unsigned short']], }], 'tagPROCESS_HID_TABLE': [0x38, { 'UsagePageLast': [48, ['unsigned short']], 'fExclusiveMouseSink': [52, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'fRawKeyboardSink': [52, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'fAppKeys': [52, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'fCaptureMouse': [52, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'fNoLegacyMouse': [52, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'UsageLast': [50, ['unsigned short']], 'fRawKeyboard': [52, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'fNoLegacyKeyboard': [52, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'nSinks': [40, ['long']], 'fNoHotKeys': [52, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'spwndTargetMouse': [32, ['pointer', ['tagWND']]], 'spwndTargetKbd': [36, ['pointer', ['tagWND']]], 'UsagePageList': [16, ['_LIST_ENTRY']], 'link': [0, ['_LIST_ENTRY']], 'fExclusiveKeyboardSink': [52, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'pLastRequest': [44, ['pointer', ['tagPROCESS_HID_REQUEST']]], 'ExclusionList': [24, ['_LIST_ENTRY']], 'fRawMouse': [52, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'fRawMouseSink': [52, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'InclusionList': [8, ['_LIST_ENTRY']], }], '_KFLOATING_SAVE': [0x20, { 'ErrorOffset': [8, ['unsigned long']], 'DataOffset': [16, ['unsigned long']], 'ControlWord': [0, ['unsigned long']], 'DataSelector': [20, ['unsigned long']], 'Cr0NpxState': [24, ['unsigned long']], 'StatusWord': [4, ['unsigned long']], 'Spare1': [28, ['unsigned long']], 'ErrorSelector': [12, ['unsigned long']], }], 'tagRECT': [0x10, { 'top': [4, ['long']], 'right': [8, ['long']], 'bottom': [12, ['long']], 'left': [0, ['long']], }], '__unnamed_17ff': [0x20, { 'Text': [0, ['Enumeration', 
{'target': 'long', 'choices': {0: 'D3DKMDT_TRF_UNINITIALIZED'}}]], 'Graphics': [0, ['_D3DKMDT_GRAPHICS_RENDERING_FORMAT']], }], 'HBRUSH__': [0x4, { 'unused': [0, ['long']], }], '_TLSPRITESTATE': [0x60, { 'flOriginalSurfFlags': [4, ['unsigned long']], 'iSpriteType': [16, ['unsigned long']], 'pfnSaveScreenBits': [84, ['pointer', ['void']]], 'bInsideDriverCall': [0, ['unsigned char']], 'pfnStrokePath': [36, ['pointer', ['void']]], 'pfnTransparentBlt': [68, ['pointer', ['void']]], 'pfnPaint': [44, ['pointer', ['void']]], 'pfnFillPath': [40, ['pointer', ['void']]], 'pfnStretchBltROP': [88, ['pointer', ['void']]], 'iType': [24, ['unsigned long']], 'pfnPlgBlt': [76, ['pointer', ['void']]], 'pfnCopyBits': [52, ['pointer', ['void']]], 'pState': [28, ['pointer', ['void']]], 'iOriginalType': [8, ['unsigned long']], 'pfnTextOut': [60, ['pointer', ['void']]], 'pfnDrawStream': [92, ['pointer', ['void']]], 'pfnStrokeAndFillPath': [32, ['pointer', ['void']]], 'pfnLineTo': [64, ['pointer', ['void']]], 'pfnStretchBlt': [56, ['pointer', ['void']]], 'pfnGradientFill': [80, ['pointer', ['void']]], 'pfnAlphaBlend': [72, ['pointer', ['void']]], 'flags': [20, ['unsigned long']], 'flSpriteSurfFlags': [12, ['unsigned long']], 'pfnBitBlt': [48, ['pointer', ['void']]], }], 'tagSMS': [0x3c, { 'wParam': [40, ['unsigned long']], 'lParam': [44, ['long']], 'lRet': [28, ['long']], 'psmsReceiveNext': [4, ['pointer', ['tagSMS']]], 'tSent': [32, ['unsigned long']], 'psmsNext': [0, ['pointer', ['tagSMS']]], 'ptiCallBackSender': [24, ['pointer', ['tagTHREADINFO']]], 'ptiReceiver': [12, ['pointer', ['tagTHREADINFO']]], 'lpResultCallBack': [16, ['pointer', ['void']]], 'message': [48, ['unsigned long']], 'dwData': [20, ['unsigned long']], 'ptiSender': [8, ['pointer', ['tagTHREADINFO']]], 'flags': [36, ['unsigned long']], 'pvCapture': [56, ['pointer', ['void']]], 'spwnd': [52, ['pointer', ['tagWND']]], }], '_D3DKMDT_FREQUENCY_RANGE': [0x20, { 'MinVSyncFreq': [0, ['_D3DDDI_RATIONAL']], 'MaxVSyncFreq': [8, 
['_D3DDDI_RATIONAL']], 'MaxHSyncFreq': [24, ['_D3DDDI_RATIONAL']], 'MinHSyncFreq': [16, ['_D3DDDI_RATIONAL']], }], '__unnamed_11f4': [0x4, { 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'}}]], }], '__unnamed_11f0': [0x4, { 'Srb': [0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], }], 'HRGN__': [0x4, { 'unused': [0, ['long']], }], 'tagSIZE': [0x8, { 'cy': [4, ['long']], 'cx': [0, ['long']], }], 'tagDESKTOPVIEW': [0xc, { 'ulClientDelta': [8, ['unsigned long']], 'pdesk': [4, ['pointer', ['tagDESKTOP']]], 'pdvNext': [0, ['pointer', ['tagDESKTOPVIEW']]], }], '__unnamed_120a': [0x4, { 'IdType': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'}}]], }], '__unnamed_120e': [0x8, { 'DeviceTextType': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'}}]], 'LocaleId': [4, ['unsigned long']], }], '_DMM_VIDPNPATHSFROMSOURCE_SERIALIZATION': [0x1bc, { 'PathAndTargetModeSerialization': [44, ['array', 1, ['_DMM_VIDPNPATHANDTARGETMODE_SERIALIZATION']]], 'NumPathsFromSource': [40, ['unsigned char']], 'SourceMode': [0, ['_D3DKMDT_VIDPN_SOURCE_MODE']], }], '_D3DDDI_GAMMA_RAMP_RGB256x3x16': [0x600, { 'Blue': [1024, ['array', 256, ['unsigned short']]], 'Green': [512, ['array', 256, ['unsigned short']]], 'Red': [0, ['array', 256, ['unsigned short']]], }], '_CALLPROCDATA': [0x20, { 'head': [0, ['_PROCDESKHEAD']], 'pfnClientPrevious': [24, ['unsigned long']], 'wType': [28, ['unsigned short']], 'spcpdNext': [20, ['pointer', ['_CALLPROCDATA']]], }], '_D3DDDI_RATIONAL': [0x8, { 'Denominator': [4, ['unsigned long']], 'Numerator': [0, ['unsigned long']], }], '_PFNCLIENT': [0x5c, { 'pfnDispatchDefWindowProc': [80, 
['pointer', ['void']]], 'pfnStaticWndProc': [56, ['pointer', ['void']]], 'pfnDispatchHook': [76, ['pointer', ['void']]], 'pfnDesktopWndProc': [12, ['pointer', ['void']]], 'pfnImeWndProc': [60, ['pointer', ['void']]], 'pfnScrollBarWndProc': [0, ['pointer', ['void']]], 'pfnEditWndProc': [44, ['pointer', ['void']]], 'pfnGhostWndProc': [64, ['pointer', ['void']]], 'pfnMessageWindowProc': [20, ['pointer', ['void']]], 'pfnSwitchWindowProc': [24, ['pointer', ['void']]], 'pfnComboListBoxProc': [36, ['pointer', ['void']]], 'pfnComboBoxWndProc': [32, ['pointer', ['void']]], 'pfnMDIClientWndProc': [52, ['pointer', ['void']]], 'pfnDialogWndProc': [40, ['pointer', ['void']]], 'pfnHkINLPCWPSTRUCT': [68, ['pointer', ['void']]], 'pfnTitleWndProc': [4, ['pointer', ['void']]], 'pfnHkINLPCWPRETSTRUCT': [72, ['pointer', ['void']]], 'pfnButtonWndProc': [28, ['pointer', ['void']]], 'pfnMenuWndProc': [8, ['pointer', ['void']]], 'pfnListBoxWndProc': [48, ['pointer', ['void']]], 'pfnDispatchMessage': [84, ['pointer', ['void']]], 'pfnDefWindowProc': [16, ['pointer', ['void']]], 'pfnMDIActivateDlgProc': [88, ['pointer', ['void']]], }], '_THRDESKHEAD': [0x14, { 'h': [0, ['pointer', ['void']]], 'pSelf': [16, ['pointer', ['unsigned char']]], 'rpdesk': [12, ['pointer', ['tagDESKTOP']]], 'pti': [8, ['pointer', ['tagTHREADINFO']]], 'cLockObj': [4, ['unsigned long']], }], 'tagSVR_INSTANCE_INFO': [0x20, { 'head': [0, ['_THROBJHEAD']], 'next': [12, ['pointer', ['tagSVR_INSTANCE_INFO']]], 'nextInThisThread': [16, ['pointer', ['tagSVR_INSTANCE_INFO']]], 'spwndEvent': [24, ['pointer', ['tagWND']]], 'afCmd': [20, ['unsigned long']], 'pcii': [28, ['pointer', ['void']]], }], '_D3DKMDT_MONITOR_SOURCE_MODE': [0x4c, { 'Origin': [68, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 
'D3DKMDT_MCO_MAXVALID'}}]], 'VideoSignalInfo': [4, ['_D3DKMDT_VIDEO_SIGNAL_INFO']], 'ColorCoeffDynamicRanges': [52, ['_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES']], 'Preference': [72, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MP_UNINITIALIZED', 1: 'D3DKMDT_MP_PREFERRED', 2: 'D3DKMDT_MP_MAXVALID'}}]], 'Id': [0, ['unsigned long']], 'ColorBasis': [48, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], }], 'VWPL': [0x10, { 'fTagged': [12, ['long']], 'cElem': [4, ['unsigned long']], 'cThreshhold': [8, ['unsigned long']], 'aElement': [16, ['array', 0, ['VWPLELEMENT']]], 'cPwnd': [0, ['unsigned long']], }], 'tagCURSOR': [0x54, { 'rt': [30, ['unsigned short']], 'head': [0, ['_PROCMARKHEAD']], 'hbmUserAlpha': [68, ['pointer', ['HBITMAP__']]], 'cx': [76, ['unsigned long']], 'xHotspot': [36, ['short']], 'hbmColor': [44, ['pointer', ['HBITMAP__']]], 'pcurNext': [16, ['pointer', ['tagCURSOR']]], 'CURSORF_flags': [32, ['unsigned long']], 'hbmMask': [40, ['pointer', ['HBITMAP__']]], 'bpp': [72, ['unsigned long']], 'cy': [80, ['unsigned long']], 'strName': [20, ['_UNICODE_STRING']], 'rcBounds': [52, ['tagRECT']], 'atomModName': [28, ['unsigned short']], 'hbmAlpha': [48, ['pointer', ['HBITMAP__']]], 'yHotspot': [38, ['short']], }], '__unnamed_1202': [0x4, { 'IoResourceRequirementList': [0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], }], '__unnamed_1206': [0x1, { 'Lock': [0, ['unsigned char']], }], '__unnamed_1204': [0x10, { 'Buffer': [4, ['pointer', ['void']]], 'WhichSpace': [0, ['unsigned long']], 'Length': [12, ['unsigned long']], 'Offset': [8, ['unsigned long']], }], 'HKL__': [0x4, { 'unused': [0, ['long']], }], 'tagDCE': [0x30, { 'hrgnClipPublic': [24, ['pointer', ['HRGN__']]], 'pdceNext': [0, ['pointer', ['tagDCE']]], 'hrgnSavedVis': [28, ['pointer', ['HRGN__']]], 'pwndRedirect': [16, ['pointer', ['tagWND']]], 
'pMonitor': [44, ['pointer', ['tagMONITOR']]], 'ppiOwner': [40, ['pointer', ['tagPROCESSINFO']]], 'pwndOrg': [8, ['pointer', ['tagWND']]], 'hrgnClip': [20, ['pointer', ['HRGN__']]], 'hdc': [4, ['pointer', ['HDC__']]], 'ptiOwner': [36, ['pointer', ['tagTHREADINFO']]], 'DCX_flags': [32, ['unsigned long']], 'pwndClip': [12, ['pointer', ['tagWND']]], }], 'tagPROCESS_HID_REQUEST': [0x18, { 'link': [0, ['_LIST_ENTRY']], 'fExclusiveOrphaned': [12, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'spwndTarget': [20, ['pointer', ['tagWND']]], 'fSinkable': [12, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'pTLCInfo': [16, ['pointer', ['tagHID_TLC_INFO']]], 'fDevNotify': [12, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'fExSinkable': [12, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'usUsage': [10, ['unsigned short']], 'ptr': [16, ['pointer', ['void']]], 'pPORequest': [16, ['pointer', ['tagHID_PAGEONLY_REQUEST']]], 'usUsagePage': [8, ['unsigned short']], }], 'tagWOWTHREADINFO': [0x14, { 'idParentProcess': [12, ['unsigned long']], 'pwtiNext': [0, ['pointer', ['tagWOWTHREADINFO']]], 'idTask': [4, ['unsigned long']], 'pIdleEvent': [16, ['pointer', ['_KEVENT']]], 'idWaitObject': [8, ['unsigned long']], }], '__unnamed_11bb': [0x28, { 'AuxiliaryBuffer': [20, ['pointer', ['unsigned char']]], 'Thread': [16, ['pointer', ['_ETHREAD']]], 'OriginalFileObject': [36, ['pointer', ['_FILE_OBJECT']]], 'DeviceQueueEntry': [0, ['_KDEVICE_QUEUE_ENTRY']], 'PacketType': [32, ['unsigned long']], 'CurrentStackLocation': [32, ['pointer', ['_IO_STACK_LOCATION']]], 'ListEntry': [24, ['_LIST_ENTRY']], 'DriverContext': [0, ['array', 4, ['pointer', ['void']]]], }], '__unnamed_11be': [0x30, { 'Apc': [0, ['_KAPC']], 'CompletionKey': [0, ['pointer', ['void']]], 'Overlay': [0, ['__unnamed_11bb']], }], 'tagSBDATA': [0x10, { 'posMax': [4, ['long']], 'posMin': [0, ['long']], 'page': [8, ['long']], 'pos': [12, ['long']], }], 'tagIMEINFO': [0x1c, { 'fdwProperty': [4, ['unsigned long']], 'fdwSelectCaps': [24, 
['unsigned long']], 'fdwUICaps': [16, ['unsigned long']], 'dwPrivateDataSize': [0, ['unsigned long']], 'fdwSCSCaps': [20, ['unsigned long']], 'fdwSentenceCaps': [12, ['unsigned long']], 'fdwConversionCaps': [8, ['unsigned long']], }], '_D3DKMDT_VIDPN_SOURCE_MODE': [0x28, { 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_RMT_UNINITIALIZED', 1: 'D3DKMDT_RMT_GRAPHICS', 2: 'D3DKMDT_RMT_TEXT'}}]], 'Id': [0, ['unsigned long']], 'Format': [8, ['__unnamed_17ff']], }], '_PROCMARKHEAD': [0x10, { 'h': [0, ['pointer', ['void']]], 'ppi': [12, ['pointer', ['tagPROCESSINFO']]], 'hTaskWow': [8, ['unsigned long']], 'cLockObj': [4, ['unsigned long']], }], 'tagKBDFILE': [0x5c, { 'head': [0, ['_HEAD']], 'awchDllName': [28, ['array', 32, ['wchar']]], 'pKbdTbl': [16, ['pointer', ['tagKbdLayer']]], 'pkfNext': [8, ['pointer', ['tagKBDFILE']]], 'pKbdNlsTbl': [24, ['pointer', ['tagKbdNlsLayer']]], 'hBase': [12, ['pointer', ['void']]], 'Size': [20, ['unsigned long']], }], 'tagCLIENTINFO': [0x8c, { 'msgDbcsCB': [108, ['tagMSG']], 'dwCompatFlags': [12, ['unsigned long']], 'achDbcsCF': [106, ['array', 2, ['unsigned char']]], 'dwTIFlags': [20, ['unsigned long']], 'pClientThreadInfo': [60, ['pointer', ['tagCLIENTTHREADINFO']]], 'CodePage': [104, ['unsigned short']], 'dwKeyCache': [68, ['unsigned long']], 'dwHookCurrent': [52, ['unsigned long']], 'afAsyncKeyStateRecentDown': [92, ['array', 8, ['unsigned char']]], 'dwCompatFlags2': [16, ['unsigned long']], 'fsHooks': [36, ['unsigned long']], 'ulClientDelta': [28, ['unsigned long']], 'pDeskInfo': [24, ['pointer', ['tagDESKTOPINFO']]], 'dwExpWinVer': [8, ['unsigned long']], 'dwHookData': [64, ['unsigned long']], 'afAsyncKeyState': [84, ['array', 8, ['unsigned char']]], 'CallbackWnd': [40, ['_CALLBACKWND']], 'lpdwRegisteredClasses': [136, ['pointer', ['unsigned long']]], 'cInDDEMLCallback': [56, ['long']], 'cSpins': [4, ['unsigned long']], 'hKL': [100, ['pointer', ['HKL__']]], 'dwAsyncKeyCache': [80, ['unsigned long']], 
'afKeyState': [72, ['array', 8, ['unsigned char']]], 'CI_flags': [0, ['unsigned long']], 'phkCurrent': [32, ['pointer', ['tagHOOK']]], }], 'tagCLS': [0x5c, { 'spcur': [72, ['pointer', ['tagCURSOR']]], 'cbwndExtra': [60, ['long']], 'pclsClone': [40, ['pointer', ['tagCLS']]], 'lpszClientAnsiMenuName': [24, ['pointer', ['unsigned char']]], 'pclsBase': [36, ['pointer', ['tagCLS']]], 'atomNVClassName': [6, ['unsigned short']], 'style': [48, ['unsigned long']], 'pclsNext': [0, ['pointer', ['tagCLS']]], 'CSF_flags': [22, ['unsigned short']], 'lpfnWndProc': [52, ['pointer', ['void']]], 'lpszAnsiClassName': [84, ['pointer', ['unsigned char']]], 'spcpdFirst': [32, ['pointer', ['_CALLPROCDATA']]], 'lpszClientUnicodeMenuName': [28, ['pointer', ['unsigned short']]], 'cbclsExtra': [56, ['long']], 'lpszMenuName': [80, ['pointer', ['unsigned short']]], 'spicnSm': [88, ['pointer', ['tagCURSOR']]], 'hTaskWow': [20, ['unsigned short']], 'cWndReferenceCount': [44, ['long']], 'hbrBackground': [76, ['pointer', ['HBRUSH__']]], 'spicn': [68, ['pointer', ['tagCURSOR']]], 'fnid': [8, ['unsigned short']], 'pdce': [16, ['pointer', ['tagDCE']]], 'hModule': [64, ['pointer', ['void']]], 'rpdeskParent': [12, ['pointer', ['tagDESKTOP']]], 'atomClassName': [4, ['unsigned short']], }], '_DMM_VIDPN_SERIALIZATION': [0xc, { 'PathsFromSourceSerializationOffsets': [8, ['array', 1, ['unsigned long']]], 'NumActiveSources': [4, ['unsigned char']], 'Size': [0, ['unsigned long']], }], 'tagHID_PAGEONLY_REQUEST': [0x10, { 'usUsagePage': [8, ['unsigned short']], 'link': [0, ['_LIST_ENTRY']], 'cRefCount': [12, ['unsigned long']], }], 'tagWINDOWSTATION': [0x58, { 'pClipBase': [44, ['pointer', ['tagCLIP']]], 'dwSessionId': [0, ['unsigned long']], 'cNumClipFormats': [48, ['unsigned long']], 'luidUser': [76, ['_LUID']], 'pGlobalAtomTable': [64, ['pointer', ['void']]], 'ptiClipLock': [24, ['pointer', ['tagTHREADINFO']]], 'dwWSF_Flags': [16, ['unsigned long']], 'rpdeskList': [8, ['pointer', ['tagDESKTOP']]], 
'spklList': [20, ['pointer', ['tagKL']]], 'spwndClipOpen': [32, ['pointer', ['tagWND']]], 'luidEndSession': [68, ['_LUID']], 'pTerm': [12, ['pointer', ['tagTERMINAL']]], 'rpwinstaNext': [4, ['pointer', ['tagWINDOWSTATION']]], 'spwndClipboardListener': [60, ['pointer', ['tagWND']]], 'spwndClipViewer': [36, ['pointer', ['tagWND']]], 'iClipSequenceNumber': [56, ['unsigned long']], 'ptiDrawingClipboard': [28, ['pointer', ['tagTHREADINFO']]], 'spwndClipOwner': [40, ['pointer', ['tagWND']]], 'psidUser': [84, ['pointer', ['void']]], 'iClipSerialNumber': [52, ['unsigned long']], }], '__unnamed_11e4': [0x10, { 'Type3InputBuffer': [12, ['pointer', ['void']]], 'OutputBufferLength': [0, ['unsigned long']], 'IoControlCode': [8, ['unsigned long']], 'InputBufferLength': [4, ['unsigned long']], }], '__unnamed_11e2': [0x10, { 'Length': [0, ['pointer', ['_LARGE_INTEGER']]], 'ByteOffset': [8, ['_LARGE_INTEGER']], 'Key': [4, ['unsigned long']], }], '__unnamed_11e8': [0x8, { 'SecurityInformation': [0, ['unsigned long']], 'SecurityDescriptor': [4, ['pointer', ['void']]], }], 'tagPROFILEVALUEINFO': [0xc, { 'dwValue': [0, ['unsigned long']], 'uSection': [4, ['unsigned long']], 'pwszKeyName': [8, ['pointer', ['wchar']]], }], '__unnamed_11ec': [0x8, { 'DeviceObject': [4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb': [0, ['pointer', ['_VPB']]], }], '__unnamed_1633': [0x8, { 'ActiveSize': [0, ['_D3DKMDT_2DREGION']], 'MaxPixelRate': [0, ['unsigned long']], }], '_DMM_MONITOR_SERIALIZATION': [0x28, { 'FrequencyRangeSetOffset': [28, ['unsigned long']], 'ModePruningAlgorithm': [16, ['Enumeration', {'target': 'long', 'choices': {0: 'DMM_MPA_UNINITIALIZED', 1: 'DMM_MPA_GDI', 2: 'DMM_MPA_VISTA', 3: 'DMM_MPA_MAXVALID'}}]], 'VideoPresentTargetId': [4, ['unsigned long']], 'IsSimulatedMonitor': [12, ['unsigned char']], 'SourceModeSetOffset': [24, ['unsigned long']], 'Orientation': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MO_UNINITIALIZED', 1: 'D3DKMDT_MO_0DEG', 2: 'D3DKMDT_MO_90DEG', 3: 
'D3DKMDT_MO_180DEG', 4: 'D3DKMDT_MO_270DEG'}}]], 'DescriptorSetOffset': [32, ['unsigned long']], 'MonitorPowerState': [20, ['Enumeration', {'target': 'long', 'choices': {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'}}]], 'IsUsingDefaultProfile': [13, ['unsigned char']], 'MonitorType': [36, ['Enumeration', {'target': 'long', 'choices': {0: 'DMM_VMT_UNINITIALIZED', 1: 'DMM_VMT_PHYSICAL_MONITOR', 2: 'DMM_VMT_BOOT_PERSISTENT_MONITOR', 3: 'DMM_VMT_PERSISTENT_MONITOR', 4: 'DMM_VMT_TEMPORARY_MONITOR', 5: 'DMM_VMT_SIMULATED_MONITOR'}}]], 'Size': [0, ['unsigned long']], }], '_WNDMSG': [0x8, { 'abMsgs': [4, ['pointer', ['unsigned char']]], 'maxMsgs': [0, ['unsigned long']], }], 'tagTDB': [0x18, { 'pti': [12, ['pointer', ['tagTHREADINFO']]], 'TDB_Flags': [22, ['unsigned short']], 'hTaskWow': [20, ['unsigned short']], 'pwti': [16, ['pointer', ['tagWOWTHREADINFO']]], 'nEvents': [4, ['long']], 'nPriority': [8, ['long']], 'ptdbNext': [0, ['pointer', ['tagTDB']]], }], '_LIGATURE1': [0x6, { 'wch': [4, ['array', 1, ['wchar']]], 'VirtualKey': [0, ['unsigned char']], 'ModificationNumber': [2, ['unsigned short']], }], '_D3DKMDT_VIDPN_PRESENT_PATH': [0x15c, { 'GammaRamp': [336, ['_D3DKMDT_GAMMA_RAMP']], 'VidPnSourceId': [0, ['unsigned long']], 'Content': [64, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPC_UNINITIALIZED', 1: 'D3DKMDT_VPPC_GRAPHICS', 2: 'D3DKMDT_VPPC_VIDEO', 255: 'D3DKMDT_VPPC_NOTSPECIFIED'}}]], 'VisibleFromActiveBROffset': [36, ['_D3DKMDT_2DREGION']], 'VidPnTargetColorBasis': [44, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_CB_UNINITIALIZED', 1: 'D3DKMDT_CB_INTENSITY', 2: 'D3DKMDT_CB_SRGB', 3: 'D3DKMDT_CB_SCRGB', 4: 'D3DKMDT_CB_YCBCR', 5: 'D3DKMDT_CB_MAXVALID'}}]], 'ContentTransformation': [12, ['_D3DKMDT_VIDPN_PRESENT_PATH_TRANSFORMATION']], 'VidPnTargetId': [4, ['unsigned long']], 'VisibleFromActiveTLOffset': [28, ['_D3DKMDT_2DREGION']], 
'CopyProtection': [68, ['_D3DKMDT_VIDPN_PRESENT_PATH_COPYPROTECTION']], 'VidPnTargetColorCoeffDynamicRanges': [48, ['_D3DKMDT_COLOR_COEFF_DYNAMIC_RANGES']], 'ImportanceOrdinal': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VPPI_UNINITIALIZED', 1: 'D3DKMDT_VPPI_PRIMARY', 2: 'D3DKMDT_VPPI_SECONDARY', 3: 'D3DKMDT_VPPI_TERTIARY', 4: 'D3DKMDT_VPPI_QUATERNARY', 5: 'D3DKMDT_VPPI_QUINARY', 6: 'D3DKMDT_VPPI_SENARY', 7: 'D3DKMDT_VPPI_SEPTENARY', 8: 'D3DKMDT_VPPI_OCTONARY', 9: 'D3DKMDT_VPPI_NONARY', 10: 'D3DKMDT_VPPI_DENARY', 32: 'D3DKMDT_VPPI_MAX', 255: 'D3DKMDT_VPPI_NOTSPECIFIED'}}]], }], '_PROCDESKHEAD': [0x14, { 'h': [0, ['pointer', ['void']]], 'pSelf': [16, ['pointer', ['unsigned char']]], 'rpdesk': [12, ['pointer', ['tagDESKTOP']]], 'hTaskWow': [8, ['unsigned long']], 'cLockObj': [4, ['unsigned long']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_ROTATION_SUPPORT': [0x4, { 'Rotate270': [0, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'Rotate90': [0, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'Identity': [0, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'Rotate180': [0, ['BitField', {'end_bit': 3, 'start_bit': 2}]], }], '_CONSOLE_CARET_INFO': [0x14, { 'hwnd': [0, ['pointer', ['HWND__']]], 'rc': [4, ['tagRECT']], }], 'tagPROCESSINFO': [0x1b0, { 'fHasMagContext': [412, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'hwinsta': [324, ['pointer', ['HWINSTA__']]], 'ptiList': [144, ['pointer', ['tagTHREADINFO']]], 'pHidTable': [420, ['pointer', ['tagPROCESS_HID_TABLE']]], 'W32PF_Flags': [8, ['unsigned long']], 'UserHandleCount': [44, ['long']], 'dwhmodLibLoadedMask': [188, ['unsigned long']], 'GDIBrushAttrFreeList': [120, ['_LIST_ENTRY']], 'hdeskStartup': [180, ['pointer', ['HDESK__']]], 'dwImeCompatFlags': [372, ['unsigned long']], 'dwRegisteredClasses': [424, ['unsigned long']], 'pBrushAttrList': [28, ['pointer', ['void']]], 'usi': [384, ['tagUSERSTARTUPINFO']], 'InputIdleEvent': [12, ['pointer', ['_KEVENT']]], 'W32Pid': [32, ['unsigned long']], 'bmHandleFlags': 
[348, ['_RTL_BITMAP']], 'UserHandleCountPeak': [48, ['unsigned long']], 'GDIEngUserMemAllocTable': [56, ['_RTL_AVL_TABLE']], 'cSysExpunge': [184, ['unsigned long']], 'pdvList': [340, ['pointer', ['tagDESKTOPVIEW']]], 'pwpi': [164, ['pointer', ['tagWOWPROCESSINFO']]], 'ppiNextRunning': [172, ['pointer', ['tagPROCESSINFO']]], 'Process': [0, ['pointer', ['_EPROCESS']]], 'pCursorCache': [356, ['pointer', ['tagCURSOR']]], 'pClientBase': [360, ['pointer', ['void']]], 'dwLpkEntryPoints': [364, ['unsigned long']], 'GDIDcAttrFreeList': [112, ['_LIST_ENTRY']], 'DxProcess': [140, ['pointer', ['void']]], 'NextStart': [20, ['pointer', ['_W32PROCESS']]], 'RefCount': [4, ['unsigned long']], 'dwLayout': [416, ['unsigned long']], 'pclsPublicList': [160, ['pointer', ['tagCLS']]], 'Unused': [412, ['BitField', {'end_bit': 32, 'start_bit': 1}]], 'GDIPushLock': [52, ['_EX_PUSH_LOCK']], 'hMonitor': [336, ['pointer', ['HMONITOR__']]], 'ptiMainThread': [148, ['pointer', ['tagTHREADINFO']]], 'pvwplWndGCList': [428, ['pointer', ['VWPL']]], 'pW32Job': [368, ['pointer', ['tagW32JOB']]], 'luidSession': [376, ['_LUID']], 'GDIHandleCount': [36, ['long']], 'cThreads': [176, ['unsigned long']], 'rpdeskStartup': [152, ['pointer', ['tagDESKTOP']]], 'hSecureGdiSharedHandleTable': [136, ['pointer', ['void']]], 'pclsPrivateList': [156, ['pointer', ['tagCLS']]], 'GDIHandleCountPeak': [40, ['unsigned long']], 'StartCursorHideTime': [16, ['unsigned long']], 'ppiNext': [168, ['pointer', ['tagPROCESSINFO']]], 'Flags': [412, ['unsigned long']], 'dwHotkey': [332, ['unsigned long']], 'amwinsta': [328, ['unsigned long']], 'rpwinsta': [320, ['pointer', ['tagWINDOWSTATION']]], 'ahmodLibLoaded': [192, ['array', 32, ['pointer', ['void']]]], 'iClipSerialNumber': [344, ['unsigned long']], 'GDIW32PIDLockedBitmaps': [128, ['_LIST_ENTRY']], 'pDCAttrList': [24, ['pointer', ['void']]], }], '_DMM_COMMITVIDPNREQUEST_SERIALIZATION': [0x1c, { 'RequestDiagInfo': [4, ['_DMM_COMMITVIDPNREQUEST_DIAGINFO']], 
'AffectedVidPnSourceId': [0, ['unsigned long']], 'VidPnSerialization': [16, ['_DMM_VIDPN_SERIALIZATION']], }], 'tagKbdLayer': [0x3c, { 'pVkToWcharTable': [4, ['pointer', ['_VK_TO_WCHAR_TABLE']]], 'pusVSCtoVK': [24, ['pointer', ['unsigned short']]], 'fLocaleFlags': [40, ['unsigned long']], 'pKeyNamesExt': [16, ['pointer', ['VSC_LPWSTR']]], 'dwSubType': [56, ['unsigned long']], 'pDeadKey': [8, ['pointer', ['DEADKEY']]], 'pCharModifiers': [0, ['pointer', ['MODIFIERS']]], 'pKeyNamesDead': [20, ['pointer', ['pointer', ['unsigned short']]]], 'bMaxVSCtoVK': [28, ['unsigned char']], 'pKeyNames': [12, ['pointer', ['VSC_LPWSTR']]], 'dwType': [52, ['unsigned long']], 'pLigature': [48, ['pointer', ['_LIGATURE1']]], 'nLgMax': [44, ['unsigned char']], 'pVSCtoVK_E1': [36, ['pointer', ['_VSC_VK']]], 'pVSCtoVK_E0': [32, ['pointer', ['_VSC_VK']]], 'cbLgEntry': [45, ['unsigned char']], }], 'HDC__': [0x4, { 'unused': [0, ['long']], }], 'tagWin32AllocStats': [0x14, { 'dwMaxAlloc': [8, ['unsigned long']], 'pHead': [16, ['pointer', ['tagWin32PoolHead']]], 'dwMaxMem': [0, ['unsigned long']], 'dwCrtMem': [4, ['unsigned long']], 'dwCrtAlloc': [12, ['unsigned long']], }], '_D3DKMDT_VIDPN_PRESENT_PATH_SCALING_SUPPORT': [0x4, { 'Centered': [0, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'AspectRatioCenteredMax': [0, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'Stretched': [0, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'Identity': [0, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'Custom': [0, ['BitField', {'end_bit': 5, 'start_bit': 4}]], }], 'tagMSG': [0x1c, { 'wParam': [8, ['unsigned long']], 'lParam': [12, ['long']], 'pt': [20, ['tagPOINT']], 'hwnd': [0, ['pointer', ['HWND__']]], 'time': [16, ['unsigned long']], 'message': [4, ['unsigned long']], }], '__unnamed_11a5': [0x4, { 'IrpCount': [0, ['long']], 'SystemBuffer': [0, ['pointer', ['void']]], 'MasterIrp': [0, ['pointer', ['_IRP']]], }], '_DMM_VIDPNSET_SERIALIZATION': [0x8, { 'VidPnOffset': [4, ['array', 1, ['unsigned long']]], 
'NumVidPns': [0, ['unsigned char']], }], 'tagWOWPROCESSINFO': [0x28, { 'ptdbHead': [8, ['pointer', ['tagTDB']]], 'lpfnWowExitTask': [12, ['pointer', ['void']]], 'CSOwningThread': [32, ['pointer', ['tagTHREADINFO']]], 'ptiScheduled': [4, ['pointer', ['tagTHREADINFO']]], 'nSendLock': [24, ['unsigned long']], 'nRecvLock': [28, ['unsigned long']], 'CSLockCount': [36, ['long']], 'hEventWowExecClient': [20, ['pointer', ['void']]], 'pwpiNext': [0, ['pointer', ['tagWOWPROCESSINFO']]], 'pEventWowExec': [16, ['pointer', ['_KEVENT']]], }], '__unnamed_177b': [0xc, { 'Data': [0, ['array', 3, ['unsigned long']]], }], 'tagMENU': [0x6c, { 'iItem': [24, ['long']], 'head': [0, ['_PROCDESKHEAD']], 'umpm': [88, ['tagUAHMENUPOPUPMETRICS']], 'cItems': [32, ['unsigned long']], 'pParentMenus': [56, ['pointer', ['tagMENULIST']]], 'fFlags': [20, ['unsigned long']], 'cxMenu': [36, ['unsigned long']], 'dwContextHelpId': [60, ['unsigned long']], 'hbrBack': [72, ['pointer', ['HBRUSH__']]], 'cxTextAlign': [44, ['unsigned long']], 'cAlloced': [28, ['unsigned long']], 'spwndNotify': [48, ['pointer', ['tagWND']]], 'dwArrowsOn': [84, ['BitField', {'end_bit': 2, 'start_bit': 0}]], 'iMaxTop': [80, ['long']], 'dwMenuData': [68, ['unsigned long']], 'cyMenu': [40, ['unsigned long']], 'rgItems': [52, ['pointer', ['tagITEM']]], 'iTop': [76, ['long']], 'cyMax': [64, ['unsigned long']], }], '__unnamed_177f': [0xc, { 'DataSize': [0, ['unsigned long']], 'Reserved1': [4, ['unsigned long']], 'Reserved2': [8, ['unsigned long']], }], '__unnamed_177d': [0xc, { 'Start': [0, ['unsigned long']], 'Length': [4, ['unsigned long']], 'Reserved': [8, ['unsigned long']], }], 'tagPOPUPMENU': [0x30, { 'fUseMonitorRect': [0, ['BitField', {'end_bit': 29, 'start_bit': 28}]], 'fDroppedLeft': [0, ['BitField', {'end_bit': 5, 'start_bit': 4}]], 'fHierarchyDropped': [0, ['BitField', {'end_bit': 6, 'start_bit': 5}]], 'posDropped': [44, ['unsigned long']], 'spwndNextPopup': [12, ['pointer', ['tagWND']]], 'fIsMenuBar': [0, ['BitField', 
{'end_bit': 1, 'start_bit': 0}]], 'spwndPrevPopup': [16, ['pointer', ['tagWND']]], 'fHasMenuBar': [0, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'spwndActivePopup': [28, ['pointer', ['tagWND']]], 'fTrackMouseEvent': [0, ['BitField', {'end_bit': 21, 'start_bit': 20}]], 'fNoNotify': [0, ['BitField', {'end_bit': 12, 'start_bit': 11}]], 'posSelectedItem': [40, ['unsigned long']], 'fIsSysMenu': [0, ['BitField', {'end_bit': 3, 'start_bit': 2}]], 'fFlushDelayedFree': [0, ['BitField', {'end_bit': 18, 'start_bit': 17}]], 'ppmDelayedFree': [36, ['pointer', ['tagPOPUPMENU']]], 'fFreed': [0, ['BitField', {'end_bit': 19, 'start_bit': 18}]], 'fSynchronous': [0, ['BitField', {'end_bit': 9, 'start_bit': 8}]], 'fDropNextPopup': [0, ['BitField', {'end_bit': 11, 'start_bit': 10}]], 'fRightButton': [0, ['BitField', {'end_bit': 7, 'start_bit': 6}]], 'spmenuAlternate': [24, ['pointer', ['tagMENU']]], 'spmenu': [20, ['pointer', ['tagMENU']]], 'spwndPopupMenu': [8, ['pointer', ['tagWND']]], 'fDestroyed': [0, ['BitField', {'end_bit': 16, 'start_bit': 15}]], 'iDropDir': [0, ['BitField', {'end_bit': 28, 'start_bit': 23}]], 'ppopupmenuRoot': [32, ['pointer', ['tagPOPUPMENU']]], 'fFirstClick': [0, ['BitField', {'end_bit': 10, 'start_bit': 9}]], 'spwndNotify': [4, ['pointer', ['tagWND']]], 'fRtoL': [0, ['BitField', {'end_bit': 23, 'start_bit': 22}]], 'fIsTrackPopup': [0, ['BitField', {'end_bit': 4, 'start_bit': 3}]], 'fSendUninit': [0, ['BitField', {'end_bit': 22, 'start_bit': 21}]], 'fShowTimer': [0, ['BitField', {'end_bit': 14, 'start_bit': 13}]], 'fInCancel': [0, ['BitField', {'end_bit': 20, 'start_bit': 19}]], 'fToggle': [0, ['BitField', {'end_bit': 8, 'start_bit': 7}]], 'fDelayedFree': [0, ['BitField', {'end_bit': 17, 'start_bit': 16}]], 'fHideTimer': [0, ['BitField', {'end_bit': 15, 'start_bit': 14}]], 'fAboutToHide': [0, ['BitField', {'end_bit': 13, 'start_bit': 12}]], }], '_DMM_MONITORDESCRIPTOR_SERIALIZATION': [0x8c, { 'Origin': [8, ['Enumeration', {'target': 'long', 'choices': {0: 
'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'Data': [12, ['array', 128, ['unsigned char']]], 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MDT_UNINITIALIZED', 1: 'D3DKMDT_MDT_VESA_EDID_V1_BASEBLOCK', 2: 'D3DKMDT_MDT_VESA_EDID_V1_BLOCKMAP', 255: 'D3DKMDT_MDT_OTHER'}}]], 'Id': [0, ['unsigned long']], }], '__unnamed_1779': [0xc, { 'Reserved1': [8, ['unsigned long']], 'Port': [4, ['unsigned long']], 'Channel': [0, ['unsigned long']], }], 'HTOUCHINPUT__': [0x4, { 'unused': [0, ['long']], }], '__unnamed_1773': [0xc, { 'Affinity': [8, ['unsigned long']], 'Vector': [4, ['unsigned long']], 'Group': [2, ['unsigned short']], 'Level': [0, ['unsigned short']], }], '_VK_VALUES_STRINGS': [0x8, { 'fReserved': [4, ['unsigned char']], 'pszMultiNames': [0, ['pointer', ['unsigned char']]], }], '__unnamed_1771': [0xc, { 'Start': [0, ['_LARGE_INTEGER']], 'Length': [8, ['unsigned long']], }], '_DMM_MONITOR_SOURCE_MODE_SERIALIZATION': [0x50, { 'Info': [0, ['_D3DKMDT_MONITOR_SOURCE_MODE']], 'TimingType': [76, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MTT_UNINITIALIZED', 1: 'D3DKMDT_MTT_ESTABLISHED', 2: 'D3DKMDT_MTT_STANDARD', 3: 'D3DKMDT_MTT_EXTRASTANDARD', 4: 'D3DKMDT_MTT_DETAILED', 5: 'D3DKMDT_MTT_DEFAULTMONITORPROFILE', 6: 'D3DKMDT_MTT_MAXVALID'}}]], }], '__unnamed_1775': [0xc, { 'Affinity': [8, ['unsigned long']], 'Vector': [4, ['unsigned long']], 'Group': [0, ['unsigned short']], 'MessageCount': [2, ['unsigned short']], }], '__unnamed_11ac': [0x8, { 'AsynchronousParameters': [0, ['__unnamed_11aa']], 'AllocationSize': [0, ['_LARGE_INTEGER']], }], '__unnamed_11aa': [0x8, { 'UserApcContext': [4, ['pointer', ['void']]], 'UserApcRoutine': [0, ['pointer', ['void']]], 'IssuingProcess': [0, ['pointer', ['void']]], }], 'tagSBCALC': [0x40, { 'posMax': [4, 
['long']], 'pxThumbTop': [52, ['long']], 'pxThumbBottom': [48, ['long']], 'cpxThumb': [32, ['long']], 'pxMin': [60, ['long']], 'pxStart': [44, ['long']], 'pxDownArrow': [40, ['long']], 'pos': [12, ['long']], 'cpx': [56, ['long']], 'pxBottom': [20, ['long']], 'pxTop': [16, ['long']], 'pxLeft': [24, ['long']], 'pxRight': [28, ['long']], 'pxUpArrow': [36, ['long']], 'posMin': [0, ['long']], 'page': [8, ['long']], }], 'HIMC__': [0x4, { 'unused': [0, ['long']], }], 'tagSBINFO': [0x24, { 'WSBflags': [0, ['long']], 'Horz': [4, ['tagSBDATA']], 'Vert': [20, ['tagSBDATA']], }], '__unnamed_1213': [0x8, { 'Type': [4, ['Enumeration', {'target': 'long', 'choices': {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'}}]], 'Reserved': [1, ['array', 3, ['unsigned char']]], 'InPath': [0, ['unsigned char']], }], 'tagITEM': [0x6c, { 'ulX': [56, ['unsigned long']], 'wID': [8, ['unsigned long']], 'dwItemData': [32, ['unsigned long']], 'cyItem': [48, ['unsigned long']], 'hbmpChecked': [16, ['pointer', ['void']]], 'xItem': [36, ['unsigned long']], 'spSubMenu': [12, ['pointer', ['tagMENU']]], 'hbmpUnchecked': [20, ['pointer', ['void']]], 'fState': [4, ['unsigned long']], 'dxTab': [52, ['unsigned long']], 'hbmp': [64, ['pointer', ['HBITMAP__']]], 'yItem': [40, ['unsigned long']], 'fType': [0, ['unsigned long']], 'umim': [76, ['tagUAHMENUITEMMETRICS']], 'cch': [28, ['unsigned long']], 'ulWidth': [60, ['unsigned long']], 'cyBmp': [72, ['long']], 'cxBmp': [68, ['long']], 'lpstr': [24, ['pointer', ['unsigned short']]], 'cxItem': [44, ['unsigned long']], }], '__unnamed_11d9': [0x10, { 'FileInformationClass': [4, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 
'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], 'AdvanceOnly': [13, ['unsigned char']], 'ClusterCount': [12, ['unsigned long']], 'Length': [0, ['unsigned long']], 'DeleteHandle': [12, ['pointer', ['void']]], 'ReplaceIfExists': [12, ['unsigned char']], 'FileObject': [8, ['pointer', ['_FILE_OBJECT']]], }], '_VSC_VK': [0x4, { 'Vsc': [0, ['unsigned char']], 'Vk': [2, ['unsigned short']], }], '_VK_TO_WCHARS1': [0x4, { 'Attributes': [1, ['unsigned char']], 
'VirtualKey': [0, ['unsigned char']], 'wch': [2, ['array', 1, ['wchar']]], }], '__unnamed_121b': [0x4, { 'PowerSequence': [0, ['pointer', ['_POWER_SEQUENCE']]], }], '_DMM_MONITORFREQUENCYRANGESET_SERIALIZATION': [0x34, { 'NumFrequencyRanges': [0, ['unsigned char']], 'FrequencyRangeSerialization': [4, ['array', 1, ['_D3DKMDT_MONITOR_FREQUENCY_RANGE']]], }], '_D3DKMDT_GAMMA_RAMP': [0xc, { 'Data': [8, ['__unnamed_179f']], 'DataSize': [4, ['unsigned long']], 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDI_GAMMARAMP_UNINITIALIZED', 1: 'D3DDDI_GAMMARAMP_DEFAULT', 2: 'D3DDDI_GAMMARAMP_RGB256x3x16', 3: 'D3DDDI_GAMMARAMP_DXGI_1'}}]], }], '_W32PROCESS': [0x90, { 'GDIPushLock': [52, ['_EX_PUSH_LOCK']], 'DxProcess': [140, ['pointer', ['void']]], 'pBrushAttrList': [28, ['pointer', ['void']]], 'Process': [0, ['pointer', ['_EPROCESS']]], 'NextStart': [20, ['pointer', ['_W32PROCESS']]], 'GDIW32PIDLockedBitmaps': [128, ['_LIST_ENTRY']], 'RefCount': [4, ['unsigned long']], 'StartCursorHideTime': [16, ['unsigned long']], 'GDIBrushAttrFreeList': [120, ['_LIST_ENTRY']], 'InputIdleEvent': [12, ['pointer', ['_KEVENT']]], 'W32PF_Flags': [8, ['unsigned long']], 'GDIHandleCount': [36, ['long']], 'hSecureGdiSharedHandleTable': [136, ['pointer', ['void']]], 'UserHandleCountPeak': [48, ['unsigned long']], 'W32Pid': [32, ['unsigned long']], 'UserHandleCount': [44, ['long']], 'pDCAttrList': [24, ['pointer', ['void']]], 'GDIEngUserMemAllocTable': [56, ['_RTL_AVL_TABLE']], 'GDIHandleCountPeak': [40, ['unsigned long']], 'GDIDcAttrFreeList': [112, ['_LIST_ENTRY']], }], 'tagSERVERINFO': [0xffc, { 'uiShellMsg': [520, ['unsigned long']], 'atomSysClass': [460, ['array', 25, ['unsigned short']]], 'dtScroll': [2276, ['unsigned long']], 'dwKeyCache': [2404, ['unsigned long']], 'atomIconSmProp': [964, ['unsigned short']], 'argbSystemUnmatched': [1876, ['array', 31, ['unsigned long']]], 'atomContextHelpIdProp': [968, ['unsigned short']], 'cySysFontChar': [2308, ['long']], 
'mpFnid_serverCBWndProc': [164, ['array', 31, ['unsigned short']]], 'PUSIFlags': [3928, ['unsigned long']], 'dtLBSearch': [2280, ['unsigned long']], 'tmSysFont': [2312, ['tagTEXTMETRICW']], 'ahbrSystem': [2124, ['array', 31, ['pointer', ['HBRUSH__']]]], 'dwDefaultHeapSize': [516, ['unsigned long']], 'dwSRVIFlags': [0, ['unsigned long']], 'BitsPixel': [3925, ['unsigned char']], 'wMaxLeftOverlapChars': [2296, ['long']], 'dwLastSystemRITEventTickCountUpdate': [3940, ['unsigned long']], 'dpiSystem': [2372, ['tagDPISERVERINFO']], 'hIcoWindows': [2400, ['pointer', ['HICON__']]], 'dwAsyncKeyCache': [2408, ['unsigned long']], 'dwTagCount': [4084, ['unsigned long']], 'adwDBGTAGFlags': [3944, ['array', 35, ['unsigned long']]], 'aiSysMet': [1488, ['array', 97, ['long']]], 'acAnsiToOem': [1228, ['array', 256, ['unsigned char']]], 'aStoCidPfn': [136, ['array', 7, ['pointer', ['void']]]], 'dwLastRITEventTickCount': [2268, ['unsigned long']], 'cbHandleTable': [456, ['unsigned long']], 'atomFrostedWindowProp': [970, ['unsigned short']], 'ucWheelScrollLines': [2288, ['unsigned long']], 'ptCursorReal': [2260, ['tagPOINT']], 'ucWheelScrollChars': [2292, ['unsigned long']], 'acOemToAnsi': [972, ['array', 256, ['unsigned char']]], 'hbrGray': [2248, ['pointer', ['HBRUSH__']]], 'BitCount': [3920, ['unsigned short']], 'argbSystem': [2000, ['array', 31, ['unsigned long']]], 'dtCaretBlink': [2284, ['unsigned long']], 'dwInstalledEventHooks': [1484, ['unsigned long']], 'cxSysFontChar': [2304, ['long']], 'wMaxRightOverlapChars': [2300, ['long']], 'oembmi': [2416, ['array', 93, ['tagOEMBITMAPINFO']]], 'apfnClientWorker': [412, ['_PFNCLIENTWORKER']], 'dwDefaultHeapBase': [512, ['unsigned long']], 'apfnClientA': [228, ['_PFNCLIENT']], 'dmLogPixels': [3922, ['unsigned short']], 'nEvents': [2272, ['long']], 'atomIconProp': [966, ['unsigned short']], 'Planes': [3924, ['unsigned char']], 'apfnClientW': [320, ['_PFNCLIENT']], 'MBStrings': [524, ['array', 11, ['tagMBSTRING']]], 'UILangID': [3936, 
['unsigned short']], 'dwRIPFlags': [4088, ['unsigned long']], 'uCaretWidth': [3932, ['unsigned long']], 'cCaptures': [2412, ['unsigned long']], 'cHandleEntries': [4, ['unsigned long']], 'ptCursor': [2252, ['tagPOINT']], 'hIconSmWindows': [2396, ['pointer', ['HICON__']]], 'mpFnidPfn': [8, ['array', 32, ['pointer', ['void']]]], 'rcScreenReal': [3904, ['tagRECT']], }], '_D3DKMDT_VIDEO_SIGNAL_INFO': [0x2c, { 'VSyncFreq': [20, ['_D3DDDI_RATIONAL']], 'ActiveSize': [12, ['_D3DKMDT_2DREGION']], 'PixelRate': [36, ['unsigned long']], 'TotalSize': [4, ['_D3DKMDT_2DREGION']], 'VideoStandard': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_VSS_UNINITIALIZED', 1: 'D3DKMDT_VSS_VESA_DMT', 2: 'D3DKMDT_VSS_VESA_GTF', 3: 'D3DKMDT_VSS_VESA_CVT', 4: 'D3DKMDT_VSS_IBM', 5: 'D3DKMDT_VSS_APPLE', 6: 'D3DKMDT_VSS_NTSC_M', 7: 'D3DKMDT_VSS_NTSC_J', 8: 'D3DKMDT_VSS_NTSC_443', 9: 'D3DKMDT_VSS_PAL_B', 10: 'D3DKMDT_VSS_PAL_B1', 11: 'D3DKMDT_VSS_PAL_G', 12: 'D3DKMDT_VSS_PAL_H', 13: 'D3DKMDT_VSS_PAL_I', 14: 'D3DKMDT_VSS_PAL_D', 15: 'D3DKMDT_VSS_PAL_N', 16: 'D3DKMDT_VSS_PAL_NC', 17: 'D3DKMDT_VSS_SECAM_B', 18: 'D3DKMDT_VSS_SECAM_D', 19: 'D3DKMDT_VSS_SECAM_G', 20: 'D3DKMDT_VSS_SECAM_H', 21: 'D3DKMDT_VSS_SECAM_K', 22: 'D3DKMDT_VSS_SECAM_K1', 23: 'D3DKMDT_VSS_SECAM_L', 24: 'D3DKMDT_VSS_SECAM_L1', 25: 'D3DKMDT_VSS_EIA_861', 26: 'D3DKMDT_VSS_EIA_861A', 27: 'D3DKMDT_VSS_EIA_861B', 28: 'D3DKMDT_VSS_PAL_K', 29: 'D3DKMDT_VSS_PAL_K1', 30: 'D3DKMDT_VSS_PAL_L', 31: 'D3DKMDT_VSS_PAL_M', 255: 'D3DKMDT_VSS_OTHER'}}]], 'ScanLineOrdering': [40, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DDDI_VSSLO_UNINITIALIZED', 1: 'D3DDDI_VSSLO_PROGRESSIVE', 2: 'D3DDDI_VSSLO_INTERLACED_UPPERFIELDFIRST', 3: 'D3DDDI_VSSLO_INTERLACED_LOWERFIELDFIRST', 255: 'D3DDDI_VSSLO_OTHER'}}]], 'HSyncFreq': [28, ['_D3DDDI_RATIONAL']], }], '__unnamed_11dd': [0x8, { 'FsInformationClass': [4, ['Enumeration', {'target': 'long', 'choices': {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 
4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'}}]], 'Length': [0, ['unsigned long']], }], '__unnamed_11df': [0x10, { 'Type3InputBuffer': [12, ['pointer', ['void']]], 'OutputBufferLength': [0, ['unsigned long']], 'FsControlCode': [8, ['unsigned long']], 'InputBufferLength': [4, ['unsigned long']], }], 'D3DDDI_DXGI_RGB': [0xc, { 'Blue': [8, ['float']], 'Green': [4, ['float']], 'Red': [0, ['float']], }], '_MAGNIFICATION_INPUT_TRANSFORM': [0x2c, { 'rcScreen': [16, ['tagRECT']], 'magFactorX': [36, ['long']], 'magFactorY': [40, ['long']], 'ptiMagThreadInfo': [32, ['pointer', ['tagTHREADINFO']]], 'rcSource': [0, ['tagRECT']], }], '_D3DKMDT_MONITOR_FREQUENCY_RANGE': [0x30, { 'Origin': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MCO_UNINITIALIZED', 1: 'D3DKMDT_MCO_DEFAULTMONITORPROFILE', 2: 'D3DKMDT_MCO_MONITORDESCRIPTOR', 3: 'D3DKMDT_MCO_MONITORDESCRIPTOR_REGISTRYOVERRIDE', 4: 'D3DKMDT_MCO_SPECIFICCAP_REGISTRYOVERRIDE', 5: 'D3DKMDT_MCO_MAXVALID'}}]], 'ConstraintType': [36, ['Enumeration', {'target': 'long', 'choices': {0: 'D3DKMDT_MFRC_UNINITIALIZED', 1: 'D3DKMDT_MFRC_ACTIVESIZE', 2: 'D3DKMDT_MFRC_MAXPIXELRATE'}}]], 'RangeLimits': [4, ['_D3DKMDT_FREQUENCY_RANGE']], 'Constraint': [40, ['__unnamed_1633']], }], '_PFNCLIENTWORKER': [0x2c, { 'pfnComboBoxWndProc': [4, ['pointer', ['void']]], 'pfnMDIClientWndProc': [24, ['pointer', ['void']]], 'pfnDialogWndProc': [12, ['pointer', ['void']]], 'pfnStaticWndProc': [28, ['pointer', ['void']]], 'pfnCtfHookProc': [40, ['pointer', ['void']]], 'pfnButtonWndProc': [0, ['pointer', ['void']]], 'pfnImeWndProc': [32, ['pointer', ['void']]], 'pfnEditWndProc': [16, ['pointer', ['void']]], 'pfnListBoxWndProc': [20, ['pointer', ['void']]], 'pfnGhostWndProc': [36, ['pointer', ['void']]], 'pfnComboListBoxProc': [8, 
['pointer', ['void']]], }], '_D3DDDI_GAMMA_RAMP_DXGI_1': [0x3024, { 'GammaCurve': [24, ['array', 1025, ['D3DDDI_DXGI_RGB']]], 'Scale': [0, ['D3DDDI_DXGI_RGB']], 'Offset': [12, ['D3DDDI_DXGI_RGB']], }], '_DXGK_DIAG_HEADER': [0x30, { 'Index': [40, ['unsigned long']], 'ProcessName': [16, ['array', 16, ['unsigned char']]], 'LogTimestamp': [8, ['unsigned long long']], 'ThreadId': [32, ['unsigned long long']], 'Type': [0, ['Enumeration', {'target': 'long', 'choices': {0: 'DXGK_DIAG_TYPE_NONE', 1: 'DXGK_DIAG_TYPE_SDC', 2: 'DXGK_DIAG_TYPE_HPD', 3: 'DXGK_DIAG_TYPE_DC_ORIGIN', 4: 'DXGK_DIAG_TYPE_USER_CDS', 5: 'DXGK_DIAG_TYPE_DRV_CDS', 6: 'DXGK_DIAG_TYPE_CODE_POINT', 7: 'DXGK_DIAG_TYPE_QDC', 8: 'DXGK_DIAG_TYPE_MONITOR_MGR', 9: 'DXGK_DIAG_TYPE_CONNECTEDSET_NOT_FOUND', 10: 'DXGK_DIAG_TYPE_DISPDIAG_COLLECTED', 11: 'DXGK_DIAG_TYPE_BML_PACKET', 12: 'DXGK_DIAG_TYPE_BML_PACKET_EX', 13: 'DXGK_DIAG_TYPE_COMMIT_VIDPN_FAILED', 14: 'DXGK_DIAG_TYPE_MAX', -1: 'DXGK_DIAG_TYPE_FORCE_UINT32'}}]], 'WdLogIdx': [44, ['unsigned long']], 'Size': [4, ['unsigned long']], }], '_SM_VALUES_STRINGS': [0x10, { 'StorageType': [12, ['Enumeration', {'target': 'long', 'choices': {0: 'SmStorageActual', 1: 'SmStorageNonActual'}}]], 'pszName': [0, ['pointer', ['unsigned char']]], 'ulValue': [4, ['unsigned long']], 'RangeType': [8, ['Enumeration', {'target': 'long', 'choices': {0: 'SmRangeSharedInfo', 1: 'SmRangeNonSharedInfo', 2: 'SmRangeBool'}}]], }], 'tagTERMINAL': [0x20, { 'spwndDesktopOwner': [4, ['pointer', ['tagWND']]], 'dwTERMF_Flags': [0, ['unsigned long']], 'dwNestedLevel': [16, ['unsigned long']], 'pqDesktop': [12, ['pointer', ['tagQ']]], 'pEventInputReady': [28, ['pointer', ['_KEVENT']]], 'rpdeskDestroy': [24, ['pointer', ['tagDESKTOP']]], 'ptiDesktop': [8, ['pointer', ['tagTHREADINFO']]], 'pEventTermInit': [20, ['pointer', ['_KEVENT']]], }], 'tagMENULIST': [0x8, { 'pMenu': [4, ['pointer', ['tagMENU']]], 'pNext': [0, ['pointer', ['tagMENULIST']]], }], '__unnamed_11d5': [0x8, { 'CompletionFilter': [4, 
['unsigned long']], 'Length': [0, ['unsigned long']], }], '__unnamed_11d7': [0x8, { 'Length': [0, ['unsigned long']], 'FileInformationClass': [4, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 
'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], }], '__unnamed_11d3': [0x10, { 'Length': [0, ['unsigned long']], 'FileIndex': [12, ['unsigned long']], 'FileInformationClass': [8, ['Enumeration', {'target': 'long', 'choices': {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 
54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'}}]], 'FileName': [4, ['pointer', ['_UNICODE_STRING']]], }], 'tagPOINT': [0x8, { 'y': [4, ['long']], 'x': [0, ['long']], }], 'tagSHAREDINFO': [0x11c, { 'psi': [0, ['pointer', ['tagSERVERINFO']]], 'DefWindowSpecMsgs': [276, ['_WNDMSG']], 'awmControl': [20, ['array', 31, ['_WNDMSG']]], 'ulSharedDelta': [16, ['unsigned long']], 'pDispInfo': [12, ['pointer', ['tagDISPLAYINFO']]], 'aheList': [4, ['pointer', ['_HANDLEENTRY']]], 'DefWindowMsgs': [268, ['_WNDMSG']], 'HeEntrySize': [8, ['unsigned long']], }], 'tagIMC': [0x20, { 'dwClientImcData': [24, ['unsigned long']], 'head': [0, ['_THRDESKHEAD']], 'hImeWnd': [28, ['pointer', ['HWND__']]], 'pImcNext': [20, ['pointer', ['tagIMC']]], }], 'tagKL': [0x44, { 'uNumTbl': [48, ['unsigned long']], 'pklPrev': [12, ['pointer', ['tagKL']]], 'head': [0, ['_HEAD']], 'pklNext': [8, ['pointer', ['tagKL']]], 'spkfPrimary': [28, ['pointer', ['tagKBDFILE']]], 'dwFontSigs': [32, ['unsigned long']], 'dwLastKbdType': [56, ['unsigned long']], 'CodePage': [40, ['unsigned short']], 'dwKL_Flags': [16, ['unsigned long']], 'iBaseCharset': [36, ['unsigned long']], 'dwKLID': [64, ['unsigned long']], 'spkf': [24, ['pointer', ['tagKBDFILE']]], 'piiex': [44, ['pointer', ['tagIMEINFOEX']]], 'hkl': [20, ['pointer', ['HKL__']]], 'pspkfExtra': [52, ['pointer', ['pointer', ['tagKBDFILE']]]], 'wchDiacritic': [42, ['wchar']], 'dwLastKbdSubType': [60, ['unsigned long']], }], 'tagCARET': [0x38, { 'iHideLevel': [8, ['long']], 'yOwnDc': [44, ['long']], 'y': [16, ['long']], 'cy': [20, ['long']], 'cx': [24, ['long']], 'hBitmap': [28, ['pointer', ['HBITMAP__']]], 'cyOwnDc': [52, ['long']], 'fOn': [4, ['BitField', {'end_bit': 2, 'start_bit': 1}]], 'hTimer': [32, ['unsigned long']], 'xOwnDc': [40, ['long']], 'fVisible': [4, ['BitField', {'end_bit': 1, 'start_bit': 0}]], 'cxOwnDc': [48, ['long']], 'tid': [36, ['unsigned long']], 'x': [12, ['long']], 'spwnd': [0, 
['pointer', ['tagWND']]], }], } volatility-2.3.1/volatility/plugins/gui/__init__.py0000644000175000017500000000000012033140535022351 0ustar mikemike00000000000000volatility-2.3.1/volatility/plugins/gui/screenshot.py0000644000175000017500000000753112227253532023016 0ustar mikemike00000000000000# Volatility # Copyright (C) 2007-2013 Volatility Foundation # Copyright (C) 2010,2011,2012 Michael Hale Ligh # Copyright (C) 2009 Brendan Dolan-Gavitt # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
#

import os
import volatility.plugins.gui.windowstations as windowstations
import volatility.debug as debug

try:
    from PIL import Image, ImageDraw
    has_pil = True
except ImportError:
    has_pil = False

class Screenshot(windowstations.WndScan):
    """Save a pseudo-screenshot based on GDI windows"""

    def __init__(self, config, *args, **kwargs):
        windowstations.WndScan.__init__(self, config, *args, **kwargs)

        config.add_option("DUMP-DIR", short_option = 'D', type = "string",
                          help = "Output directory", action = "store")

    def draw_text(self, draw, text, left, top, fill = "Black"):
        """Label windows in the screen shot"""
        lines = text.split('\x0d\x0a')
        for line in lines:
            draw.text( (left, top), line, fill = fill)
            _, height = draw.textsize(line)
            top += height

    def render_text(self, outfd, data):

        if not has_pil:
            debug.error("Please install PIL")

        if not self._config.DUMP_DIR or not os.path.isdir(self._config.DUMP_DIR):
            debug.error("Please supply an existing --dump-dir")

        seen = []

        for window_station in data:
            for desktop in window_station.desktops():

                offset = desktop.PhysicalAddress
                if offset in seen:
                    continue
                seen.append(offset)

                # The foreground window
                win = desktop.DeskInfo.spwnd

                # Some desktops don't have any windows
                if not win:
                    debug.warning("{0}\{1}\{2} has no windows\n".format(
                        desktop.dwSessionId, window_station.Name, desktop.Name))
                    continue

                im = Image.new("RGB", (win.rcWindow.right + 1, win.rcWindow.bottom + 1), "White")
                draw = ImageDraw.Draw(im)

                # Traverse windows, visible only
                for win, _level in desktop.windows(
                                        win = win,
                                        filter = lambda x : 'WS_VISIBLE' in str(x.style)):
                    draw.rectangle(win.rcWindow.get_tup(), outline = "Black", fill = "White")
                    draw.rectangle(win.rcClient.get_tup(), outline = "Black", fill = "White")

                    ## Create labels for the windows
                    self.draw_text(draw, str(win.strName or ''), win.rcWindow.left + 2, win.rcWindow.top)

                file_name = "session_{0}.{1}.{2}.png".format(
                    desktop.dwSessionId,
                    window_station.Name, desktop.Name)

                file_name = os.path.join(self._config.DUMP_DIR, file_name)

                try:
                    im.save(file_name, "PNG")
                    result = "Wrote {0}".format(file_name)
                except SystemError, why:
                    result = why

                outfd.write("{0}\n".format(result))

volatility-2.3.1/volatility/plugins/gui/messagehooks.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj
import volatility.utils as utils
import volatility.plugins.gui.atoms as atoms
import volatility.plugins.gui.constants as consts
import volatility.plugins.gui.sessions as sessions

# Offsets to (_catomSysTableEntries, _aatomSysLoaded) in win32k.sys. We use
# this for translating the ihmod value into a fully-qualified DLL path name
# used by messagehooks and eventhooks plugins. If the values for your system
# aren't in the list, the plugins will still work, but the names of the Hook
# Module will not be available.
message_offsets_x86 = [
    (0x001ab0a0, 0x001ab060), # ? (shylock.dmp)
    (0x001aaea0, 0x001aae60), # 5.1.2600.6033 (XP SP3)
    (0x001ac640, 0x001ac600), # 5.1.2600.6149 (XP)
    (0x001a9400, 0x001a93c0), # 5.1.2600.5512 (XP SP3)
    (0x001a9220, 0x001a91e0), # 5.1.2600.3335 (XP SP2)
    (0x001a6f00, 0x001a6ec0), # 5.1.2600.2180 (XP SP2)
    (0x001a0338, 0x001a03c0), # ? (W2K3 SP0)
    (0x001b5600, 0x001b55c0), # 5.2.3790.4980 (W2K3 SP2)
    (0x001b1440, 0x001b1400), # 5.2.3790.1830 (W2K3 SP1)
    (0x001de0e0, 0x001de0a0), # 6.0.6000.16386 (Vista SP0)
    (0x001e01e0, 0x001e01a0), # 6.0.6002.18005 (Vista SP2)
    (0x001df0e0, 0x001df0a0), # 6.0.6001.18000 (W2K8 SP1)
    (0x00219800, 0x002197C0), # 6.1.7600.16385 (Win 7 SP0)
    (0x0021e800, 0x0021e7c0), # 6.1.7600.16988 (Win 7 SP0)
    (0x0021a900, 0x0021a8c0), # 6.1.7601.17514 (Win 7 SP1)
]

message_offsets_x64 = [
    (0x003b3880, 0x003b3840), # 5.2.3790.1830 (W2K3 SP1 / XP SP1)
    (0x003b4880, 0x003b4840), # 5.2.3790.3959 (W2K3 SP2 / XP SP2)
    (0x0028ba20, 0x0028b9e0), # 6.0.6000.16386 (Vista SP0)
    (0x00288a20, 0x002889e0), # 6.0.6001.18000 (Vista SP1 / W2K8 SP1)
    (0x00289c20, 0x00289be0), # 6.0.6002.18005 (Vista SP2 / W2K8 SP2)
    (0x002da480, 0x002da440), # 6.1.7600.16385 (Win 7 SP0)
    (0x002db6a0, 0x002db660), # 6.1.7601.17514 (Win 7 SP1)
    (0x002e08a0, 0x002e0860), # 6.1.7601.17842 (W2K8 R2 SP1)
    (0x002e06a0, 0x002e0660), # ?? (W2K8 R2 SP1)
]

class MessageHooks(atoms.Atoms, sessions.SessionsMixin):
    """List desktop and thread window message hooks"""

    def calculate(self):
        # Get all the atom tables and window stations
        atom_tables = dict((atom_table, winsta)
                        for (atom_table, winsta)
                        in atoms.Atoms(self._config).calculate())

        # Unique window stations
        window_stations = [
                winsta for winsta in atom_tables.values()
                if winsta]

        for winsta in window_stations:
            yield winsta, atom_tables

    def translate_atom(self, winsta, atom_tables, atom_id):
        """
        Translate an atom into an atom name.

        @param winsta: a tagWINDOWSTATION in the proper
        session space

        @param atom_tables: a dictionary with _RTL_ATOM_TABLE
        instances as the keys and owning window stations as
        the values.

        @param atom_id: the ID of the atom to translate.
        """

        # First check the default atoms
        if consts.DEFAULT_ATOMS.has_key(atom_id):
            return consts.DEFAULT_ATOMS[atom_id].Name

        # A list of tables to search. The session atom tables
        # have priority and will be searched first.
        table_list = [
                table for (table, window_station)
                in atom_tables.items() if window_station == None
                ]
        table_list.append(winsta.AtomTable)

        ## Fixme: the session atom tables are found via physical
        ## AS pool tag scanning, and there's no good way (afaik)
        ## to associate the table with its session. Thus if more
        ## than one session has atoms with the same id but different
        ## values, then we could possibly select the wrong one.
        for table in table_list:
            atom = table.find_atom(atom_id)
            if atom:
                return atom.Name

        return obj.NoneObject("Cannot translate atom {0:#x}".format(atom_id))

    def translate_hmod(self, winsta, atom_tables, index):
        """
        Translate an ihmod (index into a handle table) into
        an atom. This requires locating the win32k!_aatomSysLoaded
        symbol. If the symbol cannot be found, we'll just report
        back the ihmod value.

        @param winsta: a tagWINDOWSTATION in the proper
        session space

        @param atom_tables: a dictionary with _RTL_ATOM_TABLE
        instances as the keys and owning window stations as
        the values.

        @param index: the index into the atom handle table.
        """

        # No need to translate these
        if index == -1:
            return "(Current Module)"

        # To get an _MM_SESSION_SPACE we first start with a
        # kernel AS and walk processes.
        kernel_space = utils.load_as(self._config)
        session = self.find_session_space(
                        kernel_space, winsta.dwSessionId)

        # Report back the ihmod value if we fail
        if not session:
            return hex(index)

        if winsta.obj_vm.profile.metadata.get('memory_model', '32bit') == '32bit':
            message_offsets = message_offsets_x86
        else:
            message_offsets = message_offsets_x64

        # Iterate over the possible offsets for win32k globals
        for (count_offset, table_offset) in message_offsets:

            # This is _catomSysTableEntries
            count = obj.Object("unsigned long",
                        offset = session.Win32KBase + count_offset,
                        vm = session.obj_vm)

            # We fail for this offset if the count is unreadable,
            # zero, greater than 32, or not greater than the
            # requested handle table index.
            if (count == None or count == 0 or count > 32 or
                        count <= index):
                continue

            # An array of atom IDs
            atomlist = obj.Object("Array", targetType = "unsigned short",
                        offset = session.Win32KBase + table_offset,
                        count = count, vm = session.obj_vm)

            # Our last sanity check is that the number of valid
            # atoms equals the claimed number of atoms. This check
            # is currently commented out because on at least one image
            # (shylock.dmp), the count is 3 but there are only 2 valid
            # atoms, thus we end up skipping it.
            #valid_entries = len([atom for atom in atoms if atom != 0])
            #if count != valid_entries:
            #    continue

            # We can stop after finding a potential atom
            atom_id = atomlist[index]

            # Attempt to translate the atom into a module name
            module = self.translate_atom(winsta, atom_tables, atom_id)
            if module:
                return module

        # Report back the ihmod value if we fail
        return hex(index)

    def render_text(self, outfd, data):
        """Render output in table form"""

        self.table_header(outfd,
                         [("Offset(V)", "[addrpad]"),
                          ("Sess", "<6"),
                          ("Desktop", "20"),
                          ("Thread", "30"),
                          ("Filter", "20"),
                          ("Flags", "20"),
                          ("Function", "[addrpad]"),
                          ("Module", ""),
                         ])

        for winsta, atom_tables in data:
            for desk in winsta.desktops():
                for name, hook in desk.hooks():
                    module = self.translate_hmod(winsta, atom_tables, hook.ihmod)
                    self.table_row(outfd,
                                hook.obj_offset,
                                winsta.dwSessionId,
                                "{0}\\{1}".format(winsta.Name, desk.Name),
                                "", name,
                                str(hook.flags),
                                hook.offPfn,
                                module,
                                )

                for thrd in desk.threads():
                    info = "{0} ({1} {2})".format(
                        thrd.pEThread.Cid.UniqueThread,
                        thrd.ppi.Process.ImageFileName,
                        thrd.ppi.Process.UniqueProcessId
                        )
                    for name, hook in thrd.hooks():
                        module = self.translate_hmod(winsta, atom_tables, hook.ihmod)
                        self.table_row(outfd,
                                    hook.obj_offset,
                                    winsta.dwSessionId,
                                    "{0}\\{1}".format(winsta.Name, desk.Name),
                                    info, name,
                                    str(hook.flags),
                                    hook.offPfn,
                                    module,
                                    )

    def render_block(self, outfd, data):
        """Render output as a block"""

        def write_block(outfd, winsta, desk, hook, module, thread):
            outfd.write("{0:<10} : {1:#x}\n".format("Offset(V)", hook.obj_offset))
            outfd.write("{0:<10} : {1}\n".format("Session", winsta.dwSessionId))
            outfd.write("{0:<10} : {1}\n".format("Desktop", "{0}\\{1}".format(winsta.Name, desk.Name)))
            outfd.write("{0:<10} : {1}\n".format("Thread", thread))
            outfd.write("{0:<10} : {1}\n".format("Filter", name))
            outfd.write("{0:<10} : {1}\n".format("Flags", str(hook.flags)))
            outfd.write("{0:<10} : {1:#x}\n".format("Procedure", hook.offPfn))
            outfd.write("{0:<10} : {1}\n".format("ihmod", hook.ihmod))
            outfd.write("{0:<10} : {1}\n\n".format("Module", module))

        for winsta, atom_tables in data:
            for desk in winsta.desktops():
                for name, hook in desk.hooks():
                    module = self.translate_hmod(winsta, atom_tables, hook.ihmod)
                    write_block(outfd, winsta, desk, hook, module, "")

                for thrd in desk.threads():
                    info = "{0} ({1} {2})".format(
                        thrd.pEThread.Cid.UniqueThread,
                        thrd.ppi.Process.ImageFileName,
                        thrd.ppi.Process.UniqueProcessId
                        )
                    for name, hook in thrd.hooks():
                        module = self.translate_hmod(winsta, atom_tables, hook.ihmod)
                        write_block(outfd, winsta, desk, hook, module, info)

volatility-2.3.1/volatility/plugins/gui/constants.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
# Copyright (C) 2009 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import copy

# Windows assigns several atom IDs by default, but doesn't include
# them in the local or global atom tables. Thus when we perform a
# lookup, we don't want to exclude these default atoms, so we create
# a fake atom structure and assign the values as needed. The search
# algorithm will then check the default atoms before moving onto the
# atoms found in local/global tables.
class FakeAtom(object):
    def __init__(self, name):
        self.Name = name

DEFAULT_ATOMS = {
    0x8000: FakeAtom("PopupMenu (Default)"),
    0x8001: FakeAtom("Desktop (Default)"),
    0x8002: FakeAtom("Dialog (Default)"),
    0x8003: FakeAtom("WinSwitch (Default)"),
    0x8004: FakeAtom("IconTitle (Default)"),
    0x8006: FakeAtom("ToolTip (Default)"),
}

WINDOW_STYLES = dict(
    WS_OVERLAPPED = 0x00000000L,
    WS_POPUP = 0x80000000L,
    WS_CHILD = 0x40000000L,
    WS_MINIMIZE = 0x20000000L,
    WS_VISIBLE = 0x10000000L,
    WS_DISABLED = 0x08000000L,
    WS_CLIPSIBLINGS = 0x04000000L,
    WS_CLIPCHILDREN = 0x02000000L,
    WS_MAXIMIZE = 0x01000000L,
    WS_CAPTION = 0x00C00000L,
    WS_BORDER = 0x00800000L,
    WS_DLGFRAME = 0x00400000L,
    WS_VSCROLL = 0x00200000L,
    WS_HSCROLL = 0x00100000L,
    WS_SYSMENU = 0x00080000L,
    WS_THICKFRAME = 0x00040000L,
    WS_GROUP = 0x00020000L,
    WS_TABSTOP = 0x00010000L,
    WS_MINIMIZEBOX = 0x00020000L,
    WS_MAXIMIZEBOX = 0x00010000L,
)

WINDOW_STYLES_EX = dict(
    WS_EX_DLGMODALFRAME = 0x00000001L,
    WS_EX_NOPARENTNOTIFY = 0x00000004L,
    WS_EX_TOPMOST = 0x00000008L,
    WS_EX_ACCEPTFILES = 0x00000010L,
    WS_EX_TRANSPARENT = 0x00000020L,
    WS_EX_MDICHILD = 0x00000040L,
    WS_EX_TOOLWINDOW = 0x00000080L,
    WS_EX_WINDOWEDGE = 0x00000100L,
    WS_EX_CLIENTEDGE = 0x00000200L,
    WS_EX_CONTEXTHELP = 0x00000400L,
    WS_EX_RIGHT = 0x00001000L,
    WS_EX_LEFT = 0x00000000L,
    WS_EX_RTLREADING = 0x00002000L,
    WS_EX_LTRREADING = 0x00000000L,
    WS_EX_LEFTSCROLLBAR = 0x00004000L,
    WS_EX_RIGHTSCROLLBAR = 0x00000000L,
    WS_EX_CONTROLPARENT = 0x00010000L,
    WS_EX_STATICEDGE = 0x00020000L,
    WS_EX_APPWINDOW = 0x00040000L,
)

# These are message types in the order that they appear in the aphkStart array.
MESSAGE_TYPES = [
    ('WH_MSGFILTER', -1),
    ('WH_JOURNALRECORD', 0),
    ('WH_JOURNALPLAYBACK', 1),
    ('WH_KEYBOARD', 2),
    ('WH_GETMESSAGE', 3),
    ('WH_CALLWNDPROC', 4),
    ('WH_CBT', 5),
    ('WH_SYSMSGFILTER', 6),
    ('WH_MOUSE', 7),
    ('WH_HARDWARE', 8),
    ('WH_DEBUG', 9),
    ('WH_SHELL', 10),
    ('WH_FOREGROUNDIDLE', 11),
    ('WH_CALLWNDPROCRET', 12),
    ('WH_KEYBOARD_LL', 13),
    ('WH_MOUSE_LL', 14),
]

# See http://forum.sysinternals.com/enumerate-windows-hooks_topic23877_post124845.html
HOOK_FLAGS = dict(
    HF_GLOBAL = 0, #0x0001, # Global hooks (for all threads on desktop)
    HF_ANSI = 1, #0x0002, # Uses Ansi strings instead of Unicode
    HF_HUNG = 3, #0x0008, # The hook procedure is hung
    HF_HOOKFAULTED = 4, #0x0010, # The hook procedure caused some fault
    HF_WX86KNOWNDLL = 6, #0x0040, # Hook Module is x86 machine type
    HF_DESTROYED = 7, #0x0080, # The object is destroyed (set by FreeHook)
    HF_INCHECKWHF = 8, #0x0100, # The fsHooks is currently being updated
    HF_FREED = 9, #0x0200, # The object is freed
)

# dwflags parameter to SetWinEventHook
EVENT_FLAGS = {
    #0x0000 : 'WINEVENT_OUTOFCONTEXT',
    0x0001 : 'WINEVENT_SKIPOWNTHREAD',
    0x0002 : 'WINEVENT_SKIPOWNPROCESS',
    0x0004 : 'WINEVENT_INCONTEXT',
}

# The eventMin and eventMax parameters to SetWinEventHook.
EVENT_ID_ENUM = {
    0x00000001: 'EVENT_MIN',
    0x7FFFFFFF: 'EVENT_MAX',
    #0x0001: 'EVENT_SYSTEM_SOUND',
    0x0002: 'EVENT_SYSTEM_ALERT',
    0x0003: 'EVENT_SYSTEM_FOREGROUND',
    0x0004: 'EVENT_SYSTEM_MENUSTART',
    0x0005: 'EVENT_SYSTEM_MENUEND',
    0x0006: 'EVENT_SYSTEM_MENUPOPUPSTART',
    0x0007: 'EVENT_SYSTEM_MENUPOPUPEND',
    0x0008: 'EVENT_SYSTEM_CAPTURESTART',
    0x0009: 'EVENT_SYSTEM_CAPTUREEND',
    0x000A: 'EVENT_SYSTEM_MOVESIZESTART',
    0x000B: 'EVENT_SYSTEM_MOVESIZEEND',
    0x000C: 'EVENT_SYSTEM_CONTEXTHELPSTART',
    0x000D: 'EVENT_SYSTEM_CONTEXTHELPEND',
    0x000E: 'EVENT_SYSTEM_DRAGDROPSTART',
    0x000F: 'EVENT_SYSTEM_DRAGDROPEND',
    0x0010: 'EVENT_SYSTEM_DIALOGSTART',
    0x0011: 'EVENT_SYSTEM_DIALOGEND',
    0x0012: 'EVENT_SYSTEM_SCROLLINGSTART',
    0x0013: 'EVENT_SYSTEM_SCROLLINGEND',
    0x0014: 'EVENT_SYSTEM_SWITCHSTART',
    0x0015: 'EVENT_SYSTEM_SWITCHEND',
    0x0016: 'EVENT_SYSTEM_MINIMIZESTART',
    0x0017: 'EVENT_SYSTEM_MINIMIZEEND',
    0x0020: 'EVENT_SYSTEM_DESKTOPSWITCH',
    0x00FF: 'EVENT_SYSTEM_END',
    0x0101: 'EVENT_OEM_DEFINED_START',
    0x01FF: 'EVENT_OEM_DEFINED_END',
    0x4E00: 'EVENT_UIA_EVENTID_START',
    0x4EFF: 'EVENT_UIA_EVENTID_END',
    0x7500: 'EVENT_UIA_PROPID_START',
    0x75FF: 'EVENT_UIA_PROPID_END',
    0x4001: 'EVENT_CONSOLE_CARET',
    0x4002: 'EVENT_CONSOLE_UPDATE_REGION',
    0x4003: 'EVENT_CONSOLE_UPDATE_SIMPLE',
    0x4004: 'EVENT_CONSOLE_UPDATE_SCROLL',
    0x4005: 'EVENT_CONSOLE_LAYOUT',
    0x4006: 'EVENT_CONSOLE_START_APPLICATION',
    0x4007: 'EVENT_CONSOLE_END_APPLICATION',
    0x40FF: 'EVENT_CONSOLE_END',
    0x8000: 'EVENT_OBJECT_CREATE',
    0x8001: 'EVENT_OBJECT_DESTROY',
    0x8002: 'EVENT_OBJECT_SHOW',
    0x8003: 'EVENT_OBJECT_HIDE',
    0x8004: 'EVENT_OBJECT_REORDER',
    0x8005: 'EVENT_OBJECT_FOCUS',
    0x8006: 'EVENT_OBJECT_SELECTION',
    0x8007: 'EVENT_OBJECT_SELECTIONADD',
    0x8008: 'EVENT_OBJECT_SELECTIONREMOVE',
    0x8009: 'EVENT_OBJECT_SELECTIONWITHIN',
    0x800A: 'EVENT_OBJECT_STATECHANGE',
    0x800B: 'EVENT_OBJECT_LOCATIONCHANGE',
    0x800C: 'EVENT_OBJECT_NAMECHANGE',
    0x800D: 'EVENT_OBJECT_DESCRIPTIONCHANGE',
    0x800E: 'EVENT_OBJECT_VALUECHANGE',
    0x800F: 'EVENT_OBJECT_PARENTCHANGE',
    0x8010: 'EVENT_OBJECT_HELPCHANGE',
    0x8011: 'EVENT_OBJECT_DEFACTIONCHANGE',
    0x8012: 'EVENT_OBJECT_ACCELERATORCHANGE',
    0x8013: 'EVENT_OBJECT_INVOKED',
    0x8014: 'EVENT_OBJECT_TEXTSELECTIONCHANGED',
}

# USER objects on XP/2003/Vista/2008
HANDLE_TYPE_ENUM = {
    0: 'TYPE_FREE',
    1: 'TYPE_WINDOW',
    2: 'TYPE_MENU',
    3: 'TYPE_CURSOR',
    4: 'TYPE_SETWINDOWPOS',
    5: 'TYPE_HOOK',
    6: 'TYPE_CLIPDATA',
    7: 'TYPE_CALLPROC',
    8: 'TYPE_ACCELTABLE',
    9: 'TYPE_DDEACCESS',
    10: 'TYPE_DDECONV',
    11: 'TYPE_DDEXACT',
    12: 'TYPE_MONITOR',
    13: 'TYPE_KBDLAYOUT',
    14: 'TYPE_KBDFILE',
    15: 'TYPE_WINEVENTHOOK',
    16: 'TYPE_TIMER',
    17: 'TYPE_INPUTCONTEXT',
    18: 'TYPE_HIDDATA',
    19: 'TYPE_DEVICEINFO',
}

# USER objects for Windows 7
HANDLE_TYPE_ENUM_SEVEN = copy.copy(HANDLE_TYPE_ENUM)
HANDLE_TYPE_ENUM_SEVEN[20] = 'TYPE_TOUCH'
HANDLE_TYPE_ENUM_SEVEN[21] = 'TYPE_GESTURE'

# Clipboard format types
CLIPBOARD_FORMAT_ENUM = {
    1: 'CF_TEXT',
    2: 'CF_BITMAP',
    3: 'CF_METAFILEPICT',
    4: 'CF_SYLK',
    5: 'CF_DIF',
    6: 'CF_TIFF',
    7: 'CF_OEMTEXT',
    8: 'CF_DIB',
    9: 'CF_PALETTE',
    10: 'CF_PENDATA',
    11: 'CF_RIFF',
    12: 'CF_WAVE',
    13: 'CF_UNICODETEXT',
    14: 'CF_ENHMETAFILE',
    15: 'CF_HDROP',
    16: 'CF_LOCALE',
    17: 'CF_DIBV5',
    0x80: 'CF_OWNERDISPLAY',
    0x81: 'CF_DSPTEXT',
    0x82: 'CF_DSPBITMAP',
    0x83: 'CF_DSPMETAFILEPICT',
    0x8E: 'CF_DSPENHMETAFILE',
    ## The following are ranges, not actual formats
    #0x200: 'CF_PRIVATEFIRST',
    #0x2FF: 'CF_PRIVATELAST',
    #0x300: 'CF_GDIOBJFIRST',
    #0x3FF: 'CF_GDIOBJLAST',
}

# Flags for timer objects
TIMER_FLAGS = dict(
    TMRF_READY = 0, # 0x0001
    TMRF_SYSTEM = 1, # 0x0002
    TMRF_RIT = 2, # 0x0004
    TMRF_INIT = 3, # 0x0008
    TMRF_ONESHOT = 4, # 0x0010
    TMRF_WAITING = 5, # 0x0020
    TMRF_TIFROMWND = 6, # 0x0040
)

volatility-2.3.1/volatility/plugins/gui/atoms.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj
import volatility.utils as utils
import volatility.scan as scan
import volatility.plugins.common as common
import volatility.plugins.gui.windowstations as windowstations

class PoolScanAtom(scan.PoolScanner):
    """Pool scanner for atom tables"""

    def object_offset(self, found, address_space):
        """ This returns the offset of the object contained within
        this pool allocation.
        """

        pool_base = found - \
                self.buffer.profile.get_obj_offset('_POOL_HEADER', 'PoolTag')

        ## Note: on all OSes after XP, there are an extra 8 bytes (for 32-bit)
        ## or 16 bytes (for 64-bit) between the _POOL_HEADER and _RTL_ATOM_TABLE.
        ## This is a variable-length structure, so we can't use the bottom-up
        ## approach as we do with other object scanners - because the size of an
        ## _RTL_ATOM_TABLE differs depending on the number of hash buckets.
        build = (self.buffer.profile.metadata.get('major', 0),
                 self.buffer.profile.metadata.get('minor', 0))

        if self.buffer.profile.metadata.get('memory_model', '32bit') == '32bit':
            fixup = 8 if build > (5, 1) else 0
        else:
            fixup = 16 if build > (5, 1) else 0

        return pool_base + self.buffer.profile.get_obj_size('_POOL_HEADER') + fixup

    checks = [ ('PoolTagCheck', dict(tag = "AtmT")),
               ('CheckPoolSize', dict(condition = lambda x: x >= 200)),
               ('CheckPoolType', dict(paged = True, non_paged = True, free = True)),
               ]

class AtomScan(common.AbstractWindowsCommand):
    """Pool scanner for _RTL_ATOM_TABLE"""

    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

        config.add_option("SORT-BY", short_option = 'S', type = "choice",
                          choices = ["atom", "refcount", "offset"], default = "offset",
                          help = "Sort by [offset | atom | refcount]", action = "store")

    def calculate(self):
        flat_space = utils.load_as(self._config, astype = 'physical')
        kernel_space = utils.load_as(self._config)

        # Scan for atom tables
        for offset in PoolScanAtom().scan(flat_space):

            # There's no way to tell which session or window station
            # owns an atom table by *just* looking at the atom table,
            # so we have to instantiate it from the default kernel AS.
            atom_table = obj.Object('_RTL_ATOM_TABLE', offset = offset,
                    vm = flat_space, native_vm = kernel_space)

            if atom_table.is_valid():
                yield atom_table

    def render_text(self, outfd, data):

        self.table_header(outfd,
                         [("TableOfs(P)", "[addr]"),
                          ("AtomOfs(V)", "[addrpad]"),
                          ("Atom", "[addr]"),
                          ("Refs", "6"),
                          ("Pinned", "6"),
                          ("Name", ""),
                         ])

        for atom_table in data:

            # This defeats the purpose of having a generator, but
            # it's required if we want to be able to sort. We also
            # filter string atoms here.
            atoms = [a for a in atom_table.atoms() if a.is_string_atom()]

            if self._config.SORT_BY == "atom":
                attr = "Atom"
            elif self._config.SORT_BY == "refcount":
                attr = "ReferenceCount"
            else:
                attr = "obj_offset"

            for atom in sorted(atoms, key = lambda x: getattr(x, attr)):

                self.table_row(outfd,
                    atom_table.obj_offset,
                    atom.obj_offset,
                    atom.Atom, atom.ReferenceCount,
                    atom.Pinned,
                    str(atom.Name or "")
                    )

class Atoms(common.AbstractWindowsCommand):
    """Print session and window station atom tables"""

    def calculate(self):
        seen = []

        # Find the atom tables that belong to each window station
        for wndsta in windowstations.WndScan(self._config).calculate():

            offset = wndsta.obj_native_vm.vtop(wndsta.pGlobalAtomTable)
            if offset in seen:
                continue
            seen.append(offset)

            # The atom table is dereferenced in the proper
            # session space
            atom_table = wndsta.AtomTable

            if atom_table.is_valid():
                yield atom_table, wndsta

        # Find atom tables not linked to specific window stations.
        # This finds win32k!UserAtomHandleTable.
        for table in AtomScan(self._config).calculate():
            if table.PhysicalAddress not in seen:
                yield table, obj.NoneObject("No windowstation")

    def render_text(self, outfd, data):

        self.table_header(outfd,
                         [("Offset(P)", "[addr]"),
                          ("Session", "^10"),
                          ("WindowStation", "^18"),
                          ("Atom", "[addr]"),
                          ("RefCount", "^10"),
                          ("HIndex", "^10"),
                          ("Pinned", "^10"),
                          ("Name", ""),
                         ])

        for atom_table, window_station in data:
            for atom in atom_table.atoms():

                ## Filter string atoms
                if not atom.is_string_atom():
                    continue

                self.table_row(outfd,
                    atom_table.PhysicalAddress,
                    window_station.dwSessionId,
                    window_station.Name,
                    atom.Atom,
                    atom.ReferenceCount,
                    atom.HandleIndex,
                    atom.Pinned,
                    str(atom.Name or "")
                    )

volatility-2.3.1/volatility/plugins/gui/clipboard.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj
import volatility.debug as debug
import volatility.utils as utils
import volatility.plugins.common as common
import volatility.plugins.gui.sessions as sessions
import volatility.plugins.gui.windowstations as windowstations
import volatility.plugins.gui.constants as consts

class Clipboard(common.AbstractWindowsCommand, sessions.SessionsMixin):
    """Extract the contents of the windows clipboard"""

    def calculate(self):
        kernel_space = utils.load_as(self._config)

        # Dictionary of MM_SESSION_SPACEs by ID
        sesses = dict((int(session.SessionId), session)
            for session in self.session_spaces(kernel_space)
                )

        # Dictionary of session USER objects by handle
        session_handles = {}

        # If various objects cannot be found or associated,
        # we'll return none objects
        e0 = obj.NoneObject("Unknown tagCLIPDATA")
        e1 = obj.NoneObject("Unknown tagWINDOWSTATION")
        e2 = obj.NoneObject("Unknown tagCLIP")

        # Handle type filter
        filters = [lambda x : str(x.bType) == "TYPE_CLIPDATA"]

        # Load tagCLIPDATA handles from all sessions
        for sid, session in sesses.items():
            handles = {}
            shared_info = session.find_shared_info()
            if not shared_info:
                debug.debug("No shared info for session {0}".format(sid))
                continue
            for handle in shared_info.handles(filters):
                handles[int(handle.phead.h)] = handle
            session_handles[sid] = handles

        # Each WindowStation
        for wndsta in windowstations.WndScan(self._config).calculate():
            session = sesses.get(int(wndsta.dwSessionId), None)
            # The session is unknown
            if not session:
                continue
            handles = session_handles.get(int(session.SessionId), None)
            # No handles in the session
            if not handles:
                continue
            clip_array = wndsta.pClipBase.dereference()
            # The tagCLIP array is empty or the pointer is invalid
            if not clip_array:
                continue
            # Resolve tagCLIPDATA from tagCLIP.hData
            for clip in clip_array:
                handle = handles.get(int(clip.hData), e0)
                # Remove this handle from the list
                if handle:
                    handles.pop(int(clip.hData))
                yield session, wndsta, clip, handle

        # Any remaining tagCLIPDATA not matched. This allows us
        # to still find clipboard data if a window station is not
        # found or if pClipData or cNumClipFormats were corrupt
        for sid in sesses.keys():
            handles = session_handles.get(sid, None)
            # No handles in the session
            if not handles:
                continue
            for handle in handles.values():
                yield sesses[sid], e1, e2, handle

    def render_text(self, outfd, data):

        self.table_header(outfd,
                         [("Session", "10"),
                          ("WindowStation", "12"),
                          ("Format", "18"),
                          ("Handle", "[addr]"),
                          ("Object", "[addrpad]"),
                          ("Data", "50"),
                         ])

        for session, wndsta, clip, handle in data:

            # If no tagCLIP is provided, we do not know the format
            if not clip:
                fmt = obj.NoneObject("Format unknown")
            else:
                # Try to get the format name, but failing that, print
                # the format number in hex instead.
                if clip.fmt.v() in consts.CLIPBOARD_FORMAT_ENUM:
                    fmt = str(clip.fmt)
                else:
                    fmt = hex(clip.fmt.v())

            # Try to get the handle from tagCLIP first, but
            # fall back to using _HANDLEENTRY.phead. Note: this can
            # be a value like DUMMY_TEXT_HANDLE (1) etc.
            if clip:
                handle_value = clip.hData
            else:
                handle_value = handle.phead.h

            clip_data = ""
            if handle and "TEXT" in fmt:
                clip_data = handle.reference_object().as_string(fmt)

            self.table_row(outfd,
                           session.SessionId,
                           wndsta.Name,
                           fmt,
                           handle_value,
                           handle.phead.v(),
                           clip_data)

            # Print an additional hexdump if --verbose is specified
            if self._config.VERBOSE and handle:
                hex_dump = handle.reference_object().as_hex()
                outfd.write("{0}".format(hex_dump))

volatility-2.3.1/volatility/plugins/gui/gditimers.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.plugins.common as common
import volatility.utils as utils
import volatility.plugins.gui.sessions as sessions

class GDITimers(common.AbstractWindowsCommand, sessions.SessionsMixin):
    """Print installed GDI timers and callbacks"""

    def calculate(self):
        kernel_as = utils.load_as(self._config)

        for session in self.session_spaces(kernel_as):

            shared_info = session.find_shared_info()
            if not shared_info:
                continue

            filters = [lambda x : str(x.bType) == "TYPE_TIMER"]

            for handle in shared_info.handles(filters):
                timer = handle.reference_object()
                yield session, handle, timer

    def render_text(self, outfd, data):

        self.table_header(outfd,
                         [("Sess", "^6"),
                          ("Handle", "[addr]"),
                          ("Object", "[addrpad]"),
                          ("Thread", "8"),
                          ("Process", "20"),
                          ("nID", "[addr]"),
                          ("Rate(ms)", "10"),
                          ("Countdown(ms)", "10"),
                          ("Func", "[addrpad]"),
                         ])

        for session, handle, timer in data:

            # Get the process info from the object handle header if
            # available, otherwise from the timer object itself.
            p = handle.Process or timer.pti.ppi.Process
            process = "{0}:{1}".format(p.ImageFileName, p.UniqueProcessId)

            self.table_row(outfd,
                            session.SessionId,
                            handle.phead.h,
                            timer.obj_offset,
                            timer.pti.pEThread.Cid.UniqueThread,
                            process,
                            timer.nID,
                            timer.cmsRate,
                            timer.cmsCountdown,
                            timer.pfn)

volatility-2.3.1/volatility/plugins/gui/win32k_core.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj
import volatility.plugins.gui.constants as consts
import volatility.plugins.overlays.windows.windows as windows
import volatility.utils as utils
import volatility.addrspace as addrspace
import volatility.conf as conf

#--------------------------------------------------------------------------------
# object classes
#--------------------------------------------------------------------------------

class _MM_SESSION_SPACE(obj.CType):
    """A class for session spaces"""

    def processes(self):
        """Generator for processes in this session.

        A process is always associated with exactly
        one session.
        """
        for p in self.ProcessList.list_of_type("_EPROCESS", "SessionProcessLinks"):
            yield p

    @property
    def Win32KBase(self):
        """Get the base address of the win32k.sys as mapped
        into this session's memory.

        Since win32k.sys is always the first image to be
        mapped, we can just grab the first list entry."""

        ## An exception may be generated when a process from a terminated
        ## session still exists in the active process list.
        try:
            return list(self.images())[0].Address
        except IndexError:
            return obj.NoneObject("No images mapped in this session")

    def images(self):
        """Generator for images (modules) loaded into
        this session's space"""
        for i in self.ImageList.list_of_type("_IMAGE_ENTRY_IN_SESSION", "Link"):
            yield i

    def _section_chunks(self, sec_name):
        """Get the win32k.sys section as an array of
        32-bit unsigned longs.

        @param sec_name: name of the PE section in win32k.sys
        to search for.

        @returns all chunks on a 4-byte boundary.
        """

        dos_header = obj.Object("_IMAGE_DOS_HEADER",
                offset = self.Win32KBase, vm = self.obj_vm)

        if dos_header:
            try:
                nt_header = dos_header.get_nt_header()

                sections = [
                    sec for sec in nt_header.get_sections(False)
                    if str(sec.Name) == sec_name
                    ]

                # There should be exactly one section
                if sections:
                    desired_section = sections[0]
                    return obj.Object("Array", targetType = "unsigned long",
                                        offset = desired_section.VirtualAddress + dos_header.obj_offset,
                                        count = desired_section.Misc.VirtualSize / 4,
                                        vm = self.obj_vm)
            except ValueError:
                ## This catches PE header parsing exceptions
                pass

        ## Don't try to read an address that doesn't exist
        if not self.Win32KBase:
            return []

        ## In the rare case when win32k.sys PE header is paged or corrupted
        ## thus preventing us from parsing the sections, use the fallback
        ## mechanism of just reading 5 MB (max size of win32k.sys) from the
        ## base of the kernel module.
        data = self.obj_vm.zread(self.Win32KBase, 0x500000)

        ## Fill a Buffer AS with the zread data and set its base to win32k.sys
        ## so we can still instantiate an Array and have each chunk at the
        ## correct offset in virtual memory.
        buffer_as = addrspace.BufferAddressSpace(conf.ConfObject(),
                            data = data,
                            base_offset = self.Win32KBase)

        return obj.Object("Array", targetType = "unsigned long",
                          offset = self.Win32KBase,
                          count = len(data) / 4,
                          vm = buffer_as)

    def find_gahti(self):
        """Find this session's gahti.

        This can potentially be much faster by searching for
        '\0' * sizeof(tagHANDLETYPEINFO) instead
        of moving on a dword aligned boundary through
        the section.
        """

        for chunk in self._section_chunks(".rdata"):
            if not chunk.is_valid():
                continue

            gahti = obj.Object("gahti", offset = chunk.obj_offset,
                vm = self.obj_vm)

            ## The sanity check here is based on the fact that the first entry
            ## in the gahti is always for TYPE_FREE. The fnDestroy pointer will
            ## be NULL, the alloc tag will be an empty string, and the creation
            ## flags will be zero.
            ## We also then check the alloc tag of the first
            ## USER handle type which should be Uswd (TYPE_WINDOW).
            if (gahti.types[0].fnDestroy == 0 and
                    str(gahti.types[0].dwAllocTag) == '' and
                    gahti.types[0].bObjectCreateFlags == 0 and
                    str(gahti.types[1].dwAllocTag) == "Uswd"):
                return gahti

        return obj.NoneObject("Cannot find win32k!_gahti")

    def find_shared_info(self):
        """Find this session's tagSHAREDINFO structure.

        This structure is embedded in win32k's .data section,
        (i.e. not in dynamically allocated memory). Thus we
        iterate over each DWORD-aligned possibility and treat
        it as a tagSHAREDINFO until the sanity checks are met.
        """

        for chunk in self._section_chunks(".data"):
            # If the base of the value is paged
            if not chunk.is_valid():
                continue
            # Treat it as a shared info struct
            shared_info = obj.Object("tagSHAREDINFO",
                offset = chunk.obj_offset, vm = self.obj_vm)
            # Sanity check it
            try:
                if shared_info.is_valid():
                    return shared_info
            except obj.InvalidOffsetError:
                pass

        return obj.NoneObject("Cannot find win32k!gSharedInfo")

class tagSHAREDINFO(obj.CType):
    """A class for shared info blocks"""

    def is_valid(self):
        """The sanity checks for tagSHAREDINFO structures"""

        if not obj.CType.is_valid(self):
            return False

        # The kernel's version of tagSHAREDINFO should always have
        # a zeroed-out shared delta member.
        if self.ulSharedDelta != 0:
            return False

        # The pointer to our server information structure must be valid
        if not self.psi.is_valid():
            return False

        # Annoying check, but required for some samples
        # whose psi is a valid pointer, but cbHandleTable
        # cannot be read due to objects that cross page
        # boundaries.
        if self.psi.cbHandleTable == None:
            return False

        if self.psi.cbHandleTable < 0x1000:
            return False

        # The final check is that the total size in bytes of the handle
        # table is equal to the size of a _HANDLEENTRY multiplied by the
        # number of _HANDLEENTRY structures.
        return (self.psi.cbHandleTable /
                    self.obj_vm.profile.get_obj_size("_HANDLEENTRY")
                    == self.psi.cHandleEntries)

    def handles(self, filters = None):
        """Carve handles from the shared info block.

        @param filters: a list of callables that perform
        checks and return True if the handle should be
        included in output.
        """

        if filters == None:
            filters = []

        hnds = obj.Object("Array", targetType = "_HANDLEENTRY",
                          offset = self.aheList,
                          vm = self.obj_vm,
                          count = self.psi.cHandleEntries)

        for i, h in enumerate(hnds):

            # Sanity check the handle value if the handle Object
            # has not been freed.
            if not h.Free:
                if h.phead.h != (h.wUniq << 16) | (0xFFFF & i):
                    continue

            b = False

            # Run the filters and break if any tests fail
            for filt in filters:
                if not filt(h):
                    b = True
                    break

            if not b:
                yield h

class _HANDLEENTRY(obj.CType):
    """A class for USER handle entries"""

    def reference_object(self):
        """Reference the object this handle represents.

        If the object's type is not in our map, we don't know
        what type of object to instantiate so it's filled with
        obj.NoneObject() instead.
        """

        object_map = dict(TYPE_WINDOW = "tagWND",
                          TYPE_HOOK = "tagHOOK",
                          TYPE_CLIPDATA = "tagCLIPDATA",
                          TYPE_WINEVENTHOOK = "tagEVENTHOOK",
                          TYPE_TIMER = "tagTIMER",
                          )

        object_type = object_map.get(str(self.bType), None)

        if not object_type:
            return obj.NoneObject("Cannot reference object type")

        return obj.Object(object_type,
                    offset = self.phead, vm = self.obj_vm)

    @property
    def Free(self):
        """Check if the handle has been freed"""
        return str(self.bType) == "TYPE_FREE"

    @property
    def ThreadOwned(self):
        """Handles of these types are always thread owned"""
        return str(self.bType) in [
                        'TYPE_WINDOW', 'TYPE_SETWINDOWPOS', 'TYPE_HOOK',
                        'TYPE_DDEACCESS', 'TYPE_DDECONV', 'TYPE_DDEXACT',
                        'TYPE_WINEVENTHOOK', 'TYPE_INPUTCONTEXT', 'TYPE_HIDDATA',
                        'TYPE_TOUCH', 'TYPE_GESTURE']

    @property
    def ProcessOwned(self):
        """Handles of these types are always process owned"""
        return str(self.bType) in [
                        'TYPE_MENU', 'TYPE_CURSOR', 'TYPE_TIMER',
                        'TYPE_CALLPROC', 'TYPE_ACCELTABLE']

    @property
    def Thread(self):
        """Return the ETHREAD if it's thread owned"""
        if self.ThreadOwned:
            return self.pOwner.\
                        dereference_as("tagTHREADINFO").\
                        pEThread.dereference()
        return obj.NoneObject("Cannot find thread")

    @property
    def Process(self):
        """Return the _EPROCESS if it's process or thread owned"""
        if self.ProcessOwned:
            return self.pOwner.\
                        dereference_as("tagPROCESSINFO").\
                        Process.dereference()
        elif self.ThreadOwned:
            return self.pOwner.\
                        dereference_as("tagTHREADINFO").\
                        ppi.Process.dereference()
        return obj.NoneObject("Cannot find process")

class tagWINDOWSTATION(obj.CType):
    """A class for Windowstation objects"""

    def is_valid(self):
        return obj.CType.is_valid(self) and self.dwSessionId < 0xFF

    @property
    def PhysicalAddress(self):
        """This is a simple wrapper to always return the object's
        physical offset regardless of what AS it's instantiated in"""
        if hasattr(self.obj_vm, "vtop"):
            return self.obj_vm.vtop(self.obj_offset)
        else:
            return self.obj_offset

    @property
    def LastRegisteredViewer(self):
        """The EPROCESS of the last
        registered clipboard viewer"""
        return self.spwndClipViewer.head.pti.ppi.Process

    @property
    def AtomTable(self):
        """The atom table belonging to this window
        station object"""
        return self.pGlobalAtomTable.dereference_as("_RTL_ATOM_TABLE")

    @property
    def Interactive(self):
        """Check if a window station is interactive"""
        return not self.dwWSF_Flags & 4 # WSF_NOIO

    @property
    def Name(self):
        """Get the window station name.

        Since window stations are securable objects,
        and are managed by the same object manager as
        processes, threads, etc, there is an object
        header which stores the name.
        """

        object_hdr = obj.Object("_OBJECT_HEADER",
                vm = self.obj_vm, offset = self.obj_offset - \
                self.obj_vm.profile.get_obj_offset('_OBJECT_HEADER', 'Body'),
                native_vm = self.obj_native_vm)

        return str(object_hdr.NameInfo.Name or '')

    def traverse(self):
        """A generator that yields window station objects"""

        # Include this object in the results
        yield self
        # Now walk the singly-linked list
        nextwinsta = self.rpwinstaNext.dereference()
        while nextwinsta.is_valid() and nextwinsta.v() != 0:
            yield nextwinsta
            nextwinsta = nextwinsta.rpwinstaNext.dereference()

    def desktops(self):
        """A generator that yields the window station's desktops"""
        desk = self.rpdeskList.dereference()
        while desk.is_valid() and desk.v() != 0:
            yield desk
            desk = desk.rpdeskNext.dereference()

class tagDESKTOP(tagWINDOWSTATION):
    """A class for Desktop objects"""

    def is_valid(self):
        return (obj.CType.is_valid(self) and self.dwSessionId < 0xFF)

    @property
    def WindowStation(self):
        """Returns this desktop's parent window station"""
        return self.rpwinstaParent.dereference()

    @property
    def DeskInfo(self):
        """Returns the desktop info object"""
        return self.pDeskInfo.dereference()

    def threads(self):
        """Generator for tagTHREADINFO objects attached to this desktop"""
        for ti in self.PtiList.list_of_type("tagTHREADINFO", "PtiLink"):
            yield ti

    def hook_params(self):
        """ Parameters for the hooks() method.
        These are split out into a function so it can be
        subclassed by tagTHREADINFO.
        """
        return (self.DeskInfo.fsHooks, self.DeskInfo.aphkStart)

    def hooks(self):
        """Generator for tagHOOK info.

        Hooks are carved using the same algorithm, but different
        starting points for desktop hooks and thread hooks. Thus
        the algorithm is presented in this function and the starting
        point is acquired by calling hook_params (which is then
        subclassed by tagTHREADINFO).
        """

        (fshooks, aphkstart) = self.hook_params()

        # Convert the WH_* index into a bit position for the fsHooks fields
        WHF_FROM_WH = lambda x: (1 << x + 1)

        for pos, (name, value) in enumerate(consts.MESSAGE_TYPES):
            # Is the bit for this WH_* value set ?
            if fshooks & WHF_FROM_WH(value):
                hook = aphkstart[pos].dereference()
                for hook in hook.traverse():
                    yield name, hook

    def windows(self, win, filter = lambda x: True, level = 0): #pylint: disable-msg=W0622
        """Traverses windows in their Z order, bottom to top.

        @param win: an HWND to start. Usually this is the desktop
        window currently in focus.

        @param filter: a callable (usually lambda) to use for filtering
        the results.
        See below for examples:

        # only print subclassed windows
        filter = lambda x : x.lpfnWndProc == x.pcls.lpfnWndProc

        # only print processes named csrss.exe
        filter = lambda x : str(x.head.pti.ppi.Process.ImageFileName).lower() \
                                == "csrss.exe" if x.head.pti.ppi else False

        # only print windows owned by a given thread id
        filter = lambda x : x.head.pti.pEThread.Cid.UniqueThread == 0x1020

        # only print visible windows
        filter = lambda x : 'WS_VISIBLE' in x.style
        """
        seen = set()
        wins = []
        cur = win
        while cur.is_valid() and cur.v() != 0:
            if cur in seen:
                break
            seen.add(cur)
            wins.append(cur)
            cur = cur.spwndNext.dereference()
        while wins:
            cur = wins.pop()
            if not filter(cur):
                continue

            yield cur, level

            if cur.spwndChild.is_valid() and cur.spwndChild.v() != 0:
                for info in self.windows(cur.spwndChild, filter = filter, level = level + 1):
                    yield info

    def heaps(self):
        """Generator for the desktop heaps"""
        for segment in self.pheapDesktop.Heap.segments():
            for entry in segment.heap_entries():
                yield entry

    def traverse(self):
        """Generator for next desktops in the list"""

        # Include this object in the results
        yield self
        # Now walk the singly-linked list
        nextdesk = self.rpdeskNext.dereference()
        while nextdesk.is_valid() and nextdesk.v() != 0:
            yield nextdesk
            nextdesk = nextdesk.rpdeskNext.dereference()

class tagWND(obj.CType):
    """A class for window structures"""

    @property
    def IsClipListener(self):
        """Check if this window listens to clipboard changes"""
        return self.bClipboardListener.v()

    @property
    def ClassAtom(self):
        """The class atom for this window"""
        return self.pcls.atomClassName

    @property
    def SuperClassAtom(self):
        """The window's super class"""
        return self.pcls.atomNVClassName

    @property
    def Process(self):
        """The EPROCESS that owns the window"""
        return self.head.pti.ppi.Process.dereference()

    @property
    def Thread(self):
        """The ETHREAD that owns the window"""
        return self.head.pti.pEThread.dereference()

    @property
    def Visible(self):
        """Is this window visible on the desktop"""
        return 'WS_VISIBLE' in self.style

    def _get_flags(self, member, flags):

        if member in flags:
            return flags[member]

        return ','.join([n for (n, v) in flags.items() if member & v == v])

    @property
    def style(self):
        """The basic style flags as a string"""
        return self._get_flags(self.m('style').v(), consts.WINDOW_STYLES)

    @property
    def ExStyle(self):
        """The extended style flags as a string"""
        return self._get_flags(self.m('ExStyle').v(), consts.WINDOW_STYLES_EX)

class tagRECT(obj.CType):
    """A class for window rects"""

    def get_tup(self):
        """Return a tuple of the rect's coordinates"""
        return (self.left, self.top, self.right, self.bottom)

class tagCLIPDATA(obj.CType):
    """A class for clipboard objects"""

    def as_string(self, fmt):
        """Format the clipboard data as a string.

        @param fmt: the clipboard format.

        Note: we cannot simply override __str__ for this
        purpose, because the clipboard format is not a member
        of (or in a parent-child relationship with) the
        tagCLIPDATA structure, so we must pass it in as
        an argument.
        """

        if fmt == "CF_UNICODETEXT":
            encoding = "utf16"
        else:
            encoding = "utf8"

        return obj.Object("String", offset = self.abData.obj_offset,
                          vm = self.obj_vm, encoding = encoding,
                          length = self.cbData)

    def as_hex(self):
        """Format the clipboard contents as a hexdump"""
        data = ''.join([chr(c) for c in self.abData])
        return "".join(["{0:#x} {1:<48} {2}\n".format(self.abData.obj_offset + o, h, ''.join(c)) for o, h, c in utils.Hexdump(data)])

class tagTHREADINFO(tagDESKTOP):
    """A class for thread information objects"""

    # Named hook_params so that it overrides tagDESKTOP.hook_params,
    # which is what tagDESKTOP.hooks() calls to get its starting point.
    def hook_params(self):
        """Parameters for the hooks() method"""
        return (self.fsHooks, self.aphkStart)

class tagHOOK(obj.CType):
    """A class for message hooks"""

    def traverse(self):
        """Find the next hook in a chain"""
        hook = self
        while hook.is_valid() and hook.v() != 0:
            yield hook
            hook = hook.phkNext.dereference()

class tagEVENTHOOK(obj.CType):
    """A class for event hooks"""

    @property
    def dwFlags(self):
        """Event hook flags need special handling so we can't use vtypes"""

        # First we shift
        # the value
        f = self.m('dwFlags') >> 1

        flags = [name for (val, name) in consts.EVENT_FLAGS.items() if f & val == val]

        return '|'.join(flags)

class _RTL_ATOM_TABLE(tagWINDOWSTATION):
    """A class for atom tables"""

    def __init__(self, *args, **kwargs):
        """Give ourselves an atom cache for quick lookups"""
        self.atom_cache = {}
        tagWINDOWSTATION.__init__(self, *args, **kwargs)

    def is_valid(self):
        """Check for validity based on the atom table signature
        and the maximum allowed number of buckets"""
        return (obj.CType.is_valid(self) and
                    self.Signature == 0x6d6f7441 and
                    self.NumBuckets < 0xFFFF)

    def atoms(self):
        """Carve all atoms out of this atom table"""
        # The default hash buckets should be 0x25
        for bkt in self.Buckets:
            cur = bkt.dereference()
            while cur.is_valid() and cur.v() != 0:
                yield cur
                cur = cur.HashLink.dereference()

    def find_atom(self, atom_to_find):
        """Find an atom by its ID.

        @param atom_to_find: the atom ID (ushort) to find

        @returns an _RTL_ATOM_TABLE_ENTRY object
        """

        # Use the cached results if they exist
        if self.atom_cache:
            return self.atom_cache.get(atom_to_find.v(), None)

        # Build the atom cache
        self.atom_cache = dict(
                (atom.Atom.v(), atom) for atom in self.atoms())

        return self.atom_cache.get(atom_to_find.v(), None)

class _RTL_ATOM_TABLE_ENTRY(obj.CType):
    """A class for atom table entries"""

    @property
    def Pinned(self):
        """Returns True if the atom is pinned"""
        return self.Flags == 1

    def is_string_atom(self):
        """Returns True if the atom is a string atom
        based on its atom ID.
        A string atom has ID 0xC000 - 0xFFFF
        """
        return self.Atom >= 0xC000 and self.Atom <= 0xFFFF

    def is_valid(self):
        """Perform some sanity checks on the Atom"""
        if not obj.CType.is_valid(self):
            return False
        # There is only one flag (and zero)
        if self.Flags not in (0, 1):
            return False
        # There is a maximum name length enforced
        return self.NameLength <= 255

#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------

class Win32KCoreClasses(obj.ProfileModification):
    """Apply the core object classes"""

    before = ["WindowsObjectClasses"]

    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        profile.object_classes.update({
            'tagWINDOWSTATION': tagWINDOWSTATION,
            'tagDESKTOP': tagDESKTOP,
            '_RTL_ATOM_TABLE': _RTL_ATOM_TABLE,
            '_RTL_ATOM_TABLE_ENTRY': _RTL_ATOM_TABLE_ENTRY,
            'tagTHREADINFO': tagTHREADINFO,
            'tagHOOK': tagHOOK,
            '_LARGE_UNICODE_STRING': windows._UNICODE_STRING, #pylint: disable-msg=W0212
            'tagWND': tagWND,
            '_MM_SESSION_SPACE': _MM_SESSION_SPACE,
            'tagSHAREDINFO': tagSHAREDINFO,
            '_HANDLEENTRY': _HANDLEENTRY,
            'tagEVENTHOOK': tagEVENTHOOK,
            'tagRECT': tagRECT,
            'tagCLIPDATA': tagCLIPDATA,
            })

class Win32KGahtiVType(obj.ProfileModification):
    """Apply a vtype for win32k!gahti.
    Adjust the number of handles according to the OS version"""

    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):

        version = (profile.metadata.get('major', 0),
                   profile.metadata.get('minor', 0))

        ## Windows 7 and above
        if version >= (6, 1):
            num_handles = len(consts.HANDLE_TYPE_ENUM_SEVEN)
        else:
            num_handles = len(consts.HANDLE_TYPE_ENUM)

        profile.vtypes.update({
            'gahti' : [ None, {
                'types': [ 0, ['array', num_handles, ['tagHANDLETYPEINFO']]],
            }]})

class AtomTablex86Overlay(obj.ProfileModification):
    """Apply the atom table overlays for all x86 Windows"""

    before = ["WindowsVTypes"]

    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit'}

    def modification(self, profile):
        # The type we want to use is not the same as the one already defined
        # see http://code.google.com/p/volatility/issues/detail?id=131
        profile.merge_overlay({
            '_RTL_ATOM_TABLE': [ None, {
                'Signature': [ 0x0, ['unsigned long']],
                'NumBuckets': [ 0xC, ['unsigned long']],
                'Buckets': [ 0x10, ['array', lambda x : x.NumBuckets,
                    ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]],
                }],
            '_RTL_ATOM_TABLE_ENTRY': [ None, {
                'Name': [ None, ['String', dict(encoding = 'utf16',
                    length = lambda x : x.NameLength * 2)]],
                }]})

class AtomTablex64Overlay(obj.ProfileModification):
    """Apply the atom table overlays for all x64 Windows"""

    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit'}

    def modification(self, profile):
        # The type we want to use is not the same as the one already defined
        # see http://code.google.com/p/volatility/issues/detail?id=131
        profile.merge_overlay({
            '_RTL_ATOM_TABLE': [ None, {
                'Signature': [ 0, ['unsigned long']],
                'NumBuckets': [ 0x18, ['unsigned long']],
                'Buckets': [ 0x20, ['array', lambda x : x.NumBuckets,
                    ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]],
                }],
            '_RTL_ATOM_TABLE_ENTRY': [ None, {
                'Name': [ None, ['String', dict(encoding = 'utf16',
                    length = lambda x : x.NameLength * 2)]],
                }]})

class XP2003x86TimerVType(obj.ProfileModification):
    """Apply the tagTIMER for XP and 2003 x86"""

    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x < 6}

    def modification(self, profile):
        # http://doxygen.reactos.org/d5/dd0/timer_8h_source.html#l00019
        profile.vtypes.update({
            'tagTIMER' : [ None, {
                'head' : [ 0x00, ['_HEAD']],
                'ListEntry' : [ 0x08, ['_LIST_ENTRY']],
                'pti' : [ 0x10, ['pointer', ['tagTHREADINFO']]],
                'spwnd' : [ 0x14, ['pointer', ['tagWND']]],
                'nID' : [ 0x18, ['unsigned short']],
                'cmsCountdown' : [ 0x1C, ['unsigned int']],
                'cmsRate' : [ 0x20, ['unsigned int']],
                'flags' : [ 0x24, ['Flags', {'bitmap': consts.TIMER_FLAGS}]],
                'pfn' : [ 0x28, ['pointer', ['void']]],
                }]})

class XP2003x64TimerVType(obj.ProfileModification):
    """Apply the tagTIMER for XP and 2003 x64"""

    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x: x < 6}

    def modification(self, profile):
        profile.vtypes.update({
            # http://doxygen.reactos.org/d5/dd0/timer_8h_source.html#l00019
            'tagTIMER' : [ None, {
                'head' : [ 0x00, ['_HEAD']],
                'ListEntry' : [ 0x18, ['_LIST_ENTRY']],
                'spwnd' : [ 0x28, ['pointer', ['tagWND']]],
                'pti' : [ 0x20, ['pointer', ['tagTHREADINFO']]],
                'nID' : [ 0x30, ['unsigned short']],
                'cmsCountdown' : [ 0x38, ['unsigned int']],
                'cmsRate' : [ 0x3C, ['unsigned int']],
                'flags' : [ 0x40, ['Flags', {'bitmap': consts.TIMER_FLAGS}]],
                'pfn' : [ 0x48, ['pointer', ['void']]],
                }]})

class Win32Kx86VTypes(obj.ProfileModification):
    """Applies to all x86 windows profiles.

    These are vtypes not included in win32k.sys PDB.
    """

    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit'}

    def modification(self, profile):
        profile.vtypes.update({
            'tagWIN32HEAP': [ None, {
                'Heap': [ 0, ['_HEAP']],
                }],
            'tagCLIPDATA' : [ None, {
                'cbData' : [ 0x08, ['unsigned int']],
                'abData' : [ 0x0C, ['array', lambda x: x.cbData, ['unsigned char']]],
                }],
            '_IMAGE_ENTRY_IN_SESSION': [ None, {
                'Link': [ 0, ['_LIST_ENTRY']],
                'Address': [ 8, ['pointer', ['address']]],
                'LastAddress': [ 12, ['pointer', ['address']]],
                # This is optional and usually supplied as null
                'DataTableEntry': [ 24, ['pointer', ['_LDR_DATA_TABLE_ENTRY']]],
                }],
            'tagEVENTHOOK' : [ 0x30, {
                'phkNext' : [ 0xC, ['pointer', ['tagEVENTHOOK']]],
                'eventMin' : [ 0x10, ['Enumeration', dict(target = 'unsigned long', choices = consts.EVENT_ID_ENUM)]],
                'eventMax' : [ 0x14, ['Enumeration', dict(target = 'unsigned long', choices = consts.EVENT_ID_ENUM)]],
                'dwFlags' : [ 0x18, ['unsigned long']],
                'idProcess' : [ 0x1C, ['unsigned long']],
                'idThread' : [ 0x20, ['unsigned long']],
                'offPfn' : [ 0x24, ['unsigned long']],
                'ihmod' : [ 0x28, ['long']],
                }],
            'tagHANDLETYPEINFO' : [ 12, {
                'fnDestroy' : [ 0, ['pointer', ['void']]],
                'dwAllocTag' : [ 4, ['String', dict(length = 4)]],
                'bObjectCreateFlags' : [ 8, ['Flags', {'target': 'unsigned char', 'bitmap': {
                    'OCF_THREADOWNED': 0,
                    'OCF_PROCESSOWNED': 1,
                    'OCF_MARKPROCESS': 2,
                    'OCF_USEPOOLQUOTA': 3,
                    'OCF_DESKTOPHEAP': 4,
                    'OCF_USEPOOLIFNODESKTOP': 5,
                    'OCF_SHAREDHEAP': 6,
                    'OCF_VARIABLESIZE': 7}}]],
                }],
            })

class Win32Kx64VTypes(obj.ProfileModification):
    """Applies to all x64 windows profiles.

    These are vtypes not included in win32k.sys PDB.
    """

    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit'}

    def modification(self, profile):
        # Autogen'd vtypes from win32k.sys do not contain these
        profile.vtypes.update({
            'tagWIN32HEAP': [ None, {
                'Heap': [ 0, ['_HEAP']],
                }],
            '_IMAGE_ENTRY_IN_SESSION': [ None, {
                'Link': [ 0, ['_LIST_ENTRY']],
                'Address': [ 0x10, ['pointer', ['void']]],
                'LastAddress': [ 0x18, ['pointer', ['address']]],
                # This is optional and usually supplied as null
                'DataTableEntry': [ 0x20, ['pointer', ['_LDR_DATA_TABLE_ENTRY']]], #??
                }],
            'tagCLIPDATA' : [ None, {
                'cbData' : [ 0x10, ['unsigned int']],
                'abData' : [ 0x14, ['array', lambda x: x.cbData, ['unsigned char']]],
                }],
            'tagEVENTHOOK' : [ None, {
                'phkNext' : [ 0x18, ['pointer', ['tagEVENTHOOK']]],
                'eventMin' : [ 0x20, ['Enumeration', dict(target = 'unsigned long', choices = consts.EVENT_ID_ENUM)]],
                'eventMax' : [ 0x24, ['Enumeration', dict(target = 'unsigned long', choices = consts.EVENT_ID_ENUM)]],
                'dwFlags' : [ 0x28, ['unsigned long']],
                'idProcess' : [ 0x2C, ['unsigned long']],
                'idThread' : [ 0x30, ['unsigned long']],
                'offPfn' : [ 0x40, ['unsigned long long']],
                'ihmod' : [ 0x48, ['long']],
                }],
            'tagHANDLETYPEINFO' : [ 16, {
                'fnDestroy' : [ 0, ['pointer', ['void']]],
                'dwAllocTag' : [ 8, ['String', dict(length = 4)]],
                'bObjectCreateFlags' : [ 12, ['Flags', {'target': 'unsigned char', 'bitmap': {
                    'OCF_THREADOWNED': 0,
                    'OCF_PROCESSOWNED': 1,
                    'OCF_MARKPROCESS': 2,
                    'OCF_USEPOOLQUOTA': 3,
                    'OCF_DESKTOPHEAP': 4,
                    'OCF_USEPOOLIFNODESKTOP': 5,
                    'OCF_SHAREDHEAP': 6,
                    'OCF_VARIABLESIZE': 7}}]],
                }],
            })

class XPx86SessionOverlay(obj.ProfileModification):
    """Apply the ResidentProcessCount overlay for x86 XP session spaces"""

    ## This just ensures we have an _MM_SESSION_SPACE to overlay
    before = ["WindowsOverlay"]

    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 1}

    def modification(self, profile):
        # This field appears in the auto-generated vtypes
        # for all OS except XP
        profile.merge_overlay({
            '_MM_SESSION_SPACE': [ None, {
                'ResidentProcessCount': [ 0x248, ['long']], # nt!MiDereferenceSession
            }]})

volatility-2.3.1/volatility/plugins/gui/windows.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

import volatility.plugins.gui.messagehooks as messagehooks

class WinTree(messagehooks.MessageHooks):
    """Print Z-Order Desktop Windows Tree"""

    def render_text(self, outfd, data):

        for winsta, atom_tables in data:
            for desktop in winsta.desktops():

                outfd.write("*" * 50 + "\n")
                outfd.write("Window context: {0}\\{1}\\{2}\n\n".format(
                    winsta.dwSessionId, winsta.Name, desktop.Name))

                for wnd, level in desktop.windows(desktop.DeskInfo.spwnd):
                    outfd.write("{0}{1} {2} {3}:{4} {5}\n".format(
                            "."
                            * level,
                            str(wnd.strName or '') or "#{0:x}".format(wnd.head.h),
                            "(visible)" if wnd.Visible else "",
                            wnd.Process.ImageFileName,
                            wnd.Process.UniqueProcessId,
                            self.translate_atom(winsta, atom_tables, wnd.ClassAtom),
                            ))

class Windows(messagehooks.MessageHooks):
    """Print Desktop Windows (verbose details)"""

    def render_text(self, outfd, data):

        for winsta, atom_tables in data:
            for desktop in winsta.desktops():

                outfd.write("*" * 50 + "\n")
                outfd.write("Window context: {0}\\{1}\\{2}\n\n".format(
                    winsta.dwSessionId, winsta.Name, desktop.Name))

                for wnd, _level in desktop.windows(desktop.DeskInfo.spwnd):

                    outfd.write("Window Handle: #{0:x} at {1:#x}, Name: {2}\n".format(
                        wnd.head.h, wnd.obj_offset, str(wnd.strName or '')
                        ))
                    outfd.write("ClassAtom: {0:#x}, Class: {1}\n".format(
                        wnd.ClassAtom,
                        self.translate_atom(winsta, atom_tables, wnd.ClassAtom),
                        ))
                    outfd.write("SuperClassAtom: {0:#x}, SuperClass: {1}\n".format(
                        wnd.SuperClassAtom,
                        self.translate_atom(winsta, atom_tables, wnd.SuperClassAtom),
                        ))
                    outfd.write("pti: {0:#x}, Tid: {1} at {2:#x}\n".format(
                        wnd.head.pti.v(),
                        wnd.Thread.Cid.UniqueThread,
                        wnd.Thread.obj_offset,
                        ))
                    outfd.write("ppi: {0:#x}, Process: {1}, Pid: {2}\n".format(
                        wnd.head.pti.ppi.v(),
                        wnd.Process.ImageFileName,
                        wnd.Process.UniqueProcessId,
                        ))
                    outfd.write("Visible: {0}\n".format("Yes" if wnd.Visible else "No"))
                    # Arguments are passed in the same order as the labels
                    outfd.write("Left: {0}, Top: {1}, Bottom: {2}, Right: {3}\n".format(
                        wnd.rcClient.left, wnd.rcClient.top, wnd.rcClient.bottom, wnd.rcClient.right
                        ))
                    outfd.write("Style Flags: {0}\n".format(wnd.style))
                    outfd.write("ExStyle Flags: {0}\n".format(wnd.ExStyle))
                    outfd.write("Window procedure: {0:#x}\n".format(
                        wnd.lpfnWndProc,
                        ))
                    outfd.write("\n")

volatility-2.3.1/volatility/plugins/gui/desktops.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

import volatility.plugins.gui.windowstations as windowstations

class DeskScan(windowstations.WndScan):
    """Poolscanner for tagDESKTOP (desktops)"""

    def render_text(self, outfd, data):

        seen = []

        for window_station in data:
            for desktop in window_station.desktops():

                offset = desktop.PhysicalAddress
                if offset in seen:
                    continue
                seen.append(offset)

                outfd.write("*" * 50 + "\n")
                outfd.write("Desktop: {0:#x}, Name: {1}\\{2}, Next: {3:#x}\n".format(
                    offset,
                    desktop.WindowStation.Name,
                    desktop.Name,
                    desktop.rpdeskNext.v(),
                    ))
                outfd.write("SessionId: {0}, DesktopInfo: {1:#x}, fsHooks: {2}\n".format(
                    desktop.dwSessionId,
                    desktop.pDeskInfo.v(),
                    desktop.DeskInfo.fsHooks,
                    ))
                outfd.write("spwnd: {0:#x}, Windows: {1}\n".format(
                    desktop.DeskInfo.spwnd,
                    len(list(desktop.windows(desktop.DeskInfo.spwnd)))
                    ))
                outfd.write("Heap: {0:#x}, Size: {1:#x}, Base: {2:#x}, Limit: {3:#x}\n".format(
                    desktop.pheapDesktop.v(),
                    desktop.DeskInfo.pvDesktopLimit - desktop.DeskInfo.pvDesktopBase,
                    desktop.DeskInfo.pvDesktopBase,
                    desktop.DeskInfo.pvDesktopLimit,
                    ))
                ## This is disabled until we bring in the heaps plugin
                #if self._config.VERBOSE:
                #    granularity = desktop.obj_vm.profile.get_obj_size("_HEAP_ENTRY")
                #    for entry in desktop.heaps():
                #        outfd.write(" Alloc: {0:#x}, Size: {1:#x} Previous: {2:#x}\n".format(
                #            entry.obj_offset + granularity,
                #            entry.Size,
                #            entry.PreviousSize,
                #            ))
                for thrd in desktop.threads():
                    outfd.write(" {0} ({1} {2} parent {3})\n".format(
                        thrd.pEThread.Cid.UniqueThread,
                        thrd.ppi.Process.ImageFileName,
                        thrd.ppi.Process.UniqueProcessId,
                        thrd.ppi.Process.InheritedFromUniqueProcessId,
                        ))

volatility-2.3.1/volatility/plugins/gui/gahti.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

import volatility.utils as utils
import volatility.plugins.gui.constants as consts
import volatility.plugins.gui.sessions as sessions

class Gahti(sessions.Sessions):
    """Dump the USER handle type information"""

    def render_text(self, outfd, data):

        profile = utils.load_as(self._config).profile

        # Get the OS version being analyzed
        version = (profile.metadata.get('major', 0),
                   profile.metadata.get('minor', 0))

        # Choose which USER handle enum to use
        if version >= (6, 1):
            handle_types = consts.HANDLE_TYPE_ENUM_SEVEN
        else:
            handle_types = consts.HANDLE_TYPE_ENUM

        self.table_header(outfd,
                          [("Session", "8"),
                           ("Type", "20"),
                           ("Tag", "8"),
                           ("fnDestroy", "[addrpad]"),
                           ("Flags", ""),
                          ])

        for session in data:
            gahti = session.find_gahti()
            if gahti:
                for i, h in handle_types.items():
                    self.table_row(outfd,
                                   session.SessionId,
                                   h,
                                   gahti.types[i].dwAllocTag,
                                   gahti.types[i].fnDestroy,
                                   gahti.types[i].bObjectCreateFlags)

volatility-2.3.1/volatility/plugins/getsids.py

# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
#
# Additional Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#
#
# Based heavily upon the getsids plugin by Moyix
# http://kurtz.cs.wesleyan.edu/%7Ebdolangavitt/memory/getsids.py

"""
@author: AAron Walters and Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: awalters@4tphi.net,bdolangavitt@wesleyan.edu
@organization: Volatility Foundation
"""

import volatility.plugins.taskmods as taskmods
import re

def find_sid_re(sid_string, sid_re_list):
    for reg, name in sid_re_list:
        if reg.search(sid_string):
            return name

well_known_sid_re = [
    (re.compile(r'S-1-5-[0-9-]+-500'), 'Administrator'),
    (re.compile(r'S-1-5-[0-9-]+-501'), 'Guest'),
    (re.compile(r'S-1-5-[0-9-]+-502'), 'KRBTGT'),
    (re.compile(r'S-1-5-[0-9-]+-512'), 'Domain Admins'),
    (re.compile(r'S-1-5-[0-9-]+-513'), 'Domain Users'),
    (re.compile(r'S-1-5-[0-9-]+-514'), 'Domain Guests'),
    (re.compile(r'S-1-5-[0-9-]+-515'), 'Domain Computers'),
    (re.compile(r'S-1-5-[0-9-]+-516'), 'Domain Controllers'),
    (re.compile(r'S-1-5-[0-9-]+-517'), 'Cert Publishers'),
    (re.compile(r'S-1-5-[0-9-]+-520'), 'Group Policy Creator Owners'),
    (re.compile(r'S-1-5-[0-9-]+-533'), 'RAS and IAS Servers'),
    (re.compile(r'S-1-5-5-[0-9]+-[0-9]+'), 'Logon Session'),
    (re.compile(r'S-1-5-21-[0-9-]+-518'), 'Schema Admins'),
    (re.compile(r'S-1-5-21-[0-9-]+-519'), 'Enterprise Admins'),
    (re.compile(r'S-1-5-21-[0-9-]+-553'), 'RAS Servers'),
]

well_known_sids = {
    'S-1-0': 'Null Authority',
    'S-1-0-0': 'Nobody',
    'S-1-1': 'World Authority',
    'S-1-1-0': 'Everyone',
    'S-1-2': 'Local Authority',
    'S-1-2-0': 'Local (Users with the ability to log in locally)',
    'S-1-2-1': 'Console Logon (Users who are logged onto the physical console)',
    'S-1-3': 'Creator Authority',
    'S-1-3-0': 'Creator Owner',
    'S-1-3-1': 'Creator Group',
    'S-1-3-2': 'Creator Owner Server',
    'S-1-3-3': 'Creator Group Server',
    'S-1-3-4': 'Owner Rights',
    'S-1-4': 'Non-unique Authority',
    'S-1-5': 'NT Authority',
    'S-1-5-1': 'Dialup',
    'S-1-5-2': 'Network',
    'S-1-5-3': 'Batch',
    'S-1-5-4': 'Interactive',
    'S-1-5-6': 'Service',
    'S-1-5-7': 'Anonymous',
    'S-1-5-8': 'Proxy',
    'S-1-5-9': 'Enterprise Domain Controllers',
    'S-1-5-10': 'Principal Self',
    'S-1-5-11': 'Authenticated Users',
    'S-1-5-12': 'Restricted Code',
    'S-1-5-13': 'Terminal Server Users',
    'S-1-5-14': 'Remote Interactive Logon',
    'S-1-5-15': 'This Organization',
    'S-1-5-17': 'This Organization (Used by the default IIS user)',
    'S-1-5-18': 'Local System',
    'S-1-5-19': 'NT Authority',
    'S-1-5-20': 'NT Authority',
    'S-1-5-32-544': 'Administrators',
    'S-1-5-32-545': 'Users',
    'S-1-5-32-546': 'Guests',
    'S-1-5-32-547': 'Power Users',
    'S-1-5-32-548': 'Account Operators',
    'S-1-5-32-549': 'Server Operators',
    'S-1-5-32-550': 'Print Operators',
    'S-1-5-32-551': 'Backup Operators',
    'S-1-5-32-552': 'Replicators',
    'S-1-5-32-554': 'BUILTIN\Pre-Windows 2000 Compatible Access',
    'S-1-5-32-555': 'BUILTIN\Remote Desktop Users',
    'S-1-5-32-556': 'BUILTIN\Network Configuration Operators',
    'S-1-5-32-557': 'BUILTIN\Incoming Forest Trust Builders',
    'S-1-5-32-558': 'BUILTIN\Performance Monitor Users',
    'S-1-5-32-559': 'BUILTIN\Performance Log Users',
    'S-1-5-32-560': 'BUILTIN\Windows Authorization Access Group',
    'S-1-5-32-561': 'BUILTIN\Terminal Server License Servers',
    'S-1-5-32-562': 'BUILTIN\Distributed COM Users',
    'S-1-5-32-568': 'BUILTIN\IIS IUSRS',
    'S-1-5-32-569': 'Cryptographic Operators',
    'S-1-5-32-573': 'BUILTIN\Event Log Readers',
    'S-1-5-32-574': 'BUILTIN\Certificate Service DCOM Access',
    'S-1-5-33': 'Write Restricted',
    'S-1-5-64-10': 'NTLM Authentication',
    'S-1-5-64-14': 'SChannel Authentication',
    'S-1-5-64-21': 'Digest Authentication',
    'S-1-5-80': 'NT Service',
    'S-1-5-86-1544737700-199408000-2549878335-3519669259-381336952': 'WMI (Local Service)',
    'S-1-5-86-615999462-62705297-2911207457-59056572-3668589837': 'WMI (Network Service)',
    'S-1-5-1000': 'Other Organization',
    'S-1-16-0': 'Untrusted Mandatory Level',
    'S-1-16-4096': 'Low Mandatory Level',
    'S-1-16-8192': 'Medium Mandatory Level',
    'S-1-16-8448': 'Medium Plus Mandatory Level',
    'S-1-16-12288': 'High Mandatory Level',
    'S-1-16-16384': 'System Mandatory Level',
    'S-1-16-20480': 'Protected Process Mandatory Level',
    'S-1-16-28672': 'Secure Process Mandatory Level',
}

class GetSIDs(taskmods.DllList):
    """Print the SIDs owning each process"""

    # Declare meta information associated with this plugin

    meta_info = {}
    meta_info['author'] = 'Brendan Dolan-Gavitt'
    meta_info['copyright'] = 'Copyright (c) 2007,2008 Brendan Dolan-Gavitt'
    meta_info['contact'] = 'bdolangavitt@wesleyan.edu'
    meta_info['license'] = 'GNU General Public License 2.0'
    meta_info['url'] = 'http://moyix.blogspot.com/'
    meta_info['os'] = 'WIN_32_XP_SP2'
    meta_info['version'] = '1.0'

    def render_text(self, outfd, data):
        """Renders the sids as text"""
        for task in data:
            token = task.get_token()

            if not token:
                outfd.write("{0} ({1}): Token unreadable\n".format(task.ImageFileName, int(task.UniqueProcessId)))
                continue

            for sid_string in token.get_sids():
                if sid_string in well_known_sids:
                    sid_name = " ({0})".format(well_known_sids[sid_string])
                else:
                    sid_name_re = find_sid_re(sid_string, well_known_sid_re)
                    if sid_name_re:
                        sid_name = " ({0})".format(sid_name_re)
                    else:
                        sid_name = ""

                outfd.write("{0} ({1}): {2}{3}\n".format(task.ImageFileName, task.UniqueProcessId, sid_string, sid_name))

volatility-2.3.1/volatility/plugins/raw2dmp.py

# Volatility
# Copyright (C) 2009-2013 Volatility Foundation
# Copyright (C) Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import os
import volatility.obj as obj
import volatility.utils as utils
import volatility.addrspace as addrspace
import volatility.plugins.imagecopy as imagecopy

class Raw2dmp(imagecopy.ImageCopy):
    """Converts a physical memory sample to a windbg crash dump"""

    def calculate(self):
        blocksize = self._config.BLOCKSIZE
        self._config.WRITE = True
        pspace = utils.load_as(self._config, astype = 'physical')
        vspace = utils.load_as(self._config)

        memory_model = pspace.profile.metadata.get('memory_model', '32bit')

        if memory_model == "64bit":
            header_format = '_DMP_HEADER64'
        else:
            header_format = '_DMP_HEADER'

        headerlen = pspace.profile.get_obj_size(header_format)
        headerspace = addrspace.BufferAddressSpace(self._config, 0, "PAGE" * (headerlen / 4))
        header = obj.Object(header_format, offset = 0, vm = headerspace)

        kuser = obj.Object("_KUSER_SHARED_DATA",
                           offset = obj.VolMagic(vspace).KUSER_SHARED_DATA.v(),
                           vm = vspace)
        kdbg = obj.Object("_KDDEBUGGER_DATA64",
                          offset = obj.VolMagic(vspace).KDBG.v(),
                          vm = vspace)

        # Scanning the memory region near KDDEBUGGER_DATA64 for
        # DBGKD_GET_VERSION64
        dbgkd = kdbg.dbgkd_version64()

        # Set the correct file magic
        for i in range(len("PAGE")):
            header.Signature[i] = [ ord(x) for x in "PAGE"][i]

        # Write the KeDebuggerDataBlock and ValidDump headers
        dumptext = "DUMP"
        header.KdDebuggerDataBlock = kdbg.obj_offset
        if memory_model == "64bit":
            dumptext = "DU64"
            header.KdDebuggerDataBlock = kdbg.obj_offset | 0xFFFF000000000000
        for i in range(len(dumptext)):
            header.ValidDump[i] = ord(dumptext[i])

        # The PaeEnabled member is essential for x86 crash files
        if memory_model == "32bit":
            if hasattr(vspace, "pae") and vspace.pae == True:
                header.PaeEnabled = 0x1
            else:
                header.PaeEnabled = 0x0

        # Set members of the crash header
        header.MajorVersion = dbgkd.MajorVersion
        header.MinorVersion = dbgkd.MinorVersion
        header.DirectoryTableBase = vspace.dtb
        header.PfnDataBase = kdbg.MmPfnDatabase
        header.PsLoadedModuleList = kdbg.PsLoadedModuleList
        header.PsActiveProcessHead = kdbg.PsActiveProcessHead
        header.MachineImageType = dbgkd.MachineType

        # Find the number of processors
        header.NumberProcessors = len(list(kdbg.kpcrs()))

        # In MS crash dumps, SystemTime will not be set. It will
        # represent the "Debug session time:". We are
        # using the member to represent the time the sample was
        # collected.
        header.SystemTime = kuser.SystemTime.as_windows_timestamp()

        # Zero out the BugCheck members
        header.BugCheckCode = 0x00000000
        header.BugCheckCodeParameter[0] = 0x00000000
        header.BugCheckCodeParameter[1] = 0x00000000
        header.BugCheckCodeParameter[2] = 0x00000000
        header.BugCheckCodeParameter[3] = 0x00000000

        # Set the sample run information. We used to take the sum of the size
        # of all runs, but that assumed the base layer was raw. In the case
        # of base layers such as ELF64 core dump or any other run-based address
        # space that may have holes for device memory, that would fail because
        # any runs after the first hole would then be at the wrong offset.
        last_run = list(pspace.get_available_addresses())[-1]
        num_pages = (last_run[0] + last_run[1]) / 0x1000
        header.PhysicalMemoryBlockBuffer.NumberOfRuns = 0x00000001
        header.PhysicalMemoryBlockBuffer.NumberOfPages = num_pages
        header.PhysicalMemoryBlockBuffer.Run[0].BasePage = 0x0000000000000000
        header.PhysicalMemoryBlockBuffer.Run[0].PageCount = num_pages
        header.RequiredDumpSpace = (num_pages + 2) * 0x1000

        # Zero out the remaining non-essential fields
        ContextRecordOffset = headerspace.profile.get_obj_offset(header_format, "ContextRecord")
        ExceptionOffset = headerspace.profile.get_obj_offset(header_format, "Exception")
        headerspace.write(ContextRecordOffset, "\x00" * (ExceptionOffset - ContextRecordOffset))

        # Set the "converted" comment
        CommentOffset = headerspace.profile.get_obj_offset(header_format, "Comment")
        headerspace.write(CommentOffset, "File was converted with Volatility" + "\x00")

        # Yield the header
        yield 0, headerspace.read(0, headerlen)

        # Write the main body
        for s, l in pspace.get_available_addresses():
            for i in range(s, s + l, blocksize):
                yield i + headerlen, pspace.read(i, min(blocksize, s + l - i))

        # Reset the config so volatility opens the crash dump
        self._config.LOCATION = "file://" + self._config.OUTPUT_IMAGE

        # Crash virtual space
        crash_vspace = utils.load_as(self._config)

        # The KDBG in the new crash dump
        crash_kdbg = obj.Object("_KDDEBUGGER_DATA64",
                                offset = obj.VolMagic(crash_vspace).KDBG.v(),
                                vm = crash_vspace)

        # The KPCR for the first CPU
        kpcr = list(crash_kdbg.kpcrs())[0]

        # Set the CPU CONTEXT properly for the architecture
        if memory_model == "32bit":
            kpcr.PrcbData.ProcessorState.ContextFrame.SegGs = 0x00
            kpcr.PrcbData.ProcessorState.ContextFrame.SegCs = 0x08
            kpcr.PrcbData.ProcessorState.ContextFrame.SegDs = 0x23
            kpcr.PrcbData.ProcessorState.ContextFrame.SegEs = 0x23
            kpcr.PrcbData.ProcessorState.ContextFrame.SegFs = 0x30
            kpcr.PrcbData.ProcessorState.ContextFrame.SegSs = 0x10
        else:
            kpcr.Prcb.ProcessorState.ContextFrame.SegGs = 0x00
            kpcr.Prcb.ProcessorState.ContextFrame.SegCs = 0x18
            kpcr.Prcb.ProcessorState.ContextFrame.SegDs = 0x2b
            kpcr.Prcb.ProcessorState.ContextFrame.SegEs = 0x2b
            kpcr.Prcb.ProcessorState.ContextFrame.SegFs = 0x53
            kpcr.Prcb.ProcessorState.ContextFrame.SegSs = 0x18

volatility-2.3.1/volatility/plugins/timeliner.py
# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (C) 2011 Jamie Levy (Gleeda)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Jamie Levy (gleeda)
@license: GNU General Public License 2.0
@contact: jamie.levy@gmail.com
@organization: Volatility Foundation
"""

import volatility.plugins.registry.registryapi as registryapi
import volatility.plugins.taskmods as taskmods
import volatility.plugins.registry.shimcache as shimcache
import volatility.plugins.filescan as filescan
import volatility.plugins.sockets as sockets
import volatility.plugins.sockscan as sockscan
import volatility.plugins.modscan as modscan
import volatility.plugins.procdump as procdump
import volatility.plugins.dlldump as dlldump
import volatility.plugins.moddump as moddump
import volatility.plugins.netscan as netscan
import volatility.plugins.evtlogs as evtlogs
import volatility.plugins.userassist as userassist
import volatility.plugins.imageinfo as imageinfo
import volatility.win32.rawreg as rawreg
import volatility.addrspace as addrspace
import volatility.win32.tasks as tasks
import volatility.utils as utils
import volatility.protos as protos
import os, sys
import struct
import volatility.debug as debug
import volatility.obj as obj
import datetime

try:
    from openpyxl.workbook import Workbook
    from openpyxl.writer.excel import ExcelWriter
    from openpyxl.cell import get_column_letter
    has_openpyxl = True
except ImportError:
    has_openpyxl = False

class TimeLiner(dlldump.DLLDump, procdump.ProcExeDump, userassist.UserAssist):
    """ Creates a timeline from various artifacts in memory """

    def __init__(self, config, *args):
        config.remove_option("SAVE-EVT")
        userassist.UserAssist.__init__(self, config, *args)
        config.remove_option("HIVE-OFFSET")
        config.remove_option("KEY")
        dlldump.DLLDump.__init__(self, config, *args)
        config.remove_option("BASE")
        config.remove_option("REGEX")
        config.remove_option("IGNORE-CASE")
        procdump.ProcExeDump.__init__(self, config, *args)
        config.remove_option("DUMP-DIR")
        config.remove_option("OFFSET")
        config.remove_option("PID")
        config.remove_option("UNSAFE")

        config.add_option('HIVE', short_option = 'H',
                          help = 'Gather Timestamps from a Particular Registry Hive', type = 'str')
        config.add_option('USER', short_option = 'U',
                          help = 'Gather Timestamps from a Particular User\'s Hive(s)', type = 'str')
        config.add_option("REGISTRY", short_option = "R", default = False, action = 'store_true',
                          help = 'Adds registry keys/dates to timeline')

    def render_text(self, outfd, data):
        for line in data:
            if line != None:
                outfd.write(line)

    def render_body(self, outfd, data):
        for line in data:
            if line != None:
                outfd.write(line)

    def render_xlsx(self, outfd, data):
        wb = Workbook(optimized_write = True)
        ws = wb.create_sheet()
        ws.title = 'Timeline Output'
        for line in data:
            coldata = line.split("|")
            ws.append(coldata)
        wb.save(filename = self._config.OUTPUT_FILE)

    def calculate(self):
        if self._config.OUTPUT == "xlsx" and not has_openpyxl:
            debug.error("You must install OpenPyxl for xlsx format:\n\thttps://bitbucket.org/ericgazoni/openpyxl/wiki/Home")
        elif self._config.OUTPUT == "xlsx" and not self._config.OUTPUT_FILE:
            debug.error("You must specify an output *.xlsx file!\n\t(Example: --output-file=OUTPUT.xlsx)")

        if (self._config.HIVE or self._config.USER) and not (self._config.REGISTRY):
            debug.error("You must use -R/--registry in conjuction with -H/--hive and/or -U/--user")

        addr_space = utils.load_as(self._config)
        version = (addr_space.profile.metadata.get('major', 0),
                   addr_space.profile.metadata.get('minor', 0))

        pids = {}     #dictionary of process IDs/ImageFileName
        offsets = []  #process offsets

        im = imageinfo.ImageInfo(self._config).get_image_time(addr_space)
        body = False
        if self._config.OUTPUT == "body":
            body = True

        if not body:
            event = "{0}|[END LIVE RESPONSE]\n".format(im['ImageDatetime'])
        else:
            event = "0|[END LIVE RESPONSE]|0|---------------|0|0|0|{0}|{0}|{0}|{0}\n".format(im['ImageDatetime'].v())
        yield event

        # Get EPROCESS
        psscan = filescan.PSScan(self._config).calculate()
        for eprocess in psscan:
            if eprocess.obj_offset not in offsets:
                offsets.append(eprocess.obj_offset)

            if not body:
                line = "{0}|{1}|{2}|{3}|{4}|{5}|0x{6:08x}||\n".format(
                    eprocess.CreateTime or '-1',
                    "[PROCESS]",
                    eprocess.ImageFileName,
                    eprocess.UniqueProcessId,
                    eprocess.InheritedFromUniqueProcessId,
                    eprocess.ExitTime or '',
                    eprocess.obj_offset)
            else:
                line = "0|[PROCESS] {2}/PID: {3}/PPID: {4}/POffset: 0x{5:08x}|0|---------------|0|0|0|{0}|{1}|{0}|{0}\n".format(
                    eprocess.CreateTime.v(),
                    eprocess.ExitTime.v(),
                    eprocess.ImageFileName,
                    eprocess.UniqueProcessId,
                    eprocess.InheritedFromUniqueProcessId,
                    eprocess.obj_offset)
            pids[eprocess.UniqueProcessId.v()] = eprocess.ImageFileName
            yield line

        # Get Sockets and Evtlogs XP/2k3 only
        if addr_space.profile.metadata.get('major', 0) == 5:
            socks = sockets.Sockets(self._config).calculate()
            #socks = sockscan.SockScan(self._config).calculate() # you can use sockscan instead if you uncomment
            for sock in socks:
                la = "{0}:{1}".format(sock.LocalIpAddress, sock.LocalPort)
                if not body:
                    line = "{0}|[SOCKET]|{1}|{2}|Protocol: {3} ({4})|{5:#010x}|||\n".format(
                        sock.CreateTime,
                        sock.Pid,
                        la,
                        sock.Protocol,
                        protos.protos.get(sock.Protocol.v(), "-"),
                        sock.obj_offset)
                else:
                    line = "0|[SOCKET] PID: {1}/LocalIP: {2}/Protocol: {3}({4})/POffset: 0x{5:#010x}|0|---------------|0|0|0|{0}|{0}|{0}|{0}\n".format(
                        sock.CreateTime.v(),
                        sock.Pid,
                        la,
                        sock.Protocol,
                        protos.protos.get(sock.Protocol.v(), "-"),
                        sock.obj_offset)
                yield line

            evt = evtlogs.EvtLogs(self._config)
            stuff = evt.calculate()
            for name, buf in stuff:
                for fields in evt.parse_evt_info(name, buf, rawtime = True):
                    if not body:
                        line = '{0} |[EVT LOG]|{1}|{2}|{3}|{4}|{5}|{6}|{7}\n'.format(
                            fields[0], fields[1], fields[2], fields[3],
                            fields[4], fields[5], fields[6], fields[7])
                    else:
                        line = "0|[EVT LOG] {1}/{2}/{3}/{4}/{5}/{6}/{7}|0|---------------|0|0|0|{0}|{0}|{0}|{0}\n".format(
                            fields[0].v(),fields[1], fields[2], fields[3],
                            fields[4], fields[5], fields[6], fields[7])
                    yield line
        else:
            # Vista+
            nets = netscan.Netscan(self._config).calculate()
            for net_object, proto, laddr, lport, raddr, rport, state in nets:
                conn = "{0}:{1} -> {2}:{3}".format(laddr, lport, raddr, rport)
                if not body:
                    line = "{0}|[NETWORK CONNECTION]|{1}|{2}|{3}|{4}|{5:<#10x}||\n".format(
                        str(net_object.CreateTime or "-1"),
                        net_object.Owner.UniqueProcessId,
                        conn,
                        proto,
                        state,
                        net_object.obj_offset)
                else:
                    line = "0|[NETWORK CONNECTION] {1}/{2}/{3}/{4}/{5:<#10x}|0|---------------|0|0|0|{0}|{0}|{0}|{0}\n".format(
                        net_object.CreateTime.v(),
                        net_object.Owner.UniqueProcessId,
                        conn,
                        proto,
                        state,
                        net_object.obj_offset)
                yield line

        # Get threads
        threads = modscan.ThrdScan(self._config).calculate()
        for thread in threads:
            image = pids.get(thread.Cid.UniqueProcess.v(), "UNKNOWN")
            if not body:
                line = "{0}|[THREAD]|{1}|{2}|{3}|{4}|||\n".format(
                    thread.CreateTime or '-1',
                    image,
                    thread.Cid.UniqueProcess,
                    thread.Cid.UniqueThread,
                    thread.ExitTime or '',
                    )
            else:
                line = "0|[THREAD] {2}/PID: {3}/TID: {4}|0|---------------|0|0|0|{0}|{1}|{0}|{0}\n".format(
                    thread.CreateTime.v(),
                    thread.ExitTime.v(),
                    image,
                    thread.Cid.UniqueProcess,
                    thread.Cid.UniqueThread,
                    )
            yield line

        # now we get to the PE part. All PE's are dumped in case you want to inspect them later

        data = moddump.ModDump(self._config).calculate()

        for addr_space, procs, mod_base, mod_name in data:
            mod_name = str(mod_name or '')
            space = tasks.find_space(addr_space, procs, mod_base)
            if space != None:
                try:
                    header = procdump.ProcExeDump(self._config).get_nt_header(space, mod_base)
                except ValueError, ve:
                    continue
                try:
                    if not body:
                        line = "{0}|[PE Timestamp (module)]|{1}||{2:#010x}|||||\n".format(
                            header.FileHeader.TimeDateStamp or '-1',
                            mod_name,
                            mod_base)
                    else:
                        line = "0|[PE Timestamp (module)] {1}/Base: {2:#010x}|0|---------------|0|0|0|{0}|{0}|{0}|{0}\n".format(
                            header.FileHeader.TimeDateStamp.v(),
                            mod_name,
                            mod_base)
                except ValueError, ve:
                    if not body:
                        line = "-1|[PE Timestamp (module)]|{0}||{1}|||||\n".format(
                            mod_name,
                            mod_base)
                    else:
                        line = "0|[PE Timestamp (module)] {0}/Base: {1:#010x}|0|---------------|0|0|0|0|0|0|0\n".format(
                            mod_name,
                            mod_base)
                yield line

        # get EPROCESS PE timestamps
        # XXX revert back, now in loop
        for o in offsets:
            self._config.update('OFFSET', o)
            data = self.filter_tasks(procdump.ProcExeDump.calculate(self))
            dllskip = False
            for task in data:
                if task.Peb == None or task.Peb.ImageBaseAddress == None:
                    dllskip = True
                    continue
                try:
                    header = procdump.ProcExeDump(self._config).get_nt_header(task.get_process_address_space(), task.Peb.ImageBaseAddress)
                except ValueError, ve:
                    dllskip = True
                    continue
                try:
                    if not body:
                        line = "{0}|[PE Timestamp (exe)]|{1}|{2}|{3}|{4}|0x{5:08x}|||\n".format(
                            header.FileHeader.TimeDateStamp or "-1",
                            task.ImageFileName,
                            task.UniqueProcessId,
                            task.InheritedFromUniqueProcessId,
                            task.Peb.ProcessParameters.CommandLine,
                            o)
                    else:
                        line = "0|[PE Timestamp (exe)] {1}/PID: {2}/PPID: {3}/Command: {4}/POffset: 0x{5:08x}|0|---------------|0|0|0|{0}|{0}|{0}|{0}\n".format(
                            header.FileHeader.TimeDateStamp.v(),
                            task.ImageFileName,
                            task.UniqueProcessId,
                            task.InheritedFromUniqueProcessId,
                            task.Peb.ProcessParameters.CommandLine,
                            o)
                except ValueError, ve:
                    if not body:
                        line = "-1|[PE Timestamp (exe)]|{0}|{1}|{2}|{3}|0x{4:08x}|||\n".format(
                            task.ImageFileName,
                            task.UniqueProcessId,
                            task.InheritedFromUniqueProcessId,
                            task.Peb.ProcessParameters.CommandLine,
                            o)
                    else:
                        line = "0|[PE Timestamp (exe)] {1}/PID: {2}/PPID: {3}/Command: {4}/POffset: 0x{5:08x}|0|---------------|0|0|0|{0}|{0}|{0}|{0}\n".format(
                            0,
                            task.ImageFileName,
                            task.UniqueProcessId,
                            task.InheritedFromUniqueProcessId,
                            task.Peb.ProcessParameters.CommandLine,
                            o)
                yield line

            # Get DLL PE timestamps
            if not dllskip:
                dlls = self.filter_tasks(dlldump.DLLDump.calculate(self))
            else:
                dllskip = False
                dlls = []
            for proc, ps_ad, base, basename in dlls:
                if ps_ad.is_valid_address(base):
                    basename = str(basename or '')
                    if basename == task.ImageFileName:
                        continue
                    try:
                        header = procdump.ProcExeDump(self._config).get_nt_header(ps_ad, base)
                    except ValueError, ve:
                        continue
                    try:
                        if not body:
                            line = "{0}|[PE Timestamp (dll)]|{1}|{2}|{3}|{4}|EPROCESS Offset: 0x{5:08x}|DLL Base: 0x{6:8x}||\n".format(
                                header.FileHeader.TimeDateStamp or '-1',
                                task.ImageFileName,
                                task.UniqueProcessId,
                                task.InheritedFromUniqueProcessId,
                                basename,
                                o,
                                base)
                        else:
                            line = "0|[PE Timestamp (dll)] {4}/Process: {1}/PID: {2}/PPID: {3}/Process POffset: 0x{5:08x}/DLL Base: 0x{6:8x}|0|---------------|0|0|0|{0}|{0}|{0}|{0}\n".format(
                                header.FileHeader.TimeDateStamp.v(),
                                task.ImageFileName,
                                task.UniqueProcessId,
                                task.InheritedFromUniqueProcessId,
                                basename,
                                o,
                                base)
                    except ValueError, ve:
                        if not body:
                            line = "-1|[PE Timestamp (dll)]|{0}|{1}|{2}|{3}|EPROCESS Offset: 0x{4:08x}|DLL Base: 0x{5:8x}||\n".format(
                                task.ImageFileName,
                                task.UniqueProcessId,
                                task.InheritedFromUniqueProcessId,
                                basename,
                                o,
                                base)
                        else:
                            line = "0|[PE Timestamp (dll)] {4}/Process: {1}/PID: {2}/PPID: {3}/Process POffset: 0x{5:08x}/DLL Base: 0x{6:8x}|0|---------------|0|0|0|{0}|{0}|{0}|{0}\n".format(
                                0,
                                task.ImageFileName,
                                task.UniqueProcessId,
                                task.InheritedFromUniqueProcessId,
                                basename,
                                o,
                                base)
                    yield line

        uastuff = userassist.UserAssist.calculate(self)
        for win7, reg, key in uastuff:
            ts = "{0}".format(key.LastWriteTime)
            for v in rawreg.values(key):
                tp, dat = rawreg.value_data(v)
                subname = v.Name
                if tp == 'REG_BINARY':
                    dat_raw = dat
                    try:
                        subname = subname.encode('rot_13')
                    except UnicodeDecodeError:
                        pass
                    if win7:
                        guid = subname.split("\\")[0]
                        if guid in userassist.folder_guids:
                            subname = subname.replace(guid, userassist.folder_guids[guid])
                    bufferas = addrspace.BufferAddressSpace(self._config, data = dat_raw)
                    uadata = obj.Object("_VOLUSER_ASSIST_TYPES", offset = 0, vm = bufferas)
                    ID = "N/A"
                    count = "N/A"
                    fc = "N/A"
                    tf = "N/A"
                    lw = "N/A"
                    if len(dat_raw) < bufferas.profile.get_obj_size('_VOLUSER_ASSIST_TYPES') or uadata == None:
                        continue
                    else:
                        if hasattr(uadata, "ID"):
                            ID = "{0}".format(uadata.ID)
                        if hasattr(uadata, "Count"):
                            count = "{0}".format(uadata.Count)
                        else:
                            count = "{0}".format(uadata.CountStartingAtFive if uadata.CountStartingAtFive < 5 else uadata.CountStartingAtFive - 5)
                        if hasattr(uadata, "FocusCount"):
                            seconds = (uadata.FocusTime + 500) / 1000.0
                            time = datetime.timedelta(seconds = seconds) if seconds > 0 else uadata.FocusTime
                            fc = "{0}".format(uadata.FocusCount)
                            tf = "{0}".format(time)
                        lw = "{0}".format(uadata.LastUpdated)

                    subname = subname.replace("|", "%7c")
                    if not body:
                        line = "{0}|[USER ASSIST]|{1}|{2}|{3}|{4}|{5}|{6}\n".format(lw, reg, subname, ID, count, fc, tf)
                    else:
                        line = "0|[USER ASSIST] Registry: {1}/Value: {2}/ID: {3}/Count: {4}/FocusCount: {5}/TimeFocused: {6}|0|---------------|0|0|0|{0}|{0}|{0}|{0}\n".format(
                            uadata.LastUpdated.v(), reg, subname, ID, count, fc, tf)
                    yield line

        shimdata = shimcache.ShimCache(self._config).calculate()
        for path, lm, lu in shimdata:
            if lu:
                if not body:
                    line = "{0}|[SHIMCACHE]|{1}|Last update: {2}\n".format(lm, path, lu)
                else:
                    line = "0|[SHIMCACHE] {1}|0|---------------|0|0|0|{0}|{2}|{0}|{0}\n".format(
                        lm.v(), path, lu.v())
            else:
                if not body:
                    line = "{0}|[SHIMCACHE]|{1}|Last update: N/A\n".format(lm, path)
                else:
                    line = "0|[SHIMCACHE] {1}|0|---------------|0|0|0|{0}|{0}|{0}|{0}\n".format(
                        lm.v(), path)
            yield line

        if self._config.REGISTRY:
            regapi = registryapi.RegistryApi(self._config)
            regapi.reset_current()
            regdata = regapi.reg_get_all_keys(self._config.HIVE, self._config.USER, reg = True, rawtime = True)

            for lwtime, reg, item in regdata:
                if not body:
                    item = item.replace("|", "%7c")
                    line = "{0:<20}|{1}|{2}\n".format(lwtime, reg, item)
                else:
                    line = "0|[REGISTRY] {1}/{2}|0|---------------|0|0|0|{0}|{0}|{0}|{0}\n".format(
                        lwtime.v(), reg, item)
                yield line

volatility-2.3.1/volatility/plugins/imageinfo.py
# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.win32.tasks as tasks
import volatility.timefmt as timefmt
import volatility.utils as utils
import volatility.debug as debug
import volatility.obj as obj
import volatility.cache as cache
import volatility.registry as registry
import volatility.plugins.kdbgscan as kdbgscan

class ImageInfo(kdbgscan.KDBGScan):
    """ Identify information for the image """
    def render_text(self, outfd, data):
        """Renders the calculated data as text to outfd"""
        for k, v in data:
            outfd.write("{0:>30} : {1}\n".format(k, v))

    @cache.CacheDecorator("tests/imageinfo")
    def calculate(self):
        """Calculates various information about the image"""
        print "Determining profile based on KDBG search...\n"
        profilelist = [ p.__name__ for p in registry.get_plugin_classes(obj.Profile).values() ]

        bestguess = None
        suglist = [ s for s, _ in kdbgscan.KDBGScan.calculate(self)]
        if suglist:
            bestguess = suglist[0]
        suggestion = ", ".join(set(suglist))

        # Set our suggested profile first, then run through the list
        if bestguess in profilelist:
            profilelist = [bestguess] + profilelist
        chosen = 'no profile'

        # Save the original profile
        origprofile = self._config.PROFILE
        # Force user provided profile over others
        profilelist = [origprofile] + profilelist

        for profile in profilelist:
            debug.debug('Trying profile ' + profile)
            self._config.update('PROFILE', profile)
            addr_space = utils.load_as(self._config, astype = 'any')
            if hasattr(addr_space, "dtb"):
                chosen = profile
                break

        if bestguess != chosen:
            if not suggestion:
                suggestion = 'No suggestion'
            suggestion += ' (Instantiated with ' + chosen + ')'

        yield ('Suggested Profile(s)', suggestion)

        tmpas = addr_space
        count = 0
        while tmpas:
            count += 1
            yield ('AS Layer' + str(count), tmpas.__class__.__name__ + " (" + tmpas.name + ")")
            tmpas = tmpas.base

        if not hasattr(addr_space, "pae"):
            yield ('PAE type', "No PAE")
        else:
            yield ('PAE type', "PAE" if addr_space.pae else "No PAE")

        if hasattr(addr_space, "dtb"):
            yield ('DTB', hex(addr_space.dtb))

        volmagic = obj.VolMagic(addr_space)
        if hasattr(addr_space, "dtb"):
            kdbgoffset = volmagic.KDBG.v()
            if kdbgoffset:
                yield ('KDBG', hex(kdbgoffset))
                kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = kdbgoffset, vm = addr_space)
                kpcr_list = list(kdbg.kpcrs())
                yield ('Number of Processors', len(kpcr_list))
                yield ('Image Type (Service Pack)', kdbg.ServicePack)
                for kpcr in kpcr_list:
                    yield ('KPCR for CPU {0}'.format(kpcr.ProcessorBlock.Number), hex(kpcr.obj_offset))

            KUSER_SHARED_DATA = volmagic.KUSER_SHARED_DATA.v()
            if KUSER_SHARED_DATA:
                yield ('KUSER_SHARED_DATA', hex(KUSER_SHARED_DATA))

            data = self.get_image_time(addr_space)

            if data:
                yield ('Image date and time', data['ImageDatetime'])
                yield ('Image local date and time', timefmt.display_datetime(data['ImageDatetime'].as_datetime(), data['ImageTz']))

        # Make sure to reset the profile to its original value to keep the invalidator from blocking the cache
        self._config.update('PROFILE', origprofile)

    def get_image_time(self, addr_space):
        """Get the Image Datetime"""
        result = {}
        KUSER_SHARED_DATA = obj.VolMagic(addr_space).KUSER_SHARED_DATA.v()
        k = obj.Object("_KUSER_SHARED_DATA",
                       offset = KUSER_SHARED_DATA,
                       vm = addr_space)

        if k == None:
            return k
        result['ImageDatetime'] = k.SystemTime
        result['ImageTz'] = timefmt.OffsetTzInfo(-k.TimeZoneBias.as_windows_timestamp() / 10000000)

        return result

volatility-2.3.1/volatility/plugins/addrspaces/
volatility-2.3.1/volatility/plugins/addrspaces/lime.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# Authors:
# attc - atcuno@gmail.com
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj
import volatility.addrspace as addrspace
import volatility.debug as debug

class LimeTypes(obj.ProfileModification):

    def modification(self, profile):

        profile.vtypes.update({
            'lime_header': [ 0x20, {
                'magic': [0x0, ['unsigned int']],
                'version': [0x4, ['unsigned int']],
                'start': [0x8, ['unsigned long long']],
                'end': [0x10, ['unsigned long long']],
                'reserved': [0x18, ['unsigned long long']],
            }],
        })

class LimeAddressSpace(addrspace.AbstractRunBasedMemory):
    """ Address space for Lime """
    order = 2

    def __init__(self, base, config, *args, **kwargs):
        self.as_assert(base, "lime: need base")

        addrspace.AbstractRunBasedMemory.__init__(self, base, config, *args, **kwargs)

        sig = base.read(0, 4)

        ## ARM processors are bi-endian, but little is the default and currently
        ## the only mode we support; unless it becomes a common request.
        if sig == '\x4c\x69\x4d\x45':
            debug.debug("Big-endian ARM not supported, please submit a feature request")

        self.as_assert(sig == '\x45\x4D\x69\x4c', "Invalid Lime header signature")

        self.addr_cache = {}
        self.parse_lime()

    def parse_lime(self):
        self.runs = []

        offset = 0

        header = obj.Object("lime_header", offset = offset, vm = self.base)

        while header.magic.v() == 0x4c694d45:
            #print "new segment at %x end %x size: %d offset %d | %x" % (header.start, header.end, header.end - header.start, offset, offset)

            # Since these values will be used a lot, make sure they aren't reread (ie, no objects in the runs list)
            seg = (int(header.start), offset + self.profile.get_obj_size("lime_header"), header.end - header.start + 1)
            self.runs.append(seg)

            offset = offset + seg[2] + self.profile.get_obj_size("lime_header")
            header = obj.Object("lime_header", offset = offset, vm = self.base)

    def translate(self, addr):
        """Find the offset in the file where a memory address can be found.
        @param addr: a memory address
        """
        firstram = self.runs[0][0]
        if addr < firstram:
            addr = firstram + addr

        return addrspace.AbstractRunBasedMemory.translate(self, addr)

volatility-2.3.1/volatility/plugins/addrspaces/ieee1394.py
# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
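The LiME segment layout that LimeTypes and parse_lime in lime.py rely on, as an added stand-alone Python 3 example (not Volatility code): it walks the 0x20-byte headers of a constructed two-segment image, builds the same (start, file offset, length) runs, and adds truncation checks that parse_lime does not perform. The names build_lime, translate, read_physical and SAMPLE are made up for this example, and it does not reproduce the plugin's rebasing of addresses below the first run.

```python
import struct

# Field order and sizes follow the page's 'lime_header' vtype:
# magic, version, start, end, reserved (0x20 bytes, little-endian).
LIME_HEADER = struct.Struct("<IIQQQ")
LIME_MAGIC = 0x4C694D45  # stored on disk as 45 4D 69 4C


def build_lime(segments):
    """Build a constructed LiME image from (physical_start, payload) pairs."""
    out = bytearray()
    for start, payload in segments:
        end = start + len(payload) - 1  # 'end' is inclusive
        out += LIME_HEADER.pack(LIME_MAGIC, 1, start, end, 0) + payload
    return bytes(out)


def parse_lime(image):
    """Return runs as (physical_start, file_offset, length) tuples.

    Raises ValueError on a bad first signature, a truncated header or
    segment, or an end address below the start address.
    """
    runs = []
    offset = 0
    while offset < len(image):
        if len(image) - offset < LIME_HEADER.size:
            raise ValueError("truncated segment header at %#x" % offset)
        magic, _version, start, end, _reserved = LIME_HEADER.unpack_from(image, offset)
        if magic != LIME_MAGIC:
            if not runs:
                raise ValueError("invalid LiME header signature")
            break  # non-LiME trailing data: stop, as the plugin's loop does
        if end < start:
            raise ValueError("segment at %#x has end < start" % offset)
        length = end - start + 1
        data_offset = offset + LIME_HEADER.size
        if data_offset + length > len(image):
            raise ValueError("segment at %#x runs past end of file" % offset)
        runs.append((start, data_offset, length))
        offset = data_offset + length
    if not runs:
        raise ValueError("no LiME segments found")
    return runs


def translate(runs, addr):
    """Map a physical address to a file offset, or None if it is in a hole."""
    for start, file_offset, length in runs:
        if start <= addr < start + length:
            return file_offset + (addr - start)
    return None


def read_physical(image, runs, addr, length):
    """Read length bytes at physical addr; bytes inside holes come back as zeros."""
    out = bytearray(length)
    for start, file_offset, run_length in runs:
        lo = max(addr, start)
        hi = min(addr + length, start + run_length)
        if lo < hi:
            src = file_offset + (lo - start)
            out[lo - addr:hi - addr] = image[src:src + (hi - lo)]
    return bytes(out)


# Constructed sample: two RAM ranges separated by a hole in physical space.
SAMPLE = build_lime([(0x1000, b"A" * 0x100), (0x100000, b"B" * 0x80)])

if __name__ == "__main__":
    for run in parse_lime(SAMPLE):
        print("start=%#x file_offset=%#x length=%#x" % run)
```

The second run's file offset is not its physical address minus the first run's start: every segment adds another 0x20-byte header, and holes between segments take no space in the file.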
#

import time
import urlparse
import volatility.addrspace as addrspace

# TODO: Remove this once we no longer support old/broken versions of urlparse (2.6.2)
check = urlparse.urlsplit("firewire://method/0")
urlparse_broken = False
if check[1] != 'method':
    urlparse_broken = True

def FirewireRW(netloc, location):
    if netloc in fw_implementations:
        return fw_implementations[netloc](location)
    return None

class FWRaw1394(object):
    def __init__(self, location):
        locarr = location.split('/')
        self.bus = locarr[0]
        self.node = locarr[1]
        self._node = None

    def is_valid(self):
        """Initializes the firewire implementation"""
        self._node = None
        try:
            h = firewire.Host()
            self._node = h[self.bus][self.node]
            return True, "Valid"
        except IndexError:
            return False, "Firewire node " + str(self.node) + " on bus " + str(self.bus) + " was not accessible"
        except IOError, e:
            return False, "Firewire device IO error - " + str(e)
        return False, "Unknown Error occurred"

    def read(self, addr, length):
        """Reads bytes from the specified address"""
        return self._node.read(addr, length)

    def write(self, addr, buf):
        """Writes buf bytes at addr"""
        return self._node.write(addr, buf)

class FWForensic1394(object):
    def __init__(self, location):
        """Initializes the firewire implementation"""
        self.location = location.strip('/')
        self._bus = forensic1394.Bus()
        self._bus.enable_sbp2()
        self._device = None

    def is_valid(self):
        try:
            time.sleep(2)
            devices = self._bus.devices()
            # FIXME: Base the device off the location rather than hardcoded first remote device
            self._device = devices[int(self.location)]
            # Certain Firewire cards misreport their maximum request size, notably Ricoh onboard chipsets
            # Uncomment the line below for such broken hardware
            # self._device._request_size = 1024
            if not self._device.isopen():
                self._device.open()
            # The device requires time to settle before it can be used
            return True, "Valid"
        except IOError, e:
            print repr(e)
            return False, "Forensic1394 returned an exception: " + str(e)
        return False, "Unknown Error occurred"

    def read(self, addr, length):
        """Reads bytes from the specified address"""
        return self._device.read(addr, length)

    def write(self, addr, buf):
        """Writes buf bytes at addr"""
        return self._device.write(addr, buf)

class FirewireAddressSpace(addrspace.BaseAddressSpace):
    """A physical layer address space that provides access via firewire"""

    ## We should be *almost* the AS of last resort
    order = 99
    def __init__(self, base, config, **kargs):
        self.as_assert(base == None, 'Must be first Address Space')
        try:
            (scheme, netloc, path, _, _, _) = urlparse.urlparse(config.LOCATION)
            self.as_assert(scheme == 'firewire', 'Not a firewire URN')
            if urlparse_broken:
                if path.startswith('//') and path[2:].find('/') > 0:
                    firstslash = path[2:].find('/')
                    netloc = path[2:firstslash + 2]
                    path = path[firstslash + 3:]
            self._fwimpl = FirewireRW(netloc, path)
        except (AttributeError, ValueError):
            self.as_assert(False, "Unable to parse {0} as a URL".format(config.LOCATION))
        addrspace.BaseAddressSpace.__init__(self, base, config, **kargs)
        self.as_assert(self._fwimpl is not None, "Unable to locate {0} implementation.".format(netloc))
        valid, reason = self._fwimpl.is_valid()
        self.as_assert(valid, reason)

        # We have a list of exclusions because we know that trying to read anything in these sections
        # will cause the target machine to bluescreen
        # Exceptions are in the form (start, length, "Reason")
        self._exclusions = sorted([(0xa0000, 0xfffff - 0xa0000, "Upper Memory Area")])

        self.name = "Firewire using " + str(netloc) + " at " + str(path)
        # We have no way of knowing how big a firewire space is...
        # Set it to the maximum for the moment
        # TODO: Find a way of determining the size safely and reliably from the space itself
        self.size = 0xFFFFFFFF

    def intervals(self, start, size):
        """Returns a list of intervals, from start of length size, that do not include the exclusions"""
        return self._intervals(sorted(self._exclusions), start, size + start, [])

    def _intervals(self, exclusions, start, end, accumulator):
        """Accepts a sorted list of intervals and a start and end

           This will return a list of intervals between start and end
           that does not contain any of the intervals in the list of exclusions.
        """
        if not len(exclusions):
            # We're done
            return accumulator + [(start, end - start)]

        e = exclusions[0]
        estart = e[0]
        eend = e[1] + estart

        # e and range overlap
        if (eend < start or estart > end):
            # Ignore this exclusion
            return self._intervals(exclusions[1:], start, end, accumulator)

        if estart < start:
            if eend < end:
                # Covers the start of the remaining length
                return self._intervals(exclusions[1:], eend, end, accumulator)
            else:
                # Covers the entire remaining area
                return accumulator
        else:
            if eend < end:
                # Covers a section of the remaining length
                return self._intervals(exclusions[1:], eend, end, accumulator + [(start, estart - start)])
            else:
                # Covers the end of the remaining length
                return accumulator + [(start, estart - start)]

    def read(self, offset, length):
        """Reads a specified size in bytes from the current offset

           Fills any excluded holes with zeros (so in that sense, similar to zread)
        """
        ints = self.intervals(offset, length)
        output = "\x00" * length
        try:
            for i in ints:
                datstart, datlen = i[0], i[1]
                if datlen > 0:
                    # node.read won't work on 0 byte
                    readdata = self._fwimpl.read(datstart, datlen)
                    # I'm not sure why, but sometimes readdata comes out longer than the requested size
                    # We just truncate it to the right length
                    output = output[:datstart - offset] + readdata[:datlen] + output[(datstart - offset) + datlen:]
        except IOError, e:
            print repr(e)
            raise RuntimeError("Failed to read from firewire device")
        self.as_assert(len(output) == length, "Firewire read lengths failed to match")
        return output

    def zread(self, offset, length):
        """ Delegate padded reads to normal read, since errors reading
            the physical address should probably be reported back to the user
        """
        return self.read(offset, length)

    def write(self, offset, data):
        """Writes a specified size in bytes"""
        if not self._config.WRITE:
            return False

        ints = self.intervals(offset, len(data))
        try:
            for i in ints:
                datstart, datlen = i[0], i[1]
                if datlen > 0:
                    self._fwimpl.write(datstart, data[(datstart - offset):(datstart - offset) + datlen])
        except IOError:
            raise RuntimeError("Failed to write to the firewire device")
        return True

    def get_address_range(self):
        """Returns the size of the address range"""
        return [0, self.size - 1]

    def get_available_addresses(self):
        """Returns a list of available addresses"""
        for i in self.intervals(0, self.size):
            yield i

fw_implementations = {}

try:
    import firewire #pylint: disable-msg=F0401
    fw_implementations['raw1394'] = FWRaw1394
except ImportError:
    pass

try:
    import forensic1394 #pylint: disable-msg=F0401
    fw_implementations['forensic1394'] = FWForensic1394
except ImportError:
    pass

if not len(fw_implementations):
    FirewireAddressSpace = None

volatility-2.3.1/volatility/plugins/addrspaces/paged.py

# Volatility
# Copyright (c) 2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

#import fractions
import volatility.addrspace as addrspace
import volatility.obj as obj

class AbstractPagedMemory(addrspace.AbstractVirtualAddressSpace):
    """ Class to handle all the details of a paged virtual address space

    Note: Pages can be of any size
    """
    checkname = "Intel"

    def __init__(self, base, config, dtb = 0, skip_as_check = False, *args, **kwargs):
        ## We must be stacked on someone else:
        self.as_assert(base, "No base Address Space")

        addrspace.AbstractVirtualAddressSpace.__init__(self, base, config, *args, **kwargs)

        ## We can not stack on someone with a dtb
        self.as_assert(not (hasattr(base, 'paging_address_space') and base.paging_address_space), "Can not stack over another paging address space")

        self.dtb = dtb or self.load_dtb()
        # No need to set the base or dtb, it's already been by the inherited class

        self.as_assert(self.dtb != None, "No valid DTB found")

        if not skip_as_check:
            volmag = obj.VolMagic(self)
            if hasattr(volmag, self.checkname):
                self.as_assert(getattr(volmag, self.checkname).v(), "Failed valid Address Space check")
            else:
                self.as_assert(False, "Profile does not have valid Address Space check")

        # Reserved for future use
        #self.pagefile = config.PAGEFILE
        self.name = 'Kernel AS'

    def load_dtb(self):
        """Loads the DTB as quickly as possible from the config, then the base, then searching for it"""
        try:
            # If the user has manually specified one, then shortcircuit to that one
            if self._config.DTB:
                raise AttributeError

            ## Try to be lazy and see if someone else found dtb for
            ## us:
            return self.base.dtb
        except AttributeError:
            ## Ok so we need to find our dtb ourselves:
            dtb = obj.VolMagic(self.base).DTB.v()
            if dtb:
                ## Make sure to save dtb for other AS's
                ## Will this have an effect on following ASes attempts if this fails?
                self.base.dtb = dtb
                return dtb

    def __getstate__(self):
        result = addrspace.BaseAddressSpace.__getstate__(self)
        result['dtb'] = self.dtb

        return result

    @staticmethod
    def register_options(config):
        config.add_option("DTB", type = 'int', default = 0,
                          help = "DTB Address")

    def vtop(self, addr):
        """Abstract function that converts virtual (paged) addresses to physical addresses"""
        pass

    def get_available_pages(self):
        """A generator that returns (addr, size) for each of the virtual addresses present, sorted by offset"""
        pass

    def get_available_allocs(self):
        return self.get_available_pages()

    def get_available_addresses(self):
        """A generator that returns (addr, size) for each valid address block"""
        runLength = None
        currentOffset = None
        for (offset, size) in self.get_available_pages():
            if (runLength == None):
                runLength = size
                currentOffset = offset
            else:
                if (offset <= (currentOffset + runLength)):
                    runLength += (currentOffset + runLength - offset) + size
                else:
                    yield (currentOffset, runLength)
                    runLength = size
                    currentOffset = offset
        if (runLength != None and currentOffset != None):
            yield (currentOffset, runLength)
        raise StopIteration

    def is_valid_address(self, vaddr):
        """Returns whether a virtual address is valid"""
        if vaddr == None or vaddr < 0:
            return False
        try:
            paddr = self.vtop(vaddr)
        except BaseException:
            return False
        if paddr == None:
            return False
        return self.base.is_valid_address(paddr)

class AbstractWritablePagedMemory(AbstractPagedMemory):
    """
    Mixin class that can be used to add write functionality
    to any standard address space that supports write() and
    vtop().
    """
    def write(self, vaddr, buf):
        """Writes the data from buf to the vaddr specified

           Note: writes are not transactional, meaning they can write half the data and then fail"""
        if not self._config.WRITE:
            return False

        if not self.alignment_gcd or not self.minimum_size:
            self.calculate_alloc_stats()

        position = vaddr
        length = len(buf)
        remaining = len(buf)

        # For each allocation...
        while remaining > 0:
            # Determine whether we're within an alloc or not
            # (measured from the current position, so a chunk never runs past the end of its allocation)
            alloc_remaining = (self.alignment_gcd - (position % self.alignment_gcd))
            # Try to jump out early
            paddr = self.translate(position)
            datalen = min(remaining, alloc_remaining)
            if paddr is None:
                return False
            result = self.base.write(paddr, buf[:datalen])
            if not result:
                return False
            buf = buf[datalen:]
            position += datalen
            remaining -= datalen
            assert (vaddr + length == position + remaining), "Address + length != position + remaining (" + hex(vaddr + length) + " != " + hex(position + remaining) + ") in " + self.base.__class__.__name__
        return True

volatility-2.3.1/volatility/plugins/addrspaces/macho.py

# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import struct
import volatility.plugins.addrspaces.standard as standard
import volatility.obj as obj
import volatility.addrspace as addrspace

macho_types = {
    'fat_header': [ 0x8, {
        'magic': [0x0, ['unsigned int']],
        'nfat_arch': [0x4, ['unsigned int']],
    }],
    'fat_arch': [ 0x14, {
        'cputype': [0x0, ['int']],
        'cpusubtype': [0x4, ['int']],
        'offset': [0x8, ['unsigned int']],
        'size': [0xc, ['unsigned int']],
        'align': [0x10, ['unsigned int']],
    }],
    'mach_header_64': [ 0x20, {
        'magic': [0x0, ['unsigned int']],
        'cputype': [0x4, ['int']],
        'cpusubtype': [0x8, ['int']],
        'filetype': [0xc, ['unsigned int']],
        'ncmds': [0x10, ['unsigned int']],
        'sizeofcmds': [0x14, ['unsigned int']],
        'flags': [0x18, ['unsigned int']],
        'reserved': [0x1c, ['unsigned int']],
    }],
    'mach_header': [ 0x1c, {
        'magic': [0x0, ['unsigned int']],
        'cputype': [0x4, ['int']],
        'cpusubtype': [0x8, ['int']],
        'filetype': [0xc, ['unsigned int']],
        'ncmds': [0x10, ['unsigned int']],
        'sizeofcmds': [0x14, ['unsigned int']],
        'flags': [0x18, ['unsigned int']],
    }],
    'symtab_command': [ 0x18, {
        'cmd': [0x0, ['unsigned int']],
        'cmdsize': [0x4, ['unsigned int']],
        'symoff': [0x8, ['unsigned int']],
        'nsyms': [0xc, ['unsigned int']],
        'stroff': [0x10, ['unsigned int']],
        'strsize': [0x14, ['unsigned int']],
    }],
    'load_command': [ 0x8, {
        'cmd': [0x0, ['unsigned int']],
        'cmdsize': [0x4, ['unsigned int']],
    }],
    'segment_command': [ 0x38, {
        'cmd': [0x0, ['unsigned int']],
        'cmdsize': [0x4, ['unsigned int']],
        'segname': [0x8, ['String', dict(length = 16)]],
        'vmaddr': [0x18, ['unsigned int']],
        'vmsize': [0x1c, ['unsigned int']],
        'fileoff': [0x20, ['unsigned int']],
        'filesize': [0x24, ['unsigned int']],
        'maxprot': [0x28, ['int']],
        'initprot': [0x2c, ['int']],
        'nsects': [0x30, ['unsigned int']],
        'flags': [0x34, ['unsigned int']],
    }],
    'segment_command_64': [ 0x48, {
        'cmd': [0x0, ['unsigned int']],
        'cmdsize': [0x4, ['unsigned int']],
        'segname': [0x8, ['String', dict(length = 16)]],
        'vmaddr': [0x18, ['unsigned long long']],
        'vmsize': [0x20, ['unsigned long long']],
        'fileoff': [0x28, ['unsigned long long']],
        'filesize': [0x30, ['unsigned long long']],
        'maxprot': [0x38, ['int']],
        'initprot': [0x3c, ['int']],
        'nsects': [0x40, ['unsigned int']],
        'flags': [0x44, ['unsigned int']],
    }],
    'symtab_command': [ 0x18, {
        'cmd': [0x0, ['unsigned int']],
        'cmdsize': [0x4, ['unsigned int']],
        'symoff': [0x8, ['unsigned int']],
        'nsyms': [0xc, ['unsigned int']],
        'stroff': [0x10, ['unsigned int']],
        'strsize': [0x14, ['unsigned int']],
    }],
    'section_64': [ 0x50, {
        'sectname': [0x0, ['array', 16, ['char']]],
        'segname': [0x10, ['array', 16, ['char']]],
        'addr': [0x20, ['unsigned long long']],
        'size': [0x28, ['unsigned long long']],
        'offset': [0x30, ['unsigned int']],
        'align': [0x34, ['unsigned int']],
        'reloff': [0x38, ['unsigned int']],
        'nreloc': [0x3c, ['unsigned int']],
        'flags': [0x40, ['unsigned int']],
        'reserved1': [0x44, ['unsigned int']],
        'reserved2': [0x48, ['unsigned int']],
        'reserved3': [0x4c, ['unsigned int']],
    }],
    'section': [ 0x44, {
        'sectname': [0x0, ['array', 16, ['char']]],
        'segname': [0x10, ['array', 16, ['char']]],
        'addr': [0x20, ['unsigned int']],
        'size': [0x24, ['unsigned int']],
        'offset': [0x28, ['unsigned int']],
        'align': [0x2c, ['unsigned int']],
        'reloff': [0x30, ['unsigned int']],
        'nreloc': [0x34, ['unsigned int']],
        'flags': [0x38, ['unsigned int']],
        'reserved1': [0x3c, ['unsigned int']],
        'reserved2': [0x40, ['unsigned int']],
    }],
}

class MachoTypes(obj.ProfileModification):
    def modification(self, profile):
        profile.vtypes.update(macho_types)

class MachOAddressSpace(addrspace.AbstractRunBasedMemory):
    """
    Address space for mach-o files to support atc-ny memory reader

    The created mach-o file has a bunch of segments that contain the address of the section and the size
    From there we can translate between incoming address requests to memory contents
    """
    order = 1
    pae = True
    checkname = 'MachOValidAS'

    def __init__(self, base, config, *args, **kwargs):
        self.as_assert(base, "mac: need base")
        addrspace.AbstractRunBasedMemory.__init__(self, base, config, *args, **kwargs)

        sig = base.read(0, 4)

        if sig == '\xce\xfa\xed\xfe':
            self.bits = 32
        elif sig == '\xcf\xfa\xed\xfe':
            self.bits = 64
        else:
            self.as_assert(0, "MachO Header signature invalid")

        self.runs = []
        self.header = None
        self.addr_cache = {}
        self.parse_macho()

    def get_object_name(self, object):
        if self.bits == 64 and object in ["mach_header", "segment_command", "section"]:
            object = object + "_64"

        return object

    def get_available_addresses(self):
        for vmaddr, _, vmsize in self.runs:
            yield vmaddr, vmsize

    def get_header(self):
        return self.header

    def parse_macho(self):
        self.runs = []

        header_name = self.get_object_name("mach_header")
        header_size = self.profile.get_obj_size(header_name)

        self.header = obj.Object(header_name, 0, self.base)
        offset = header_size

        self.segs = []

        for i in xrange(0, self.header.ncmds):
            structname = self.get_object_name("segment_command")
            seg = obj.Object(structname, offset, self.base)
            self.segs.append(seg)
            # Since these values will be used a lot, make sure they aren't reread (ie, no objects in the runs list)
            run = (int(seg.vmaddr), int(seg.fileoff), int(seg.vmsize))
            self.runs.append(run)
            offset = offset + seg.cmdsize

volatility-2.3.1/volatility/plugins/addrspaces/crash.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2005,2006,2007 4tphi Research
#
# Authors:
# {npetroni,awalters}@4tphi.net (Nick Petroni and AAron Walters)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

""" An AS for processing crash dumps """
import struct
import volatility.obj as obj
import volatility.addrspace as addrspace

#pylint: disable-msg=C0111

page_shift = 12

class WindowsCrashDumpSpace32(addrspace.AbstractRunBasedMemory):
    """ This AS supports windows Crash Dump format """
    order = 30
    dumpsig = 'PAGEDUMP'
    headertype = "_DMP_HEADER"
    headerpages = 1

    def __init__(self, base, config, **kwargs):
        ## We must have an AS below us
        self.as_assert(base, "No base Address Space")

        addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)

        ## Must start with the magic PAGEDUMP
        self.as_assert((base.read(0, 8) == self.dumpsig), "Header signature invalid")

        self.as_assert(self.profile.has_type(self.headertype), self.headertype + " not available in profile")
        self.header = obj.Object(self.headertype, 0, base)

        offset = self.headerpages
        for x in self.header.PhysicalMemoryBlockBuffer.Run:
            self.runs.append((x.BasePage.v() * 0x1000,
                              offset * 0x1000,
                              x.PageCount.v() * 0x1000))
            offset += x.PageCount.v()

        self.dtb = self.header.DirectoryTableBase.v()

    def get_header(self):
        return self.header

    def get_base(self):
        return self.base

    def write(self, phys_addr, buf):
        """This is mostly for support of raw2dmp so that
        it can modify the kernel CONTEXT after the crash
        dump has been written to disk"""
        if not self._config.WRITE:
            return False

        file_addr = self.translate(phys_addr)
        if file_addr is None:
            return False

        return self.base.write(file_addr, buf)

    def read_long(self, addr):
        _baseaddr = self.translate(addr)
        string = self.read(addr, 4)
        if not string:
            return obj.NoneObject("Could not read data at " + str(addr))
        (longval,) = struct.unpack('=I', string)
        return longval

    def get_available_addresses(self):
        """ This returns the ranges of valid addresses """
        for run in self.runs:
            yield (run[0], run[2])

    def close(self):
        self.base.close()

class WindowsCrashDumpSpace64(WindowsCrashDumpSpace32):
    """ This AS supports windows Crash Dump format """
    order = 30
    dumpsig = 'PAGEDU64'
    headertype = "_DMP_HEADER64"
    headerpages = 2

volatility-2.3.1/volatility/plugins/addrspaces/hibernate.py

# Volatility
#
# Copyright (c) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

# Code found in WindowsHiberFileSpace32 for parsing meta information
# is inspired by the work of Matthieu Suiche: http://sandman.msuiche.net/.
# A special thanks to Matthieu for all his help integrating
# this code in Volatility.

""" A Hiber file Address Space """
import volatility.addrspace as addrspace
import volatility.obj as obj
import volatility.win32.xpress as xpress
import struct

#pylint: disable-msg=C0111

PAGE_SIZE = 0x1000
page_shift = 12

class Store(object):
    def __init__(self, limit = 50):
        self.limit = limit
        self.cache = {}
        self.seq = []
        self.size = 0

    def put(self, key, item):
        self.cache[key] = item
        self.size += len(item)

        self.seq.append(key)
        if len(self.seq) >= self.limit:
            key = self.seq.pop(0)
            self.size -= len(self.cache[key])
            del self.cache[key]

    def get(self, key):
        return self.cache[key]

class WindowsHiberFileSpace32(addrspace.BaseAddressSpace):
    """ This is a hibernate address space for windows hibernation files.

    In order for us to work we need to:
    1) have a valid baseAddressSpace
    2) the first 4 bytes must be 'hibr' or 'wake'
       otherwise we bruteforce to find self.header.FirstTablePage in
       _get_first_table_page() this occurs with a zeroed PO_MEMORY_IMAGE header
    """
    order = 10

    def __init__(self, base, config, **kwargs):
        self.as_assert(base, "No base Address Space")
        addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)
        self.runs = []
        self.PageDict = {}
        self.HighestPage = 0
        self.PageIndex = 0
        self.AddressList = []
        self.LookupCache = {}
        self.PageCache = Store(50)
        self.MemRangeCnt = 0
        self.entry_count = 0xFF

        # Extract header information
        self.as_assert(self.profile.has_type("PO_MEMORY_IMAGE"), "PO_MEMORY_IMAGE is not available in profile")
        self.header = obj.Object('PO_MEMORY_IMAGE', 0, base)

        ## Is the signature right?
        if self.header.Signature.lower() not in ['hibr', 'wake']:
            self.header = obj.NoneObject("Invalid hibernation header")

        volmag = obj.VolMagic(base)
        self.entry_count = volmag.HibrEntryCount.v()

        PROC_PAGE = volmag.HibrProcPage.v()

        # Check it's definitely a hibernation file
        self.as_assert(self._get_first_table_page() is not None, "No xpress signature found")

        # Extract processor state
        self.ProcState = obj.Object("_KPROCESSOR_STATE", PROC_PAGE * 4096, base)

        ## This is a pointer to the page table - any ASs above us dont
        ## need to search for it.
        self.dtb = self.ProcState.SpecialRegisters.Cr3.v()

        # This is a lengthy process, it was cached, but it may be best to delay this
        # until it's absolutely necessary and/or convert it into a generator...
        self.build_page_cache()

    def _get_first_table_page(self):
        if self.header != None:
            return self.header.FirstTablePage

        for i in range(10):
            if self.base.read(i * PAGE_SIZE, 8) == "\x81\x81xpress":
                return i - 1

        return None

    def build_page_cache(self):
        XpressIndex = 0
        XpressHeader = obj.Object("_IMAGE_XPRESS_HEADER", (self._get_first_table_page() + 1) * 4096, self.base)

        XpressBlockSize = self.get_xpress_block_size(XpressHeader)

        MemoryArrayOffset = self._get_first_table_page() * 4096

        while MemoryArrayOffset:
            MemoryArray = obj.Object('_PO_MEMORY_RANGE_ARRAY', MemoryArrayOffset, self.base)

            EntryCount = MemoryArray.MemArrayLink.EntryCount.v()
            for i in MemoryArray.RangeTable:
                start = i.StartPage.v()
                end = i.EndPage.v()
                LocalPageCnt = end - start

                self.as_assert((LocalPageCnt > 0), "Negative Page Count Range")

                if end > self.HighestPage:
                    self.HighestPage = end

                self.AddressList.append((start * 0x1000, LocalPageCnt * 0x1000))

                for j in range(0, LocalPageCnt):
                    if (XpressIndex and ((XpressIndex % 0x10) == 0)):
                        XpressHeader, XpressBlockSize = \
                            self.next_xpress(XpressHeader, XpressBlockSize)

                    PageNumber = start + j
                    XpressPage = XpressIndex % 0x10
                    if XpressHeader.obj_offset not in self.PageDict:
                        self.PageDict[XpressHeader.obj_offset] = [
                            (PageNumber, XpressBlockSize, XpressPage)]
                    else:
                        self.PageDict[XpressHeader.obj_offset].append(
                            (PageNumber, XpressBlockSize, XpressPage))

                    ## Update the lookup cache
                    self.LookupCache[PageNumber] = (
                        XpressHeader.obj_offset, XpressBlockSize, XpressPage)

                    self.PageIndex += 1
                    XpressIndex += 1

            NextTable = MemoryArray.MemArrayLink.NextTable.v()

            # This entry count (EntryCount) should probably be calculated
            if (NextTable and (EntryCount == self.entry_count)):
                MemoryArrayOffset = NextTable * 0x1000
                self.MemRangeCnt += 1

                XpressHeader, XpressBlockSize = \
                    self.next_xpress(XpressHeader, XpressBlockSize)

                # Make sure the xpress block is after the Memory Table
                while (XpressHeader.obj_offset < MemoryArrayOffset):
                    XpressHeader, XpressBlockSize = \
                        self.next_xpress(XpressHeader, 0)

                XpressIndex = 0
            else:
                MemoryArrayOffset = 0

    def next_xpress(self, XpressHeader, XpressBlockSize):
        XpressHeaderOffset = XpressBlockSize + XpressHeader.obj_offset + \
            XpressHeader.size()

        ## We only search this far
        BLOCKSIZE = 1024
        original_offset = XpressHeaderOffset
        while 1:
            data = self.base.read(XpressHeaderOffset, BLOCKSIZE)
            Magic_offset = data.find("\x81\x81xpress")
            if Magic_offset >= 0:
                XpressHeaderOffset += Magic_offset
                break
            else:
                XpressHeaderOffset += len(data)

            ## Only search this far in advance
            if XpressHeaderOffset - original_offset > 10240:
                return None, None

        XpressHeader = obj.Object("_IMAGE_XPRESS_HEADER", XpressHeaderOffset, self.base)
        XpressBlockSize = self.get_xpress_block_size(XpressHeader)

        return XpressHeader, XpressBlockSize

    def get_xpress_block_size(self, xpress_header):
        u0B = xpress_header.u0B.v() << 24
        u0A = xpress_header.u0A.v() << 16
        u09 = xpress_header.u09.v() << 8

        Size = u0B + u0A + u09
        Size = Size >> 10
        Size = Size + 1

        if ((Size % 8) == 0):
            return Size
        return (Size & ~7) + 8

    def get_header(self):
        return self.header

    def get_base(self):
        return self.base

    def is_paging(self):
        return (self.ProcState.SpecialRegisters.Cr0.v() >> 31) & 1

    def is_pse(self):
        return (self.ProcState.SpecialRegisters.Cr4.v() >> 4) & 1

    def is_pae(self):
        return (self.ProcState.SpecialRegisters.Cr4.v() >> 5) & 1

    def get_addr(self, addr):
        page = addr >> page_shift
        if page in self.LookupCache:
            (hoffset, size, pageoffset) = self.LookupCache[page]
            return hoffset, size, pageoffset
        return None, None, None

    def get_block_offset(self, _xb, addr):
        page = addr >> page_shift
        if page in self.LookupCache:
            (_hoffset, _size, pageoffset) = self.LookupCache[page]
            return pageoffset
        return None

    def is_valid_address(self, addr):
        XpressHeaderOffset, _XpressBlockSize, _XpressPage = self.get_addr(addr)
        return XpressHeaderOffset != None

    def read_xpress(self, baddr, BlockSize):
        try:
            return self.PageCache.get(baddr)
        except KeyError:
            data_read = self.base.read(baddr, BlockSize)
            if BlockSize == 0x10000:
                data_uz = data_read
            else:
                data_uz = xpress.xpress_decode(data_read)

            self.PageCache.put(baddr, data_uz)

            return data_uz

    def _partial_read(self, addr, len):
        """ A function which reads as much as possible from the current page.

        May return a short read.
        """
        ## The offset within the page where we start
        page_offset = (addr & 0x00000FFF)

        ## How much data can we satisfy?
        available = min(PAGE_SIZE - page_offset, len)

        ImageXpressHeader, BlockSize, XpressPage = self.get_addr(addr)
        if not ImageXpressHeader:
            return None

        baddr = ImageXpressHeader + 0x20

        data = self.read_xpress(baddr, BlockSize)

        ## Each block decompressed contains 2**page_shift pages. We
        ## need to know which page to use here.
        offset = XpressPage * 0x1000 + page_offset

        return data[offset:offset + available]

    def read(self, addr, length, zread = False):
        result = ''
        while length > 0:
            data = self._partial_read(addr, length)
            if not data:
                break

            addr += len(data)
            length -= len(data)
            result += data

        if result == '':
            if zread:
                return ('\0' * length)
            result = obj.NoneObject("Unable to read data at " + str(addr) + " for length " + str(length))

        return result

    def zread(self, addr, length):
        stuff_read = self.read(addr, length, zread = True)
        return stuff_read

    def read_long(self, addr):
        _baseaddr = self.get_addr(addr)
        string = self.read(addr, 4)
        if not string:
            return obj.NoneObject("Could not read long at " + str(addr))
        (longval,) = struct.unpack('=I', string)
        return longval

    def get_available_pages(self):
        page_list = []
        for _i, xb in enumerate(self.PageDict.keys()):
            for page, _size, _offset in self.PageDict[xb]:
                page_list.append([page * 0x1000, 0x1000])
        return page_list

    def get_address_range(self):
        """ This relates to the logical address range that is indexable """
        size = self.HighestPage * 0x1000 + 0x1000
        return [0, size]

    def check_address_range(self, addr):
        memrange = self.get_address_range()
        if addr < memrange[0] or addr > memrange[1]:
            raise IOError

    def get_available_addresses(self):
        """ This returns the ranges of valid addresses """
        for i in self.AddressList:
            yield i

    def close(self):
        self.base.close()

volatility-2.3.1/volatility/plugins/addrspaces/amd64.py

# Volatility
# Copyright (C) 2013 Volatility Foundation
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.plugins.addrspaces.paged as paged
import volatility.obj as obj
import struct

ptrs_page = 2048
entry_size = 8
pde_shift = 21
ptrs_per_pde = 512
page_shift = 12
ptrs_per_pae_pgd = 512
ptrs_per_pae_pte = 512

class AMD64PagedMemory(paged.AbstractWritablePagedMemory):
    """ Standard AMD 64-bit address space.

    This class implements the AMD64/IA-32E paging address space. It is responsible
    for translating each virtual (linear) address to a physical address.
    This is accomplished using hierarchical paging structures.
    Every paging structure is 4096 bytes and is composed of entries.
    Each entry is 64 bits. The first paging structure is located at the
    physical address found in CR3 (dtb).

    Additional Resources:
     - Intel(R) 64 and IA-32 Architectures Software Developer's Manual
       Volume 3A: System Programming Guide. Section 4.3
       http://www.intel.com/products/processor/manuals/index.htm
     - AMD64 Architecture Programmer's Manual Volume 2: System Programming
       http://support.amd.com/us/Processor_TechDocs/24593_APM_v2.pdf
     - N. Petroni, A. Walters, T. Fraser, and W. Arbaugh, "FATKit: A Framework
       for the Extraction and Analysis of Digital Forensic Data from Volatile
       System Memory", Digital Investigation Journal 3(4):197-210, December 2006.
       (submitted February 2006)
     - N. P. Maclean, "Acquisition and Analysis of Windows Memory,"
       University of Strathclyde, Glasgow, April 2006.
     - Russinovich, M., & Solomon, D., & Ionescu, A.
       "Windows Internals, 5th Edition", Microsoft Press, 2009.
    """
    order = 60
    pae = False
    checkname = 'AMD64ValidAS'
    paging_address_space = True
    minimum_size = 0x1000
    alignment_gcd = 0x1000

    def entry_present(self, entry):
        if entry:
            if (entry & 1):
                return True

            # The page is in transition and not a prototype.
            # Thus, we will treat it as present.
            if (entry & (1 << 11)) and not (entry & (1 << 10)):
                return True

        return False

    def page_size_flag(self, entry):
        if (entry & (1 << 7)) == (1 << 7):
            return True
        return False

    def get_2MB_paddr(self, vaddr, pgd_entry):
        paddr = (pgd_entry & 0xFFFFFFFE00000) | (vaddr & 0x00000001fffff)
        return paddr

    def is_valid_profile(self, profile):
        '''
        This method checks to make sure the address space is being
        used with a supported profile.
        '''
        return profile.metadata.get('memory_model', '32bit') == '64bit' or profile.metadata.get('os', 'Unknown').lower() == 'mac'

    def pml4e_index(self, vaddr):
        '''
        This method returns the Page Map Level 4 Entry Index
        number from the given virtual address. The index number is
        in bits 47:39.
        '''
        return (vaddr & 0xff8000000000) >> 39

    def get_pml4e(self, vaddr):
        '''
        This method returns the Page Map Level 4 (PML4) entry for the
        virtual address. Bits 47:39 are used to select the
        appropriate 8 byte entry in the Page Map Level 4 Table.

        "Bits 51:12 are from CR3" [Intel]
        "Bits 11:3 are bits 47:39 of the linear address" [Intel]
        "Bits 2:0 are 0" [Intel]
        '''
        pml4e_paddr = (self.dtb & 0xffffffffff000) | ((vaddr & 0xff8000000000) >> 36)
        return self.read_long_long_phys(pml4e_paddr)

    def get_pdpi(self, vaddr, pml4e):
        '''
        This method returns the Page Directory Pointer entry for the
        virtual address. Bits 32:30 are used to select the appropriate
        8 byte entry in the Page Directory Pointer table.

        "Bits 51:12 are from the PML4E" [Intel]
        "Bits 11:3 are bits 38:30 of the linear address" [Intel]
        "Bits 2:0 are all 0" [Intel]
        '''
        pdpte_paddr = (pml4e & 0xffffffffff000) | ((vaddr & 0x7FC0000000) >> 27)
        return self.read_long_long_phys(pdpte_paddr)

    def get_1GB_paddr(self, vaddr, pdpte):
        '''
        If the Page Directory Pointer Table entry represents a 1-GByte
        page, this method extracts the physical address of the page.

        "Bits 51:30 are from the PDPTE" [Intel]
        "Bits 29:0 are from the original linear address" [Intel]
        '''
        return (pdpte & 0xfffffc0000000) | (vaddr & 0x3fffffff)

    def pde_index(self, vaddr):
        return (vaddr >> pde_shift) & (ptrs_per_pde - 1)

    def pdba_base(self, pdpe):
        return pdpe & 0xFFFFFFFFFF000

    def get_pgd(self, vaddr, pdpe):
        pgd_entry = self.pdba_base(pdpe) + self.pde_index(vaddr) * entry_size
        return self.read_long_long_phys(pgd_entry)

    def pte_index(self, vaddr):
        return (vaddr >> page_shift) & (ptrs_per_pde - 1)

    def ptba_base(self, pde):
        return pde & 0xFFFFFFFFFF000

    def get_pte(self, vaddr, pgd):
        pgd_val = self.ptba_base(pgd) + self.pte_index(vaddr) * entry_size
        return self.read_long_long_phys(pgd_val)

    def pte_pfn(self, pte):
        return pte & 0xFFFFFFFFFF000

    def get_paddr(self, vaddr, pte):
        return self.pte_pfn(pte) | (vaddr & ((1 << page_shift) - 1))

    def vtop(self, vaddr):
        '''
        This method translates an address in the virtual
        address space to its associated physical address.
        Invalid entries should be handled with operating
        system abstractions.
        '''
        vaddr = long(vaddr)
        retVal = None
        pml4e = self.get_pml4e(vaddr)
        if not self.entry_present(pml4e):
            return None

        pdpe = self.get_pdpi(vaddr, pml4e)
        if not self.entry_present(pdpe):
            return retVal

        if self.page_size_flag(pdpe):
            return self.get_1GB_paddr(vaddr, pdpe)

        pgd = self.get_pgd(vaddr, pdpe)
        if self.entry_present(pgd):
            if self.page_size_flag(pgd):
                retVal = self.get_2MB_paddr(vaddr, pgd)
            else:
                pte = self.get_pte(vaddr, pgd)
                if self.entry_present(pte):
                    retVal = self.get_paddr(vaddr, pte)
        return retVal

    def read_long_long_phys(self, addr):
        '''
        This method returns a 64-bit little endian
        unsigned integer from the specified address in the
        physical address space. If the address cannot be accessed,
        then the method returns None.

        This code was derived directly from legacyintel.py
        '''
        try:
            string = self.base.read(addr, 8)
        except IOError:
            string = None
        if not string:
            return obj.NoneObject("Unable to read_long_long_phys at " + hex(addr))
        (longlongval,) = struct.unpack('. #
"""
@author: Nir Izraeli
@license: GNU General Public License 2.0
@contact: nirizr@gmail.com

This Address Space for Volatility is based on Nir's vmsnparser:
http://code.google.com/p/vmsnparser. It was converted by MHL.
""" import volatility.addrspace as addrspace import volatility.obj as obj class _VMWARE_HEADER(obj.CType): """A class for VMware VMSS/VMSN files""" @property def Version(self): """The vmss/vmsn storage format version""" return self.Magic & 0xF class _VMWARE_GROUP(obj.CType): """A class for VMware Groups""" def _get_header(self): """Lookup the parent VMware header object""" parent = self.obj_parent while parent.obj_name != '_VMWARE_HEADER': parent = parent.obj_parent return parent @property def Tags(self): """Generator for tags objects""" tag = obj.Object("_VMWARE_TAG", offset = self.TagsOffset, vm = self.obj_vm, parent = self._get_header()) while not (tag.Flags == 0 and tag.NameLength == 0): yield tag ## Determine the address of the next tag tag = obj.Object("_VMWARE_TAG", vm = self.obj_vm, parent = self._get_header(), offset = tag.RealDataOffset + tag.DataDiskSize) class _VMWARE_TAG(obj.CType): """A class for VMware Tags""" def _size_type(self): """Depending on the version, the 'real' data size field is either 4 or 8 bytes""" if self.obj_parent.Version == 0: obj_type = 'unsigned int' else: obj_type = 'unsigned long long' return obj_type @property def OriginalDataOffset(self): """Determine the offset to this tag's data""" return (self.Name.obj_offset + self.NameLength + (self.TagIndices.count * self.obj_vm.profile.get_obj_size("unsigned int"))) @property def RealDataOffset(self): """Determine the real offset to this tag's data""" if self.OriginalDataSize in (62, 63): ## Add the original offset plus the two 32- or 64-bit lengths offset = (self.OriginalDataOffset + (self.obj_vm.profile.get_obj_size(self._size_type()) * 2)) ## There is a 16-bit padding value padlen = obj.Object("unsigned short", offset = offset, vm = self.obj_vm) ## Final result is the offset after the pad, plus the padding value return offset + 2 + padlen else: return self.OriginalDataOffset @property def OriginalDataSize(self): return self.Flags & 0x3F @property def DataDiskSize(self): """Get the 
        tag's data size on disk"""
        # these are special data sizes that signal a longer data stream
        if self.OriginalDataSize in (62, 63):
            return obj.Object(self._size_type(), offset = self.OriginalDataOffset, vm = self.obj_vm)
        else:
            return self.OriginalDataSize

    @property
    def DataMemSize(self):
        """Get the tag's data size in memory"""
        if self.OriginalDataSize in (62, 63):
            return obj.Object(self._size_type(),
                              offset = self.OriginalDataOffset + \
                                       self.obj_vm.profile.get_obj_size(self._size_type()),
                              vm = self.obj_vm)
        else:
            return self.OriginalDataSize

    def cast_as(self, cast_type):
        """Cast the data in a tag as a specific type"""
        return obj.Object(cast_type, offset = self.RealDataOffset, vm = self.obj_vm)

class VMwareVTypesModification(obj.ProfileModification):
    """Apply the necessary VTypes for parsing VMware headers"""

    def modification(self, profile):
        profile.vtypes.update({
            '_VMWARE_HEADER' : [ 12, {
                'Magic' : [ 0, ['unsigned int']],
                'GroupCount' : [ 8, ['unsigned int']],
                'Groups' : [ 12, ['array', lambda x : x.GroupCount, ['_VMWARE_GROUP']]],
                }],
            '_VMWARE_GROUP' : [ 80, {
                'Name' : [ 0, ['String', dict(length = 64, encoding = 'utf8')]],
                'TagsOffset' : [ 64, ['unsigned long long']],
                }],
            '_VMWARE_TAG' : [ None, {
                'Flags' : [ 0, ['unsigned char']],
                'NameLength' : [ 1, ['unsigned char']],
                'Name' : [ 2, ['String', dict(length = lambda x : x.NameLength, encoding = 'utf8')]],
                'TagIndices' : [ lambda x : x.obj_offset + 2 + x.NameLength, ['array', lambda x : (x.Flags >> 6) & 0x3, ['unsigned int']]],
                }],
            })
        profile.object_classes.update({
            '_VMWARE_HEADER': _VMWARE_HEADER,
            '_VMWARE_GROUP': _VMWARE_GROUP,
            '_VMWARE_TAG': _VMWARE_TAG
            })

class VMWareSnapshotFile(addrspace.AbstractRunBasedMemory):
    """ This AS supports VMware snapshot files """

    order = 30
    PAGE_SIZE = 4096

    def __init__(self, base, config, **kwargs):
        ## We must have an AS below us
        self.as_assert(base, "No base Address Space")
        addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)

        ## This is a tuple of (physical memory
        ## offset, file offset, length)
        self.runs = []

        ## A VMware header is found at offset zero of the file
        self.header = obj.Object("_VMWARE_HEADER", offset = 0, vm = base)

        self.as_assert(self.header.Magic in [0xbed2bed0, 0xbad1bad1, 0xbed2bed2, 0xbed3bed3],
                       "Invalid VMware signature: {0:#x}".format(self.header.Magic))

        ## The number of memory regions contained in the file
        region_count = self._get_tag(grp_name = "memory", tag_name = "regionsCount",
                                     data_type = "unsigned int")

        if not region_count.is_valid() or region_count == 0:
            ## Create a single run from the main memory region
            memory_tag = self._get_tag(grp_name = "memory", tag_name = "Memory")

            self.as_assert(memory_tag is not None, "Cannot find the single-region Memory tag")

            self.runs.append((0, memory_tag.RealDataOffset, memory_tag.DataDiskSize))
        else:
            ## Create multiple runs - one for each region in the header
            for i in range(region_count):
                memory_tag = self._get_tag(grp_name = "memory", tag_name = "Memory",
                                           indices = [0, 0])

                memory_offset = self._get_tag(grp_name = "memory", tag_name = "regionPPN",
                                              indices = [i],
                                              data_type = "unsigned int") * self.PAGE_SIZE

                file_offset = self._get_tag(grp_name = "memory", tag_name = "regionPageNum",
                                            indices = [i],
                                            data_type = "unsigned int") * \
                              self.PAGE_SIZE + memory_tag.RealDataOffset

                length = self._get_tag(grp_name = "memory", tag_name = "regionSize",
                                       indices = [i],
                                       data_type = "unsigned int") * self.PAGE_SIZE

                self.runs.append((memory_offset, file_offset, length))

        ## Make sure we found at least one memory run
        self.as_assert(len(self.runs) > 0, "Cannot find any memory run information")

        ## Find the DTB from CR3. For x86 we grab an int from CR and
        ## for x64 we grab a long long from CR64.
        if self.profile.metadata.get("memory_model", "32bit") == "32bit":
            self.dtb = self._get_tag(grp_name = "cpu", tag_name = "CR",
                                     indices = [0, 3],
                                     data_type = "unsigned int")
        else:
            self.dtb = self._get_tag(grp_name = "cpu", tag_name = "CR64",
                                     indices = [0, 3],
                                     data_type = "unsigned long long")

        self.as_assert(self.dtb is not None, "Cannot find a DTB")

    def _get_tag(self, grp_name, tag_name, indices = None, data_type = None):
        """Get a tag from the VMware headers

        @param grp_name: the group name (from _VMWARE_GROUP.Name)

        @param tag_name: the tag name (from _VMWARE_TAG.Name)

        @param indices: a group can contain multiple tags of the same name,
        and tags can also contain meta-tags. this parameter lets you specify
        which tag or meta-tag exactly to operate on. for example the 3rd CR
        register (CR3) of the first CPU would use [0][3] indices. If this
        parameter is None, then you just match on grp_name and tag_name.

        @param data_type: the type of data depends on the purpose of the tag.
        If you supply this parameter, the function returns an object of the
        specified type (for example an int or long). If not supplied, you just
        get back the _VMWARE_TAG object itself.
        """
        for group in self.header.Groups:
            ## Match on the group's name
            if str(group.Name) != grp_name:
                continue

            ## Iterate the tags looking for a match
            for tag in group.Tags:
                if str(tag.Name) != tag_name:
                    continue

                ## If a set of indices was supplied, make sure it matches
                if indices and tag.TagIndices != indices:
                    continue

                ## If a data type is specified, cast the Tag and return the
                ## object. Otherwise return the Tag object itself.
                if data_type:
                    return tag.cast_as(data_type)
                else:
                    return tag

        return obj.NoneObject("Cannot find [{0}][{1}]".format(grp_name, tag_name))

volatility-2.3.1/volatility/plugins/addrspaces/hpak.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import zlib
import volatility.obj as obj
import volatility.plugins.addrspaces.standard as standard

class HPAKVTypes(obj.ProfileModification):
    def modification(self, profile):
        profile.vtypes.update({
            'HPAK_HEADER' : [ 0x20, {
                'Magic' : [ 0, ['String', dict(length = 4)]],
                }],
            'HPAK_SECTION': [ 0xE0, {
                'Header' : [ 0, ['String', dict(length = 32)]],
                'Compressed' : [ 0x8C, ['unsigned int']],
                'Length' : [ 0x98, ['unsigned long long']],
                'Offset' : [ 0xA8, ['unsigned long long']],
                'NextSection' : [ 0xB0, ['unsigned long long']],
                'Name' : [ 0xD4, ['String', dict(length = 12)]],
                }],
            })
        profile.object_classes.update({'HPAK_HEADER': HPAK_HEADER})

class HPAK_HEADER(obj.CType):
    """A class for B.S.
    Hairy headers"""

    def Sections(self):

        ## The initial section object
        section = obj.Object("HPAK_SECTION",
                             offset = self.obj_vm.profile.get_obj_size("HPAK_HEADER"),
                             vm = self.obj_vm)

        ## Iterate through the sections
        while section.is_valid():
            yield section
            section = section.NextSection.dereference_as("HPAK_SECTION")

class HPAKAddressSpace(standard.FileAddressSpace):
    """ This AS supports the HPAK format """

    order = 30

    def __init__(self, base, config, **kwargs):
        ## We must have an AS below us
        self.as_assert(base, "No base Address Space")
        standard.FileAddressSpace.__init__(self, base, config, layered = True, **kwargs)

        self.header = obj.Object("HPAK_HEADER", offset = 0, vm = base)

        ## Check the magic
        self.as_assert(self.header.Magic == 'HPAK', "Invalid magic found")

        self.physmem = None

        ## cycle through looking for the PHYSDUMP header
        for section in self.header.Sections():
            if str(section.Header) == "HPAKSECTHPAK_SECTION_PHYSDUMP":
                self.physmem = section
                break

        self.as_assert(self.physmem is not None, "Cannot find the PHYSDUMP section")

    def read(self, addr, length):
        return self.base.read(addr + self.physmem.Offset, length)

    def zread(self, addr, length):
        return self.base.zread(addr + self.physmem.Offset, length)

    def is_valid_address(self, addr):
        return self.base.is_valid_address(addr + self.physmem.Offset)

    def get_header(self):
        return self.header

    def convert_to_raw(self, outfd):
        """The standard imageinfo plugin won't work on
        hpak images so we provide this method.
        It wraps the zlib compression if necessary"""

        d = zlib.decompressobj(16 + zlib.MAX_WBITS)

        chunk_size = 4096
        chunks = self.physmem.Length / chunk_size

        def get_chunk(addr, size):
            buffer = self.base.read(addr, size)
            if self.physmem.Compressed == 1:
                buffer = d.decompress(buffer)
            return buffer

        for i in range(chunks):
            outfd.write(get_chunk(self.physmem.Offset + i * chunk_size, chunk_size))
            yield i

        leftover = self.physmem.Length % chunk_size

        if leftover > 0:
            ## The tail starts right after the last full chunk. Using the loop
            ## variable here would re-read the final chunk (and fail when there
            ## are no full chunks at all).
            outfd.write(get_chunk(self.physmem.Offset + chunks * chunk_size, leftover))

volatility-2.3.1/volatility/plugins/addrspaces/__init__.py
volatility-2.3.1/volatility/plugins/addrspaces/standard.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2004,2005,2006 4tphi Research
#
# Authors:
# {npetroni,awalters}@4tphi.net (Nick Petroni and AAron Walters)
# Michael Cohen
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
# """ These are standard address spaces supported by Volatility """ import struct import volatility.addrspace as addrspace import volatility.debug as debug #pylint: disable-msg=W0611 import urllib import os #pylint: disable-msg=C0111 def write_callback(option, _opt_str, _value, parser, *_args, **_kwargs): """Callback function to ensure that write support is only enabled if user repeats a long string This call back checks whether the user really wants write support and then either enables it (for all future parses) by changing the option to store_true, or disables it permanently by ensuring all future attempts to store the value store_false. """ if not hasattr(parser.values, 'write'): # We don't want to use config.outfile, since this should always be seen by the user option.dest = "write" option.action = "store_false" parser.values.write = False for _ in range(3): testphrase = "Yes, I want to enable write support" response = raw_input("Write support requested. Please type \"" + testphrase + "\" below precisely (case-sensitive):\n") if response == testphrase: option.action = "store_true" parser.values.write = True return print "Write support disabled." class FileAddressSpace(addrspace.BaseAddressSpace): """ This is a direct file AS. For this AS to be instantiated, we need 1) A valid config.LOCATION (starting with file://) 2) no one else has picked the AS before us 3) base == None (we dont operate on anyone else so we need to be right at the bottom of the AS stack.) 
""" ## We should be the AS of last resort order = 100 def __init__(self, base, config, layered = False, **kwargs): addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs) self.as_assert(base == None or layered, 'Must be first Address Space') self.as_assert(config.LOCATION.startswith("file://"), 'Location is not of file scheme') path = urllib.url2pathname(config.LOCATION[7:]) self.as_assert(os.path.exists(path), 'Filename must be specified and exist') self.name = os.path.abspath(path) self.fname = self.name self.mode = 'rb' if config.WRITE: self.mode += '+' self.fhandle = open(self.fname, self.mode) self.fhandle.seek(0, 2) self.fsize = self.fhandle.tell() # Abstract Classes cannot register options, and since this checks config.WRITE in __init__, we define the option here @staticmethod def register_options(config): config.add_option("WRITE", short_option = 'w', action = "callback", default = False, help = "Enable write support", callback = write_callback) def fread(self, length): length = int(length) return self.fhandle.read(length) def read(self, addr, length): addr, length = int(addr), int(length) self.fhandle.seek(addr) data = self.fhandle.read(length) if len(data) == 0: return None return data def zread(self, addr, length): data = self.read(addr, length) if data is None: data = "\x00" * length elif len(data) != length: data += "\x00" * (length - len(data)) return data def read_long(self, addr): string = self.read(addr, 4) (longval,) = struct.unpack('=I', string) return longval def get_available_addresses(self): # Since the second parameter is the length of the run # not the end location, it must be set to fsize, not fsize - 1 yield (0, self.fsize) def is_valid_address(self, addr): if addr == None: return False return 0 <= addr < self.fsize def close(self): self.fhandle.close() def write(self, addr, data): if not self._config.WRITE: return False try: self.fhandle.seek(addr) self.fhandle.write(data) except IOError: return False return True def 
__eq__(self, other): return self.__class__ == other.__class__ and self.base == other.base and hasattr(other, "fname") and self.fname == other.fname volatility-2.3.1/volatility/plugins/addrspaces/arm.py0000644000175000017500000001405112234427241022736 0ustar mikemike00000000000000# Volatility # # Authors: # attc - atcuno@gmail.com # Joe Sylve - joe.sylve@gmail.com # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # import struct import volatility.obj as obj import volatility.debug as debug #pylint: disable-msg=W0611 import volatility.plugins.addrspaces.paged as paged class ArmAddressSpace(paged.AbstractWritablePagedMemory): order = 800 pae = False paging_address_space = True checkname = 'ArmValidAS' minimum_size = 0x1000 alignment_gcd = 0x1000 def read_long_phys(self, addr): ''' Returns an unsigned 32-bit integer from the address addr in physical memory. If unable to read from that location, returns None. 
        '''
        try:
            string = self.base.read(addr, 4)
        except IOError:
            string = None
        if not string:
            return obj.NoneObject("Could not read_long_phys at offset " + hex(addr))
        (longval,) = struct.unpack('> 20)

    # 1st Level Descriptor
    def pde_value(self, vaddr):
        return self.read_long_phys(self.dtb | (self.pde_index(vaddr) << 2))

    # 2nd Level Page Table Index (Coarse Pages)
    def pde2_index(self, vaddr):
        return ((vaddr >> 12) & 0x0FF)

    # 2nd Level Page Table Descriptor (Coarse Pages)
    def pde2_value(self, vaddr, pde):
        return self.read_long_phys((pde & 0xFFFFFC00) | (self.pde2_index(vaddr) << 2))

    # 2nd Level Page Table Index (Fine Pages)
    def pde2_index_fine(self, vaddr):
        return ((vaddr >> 10) & 0x3FF)

    # 2nd Level Page Table Descriptor (Fine Pages)
    def pde2_value_fine(self, vaddr, pde):
        return self.read_long_phys((pde & 0xFFFFF000) | (self.pde2_index_fine(vaddr) << 2))

    def get_pte(self, vaddr, pde_value):
        # page table
        if (pde_value & 0b11) == 0b00:
            # If bits[1:0] == 0b00, the associated modified virtual addresses are unmapped,
            # and attempts to access them generate a translation fault
            debug.debug("get_pte: invalid pde_value {0:x}".format(pde_value))
            return None

        elif (pde_value & 0b11) == 0b10:
            # If bits[1:0] == 0b10, the entry is a section descriptor for its associated modified virtual addresses.
            # If bit[18] is set, optional supersections are used, which we don't support yet
            issuper = int(pde_value & (1 << 18))
            if issuper:
                # TODO: Implement Supersection support if needed
                debug.warning("supersection found")
                return None
            else:
                return ((pde_value & 0xFFE00000) | (vaddr & 0x1FFFFF))

        elif (pde_value & 0b11) == 0b01:
            # If bits[1:0] == 0b01, the entry gives the physical address of a coarse second-level table, that specifies
            # how the associated 1MB modified virtual address range is mapped.
            pde2_value = self.pde2_value(vaddr, pde_value)
            if not pde2_value:
                debug.debug("no pde2_value", 4)
                return None

            if (pde2_value & 0b11) == 0b01:
                # 64K large pages
                return ((pde2_value & 0xFFFF0000) | (vaddr & 0x0000FFFF))
            elif (pde2_value & 0b11) == 0b10 or (pde2_value & 0b11) == 0b11:
                # 4K small pages
                return ((pde2_value & 0xFFFFF000) | (vaddr & 0x00000FFF))
            else:
                debug.warning("get_pte: invalid course pde2_value {0:x}".format(pde2_value))
                return None

        elif (pde_value & 0b11) == 0b11:
            # If bits[1:0] == 0b11, the entry gives the physical address of a fine second-level table. A fine
            # second-level page table specifies how the associated 1MB modified virtual address range is mapped.
            pde2_value = self.pde2_value_fine(vaddr, pde_value)
            if not pde2_value:
                debug.debug("no pde2_value", 4)
                return None

            if (pde2_value & 0b11) == 0b01:
                # 64K large pages
                return ((pde2_value & 0xFFFF0000) | (vaddr & 0x0000FFFF))
            elif (pde2_value & 0b11) == 0b10:
                # 4K small pages
                return ((pde2_value & 0xFFFFF000) | (vaddr & 0x00000FFF))
            elif (pde2_value & 0b11) == 0b11:
                #1k tiny pages
                return ((pde2_value & 0xFFFFFC00) | (vaddr & 0x3FF))
            else:
                debug.warning("get_pte: invalid fine pde2_value {0:x}".format(pde2_value))
                return None

    def vtop(self, vaddr):
        debug.debug("\n--vtop start: {0:x}".format(vaddr), 4)

        pde_value = self.pde_value(vaddr)
        if not pde_value:
            debug.debug("no pde_value", 4)
            return None

        debug.debug("!!!pde_value: {0:x}".format(pde_value), 4)

        pte_value = self.get_pte(vaddr, pde_value)

        return pte_value

    # FIXME
    # this is supposed to return all valid physical addresses based on the current dtb
    # this (may?)
    # be painful to write due to ARM's different page table types and having small & large pages inside of those
    def get_available_pages(self):
        for i in xrange(0, (2 ** 32) - 1, 4096):
            yield (i, 0x1000)

volatility-2.3.1/volatility/plugins/addrspaces/vboxelf.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2005,2006,2007 4tphi Research
#
# Authors:
# {npetroni,awalters}@4tphi.net (Nick Petroni and AAron Walters)
# phil@teuwen.org (Philippe Teuwen)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
# References:
# VirtualBox core format:
#     http://www.virtualbox.org/manual/ch12.html#guestcoreformat
#     http://www.virtualbox.org/svn/vbox/trunk/include/VBox/vmm/dbgfcorefmt.h
#     http://www.virtualbox.org/svn/vbox/trunk/src/VBox/VMM/VMMR3/DBGFCoreWrite.cpp

import volatility.obj as obj
import volatility.addrspace as addrspace

#pylint: disable-msg=C0111

NT_VBOXCORE = 0xb00
NT_VBOXCPU = 0xb01
DBGFCORE_MAGIC = 0xc01ac0de
DBGFCORE_FMT_VERSION = 0x00010000

class DBGFCOREDESCRIPTOR(obj.CType):
    """A class for VBox core dump descriptors"""

    @property
    def Major(self):
        return (self.u32VBoxVersion >> 24) & 0xFF

    @property
    def Minor(self):
        return (self.u32VBoxVersion >> 16) & 0xFF

    @property
    def Build(self):
        return self.u32VBoxVersion & 0xFFFF

class VirtualBoxModification(obj.ProfileModification):
    def modification(self, profile):

        profile.vtypes.update({
            'DBGFCOREDESCRIPTOR' : [ 24, {
                'u32Magic' : [ 0, ['unsigned int']],
                'u32FmtVersion' : [ 4, ['unsigned int']],
                'cbSelf' : [ 8, ['unsigned int']],
                'u32VBoxVersion' : [ 12, ['unsigned int']],
                'u32VBoxRevision' : [ 16, ['unsigned int']],
                'cCpus' : [ 20, ['unsigned int']],
                }]})

        profile.object_classes.update({'DBGFCOREDESCRIPTOR': DBGFCOREDESCRIPTOR})

class VirtualBoxCoreDumpElf64(addrspace.AbstractRunBasedMemory):
    """ This AS supports VirtualBox ELF64 coredump format """

    order = 30

    def __init__(self, base, config, **kwargs):
        ## We must have an AS below us
        self.as_assert(base, "No base Address Space")
        addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)

        ## Quick test (before instantiating an object)
        ## for ELF64, little-endian - ELFCLASS64 and ELFDATA2LSB
        self.as_assert(base.read(0, 6) == '\x7fELF\x02\x01', "ELF64 Header signature invalid")

        ## Base AS should be a file AS
        elf = obj.Object("elf64_hdr", offset = 0, vm = base)

        ## Make sure it's a core dump
        self.as_assert(str(elf.e_type) == 'ET_CORE', "ELF64 type is not a Core file")

        ## Tuple of (physical memory address, file offset, length)
        self.runs = []

        ## The PT_NOTE
        ## core descriptor structure
        self.header = None

        for phdr in elf.program_headers():

            ## The first note should be the VBCORE segment
            if str(phdr.p_type) == 'PT_NOTE':
                note = phdr.p_offset.dereference_as("elf64_note")

                if note.namesz == 'VBCORE' and note.n_type == NT_VBOXCORE:
                    self.header = note.cast_descsz("DBGFCOREDESCRIPTOR")
                continue

            # Only keep load segments with valid file sizes
            if (str(phdr.p_type) != 'PT_LOAD' or
                    phdr.p_filesz == 0 or
                    phdr.p_filesz != phdr.p_memsz):
                continue

            self.runs.append((int(phdr.p_paddr),
                              int(phdr.p_offset),
                              int(phdr.p_memsz)))

        self.as_assert(self.header, 'ELF error: did not find any PT_NOTE segment with VBCORE')
        self.as_assert(self.header.u32Magic == DBGFCORE_MAGIC, 'Could not find VBox core magic signature')
        self.as_assert(self.header.u32FmtVersion == DBGFCORE_FMT_VERSION, 'Unknown VBox core format version')
        self.as_assert(self.runs, 'ELF error: did not find any LOAD segment with main RAM')

volatility-2.3.1/volatility/plugins/addrspaces/intel.py
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2004,2005,2006 4tphi Research
#
# Authors:
# {npetroni,awalters}@4tphi.net (Nick Petroni and AAron Walters)
# Michael Cohen
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import struct
import volatility.plugins.addrspaces.paged as paged
import volatility.obj as obj

entry_size = 8
pointer_size = 4
page_shift = 12
ptrs_per_pte = 1024
ptrs_per_pgd = 1024
ptrs_per_pae_pte = 512
ptrs_per_pae_pgd = 512
ptrs_per_pdpi = 4
pgdir_shift = 22
pdpi_shift = 30
pdptb_shift = 5
pde_shift = 21
ptrs_per_pde = 512
ptrs_page = 2048

class IA32PagedMemory(paged.AbstractWritablePagedMemory):
    """ Standard IA-32 paging address space.

    This class implements the IA-32 paging address space. It is responsible
    for translating each virtual (linear) address to a physical address.
    This is accomplished using hierarchical paging structures.
    Every paging structure is 4096 bytes and is composed of entries.
    Each entry is 32 bits. The first paging structure is located at the
    physical address found in CR3 (dtb).

    Additional Resources:
     - Intel(R) 64 and IA-32 Architectures Software Developer's Manual
       Volume 3A: System Programming Guide. Section 4.3
       http://www.intel.com/products/processor/manuals/index.htm
     - AMD64 Architecture Programmer's Manual Volume 2: System Programming
       http://support.amd.com/us/Processor_TechDocs/24593_APM_v2.pdf
     - N. Petroni, A. Walters, T. Fraser, and W. Arbaugh, "FATKit: A Framework
       for the Extraction and Analysis of Digital Forensic Data from Volatile
       System Memory" ,Digital Investigation Journal 3(4):197-210, December 2006.
       (submitted February 2006)
     - N. P. Maclean, "Acquisition and Analysis of Windows Memory,"
       University of Strathclyde, Glasgow, April 2006.
     - Russinovich, M., & Solomon, D., & Ionescu, A.
       "Windows Internals, 5th Edition", Microsoft Press, 2009.
""" order = 70 pae = False paging_address_space = True checkname = 'IA32ValidAS' # Hardcoded page info to avoid expensive recalculation minimum_size = 0x1000 alignment_gcd = 0x1000 def __init__(self, base, config, dtb = 0, skip_as_check = False, *args, **kwargs): ## We must be stacked on someone else: self.as_assert(base, "No base Address Space") paged.AbstractWritablePagedMemory.__init__(self, base, config, dtb = dtb, skip_as_check = skip_as_check, *args, **kwargs) def is_valid_profile(self, profile): return profile.metadata.get('memory_model', '32bit') == '32bit' or profile.metadata.get('os', 'Unknown').lower() == 'mac' def entry_present(self, entry): if entry: if (entry & 1): return True # The page is in transition and not a prototype. # Thus, we will treat it as present. if (entry & (1 << 11)) and not (entry & (1 << 10)): return True return False def page_size_flag(self, entry): if (entry & (1 << 7)) == (1 << 7): return True return False def pgd_index(self, pgd): return (pgd >> pgdir_shift) & (ptrs_per_pgd - 1) def get_pgd(self, vaddr): pgd_entry = self.dtb + self.pgd_index(vaddr) * pointer_size return self.read_long_phys(pgd_entry) def pte_pfn(self, pte): return pte >> page_shift def pte_index(self, pte): return (pte >> page_shift) & (ptrs_per_pte - 1) def get_pte(self, vaddr, pgd): pgd_val = pgd & ~((1 << page_shift) - 1) pgd_val = pgd_val + self.pte_index(vaddr) * pointer_size return self.read_long_phys(pgd_val) def get_paddr(self, vaddr, pte): return (self.pte_pfn(pte) << page_shift) | (vaddr & ((1 << page_shift) - 1)) def get_four_meg_paddr(self, vaddr, pgd_entry): return (pgd_entry & ((ptrs_per_pgd - 1) << 22)) | (vaddr & ~((ptrs_per_pgd - 1) << 22)) def vtop(self, vaddr): retVal = None pgd = self.get_pgd(vaddr) if self.entry_present(pgd): if self.page_size_flag(pgd): retVal = self.get_four_meg_paddr(vaddr, pgd) else: pte = self.get_pte(vaddr, pgd) if not pte: return None if self.entry_present(pte): retVal = self.get_paddr(vaddr, pte) return retVal def 
read_long_phys(self, addr): try: string = self.base.read(addr, 4) except IOError: string = None if not string: return obj.NoneObject("Unable to read_long_phys at " + hex(addr)) (longval,) = struct.unpack('> pdpi_shift) def get_pdpi(self, vaddr): pdpi_entry = self.get_pdptb(self.dtb) + self.pdpi_index(vaddr) * entry_size return self._read_long_long_phys(pdpi_entry) def pde_index(self, vaddr): return (vaddr >> pde_shift) & (ptrs_per_pde - 1) def pdba_base(self, pdpe): return pdpe & 0xFFFFFF000 def get_pgd(self, vaddr, pdpe): pgd_entry = self.pdba_base(pdpe) + self.pde_index(vaddr) * entry_size return self._read_long_long_phys(pgd_entry) def pte_pfn(self, pte): return pte & 0xFFFFFF000 def pte_index(self, vaddr): return (vaddr >> page_shift) & (ptrs_per_pde - 1) def ptba_base(self, pde): return pde & 0xFFFFFF000 def get_pte(self, vaddr, pgd): pgd_val = self.ptba_base(pgd) + self.pte_index(vaddr) * entry_size return self._read_long_long_phys(pgd_val) def get_paddr(self, vaddr, pte): return self.pte_pfn(pte) | (vaddr & ((1 << page_shift) - 1)) def get_large_paddr(self, vaddr, pgd_entry): return (pgd_entry & 0xFFE00000) | (vaddr & ~((ptrs_page - 1) << 21)) def vtop(self, vaddr): retVal = None pdpe = self.get_pdpi(vaddr) if not self.entry_present(pdpe): return retVal pgd = self.get_pgd(vaddr, pdpe) if self.entry_present(pgd): if self.page_size_flag(pgd): retVal = self.get_large_paddr(vaddr, pgd) else: pte = self.get_pte(vaddr, pgd) if self.entry_present(pte): retVal = self.get_paddr(vaddr, pte) return retVal def _read_long_long_phys(self, addr): try: string = self.base.read(addr, 8) except IOError: string = None if not string: return obj.NoneObject("Unable to read base AS at " + hex(addr)) (longlongval,) = struct.unpack('. 
#

import volatility.utils as utils
import volatility.plugins.common as common
import volatility.cache as cache
import volatility.debug as debug
import volatility.obj as obj
import datetime

class _DMP_HEADER(obj.CType):
    """A class for crash dumps"""

    @property
    def SystemUpTime(self):
        """Returns a string uptime"""

        # Some utilities write PAGEPAGE to this field when
        # creating the dump header.
        if self.m('SystemUpTime') == 0x4547415045474150:
            return obj.NoneObject("No uptime recorded")

        # 1 uptime is 100ns so convert that to microsec
        msec = self.m('SystemUpTime') / 10

        return datetime.timedelta(microseconds = msec)

class CrashInfoModification(obj.ProfileModification):
    """Applies overlays for crash dump headers"""

    conditions = {'os': lambda x: x == 'windows'}
    before = ["WindowsVTypes", "WindowsObjectClasses"]

    def modification(self, profile):

        profile.merge_overlay({
            '_DMP_HEADER' : [ None, {
                'Comment' : [ None, ['String', dict(length = 128)]],
                'DumpType' : [ None, ['Enumeration', dict(choices = {0x1: "Full Dump", 0x2: "Kernel Dump"})]],
                'SystemTime' : [ None, ['WinTimeStamp', dict(is_utc = True)]],
                }],
            '_DMP_HEADER64' : [ None, {
                'Comment' : [ None, ['String', dict(length = 128)]],
                'DumpType' : [ None, ['Enumeration', dict(choices = {0x1: "Full Dump", 0x2: "Kernel Dump"})]],
                'SystemTime' : [ None, ['WinTimeStamp', dict(is_utc = True)]],
                }],
            })

        ## Both x86 and x64 use the same structure for now, just
        ## so they can share the same SystemUpTime property.
        profile.object_classes.update({'_DMP_HEADER' : _DMP_HEADER, '_DMP_HEADER64' : _DMP_HEADER})

class CrashInfo(common.AbstractWindowsCommand):
    """Dump crash-dump information"""

    target_as = ['WindowsCrashDumpSpace32', 'WindowsCrashDumpSpace64']

    @cache.CacheDecorator("tests/crashinfo")
    def calculate(self):
        """Determines the address space"""
        addr_space = utils.load_as(self._config, astype = 'physical')

        result = None
        adrs = addr_space
        while adrs:
            if adrs.__class__.__name__ in self.target_as:
                result = adrs
            adrs = adrs.base

        if result is None:
            debug.error("Memory Image could not be identified as {0}".format(self.target_as))

        return result

    def render_text(self, outfd, data):
        """Renders the crashdump header as text"""

        hdr = data.get_header()

        outfd.write("{0}:\n".format(hdr.obj_name))
        outfd.write(" Majorversion: 0x{0:08x} ({1})\n".format(hdr.MajorVersion, hdr.MajorVersion))
        outfd.write(" Minorversion: 0x{0:08x} ({1})\n".format(hdr.MinorVersion, hdr.MinorVersion))
        outfd.write(" KdSecondaryVersion 0x{0:08x}\n".format(hdr.KdSecondaryVersion))
        outfd.write(" DirectoryTableBase 0x{0:08x}\n".format(hdr.DirectoryTableBase))
        outfd.write(" PfnDataBase 0x{0:08x}\n".format(hdr.PfnDataBase))
        outfd.write(" PsLoadedModuleList 0x{0:08x}\n".format(hdr.PsLoadedModuleList))
        outfd.write(" PsActiveProcessHead 0x{0:08x}\n".format(hdr.PsActiveProcessHead))
        outfd.write(" MachineImageType 0x{0:08x}\n".format(hdr.MachineImageType))
        outfd.write(" NumberProcessors 0x{0:08x}\n".format(hdr.NumberProcessors))
        outfd.write(" BugCheckCode 0x{0:08x}\n".format(hdr.BugCheckCode))
        if hdr.obj_name != "_DMP_HEADER64":
            outfd.write(" PaeEnabled 0x{0:08x}\n".format(hdr.PaeEnabled))
        outfd.write(" KdDebuggerDataBlock 0x{0:08x}\n".format(hdr.KdDebuggerDataBlock))
        outfd.write(" ProductType 0x{0:08x}\n".format(hdr.ProductType))
        outfd.write(" SuiteMask 0x{0:08x}\n".format(hdr.SuiteMask))
        outfd.write(" WriterStatus 0x{0:08x}\n".format(hdr.WriterStatus))
        outfd.write(" Comment {0}\n".format(hdr.Comment))
        outfd.write(" DumpType {0}\n".format(hdr.DumpType))
        outfd.write(" SystemTime {0}\n".format(str(hdr.SystemTime or '')))
        outfd.write(" SystemUpTime {0}\n".format(str(hdr.SystemUpTime or '')))

        outfd.write("\nPhysical Memory Description:\n")
        outfd.write("Number of runs: {0}\n".format(len(data.get_runs())))
        outfd.write("FileOffset Start Address Length\n")
        if hdr.obj_name != "_DMP_HEADER64":
            foffset = 0x1000
        else:
            foffset = 0x2000
        run = []

        ## FIXME. These runs differ for x86 vs x64. This is a reminder
        ## for MHL or AW to fix it.

        for run in data.get_runs():
            outfd.write("{0:08x} {1:08x} {2:08x}\n".format(foffset, run[0], run[2]))
            foffset += (run[2])
        outfd.write("{0:08x} {1:08x}\n".format(foffset - 0x1000, (run[0] + run[2] - 0x1000)))

volatility-2.3.1/volatility/plugins/dumpcerts.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# Authors:
# Michael Hale Ligh
#
# Contributors/References:
# ## Based on sslkeyfinder: http://www.trapkit.de/research/sslkeyfinder/
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import os, sys, subprocess
import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.procdump as procdump
import volatility.utils as utils
import volatility.win32.tasks as tasks
import volatility.plugins.malware.malfind as malfind

try:
    import yara
    has_yara = True
except ImportError:
    has_yara = False

#--------------------------------------------------------------------------------
# object classes
#--------------------------------------------------------------------------------

class _X509_PUBLIC_CERT(obj.CType):
    """Class for x509 public key certificates"""

    @property
    def Size(self):
        """
        The certificate size (in bytes) is a product of this
        object's Size1 and Size2 members.
        """
        return (self.Size1 << 8 & 0xFFFF) + self.Size2

    def object_as_string(self):
        """
        Get the object's data as a string. In this case it's
        the certificate header and body.
        """
        return self.obj_vm.zread(self.obj_offset, self.Size + 4)

    def is_valid(self):
        """
        This implements the check described in sslfinder:
        http://www.trapkit.de/research/sslkeyfinder/
        """
        if not obj.CType.is_valid(self):
            return False
        return self.Size < 0xFFF

    def as_openssl(self, file_name):
        """
        Represent this object as openssl-parsed certificate.

        Since OpenSSL does not accept DERs from STDIN, we have
        to redirect it to a file first.

        @param file_name: a file on disk where this object has been
        dumped. The caller should ensure that the file exists before
        calling this function.
        """
        return subprocess.Popen(
            ['openssl', 'x509', '-in', file_name, '-inform', 'DER', '-text'],
            stdout = subprocess.PIPE, stderr = subprocess.PIPE
            ).communicate()[0]

class _PKCS_PRIVATE_CERT(_X509_PUBLIC_CERT):
    """Class for PKCS private key certificates"""

    def as_openssl(self, file_name):
        return subprocess.Popen(
            ['openssl', 'rsa', '-check', '-in', file_name, '-inform', 'DER', '-text'],
            stdout = subprocess.PIPE, stderr = subprocess.PIPE
            ).communicate()[0]

class SSLKeyModification(obj.ProfileModification):
    """Applies to all windows profiles (maybe linux?)"""

    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        profile.vtypes.update({
            '_X509_PUBLIC_CERT': [ None, {
                'Size1': [ 0x2, ['unsigned char']],
                'Size2': [ 0x3, ['unsigned char']],
                }],
            '_PKCS_PRIVATE_CERT': [ None, {
                'Size1': [ 0x2, ['unsigned char']],
                'Size2': [ 0x3, ['unsigned char']],
                }],
            })
        profile.object_classes.update({
            '_X509_PUBLIC_CERT': _X509_PUBLIC_CERT,
            '_PKCS_PRIVATE_CERT': _PKCS_PRIVATE_CERT,
            })

# Inherit from ProcExeDump for access to the --dump-dir option
class DumpCerts(procdump.ProcExeDump):
    """Dump RSA private and public SSL keys"""

    def __init__(self, config, *args, **kwargs):
        procdump.ProcExeDump.__init__(self, config, *args, **kwargs)
        config.remove_option("UNSAFE")
        config.add_option("SSL", short_option = 's',
                          default = False,
                          help = "Use OpenSSL for certificate parsing",
                          action = "store_true")
        config.add_option("PHYSICAL", short_option = 'P',
                          default = False,
                          help = "Scan across physical space (in deallocated/freed storage)",
                          action = "store_true")

    def calculate(self):
        addr_space = utils.load_as(self._config)

        if not has_yara:
            debug.error("You must install yara to use this plugin")

        if not self._config.DUMP_DIR:
            debug.error("You must supply a --dump-dir parameter")

        # Wildcard signatures to scan for
        rules = yara.compile(sources = {
            'x509' : 'rule x509 {strings: $a = {30 82 ?? ?? 30 82 ?? ??} condition: $a}',
            'pkcs' : 'rule pkcs {strings: $a = {30 82 ?? ?? 02 01 00} condition: $a}',
            })

        # These signature names map to these data structures
        type_map = {
            'x509' : '_X509_PUBLIC_CERT',
            'pkcs' : '_PKCS_PRIVATE_CERT',
            }

        if self._config.PHYSICAL:
            # Find the FileAddressSpace
            while addr_space.__class__.__name__ != "FileAddressSpace":
                addr_space = addr_space.base
            scanner = malfind.DiscontigYaraScanner(address_space = addr_space,
                                                   rules = rules)
            for hit, address in scanner.scan():
                cert = obj.Object(type_map.get(hit.rule),
                                  vm = scanner.address_space,
                                  offset = address,
                                  )
                if cert.is_valid():
                    yield None, cert
        else:
            for process in self.filter_tasks(tasks.pslist(addr_space)):
                scanner = malfind.VadYaraScanner(task = process, rules = rules)
                for hit, address in scanner.scan():
                    cert = obj.Object(type_map.get(hit.rule),
                                      vm = scanner.address_space,
                                      offset = address,
                                      )
                    if cert.is_valid():
                        yield process, cert

    def get_parsed_fields(self, openssl, fields = ["O", "OU"]):
        """
        Get fields from the parsed openssl output.

        @param openssl: the output of an openssl command

        @param fields: fields of the SSL public or private
        key certificate that you want to get.

        @returns: a tuple of the field found and the field value.
        """
        for line in openssl.split("\n"):
            if "Subject:" in line:
                line = line[line.find("Subject:") + 10:]
                pairs = line.split(",")
                for pair in pairs:
                    try:
                        val, var = pair.split("=")
                    except ValueError:
                        continue
                    val = val.strip()
                    var = var.strip()
                    if val in fields:
                        yield (val, var)

    def render_text(self, outfd, data):

        self.table_header(outfd, [("Pid", "8"),
                                  ("Process", "16"),
                                  ("Address", "[addrpad]"),
                                  ("Type", "20"),
                                  ("Length", "8"),
                                  ("File", "24"),
                                  ("Subject", "")])

        for process, cert in data:
            if cert.obj_name == "_X509_PUBLIC_CERT":
                ext = ".crt"
            else:
                ext = ".key"

            if process:
                file_name = "{0}-{1:x}{2}".format(process.UniqueProcessId,
                                                  cert.obj_offset, ext)
            else:
                file_name = "phys.{0:x}{1}".format(cert.obj_offset, ext)

            full_path = os.path.join(self._config.DUMP_DIR, file_name)

            with open(full_path, "wb") as cert_file:
                cert_file.write(cert.object_as_string())

            if self._config.SSL:
                openssl_string = cert.as_openssl(full_path)
                parsed_subject = '/'.join([v[1] for v in self.get_parsed_fields(openssl_string)])
            else:
                parsed_subject = ""

            self.table_row(outfd,
                           process.UniqueProcessId if process else "-",
                           process.ImageFileName if process else "-",
                           cert.obj_offset, cert.obj_name,
                           cert.Size, file_name, parsed_subject)

volatility-2.3.1/volatility/plugins/moddump.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# Additional Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import os
import re
import volatility.plugins.procdump as procdump
import volatility.cache as cache
import volatility.win32.modules as modules
import volatility.win32.tasks as tasks
import volatility.utils as utils
import volatility.debug as debug

class ModDump(procdump.ProcExeDump):
    """Dump a kernel driver to an executable file sample"""

    def __init__(self, config, *args, **kwargs):
        procdump.ProcExeDump.__init__(self, config, *args, **kwargs)
        config.remove_option("PID")
        config.remove_option("OFFSET")
        config.add_option('REGEX', short_option = 'r',
                          help = 'Dump modules matching REGEX',
                          action = 'store', type = 'string')
        config.add_option('IGNORE-CASE', short_option = 'i',
                          help = 'Ignore case in pattern match',
                          action = 'store_true', default = False)
        config.add_option('BASE', short_option = 'b', default = None,
                          help = 'Dump driver with BASE address (in hex)',
                          action = 'store', type = 'int')

    @cache.CacheDecorator(lambda self: "tests/moddump/regex={0}/ignore-case={1}/base={2}".format(self._config.REGEX, self._config.IGNORE_CASE, self._config.BASE))
    def calculate(self):
        addr_space = utils.load_as(self._config)

        if self._config.REGEX:
            try:
                if self._config.IGNORE_CASE:
                    mod_re = re.compile(self._config.REGEX, re.I)
                else:
                    mod_re = re.compile(self._config.REGEX)
            except re.error, e:
                debug.error('Error parsing regular expression: {0}'.format(e))

        mods = dict((mod.DllBase.v(), mod) for mod in modules.lsmod(addr_space))
        # We need the process list to find spaces for some drivers. Enumerate them here
        # instead of inside the find_space function, so we only have to do it once.
        procs = list(tasks.pslist(addr_space))

        if self._config.BASE:
            if mods.has_key(self._config.BASE):
                mod_name = mods[self._config.BASE].BaseDllName
            else:
                mod_name = "UNKNOWN"
            yield addr_space, procs, int(self._config.BASE), mod_name
        else:
            for mod in mods.values():
                if self._config.REGEX:
                    if not mod_re.search(str(mod.FullDllName or '')) and not mod_re.search(str(mod.BaseDllName or '')):
                        continue
                yield addr_space, procs, mod.DllBase.v(), mod.BaseDllName

    def render_text(self, outfd, data):
        if self._config.DUMP_DIR == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        self.table_header(outfd, [("Module Base", "[addrpad]"),
                                  ("Module Name", "20"),
                                  ("Result", "")])

        for addr_space, procs, mod_base, mod_name in data:
            space = tasks.find_space(addr_space, procs, mod_base)
            if space == None:
                result = "Error: Cannot acquire AS"
            else:
                dump_file = "driver.{0:x}.sys".format(mod_base)
                result = self.dump_pe(space, mod_base, dump_file)
            self.table_row(outfd, mod_base, mod_name, result)

volatility-2.3.1/volatility/plugins/overlays/

volatility-2.3.1/volatility/plugins/overlays/basic.py

# Volatility
#
# Authors:
# Michael Cohen
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

""" This file defines some basic types which might be useful for many
OS's
"""
import struct, socket, datetime

import volatility.obj as obj
import volatility.debug as debug #pylint: disable-msg=W0611
import volatility.constants as constants
import volatility.plugins.overlays.native_types as native_types
import volatility.utils as utils
import volatility.timefmt as timefmt

class String(obj.BaseObject):
    """Class for dealing with Strings"""
    def __init__(self, theType, offset, vm = None, encoding = 'ascii',
                 length = 1, parent = None, profile = None, **kwargs):

        ## Allow length to be a callable:
        if callable(length):
            length = length(parent)

        self.length = length
        self.encoding = encoding

        ## length must be an integer
        obj.BaseObject.__init__(self, theType, offset, vm, parent = parent, profile = profile, **kwargs)

    def proxied(self, name): #pylint: disable-msg=W0613
        """ Return an object to be proxied """
        return self.__str__()

    def v(self):
        """
        Use zread to help emulate reading null-terminated C
        strings across page boundaries.

        @returns: If all bytes are available, return the full string
        as a raw byte buffer. If the end of the string is in a page
        that isn't available, return as much of the string as possible,
        padded with nulls to the string's length.

        If the string length is 0, vtop() fails, or the physical addr
        of the string is not valid, return NoneObject.

        Note: to get a null terminated string, use the __str__ method.
        """
        result = self.obj_vm.zread(self.obj_offset, self.length)
        if not result:
            return obj.NoneObject("Cannot read string length {0} at {1:#x}".format(self.length, self.obj_offset))
        return result

    def __len__(self):
        """This returns the length of the string"""
        return len(unicode(self))

    def __str__(self):
        """
        This function ensures that we always return a string from the __str__ method.
        Any unusual/unicode characters in the input are replaced with ?.
        Note: this effectively masks the NoneObject alert from .v()
        """
        return unicode(self).encode('ascii', 'replace') or ""

    def __unicode__(self):
        """ This function returns the unicode encoding of the data retrieved by .v()
        Any unusual characters in the input are replaced with \ufffd.
        """
        return self.v().decode(self.encoding, 'replace').split("\x00", 1)[0] or u''

    def __format__(self, formatspec):
        return format(self.__str__(), formatspec)

    def __cmp__(self, other):
        if str(self) == other:
            return 0
        return -1 if str(self) < other else 1

    def __add__(self, other):
        """Set up mappings for concat"""
        return str(self) + other

    def __radd__(self, other):
        """Set up mappings for reverse concat"""
        return other + str(self)

class Flags(obj.NativeType):
    """ This object decodes each flag into a string """
    ## This dictionary maps each bit to a String
    bitmap = None

    ## This dictionary maps a string mask name to a bit range
    ## consisting of a list of start, width bits
    maskmap = None

    def __init__(self, theType = None, offset = 0, vm = None, parent = None,
                 bitmap = None, maskmap = None, target = "unsigned long",
                 **kwargs):
        self.bitmap = bitmap or {}
        self.maskmap = maskmap or {}
        self.target = target

        self.target_obj = obj.Object(target, offset = offset, vm = vm, parent = parent)
        obj.NativeType.__init__(self, theType, offset, vm, parent, **kwargs)

    def v(self):
        return self.target_obj.v()

    def __str__(self):
        result = []
        value = self.v()
        keys = self.bitmap.keys()
        keys.sort()
        for k in keys:
            if value & (1 << self.bitmap[k]):
                result.append(k)

        return ', '.join(result)

    def __format__(self, formatspec):
        return format(self.__str__(), formatspec)

    def __getattr__(self, attr):
        maprange = self.maskmap.get(attr)
        if not maprange:
            return obj.NoneObject("Mask {0} not known".format(attr))

        bits = 2 ** maprange[1] - 1
        mask = bits << maprange[0]

        return self.v() & mask

class IpAddress(obj.NativeType):
    """Provides proper output for IpAddress objects"""

    def __init__(self, theType, offset, vm, **kwargs):
        obj.NativeType.__init__(self, theType, offset, vm, format_string = vm.profile.native_types['unsigned int'][1], **kwargs)

    def v(self):
        return utils.inet_ntop(socket.AF_INET, struct.pack("= 0:
                proc = obj.Object("_EPROCESS", offset = offset + found,
                                  vm = self.obj_vm)
                if 'Idle' in proc.ImageFileName.v():
                    yield proc.Pcb.DirectoryTableBase.v()
                found = data.find(str(self.obj_parent.DTBSignature), found + 1)

            offset += len(data)
            data = self.obj_vm.read(offset, constants.SCAN_BLOCKSIZE)

class UnixTimeStamp(obj.NativeType):
    """Class for handling Unix Time Stamps"""

    def __init__(self, theType, offset, vm, is_utc = False, **kwargs):
        self.is_utc = is_utc
        obj.NativeType.__init__(self, theType, offset, vm, format_string = "I", **kwargs)

    def v(self):
        return obj.NativeType.v(self)

    def __nonzero__(self):
        return self.v() != 0

    def __str__(self):
        return "{0}".format(self)

    def as_datetime(self):
        try:
            dt = datetime.datetime.utcfromtimestamp(self.v())
            if self.is_utc:
                # Only do dt.replace when dealing with UTC
                dt = dt.replace(tzinfo = timefmt.UTC())
        except ValueError, e:
            return obj.NoneObject("Datetime conversion failure: " + str(e))
        return dt

    def __format__(self, formatspec):
        """Formats the datetime according to the timefmt module"""
        dt = self.as_datetime()
        if dt != None:
            return format(timefmt.display_datetime(dt), formatspec)
        return "-"

class BasicObjectClasses(obj.ProfileModification):

    def modification(self, profile):
        profile.object_classes.update({
            'String': String,
            'Flags': Flags,
            'Enumeration': Enumeration,
            'VOLATILITY_MAGIC': VOLATILITY_MAGIC,
            'VolatilityDTB': VolatilityDTB,
            'UnixTimeStamp': UnixTimeStamp,
            })

### DEPRECATED FEATURES ###
#
# These are due from removal after version 2.2,
# please do not rely upon them

x86_native_types_32bit = native_types.x86_native_types
x86_native_types_64bit = native_types.x64_native_types

volatility-2.3.1/volatility/plugins/overlays/linux/

volatility-2.3.1/volatility/plugins/overlays/linux/linux64.py

# Volatility
# Copyright (c) 2011 Michael Cohen
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
Support for 64 bit Linux systems.

@author: Michael Cohen
@license: GNU General Public License 2.0
@contact: scudette@gmail.com
"""

from volatility import obj

class VolatilityDTB(obj.VolatilityMagic):
    """A scanner for DTB values."""

    def generate_suggestions(self):
        """Tries to locate the DTB."""
        profile = self.obj_vm.profile
        yield profile.get_symbol("init_level4_pgt") - 0xffffffff80000000

class Linux64ObjectClasses(obj.ProfileModification):
    """ Makes slight changes to the DTB checker """
    conditions = {'os': lambda x: x == 'linux',
                  'memory_model': lambda x: x == '64bit'}
    before = ['LinuxObjectClasses']

    def modification(self, profile):
        profile.object_classes.update({
            'VolatilityDTB': VolatilityDTB
            })

volatility-2.3.1/volatility/plugins/overlays/linux/elf.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

# ELF64 format: http://downloads.openwatcom.org/ftp/devel/docs/elf-64-gen.pdf

import volatility.obj as obj

class elf64_hdr(obj.CType):
    """An ELF64 header"""

    def program_headers(self):
        return obj.Object("Array", targetType = "elf64_phdr",
                          offset = self.obj_offset + self.e_phoff,
                          count = self.e_phnum, vm = self.obj_vm)

class elf64_note(obj.CType):
    """An ELF64 note header"""

    def cast_descsz(self, obj_type):
        """Cast the descsz member as a specified type.

        @param obj_type: name of the object

        The descsz member is at a variable offset, which depends
        on the length of the namesz string which precedes it. The
        string is 8-byte aligned and can be zero.
        """

        desc_offset = (self.obj_offset +
                       self.obj_vm.profile.get_obj_size("elf64_note") +
                       ((((self.n_namesz - 1) >> 3) + 1) << 3))

        return obj.Object(obj_type, offset = desc_offset, vm = self.obj_vm)

class ELF64Modification(obj.ProfileModification):
    def modification(self, profile):
        profile.vtypes.update({
            'elf64_hdr' : [ 64, {
                'e_ident' : [ 0, ['String', dict(length = 16)]],
                'e_type' : [ 16, ['Enumeration', dict(target = 'unsigned short', choices = {
                    0: 'ET_NONE',
                    1: 'ET_REL',
                    2: 'ET_EXEC',
                    3: 'ET_DYN',
                    4: 'ET_CORE',
                    0xff00: 'ET_LOPROC',
                    0xffff: 'ET_HIPROC'})]],
                'e_machine' : [ 18, ['unsigned short']],
                'e_version' : [ 20, ['unsigned int']],
                'e_entry' : [ 24, ['unsigned long long']],
                'e_phoff' : [ 32, ['unsigned long long']],
                'e_shoff' : [ 40, ['unsigned long long']],
                'e_flags' : [ 48, ['unsigned int']],
                'e_ehsize' : [ 52, ['unsigned short']],
                'e_phentsize' : [ 54, ['unsigned short']],
                'e_phnum' : [ 56, ['unsigned short']],
                'e_shentsize' : [ 58, ['unsigned short']],
                'e_shnum' : [ 60, ['unsigned short']],
                'e_shstrndx' : [ 62, ['unsigned short']],
                }],
            'elf64_phdr' : [ 56, {
                'p_type' : [ 0, ['Enumeration', dict(target = 'unsigned int', choices = {
                    0: 'PT_NULL',
                    1: 'PT_LOAD',
                    2: 'PT_DYNAMIC',
                    3: 'PT_INTERP',
                    4: 'PT_NOTE',
                    5: 'PT_SHLIB',
                    6: 'PT_PHDR',
                    7: 'PT_TLS',
                    0x60000000: 'PT_LOOS',
                    0x6fffffff: 'PT_HIOS',
                    0x70000000: 'PT_LOPROC',
                    0x7fffffff: 'PT_HIPROC'})]],
                'p_flags' : [ 4, ['unsigned int']],
                'p_offset' : [ 8, ['unsigned long long']],
                'p_vaddr' : [ 16, ['unsigned long long']],
                'p_paddr' : [ 24, ['unsigned long long']],
                'p_filesz' : [ 32, ['unsigned long long']],
                'p_memsz' : [ 40, ['unsigned long long']],
                'p_align' : [ 48, ['unsigned long long']],
                }],
            'elf64_note' : [ 12, {
                'n_namesz' : [ 0, ['unsigned int']],
                'n_descsz' : [ 4, ['unsigned int']],
                'n_type' : [ 8, ['unsigned int']],
                ## FIXME: this must be cast to int() because the base AS (FileAddressSpace) read method doesn't understand NativeType.
                ## Remove the cast after http://code.google.com/p/volatility/issues/detail?id=350 is fixed.
                'namesz' : [ 12, ['String', dict(length = lambda x : int(x.n_namesz))]],
                }],
            })
        profile.object_classes.update({'elf64_hdr': elf64_hdr, 'elf64_note': elf64_note})

volatility-2.3.1/volatility/plugins/overlays/linux/__init__.py

volatility-2.3.1/volatility/plugins/overlays/linux/linux.py

# Volatility
# Copyright (C) 2010 Brendan Dolan-Gavitt
# Copyright (c) 2011 Michael Cohen
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: brendandg@gatech.edu
@organization: Georgia Institute of Technology
"""

import os, struct, socket
import copy
import zipfile

import volatility.plugins
import volatility.plugins.overlays.basic as basic
import volatility.plugins.overlays.native_types as native_types
import volatility.exceptions as exceptions
import volatility.obj as obj
import volatility.debug as debug
import volatility.dwarf as dwarf
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.flags as linux_flags
import volatility.addrspace as addrspace
import volatility.utils as utils
import volatility.protos as protos

x64_native_types = copy.deepcopy(native_types.x64_native_types)

x64_native_types['long'] = [8, ' output.dwarf
    """

    dwarfdata = None
    sysmapdata = None

    # XXX Do we want to initialize this
    memmodel, arch = "32bit", "x86"
    profilename = os.path.splitext(os.path.basename(profpkg.filename))[0]

    for f in profpkg.filelist:
        if f.filename.lower().endswith('.dwarf'):
            dwarfdata = profpkg.read(f.filename)
        elif 'system.map' in f.filename.lower():
            sysmapdata = profpkg.read(f.filename)
            arch, memmodel, sysmap = parse_system_map(profpkg.read(f.filename), "kernel")

    if memmodel == "64bit":
        arch = "x64"

    if not sysmapdata or not dwarfdata:
        # Might be worth throwing an exception here?
        return None

    class AbstractLinuxProfile(obj.Profile):
        __doc__ = "A Profile for Linux " + profilename + " " + arch
        _md_os = "linux"
        _md_memory_model = memmodel
        _md_arch = arch
        # Override 64-bit native_types
        native_mapping = {'32bit': native_types.x86_native_types,
                          '64bit': x64_native_types}

        def __init__(self, *args, **kwargs):
            # change the name to catch any code referencing the old hash table
            self.sys_map = {}
            obj.Profile.__init__(self, *args, **kwargs)

        def clear(self):
            """Clear out the system map, and everything else"""
            self.sys_map = {}
            obj.Profile.clear(self)

        def reset(self):
            """Reset the vtypes, sysmap and apply modifications, then compile"""
            self.clear()
            self.load_vtypes()
            self.load_sysmap()
            self.load_modifications()
            self.compile()

        def _merge_anonymous_members(self, vtypesvar):
            members_index = 1
            types_index = 1
            offset_index = 0

            try:
                for candidate in vtypesvar:
                    done = False
                    while not done:
                        if any(member.startswith('__unnamed_') for member in vtypesvar[candidate][members_index]):
                            for member in vtypesvar[candidate][members_index].keys():
                                if member.startswith('__unnamed_'):
                                    member_type = vtypesvar[candidate][members_index][member][types_index][0]
                                    location = vtypesvar[candidate][members_index][member][offset_index]
                                    vtypesvar[candidate][members_index].update(vtypesvar[member_type][members_index])
                                    for name in vtypesvar[member_type][members_index].keys():
                                        vtypesvar[candidate][members_index][name][offset_index] += location
                                    del vtypesvar[candidate][members_index][member]
                            # Don't update done because we'll need to check if any
                            # of the newly imported types need merging
                        else:
                            done = True
            except KeyError, e:
                import pdb
                pdb.set_trace()
                raise exceptions.VolatilityException("Inconsistent linux profile - unable to look up " + str(e))

        def load_vtypes(self):
            """Loads up the vtypes data"""
            ntvar = self.metadata.get('memory_model', '32bit')
            self.native_types = copy.deepcopy(self.native_mapping.get(ntvar))

            vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
            self._merge_anonymous_members(vtypesvar)
            self.vtypes.update(vtypesvar)
            debug.debug("{2}: Found dwarf file {0} with {1} symbols".format(f.filename, len(vtypesvar.keys()), profilename))

        def load_sysmap(self):
            """Loads up the system map data"""
            arch, _memmodel, sysmapvar = parse_system_map(sysmapdata, "kernel")
            debug.debug("{2}: Found system file {0} with {1} symbols".format(f.filename, len(sysmapvar.keys()), profilename))

            self.sys_map.update(sysmapvar)

        def get_all_symbols(self, module = "kernel"):
            """ Gets all the symbol tuples for the given module """
            ret = []

            symtable = self.sys_map

            if module in symtable:
                mod = symtable[module]

                for (name, addrs) in mod.items():
                    ret.append(addrs)
            else:
                debug.info("All symbols requested for non-existent module %s" % module)

            return ret

        def get_all_addresses(self, module = "kernel"):
            """ Gets all the symbol addresses for the given module """
            # returns a hash table for quick looks
            # the main use of this function is to see if an address is known
            ret = {}

            symbols = self.get_all_symbols(module)

            for sym in symbols:
                for (addr, addrtype) in sym:
                    ret[addr] = 1

            return ret

        def get_symbol_by_address(self, module, sym_address):
            ret = ""
            symtable = self.sys_map

            mod = symtable[module]

            for (name, addrs) in mod.items():
                for (addr, addr_type) in addrs:
                    if sym_address == addr:
                        ret = name
                        break

            return ret

        def get_all_symbol_names(self, module = "kernel"):
            symtable = self.sys_map

            if module in symtable:
                ret = symtable[module].keys()
            else:
                debug.error("get_all_symbol_names called on non-existent module")

            return ret

        def get_next_symbol_address(self, sym_name, module = "kernel"):
            """
            This is used to find the address of the next symbol in the profile
            For some data structures, we cannot determine their size automatically so this
            can be used to figure it out on the fly
            """
            high_addr = 0xffffffffffffffff
            table_addr = self.get_symbol(sym_name, module = module)

            addrs = self.get_all_addresses(module = module)

            for addr in addrs.keys():
                if table_addr < addr < high_addr:
                    high_addr = addr

            return high_addr

        def get_symbol(self, sym_name, nm_type = "", module = "kernel"):
            """Gets a symbol out of the profile

            sym_name -> name of the symbol
            nm_type  -> types as defined by 'nm' (man nm for examples)
            module   -> which module to get the symbol from, default is kernel, otherwise can be any name seen in 'lsmod'

            This fixes a few issues from the old static hash table method:
            1) Conflicting symbols can be handled, if a symbol is found to conflict on any profile,
               then the plugin will need to provide the nm_type to differentiate, otherwise the plugin will be errored out
            2) Can handle symbols gathered from modules on disk as well from the static kernel

            symtable is stored as a hash table of:

            symtable[module][sym_name] = [(symbol address, symbol type), (symbol address, symbol type), ...]

            The function has overly verbose error checking on purpose...
            """
            symtable = self.sys_map

            ret = None

            # check if the module is there...
            if module in symtable:
                mod = symtable[module]

                # check if the requested symbol is in the module
                if sym_name in mod:
                    sym_list = mod[sym_name]

                    # if a symbol has multiple definitions, then the plugin needs to specify the type
                    if len(sym_list) > 1:
                        if nm_type == "":
                            debug.error("Requested symbol {0:s} in module {1:s} has multiple definitions and no type given\n".format(sym_name, module))
                        else:
                            for (addr, stype) in sym_list:
                                if stype == nm_type:
                                    ret = addr
                                    break

                            if ret == None:
                                debug.error("Requested symbol {0:s} in module {1:s} could not be found\n".format(sym_name, module))
                    else:
                        # get the address of the symbol
                        ret = sym_list[0][0]
                else:
                    debug.debug("Requested symbol {0:s} not found in module {1:s}\n".format(sym_name, module))
            else:
                debug.info("Requested module {0:s} not found in symbol table\n".format(module))

            return ret

    cls = AbstractLinuxProfile
    cls.__name__ = 'Linux' + profilename.replace('.', '_') + arch
    return cls

################################

# Track down the zip files
# Push them through the factory
# Check whether
# ProfileModifications will work

new_classes = []

for path in set(volatility.plugins.__path__):
    for path, _, files in os.walk(path):
        for fn in files:
            if zipfile.is_zipfile(os.path.join(path, fn)):
                new_classes.append(LinuxProfileFactory(zipfile.ZipFile(os.path.join(path, fn))))

################################

# really 'file' but don't want to mess with python's version
class linux_file(obj.CType):

    @property
    def dentry(self):
        if hasattr(self, "f_dentry"):
            ret = self.f_dentry
        else:
            ret = self.f_path.dentry

        return ret

    @property
    def vfsmnt(self):
        if hasattr(self, "f_vfsmnt"):
            ret = self.f_vfsmnt
        else:
            ret = self.f_path.mnt

        return ret

# FIXME - walking backwards has not been thoroughly tested
class hlist_node(obj.CType):
    """A hlist_node makes a doubly linked list."""
    def list_of_type(self, obj_type, member, offset = -1, forward = True, head_sentinel = True):

        if not self.is_valid():
            return

        ## Get the first element
        if forward:
            nxt = self.next.dereference()
        else:
            nxt = self.pprev.dereference().dereference()

        offset = self.obj_vm.profile.get_obj_offset(obj_type, member)

        seen = set()
        if head_sentinel:
            # We're a header element and not to be included in the list
            seen.add(self.obj_offset)

        while nxt.is_valid() and nxt.obj_offset not in seen:
            ## Instantiate the object
            item = obj.Object(obj_type, offset = nxt.obj_offset - offset,
                              vm = self.obj_vm,
                              parent = self.obj_parent,
                              name = obj_type)

            seen.add(nxt.obj_offset)

            yield item

            if forward:
                nxt = item.m(member).next.dereference()
            else:
                nxt = item.m(member).pprev.dereference().dereference()

    def __nonzero__(self):
        ## List entries are valid when both Flinks and Blink are valid
        return bool(self.next) or bool(self.pprev)

    def __iter__(self):
        return self.list_of_type(self.obj_parent.obj_name, self.obj_name)

class list_head(obj.CType):
    """A list_head makes a doubly linked list."""
    def list_of_type(self, obj_type, member, offset = -1, forward = True, head_sentinel = True):

        if not self.is_valid():
            return

        ## Get the first element
        if forward:
            nxt = self.next.dereference()
        else:
            nxt = self.prev.dereference()

        offset = self.obj_vm.profile.get_obj_offset(obj_type, member)

        seen = set()
        if head_sentinel:
            # We're a header element and not to be included in the list
            seen.add(self.obj_offset)

        while nxt.is_valid() and nxt.obj_offset not in seen:
            ## Instantiate the object
            item = obj.Object(obj_type, offset = nxt.obj_offset - offset,
                              vm = self.obj_vm,
                              parent = self.obj_parent,
                              name = obj_type)

            seen.add(nxt.obj_offset)

            yield item

            if forward:
                nxt = item.m(member).next.dereference()
            else:
                nxt = item.m(member).prev.dereference()

    def __nonzero__(self):
        ## List entries are valid when both Flinks and Blink are valid
        return bool(self.next) or bool(self.prev)

    def __iter__(self):
        return self.list_of_type(self.obj_parent.obj_name, self.obj_name)

class files_struct(obj.CType):

    def get_fds(self):
        if hasattr(self, "fdt"):
            fdt = self.fdt
            ret = fdt.fd.dereference()
        else:
            ret = self.fd.dereference()

        return ret

    def get_max_fds(self):
        if hasattr(self, "fdt"):
            ret = self.fdt.max_fds
        else:
            ret = self.max_fds

        return ret

class kernel_param(obj.CType):

    @property
    def get(self):
        if self.members.get("get"):
            ret = self.m("get")
        else:
            ret = self.ops.get

        return ret

class kparam_array(obj.CType):

    @property
    def get(self):
        if self.members.get("get"):
            ret = self.m("get")
        else:
            ret = self.ops.get

        return ret

class gate_struct64(obj.CType):

    @property
    def Address(self):
        low = self.offset_low
        middle = self.offset_middle
        high = self.offset_high

        ret = (high << 32) | (middle << 16) | low

        return ret

class desc_struct(obj.CType):

    @property
    def Address(self):
        return (self.b & 0xffff0000) | (self.a & 0x0000ffff)

class module_sect_attr(obj.CType):

    def get_name(self):
        if type(self.m("name")) == obj.Array:
            name = obj.Object("String", offset = self.m("name").obj_offset, vm = self.obj_vm, length = 32)
        else:
            name = self.name.dereference_as("String", length = 255)

        return name

class inet_sock(obj.CType):
    """Class for an internet socket object"""

    @property
    def protocol(self):
        """Return the protocol string (i.e. IPv4, IPv6)"""
        return protos.protos.get(self.sk.sk_protocol.v(), "UNKNOWN")

    @property
    def state(self):
        state = self.sk.__sk_common.skc_state #pylint: disable-msg=W0212
        return linux_flags.tcp_states[state]

    @property
    def src_port(self):
        if hasattr(self, "sport"):
            return socket.htons(self.sport)
        elif hasattr(self, "inet_sport"):
            return socket.htons(self.inet_sport)
        else:
            return None

    @property
    def dst_port(self):
        if hasattr(self, "dport"):
            return socket.htons(self.dport)
        elif hasattr(self, "inet_dport"):
            return socket.htons(self.inet_dport)
        elif hasattr(self, "sk") and hasattr(self.sk, "__sk_common") and hasattr(self.sk.__sk_common, "skc_dport"):
            return self.sk.__sk_common.skc_dport
        else:
            return None

    @property
    def src_addr(self):
        if self.sk.__sk_common.skc_family == socket.AF_INET:
            # FIXME: Consider using kernel version metadata rather than checking hasattr
            if hasattr(self, "rcv_saddr"):
                saddr = self.rcv_saddr
            elif hasattr(self, "inet_rcv_saddr"):
                saddr = self.inet_rcv_saddr
            else:
                saddr = self.sk.__sk_common.skc_rcv_saddr

            return saddr.cast("IpAddress")
        else:
            return self.pinet6.saddr.cast("Ipv6Address")

    @property
    def dst_addr(self):
        if self.sk.__sk_common.skc_family == socket.AF_INET:
            # FIXME: Consider using kernel version metadata rather than checking hasattr
            if hasattr(self, "daddr") and self.daddr:
                daddr = self.daddr
            elif hasattr(self, "inet_daddr") and self.inet_daddr:
                daddr = self.inet_daddr
            else:
                daddr = self.sk.__sk_common.skc_daddr

            return daddr.cast("IpAddress")
        else:
            return self.pinet6.daddr.cast("Ipv6Address")

class tty_ldisc(obj.CType):

    @property
    def ops(self):
        check = self.members.get("ops")

        if check:
            ret = self.m('ops')
        else:
            ret = self

        return ret

class in_device(obj.CType):

    def devices(self):
        cur = self.ifa_list
        while cur != None and cur.is_valid():
            yield cur
            cur = cur.ifa_next

class net_device(obj.CType):

    @property
    def mac_addr(self):
        if self.members.has_key("perm_addr"):
            hwaddr = self.perm_addr
        else:
            hwaddr = self.dev_addr

        macaddr = ":".join(["{0:02x}".format(x) for x in hwaddr][:6])

        return macaddr

    @property
    def promisc(self):
        return self.flags & 0x100 == 0x100 # IFF_PROMISC

class task_struct(obj.CType):

    def is_valid_task(self):
        ret = self.fs.v() != 0 and self.files.v() != 0

        if ret and self.members.get("cred"):
            ret = self.cred.is_valid()

        return ret

    @property
    def uid(self):
        ret = self.members.get("uid")
        if ret is None:
            ret = self.cred.uid
        else:
            ret = self.m("uid")

        return ret

    @property
    def gid(self):
        ret = self.members.get("gid")
        if ret is None:
            gid = self.cred.gid
            if hasattr(gid, 'counter'):
                ret = obj.Object("int", offset = gid.v(), vm = self.obj_vm)
            else:
                ret = gid
        else:
            ret = self.m("gid")

        return ret

    @property
    def euid(self):
        ret = self.members.get("euid")
        if ret is None:
            ret = self.cred.euid
        else:
            ret = self.m("euid")

        return ret

    def get_process_address_space(self):
        ## If we've got a NoneObject, return it to maintain the reason
        if self.mm.pgd.v() == None:
            return self.mm.pgd.v()

        directory_table_base = self.obj_vm.vtop(self.mm.pgd.v())

        try:
            process_as = self.obj_vm.__class__(
                self.obj_vm.base, self.obj_vm.get_config(), dtb = directory_table_base)

        except AssertionError, _e:
            return obj.NoneObject("Unable to get process AS")

        process_as.name = "Process {0}".format(self.pid)

        return process_as

    def get_proc_maps(self):
        for vma in linux_common.walk_internal_list("vm_area_struct", "vm_next", self.mm.mmap):
            yield vma

    def search_process_memory(self, s, heap_only = False):

        # Allow for some overlap in case objects are
        # right on page boundaries
        overlap = 1024

        # Make sure s is a list. This allows you to search for
        # multiple strings at once, without changing the API.
        if type(s) != list:
            debug.warning("Single strings to search_process_memory is deprecated, use a list instead")
            s = [s]

        scan_blk_sz = 1024 * 1024 * 10

        addr_space = self.get_process_address_space()

        for vma in self.get_proc_maps():
            if heap_only:
                if not (vma.vm_start <= self.mm.start_brk and vma.vm_end >= self.mm.brk):
                    continue

            offset = vma.vm_start
            out_of_range = vma.vm_start + (vma.vm_end - vma.vm_start)
            while offset < out_of_range:
                # Read some data and match it.
                to_read = min(scan_blk_sz + overlap, out_of_range - offset)
                data = addr_space.zread(offset, to_read)
                if not data:
                    break
                for x in s:
                    for hit in utils.iterfind(data, x):
                        yield offset + hit
                offset += min(to_read, scan_blk_sz)

    def ACTHZ(self, CLOCK_TICK_RATE, HZ):
        LATCH = ((CLOCK_TICK_RATE + HZ/2) / HZ)
        return self.SH_DIV(CLOCK_TICK_RATE, LATCH, 8)

    def SH_DIV(self, NOM, DEN, LSH):
        return ((NOM / DEN) << LSH) + (((NOM % DEN) << LSH) + DEN / 2) / DEN

    def TICK_NSEC(self):
        HZ = 1000
        CLOCK_TICK_RATE = 1193182
        return self.SH_DIV(1000000 * 1000, self.ACTHZ(CLOCK_TICK_RATE, HZ), 8)

    def get_time_vars(self):
        '''
        Sometime in 3.[3-5], Linux switched to a global timekeeper structure
        This just figures out which is in use and returns the correct variables
        '''
        wall_addr = self.obj_vm.profile.get_symbol("wall_to_monotonic")
        sleep_addr = self.obj_vm.profile.get_symbol("total_sleep_time")

        # old way
        if wall_addr and sleep_addr:
            wall = obj.Object("timespec", offset = wall_addr, vm = self.obj_vm)
            timeo = obj.Object("timespec", offset = sleep_addr, vm = self.obj_vm)

        elif wall_addr:
            wall = obj.Object("timespec", offset = wall_addr, vm = self.obj_vm)

            init_task_addr = self.obj_vm.profile.get_symbol("init_task")
            init_task = obj.Object("task_struct", offset = init_task_addr, vm = self.obj_vm)

            time_val = init_task.utime + init_task.stime

            nsec = time_val * self.TICK_NSEC()

            tv_sec = nsec / linux_common.nsecs_per
            tv_nsec = nsec % linux_common.nsecs_per

            timeo = linux_common.vol_timespec(tv_sec, tv_nsec)

        # timekeeper way
        else:
            timekeeper_addr = self.obj_vm.profile.get_symbol("timekeeper")

            timekeeper = obj.Object("timekeeper", offset = timekeeper_addr, vm = self.obj_vm)

            wall = timekeeper.wall_to_monotonic
            timeo = timekeeper.total_sleep_time

        return (wall, timeo)

    # based on 2.6.35 getboottime
    def get_boot_time(self):

        (wall, timeo) = self.get_time_vars()

        secs = wall.tv_sec + timeo.tv_sec
        nsecs = wall.tv_nsec + timeo.tv_nsec

        secs = secs * -1
        nsecs = nsecs * -1

        while nsecs >= linux_common.nsecs_per:
            nsecs = nsecs - linux_common.nsecs_per
            secs = secs + 1

        while nsecs < 0:
            nsecs = nsecs + linux_common.nsecs_per
            secs = secs - 1

        boot_time = secs + (nsecs / linux_common.nsecs_per / 100)

        return boot_time

    def get_task_start_time(self):

        start_time = self.start_time

        start_secs = start_time.tv_sec + (start_time.tv_nsec / linux_common.nsecs_per / 100)

        sec = self.get_boot_time() + start_secs

        # convert the integer as little endian
        try:
            data = struct.pack("> 20

    @property
    def minor(self):
        return self.s_dev & ((1 << 20) - 1)

class inode(obj.CType):

    def is_dir(self):
        """Mimic the S_ISDIR macro"""
        return self.i_mode & linux_flags.S_IFMT == linux_flags.S_IFDIR

    def is_reg(self):
        """Mimic the S_ISREG macro"""
        return self.i_mode & linux_flags.S_IFMT == linux_flags.S_IFREG

class timespec(obj.CType):

    def as_timestamp(self):
        time_val = struct.pack("
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author:       The Volatility Foundation
@license:      GNU General Public License 2.0
@contact:      awalters@4tphi.net

This file provides support for Windows Vista.
"""

#pylint: disable-msg=C0111

import windows
import volatility.debug as debug #pylint: disable-msg=W0611
import volatility.obj as obj

class _MMVAD_SHORT(windows._MMVAD_SHORT):

    @property
    def Parent(self):
        return obj.Object("_MMADDRESS_NODE", vm = self.obj_vm, offset = self.u1.Parent.v() & ~0x3, parent = self.obj_parent)

    @property
    def ControlArea(self):
        return self.Subsection.ControlArea

    @property
    def FileObject(self):
        return self.Subsection.ControlArea.FilePointer.dereference_as("_FILE_OBJECT")

class _MMVAD_LONG(_MMVAD_SHORT):
    pass

class _ETHREAD(windows._ETHREAD):
    """A class for Windows 7 ETHREAD objects"""

    def owning_process(self):
        """Return the EPROCESS that owns this thread"""
        return self.Tcb.Process.dereference_as("_EPROCESS")

class _POOL_HEADER(windows._POOL_HEADER):
    """A class for pool headers"""

    @property
    def NonPagedPool(self):
        return self.PoolType.v() % 2 == 0 and self.PoolType.v() > 0

    @property
    def PagedPool(self):
        return self.PoolType.v() % 2 == 1

class _TOKEN(windows._TOKEN):

    def privileges(self):
        """Generator for privileges.

        @yields a tuple (value, present, enabled, default).
        """
        for i in range(0, 64):
            bit_position = 1 << i
            present = self.Privileges.Present & bit_position != 0
            enabled = self.Privileges.Enabled & bit_position != 0
            default = self.Privileges.EnabledByDefault & bit_position != 0
            yield i, present, enabled, default

class VistaWin7KPCR(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {'os' : lambda x: x == 'windows',
                  'major': lambda x: x == 6}

    def modification(self, profile):
        overlay = {'VOLATILITY_MAGIC': [ None, {
                        'KPCR' : [ None, ['VolatilityKPCR', dict(configname = "KPCR")]],
                      }]}
        profile.merge_overlay(overlay)

class Vistax86DTB(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0,
                  'memory_model': lambda x: x == '32bit',
                  }

    def modification(self, profile):
        overlay = {'VOLATILITY_MAGIC': [ None, {
                        'DTBSignature' : [ None, ['VolatilityMagic', dict(value = "\x03\x00\x20\x00")]],
                      }]}
        profile.merge_overlay(overlay)

class Vistax64DTB(obj.ProfileModification):
    before = ['WindowsOverlay', 'Windows64Overlay']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0,
                  'memory_model': lambda x: x == '64bit',
                  }

    def modification(self, profile):
        overlay = {'VOLATILITY_MAGIC': [ None, {
                        'DTBSignature' : [ None, ['VolatilityMagic', dict(value = "\x03\x00\x30\x00")]],
                      }]}
        profile.merge_overlay(overlay)

class VistaMMVAD(obj.ProfileModification):
    before = ['WindowsOverlay', 'Win2003MMVad']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x >= 6,
                  }

    def modification(self, profile):
        profile.object_classes.update({'_MMVAD_SHORT': _MMVAD_SHORT,
                                       '_MMVAD_LONG' : _MMVAD_LONG,
                                       '_ETHREAD' : _ETHREAD,
                                       '_POOL_HEADER': _POOL_HEADER,
                                       '_TOKEN': _TOKEN})

class VistaKDBG(windows.AbstractKDBGMod):
    before = ['WindowsOverlay']
    conditions = {'os': lambda x : x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0}
    kdbgsize = 0x328

class VistaSP1KDBG(windows.AbstractKDBGMod):
    before = ['WindowsOverlay', 'VistaKDBG']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0,
                  'build': lambda x: x >= 6001,
                  }
    kdbgsize = 0x330

class VistaSP0x86Hiber(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0,
                  'build': lambda x: x == 6000}

    def modification(self, profile):
        overlay = {'VOLATILITY_MAGIC': [ None, {
                        'HibrProcPage' : [ None, ['VolatilityMagic', dict(value = 0x4)]],
                        'HibrEntryCount' : [ None, ['VolatilityMagic', dict(value = 0xff)]],
                      }]}
        profile.merge_overlay(overlay)

class VistaSP1x86Hiber(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0,
                  'build': lambda x: x == 6001}

    def modification(self, profile):
        overlay = {'VOLATILITY_MAGIC': [ None, {
                        'HibrProcPage' : [ None, ['VolatilityMagic', dict(value = 0x1)]],
                        'HibrEntryCount' : [ None, ['VolatilityMagic', dict(value = 0xff)]],
                      }]}
        profile.merge_overlay(overlay)

class VistaSP2x86Hiber(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0,
                  'build': lambda x: x == 6002}

    def modification(self, profile):
        overlay = {'VOLATILITY_MAGIC': [ None, {
                        'HibrProcPage' : [ None, ['VolatilityMagic', dict(value = 0x1)]],
                        'HibrEntryCount' : [ None, ['VolatilityMagic', dict(value = 0x1fe)]],
                      }]}
        profile.merge_overlay(overlay)

class VistaSP0x64Hiber(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0,
                  'build': lambda x: x == 6000}

    def modification(self, profile):
        overlay = {'VOLATILITY_MAGIC': [ None, {
                        'HibrProcPage'
                            : [ None, ['VolatilityMagic', dict(value = 0x4)]],
                        'HibrEntryCount' : [ None, ['VolatilityMagic', dict(value = 0x7f)]],
                      }]}
        profile.merge_overlay(overlay)

class VistaSP1x64Hiber(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0,
                  'build': lambda x: x == 6001}

    def modification(self, profile):
        overlay = {'VOLATILITY_MAGIC': [ None, {
                        'HibrProcPage' : [ None, ['VolatilityMagic', dict(value = 0x1)]],
                        'HibrEntryCount' : [ None, ['VolatilityMagic', dict(value = 0x7f)]],
                      }]}
        profile.merge_overlay(overlay)

class VistaSP2x64Hiber(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0,
                  'build': lambda x: x == 6002}

    def modification(self, profile):
        overlay = {'VOLATILITY_MAGIC': [ None, {
                        'HibrProcPage' : [ None, ['VolatilityMagic', dict(value = 0x1)]],
                        'HibrEntryCount' : [ None, ['VolatilityMagic', dict(value = 0xfe)]],
                      }]}
        profile.merge_overlay(overlay)

class VistaSP0x86(obj.Profile):
    """ A Profile for Windows Vista SP0 x86 """
    _md_major = 6
    _md_minor = 0
    _md_build = 6000
    _md_memory_model = '32bit'
    _md_os = 'windows'
    _md_vtype_module = 'volatility.plugins.overlays.windows.vista_sp0_x86_vtypes'

class VistaSP0x64(obj.Profile):
    """ A Profile for Windows Vista SP0 x64 """
    _md_major = 6
    _md_minor = 0
    _md_build = 6000
    _md_memory_model = '64bit'
    _md_os = 'windows'
    _md_vtype_module = 'volatility.plugins.overlays.windows.vista_sp0_x64_vtypes'

class VistaSP1x86(obj.Profile):
    """ A Profile for Windows Vista SP1 x86 """
    _md_major = 6
    _md_minor = 0
    _md_build = 6001
    _md_memory_model = '32bit'
    _md_os = 'windows'
    _md_vtype_module = 'volatility.plugins.overlays.windows.vista_sp1_x86_vtypes'

class VistaSP1x64(obj.Profile):
    """ A Profile for Windows Vista SP1 x64 """
    _md_major = 6
    _md_minor = 0
    _md_build = 6001
    _md_memory_model = '64bit'
    _md_os = 'windows'
    _md_vtype_module = 'volatility.plugins.overlays.windows.vista_sp1_x64_vtypes'

class VistaSP2x86(obj.Profile):
    """ A Profile for Windows Vista SP2 x86 """
    _md_major = 6
    _md_minor = 0
    _md_build = 6002
    _md_memory_model = '32bit'
    _md_os = 'windows'
    _md_vtype_module = 'volatility.plugins.overlays.windows.vista_sp2_x86_vtypes'

class VistaSP2x64(obj.Profile):
    """ A Profile for Windows Vista SP2 x64 """
    _md_major = 6
    _md_minor = 0
    _md_build = 6002
    _md_memory_model = '64bit'
    _md_os = 'windows'
    _md_vtype_module = 'volatility.plugins.overlays.windows.vista_sp2_x64_vtypes'

class Win2008SP1x64(VistaSP1x64):
    """ A Profile for Windows 2008 SP1 x64 """

class Win2008SP2x64(VistaSP2x64):
    """ A Profile for Windows 2008 SP2 x64 """

class Win2008SP1x86(VistaSP1x86):
    """ A Profile for Windows 2008 SP1 x86 """

class Win2008SP2x86(VistaSP2x86):
    """ A Profile for Windows 2008 SP2 x86 """

volatility-2.3.1/volatility/plugins/overlays/windows/kdbg_vtypes.py

# Volatility
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj

class _KDDEBUGGER_DATA64(obj.CType):
    """A class for KDBG"""

    def is_valid(self):
        """Returns true if the kdbg_object appears valid"""
        # Check the OwnerTag is in fact the string KDBG
        return obj.CType.is_valid(self) and self.Header.OwnerTag == 0x4742444B

    @property
    def ServicePack(self):
        """Get the service pack number. This is something
        like 0x100 for SP1, 0x200 for SP2 etc.
        """
        csdresult = obj.Object("unsigned long", offset = self.CmNtCSDVersion, vm = self.obj_vm)
        return (csdresult >> 8) & 0xffffffff

    def processes(self):
        """Enumerate processes"""
        # This is defined as a pointer to _LIST_ENTRY in the overlay
        list_head = self.PsActiveProcessHead.dereference()
        if not list_head:
            raise AttributeError("Could not list tasks, please verify your --profile with kdbgscan")

        for l in list_head.list_of_type("_EPROCESS", "ActiveProcessLinks"):
            yield l

    def modules(self):
        """Enumerate modules"""
        # This is defined as a pointer to _LIST_ENTRY in the overlay
        list_head = self.PsLoadedModuleList.dereference()
        if not list_head:
            raise AttributeError("Could not list modules, please verify your --profile with kdbgscan")

        for l in list_head.dereference_as("_LIST_ENTRY").list_of_type(
            "_LDR_DATA_TABLE_ENTRY", "InLoadOrderLinks"):
            yield l

    def dbgkd_version64(self):
        """Scan backwards from the base of KDBG to find the _DBGKD_GET_VERSION64.
        We have a winner when kernel base addresses and process list head match."""

        # Account for address masking differences in x86 and x64
        memory_model = self.obj_vm.profile.metadata.get('memory_model', '32bit')

        dbgkd_off = self.obj_offset & 0xFFFFFFFFFFFFF000
        dbgkd_end = dbgkd_off + 0x1000

        # The _DBGKD_GET_VERSION64 structure is autogenerated, so
        # this value should be correct for each profile
        dbgkd_size = self.obj_vm.profile.get_obj_size("_DBGKD_GET_VERSION64")

        while dbgkd_off <= (dbgkd_end - dbgkd_size):

            dbgkd = obj.Object("_DBGKD_GET_VERSION64", offset = dbgkd_off, vm = self.obj_vm)

            if memory_model == "32bit":
                KernBase = dbgkd.KernBase & 0xFFFFFFFF
                PsLoadedModuleList = dbgkd.PsLoadedModuleList & 0xFFFFFFFF
            else:
                KernBase = dbgkd.KernBase
                PsLoadedModuleList = dbgkd.PsLoadedModuleList

            if ((KernBase == self.KernBase) and (PsLoadedModuleList == self.PsLoadedModuleList)):
                return dbgkd

            dbgkd_off += 1

        return obj.NoneObject("Cannot find _DBGKD_GET_VERSION64")

    def kpcrs(self):
        """Generator for KPCRs referenced by this KDBG.

        These are returned in the order in which the
        processors were registered.
        """

        if self.obj_vm.profile.metadata.get('memory_model', '32bit') == '32bit':
            prcb_member = "PrcbData"
        else:
            prcb_member = "Prcb"

        cpu_array = self.KiProcessorBlock.dereference()

        for p in cpu_array:

            # Terminate the loop if an item in the array is
            # invalid (ie paged) or if the pointer is NULL.
            if p == None or p == 0:
                break

            kpcrb = p.dereference_as("_KPRCB")

            yield obj.Object("_KPCR",
                      offset = kpcrb.obj_offset - self.obj_vm.profile.get_obj_offset("_KPCR", prcb_member),
                      vm = self.obj_vm,
                      )

class KDBGObjectClass(obj.ProfileModification):
    """Add the KDBG object class to all Windows profiles"""

    before = ["WindowsObjectClasses"]

    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        profile.object_classes.update({'_KDDEBUGGER_DATA64': _KDDEBUGGER_DATA64})

        # This value is stored in nt!_KeMaximumProcessors
        if profile.metadata.get('memory_model', '32bit') == '32bit':
            max_processors = 32
        else:
            max_processors = 64

        profile.merge_overlay({
            '_KDDEBUGGER_DATA64': [ None, {
                'NtBuildLab': [ None, ['pointer', ['String', dict(length = 32)]]],
                'KiProcessorBlock': [ None, ['pointer', ['array', max_processors, ['pointer', ['_KPRCB']]]]],
                'PsActiveProcessHead': [ None, ['pointer', ['_LIST_ENTRY']]],
                'PsLoadedModuleList': [ None, ['pointer', ['_LIST_ENTRY']]],
                'MmUnloadedDrivers' : [ None, ['pointer', ['pointer', ['array', lambda x : x.MmLastUnloadedDriver.dereference(), ['_UNLOADED_DRIVER']]]]],
                'MmLastUnloadedDriver' : [ None, ['pointer', ['unsigned int']]],
            }]})

class UnloadedDriverVTypes(obj.ProfileModification):
    """Add the unloaded driver structure definitions"""

    conditions = {'os': lambda x: x == "windows"}

    def modification(self, profile):

        if profile.metadata.get("memory_model", "32bit") == "32bit":
            vtypes = {'_UNLOADED_DRIVER' : [ 24, {
                'Name' : [ 0, ['_UNICODE_STRING']],
                'StartAddress' : [ 8, ['address']],
                'EndAddress' : [ 12, ['address']],
                'CurrentTime' : [ 16, ['WinTimeStamp', {}]],
            }]}
        else:
            vtypes = {'_UNLOADED_DRIVER' : [ 40, {
                'Name' : [ 0, ['_UNICODE_STRING']],
                'StartAddress' : [ 16, ['address']],
                'EndAddress' : [ 24, ['address']],
                'CurrentTime' : [ 32, ['WinTimeStamp', {}]],
            }]}

        profile.vtypes.update(vtypes)

kdbg_vtypes = {
  '_DBGKD_DEBUG_DATA_HEADER64' : [ 0x18, {
    'List' : [ 0x0, ['LIST_ENTRY64']],
    'OwnerTag' : [ 0x10, ['unsigned long']],
    'Size' : [
        0x14, ['unsigned long']],
  } ],
  '_KDDEBUGGER_DATA64' : [ 0x340, {
    'Header' : [ 0x0, ['_DBGKD_DEBUG_DATA_HEADER64']],
    'KernBase' : [ 0x18, ['unsigned long long']],
    'BreakpointWithStatus' : [ 0x20, ['unsigned long long']],
    'SavedContext' : [ 0x28, ['unsigned long long']],
    'ThCallbackStack' : [ 0x30, ['unsigned short']],
    'NextCallback' : [ 0x32, ['unsigned short']],
    'FramePointer' : [ 0x34, ['unsigned short']],
    'KiCallUserMode' : [ 0x38, ['unsigned long long']],
    'KeUserCallbackDispatcher' : [ 0x40, ['unsigned long long']],
    'PsLoadedModuleList' : [ 0x48, ['unsigned long long']],
    'PsActiveProcessHead' : [ 0x50, ['unsigned long long']],
    'PspCidTable' : [ 0x58, ['unsigned long long']],
    'ExpSystemResourcesList' : [ 0x60, ['unsigned long long']],
    'ExpPagedPoolDescriptor' : [ 0x68, ['unsigned long long']],
    'ExpNumberOfPagedPools' : [ 0x70, ['unsigned long long']],
    'KeTimeIncrement' : [ 0x78, ['unsigned long long']],
    'KeBugCheckCallbackListHead' : [ 0x80, ['unsigned long long']],
    'KiBugcheckData' : [ 0x88, ['unsigned long long']],
    'IopErrorLogListHead' : [ 0x90, ['unsigned long long']],
    'ObpRootDirectoryObject' : [ 0x98, ['unsigned long long']],
    'ObpTypeObjectType' : [ 0xa0, ['unsigned long long']],
    'MmSystemCacheStart' : [ 0xa8, ['unsigned long long']],
    'MmSystemCacheEnd' : [ 0xb0, ['unsigned long long']],
    'MmSystemCacheWs' : [ 0xb8, ['unsigned long long']],
    'MmPfnDatabase' : [ 0xc0, ['unsigned long long']],
    'MmSystemPtesStart' : [ 0xc8, ['unsigned long long']],
    'MmSystemPtesEnd' : [ 0xd0, ['unsigned long long']],
    'MmSubsectionBase' : [ 0xd8, ['unsigned long long']],
    'MmNumberOfPagingFiles' : [ 0xe0, ['unsigned long long']],
    'MmLowestPhysicalPage' : [ 0xe8, ['unsigned long long']],
    'MmHighestPhysicalPage' : [ 0xf0, ['unsigned long long']],
    'MmNumberOfPhysicalPages' : [ 0xf8, ['unsigned long long']],
    'MmMaximumNonPagedPoolInBytes' : [ 0x100, ['unsigned long long']],
    'MmNonPagedSystemStart' : [ 0x108, ['unsigned long long']],
    'MmNonPagedPoolStart' : [ 0x110, ['unsigned long long']],
    'MmNonPagedPoolEnd' : [ 0x118, ['unsigned long long']],
    'MmPagedPoolStart' : [ 0x120, ['unsigned long long']],
    'MmPagedPoolEnd' : [ 0x128, ['unsigned long long']],
    'MmPagedPoolInformation' : [ 0x130, ['unsigned long long']],
    'MmPageSize' : [ 0x138, ['unsigned long long']],
    'MmSizeOfPagedPoolInBytes' : [ 0x140, ['unsigned long long']],
    'MmTotalCommitLimit' : [ 0x148, ['unsigned long long']],
    'MmTotalCommittedPages' : [ 0x150, ['unsigned long long']],
    'MmSharedCommit' : [ 0x158, ['unsigned long long']],
    'MmDriverCommit' : [ 0x160, ['unsigned long long']],
    'MmProcessCommit' : [ 0x168, ['unsigned long long']],
    'MmPagedPoolCommit' : [ 0x170, ['unsigned long long']],
    'MmExtendedCommit' : [ 0x178, ['unsigned long long']],
    'MmZeroedPageListHead' : [ 0x180, ['unsigned long long']],
    'MmFreePageListHead' : [ 0x188, ['unsigned long long']],
    'MmStandbyPageListHead' : [ 0x190, ['unsigned long long']],
    'MmModifiedPageListHead' : [ 0x198, ['unsigned long long']],
    'MmModifiedNoWritePageListHead' : [ 0x1a0, ['unsigned long long']],
    'MmAvailablePages' : [ 0x1a8, ['unsigned long long']],
    'MmResidentAvailablePages' : [ 0x1b0, ['unsigned long long']],
    'PoolTrackTable' : [ 0x1b8, ['unsigned long long']],
    'NonPagedPoolDescriptor' : [ 0x1c0, ['unsigned long long']],
    'MmHighestUserAddress' : [ 0x1c8, ['unsigned long long']],
    'MmSystemRangeStart' : [ 0x1d0, ['unsigned long long']],
    'MmUserProbeAddress' : [ 0x1d8, ['unsigned long long']],
    'KdPrintCircularBuffer' : [ 0x1e0, ['unsigned long long']],
    'KdPrintCircularBufferEnd' : [ 0x1e8, ['unsigned long long']],
    'KdPrintWritePointer' : [ 0x1f0, ['unsigned long long']],
    'KdPrintRolloverCount' : [ 0x1f8, ['unsigned long long']],
    'MmLoadedUserImageList' : [ 0x200, ['unsigned long long']],
    'NtBuildLab' : [ 0x208, ['unsigned long long']],
    'KiNormalSystemCall' : [ 0x210, ['unsigned long long']],
    'KiProcessorBlock' : [ 0x218, ['unsigned long long']],
    'MmUnloadedDrivers' : [ 0x220, ['unsigned long long']],
    'MmLastUnloadedDriver' : [ 0x228,
        ['unsigned long long']],
    'MmTriageActionTaken' : [ 0x230, ['unsigned long long']],
    'MmSpecialPoolTag' : [ 0x238, ['unsigned long long']],
    'KernelVerifier' : [ 0x240, ['unsigned long long']],
    'MmVerifierData' : [ 0x248, ['unsigned long long']],
    'MmAllocatedNonPagedPool' : [ 0x250, ['unsigned long long']],
    'MmPeakCommitment' : [ 0x258, ['unsigned long long']],
    'MmTotalCommitLimitMaximum' : [ 0x260, ['unsigned long long']],
    'CmNtCSDVersion' : [ 0x268, ['unsigned long long']],
    'MmPhysicalMemoryBlock' : [ 0x270, ['unsigned long long']],
    'MmSessionBase' : [ 0x278, ['unsigned long long']],
    'MmSessionSize' : [ 0x280, ['unsigned long long']],
    'MmSystemParentTablePage' : [ 0x288, ['unsigned long long']],
    'MmVirtualTranslationBase' : [ 0x290, ['unsigned long long']],
    'OffsetKThreadNextProcessor' : [ 0x298, ['unsigned short']],
    'OffsetKThreadTeb' : [ 0x29a, ['unsigned short']],
    'OffsetKThreadKernelStack' : [ 0x29c, ['unsigned short']],
    'OffsetKThreadInitialStack' : [ 0x29e, ['unsigned short']],
    'OffsetKThreadApcProcess' : [ 0x2a0, ['unsigned short']],
    'OffsetKThreadState' : [ 0x2a2, ['unsigned short']],
    'OffsetKThreadBStore' : [ 0x2a4, ['unsigned short']],
    'OffsetKThreadBStoreLimit' : [ 0x2a6, ['unsigned short']],
    'SizeEProcess' : [ 0x2a8, ['unsigned short']],
    'OffsetEprocessPeb' : [ 0x2aa, ['unsigned short']],
    'OffsetEprocessParentCID' : [ 0x2ac, ['unsigned short']],
    'OffsetEprocessDirectoryTableBase' : [ 0x2ae, ['unsigned short']],
    'SizePrcb' : [ 0x2b0, ['unsigned short']],
    'OffsetPrcbDpcRoutine' : [ 0x2b2, ['unsigned short']],
    'OffsetPrcbCurrentThread' : [ 0x2b4, ['unsigned short']],
    'OffsetPrcbMhz' : [ 0x2b6, ['unsigned short']],
    'OffsetPrcbCpuType' : [ 0x2b8, ['unsigned short']],
    'OffsetPrcbVendorString' : [ 0x2ba, ['unsigned short']],
    'OffsetPrcbProcStateContext' : [ 0x2bc, ['unsigned short']],
    'OffsetPrcbNumber' : [ 0x2be, ['unsigned short']],
    'SizeEThread' : [ 0x2c0, ['unsigned short']],
    'KdPrintCircularBufferPtr' : [ 0x2c8, ['unsigned long long']],
    'KdPrintBufferSize'
: [ 0x2d0, ['unsigned long long']], 'KeLoaderBlock' : [ 0x2d8, ['unsigned long long']], 'SizePcr' : [ 0x2e0, ['unsigned short']], 'OffsetPcrSelfPcr' : [ 0x2e2, ['unsigned short']], 'OffsetPcrCurrentPrcb' : [ 0x2e4, ['unsigned short']], 'OffsetPcrContainedPrcb' : [ 0x2e6, ['unsigned short']], 'OffsetPcrInitialBStore' : [ 0x2e8, ['unsigned short']], 'OffsetPcrBStoreLimit' : [ 0x2ea, ['unsigned short']], 'OffsetPcrInitialStack' : [ 0x2ec, ['unsigned short']], 'OffsetPcrStackLimit' : [ 0x2ee, ['unsigned short']], 'OffsetPrcbPcrPage' : [ 0x2f0, ['unsigned short']], 'OffsetPrcbProcStateSpecialReg' : [ 0x2f2, ['unsigned short']], 'GdtR0Code' : [ 0x2f4, ['unsigned short']], 'GdtR0Data' : [ 0x2f6, ['unsigned short']], 'GdtR0Pcr' : [ 0x2f8, ['unsigned short']], 'GdtR3Code' : [ 0x2fa, ['unsigned short']], 'GdtR3Data' : [ 0x2fc, ['unsigned short']], 'GdtR3Teb' : [ 0x2fe, ['unsigned short']], 'GdtLdt' : [ 0x300, ['unsigned short']], 'GdtTss' : [ 0x302, ['unsigned short']], 'Gdt64R3CmCode' : [ 0x304, ['unsigned short']], 'Gdt64R3CmTeb' : [ 0x306, ['unsigned short']], 'IopNumTriageDumpDataBlocks' : [ 0x308, ['unsigned long long']], 'IopTriageDumpDataBlocks' : [ 0x310, ['unsigned long long']], 'VfCrashDataBlock' : [ 0x318, ['unsigned long long']], 'MmBadPagesDetected' : [ 0x320, ['unsigned long long']], 'MmZeroedPageSingleBitErrorsDetected' : [ 0x328, ['unsigned long long']], 'EtwpDebuggerData' : [ 0x330, ['unsigned long long']], 'OffsetPrcbContext' : [ 0x338, ['unsigned short']], } ], }

volatility-2.3.1/volatility/plugins/overlays/windows/kpcr_vtypes.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2012 Michael Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.
# You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

import volatility.obj as obj

class _KPCROnx86(obj.CType):
    """KPCR for 32bit windows"""

    def idt_entries(self):
        # Yield (index, entry) pairs for this CPU's IDT.
        for i, entry in enumerate(self.IDT.dereference()):
            yield i, entry

    def gdt_entries(self):
        # Yield (index, entry) pairs for this CPU's GDT.
        for i, entry in enumerate(self.GDT.dereference()):
            yield i, entry

    def get_kdbg(self):
        """Find this CPU's KDBG.

        Please note the KdVersionBlock pointer is NULL on
        all KPCR structures except the one for the first CPU.
        In some cases on x64, even the first CPU has a NULL
        KdVersionBlock, so this is really a hit-or-miss.
        """
        DebuggerDataList = self.KdVersionBlock.dereference_as("_DBGKD_GET_VERSION64").DebuggerDataList

        # DebuggerDataList is a pointer to unsigned long on x86
        # and a pointer to unsigned long long on x64. The first
        # dereference() dereferences the pointer, and the second
        # dereference() dereferences the unsigned long or long long
        # as the actual KDBG address.
        return DebuggerDataList.dereference().dereference_as("_KDDEBUGGER_DATA64")

    @property
    def ProcessorBlock(self):
        # On x86 the _KPRCB is embedded in the _KPCR as PrcbData.
        return self.PrcbData

class _KPCROnx64(_KPCROnx86):
    """KPCR for x64 windows"""

    # The x64 _KPCR uses different member names (Prcb, IdtBase, GdtBase);
    # alias them so the methods inherited from _KPCROnx86 work unchanged.

    @property
    def ProcessorBlock(self):
        return self.Prcb

    @property
    def IDT(self):
        return self.IdtBase

    @property
    def GDT(self):
        return self.GdtBase

class KPCRProfileModification(obj.ProfileModification):
    before = ['WindowsObjectClasses']

    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):

        # Select the _KPCR class that matches the profile's memory model.
        if profile.metadata.get('memory_model', '32bit') == '32bit':
            kpcr_class = _KPCROnx86
        else:
            kpcr_class = _KPCROnx64

        profile.object_classes.update({'_KPCR': kpcr_class})

        # Read _KPRCB.VendorString as a 13-byte String.
        profile.merge_overlay({
            '_KPRCB': [ None, {
                'VendorString': [ None, ['String', dict(length = 13)]],
            }]})

volatility-2.3.1/volatility/plugins/overlays/windows/vista_sp0_x86_vtypes.py

ntkrnlmp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '__unnamed_1019' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1019']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_101e' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_101e']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_1037' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1039'
: [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_1037']], } ], '_TP_CALLBACK_ENVIRON' : [ 0x20, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x4, ['pointer', ['_TP_POOL']]], 'CleanupGroup' : [ 0x8, ['pointer', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0xc, ['pointer', ['void']]], 'RaceDll' : [ 0x10, ['pointer', ['void']]], 'ActivationContext' : [ 0x14, ['pointer', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x18, ['pointer', ['void']]], 'u' : [ 0x1c, ['__unnamed_1039']], } ], '_TP_TASK_CALLBACKS' : [ 0x8, { 'ExecuteCallback' : [ 0x0, ['pointer', ['void']]], 'Unposted' : [ 0x4, ['pointer', ['void']]], } ], '_TP_TASK' : [ 0x4, { 'Callbacks' : [ 0x0, ['pointer', ['_TP_TASK_CALLBACKS']]], } ], '_TP_DIRECT' : [ 0x4, { 'Callback' : [ 0x0, ['pointer', ['void']]], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '_KPRCB' : [ 0x1f98, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'Number' : [ 0x10, ['unsigned char']], 'NestingLevel' : [ 0x11, ['unsigned 
char']], 'BuildType' : [ 0x12, ['unsigned short']], 'SetMember' : [ 0x14, ['unsigned long']], 'CpuType' : [ 0x18, ['unsigned char']], 'CpuID' : [ 0x19, ['unsigned char']], 'CpuStep' : [ 0x1a, ['unsigned short']], 'CpuStepping' : [ 0x1a, ['unsigned char']], 'CpuModel' : [ 0x1b, ['unsigned char']], 'ProcessorState' : [ 0x1c, ['_KPROCESSOR_STATE']], 'KernelReserved' : [ 0x33c, ['array', 16, ['unsigned long']]], 'HalReserved' : [ 0x37c, ['array', 16, ['unsigned long']]], 'CFlushSize' : [ 0x3bc, ['unsigned long']], 'PrcbPad0' : [ 0x3c0, ['array', 88, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 33, ['_KSPIN_LOCK_QUEUE']]], 'NpxThread' : [ 0x520, ['pointer', ['_KTHREAD']]], 'InterruptCount' : [ 0x524, ['unsigned long']], 'KernelTime' : [ 0x528, ['unsigned long']], 'UserTime' : [ 0x52c, ['unsigned long']], 'DpcTime' : [ 0x530, ['unsigned long']], 'DpcTimeCount' : [ 0x534, ['unsigned long']], 'InterruptTime' : [ 0x538, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x53c, ['unsigned long']], 'PageColor' : [ 0x540, ['unsigned long']], 'SkipTick' : [ 0x544, ['unsigned char']], 'DebuggerSavedIRQL' : [ 0x545, ['unsigned char']], 'NodeColor' : [ 0x546, ['unsigned char']], 'PollSlot' : [ 0x547, ['unsigned char']], 'NodeShiftedColor' : [ 0x548, ['unsigned long']], 'ParentNode' : [ 0x54c, ['pointer', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x550, ['unsigned long']], 'MultiThreadSetMaster' : [ 0x554, ['pointer', ['_KPRCB']]], 'SecondaryColorMask' : [ 0x558, ['unsigned long']], 'DpcTimeLimit' : [ 0x55c, ['unsigned long']], 'CcFastReadNoWait' : [ 0x560, ['unsigned long']], 'CcFastReadWait' : [ 0x564, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x568, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x56c, ['unsigned long']], 'CcCopyReadWait' : [ 0x570, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x574, ['unsigned long']], 'MmSpinLockOrdering' : [ 0x578, ['long']], 'IoReadOperationCount' : [ 0x57c, ['long']], 'IoWriteOperationCount' : [ 0x580, ['long']], 
'IoOtherOperationCount' : [ 0x584, ['long']], 'IoReadTransferCount' : [ 0x588, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x590, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x598, ['_LARGE_INTEGER']], 'CcFastMdlReadNoWait' : [ 0x5a0, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x5a4, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x5a8, ['unsigned long']], 'CcMapDataNoWait' : [ 0x5ac, ['unsigned long']], 'CcMapDataWait' : [ 0x5b0, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x5b4, ['unsigned long']], 'CcPinReadNoWait' : [ 0x5b8, ['unsigned long']], 'CcPinReadWait' : [ 0x5bc, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x5c0, ['unsigned long']], 'CcMdlReadWait' : [ 0x5c4, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x5c8, ['unsigned long']], 'CcLazyWriteIos' : [ 0x5cc, ['unsigned long']], 'CcLazyWritePages' : [ 0x5d0, ['unsigned long']], 'CcDataFlushes' : [ 0x5d4, ['unsigned long']], 'CcDataPages' : [ 0x5d8, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x5dc, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x5e0, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x5e4, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x5e8, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x5ec, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x5f0, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x5f4, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x5f8, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x5fc, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x600, ['unsigned long']], 'CcReadAheadIos' : [ 0x604, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x608, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x60c, ['unsigned long']], 'KeSystemCalls' : [ 0x610, ['unsigned long']], 'PrcbPad1' : [ 0x614, ['array', 3, ['unsigned long']]], 'PPLookasideList' : [ 0x620, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x6a0, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0xfa0, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : 
[ 0x18a0, ['unsigned long']], 'ReverseStall' : [ 0x18a4, ['long']], 'IpiFrame' : [ 0x18a8, ['pointer', ['void']]], 'PrcbPad2' : [ 0x18ac, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x18e0, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x18ec, ['unsigned long']], 'WorkerRoutine' : [ 0x18f0, ['pointer', ['void']]], 'IpiFrozen' : [ 0x18f4, ['unsigned long']], 'PrcbPad3' : [ 0x18f8, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x1920, ['unsigned long']], 'SignalDone' : [ 0x1924, ['pointer', ['_KPRCB']]], 'PrcbPad4' : [ 0x1928, ['array', 56, ['unsigned char']]], 'DpcData' : [ 0x1960, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x1988, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x198c, ['long']], 'DpcRequestRate' : [ 0x1990, ['unsigned long']], 'MinimumDpcRate' : [ 0x1994, ['unsigned long']], 'DpcInterruptRequested' : [ 0x1998, ['unsigned char']], 'DpcThreadRequested' : [ 0x1999, ['unsigned char']], 'DpcRoutineActive' : [ 0x199a, ['unsigned char']], 'DpcThreadActive' : [ 0x199b, ['unsigned char']], 'PrcbLock' : [ 0x199c, ['unsigned long']], 'DpcLastCount' : [ 0x19a0, ['unsigned long']], 'TimerHand' : [ 0x19a4, ['unsigned long']], 'TimerRequest' : [ 0x19a8, ['unsigned long']], 'PrcbPad41' : [ 0x19ac, ['pointer', ['void']]], 'DpcEvent' : [ 0x19b0, ['_KEVENT']], 'ThreadDpcEnable' : [ 0x19c0, ['unsigned char']], 'QuantumEnd' : [ 0x19c1, ['unsigned char']], 'PrcbPad50' : [ 0x19c2, ['unsigned char']], 'IdleSchedule' : [ 0x19c3, ['unsigned char']], 'DpcSetEventRequest' : [ 0x19c4, ['long']], 'Sleeping' : [ 0x19c8, ['long']], 'PeriodicCount' : [ 0x19cc, ['unsigned long']], 'PeriodicBias' : [ 0x19d0, ['unsigned long']], 'PrcbPad5' : [ 0x19d4, ['array', 6, ['unsigned char']]], 'TickOffset' : [ 0x19dc, ['long']], 'CallDpc' : [ 0x19e0, ['_KDPC']], 'ClockKeepAlive' : [ 0x1a00, ['long']], 'ClockCheckSlot' : [ 0x1a04, ['unsigned char']], 'ClockPollCycle' : [ 0x1a05, ['unsigned char']], 'PrcbPad6' : [ 0x1a06, ['array', 2, ['unsigned char']]], 
'DpcWatchdogPeriod' : [ 0x1a08, ['long']], 'DpcWatchdogCount' : [ 0x1a0c, ['long']], 'ThreadWatchdogPeriod' : [ 0x1a10, ['long']], 'ThreadWatchdogCount' : [ 0x1a14, ['long']], 'PrcbPad70' : [ 0x1a18, ['array', 2, ['unsigned long']]], 'WaitListHead' : [ 0x1a20, ['_LIST_ENTRY']], 'WaitLock' : [ 0x1a28, ['unsigned long']], 'ReadySummary' : [ 0x1a2c, ['unsigned long']], 'QueueIndex' : [ 0x1a30, ['unsigned long']], 'DeferredReadyListHead' : [ 0x1a34, ['_SINGLE_LIST_ENTRY']], 'StartCycles' : [ 0x1a38, ['unsigned long long']], 'CycleTime' : [ 0x1a40, ['unsigned long long']], 'PrcbPad71' : [ 0x1a48, ['array', 3, ['unsigned long long']]], 'DispatcherReadyListHead' : [ 0x1a60, ['array', 32, ['_LIST_ENTRY']]], 'ChainedInterruptList' : [ 0x1b60, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0x1b64, ['long']], 'MmPageFaultCount' : [ 0x1b68, ['long']], 'MmCopyOnWriteCount' : [ 0x1b6c, ['long']], 'MmTransitionCount' : [ 0x1b70, ['long']], 'MmCacheTransitionCount' : [ 0x1b74, ['long']], 'MmDemandZeroCount' : [ 0x1b78, ['long']], 'MmPageReadCount' : [ 0x1b7c, ['long']], 'MmPageReadIoCount' : [ 0x1b80, ['long']], 'MmCacheReadCount' : [ 0x1b84, ['long']], 'MmCacheIoCount' : [ 0x1b88, ['long']], 'MmDirtyPagesWriteCount' : [ 0x1b8c, ['long']], 'MmDirtyWriteIoCount' : [ 0x1b90, ['long']], 'MmMappedPagesWriteCount' : [ 0x1b94, ['long']], 'MmMappedWriteIoCount' : [ 0x1b98, ['long']], 'CachedCommit' : [ 0x1b9c, ['unsigned long']], 'CachedResidentAvailable' : [ 0x1ba0, ['unsigned long']], 'HyperPte' : [ 0x1ba4, ['pointer', ['void']]], 'CpuVendor' : [ 0x1ba8, ['unsigned char']], 'PrcbPad9' : [ 0x1ba9, ['array', 3, ['unsigned char']]], 'VendorString' : [ 0x1bac, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0x1bb9, ['unsigned char']], 'CoresPerPhysicalProcessor' : [ 0x1bba, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x1bbb, ['unsigned char']], 'MHz' : [ 0x1bbc, ['unsigned long']], 'FeatureBits' : [ 0x1bc0, ['unsigned long']], 'UpdateSignature' : [ 0x1bc8, 
['_LARGE_INTEGER']], 'IsrTime' : [ 0x1bd0, ['unsigned long long']], 'SpareField1' : [ 0x1bd8, ['unsigned long long']], 'NpxSaveArea' : [ 0x1be0, ['_FX_SAVE_AREA']], 'PowerState' : [ 0x1df0, ['_PROCESSOR_POWER_STATE']], 'DpcWatchdogDpc' : [ 0x1ed0, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x1ef0, ['_KTIMER']], 'WheaInfo' : [ 0x1f18, ['pointer', ['void']]], 'EtwSupport' : [ 0x1f1c, ['pointer', ['void']]], 'InterruptObjectPool' : [ 0x1f20, ['_SLIST_HEADER']], 'HypercallPagePhysical' : [ 0x1f28, ['_LARGE_INTEGER']], 'HypercallPageVirtual' : [ 0x1f30, ['pointer', ['void']]], 'RateControl' : [ 0x1f34, ['pointer', ['void']]], 'Cache' : [ 0x1f38, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x1f74, ['unsigned long']], 'CacheProcessorMask' : [ 0x1f78, ['array', 5, ['unsigned long']]], 'LogicalProcessorsPerCore' : [ 0x1f8c, ['unsigned char']], 'PrcbPad8' : [ 0x1f8d, ['array', 3, ['unsigned char']]], 'PackageProcessorSet' : [ 0x1f90, ['unsigned long']], 'CoreProcessorSet' : [ 0x1f94, ['unsigned long']], } ], '_KPCR' : [ 0x20b8, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'Spare2' : [ 0x8, ['pointer', ['void']]], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 
'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_KTHREAD' : [ 0x1e0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'CycleTime' : [ 0x10, ['unsigned long long']], 'HighCycleTime' : [ 0x18, ['unsigned long']], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer', ['void']]], 'StackLimit' : [ 0x2c, ['pointer', ['void']]], 'KernelStack' : [ 0x30, ['pointer', ['void']]], 'ThreadLock' : [ 0x34, ['unsigned long']], 'ApcState' : [ 0x38, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x38, ['array', 23, ['unsigned char']]], 'Priority' : [ 0x4f, ['unsigned char']], 'NextProcessor' : [ 0x50, ['unsigned short']], 'DeferredProcessor' : [ 0x52, 
['unsigned short']], 'ApcQueueLock' : [ 0x54, ['unsigned long']], 'ContextSwitches' : [ 0x58, ['unsigned long']], 'State' : [ 0x5c, ['unsigned char']], 'NpxState' : [ 0x5d, ['unsigned char']], 'WaitIrql' : [ 0x5e, ['unsigned char']], 'WaitMode' : [ 0x5f, ['unsigned char']], 'WaitStatus' : [ 0x60, ['long']], 'WaitBlockList' : [ 0x64, ['pointer', ['_KWAIT_BLOCK']]], 'GateObject' : [ 0x64, ['pointer', ['_KGATE']]], 'KernelStackResident' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x68, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x68, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x68, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x68, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GdiFlushActive' : [ 0x68, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Reserved' : [ 0x68, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x68, ['long']], 'WaitReason' : [ 0x6c, ['unsigned char']], 'SwapBusy' : [ 0x6d, ['unsigned char']], 'Alerted' : [ 0x6e, ['array', 2, ['unsigned char']]], 'WaitListEntry' : [ 0x70, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x70, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0x78, ['pointer', ['_KQUEUE']]], 'WaitTime' : [ 0x7c, ['unsigned long']], 'KernelApcDisable' : [ 0x80, ['short']], 'SpecialApcDisable' : [ 0x82, ['short']], 'CombinedApcDisable' : [ 0x80, ['unsigned long']], 'Teb' : [ 0x84, ['pointer', ['void']]], 'Timer' : [ 0x88, ['_KTIMER']], 'TimerFill' : [ 0x88, ['array', 40, ['unsigned char']]], 'AutoAlignment' : [ 0xb0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0xb0, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0xb0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EtwStackTraceApc2Inserted' : [ 0xb0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CycleChargePending' : [ 0xb0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CalloutActive' : [ 0xb0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ApcQueueable' : [ 0xb0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'EnableStackSwap' : [ 0xb0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'GuiThread' : [ 0xb0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedFlags' : [ 0xb0, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0xb0, ['long']], 'WaitBlock' : [ 0xb8, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill0' : [ 0xb8, ['array', 23, ['unsigned char']]], 'IdealProcessor' : [ 0xcf, ['unsigned char']], 'WaitBlockFill1' : [ 0xb8, ['array', 47, ['unsigned char']]], 'PreviousMode' : [ 0xe7, ['unsigned char']], 'WaitBlockFill2' : [ 0xb8, ['array', 71, ['unsigned char']]], 'ResourceIndex' : [ 0xff, ['unsigned char']], 'WaitBlockFill3' : [ 0xb8, ['array', 95, ['unsigned char']]], 'LargeStack' : [ 0x117, ['unsigned char']], 'QueueListEntry' : [ 0x118, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x120, ['pointer', ['_KTRAP_FRAME']]], 'FirstArgument' : [ 0x124, ['pointer', ['void']]], 'CallbackStack' : [ 0x128, ['pointer', ['void']]], 'CallbackDepth' : [ 0x128, ['unsigned long']], 'ServiceTable' : [ 0x12c, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x130, ['unsigned char']], 'BasePriority' : [ 0x131, ['unsigned char']], 'PriorityDecrement' : [ 0x132, ['unsigned char']], 'Preempted' : [ 0x133, ['unsigned char']], 'AdjustReason' : [ 0x134, ['unsigned char']], 
'AdjustIncrement' : [ 0x135, ['unsigned char']], 'Spare01' : [ 0x136, ['unsigned char']], 'Saturation' : [ 0x137, ['unsigned char']], 'SystemCallNumber' : [ 0x138, ['unsigned long']], 'Spare02' : [ 0x13c, ['unsigned long']], 'UserAffinity' : [ 0x140, ['unsigned long']], 'Process' : [ 0x144, ['pointer', ['_KPROCESS']]], 'Affinity' : [ 0x148, ['unsigned long']], 'ApcStatePointer' : [ 0x14c, ['array', 2, ['pointer', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x154, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x154, ['array', 23, ['unsigned char']]], 'FreezeCount' : [ 0x16b, ['unsigned char']], 'SuspendCount' : [ 0x16c, ['unsigned char']], 'UserIdealProcessor' : [ 0x16d, ['unsigned char']], 'Spare03' : [ 0x16e, ['unsigned char']], 'Iopl' : [ 0x16f, ['unsigned char']], 'Win32Thread' : [ 0x170, ['pointer', ['void']]], 'StackBase' : [ 0x174, ['pointer', ['void']]], 'SuspendApc' : [ 0x178, ['_KAPC']], 'SuspendApcFill0' : [ 0x178, ['array', 1, ['unsigned char']]], 'Spare04' : [ 0x179, ['unsigned char']], 'SuspendApcFill1' : [ 0x178, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x17b, ['unsigned char']], 'SuspendApcFill2' : [ 0x178, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x17c, ['unsigned long']], 'SuspendApcFill3' : [ 0x178, ['array', 36, ['unsigned char']]], 'WaitPrcb' : [ 0x19c, ['pointer', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x178, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x1a0, ['pointer', ['void']]], 'SuspendApcFill5' : [ 0x178, ['array', 47, ['unsigned char']]], 'PowerState' : [ 0x1a7, ['unsigned char']], 'UserTime' : [ 0x1a8, ['unsigned long']], 'SuspendSemaphore' : [ 0x1ac, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x1ac, ['array', 20, ['unsigned char']]], 'SListFaultCount' : [ 0x1c0, ['unsigned long']], 'ThreadListEntry' : [ 0x1c4, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x1cc, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x1d4, ['pointer', ['void']]], 'MdlForLockedTeb' : [ 0x1d8, ['pointer', ['void']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' 
: [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'Sequence' : [ 0x6, ['unsigned short']], } ], '_LOOKASIDE_LIST_EX' : [ 0x48, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, { 'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, 
['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x30, { 'WakeGate' : [ 0x0, ['_KGATE']], 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x10, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x14, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x18, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x1c, ['long']], 'Flags' : [ 0x20, ['long']], } ], '_ETHREAD' : [ 0x288, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x1e0, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x1e8, 
['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x1e8, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x1f0, ['long']], 'OfsChain' : [ 0x1f0, ['pointer', ['void']]], 'PostBlockList' : [ 0x1f4, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x1f4, ['pointer', ['void']]], 'StartAddress' : [ 0x1f8, ['pointer', ['void']]], 'TerminationPort' : [ 0x1fc, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x1fc, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x1fc, ['pointer', ['void']]], 'Win32StartParameter' : [ 0x1fc, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x200, ['unsigned long']], 'ActiveTimerListHead' : [ 0x204, ['_LIST_ENTRY']], 'Cid' : [ 0x20c, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x214, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x214, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x228, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x22c, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x234, ['unsigned long']], 'DeviceToVerify' : [ 0x238, ['pointer', ['_DEVICE_OBJECT']]], 'RateControlApc' : [ 0x23c, ['pointer', ['_PSP_RATE_APC']]], 'Win32StartAddress' : [ 0x240, ['pointer', ['void']]], 'SparePtr0' : [ 0x244, ['pointer', ['void']]], 'ThreadListEntry' : [ 0x248, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x250, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x254, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x258, ['unsigned long']], 'MmLockOrdering' : [ 0x25c, ['long']], 'CrossThreadFlags' : [ 0x260, ['unsigned long']], 'Terminated' : [ 0x260, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x260, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x260, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x260, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x260, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x260, ['BitField', 
dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x260, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x260, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x260, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x260, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x260, ['BitField', dict(start_bit = 10, end_bit = 13, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x260, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x260, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x264, ['unsigned long']], 'ActiveExWorker' : [ 0x264, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x264, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x264, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ClonedThread' : [ 0x264, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x264, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x264, ['BitField', dict(start_bit = 5, end_bit = 7, native_type='unsigned long')]], 'SelfTerminate' : [ 0x264, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x268, ['unsigned long']], 'Spare' : [ 0x268, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x268, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwPageFaultCalloutActive' : [ 0x268, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 
'OwnsProcessWorkingSetExclusive' : [ 0x268, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x268, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemWorkingSetExclusive' : [ 0x268, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemWorkingSetShared' : [ 0x268, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x268, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x269, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x269, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x269, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x269, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x269, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsDynamicMemoryShared' : [ 0x269, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x269, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x269, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x26a, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'CacheManagerActive' : [ 0x26c, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x26d, ['unsigned char']], 'ActiveFaultCount' : [ 0x26e, ['unsigned char']], 'AlpcMessageId' : [ 0x270, ['unsigned long']], 'AlpcMessage' : [ 0x274, ['pointer', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x274, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x278, 
['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x280, ['unsigned long']], } ], '_EPROCESS' : [ 0x270, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x80, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x88, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x90, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0x98, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x9c, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0xa0, ['_LIST_ENTRY']], 'QuotaUsage' : [ 0xa8, ['array', 3, ['unsigned long']]], 'QuotaPeak' : [ 0xb4, ['array', 3, ['unsigned long']]], 'CommitCharge' : [ 0xc0, ['unsigned long']], 'PeakVirtualSize' : [ 0xc4, ['unsigned long']], 'VirtualSize' : [ 0xc8, ['unsigned long']], 'SessionProcessLinks' : [ 0xcc, ['_LIST_ENTRY']], 'DebugPort' : [ 0xd4, ['pointer', ['void']]], 'ExceptionPortData' : [ 0xd8, ['pointer', ['void']]], 'ExceptionPortValue' : [ 0xd8, ['unsigned long']], 'ExceptionPortState' : [ 0xd8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'ObjectTable' : [ 0xdc, ['pointer', ['_HANDLE_TABLE']]], 'Token' : [ 0xe0, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0xe4, ['unsigned long']], 'AddressCreationLock' : [ 0xe8, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0xec, ['pointer', ['_ETHREAD']]], 'ForkInProgress' : [ 0xf0, ['pointer', ['_ETHREAD']]], 'HardwareTrigger' : [ 0xf4, ['unsigned long']], 'PhysicalVadRoot' : [ 0xf8, ['pointer', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0xfc, ['pointer', ['void']]], 'NumberOfPrivatePages' : [ 0x100, ['unsigned long']], 'NumberOfLockedPages' : [ 0x104, ['unsigned long']], 'Win32Process' : [ 0x108, ['pointer', ['void']]], 'Job' : [ 0x10c, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x110, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x114, ['pointer', ['void']]], 'QuotaBlock' : [ 0x118, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'WorkingSetWatch' : [ 0x11c, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x120, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x124, ['pointer', ['void']]], 
'LdtInformation' : [ 0x128, ['pointer', ['void']]], 'VadFreeHint' : [ 0x12c, ['pointer', ['void']]], 'VdmObjects' : [ 0x130, ['pointer', ['void']]], 'DeviceMap' : [ 0x134, ['pointer', ['void']]], 'EtwDataSource' : [ 0x138, ['pointer', ['void']]], 'FreeTebHint' : [ 0x13c, ['pointer', ['void']]], 'PageDirectoryPte' : [ 0x140, ['_HARDWARE_PTE']], 'Filler' : [ 0x140, ['unsigned long long']], 'Session' : [ 0x148, ['pointer', ['void']]], 'ImageFileName' : [ 0x14c, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x15c, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x164, ['pointer', ['void']]], 'ThreadListHead' : [ 0x168, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x170, ['pointer', ['void']]], 'PaeTop' : [ 0x174, ['pointer', ['void']]], 'ActiveThreads' : [ 0x178, ['unsigned long']], 'ImagePathHash' : [ 0x17c, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x180, ['unsigned long']], 'LastThreadExitStatus' : [ 0x184, ['long']], 'Peb' : [ 0x188, ['pointer', ['_PEB']]], 'PrefetchTrace' : [ 0x18c, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x190, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x198, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1a0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1a8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1b0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1c0, ['unsigned long']], 'CommitChargePeak' : [ 0x1c4, ['unsigned long']], 'AweInfo' : [ 0x1c8, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x1cc, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x1d0, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x218, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x220, ['unsigned long']], 'Flags2' : [ 0x224, ['unsigned long']], 'JobNotReallyActive' : [ 0x224, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x224, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x224, ['BitField', 
dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x224, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x224, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x224, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x224, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x224, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x224, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x224, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x224, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtectedProcess' : [ 0x224, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x224, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x224, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x224, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x224, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Flags' : [ 0x228, ['unsigned long']], 'CreateReported' : [ 0x228, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x228, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x228, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x228, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 
0x228, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x228, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x228, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x228, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x228, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x228, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x228, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x228, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x228, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x228, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x228, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x228, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x228, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x228, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x228, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x228, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x228, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x228, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x228, ['BitField', dict(start_bit = 23, end_bit = 
24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x228, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SmapAllowed' : [ 0x228, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x228, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x228, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'SparePsFlags1' : [ 0x228, ['BitField', dict(start_bit = 30, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x22c, ['long']], 'Spare7' : [ 0x230, ['unsigned short']], 'SubSystemMinorVersion' : [ 0x232, ['unsigned char']], 'SubSystemMajorVersion' : [ 0x233, ['unsigned char']], 'SubSystemVersion' : [ 0x232, ['unsigned short']], 'PriorityClass' : [ 0x234, ['unsigned char']], 'VadRoot' : [ 0x238, ['_MM_AVL_TABLE']], 'Cookie' : [ 0x258, ['unsigned long']], 'AlpcContext' : [ 0x25c, ['_ALPC_PROCESS_CONTEXT']], } ], '__unnamed_11f4' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_11f9' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_11fb' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_11f9']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_1206' : [ 0x28, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_1208' : [ 0x30, { 'Overlay' : [ 0x0, 
['__unnamed_1206']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_11f4']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_11fb']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_1208']], } ], '__unnamed_120e' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1212' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_1216' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_1218' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, 
['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_121c' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_121e' : [ 0x8, { 'Length' : [ 
0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_1220' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileMaximumInformation'})]], } ], '__unnamed_1222' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 
'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1224' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', 
['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_1226' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_122a' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'})]], } ], '__unnamed_122c' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_122f' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_1231' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1233' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_1235' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1239' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_123d' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1241' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], 
'__unnamed_1245' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_124c' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1250' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1254' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1256' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_1258' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_125c' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_1260' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_1264' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_1268' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 
'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_126c' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_1274' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_1278' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_127a' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_127c' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_127e' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_120e']], 'CreatePipe' : [ 0x0, ['__unnamed_1212']], 'CreateMailslot' : [ 0x0, ['__unnamed_1216']], 'Read' : [ 0x0, ['__unnamed_1218']], 'Write' : [ 0x0, ['__unnamed_1218']], 'QueryDirectory' : [ 0x0, ['__unnamed_121c']], 'NotifyDirectory' : [ 0x0, ['__unnamed_121e']], 'QueryFile' : [ 0x0, ['__unnamed_1220']], 'SetFile' : [ 0x0, ['__unnamed_1222']], 'QueryEa' : [ 0x0, ['__unnamed_1224']], 'SetEa' : [ 0x0, ['__unnamed_1226']], 'QueryVolume' : [ 0x0, ['__unnamed_122a']], 'SetVolume' : [ 0x0, ['__unnamed_122a']], 'FileSystemControl' : [ 0x0, ['__unnamed_122c']], 'LockControl' : 
[ 0x0, ['__unnamed_122f']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1231']], 'QuerySecurity' : [ 0x0, ['__unnamed_1233']], 'SetSecurity' : [ 0x0, ['__unnamed_1235']], 'MountVolume' : [ 0x0, ['__unnamed_1239']], 'VerifyVolume' : [ 0x0, ['__unnamed_1239']], 'Scsi' : [ 0x0, ['__unnamed_123d']], 'QueryQuota' : [ 0x0, ['__unnamed_1241']], 'SetQuota' : [ 0x0, ['__unnamed_1226']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1245']], 'QueryInterface' : [ 0x0, ['__unnamed_124c']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_1250']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1254']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1256']], 'SetLock' : [ 0x0, ['__unnamed_1258']], 'QueryId' : [ 0x0, ['__unnamed_125c']], 'QueryDeviceText' : [ 0x0, ['__unnamed_1260']], 'UsageNotification' : [ 0x0, ['__unnamed_1264']], 'WaitWake' : [ 0x0, ['__unnamed_1268']], 'PowerSequence' : [ 0x0, ['__unnamed_126c']], 'Power' : [ 0x0, ['__unnamed_1274']], 'StartDevice' : [ 0x0, ['__unnamed_1278']], 'WMI' : [ 0x0, ['__unnamed_127a']], 'Others' : [ 0x0, ['__unnamed_127c']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_127e']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x10, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x4, ['pointer', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x8, ['pointer', ['void']]], 'TxnParameters' : [ 0xc, ['pointer', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = 
{0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Type' : [ 0x8, ['pointer', ['_OBJECT_TYPE']]], 'NameInfoOffset' : [ 0xc, ['unsigned char']], 'HandleInfoOffset' : [ 0xd, ['unsigned char']], 'QuotaInfoOffset' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'ExclusiveProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, { 'HandleCountDataBase' : [ 0x0, ['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'QueryReferences' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : 
[ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0x80, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0x70, ['unsigned long']], 'IrpList' : [ 0x74, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0x7c, ['pointer', 
['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x38, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0x8, ['unsigned long']], 'CurrentFileIndex' : [ 0x8, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x24, ['pointer', ['unsigned long']]], 'FirstFileEntry' : [ 0x28, ['pointer', ['unsigned long']]], 'Process' : [ 0x2c, ['pointer', ['_EPROCESS']]], 'SessionId' : [ 0x30, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer', ['unsigned long']]], 'LastPageFrameEntry' : [ 0x24, ['pointer', ['unsigned long']]], } ], '_PF_HARD_FAULT_INFO' : [ 0x30, { 'KernelTimeStamp' : [ 0x0, ['_ETW_KERNEL_TRACE_TIMESTAMP']], 'HardFaultEvent' : [ 0x10, ['_PERFINFO_HARDPAGEFAULT_INFORMATION']], 'IoTimeInTicks' : [ 0x28, ['_LARGE_INTEGER']], } ], '_KGUARDED_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], 'KernelApcDisable' : [ 0x1c, ['short']], 'SpecialApcDisable' : [ 0x1e, ['short']], 'CombinedApcDisable' : [ 0x1c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xd0, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x88, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['unsigned short']], 'ValidationBits' : [ 0xa, ['unsigned char']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 
'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '__unnamed_1332' : [ 0xd0, { 'ProcessorError' : [ 0x0, ['_WHEA_GENERIC_PROCESSOR_ERROR']], 'MemoryError' : [ 0x0, ['_WHEA_MEMORY_ERROR']], 'NmiError' : [ 0x0, ['_WHEA_NMI_ERROR']], 'PciExpressError' : [ 0x0, ['_WHEA_PCIEXPRESS_ERROR']], 'PciXBusError' : [ 0x0, ['_WHEA_PCIX_BUS_ERROR']], 'PciXDeviceError' : [ 0x0, ['_WHEA_PCIX_DEVICE_ERROR']], } ], '_WHEA_ERROR_PACKET' : [ 0x119, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'RawDataLength' : [ 0x10, ['unsigned long long']], 'Context' : [ 0x18, ['unsigned long long']], 'ErrorType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice'})]], 'ErrorSeverity' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ErrorSourceId' : [ 0x28, ['unsigned long']], 'ErrorSourceType' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeOther', 6: 'WheaErrSrcTypeMax'})]], 'Reserved1' : [ 0x30, ['unsigned long']], 'Version' : [ 0x34, ['unsigned long']], 'Cpu' : [ 0x38, ['unsigned long long']], 'u' : [ 0x40, ['__unnamed_1332']], 'RawDataFormat' : [ 0x110, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrorStatusFormatIPFSalRecord', 1: 'WheaErrorStatusFormatIA32MCA', 2: 'WheaErrorStatusFormatEM64TMCA', 3: 'WheaErrorStatusFormatAMD64MCA', 4: 'WheaErrorStatusFormatPCIExpress', 5: 'WheaErrorStatusFormatNMIPort', 6: 
'WheaErrorStatusFormatOther', 7: 'WheaErrorStatusFormatMax'})]], 'Reserved2' : [ 0x114, ['unsigned long']], 'RawData' : [ 0x118, ['array', 1, ['unsigned char']]], } ], '_KPROCESS' : [ 0x80, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['unsigned long']], 'Unused0' : [ 0x1c, ['unsigned long']], 'LdtDescriptor' : [ 0x20, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x28, ['_KIDTENTRY']], 'IopmOffset' : [ 0x30, ['unsigned short']], 'Iopl' : [ 0x32, ['unsigned char']], 'Unused' : [ 0x33, ['unsigned char']], 'ActiveProcessors' : [ 0x34, ['unsigned long']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ReadyListHead' : [ 0x40, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x48, ['_SINGLE_LIST_ENTRY']], 'VdmTrapcHandler' : [ 0x4c, ['pointer', ['void']]], 'ThreadListHead' : [ 0x50, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x58, ['unsigned long']], 'Affinity' : [ 0x5c, ['unsigned long']], 'AutoAlignment' : [ 0x60, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x60, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x60, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ReservedFlags' : [ 0x60, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x60, ['long']], 'BasePriority' : [ 0x64, ['unsigned char']], 'QuantumReset' : [ 0x65, ['unsigned char']], 'State' : [ 0x66, ['unsigned char']], 'ThreadSeed' : [ 0x67, ['unsigned char']], 'PowerState' : [ 0x68, ['unsigned char']], 'IdealNode' : [ 0x69, ['unsigned char']], 'Visited' : [ 0x6a, ['unsigned char']], 'Flags' : [ 0x6b, ['_KEXECUTE_OPTIONS']], 'ExecuteOptions' : [ 0x6b, ['unsigned char']], 'StackCount' : [ 0x6c, ['unsigned long']], 'ProcessListEntry' : [ 0x70, ['_LIST_ENTRY']], 'CycleTime' : [ 0x78, ['unsigned long long']], } ], '__unnamed_13e7' : [ 0x4, { 'Long' : [ 0x0, ['unsigned long']], 
'VolatileLong' : [ 0x0, ['unsigned long']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_13e7']], } ], '_PTE_QUEUE_POINTER' : [ 0x8, { 'PointerPte' : [ 0x0, ['long']], 'TimeStamp' : [ 0x4, ['long']], 'Data' : [ 0x0, ['long long']], } ], '__unnamed_13ff' : [ 0xc, { 'I386' : [ 0x0, ['_I386_LOADER_BLOCK']], 'Alpha' : [ 0x0, ['_ALPHA_LOADER_BLOCK']], 'Ia64' : [ 0x0, ['_IA64_LOADER_BLOCK']], } ], '_LOADER_PARAMETER_BLOCK' : [ 0x7c, { 'LoadOrderListHead' : [ 0x0, ['_LIST_ENTRY']], 'MemoryDescriptorListHead' : [ 0x8, ['_LIST_ENTRY']], 'BootDriverListHead' : [ 0x10, ['_LIST_ENTRY']], 'KernelStack' : [ 0x18, ['unsigned long']], 'Prcb' : [ 0x1c, ['unsigned long']], 'Process' : [ 0x20, ['unsigned long']], 'Thread' : [ 0x24, ['unsigned long']], 'RegistryLength' : [ 0x28, ['unsigned long']], 'RegistryBase' : [ 0x2c, ['pointer', ['void']]], 'ConfigurationRoot' : [ 0x30, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'ArcBootDeviceName' : [ 0x34, ['pointer', ['unsigned char']]], 'ArcHalDeviceName' : [ 0x38, ['pointer', ['unsigned char']]], 'NtBootPathName' : [ 0x3c, ['pointer', ['unsigned char']]], 'NtHalPathName' : [ 0x40, ['pointer', ['unsigned char']]], 'LoadOptions' : [ 0x44, ['pointer', ['unsigned char']]], 'NlsData' : [ 0x48, ['pointer', ['_NLS_DATA_BLOCK']]], 'ArcDiskInformation' : [ 0x4c, ['pointer', ['_ARC_DISK_INFORMATION']]], 'OemFontFile' : [ 0x50, ['pointer', ['void']]], 'SetupLoaderBlock' : [ 0x54, ['pointer', ['_SETUP_LOADER_BLOCK']]], 'Extension' : [ 0x58, ['pointer', ['_LOADER_PARAMETER_EXTENSION']]], 'u' : [ 0x5c, ['__unnamed_13ff']], 'FirmwareInformation' : [ 0x68, ['_FIRMWARE_INFORMATION_LOADER_BLOCK']], } ], '__unnamed_1423' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 
'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_1423']], } ], '_MMWSL' : [ 0x6a8, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer', ['_MMWSLE']]], 'LowestPagableAddress' : [ 0x14, ['pointer', ['void']]], 'LastInitializedWsle' : [ 0x18, ['unsigned long']], 'NextEstimationSlot' : [ 0x1c, ['unsigned long']], 'NextAgingSlot' : [ 0x20, ['unsigned long']], 'EstimatedAvailable' : [ 0x24, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x28, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x2c, ['unsigned long']], 'VadBitMapHint' : [ 0x30, ['unsigned long']], 'NonDirectCount' : [ 0x34, ['unsigned long']], 'NonDirectHash' : [ 0x38, ['pointer', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x3c, ['pointer', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x40, ['pointer', ['_MMWSLE_HASH']]], 'HighestUserAddress' : [ 0x44, ['pointer', ['void']]], 'UsedPageTableEntries' : [ 0x48, ['array', 768, ['unsigned short']]], 'CommittedPageTables' : [ 0x648, ['array', 24, ['unsigned long']]], } ], '_MMSUPPORT' : [ 0x48, { 'WorkingSetExpansionLinks' : [ 0x0, ['_LIST_ENTRY']], 'LastTrimStamp' : [ 0x8, ['unsigned short']], 'NextPageColor' : [ 0xa, ['unsigned short']], 'Flags' : [ 0xc, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0x10, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x14, ['unsigned long']], 'Spare0' : [ 0x18, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x1c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x20, ['unsigned long']], 'VmWorkingSetList' : [ 0x24, ['pointer', ['_MMWSL']]], 'Claim' : [ 0x28, ['unsigned long']], 'Spare' : [ 0x2c, ['array', 1, ['unsigned long']]], 'WorkingSetPrivateSize' : [ 0x30, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x34, ['unsigned long']], 'WorkingSetSize' : [ 
0x38, ['unsigned long']], 'ExitEvent' : [ 0x3c, ['pointer', ['_KEVENT']]], 'WorkingSetMutex' : [ 0x40, ['_EX_PUSH_LOCK']], 'AccessLog' : [ 0x44, ['pointer', ['void']]], } ], '__unnamed_1445' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1447' : [ 0x4, { 'ModifiedWriteCount' : [ 0x0, ['unsigned short']], 'FlushInProgressCount' : [ 0x2, ['unsigned short']], } ], '__unnamed_1449' : [ 0x4, { 'e2' : [ 0x0, ['__unnamed_1447']], } ], '__unnamed_1455' : [ 0xc, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 30, native_type='unsigned long')]], 'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer', ['_MM_SUBSECTION_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1457' : [ 0xc, { 'e2' : [ 0x0, ['__unnamed_1455']], } ], '_CONTROL_AREA' : [ 0x48, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfUserReferences' : [ 0x18, ['unsigned long']], 'u' : [ 0x1c, ['__unnamed_1445']], 'u1' : [ 0x20, ['__unnamed_1449']], 'FilePointer' : [ 0x24, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x28, ['long']], 'StartingFrame' : [ 0x2c, ['unsigned long']], 'WaitingForDeletion' : [ 0x30, ['pointer', ['_MI_SECTION_CREATION_EVENT']]], 'u2' : [ 0x34, ['__unnamed_1457']], 'LockedPages' : [ 0x40, ['long long']], } 
], '__unnamed_1463' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer', ['void']]], 'VolatileNext' : [ 0x0, ['pointer', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_1465' : [ 0x4, { 'Blink' : [ 0x0, ['unsigned long']], 'ImageProtoPte' : [ 0x0, ['pointer', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long']], } ], '__unnamed_1468' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_146a' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ByteFlags' : [ 0x2, ['unsigned char']], 'InterlockedByteFlags' : [ 0x3, ['unsigned char']], } ], '__unnamed_146c' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_1468']], 'e3' : [ 0x0, ['__unnamed_146a']], } ], '__unnamed_1471' : [ 0x4, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], } ], '_MMPFN' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1463']], 'u2' : [ 0x4, ['__unnamed_1465']], 'PteAddress' : [ 0x8, ['pointer', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x8, ['pointer', ['void']]], 'u3' : [ 0xc, ['__unnamed_146c']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'AweReferenceCount' : [ 0x10, ['long']], 'u4' : [ 0x14, ['__unnamed_1471']], } ], '_MMPAGING_FILE' : [ 0x50, { 'Size' : [ 0x0, ['unsigned long']], 
'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'PeakUsage' : [ 0x10, ['unsigned long']], 'HighestPage' : [ 0x14, ['unsigned long']], 'File' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'Entry' : [ 0x1c, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x24, ['_UNICODE_STRING']], 'Bitmap' : [ 0x2c, ['pointer', ['_RTL_BITMAP']]], 'BitmapHint' : [ 0x30, ['unsigned long']], 'LastAllocationSize' : [ 0x34, ['unsigned long']], 'PageFileNumber' : [ 0x38, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x38, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Spare0' : [ 0x38, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x3a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare1' : [ 0x3a, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'FileHandle' : [ 0x3c, ['pointer', ['void']]], 'AvailableList' : [ 0x40, ['_SLIST_HEADER']], 'NeedProcessingList' : [ 0x48, ['_SLIST_HEADER']], } ], '_MMPAGING_FILE_FREE_ENTRY' : [ 0x8, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'FreeBit' : [ 0x4, ['unsigned long']], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '__unnamed_14a3' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMVAD']]], } ], '__unnamed_14a6' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_14a9' : [ 0x4, { 'LongFlags3' : [ 0x0, ['unsigned long']], 'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']], } ], '_MMVAD_SHORT' : [ 0x20, { 'u1' : [ 0x0, ['__unnamed_14a3']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 
'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_14a6']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_14a9']], } ], '_MM_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x14, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x14, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x18, ['pointer', ['void']]], 'NodeFreeHint' : [ 0x1c, ['pointer', ['void']]], } ], '__unnamed_14b3' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_14a3']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_14a6']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_14a9']], 'u2' : [ 0x20, ['__unnamed_14b3']], 'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x24, ['pointer', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]], } ], '_MI_COLOR_BASE' : [ 0x8, { 'ColorPointer' : [ 0x0, ['pointer', ['unsigned short']]], 'ColorMask' : [ 0x4, ['unsigned short']], 'ColorNode' : [ 0x6, ['unsigned short']], } ], '__unnamed_14c5' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x14, { 'u1' : [ 0x0, ['__unnamed_14c5']], 'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x8, ['pointer', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 
'EndingVpn' : [ 0x10, ['unsigned long']], } ], '__unnamed_14ca' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_14ca']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], } ], '__unnamed_14d0' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMADDRESS_NODE']]], 'NextToFree' : [ 0x0, ['pointer', ['_MI_PER_SESSION_PROTOS']]], } ], '__unnamed_14d2' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'NumberOfPtesToFree' : [ 0x0, ['unsigned long']], } ], '_MI_PER_SESSION_PROTOS' : [ 0x1c, { 'u1' : [ 0x0, ['__unnamed_14d0']], 'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x8, ['pointer', ['_MMADDRESS_NODE']]], 'SessionId' : [ 0xc, ['unsigned long']], 'StartingVpn' : [ 0xc, ['unsigned long']], 'Subsection' : [ 0xc, ['pointer', ['_SUBSECTION']]], 'EndingVpn' : [ 0x10, ['unsigned long']], 'SubsectionBase' : [ 0x14, ['pointer', ['_MMPTE']]], 'u2' : [ 0x18, ['__unnamed_14d2']], } ], '__unnamed_14db' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '__unnamed_14dd' : [ 0x4, { 'LastPageToWrite' : [ 0x0, ['unsigned long']], 'KeepForever' : [ 0x0, ['unsigned long']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x60, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x8, ['__unnamed_14db']], 'Irp' : [ 0x10, ['pointer', ['_IRP']]], 'u1' : [ 0x14, ['__unnamed_14dd']], 'PagingFile' : [ 0x18, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x1c, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x20, 
['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x24, ['pointer', ['_ERESOURCE']]], 'WriteOffset' : [ 0x28, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x30, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x38, ['pointer', ['_MDL']]], 'Mdl' : [ 0x3c, ['_MDL']], 'Page' : [ 0x58, ['array', 1, ['unsigned long']]], } ], '__unnamed_14e5' : [ 0x20, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x1c, ['array', 1, ['unsigned long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x40, { 'Status' : [ 0x0, ['long']], 'Priority' : [ 0x4, ['unsigned char']], 'IrpPriority' : [ 0x5, ['unsigned char']], 'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x10, ['unsigned long']], 'ModifiedPagesTotal' : [ 0x14, ['unsigned long']], 'ModifiedPagefilePages' : [ 0x18, ['unsigned long']], 'ModifiedNoWritePages' : [ 0x1c, ['unsigned long']], 'MdlHack' : [ 0x20, ['__unnamed_14e5']], } ], '_HHIVE' : [ 0x2e8, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]], 'Allocate' : [ 0xc, ['pointer', ['void']]], 'Free' : [ 0x10, ['pointer', ['void']]], 'FileSetSize' : [ 0x14, ['pointer', ['void']]], 'FileWrite' : [ 0x18, ['pointer', ['void']]], 'FileRead' : [ 0x1c, ['pointer', ['void']]], 'FileFlush' : [ 0x20, ['pointer', ['void']]], 'BaseBlock' : [ 0x24, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x28, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x30, ['unsigned long']], 'DirtyAlloc' : [ 0x34, ['unsigned long']], 'BaseBlockAlloc' : [ 0x38, ['unsigned long']], 'Cluster' : [ 0x3c, ['unsigned long']], 'Flat' : [ 0x40, ['unsigned char']], 'ReadOnly' : [ 0x41, ['unsigned char']], 'DirtyFlag' : [ 0x42, ['unsigned char']], 'HvBinHeadersUse' : [ 0x44, ['unsigned long']], 'HvFreeCellsUse' : [ 0x48, ['unsigned long']], 'HvUsedCellsUse' : [ 0x4c, ['unsigned long']], 'CmUsedCellsUse' : [ 0x50, ['unsigned long']], 'HiveFlags' : [ 0x54, ['unsigned long']], 'CurrentLog' : [ 0x58, ['unsigned long']], 'LogSize' : [ 0x5c, ['array', 2, 
['unsigned long']]], 'RefreshCount' : [ 0x64, ['unsigned long']], 'StorageTypeCount' : [ 0x68, ['unsigned long']], 'Version' : [ 0x6c, ['unsigned long']], 'Storage' : [ 0x70, ['array', 2, ['_DUAL']]], } ], '_iobuf' : [ 0x20, { '_ptr' : [ 0x0, ['pointer', ['unsigned char']]], '_cnt' : [ 0x4, ['long']], '_base' : [ 0x8, ['pointer', ['unsigned char']]], '_flag' : [ 0xc, ['long']], '_file' : [ 0x10, ['long']], '_charbuf' : [ 0x14, ['long']], '_bufsiz' : [ 0x18, ['long']], '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]], } ], '_CM_VIEW_OF_FILE' : [ 0x30, { 'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'PinnedViewLinks' : [ 0x8, ['_LIST_ENTRY']], 'FlushedViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'CmHive' : [ 0x18, ['pointer', ['_CMHIVE']]], 'Bcb' : [ 0x1c, ['pointer', ['void']]], 'ViewAddress' : [ 0x20, ['pointer', ['void']]], 'FileOffset' : [ 0x24, ['unsigned long']], 'Size' : [ 0x28, ['unsigned long']], 'UseCount' : [ 0x2c, ['unsigned long']], } ], '_TEB' : [ 0xff8, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes1' : [ 0x1ac, ['array', 36, 
['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['pointer', ['void']]]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['pointer', ['void']]], 'EtwLocalData' : [ 0xf64, ['pointer', ['void']]], 'EtwTraceData' : [ 0xf68, ['pointer', ['void']]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'SpareBool0' : [ 0xf74, ['unsigned char']], 'SpareBool1' : [ 0xf75, ['unsigned char']], 'SpareBool2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', 
['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['pointer', ['void']]], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['pointer', ['void']]], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], 'PreferredLanguages' : [ 0xfb8, ['pointer', ['void']]], 'UserPrefLanguages' : [ 0xfbc, ['pointer', ['void']]], 'MergedPrefLanguages' : [ 0xfc0, ['pointer', ['void']]], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'DbgSafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0xfca, ['BitField', 
dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['pointer', ['void']]], 'TxnScopeExitCallback' : [ 0xfd0, ['pointer', ['void']]], 'TxnScopeContext' : [ 0xfd4, ['pointer', ['void']]], 'LockCount' : [ 0xfd8, ['unsigned long']], 'ProcessRundown' : [ 0xfdc, ['unsigned long']], 'LastSwitchTime' : [ 0xfe0, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0xfe8, ['unsigned long long']], 'WaitReasonBitMap' : [ 0xff0, ['_LARGE_INTEGER']], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['long']], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'Object' : [ 0xc, ['pointer', ['void']]], 'NextWaitBlock' : [ 0x10, ['pointer', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x14, ['unsigned short']], 'WaitType' : [ 0x16, ['unsigned char']], 'SpareByte' : [ 0x17, ['unsigned char']], } ], '_KTIMER_TABLE_ENTRY' : [ 0x10, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'Time' : [ 0x8, ['_ULARGE_INTEGER']], } ], '__unnamed_15bd' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'PStateDomain' : [ 0x0, ['BitField', dict(start_bit = 0, 
end_bit = 1, native_type='unsigned short')]], 'PStateDomainIdleAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], '_PROCESSOR_POWER_STATE' : [ 0xe0, { 'IdleFunction' : [ 0x0, ['pointer', ['void']]], 'IdleStates' : [ 0x4, ['pointer', ['PPM_IDLE_STATES']]], 'LastTimeCheck' : [ 0x8, ['unsigned long long']], 'LastIdleTime' : [ 0x10, ['unsigned long long']], 'IdleTimes' : [ 0x18, ['PROCESSOR_IDLE_TIMES']], 'IdleAccounting' : [ 0x38, ['pointer', ['PPM_IDLE_ACCOUNTING']]], 'PerfStates' : [ 0x3c, ['pointer', ['PPM_PERF_STATES']]], 'LastKernelUserTime' : [ 0x40, ['unsigned long']], 'LastIdleThreadKTime' : [ 0x44, ['unsigned long']], 'LastGlobalTimeHv' : [ 0x48, ['unsigned long long']], 'LastProcessorTimeHv' : [ 0x50, ['unsigned long long']], 'ThermalConstraint' : [ 0x58, ['unsigned char']], 'LastBusyPercentage' : [ 0x59, ['unsigned char']], 'Flags' : [ 0x5a, ['__unnamed_15bd']], 'PerfTimer' : [ 0x60, ['_KTIMER']], 'PerfDpc' : [ 0x88, ['_KDPC']], 'LastSysTime' : [ 0xa8, ['unsigned long']], 'PStateMaster' : [ 0xac, ['pointer', ['_KPRCB']]], 'PStateSet' : [ 0xb0, ['unsigned long']], 'CurrentPState' : [ 0xb4, ['unsigned long']], 'Reserved0' : [ 0xb8, ['unsigned long']], 'DesiredPState' : [ 0xbc, ['unsigned long']], 'Reserved1' : [ 0xc0, ['unsigned long']], 'PStateIdleStartTime' : [ 0xc4, ['unsigned long']], 'PStateIdleTime' : [ 0xc8, ['unsigned long']], 'LastPStateIdleTime' : [ 0xcc, ['unsigned long']], 'PStateStartTime' : [ 0xd0, ['unsigned long']], 'WmiDispatchPtr' : [ 0xd4, ['unsigned long']], 'WmiInterfaceEnabled' : [ 0xd8, ['long']], } ], '__unnamed_15c4' : [ 0x208, { 'FnArea' : [ 0x0, ['_FNSAVE_FORMAT']], 'FxArea' : [ 0x0, ['_FXSAVE_FORMAT']], } ], '_FX_SAVE_AREA' : [ 0x210, { 'U' : [ 0x0, ['__unnamed_15c4']], 'NpxSavedCpu' : [ 0x208, ['unsigned long']], 'Cr0NpxState' : [ 0x20c, ['unsigned long']], } ], 
'_KERNEL_STACK_CONTROL' : [ 0x1c, { 'PreviousTrapFrame' : [ 0x0, ['pointer', ['_KTRAP_FRAME']]], 'PreviousExceptionList' : [ 0x0, ['pointer', ['void']]], 'StackControlFlags' : [ 0x4, ['unsigned long']], 'PreviousLargeStack' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousSegmentsPresent' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExpandCalloutStack' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Previous' : [ 0x8, ['_KERNEL_STACK_SEGMENT']], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x2c, { 'SpinLock' : [ 0x0, ['unsigned long']], 'DispatchedCount' : [ 0x4, ['unsigned long']], 'DispatchedList' : [ 0x8, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x10, ['_KSEMAPHORE']], 'CompletedList' : [ 0x24, ['_LIST_ENTRY']], } ], '__unnamed_15ed' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_15ed']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 
0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '__unnamed_15ff' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1601' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_1605' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x158, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'Level' : [ 0x10, ['unsigned long']], 'Notify' : [ 0x14, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x38, ['_PO_IRP_MANAGER']], 'State' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = 
{768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x50, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0xa0, ['unsigned long']], 'CompletionStatus' : [ 0xa4, ['long']], 'PendingIrp' : [ 0xa8, ['pointer', ['_IRP']]], 'Flags' : [ 0xac, ['unsigned long']], 'UserFlags' : [ 0xb0, ['unsigned long']], 'Problem' : [ 0xb4, ['unsigned long']], 'PhysicalDeviceObject' : [ 0xb8, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0xbc, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0xc0, ['pointer', ['_CM_RESOURCE_LIST']]], 
'InstancePath' : [ 0xc4, ['_UNICODE_STRING']], 'ServiceName' : [ 0xcc, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0xd4, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xd8, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xdc, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xe0, ['unsigned long']], 'ChildInterfaceType' : [ 0xe4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0xe8, ['unsigned long']], 'ChildBusTypeIndex' : [ 0xec, ['unsigned short']], 'RemovalPolicy' : [ 0xee, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0xef, ['unsigned char']], 'TargetDeviceNotify' : [ 0xf0, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0xf8, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x100, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x108, ['unsigned short']], 'QueryTranslatorMask' : [ 0x10a, ['unsigned short']], 'NoArbiterMask' : [ 0x10c, ['unsigned short']], 'QueryArbiterMask' : [ 0x10e, ['unsigned short']], 'OverUsed1' : [ 0x110, ['__unnamed_15ff']], 'OverUsed2' : [ 0x114, ['__unnamed_1601']], 'BootResources' : [ 0x118, ['pointer', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x11c, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x120, ['unsigned long']], 'DockInfo' : [ 0x124, ['__unnamed_1605']], 'DisableableDepends' : [ 0x134, ['unsigned long']], 'PendedSetInterfaceState' 
: [ 0x138, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x140, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x148, ['unsigned long']], 'PreviousParent' : [ 0x14c, ['pointer', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x150, ['unsigned long']], 'NumaNodeIndex' : [ 0x154, ['unsigned long']], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0xc, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x28, { 'PhysicalDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x4, ['unsigned long']], 'AllocationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0xc, ['unsigned long']], 'Position' : [ 0x10, ['unsigned long']], 'ResourceRequirements' : [ 0x14, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x18, ['pointer', ['void']]], 'ResourceAssignment' : [ 0x1c, ['pointer', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x20, ['pointer', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x24, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, 
['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 
'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 
'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_16aa' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, 
['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_16aa']], } ], '__unnamed_16b1' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_16b1']], } ], '_VOLUME_CACHE_MAP' : [ 0x18, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0xc, ['_LIST_ENTRY']], 'Flags' : [ 0x14, ['unsigned long']], } ], 
'_SHARED_CACHE_MAP' : [ 0x140, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObjectFastRef' : [ 0x44, ['_EX_FAST_REF']], 'ActiveVacb' : [ 0x48, ['pointer', ['_VACB']]], 'NeedToZero' : [ 0x4c, ['pointer', ['void']]], 'ActivePage' : [ 0x50, ['unsigned long']], 'NeedToZeroPage' : [ 0x54, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x58, ['unsigned long']], 'VacbActiveCount' : [ 0x5c, ['unsigned long']], 'DirtyPages' : [ 0x60, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x64, ['_LIST_ENTRY']], 'Flags' : [ 0x6c, ['unsigned long']], 'Status' : [ 0x70, ['long']], 'Mbcb' : [ 0x74, ['pointer', ['_MBCB']]], 'Section' : [ 0x78, ['pointer', ['void']]], 'CreateEvent' : [ 0x7c, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x80, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x84, ['unsigned long']], 'BeyondLastFlush' : [ 0x88, ['long long']], 'Callbacks' : [ 0x90, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x94, ['pointer', ['void']]], 'PrivateList' : [ 0x98, ['_LIST_ENTRY']], 'LogHandle' : [ 0xa0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0xa4, ['pointer', ['void']]], 'DirtyPageThreshold' : [ 0xa8, ['unsigned long']], 'LazyWritePassCount' : [ 0xac, ['unsigned long']], 'UninitializeEvent' : [ 0xb0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0xb4, ['pointer', ['_VACB']]], 'BcbSpinLock' : [ 0xb8, ['unsigned long']], 'Reserved' : [ 0xbc, ['pointer', ['void']]], 'Event' : [ 0xc0, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0xd0, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0xd8, ['_PRIVATE_CACHE_MAP']], 
'WriteBehindWorkQueueEntry' : [ 0x130, ['pointer', ['void']]], 'VolumeCacheMap' : [ 0x134, ['pointer', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x138, ['unsigned long']], 'MappedWritesInProgress' : [ 0x13c, ['unsigned long']], } ], '__unnamed_16f2' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x20, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_16f2']], 'LruList' : [ 0x10, ['_LIST_ENTRY']], 'ArrayHead' : [ 0x18, ['pointer', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_1700' : [ 0x4, { 'FileObject' : [ 0x0, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_1702' : [ 0x4, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1704' : [ 0x4, { 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], } ], '__unnamed_1706' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_1708' : [ 0x4, { 'Read' : [ 0x0, ['__unnamed_1700']], 'Write' : [ 0x0, ['__unnamed_1702']], 'Event' : [ 0x0, ['__unnamed_1704']], 'Notification' : [ 0x0, ['__unnamed_1706']], } ], '_WORK_QUEUE_ENTRY' : [ 0x18, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'CoalescedWorkQueueLinks' : [ 0x8, ['_LIST_ENTRY']], 'Parameters' : [ 0x10, ['__unnamed_1708']], 'Function' : [ 0x14, ['unsigned char']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_HEAP_LIST_LOOKUP' : [ 0x24, { 'ExtendedLookup' : [ 0x0, ['pointer', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x4, ['unsigned long']], 'ExtraItem' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['unsigned long']], 'OutOfRangeItems' : [ 0x10, ['unsigned long']], 'BaseIndex' : [ 0x14, ['unsigned long']], 'ListHead' : [ 0x18, ['pointer', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x1c, ['pointer', ['unsigned long']]], 'ListHints' : [ 0x20, ['pointer', ['pointer', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x130, { 
'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], 'Flags' : [ 0x40, ['unsigned long']], 'ForceFlags' : [ 0x44, ['unsigned long']], 'CompatibilityFlags' : [ 0x48, ['unsigned long']], 'EncodeFlagMask' : [ 0x4c, ['unsigned long']], 'Encoding' : [ 0x50, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x58, ['unsigned long']], 'Interceptor' : [ 0x5c, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x60, ['unsigned long']], 'Signature' : [ 0x64, ['unsigned long']], 'SegmentReserve' : [ 0x68, ['unsigned long']], 'SegmentCommit' : [ 0x6c, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x70, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x74, ['unsigned long']], 'TotalFreeSize' : [ 0x78, ['unsigned long']], 'MaximumAllocationSize' : [ 0x7c, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x80, ['unsigned short']], 'HeaderValidateLength' : [ 0x82, ['unsigned short']], 'HeaderValidateCopy' : [ 0x84, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x88, ['unsigned short']], 'MaximumTagIndex' : [ 0x8a, ['unsigned short']], 'TagEntries' : [ 0x8c, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0x90, ['_LIST_ENTRY']], 'AlignRound' : [ 0x98, ['unsigned long']], 'AlignMask' : [ 0x9c, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0xa0, ['_LIST_ENTRY']], 'SegmentList' : [ 0xa8, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0xb0, ['unsigned short']], 
'NonDedicatedListLength' : [ 0xb4, ['unsigned long']], 'BlocksIndex' : [ 0xb8, ['pointer', ['void']]], 'UCRIndex' : [ 0xbc, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0xc0, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0xc4, ['_LIST_ENTRY']], 'LockVariable' : [ 0xcc, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xd0, ['pointer', ['void']]], 'FrontEndHeap' : [ 0xd4, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0xd8, ['unsigned short']], 'FrontEndHeapType' : [ 0xda, ['unsigned char']], 'Counters' : [ 0xdc, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x124, ['_HEAP_TUNING_PARAMETERS']], } ], '_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x40, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 
'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x68, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'LoadedImports' : [ 0x44, ['pointer', ['void']]], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x4c, ['pointer', 
['void']]], 'ForwarderLinks' : [ 0x50, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0x58, ['_LIST_ENTRY']], 'StaticLinks' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_SUBSEGMENT' : [ 0x20, { 'LocalInfo' : [ 0x0, ['pointer', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x4, ['pointer', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x8, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x10, ['unsigned short']], 'Flags' : [ 0x12, ['unsigned short']], 'BlockCount' : [ 0x14, ['unsigned short']], 'SizeIndex' : [ 0x16, ['unsigned char']], 'AffinityIndex' : [ 0x17, ['unsigned char']], 'Alignment' : [ 0x10, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x1c, ['unsigned long']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x270, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x8, ['pointer', ['void']]], 'LoggerThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'LoggerStatus' : [ 0x10, ['long']], 'LoggerId' : [ 0x14, ['unsigned long']], 'NBQHead' : [ 0x18, ['pointer', ['void']]], 'OverflowNBQHead' : [ 0x1c, ['pointer', ['void']]], 'QueueBlockFreeList' : [ 0x20, ['_SLIST_HEADER']], 'GlobalList' : [ 0x28, ['_SLIST_HEADER']], 'LoggerName' : [ 0x30, ['_UNICODE_STRING']], 'LogFileName' : [ 0x38, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x40, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x48, ['_UNICODE_STRING']], 'ClockType' : [ 0x50, 
['unsigned long']], 'CollectionOn' : [ 0x54, ['long']], 'MaximumFileSize' : [ 0x58, ['unsigned long']], 'LoggerMode' : [ 0x5c, ['unsigned long']], 'LastFlushedBuffer' : [ 0x60, ['unsigned long']], 'FlushTimer' : [ 0x64, ['unsigned long']], 'ByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'FlushTimeStamp' : [ 0x70, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0x78, ['unsigned long']], 'BuffersAvailable' : [ 0x7c, ['long']], 'NumberOfBuffers' : [ 0x80, ['long']], 'MaximumBuffers' : [ 0x84, ['unsigned long']], 'EventsLost' : [ 0x88, ['unsigned long']], 'BuffersWritten' : [ 0x8c, ['unsigned long']], 'LogBuffersLost' : [ 0x90, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0x94, ['unsigned long']], 'RealTimeBuffersLost' : [ 0x98, ['unsigned long']], 'BufferSize' : [ 0x9c, ['unsigned long']], 'MaximumEventSize' : [ 0xa0, ['unsigned long']], 'SequencePtr' : [ 0xa4, ['pointer', ['long']]], 'LocalSequence' : [ 0xa8, ['unsigned long']], 'InstanceGuid' : [ 0xac, ['_GUID']], 'GetCpuClock' : [ 0xbc, ['pointer', ['void']]], 'FileCounter' : [ 0xc0, ['long']], 'BufferCallback' : [ 0xc4, ['pointer', ['void']]], 'PoolType' : [ 0xc8, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0xd0, ['_ETW_REF_CLOCK']], 'RealtimeLoggerContextFreed' : [ 0xe0, ['unsigned char']], 'Consumers' : [ 0xe4, ['_LIST_ENTRY']], 'NumConsumers' : [ 0xec, ['unsigned long']], 'Connecting' : [ 0xf0, ['_LIST_ENTRY']], 'NewConsumer' : [ 0xf8, ['unsigned char']], 'RealtimeLogfileHandle' : [ 0xfc, ['pointer', ['void']]], 'RealtimeLogfileName' : [ 0x100, 
['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x108, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x110, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x118, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x120, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x128, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x130, ['_ETW_REF_CLOCK']], 'RealtimeDisconnectProcessId' : [ 0x140, ['unsigned long']], 'RealtimeDisconnectConsumerId' : [ 0x144, ['unsigned long']], 'NewRTEventsLost' : [ 0x148, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x14c, ['_KEVENT']], 'FlushEvent' : [ 0x15c, ['_KEVENT']], 'FlushDpc' : [ 0x16c, ['_KDPC']], 'LoggerMutex' : [ 0x18c, ['_KMUTANT']], 'ClientSecurityContext' : [ 0x1ac, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x1e8, ['_EX_FAST_REF']], 'DummyBufferForMarker' : [ 0x1f0, ['_WMI_BUFFER_HEADER']], 'BufferSequenceNumber' : [ 0x238, ['long long']], 'AcceptNewEvents' : [ 0x240, ['long']], 'Flags' : [ 0x244, ['unsigned long']], 'Persistent' : [ 0x244, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x244, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x244, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x244, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x244, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x244, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x244, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'RequestFlag' : [ 0x248, ['unsigned long']], 'RequestNewFie' : [ 0x248, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RequestUpdateFile' 
: [ 0x248, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x248, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 0x248, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequestDisconnectConsumer' : [ 0x248, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'StackTraceFilterHookCount' : [ 0x24c, ['unsigned short']], 'StackTraceFilter' : [ 0x24e, ['array', 16, ['unsigned short']]], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'Wnode' : [ 0x0, ['_WNODE_HEADER']], 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'Spare0' : [ 0x20, ['unsigned long']], 'Spare1' : [ 0x24, ['unsigned long']], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'StartTime' : [ 0x38, ['_LARGE_INTEGER']], 'Entry' : [ 0x38, ['_LIST_ENTRY']], 'SlistEntry' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x38, ['pointer', ['_WMI_BUFFER_HEADER']]], 'GlobalEntry' : [ 0x3c, ['_SINGLE_LIST_ENTRY']], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, 
['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, ['unsigned long long']], 'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_ETW_GUID_ENTRY' : [ 0x158, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x8, ['long']], 'Guid' : [ 0xc, ['_GUID']], 'RegListHead' : [ 0x1c, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x24, ['pointer', ['void']]], 'LegacyEnableContext' : [ 0x28, ['_TRACE_ENABLE_CONTEXT']], 'LegacyProviderEnabled' : [ 0x30, ['unsigned long']], 'ProviderEnableInfo' : [ 0x38, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x58, ['array', 8, ['_TRACE_ENABLE_INFO']]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x1e8, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'ModifiedId' : [ 0x34, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, 
['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : [ 0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned long']], 'UserAndGroups' : [ 0x90, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x94, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x98, ['pointer', ['void']]], 'DynamicPart' : [ 0x9c, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0xa0, ['pointer', ['_ACL']]], 'TokenType' : [ 0xa4, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xac, ['unsigned long']], 'TokenInUse' : [ 0xb0, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xb4, ['unsigned long']], 'MandatoryPolicy' : [ 0xb8, ['unsigned long']], 'ProxyData' : [ 0xbc, ['pointer', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0xc0, ['pointer', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'LogonSession' : [ 0xc4, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc8, ['_LUID']], 'SidHash' : [ 0xd0, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x158, ['_SID_AND_ATTRIBUTES_HASH']], 'VariablePart' : [ 0x1e0, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x34, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'BuddyLogonId' : [ 0xc, ['_LUID']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'pDeviceMap' : [ 0x1c, ['pointer', ['_DEVICE_MAP']]], 'Token' : [ 0x20, ['pointer', ['void']]], 'AccountName' : [ 0x24, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x2c, 
['_UNICODE_STRING']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x4, { 'ImpersonationData' : [ 0x0, ['unsigned long']], 'ImpersonationToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '_MMVAD_FLAGS3' : [ 0x4, { 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned long')]], 'SequentialAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long')]], 'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]], 'CheckSum' : [ 0x1fc, 
['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerEntry' : [ 0x18, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x28, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x2c, ['unsigned long']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, 
native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'reserved' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DUAL' : [ 0x13c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x130, ['unsigned long']], 'FreeBins' : [ 0x134, ['_LIST_ENTRY']], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'Abandoned' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'NpxIrql' : [ 0x1, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Hand' : [ 0x2, ['unsigned char']], 'Inserted' : [ 0x3, ['unsigned char']], 'DebugActive' : [ 0x3, ['unsigned char']], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'DontUse0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Spare0' : [ 
0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'PointerProtoPte' : [ 0x4, ['pointer', ['void']]], } ], '_HEAP_COUNTERS' : [ 0x48, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long']], 'TotalMemoryCommitted' : [ 0x4, ['unsigned long']], 'TotalMemoryLargeUCR' : [ 0x8, ['unsigned long']], 'TotalSizeInVirtualBlocks' : [ 0xc, ['unsigned long']], 'TotalSegments' : [ 0x10, ['unsigned long']], 'TotalUCRs' : [ 0x14, ['unsigned long']], 'CommittOps' : [ 0x18, ['unsigned long']], 'DeCommitOps' : [ 0x1c, ['unsigned long']], 'LockAcquires' : [ 0x20, ['unsigned long']], 'LockCollisions' : [ 0x24, ['unsigned long']], 'CommitRate' : [ 0x28, ['unsigned long']], 'DecommittRate' : [ 0x2c, ['unsigned long']], 'CommitFailures' : [ 0x30, ['unsigned long']], 'InBlockCommitFailures' : [ 0x34, ['unsigned long']], 'CompactHeapCalls' : [ 0x38, ['unsigned long']], 'CompactedUCRs' : [ 0x3c, ['unsigned long']], 'InBlockDeccommits' : [ 0x40, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x44, ['unsigned long']], } ], '_SYSPTES_HEADER' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x8, ['unsigned long']], 'NumberOfEntries' : [ 0xc, ['unsigned long']], 'NumberOfEntriesPeak' : [ 0x10, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_PERFINFO_HARDPAGEFAULT_INFORMATION' : [ 0x18, { 'ReadOffset' : [ 0x0, ['_LARGE_INTEGER']], 'VirtualAddress' : [ 0x8, ['pointer', ['void']]], 'FileObject' : [ 0xc, ['pointer', ['void']]], 'ThreadId' : [ 0x10, ['unsigned long']], 'ByteCount' : [ 0x14, ['unsigned long']], } ], '_I386_LOADER_BLOCK' : [ 0xc, { 'CommonDataArea' : [ 0x0, ['pointer', ['void']]],
'MachineType' : [ 0x4, ['unsigned long']], 'VirtualBias' : [ 0x8, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_ARC_DISK_INFORMATION' : [ 0x8, { 'DiskSignatures' : [ 0x0, ['_LIST_ENTRY']], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x8, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x4, ['unsigned long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_WHEA_NMI_ERROR' : [ 0x8, { 'Data' : [ 0x0, ['array', 8, ['unsigned char']]], } ], '_HANDLE_TABLE' : [ 0x38, { 'TableCode' : [ 0x0, ['unsigned long']], 'QuotaProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x8, ['pointer', ['void']]], 'HandleLock' : [ 0xc, ['_EX_PUSH_LOCK']], 'HandleTableList' : [ 0x10, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x18, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x1c, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'StrictFIFO' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FirstFreeHandle' : [ 0x28, ['long']], 'LastFreeHandleEntry' : [ 0x2c, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x30, ['long']], 'NextHandleNeedingPool' : [ 0x34, ['unsigned long']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['unsigned long']], 'PoolType' : [ 0x8, ['unsigned long']], 'NumberOfBytes' : [ 0xc, ['unsigned long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, 
['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_VI_CANCEL_GLOBALS' : [ 0x6c, { 'CancelLock' : [ 0x0, ['unsigned long']], 'IssueLock' : [ 0x4, ['unsigned long']], 'Counters' : [ 0x8, ['array', 25, ['long']]], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_CM_KEY_BODY' : [ 0x30, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'KeyBodyList' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'KtmTrans' : [ 0x1c, ['pointer', ['void']]], 'KtmUow' : [ 0x20, ['pointer', ['_GUID']]], 'KeyBodyLock' : [ 0x24, ['_EX_PUSH_LOCK']], 'ContextListHead' : [ 
0x28, ['_LIST_ENTRY']], } ], '_MMPTE_PROTOTYPE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProtoAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 9, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtoAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_THERMAL_INFORMATION_EX' : [ 0x50, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x4c, ['unsigned long']], } ], '__unnamed_188f' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1891' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, 
['__unnamed_188f']], 'Private' : [ 0x0, ['__unnamed_1891']], } ], '_VI_VERIFIER_ISSUE' : [ 0x10, { 'IssueType' : [ 0x0, ['unsigned long']], 'Address' : [ 0x4, ['pointer', ['void']]], 'Parameters' : [ 0x8, ['array', 2, ['unsigned long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '_CMHIVE' : [ 0x5d0, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x2e8, ['array', 6, ['pointer', ['void']]]], 'NotifyList' : [ 0x300, ['_LIST_ENTRY']], 'HiveList' : [ 0x308, ['_LIST_ENTRY']], 'HiveLock' : [ 0x310, ['pointer', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x314, ['pointer', ['_FAST_MUTEX']]], 'WriterLock' : [ 0x318, ['pointer', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x31c, ['_EX_PUSH_LOCK']], 'SecurityLock' : [ 0x320, ['_EX_PUSH_LOCK']], 'MappedViewList' : [ 
0x324, ['_LIST_ENTRY']], 'PinnedViewList' : [ 0x32c, ['_LIST_ENTRY']], 'FlushedViewList' : [ 0x334, ['_LIST_ENTRY']], 'MappedViewCount' : [ 0x33c, ['unsigned short']], 'PinnedViewCount' : [ 0x33e, ['unsigned short']], 'UseCount' : [ 0x340, ['unsigned long']], 'ViewsPerHive' : [ 0x344, ['unsigned long']], 'FileObject' : [ 0x348, ['pointer', ['_FILE_OBJECT']]], 'LastShrinkHiveSize' : [ 0x34c, ['unsigned long']], 'ActualFileSize' : [ 0x350, ['_LARGE_INTEGER']], 'FileFullPath' : [ 0x358, ['_UNICODE_STRING']], 'FileUserName' : [ 0x360, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x368, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x370, ['unsigned long']], 'SecurityCacheSize' : [ 0x374, ['unsigned long']], 'SecurityHitHint' : [ 0x378, ['long']], 'SecurityCache' : [ 0x37c, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x380, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0x580, ['unsigned long']], 'UnloadEventArray' : [ 0x584, ['pointer', ['pointer', ['_KEVENT']]]], 'RootKcb' : [ 0x588, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x58c, ['unsigned char']], 'UnloadWorkItem' : [ 0x590, ['pointer', ['_CM_WORKITEM']]], 'GrowOnlyMode' : [ 0x594, ['unsigned char']], 'GrowOffset' : [ 0x598, ['unsigned long']], 'KcbConvertListHead' : [ 0x59c, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0x5a4, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x5ac, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0x5b0, ['unsigned long']], 'TrustClassEntry' : [ 0x5b4, ['_LIST_ENTRY']], 'FlushCount' : [ 0x5bc, ['unsigned long']], 'CmRm' : [ 0x5c0, ['pointer', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0x5c4, ['unsigned long']], 'CmRmInitFailStatus' : [ 0x5c8, ['long']], 'CreatorOwner' : [ 0x5cc, ['pointer', ['_KTHREAD']]], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0xc, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x4, ['pointer', ['void']]], 'ReferenceCount' : [ 0x8, ['long']], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, 
['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['wchar']]], } ], '__unnamed_18b9' : [ 0x8, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_18bf' : [ 0x4, { 'Banked' : [ 0x0, ['pointer', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x3c, { 'u1' : [ 0x0, ['__unnamed_14a3']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_14a6']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_14a9']], 'u2' : [ 0x20, ['__unnamed_14b3']], 'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]], 'u3' : [ 0x30, ['__unnamed_18b9']], 'u4' : [ 0x38, ['__unnamed_18bf']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 12, native_type='unsigned long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '_EJOB' : [ 0x128, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 
'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x70, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0x78, ['unsigned long']], 'TotalProcesses' : [ 0x7c, ['unsigned long']], 'ActiveProcesses' : [ 0x80, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x84, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x88, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0x90, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0x98, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x9c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0xa0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xa4, ['unsigned long']], 'Affinity' : [ 0xa8, ['unsigned long']], 'PriorityClass' : [ 0xac, ['unsigned char']], 'AccessState' : [ 0xb0, ['pointer', ['_JOB_ACCESS_STATE']]], 'UIRestrictionsClass' : [ 0xb4, ['unsigned long']], 'EndOfJobTimeAction' : [ 0xb8, ['unsigned long']], 'CompletionPort' : [ 0xbc, ['pointer', ['void']]], 'CompletionKey' : [ 0xc0, ['pointer', ['void']]], 'SessionId' : [ 0xc4, ['unsigned long']], 'SchedulingClass' : [ 0xc8, ['unsigned long']], 'ReadOperationCount' : [ 0xd0, ['unsigned long long']], 'WriteOperationCount' : [ 0xd8, ['unsigned long long']], 'OtherOperationCount' : [ 0xe0, ['unsigned long long']], 'ReadTransferCount' : [ 0xe8, ['unsigned long long']], 'WriteTransferCount' : [ 0xf0, ['unsigned long long']], 'OtherTransferCount' : [ 0xf8, ['unsigned long long']], 'ProcessMemoryLimit' : [ 0x100, ['unsigned long']], 'JobMemoryLimit' : [ 0x104, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x108, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x10c, ['unsigned long']], 'CurrentJobMemoryUsed' : [ 0x110, ['unsigned long']], 'MemoryLimitsLock' : [ 0x114, ['_EX_PUSH_LOCK']], 'JobSetLinks' : [ 0x118, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x120, ['unsigned long']], 'JobFlags' 
: [ 0x124, ['unsigned long']], } ], '__unnamed_18ce' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], 'PPM_IDLE_STATES' : [ 0x3c, { 'Type' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['__unnamed_18ce']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'TargetProcessors' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['array', 1, ['PPM_IDLE_STATE']]], } ], '_PEB' : [ 0x238, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x20, ['pointer', ['void']]], 'IFEOKey' : [ 0x24, 
['pointer', ['void']]], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'UserSharedInfoPtr' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x34, ['unsigned long']], 'FreeList' : [ 0x38, ['pointer', ['_PEB_FREE_BLOCK']]], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'HotpatchInformation' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 
'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['pointer', ['void']]], 'WerShipAssertPtr' : [ 0x234, ['pointer', ['void']]], } ], '__unnamed_18e8' : [ 0x10, { 'EfiInformation' : [ 0x0, ['_EFI_FIRMWARE_INFORMATION']], 'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']], } ], '_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x14, { 'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x4, ['__unnamed_18e8']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x8, ['_LIST_ENTRY']], 'Address' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '__unnamed_18ef' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_18f5' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_18f7' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_18ef']], 'Bits' : [ 0x0, ['__unnamed_18f5']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_18f7']], } ], '_POOL_DESCRIPTOR' : [ 0x1034, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 
3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['long']], 'RunningDeAllocs' : [ 0xc, ['long']], 'TotalPages' : [ 0x10, ['long']], 'TotalBigPages' : [ 0x14, ['long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x1c, ['pointer', ['void']]], 'PendingFrees' : [ 0x20, ['pointer', ['pointer', ['void']]]], 'ThreadsProcessingDeferrals' : [ 0x24, ['long']], 'PendingFreeDepth' : [ 0x28, ['long']], 'TotalBytes' : [ 0x2c, ['unsigned long']], 'Spare0' : [ 0x30, ['unsigned long']], 'ListHeads' : [ 0x34, ['array', 512, ['_LIST_ENTRY']]], } ], '_KGATE' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x88, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['unsigned short']], 'Reserved1' : [ 0x6, ['unsigned short']], 'Reserved2' : [ 0x8, ['unsigned short']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ValidationBits' : [ 0x10, ['unsigned long']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_LARGE_INTEGER']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['unsigned long']], 'PersistenceInfo' : [ 0x70, ['_WHEA_PERSISTENCE_INFO']], 'Reserved3' : [ 0x78, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : 
[ 0x4, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0xc, ['unsigned long']], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0x270, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'MessageServiceRoutine' : [ 0x10, ['pointer', ['void']]], 'MessageIndex' : [ 0x14, ['unsigned long']], 'ServiceContext' : [ 0x18, ['pointer', ['void']]], 'SpinLock' : [ 0x1c, ['unsigned long']], 'TickCount' : [ 0x20, ['unsigned long']], 'ActualLock' : [ 0x24, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x28, ['pointer', ['void']]], 'Vector' : [ 0x2c, ['unsigned long']], 'Irql' : [ 0x30, ['unsigned char']], 'SynchronizeIrql' : [ 0x31, ['unsigned char']], 'FloatingSave' : [ 0x32, ['unsigned char']], 'Connected' : [ 0x33, ['unsigned char']], 'Number' : [ 0x34, ['unsigned char']], 'ShareVector' : [ 0x35, ['unsigned char']], 'Mode' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x40, ['unsigned long']], 'DispatchCount' : [ 0x44, ['unsigned long']], 'Rsvd1' : [ 0x48, ['unsigned long long']], 'DispatchCode' : [ 0x50, ['array', 135, ['unsigned long']]], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 
'Object' : [ 0x0, ['pointer', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], 'GrantedAccessIndex' : [ 0x4, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x6, ['unsigned short']], 'NextFreeTableEntry' : [ 0x4, ['long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x20, { 'FileName' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'RegRootName' : [ 0x8, ['pointer', ['unsigned short']]], 'CmHive' : [ 0xc, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0x10, ['unsigned long']], 'CmHiveFlags' : [ 0x14, ['unsigned long']], 'CmHive2' : [ 0x18, ['pointer', ['_CMHIVE']]], 'ThreadFinished' : [ 0x1c, ['unsigned char']], 'ThreadStarted' : [ 0x1d, ['unsigned char']], 'Allocate' : [ 0x1e, ['unsigned char']], 'WinPERequired' : [ 0x1f, ['unsigned char']], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, 
['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_MMPTE_HARDWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned 
long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x100, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'StackTrace' : [ 0x4, ['array', 63, ['pointer', ['void']]]], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 
'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_WHEA_PCIX_BUS_ERROR' : [ 0x48, { 'ValidationBits' : [ 0x0, ['_WHEA_PCIX_BUS_VALIDATION_BITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'ErrorType' : [ 0x10, ['unsigned short']], 'BusId' : [ 0x12, ['unsigned short']], 'Reserved' : [ 0x14, ['unsigned long']], 'BusAddress' : [ 0x18, ['unsigned long long']], 'BusData' : [ 0x20, ['unsigned long long']], 'BusCommand' : [ 0x28, ['unsigned long long']], 'BusRequestorId' : [ 0x30, ['unsigned long long']], 'BusCompleterId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], } ], '_PEB_FREE_BLOCK' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_PEB_FREE_BLOCK']]], 'Size' : [ 0x4, ['unsigned long']], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 
'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_CM_RM' : [ 0x58, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x8, ['_LIST_ENTRY']], 'TmHandle' : [ 0x10, ['pointer', ['void']]], 'Tm' : [ 0x14, ['pointer', ['void']]], 'RmHandle' : [ 0x18, ['pointer', ['void']]], 'KtmRm' : [ 0x1c, ['pointer', ['void']]], 'RefCount' : [ 0x20, ['unsigned long']], 'ContainerNum' : [ 0x24, ['unsigned long']], 'ContainerSize' : [ 0x28, ['unsigned long long']], 'CmHive' : [ 0x30, ['pointer', ['_CMHIVE']]], 'LogFileObject' : [ 0x34, ['pointer', ['void']]], 'MarshallingContext' : [ 0x38, ['pointer', ['void']]], 'RmFlags' : [ 0x3c, ['unsigned long']], 'LogStartStatus1' : [ 0x40, ['long']], 'LogStartStatus2' : [ 0x44, ['long']], 'BaseLsn' : [ 0x48, ['unsigned long long']], 'RmLock' : [ 0x50, ['pointer', ['_ERESOURCE']]], } ], '_MMVAD_FLAGS' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 19, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 23, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '__unnamed_1969' : [ 0x18, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ], '_HEAP_LOCK' : [ 0x18, { 'Lock' : [ 0x0, ['__unnamed_1969']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned 
short']], } ], '_DRIVER_EXTENSION' : [ 0x1c, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x8, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'Flags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x5, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0x6, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'OldIrql' : [ 0x4, ['unsigned char']], 'NewIrql' : [ 0x5, ['unsigned char']], 'Processor' : [ 0x6, ['unsigned char']], 'TickCount' : [ 0x8, ['unsigned long']], 'StackTrace' : [ 0xc, ['array', 5, ['pointer', ['void']]]], } ], '_PEB_LDR_DATA' : [ 0x28, { 'Length' : 
[ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0xc, { 'AnsiCodePageData' : [ 0x0, ['pointer', ['void']]], 'OemCodePageData' : [ 0x4, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x8, ['pointer', ['void']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x90, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0xc, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x14, ['unsigned long']], 'ParentKcb' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x1c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x20, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x24, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x2c, ['pointer', 
['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x2c, ['unsigned long']], 'SubKeyCount' : [ 0x2c, ['unsigned long']], 'KeyBodyListHead' : [ 0x30, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x30, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x38, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'DelayCloseEntry' : [ 0x48, ['pointer', ['void']]], 'KcbLastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x58, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x5a, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x5c, ['unsigned long']], 'KcbUserFlags' : [ 0x60, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x60, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x60, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x60, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KCBUoWListHead' : [ 0x64, ['_LIST_ENTRY']], 'TransKCBOwner' : [ 0x6c, ['pointer', ['_CM_TRANS']]], 'KCBLock' : [ 0x70, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x78, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x80, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x88, ['pointer', ['_CM_TRANS']]], 'FullKCBName' : [ 0x8c, ['pointer', ['_UNICODE_STRING']]], } ], '_MMPTE_SOFTWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', 
['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x18, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x18, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x1c, ['pointer', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : 
[ 0x10, ['long']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x20, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x24, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 
'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, 
['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SessionMaster' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'TrimmerAttached' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'TrimmerDetaching' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 
0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_19f1' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'UsingHypervisor' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], 'PPM_PERF_STATES' : [ 0x68, { 'Count' : [ 0x0, ['unsigned long']], 'MaxFrequency' : [ 0x4, ['unsigned long']], 'MaxPerfState' : [ 0x8, ['unsigned long']], 'MinPerfState' : [ 0xc, ['unsigned long']], 'LowestPState' : [ 0x10, ['unsigned long']], 'IncreaseTime' : [ 0x14, ['unsigned long']], 'DecreaseTime' : [ 0x18, ['unsigned long']], 'BusyAdjThreshold' : [ 0x1c, ['unsigned char']], 'Reserved' : [ 0x1d, ['unsigned char']], 'ThrottleStatesOnly' : [ 0x1e, ['unsigned char']], 'PolicyType' : [ 0x1f, ['unsigned char']], 'TimerInterval' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['__unnamed_19f1']], 'TargetProcessors' : [ 0x28, ['unsigned long']], 'PStateHandler' : [ 0x2c, ['pointer', ['void']]], 'PStateContext' : [ 0x30, ['unsigned long']], 'TStateHandler' : [ 0x34, ['pointer', ['void']]], 'TStateContext' : [ 0x38, ['unsigned long']], 'FeedbackHandler' : [ 0x3c, ['pointer', ['void']]], 'State' : [ 0x40, ['array', 1, ['PPM_PERF_STATE']]], } ], 'PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 
'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [ 0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], 'PPM_IDLE_STATE' : [ 0x20, { 'IdleHandler' : [ 0x0, ['pointer', ['void']]], 'Context' : [ 0x4, ['unsigned long']], 'Latency' : [ 0x8, ['unsigned long']], 'Power' : [ 0xc, ['unsigned long']], 'TimeCheck' : [ 0x10, ['unsigned long']], 'StateFlags' : [ 0x14, ['unsigned long']], 'PromotePercent' : [ 0x18, ['unsigned char']], 'DemotePercent' : [ 0x19, ['unsigned char']], 'PromotePercentBase' : [ 0x1a, ['unsigned char']], 'DemotePercentBase' : [ 0x1b, ['unsigned char']], 'StateType' : [ 0x1c, ['unsigned char']], } ], 'PPM_IDLE_ACCOUNTING' : [ 0x48, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['PPM_IDLE_STATE_ACCOUNTING']]], } ], 'PPM_IDLE_STATE_ACCOUNTING' : [ 0x30, { 'IdleTransitions' : [ 0x0, ['unsigned long']], 'FailedTransitions' : [ 0x4, ['unsigned long']], 'InvalidBucketIndex' : [ 0x8, ['unsigned long']], 'TotalTime' : [ 0x10, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x18, ['array', 6, ['unsigned long']]], } ], 'PROCESSOR_IDLE_TIMES' : [ 0x20, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x10, ['array', 4, ['unsigned long']]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, 
['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 
'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderMaximum'})]], 'BasePage' : [ 0xc, ['unsigned long']], 'PageCount' : [ 0x10, ['unsigned long']], } ], '_WHEA_PCIX_DEVICE_ERROR' : [ 0x68, { 'ValidationBits' : [ 0x0, ['_WHEA_PCIX_DEV_VALIDATION_BITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'IdInfo' : [ 0x10, ['array', 16, ['unsigned char']]], 'MemoryNumber' : [ 0x20, ['unsigned long']], 'IoNumber' : [ 0x24, ['unsigned long']], 'RegisterDataPairs' : [ 0x28, ['array', 64, ['unsigned char']]], } ], '_CM_INTENT_LOCK' : [ 0x8, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x4, ['pointer', ['pointer', ['_CM_KCB_UOW']]]], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_MAPPED_FILE_SEGMENT' : [ 0x28, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'NonExtendedPtes' : [ 0x8, ['unsigned long']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'SegmentFlags' : [ 0x20, ['_SEGMENT_FLAGS']], 'LastSubsectionHint' : [ 
0x24, ['pointer', ['_MSUBSECTION']]], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x10, ['unsigned long']], 'ObjectMask' : [ 0x14, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'OwnerCount' : [ 0x4, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_ETIMER' : [ 0x98, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x28, ['_KAPC']], 'TimerDpc' : [ 0x58, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lock' : [ 0x80, ['unsigned long']], 'Period' : [ 0x84, ['long']], 'ApcAssociated' : [ 0x88, ['unsigned char']], 'WakeTimer' : [ 0x89, ['unsigned char']], 'WakeTimerListEntry' : [ 0x8c, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0xc, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x4, ['_RTL_BITMAP']], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '__unnamed_1a49' : [ 0x4, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_1a49']], 'EndVa' : [ 0x4, ['pointer', ['void']]], } ], '_FNSAVE_FORMAT' : [ 0x6c, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned 
long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], } ], '_ARBITER_INSTANCE' : [ 0x5e8, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'OrderingName' : [ 0xc, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0x10, ['long']], 'Allocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x18, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x1c, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x24, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x2c, ['long']], 'Interface' : [ 0x30, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x34, ['unsigned long']], 'AllocationStack' : [ 0x38, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x3c, ['pointer', ['void']]], 'PackResource' : [ 0x40, ['pointer', ['void']]], 'UnpackResource' : [ 0x44, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x48, ['pointer', ['void']]], 'TestAllocation' : [ 0x4c, ['pointer', ['void']]], 'RetestAllocation' : [ 0x50, ['pointer', ['void']]], 'CommitAllocation' : [ 0x54, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x58, ['pointer', ['void']]], 'BootAllocation' : [ 0x5c, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x60, ['pointer', ['void']]], 'QueryConflict' : [ 0x64, ['pointer', ['void']]], 'AddReserved' : [ 0x68, ['pointer', ['void']]], 'StartArbiter' : [ 0x6c, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x70, ['pointer', ['void']]], 'AllocateEntry' : [ 0x74, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x78, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x7c, ['pointer', ['void']]], 'AddAllocation' : [ 0x80, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x84, ['pointer', 
['void']]], 'OverrideConflict' : [ 0x88, ['pointer', ['void']]], 'InitializeRangeList' : [ 0x8c, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x90, ['unsigned char']], 'Extension' : [ 0x94, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x98, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x9c, ['pointer', ['void']]], 'ConflictCallback' : [ 0xa0, ['pointer', ['void']]], 'PdoDescriptionString' : [ 0xa4, ['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x344, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x5e4, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '_HMAP_TABLE' : [ 0x2000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_WHEA_MEMORY_ERROR' : [ 0x50, { 'ValidationBits' : [ 0x0, ['unsigned long long']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequestorId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 
'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_ALPHA_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '__unnamed_1ab2' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1ab8' : [ 0x14, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPolicyMachineDefault', 1: 'IrqPolicyAllCloseProcessors', 2: 'IrqPolicyOneCloseProcessor', 3: 'IrqPolicyAllProcessorsInMachine', 4: 'IrqPolicySpecifiedProcessors', 5: 'IrqPolicySpreadMessagesAcrossAllProcessors'})]], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long']], } ], '__unnamed_1aba' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1abc' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1abe' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, 
['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1ac0' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1ac2' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1ac4' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1ac6' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1ac8' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1ab2']], 'Memory' : [ 0x0, ['__unnamed_1ab2']], 'Interrupt' : [ 0x0, ['__unnamed_1ab8']], 'Dma' : [ 0x0, ['__unnamed_1aba']], 'Generic' : [ 0x0, ['__unnamed_1ab2']], 'DevicePrivate' : [ 0x0, ['__unnamed_1abc']], 'BusNumber' : [ 0x0, ['__unnamed_1abe']], 'ConfigData' : [ 0x0, ['__unnamed_1ac0']], 'Memory40' : [ 0x0, ['__unnamed_1ac2']], 'Memory48' : [ 0x0, ['__unnamed_1ac4']], 'Memory64' : [ 0x0, ['__unnamed_1ac6']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1ac8']], } ], '_POP_THERMAL_ZONE' : [ 0xd8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x8, ['unsigned char']], 'Flags' : [ 0x9, ['unsigned char']], 'Mode' : [ 0xa, ['unsigned char']], 'PendingMode' : [ 0xb, ['unsigned char']], 'ActivePoint' : [ 0xc, ['unsigned char']], 'PendingActivePoint' : [ 0xd, ['unsigned char']], 'Throttle' : [ 0x10, ['long']], 
'LastTime' : [ 0x18, ['unsigned long long']], 'SampleRate' : [ 0x20, ['unsigned long']], 'LastTemp' : [ 0x24, ['unsigned long']], 'PassiveTimer' : [ 0x28, ['_KTIMER']], 'PassiveDpc' : [ 0x50, ['_KDPC']], 'OverThrottled' : [ 0x70, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0x80, ['pointer', ['_IRP']]], 'Info' : [ 0x84, ['_THERMAL_INFORMATION_EX']], } ], '_MMPTE_LIST' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, { 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_CM_TRANS' : [ 0x68, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x8, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x10, ['_LIST_ENTRY']], 
'KtmTrans' : [ 0x18, ['pointer', ['void']]], 'CmRm' : [ 0x1c, ['pointer', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x20, ['pointer', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x24, ['pointer', ['void']]], 'KtmUow' : [ 0x28, ['_GUID']], 'StartLsn' : [ 0x38, ['unsigned long long']], 'TransState' : [ 0x40, ['unsigned long']], 'HiveCount' : [ 0x44, ['unsigned long']], 'HiveArray' : [ 0x48, ['array', 8, ['pointer', ['_CMHIVE']]]], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x30, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ParseContext' : [ 0x8, ['pointer', ['void']]], 'ProbeMode' : [ 0xc, ['unsigned char']], 'PagedPoolCharge' : [ 0x10, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x1c, ['pointer', ['void']]], 'SecurityQos' : [ 0x20, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x24, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_VF_BTS_DATA_MANAGEMENT_AREA' : [ 0x34, { 'BTSBufferBase' : [ 0x0, ['pointer', ['void']]], 'BTSIndex' : [ 0x4, ['pointer', ['void']]], 'BTSMax' : [ 0x8, ['pointer', ['void']]], 'BTSInterruptThreshold' : [ 0xc, ['pointer', 
['void']]], 'PEBSBufferBase' : [ 0x10, ['pointer', ['void']]], 'PEBSIndex' : [ 0x14, ['pointer', ['void']]], 'PEBSMax' : [ 0x18, ['pointer', ['void']]], 'PEBSInterruptThreshold' : [ 0x1c, ['pointer', ['void']]], 'PEBSCounterReset' : [ 0x20, ['array', 2, ['pointer', ['void']]]], 'Reserved' : [ 0x28, ['array', 12, ['unsigned char']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Cr0NpxState' : [ 0x6c, ['unsigned long']], } ], '_SEP_AUDIT_POLICY' : [ 0x1b, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1a, ['unsigned char']], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x88, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x8, ['array', 32, ['unsigned long']]], } ], '_MBCB' : [ 0x80, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'BitmapRange1' : [ 0x20, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x40, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x60, ['_BITMAP_RANGE']], } ], '__unnamed_1b06' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, 
end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1b06']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], 
'_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x14, { 'StackBase' : [ 0x0, ['unsigned long']], 'StackLimit' : [ 0x4, ['unsigned long']], 'KernelStack' : [ 0x8, ['unsigned long']], 'InitialStack' : [ 0xc, ['unsigned long']], 'ActualLimit' : [ 0x10, ['unsigned long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : 
[ 0x34, ['unsigned long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'MappingCount' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 
'Exchg' : [ 0x0, ['long long']], } ], '_MI_SECTION_CREATION_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_MI_SECTION_CREATION_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['wchar']]], } ], '__unnamed_1b3c' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1b3e' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b3c']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1b40' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1b42' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1b40']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1b3e']], 'u2' : [ 0x4, ['__unnamed_1b42']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 
'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_PF_KERNEL_GLOBALS' : [ 0x40, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0xc, ['_KEVENT']], 'AccessBufferMax' : [ 0x1c, ['unsigned long']], 'AccessBufferList' : [ 0x20, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x28, ['long']], 'Flags' : [ 0x2c, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x30, ['long']], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_MMPTE_SUBSECTION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SubsectionAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SubsectionAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 
'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_EFI_FIRMWARE_INFORMATION' : [ 0x10, { 'FirmwareVersion' : [ 0x0, ['unsigned long']], 'VirtualEfiRuntimeServices' : [ 0x4, ['pointer', ['_VIRTUAL_EFI_RUNTIME_SERVICES']]], 'SetVirtualAddressMapStatus' : [ 0x8, ['long']], 'MissedMappingsCount' : [ 0xc, ['unsigned long']], } ], '__unnamed_1b6d' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b6f' : [ 0xc, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b71' : [ 0xc, { 'Reserved' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b73' : [ 0xc, { 'Raw' : [ 0x0, ['__unnamed_1b71']], 'Translated' : [ 0x0, ['__unnamed_1b6f']], } ], '__unnamed_1b75' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b77' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b79' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b7b' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], 
'__unnamed_1b7d' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b7f' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b81' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_1b6d']], 'Port' : [ 0x0, ['__unnamed_1b6d']], 'Interrupt' : [ 0x0, ['__unnamed_1b6f']], 'MessageInterrupt' : [ 0x0, ['__unnamed_1b73']], 'Memory' : [ 0x0, ['__unnamed_1b6d']], 'Dma' : [ 0x0, ['__unnamed_1b75']], 'DevicePrivate' : [ 0x0, ['__unnamed_1abc']], 'BusNumber' : [ 0x0, ['__unnamed_1b77']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1b79']], 'Memory40' : [ 0x0, ['__unnamed_1b7b']], 'Memory48' : [ 0x0, ['__unnamed_1b7d']], 'Memory64' : [ 0x0, ['__unnamed_1b7f']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1b81']], } ], '__unnamed_1b86' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1b86']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '_KUSER_SHARED_DATA' : [ 0x3b8, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, 
['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', 
dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 8, ['unsigned short']]], 'HeapTracingPid' : [ 0x390, ['array', 2, ['unsigned long']]], 'CritSecTracingPid' : [ 0x398, ['array', 2, ['unsigned long']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'AffinityPad' : [ 0x3a8, ['unsigned long long']], 'ActiveProcessorAffinity' : [ 0x3a8, ['unsigned long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], } ], '__unnamed_1b9a' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_1b9a']], } ], '_CONFIGURATION_COMPONENT_DATA' : [ 0x34, { 'Parent' : [ 0x0, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Child' : [ 0x4, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Sibling' : [ 0x8, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'ComponentEntry' : [ 0xc, ['_CONFIGURATION_COMPONENT']], 'ConfigurationData' : [ 0x30, ['pointer', ['void']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '__unnamed_1ba4' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, 
native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMSUBSECTION_NODE']]], } ], '_MMSUBSECTION_NODE' : [ 0x18, { 'u' : [ 0x0, ['__unnamed_14ca']], 'StartingSector' : [ 0x4, ['unsigned long']], 'NumberOfFullSectors' : [ 0x8, ['unsigned long']], 'u1' : [ 0xc, ['__unnamed_1ba4']], 'LeftChild' : [ 0x10, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x14, ['pointer', ['_MMSUBSECTION_NODE']]], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x50, { 'IdleCount' : [ 0x0, ['long']], 'ConservationIdleTime' : [ 0x4, ['unsigned long']], 'PerformanceIdleTime' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x10, ['_LIST_ENTRY']], 'DeviceType' : [ 0x18, ['unsigned char']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x20, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x28, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x30, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x44, ['_LIST_ENTRY']], 'PreviousIdleCount' : [ 0x4c, ['unsigned long']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, 
['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_KENLISTMENT' : [ 0x168, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x4, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x18, ['_GUID']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NextSameTx' : [ 0x48, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x50, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x58, ['pointer', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0x5c, ['pointer', ['_KTRANSACTION']]], 'State' : [ 0x60, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 
'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentSavepointing', 270: 'KEnlistmentAborting', 271: 'KEnlistmentReadOnly', 272: 'KEnlistmentOutcomeUnavailable', 273: 'KEnlistmentOffline', 274: 'KEnlistmentPrePrepared', 275: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0x64, ['unsigned long']], 'NotificationMask' : [ 0x68, ['unsigned long']], 'Key' : [ 0x6c, ['pointer', ['void']]], 'KeyRefCount' : [ 0x70, ['unsigned long']], 'RecoveryInformation' : [ 0x74, ['pointer', ['void']]], 'RecoveryInformationLength' : [ 0x78, ['unsigned long']], 'DynamicNameInformation' : [ 0x7c, ['pointer', ['void']]], 'DynamicNameInformationLength' : [ 0x80, ['unsigned long']], 'FinalNotification' : [ 0x84, ['pointer', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0x88, ['pointer', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0x8c, ['pointer', ['void']]], 'SubordinateTxHandle' : [ 0x90, ['pointer', ['void']]], 'CrmEnlistmentEnId' : [ 0x94, ['_GUID']], 'CrmEnlistmentTmId' : [ 0xa4, ['_GUID']], 'CrmEnlistmentRmId' : [ 0xb4, ['_GUID']], 'NextHistory' : [ 0xc4, ['unsigned long']], 'History' : [ 0xc8, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x14, ['unsigned char']], 'KernelApcPending' 
: [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_DEVICE_MAP' : [ 0x30, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'ReferenceCount' : [ 0x8, ['unsigned long']], 'DriveMap' : [ 0xc, ['unsigned long']], 'DriveType' : [ 0x10, ['array', 32, ['unsigned char']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_ETW_KERNEL_TRACE_TIMESTAMP' : [ 0x10, { 'KernelTraceTimeStamp' : [ 0x0, ['array', 2, ['_LARGE_INTEGER']]], } ], '_HEAP_DEBUGGING_INFORMATION' : [ 0x1c, { 'InterceptorFunction' : [ 0x0, ['pointer', ['void']]], 'InterceptorValue' 
: [ 0x4, ['unsigned short']], 'ExtendedOptions' : [ 0x8, ['unsigned long']], 'StackTraceDepth' : [ 0xc, ['unsigned long']], 'MinTotalBlockSize' : [ 0x10, ['unsigned long']], 'MaxTotalBlockSize' : [ 0x14, ['unsigned long']], 'HeapLeakEnumerationRoutine' : [ 0x18, ['pointer', ['void']]], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x20, { 'BasePhysicalPage' : [ 0x0, ['unsigned long']], 'BasedPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'BankSize' : [ 0x8, ['unsigned long']], 'BankShift' : [ 0xc, ['unsigned long']], 'BankedRoutine' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'CurrentMappedPte' : [ 0x18, ['pointer', ['_MMPTE']]], 'BankTemplate' : [ 0x1c, ['array', 1, ['_MMPTE']]], } ], '_WHEA_PCIEXPRESS_ERROR' : [ 0xd0, { 'ValidationBits' : [ 0x0, ['unsigned long long']], 'PortType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PciExpressEndpoint', 1: 'PciExpressLegacyEndpoint', 4: 'PciExpressRootPort', 5: 'PciExpressUpstreamSwitchPort', 6: 'PciExpressDownstreamSwitchPort', 7: 'PciExpressToPciXBridge', 8: 'PciXToExpressBridge', 9: 'PciExpressRootComplexIntegratedEndpoint', 10: 'PciExpressRootComplexEventCollector'})]], 'Version' : [ 0xc, ['unsigned long']], 'CommandStatus' : [ 0x10, ['unsigned long']], 'Reserved' : [ 0x14, ['unsigned long']], 'DeviceId' : [ 0x18, ['_PCIE_DEVICE_ID']], 'DeviceSN' : [ 0x28, ['unsigned long long']], 'BridgeCtrlSts' : [ 0x30, ['unsigned long']], 'ExpressCapability' : [ 0x34, ['array', 60, ['unsigned char']]], 'AerInfo' : [ 0x70, ['array', 96, ['unsigned char']]], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 
0x18, ['_HEAP_ENTRY']], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned short']], 'Logging' : [ 0x12, ['unsigned char']], 'Reserved' : [ 0x13, ['unsigned char']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_OBJECT_TYPE' : [ 0x130, { 'Mutex' : [ 0x0, ['_ERESOURCE']], 'TypeList' : [ 0x38, ['_LIST_ENTRY']], 'Name' : [ 0x40, ['_UNICODE_STRING']], 
'DefaultObject' : [ 0x48, ['pointer', ['void']]], 'Index' : [ 0x4c, ['unsigned long']], 'TotalNumberOfObjects' : [ 0x50, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x54, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x58, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x5c, ['unsigned long']], 'TypeInfo' : [ 0x60, ['_OBJECT_TYPE_INITIALIZER']], 'Key' : [ 0xac, ['unsigned long']], 'ObjectLocks' : [ 0xb0, ['array', 32, ['_EX_PUSH_LOCK']]], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x4c, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'PoolType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x24, ['unsigned long']], 
'DefaultNonPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DumpProcedure' : [ 0x2c, ['pointer', ['void']]], 'OpenProcedure' : [ 0x30, ['pointer', ['void']]], 'CloseProcedure' : [ 0x34, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x38, ['pointer', ['void']]], 'ParseProcedure' : [ 0x3c, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x40, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x44, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x48, ['pointer', ['void']]], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x18, { 'StartingVa' : [ 0x0, ['pointer', ['void']]], 'EndingVa' : [ 0x4, ['pointer', ['void']]], 'Parent' : [ 0x8, ['pointer', ['void']]], 'LeftChild' : [ 0xc, ['pointer', ['void']]], 'RightChild' : [ 0x10, ['pointer', ['void']]], 'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['wchar']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x48, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : 
[ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_KDPC' : [ 0x20, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x4, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', ['void']]], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 
0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, ['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_RTL_ATOM_TABLE' : [ 0x44, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x4, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x1c, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x3c, ['unsigned long']], 'Buckets' : [ 0x40, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POP_POWER_ACTION' : [ 0xa0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned 
char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x34, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'DisplayResumeContext' : [ 0x38, ['pointer', ['_POP_DISPLAY_RESUME_CONTEXT']]], 'HiberContext' : [ 0x3c, ['pointer', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x40, ['unsigned long long']], 'SleepTime' : [ 0x48, ['unsigned long long']], 'SystemContext' : [ 0x50, ['_SYSTEM_POWER_STATE_CONTEXT']], 'FilteredCapabilities' : [ 0x54, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' 
: [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x24, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0xc, ['unsigned char']], 'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x14, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x18, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x1c, ['unsigned long']], 'ActiveChild' : [ 0x20, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x4, { 'PageHashes' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1c7e' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_1c80' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 
'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0xc, ['__unnamed_1c7e']], 'Button' : [ 0xc, ['__unnamed_1c80']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentSavepointing', 270: 'KEnlistmentAborting', 271: 'KEnlistmentReadOnly', 272: 'KEnlistmentOutcomeUnavailable', 273: 'KEnlistmentOffline', 274: 'KEnlistmentPrePrepared', 275: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 
'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_LOADER_PARAMETER_EXTENSION' : [ 0x7c, { 'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 'MajorVersion' : [ 0x14, ['unsigned long']], 'MinorVersion' : [ 0x18, ['unsigned long']], 'EmInfFileImage' : [ 0x1c, ['pointer', ['void']]], 'EmInfFileSize' : [ 0x20, ['unsigned long']], 'TriageDumpBlock' : [ 0x24, ['pointer', ['void']]], 'LoaderPagesSpanned' : [ 0x28, ['unsigned long']], 'HeadlessLoaderBlock' : [ 0x2c, ['pointer', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x30, ['pointer', ['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x34, ['pointer', ['void']]], 'DrvDBSize' : [ 0x38, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x3c, ['pointer', ['_NETWORK_LOADER_BLOCK']]], 'HalpIRQLToTPR' : [ 0x40, ['pointer', ['unsigned char']]], 'HalpVectorToIRQL' : [ 0x44, ['pointer', ['unsigned char']]], 'FirmwareDescriptorListHead' : [ 0x48, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x50, ['pointer', ['void']]], 'AcpiTableSize' : [ 0x54, ['unsigned 
long']], 'BootViaWinload' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'LoaderPerformanceData' : [ 0x5c, ['pointer', ['_LOADER_PERFORMANCE_DATA']]], 'BootApplicationPersistentData' : [ 0x60, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0x68, ['pointer', ['void']]], 'BootIdentifier' : [ 0x6c, ['_GUID']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x10, ['pointer', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x294, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 
'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x290, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0x58, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], 'StartAddress' : [ 0x18, ['pointer', ['void']]], 'EndAddress' : [ 0x1c, ['pointer', ['void']]], 'Flags' : [ 0x20, ['unsigned long']], 'Signature' : [ 0x24, ['unsigned long']], 'PoolPageHeaders' : [ 0x28, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x30, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x38, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x3c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PagedBytes' : [ 0x48, ['unsigned long']], 'NonPagedBytes' : [ 0x4c, ['unsigned long']], 'PeakPagedBytes' : [ 0x50, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x54, ['unsigned long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x14, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x10, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 
'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 
'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x10, { 'RefCount' : [ 0x0, ['long']], 'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 
0x8, ['pointer', ['_ETW_REG_ENTRY']]], 'Caller' : [ 0xc, ['pointer', ['void']]], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x40, { 'Address' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0xc, ['array', 13, ['pointer', ['void']]]], } ], '__unnamed_1d17' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1e80, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1d17']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x18, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long']], 'NonPagablePages' : [ 0x24, ['unsigned long']], 'CommittedPages' : [ 0x28, ['unsigned long']], 'PagedPoolStart' : [ 0x2c, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x30, ['pointer', ['void']]], 'SessionObject' : [ 0x34, ['pointer', ['void']]], 'SessionObjectHandle' : [ 0x38, ['pointer', ['void']]], 'ResidentProcessCount' : [ 0x3c, ['long']], 'ImageLoadingCount' : [ 0x40, ['long']], 'SessionPoolAllocationFailures' : [ 0x44, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x54, ['_LIST_ENTRY']], 'LocaleId' : [ 0x5c, ['unsigned long']], 'AttachCount' : [ 0x60, ['unsigned long']], 'AttachEvent' : [ 0x64, ['_KEVENT']], 'WsListEntry' : [ 0x74, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 25, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xd00, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xd38, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xd70, ['_MMSUPPORT']], 'Wsle' : [ 0xdb8, ['pointer', 
['_MMWSLE']]], 'DriverUnload' : [ 0xdbc, ['pointer', ['void']]], 'PagedPool' : [ 0xdc0, ['_POOL_DESCRIPTOR']], 'PageTables' : [ 0x1df4, ['pointer', ['_MMPTE']]], 'SpecialPool' : [ 0x1df8, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1e10, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1e30, ['long']], 'PagedPoolPdeCount' : [ 0x1e34, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1e38, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1e3c, ['unsigned long']], 'SessionPteFreeHead' : [ 0x1e40, ['_MMPTE']], 'SystemPteInfo' : [ 0x1e44, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1e54, ['pointer', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1e58, ['unsigned long']], 'PoolTrackBigPages' : [ 0x1e5c, ['pointer', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1e60, ['unsigned long']], 'SessionPoolPdes' : [ 0x1e64, ['_RTL_BITMAP']], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, ['pointer', ['_EPROCESS']]], 'HandleCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 
'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, 
native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x38, { 'Mutex' : [ 0x0, ['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x20, ['_RTL_BITMAP']], 
'FirstPteForPagedPool' : [ 0x28, ['pointer', ['_MMPTE']]], 'PagedPoolHint' : [ 0x2c, ['unsigned long']], 'PagedPoolCommit' : [ 0x30, ['unsigned long']], 'AllocatedPagedPool' : [ 0x34, ['unsigned long']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_WHEA_GENERIC_PROCESSOR_ERROR' : [ 0xc0, { 'ValidBits' : [ 0x0, ['unsigned long long']], 'ProcessorType' : [ 0x8, ['unsigned char']], 'InstructionSet' : [ 0x9, ['unsigned char']], 'ErrorType' : [ 0xa, ['unsigned char']], 'Operation' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned char']], 'Level' : [ 0xd, ['unsigned char']], 'Reserved' : [ 0xe, ['unsigned short']], 'CPUVersion' : [ 0x10, ['unsigned long long']], 'CPUBrandString' : [ 0x18, ['array', 128, ['unsigned char']]], 'ProcessorId' : [ 0x98, ['unsigned long long']], 'TargetAddress' : [ 0xa0, ['unsigned long long']], 'RequestorId' : [ 0xa8, ['unsigned long long']], 'ResponderId' : [ 0xb0, ['unsigned long long']], 'InstructionPointer' : [ 0xb8, ['unsigned long long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, 
['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_FXSAVE_FORMAT' : [ 0x208, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned short']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned long']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned long']], 'MXCsr' : [ 0x18, ['unsigned long']], 'MXCsrMask' : [ 0x1c, ['unsigned long']], 'RegisterArea' : [ 0x20, ['array', 128, ['unsigned char']]], 'Reserved3' : [ 0xa0, ['array', 128, ['unsigned char']]], 'Reserved4' : [ 0x120, ['array', 224, ['unsigned char']]], 'Align16Byte' : [ 0x200, ['array', 8, ['unsigned char']]], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x18, { 'PteBase' : [ 0x0, ['pointer', ['_MMPTE']]], 'FreePteHead' : [ 0x4, ['_MMPTE']], 'FreePteTail' : [ 0x8, ['_MMPTE']], 'PagesInUse' : [ 0xc, ['long']], 'SpecialPoolPdes' : [ 0x10, ['_RTL_BITMAP']], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, 
['_KMUTANT']], 'Lock' : [ 0x24, ['_KGUARDED_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_OBJECT_DIRECTORY' : [ 0xa8, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'SessionId' : [ 0x9c, ['unsigned long']], 'NamespaceEntry' : [ 0xa0, ['pointer', ['void']]], 'Flags' : [ 0xa4, ['unsigned long']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x10, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x8, ['_PO_IRP_QUEUE']], } ], '_KDPC_DATA' : [ 0x14, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['long']], 'DpcCount' : [ 0x10, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_WORKITEM' : [ 0x10, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1d8f' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1d91' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, 
['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_1d8f']], 'Merged' : [ 0x10, ['__unnamed_1d91']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '__unnamed_1d96' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_1d96']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x8, ['pointer', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_14ca']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], 'u1' : [ 0x20, ['__unnamed_1ba4']], 'LeftChild' : [ 0x24, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x28, ['pointer', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x2c, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x34, ['unsigned long']], } 
], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x2c, { 'GetTime' : [ 0x0, ['unsigned long']], 'SetTime' : [ 0x4, ['unsigned long']], 'GetWakeupTime' : [ 0x8, ['unsigned long']], 'SetWakeupTime' : [ 0xc, ['unsigned long']], 'SetVirtualAddressMap' : [ 0x10, ['unsigned long']], 'ConvertPointer' : [ 0x14, ['unsigned long']], 'GetVariable' : [ 0x18, ['unsigned long']], 'GetNextVariableName' : [ 0x1c, ['unsigned long']], 'SetVariable' : [ 0x20, ['unsigned long']], 'GetNextHighMonotonicCount' : [ 0x24, ['unsigned long']], 'ResetSystem' : [ 0x28, ['unsigned long']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 0x12, ['array', 3, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', 
choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_WNODE_HEADER' : [ 0x30, { 'BufferSize' : [ 0x0, ['unsigned long']], 'ProviderId' : [ 0x4, ['unsigned long']], 'HistoricalContext' : [ 0x8, ['unsigned long long']], 'Version' : [ 0x8, ['unsigned long']], 'Linkage' : [ 0xc, ['unsigned long']], 'CountLost' : [ 0x10, ['unsigned long']], 'KernelHandle' : [ 0x10, ['pointer', ['void']]], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], } ], '__unnamed_1dac' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 
0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_1db0' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'NonExtendedPtes' : [ 0x8, ['unsigned long']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'SegmentFlags' : [ 0x20, ['_SEGMENT_FLAGS']], 'u1' : [ 0x24, ['__unnamed_1dac']], 'u2' : [ 0x28, ['__unnamed_1db0']], 'PrototypePte' : [ 0x2c, ['pointer', ['_MMPTE']]], 'ThePtes' : [ 0x30, ['array', 1, ['_MMPTE']]], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long']], 'PrivateLinks' : [ 0x4c, ['_LIST_ENTRY']], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 
'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_RTL_HANDLE_TABLE' : [ 0x20, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x14, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x18, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x1c, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_MMPFNLIST' : [ 0x10, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], } ], '_DEVOBJ_EXTENSION' : [ 0x2c, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 
'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_WHEA_PCIX_BUS_VALIDATION_BITS' : [ 0x8, { 'ErrorStatusValid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ErrorTypeValid' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'BusIdValid' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'BusAddressValid' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'BusDataValid' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'CommandValid' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'RequestorIdValid' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'CompleterIdValid' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'TargetIdValid' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, 
native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 64, native_type='unsigned long long')]], } ], '_HMAP_ENTRY' : [ 0x10, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'CmView' : [ 0x8, ['pointer', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0xc, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x10, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'ReferenceCount' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'NameLength' : [ 0xb, ['unsigned char']], 'Name' : [ 0xc, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x4, ['pointer', ['void']]], } ], '_LOADER_PERFORMANCE_DATA' : [ 0x10, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_MMSESSION' : [ 0x38, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewTable' : [ 0x24, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x28, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x30, ['unsigned long']], 'BitmapFailures' : [ 0x34, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x2c, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x8, ['pointer', ['_ETW_GUID_ENTRY']]], 'Index' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned short']], 'EnableMask' : [ 0x10, ['unsigned char']], 'ReplyQueue' : [ 0x14, ['pointer', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x14, ['array', 4, 
['pointer', ['_ETW_REG_ENTRY']]]], 'Process' : [ 0x24, ['pointer', ['_EPROCESS']]], 'Callback' : [ 0x24, ['pointer', ['void']]], 'CallbackContext' : [ 0x28, ['pointer', ['void']]], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 
'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_KNODE' : [ 0x80, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x8, ['array', 3, ['_SLIST_HEADER']]], 'PfnDereferenceSListHead' : [ 0x20, ['_SLIST_HEADER']], 'ProcessorMask' : [ 0x28, ['unsigned long']], 'Color' : [ 0x2c, ['unsigned char']], 'Seed' : [ 0x2d, ['unsigned char']], 'NodeNumber' : [ 0x2e, ['unsigned char']], 'Flags' : [ 0x2f, ['_flags']], 'MmShiftedColor' : [ 0x30, ['unsigned long']], 'FreeCount' : [ 0x34, ['array', 2, ['unsigned long']]], 'PfnDeferredList' : [ 0x3c, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'CachedKernelStacks' : [ 0x40, ['_CACHED_KSTACK_LIST']], } ], '_CACHED_KSTACK_LIST' : [ 0x18, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x8, ['long']], 'Misses' : [ 0xc, ['unsigned long']], 'MissesLast' : [ 0x10, ['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x188, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'AbortEvent' : [ 0x10, ['pointer', ['_KEVENT']]], 'ReadySemaphore' : [ 0x14, ['pointer', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x18, ['pointer', 
['_KSEMAPHORE']]], 'GetNewDeviceList' : [ 0x1c, ['unsigned char']], 'Order' : [ 0x20, ['_PO_DEVICE_NOTIFY_ORDER']], 'NotifyGdiLevelForPowerOn' : [ 0x168, ['long']], 'NotifyGdiLevelForResumeUI' : [ 0x16c, ['long']], 'Pending' : [ 0x170, ['_LIST_ENTRY']], 'Status' : [ 0x178, ['long']], 'FailedDevice' : [ 0x17c, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x180, ['unsigned char']], 'Cancelled' : [ 0x181, ['unsigned char']], 'IgnoreErrors' : [ 0x182, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x183, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x184, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 22, native_type='unsigned long')]], 'ContainsPxeSubsection' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 32, native_type='unsigned long')]], } ], '_EX_WORK_QUEUE' : [ 0x3c, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x28, ['unsigned long']], 'WorkItemsProcessed' : [ 0x2c, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 
0x30, ['unsigned long']], 'QueueDepthLastPass' : [ 0x34, ['unsigned long']], 'Info' : [ 0x38, ['EX_QUEUE_WORKER_INFO']], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0xc, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x1c, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], } ], '_KRESOURCEMANAGER' : [ 0x154, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'State' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x1c, ['_KMUTANT']], 'NamespaceLink' : [ 0x3c, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x50, ['_GUID']], 'NotificationQueue' : [ 0x60, ['_KQUEUE']], 'NotificationMutex' : [ 0x88, ['_KMUTANT']], 'EnlistmentHead' : [ 0xa8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xb0, ['unsigned long']], 'NotificationRoutine' : [ 0xb4, ['pointer', ['void']]], 'Key' : [ 0xb8, ['pointer', ['void']]], 'ProtocolListHead' : [ 0xbc, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0xc4, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0xcc, ['_LIST_ENTRY']], 'Tm' : [ 0xd4, ['pointer', ['_KTM']]], 'Description' : [ 0xd8, ['_UNICODE_STRING']], 'Enlistments' : [ 0xe0, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x140, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, 
['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x70, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'OptionChanges' : [ 0x68, ['unsigned long']], 'VerifyMode' : [ 0x6c, ['unsigned long']], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x40e0, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer', ['_LIST_ENTRY']]], 
'ResourceDatabaseCount' : [ 0x14, ['unsigned long']], 'ResourceAddressRange' : [ 0x18, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x2010, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x2014, ['unsigned long']], 'ThreadAddressRange' : [ 0x2018, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x4010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x4014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x4018, ['unsigned long']], 'NodesSearched' : [ 0x401c, ['unsigned long']], 'MaxNodesSearched' : [ 0x4020, ['unsigned long']], 'SequenceNumber' : [ 0x4024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x402c, ['unsigned long']], 'DepthLimitHits' : [ 0x4030, ['unsigned long']], 'SearchLimitHits' : [ 0x4034, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x4038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x403c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x4040, ['unsigned long']], 'TotalReleases' : [ 0x4044, ['unsigned long']], 'RootNodesDeleted' : [ 0x4048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x404c, ['unsigned long']], 'Instigator' : [ 0x4050, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0x4054, ['unsigned long']], 'Participant' : [ 0x4058, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'CacheReductionInProgress' : [ 0x40d8, ['unsigned long']], } ], '_POP_DISPLAY_RESUME_CONTEXT' : [ 0x50, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkerThread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'PrepareUIEvent' : [ 0x14, ['_KEVENT']], 'PowerOnEvent' : [ 0x24, ['_KEVENT']], 'DoneEvent' : [ 0x34, ['_KEVENT']], 'WorkerQueued' : [ 0x44, ['unsigned long']], 'WorkerAbort' : [ 0x48, ['unsigned long']], 'NoResumeUI' : [ 0x4c, ['unsigned long']], } ], '_KTM' : [ 0x210, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x4, ['_KMUTANT']], 'State' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 
'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x28, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x3c, ['_GUID']], 'Flags' : [ 0x4c, ['unsigned long']], 'VolatileFlags' : [ 0x50, ['unsigned long']], 'LogFileName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x5c, ['pointer', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0x60, ['pointer', ['void']]], 'LogManagementContext' : [ 0x64, ['pointer', ['void']]], 'Transactions' : [ 0x68, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0xc8, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x128, ['_KMUTANT']], 'LsnOrderedList' : [ 0x148, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x150, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x158, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x178, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x180, ['_CLS_LSN']], 'TmRmHandle' : [ 0x188, ['pointer', ['void']]], 'TmRm' : [ 0x18c, ['pointer', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x190, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x1a0, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x1b0, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x1b8, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x1c8, ['_ERESOURCE']], 'LogFlags' : [ 0x200, ['unsigned long']], 'LogFullStatus' : [ 0x204, ['long']], 'RecoveryStatus' : [ 0x208, ['long']], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 
'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'Data' : [ 0x20, ['_PLUGPLAY_EVENT_BLOCK']], } ], '__unnamed_1e42' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_1e42']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '_CONFIGURATION_COMPONENT' : [ 0x24, { 'Class' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 'MemoryClass', 7: 'MaximumClass'})]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 14: 'TapeController', 15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 
'AudioController', 24: 'OtherController', 25: 'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29: 'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]], 'Flags' : [ 0x8, ['_DEVICE_FLAGS']], 'Version' : [ 0xc, ['unsigned short']], 'Revision' : [ 0xe, ['unsigned short']], 'Key' : [ 0x10, ['unsigned long']], 'AffinityMask' : [ 0x14, ['unsigned long']], 'ConfigurationDataLength' : [ 0x18, ['unsigned long']], 'IdentifierLength' : [ 0x1c, ['unsigned long']], 'Identifier' : [ 0x20, ['pointer', ['unsigned char']]], } ], '_VF_BTS_RECORD' : [ 0xc, { 'JumpedFrom' : [ 0x0, ['pointer', ['void']]], 'JumpedTo' : [ 0x4, ['pointer', ['void']]], 'Unused1' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Predicted' : [ 0x8, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Unused2' : [ 0x8, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_KTRANSACTION' : [ 0x1a8, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'Mutex' : [ 0x14, ['_KMUTANT']], 'TreeTx' : [ 0x34, ['pointer', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x38, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x4c, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0x60, ['_GUID']], 'State' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionSavepointing', 
12: 'KTransactionPrePrepared'})]], 'Flags' : [ 0x74, ['unsigned long']], 'EnlistmentHead' : [ 0x78, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x80, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0x84, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0x88, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0x8c, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0x90, ['unsigned long']], 'PendingResponses' : [ 0x94, ['unsigned long']], 'SuperiorEnlistment' : [ 0x98, ['pointer', ['_KENLISTMENT']]], 'LastLsn' : [ 0xa0, ['_CLS_LSN']], 'PromotedEntry' : [ 0xa8, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0xb0, ['pointer', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0xb4, ['pointer', ['void']]], 'IsolationLevel' : [ 0xb8, ['unsigned long']], 'IsolationFlags' : [ 0xbc, ['unsigned long']], 'Timeout' : [ 0xc0, ['_LARGE_INTEGER']], 'Description' : [ 0xc8, ['_UNICODE_STRING']], 'RollbackThread' : [ 0xd0, ['pointer', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0xd4, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0xe4, ['_KDPC']], 'RollbackTimer' : [ 0x108, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x130, ['_LIST_ENTRY']], 'Outcome' : [ 0x138, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'NextSavepoint' : [ 0x13c, ['unsigned long']], 'Tm' : [ 0x140, ['pointer', ['_KTM']]], 'CommitReservation' : [ 0x148, ['long long']], 'TransactionHistory' : [ 0x150, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x1a0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, 
['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x38, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x8, ['pointer', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0xc, ['pointer', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x1c, ['pointer', ['_CM_TRANS']]], 'UoWState' : [ 0x20, ['unsigned long']], 'ActionType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x30, ['unsigned long']], 'OldValueCell' : [ 0x30, ['unsigned long']], 'NewValueCell' : [ 0x34, ['unsigned long']], 'UserFlags' : [ 0x30, ['unsigned long']], 'LastWriteTime' : [ 0x30, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x30, ['unsigned long']], 'OldChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x34, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x34, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x2c, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'RealRefCount' : [ 0x14, ['unsigned long']], 'Descriptor' : [ 0x18, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['wchar']]], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 12, native_type='unsigned long')]], } ], '_PO_IRP_QUEUE' : [ 0x8, { 'CurrentIrp' : [ 0x0, ['pointer', ['_IRP']]], 'PendingIrpList' : [ 0x4, ['pointer', ['_IRP']]], } ], '__unnamed_1e7a' : [ 
0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0x68, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x24, ['__unnamed_1e7a']], 'StackTrace' : [ 0x28, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x48, ['array', 8, ['pointer', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0x60, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x38, ['_KMUTANT']], 'LinksOffset' : [ 0x58, ['unsigned short']], 'GuidOffset' : [ 0x5a, ['unsigned short']], 'Expired' : [ 0x5c, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, 
['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x10, ['_UNICODE_STRING']], 'LinkTargetObject' : [ 0x18, ['pointer', ['void']]], 'DosDeviceDriveIndex' : [ 0x1c, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x14, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x8, ['pointer', ['void']]], 'Key' : [ 0xc, ['unsigned long']], 'BindingProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x2c, ['array', 3, ['unsigned long']]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long 
long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 46, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 46, end_bit = 48, native_type='unsigned long long')]], 'Signature' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x34, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x30, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_PCIE_DEVICE_ID' : [ 0x10, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'ClassCode' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'FunctionNumber' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'DeviceNumber' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Segment' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 24, native_type='unsigned long')]], 'PrimaryBusNumber' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'SecondaryBusNumber' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 10, native_type='unsigned long')]], 'SlotNumber' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 24, native_type='unsigned long')]], 'Reserved2' : [ 0xc, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_HEAP_USERDATA_HEADER' : [ 0x10, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer', ['_HEAP_SUBSEGMENT']]], 'Reserved' : [ 0x4, ['pointer', ['void']]], 'SizeIndex' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, 
['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_WHEA_PCIX_DEV_VALIDATION_BITS' : [ 0x8, { 'ErrorStatusValid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'IdInfoValid' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'MemoryNumberValid' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'IoNumberValid' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'RegisterDataPairValid' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 64, native_type='unsigned long long')]], } ], '_DEFERRED_WRITE' : [ 0x28, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], 'LimitModifiedPages' : [ 0x24, ['unsigned char']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 
'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'ImageFlags' : [ 0x23, ['unsigned char']], 'ComPlusNativeReady' : [ 0x23, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x23, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x23, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x23, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'CheckSum' : [ 0x2c, ['unsigned long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1a, { 'PerUserPolicy' : [ 0x0, ['array', 26, ['unsigned char']]], } ], '__unnamed_1eca' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_1ecc' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_1ed0' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_1ed4' : [ 0x8, { 
'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x4, ['unsigned char']], } ], '__unnamed_1ed6' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_1eca']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_1ecc']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_1ed0']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_1ed4']], 'Others' : [ 0x0, ['__unnamed_1ed6']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, ['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_POP_HIBER_CONTEXT' : [ 0xf8, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'WroteHiberFile' : [ 0x6, ['unsigned char']], 'Lock' : [ 0x8, 
['unsigned long']], 'MapFrozen' : [ 0xc, ['unsigned char']], 'MemoryMap' : [ 0x10, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x18, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x20, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x28, ['unsigned long']], 'NextCloneRange' : [ 0x2c, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x30, ['unsigned long']], 'LoaderMdl' : [ 0x34, ['pointer', ['_MDL']]], 'AllocatedMdl' : [ 0x38, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x40, ['unsigned long long']], 'IoPages' : [ 0x48, ['pointer', ['void']]], 'CurrentMcb' : [ 0x4c, ['pointer', ['void']]], 'DumpStack' : [ 0x50, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x54, ['pointer', ['_KPROCESSOR_STATE']]], 'HiberVa' : [ 0x58, ['unsigned long']], 'HiberPte' : [ 0x60, ['_LARGE_INTEGER']], 'Status' : [ 0x68, ['long']], 'MemoryImage' : [ 0x6c, ['pointer', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0x70, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'CompressionWorkspace' : [ 0x74, ['pointer', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0x78, ['pointer', ['unsigned char']]], 'PerformanceStats' : [ 0x7c, ['pointer', ['unsigned long']]], 'CompressionBlock' : [ 0x80, ['pointer', ['void']]], 'DmaIO' : [ 0x84, ['pointer', ['void']]], 'TemporaryHeap' : [ 0x88, ['pointer', ['void']]], 'PerfInfo' : [ 0x90, ['_PO_HIBER_PERF']], 'BootLoaderLogMdl' : [ 0xf0, ['pointer', ['_MDL']]], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_DUMP_STACK_CONTEXT' : [ 0xb0, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x70, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x78, ['pointer', ['void']]], 'PointersLength' : [ 0x7c, ['unsigned long']], 'ModulePrefix' : [ 0x80, ['pointer', ['unsigned short']]], 'DriverList' : [ 0x84, ['_LIST_ENTRY']], 'InitMsg' : [ 0x8c, ['_STRING']], 'ProgMsg' : [ 0x94, ['_STRING']], 'DoneMsg' : [ 0x9c, ['_STRING']], 'FileObject' : [ 0xa4, ['pointer', ['void']]], 'UsageType' : [ 0xa8, ['Enumeration', dict(target = 'long', 
choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x14, { 'Code' : [ 0x0, ['unsigned long']], 'Parameter1' : [ 0x4, ['unsigned long']], 'Parameter2' : [ 0x8, ['unsigned long']], 'Parameter3' : [ 0xc, ['unsigned long']], 'Parameter4' : [ 0x10, ['unsigned long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x4, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '__unnamed_1efb' : [ 0x10, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_1efb']], } ], '__unnamed_1eff' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_1eff']], 
'ullOffset' : [ 0x0, ['unsigned long long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0xe0, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'SystemTime' : [ 0x18, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x20, ['unsigned long long']], 'FeatureFlags' : [ 0x28, ['unsigned long']], 'HiberFlags' : [ 0x2c, ['unsigned char']], 'spare' : [ 0x2d, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x30, ['unsigned long']], 'HiberVa' : [ 0x34, ['unsigned long']], 'HiberPte' : [ 0x38, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x40, ['unsigned long']], 'FreeMapCheck' : [ 0x44, ['unsigned long']], 'WakeCheck' : [ 0x48, ['unsigned long']], 'TotalPages' : [ 0x4c, ['unsigned long']], 'FirstTablePage' : [ 0x50, ['unsigned long']], 'LastFilePage' : [ 0x54, ['unsigned long']], 'PerfInfo' : [ 0x58, ['_PO_HIBER_PERF']], 'NoBootLoaderLogPages' : [ 0xb8, ['unsigned long']], 'BootLoaderLogPages' : [ 0xbc, ['array', 8, ['unsigned long']]], 'TotalPhysicalMemoryCount' : [ 0xdc, ['unsigned long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, 
native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x60, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], 'ResumeAppStartTime' : [ 0x48, ['unsigned long long']], 'ResumeAppEndTime' : [ 0x50, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x58, ['unsigned long long']], } ], '_DEVICE_FLAGS' : [ 0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ConsoleIn' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x10, { 'Parent' : [ 0x0, ['pointer', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x8, ['pointer', 
['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0xc, ['unsigned char']], 'Reserved' : [ 0xd, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' : [ 0x8, { 'Entry' : [ 0x0, ['unsigned long']], 'Writable' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ControlArea' : [ 0x4, ['pointer', ['_CONTROL_AREA']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x1c, ['unsigned short']], 'SpareUSHORT' : [ 0x1e, ['unsigned short']], } ], '__unnamed_1f1c' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_1f1e' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1f20' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1f22' : [ 
0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceIds' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1f24' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1f26' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1f28' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1f2a' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_1f2c' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1f2e' : [ 0x1c, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'PowerSettingChanged' : [ 0x10, ['unsigned char']], 'DataLength' : [ 0x14, ['unsigned long']], 'Data' : [ 0x18, ['array', 1, ['unsigned char']]], } ], '__unnamed_1f30' : [ 0x1c, { 'DeviceClass' : [ 0x0, ['__unnamed_1f1c']], 'TargetDevice' : [ 0x0, ['__unnamed_1f1e']], 'InstallDevice' : [ 0x0, ['__unnamed_1f20']], 'CustomNotification' : [ 0x0, ['__unnamed_1f22']], 'ProfileNotification' : [ 0x0, ['__unnamed_1f24']], 'PowerNotification' : [ 0x0, ['__unnamed_1f26']], 'VetoNotification' : [ 0x0, ['__unnamed_1f28']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_1f2a']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_1f2c']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_1f2e']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x40, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 
'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'InvalidIDEvent', 10: 'PowerSettingChange', 11: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_1f30']], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x34, { 'UsedBiosSettings' : [ 0x0, ['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0xc, ['pointer', ['unsigned char']]], 'PciDeviceId' : [ 0x10, ['unsigned short']], 'PciVendorId' : [ 0x12, ['unsigned short']], 'PciBusNumber' : [ 0x14, ['unsigned char']], 'PciBusSegment' : [ 0x16, ['unsigned short']], 'PciSlotNumber' : [ 0x18, ['unsigned char']], 'PciFunctionNumber' : [ 0x19, ['unsigned char']], 'PciFlags' : [ 0x1c, ['unsigned long']], 'SystemGUID' : [ 0x20, ['_GUID']], 'IsMMIODevice' : [ 0x30, ['unsigned char']], 'TerminalType' : [ 0x31, ['unsigned char']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0xc, ['_LIST_ENTRY']], } ], '_PO_MEMORY_RANGE_ARRAY' : [ 0x10, { 'Range' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_RANGE']], 'Link' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], } ], '__unnamed_1f47' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_1f49' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_1f4b' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_1f47']], 'Gpt' : [ 0x0, ['__unnamed_1f49']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x70, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4,
['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_1f4b']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x10, { 'FirstFreePte' : [ 0x0, ['pointer', ['_MMPTE']]], 'FailureCount' : [ 0x4, ['pointer', ['unsigned long']]], 'GlobalMutex' : [ 0x8, ['pointer', ['_KGUARDED_MUTEX']]], 'TbFlushTimeStamp' : [ 0xc, ['unsigned long']], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x10, { 'DHCPServerACK' : [ 0x0, ['pointer', ['unsigned char']]], 'DHCPServerACKLength' : [ 0x4, ['unsigned long']], 'BootServerReplyPacket' : [ 0x8, ['pointer', ['unsigned char']]], 'BootServerReplyPacketLength' : [ 0xc, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x148, { 'Locked' : [ 0x0,
['unsigned char']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x10, { 'PageNo' : [ 0x0, ['unsigned long']], 'StartPage' : [ 0x4, ['unsigned long']], 'EndPage' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x28, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x10, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x18, ['_LIST_ENTRY']], 'WaitS0' : [ 0x20, ['_LIST_ENTRY']], } ], '_VI_DEADLOCK_ADDRESS_RANGE' : [ 0x8, { 'Start' : [ 0x0, ['pointer', ['unsigned char']]], 'End' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'NextTable' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'EntryCount' : [ 0xc, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_ETW_REPLY_QUEUE' : [ 0x2c, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x28, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x4, { 'AllocatedResources' : [ 
0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Reserved' : [ 0x3c, ['array', 6, ['unsigned long']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x10, ['pointer', ['void']]], 'WhichOrderedElement' : [ 0x14, ['unsigned long']], 'NumberGenericTableElements' : [ 0x18, ['unsigned long']], 'DepthOfTree' : [ 0x1c, ['unsigned long']], 'RestartKey' : [ 0x20, ['pointer', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x24, ['unsigned long']], 'CompareRoutine' : [ 0x28, ['pointer', ['void']]], 'AllocateRoutine' : [ 0x2c, ['pointer', ['void']]], 'FreeRoutine' : [ 0x30, ['pointer', ['void']]], 'TableContext' : [ 0x34, ['pointer', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 
'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], }

# volatility-2.3.1/volatility/plugins/overlays/windows/win2003_sp2_x86_vtypes.py
ntkrnlmp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '__unnamed_100d' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_100d']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '__unnamed_101e' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_101e']], 'QuadPart' : [ 0x0, ['long long']], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_KPRCB' : [ 0xec0, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'Number' : [ 0x10, ['unsigned char']], 'Reserved' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 
'SetMember' : [ 0x14, ['unsigned long']], 'CpuType' : [ 0x18, ['unsigned char']], 'CpuID' : [ 0x19, ['unsigned char']], 'CpuStep' : [ 0x1a, ['unsigned short']], 'ProcessorState' : [ 0x1c, ['_KPROCESSOR_STATE']], 'KernelReserved' : [ 0x33c, ['array', 16, ['unsigned long']]], 'HalReserved' : [ 0x37c, ['array', 16, ['unsigned long']]], 'PrcbPad0' : [ 0x3bc, ['array', 92, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 33, ['_KSPIN_LOCK_QUEUE']]], 'NpxThread' : [ 0x520, ['pointer', ['_KTHREAD']]], 'InterruptCount' : [ 0x524, ['unsigned long']], 'KernelTime' : [ 0x528, ['unsigned long']], 'UserTime' : [ 0x52c, ['unsigned long']], 'DpcTime' : [ 0x530, ['unsigned long']], 'DebugDpcTime' : [ 0x534, ['unsigned long']], 'InterruptTime' : [ 0x538, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x53c, ['unsigned long']], 'PageColor' : [ 0x540, ['unsigned long']], 'SkipTick' : [ 0x544, ['unsigned char']], 'DebuggerSavedIRQL' : [ 0x545, ['unsigned char']], 'NodeColor' : [ 0x546, ['unsigned char']], 'Spare1' : [ 0x547, ['unsigned char']], 'NodeShiftedColor' : [ 0x548, ['unsigned long']], 'ParentNode' : [ 0x54c, ['pointer', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x550, ['unsigned long']], 'MultiThreadSetMaster' : [ 0x554, ['pointer', ['_KPRCB']]], 'SecondaryColorMask' : [ 0x558, ['unsigned long']], 'Sleeping' : [ 0x55c, ['long']], 'CcFastReadNoWait' : [ 0x560, ['unsigned long']], 'CcFastReadWait' : [ 0x564, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x568, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x56c, ['unsigned long']], 'CcCopyReadWait' : [ 0x570, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x574, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x578, ['unsigned long']], 'SpareCounter0' : [ 0x57c, ['unsigned long']], 'KeDcacheFlushCount' : [ 0x580, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x584, ['unsigned long']], 'KeFirstLevelTbFills' : [ 0x588, ['unsigned long']], 'KeFloatingEmulationCount' : [ 0x58c, ['unsigned long']], 'KeIcacheFlushCount' : [ 
0x590, ['unsigned long']], 'KeSecondLevelTbFills' : [ 0x594, ['unsigned long']], 'KeSystemCalls' : [ 0x598, ['unsigned long']], 'IoReadOperationCount' : [ 0x59c, ['long']], 'IoWriteOperationCount' : [ 0x5a0, ['long']], 'IoOtherOperationCount' : [ 0x5a4, ['long']], 'IoReadTransferCount' : [ 0x5a8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x5b0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x5b8, ['_LARGE_INTEGER']], 'SpareCounter1' : [ 0x5c0, ['array', 8, ['unsigned long']]], 'PPLookasideList' : [ 0x5e0, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x660, ['array', 32, ['_PP_LOOKASIDE_LIST']]], 'PPPagedLookasideList' : [ 0x760, ['array', 32, ['_PP_LOOKASIDE_LIST']]], 'PacketBarrier' : [ 0x860, ['unsigned long']], 'ReverseStall' : [ 0x864, ['unsigned long']], 'IpiFrame' : [ 0x868, ['pointer', ['void']]], 'PrcbPad2' : [ 0x86c, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x8a0, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x8ac, ['unsigned long']], 'WorkerRoutine' : [ 0x8b0, ['pointer', ['void']]], 'IpiFrozen' : [ 0x8b4, ['unsigned long']], 'PrcbPad3' : [ 0x8b8, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x8e0, ['unsigned long']], 'SignalDone' : [ 0x8e4, ['pointer', ['_KPRCB']]], 'PrcbPad4' : [ 0x8e8, ['array', 56, ['unsigned char']]], 'DpcData' : [ 0x920, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x948, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x94c, ['unsigned long']], 'DpcRequestRate' : [ 0x950, ['unsigned long']], 'MinimumDpcRate' : [ 0x954, ['unsigned long']], 'DpcInterruptRequested' : [ 0x958, ['unsigned char']], 'DpcThreadRequested' : [ 0x959, ['unsigned char']], 'DpcRoutineActive' : [ 0x95a, ['unsigned char']], 'DpcThreadActive' : [ 0x95b, ['unsigned char']], 'PrcbLock' : [ 0x95c, ['unsigned long']], 'DpcLastCount' : [ 0x960, ['unsigned long']], 'TimerHand' : [ 0x964, ['unsigned long']], 'TimerRequest' : [ 0x968, ['unsigned long']], 'DpcThread' : [ 0x96c, ['pointer', ['void']]], 
'DpcEvent' : [ 0x970, ['_KEVENT']], 'ThreadDpcEnable' : [ 0x980, ['unsigned char']], 'QuantumEnd' : [ 0x981, ['unsigned char']], 'PrcbPad50' : [ 0x982, ['unsigned char']], 'IdleSchedule' : [ 0x983, ['unsigned char']], 'DpcSetEventRequest' : [ 0x984, ['long']], 'PrcbPad5' : [ 0x988, ['array', 18, ['unsigned char']]], 'TickOffset' : [ 0x99c, ['long']], 'CallDpc' : [ 0x9a0, ['_KDPC']], 'PrcbPad7' : [ 0x9c0, ['array', 8, ['unsigned long']]], 'WaitListHead' : [ 0x9e0, ['_LIST_ENTRY']], 'ReadySummary' : [ 0x9e8, ['unsigned long']], 'QueueIndex' : [ 0x9ec, ['unsigned long']], 'DispatcherReadyListHead' : [ 0x9f0, ['array', 32, ['_LIST_ENTRY']]], 'DeferredReadyListHead' : [ 0xaf0, ['_SINGLE_LIST_ENTRY']], 'PrcbPad72' : [ 0xaf4, ['array', 11, ['unsigned long']]], 'ChainedInterruptList' : [ 0xb20, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0xb24, ['long']], 'MmPageFaultCount' : [ 0xb28, ['long']], 'MmCopyOnWriteCount' : [ 0xb2c, ['long']], 'MmTransitionCount' : [ 0xb30, ['long']], 'MmCacheTransitionCount' : [ 0xb34, ['long']], 'MmDemandZeroCount' : [ 0xb38, ['long']], 'MmPageReadCount' : [ 0xb3c, ['long']], 'MmPageReadIoCount' : [ 0xb40, ['long']], 'MmCacheReadCount' : [ 0xb44, ['long']], 'MmCacheIoCount' : [ 0xb48, ['long']], 'MmDirtyPagesWriteCount' : [ 0xb4c, ['long']], 'MmDirtyWriteIoCount' : [ 0xb50, ['long']], 'MmMappedPagesWriteCount' : [ 0xb54, ['long']], 'MmMappedWriteIoCount' : [ 0xb58, ['long']], 'SpareFields0' : [ 0xb5c, ['array', 1, ['unsigned long']]], 'VendorString' : [ 0xb60, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0xb6d, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0xb6e, ['unsigned char']], 'MHz' : [ 0xb70, ['unsigned long']], 'FeatureBits' : [ 0xb74, ['unsigned long']], 'UpdateSignature' : [ 0xb78, ['_LARGE_INTEGER']], 'IsrTime' : [ 0xb80, ['unsigned long long']], 'SpareField1' : [ 0xb88, ['unsigned long long']], 'NpxSaveArea' : [ 0xb90, ['_FX_SAVE_AREA']], 'PowerState' : [ 0xda0, ['_PROCESSOR_POWER_STATE']], } ], 
'_KPCR' : [ 0xfe0, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'PerfGlobalGroupMask' : [ 0x8, ['pointer', ['void']]], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, 
['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_KDPC' : [ 0x20, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned char']], 'Expedite' : [ 0x3, ['unsigned char']], 'DpcListEntry' : [ 0x4, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', ['void']]], } ], '_KTHREAD' : [ 0x1b8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListHead' : [ 0x10, ['_LIST_ENTRY']], 'InitialStack' : [ 0x18, ['pointer', ['void']]], 'StackLimit' : [ 0x1c, ['pointer', ['void']]], 'KernelStack' : [ 0x20, ['pointer', ['void']]], 'ThreadLock' : [ 0x24, ['unsigned long']], 'ApcState' : [ 0x28, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x28, ['array', 23, ['unsigned char']]], 'ApcQueueable' : [ 0x3f, ['unsigned char']], 'NextProcessor' : [ 0x40, ['unsigned char']], 'DeferredProcessor' : [ 0x41, ['unsigned char']], 'AdjustReason' : [ 0x42, ['unsigned char']], 'AdjustIncrement' : [ 0x43, ['unsigned char']], 'ApcQueueLock' : [ 0x44, ['unsigned long']], 'ContextSwitches' : [ 0x48, ['unsigned long']], 'State' : [ 0x4c, ['unsigned char']], 'NpxState' : [ 0x4d, ['unsigned char']], 'WaitIrql' : [ 0x4e, ['unsigned char']], 'WaitMode' : [ 0x4f, ['unsigned char']], 'WaitStatus' : [ 0x50, ['long']], 'WaitBlockList' : [ 0x54, ['pointer', ['_KWAIT_BLOCK']]], 'GateObject' : [ 0x54, ['pointer', ['_KGATE']]], 'Alertable' : [ 0x58, ['unsigned char']], 
'WaitNext' : [ 0x59, ['unsigned char']], 'WaitReason' : [ 0x5a, ['unsigned char']], 'Priority' : [ 0x5b, ['unsigned char']], 'EnableStackSwap' : [ 0x5c, ['unsigned char']], 'SwapBusy' : [ 0x5d, ['unsigned char']], 'Alerted' : [ 0x5e, ['array', 2, ['unsigned char']]], 'WaitListEntry' : [ 0x60, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x60, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0x68, ['pointer', ['_KQUEUE']]], 'WaitTime' : [ 0x6c, ['unsigned long']], 'KernelApcDisable' : [ 0x70, ['short']], 'SpecialApcDisable' : [ 0x72, ['short']], 'CombinedApcDisable' : [ 0x70, ['unsigned long']], 'Teb' : [ 0x74, ['pointer', ['void']]], 'Timer' : [ 0x78, ['_KTIMER']], 'TimerFill' : [ 0x78, ['array', 40, ['unsigned char']]], 'AutoAlignment' : [ 0xa0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0xa0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'GuiThread' : [ 0xa0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ReservedFlags' : [ 0xa0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0xa0, ['long']], 'WaitBlock' : [ 0xa8, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill0' : [ 0xa8, ['array', 23, ['unsigned char']]], 'SystemAffinityActive' : [ 0xbf, ['unsigned char']], 'WaitBlockFill1' : [ 0xa8, ['array', 47, ['unsigned char']]], 'PreviousMode' : [ 0xd7, ['unsigned char']], 'WaitBlockFill2' : [ 0xa8, ['array', 71, ['unsigned char']]], 'ResourceIndex' : [ 0xef, ['unsigned char']], 'WaitBlockFill3' : [ 0xa8, ['array', 95, ['unsigned char']]], 'LargeStack' : [ 0x107, ['unsigned char']], 'QueueListEntry' : [ 0x108, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x110, ['pointer', ['_KTRAP_FRAME']]], 'CallbackStack' : [ 0x114, ['pointer', ['void']]], 'ServiceTable' : [ 0x118, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x11c, ['unsigned char']], 'IdealProcessor' : [ 0x11d, ['unsigned char']], 'Preempted' : [ 0x11e, ['unsigned char']], 
'ProcessReadyQueue' : [ 0x11f, ['unsigned char']], 'KernelStackResident' : [ 0x120, ['unsigned char']], 'BasePriority' : [ 0x121, ['unsigned char']], 'PriorityDecrement' : [ 0x122, ['unsigned char']], 'Saturation' : [ 0x123, ['unsigned char']], 'UserAffinity' : [ 0x124, ['unsigned long']], 'Process' : [ 0x128, ['pointer', ['_KPROCESS']]], 'Affinity' : [ 0x12c, ['unsigned long']], 'ApcStatePointer' : [ 0x130, ['array', 2, ['pointer', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x138, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x138, ['array', 23, ['unsigned char']]], 'FreezeCount' : [ 0x14f, ['unsigned char']], 'SuspendCount' : [ 0x150, ['unsigned char']], 'UserIdealProcessor' : [ 0x151, ['unsigned char']], 'CalloutActive' : [ 0x152, ['unsigned char']], 'Iopl' : [ 0x153, ['unsigned char']], 'Win32Thread' : [ 0x154, ['pointer', ['void']]], 'StackBase' : [ 0x158, ['pointer', ['void']]], 'SuspendApc' : [ 0x15c, ['_KAPC']], 'SuspendApcFill0' : [ 0x15c, ['array', 1, ['unsigned char']]], 'Quantum' : [ 0x15d, ['unsigned char']], 'SuspendApcFill1' : [ 0x15c, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x15f, ['unsigned char']], 'SuspendApcFill2' : [ 0x15c, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x160, ['unsigned long']], 'SuspendApcFill3' : [ 0x15c, ['array', 36, ['unsigned char']]], 'TlsArray' : [ 0x180, ['pointer', ['void']]], 'SuspendApcFill4' : [ 0x15c, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x184, ['pointer', ['void']]], 'SuspendApcFill5' : [ 0x15c, ['array', 47, ['unsigned char']]], 'PowerState' : [ 0x18b, ['unsigned char']], 'UserTime' : [ 0x18c, ['unsigned long']], 'SuspendSemaphore' : [ 0x190, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x190, ['array', 20, ['unsigned char']]], 'SListFaultCount' : [ 0x1a4, ['unsigned long']], 'ThreadListEntry' : [ 0x1a8, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x1b0, ['pointer', ['void']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 
'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'Sequence' : [ 0x6, ['unsigned short']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 
'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x30, { 'WakeGate' : [ 0x0, ['_KGATE']], 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x10, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x14, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x18, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x1c, ['long']], 'Flags' : [ 0x20, ['long']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, { 'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]], } ], '_ETHREAD' : [ 0x250, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x1b8, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x1c0, ['_LARGE_INTEGER']], 'LpcReplyChain' : [ 0x1c0, ['_LIST_ENTRY']], 'KeyedWaitChain' : [ 0x1c0, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x1c8, ['long']], 'OfsChain' : [ 0x1c8, ['pointer', ['void']]], 'PostBlockList' : [ 0x1cc, ['_LIST_ENTRY']], 'TerminationPort' : [ 0x1d4, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x1d4, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x1d4, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x1d8, ['unsigned long']], 'ActiveTimerListHead' : [ 0x1dc, ['_LIST_ENTRY']], 'Cid' : [ 0x1e4, ['_CLIENT_ID']], 
'LpcReplySemaphore' : [ 0x1ec, ['_KSEMAPHORE']], 'KeyedWaitSemaphore' : [ 0x1ec, ['_KSEMAPHORE']], 'LpcReplyMessage' : [ 0x200, ['pointer', ['void']]], 'LpcWaitingOnPort' : [ 0x200, ['pointer', ['void']]], 'ImpersonationInfo' : [ 0x204, ['pointer', ['_PS_IMPERSONATION_INFORMATION']]], 'IrpList' : [ 0x208, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x210, ['unsigned long']], 'DeviceToVerify' : [ 0x214, ['pointer', ['_DEVICE_OBJECT']]], 'ThreadsProcess' : [ 0x218, ['pointer', ['_EPROCESS']]], 'StartAddress' : [ 0x21c, ['pointer', ['void']]], 'Win32StartAddress' : [ 0x220, ['pointer', ['void']]], 'LpcReceivedMessageId' : [ 0x220, ['unsigned long']], 'ThreadListEntry' : [ 0x224, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x22c, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x230, ['_EX_PUSH_LOCK']], 'LpcReplyMessageId' : [ 0x234, ['unsigned long']], 'ReadClusterSize' : [ 0x238, ['unsigned long']], 'GrantedAccess' : [ 0x23c, ['unsigned long']], 'CrossThreadFlags' : [ 0x240, ['unsigned long']], 'Terminated' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeadThread' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x240, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x240, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x240, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x240, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x240, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x240, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x244, 
['unsigned long']], 'ActiveExWorker' : [ 0x244, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x244, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x244, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x244, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x248, ['unsigned long']], 'LpcReceivedMsgIdValid' : [ 0x248, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'LpcExitThreadCalled' : [ 0x248, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'AddressSpaceOwner' : [ 0x248, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x248, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x248, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemWorkingSetExclusive' : [ 0x248, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemWorkingSetShared' : [ 0x248, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x248, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x249, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ApcNeeded' : [ 0x249, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ForwardClusterOnly' : [ 0x24c, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x24d, ['unsigned char']], 'ActiveFaultCount' : [ 0x24e, ['unsigned char']], } ], '_EPROCESS' : [ 0x278, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x78, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x80, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x88, 
['_LARGE_INTEGER']], 'RundownProtect' : [ 0x90, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x94, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0x98, ['_LIST_ENTRY']], 'QuotaUsage' : [ 0xa0, ['array', 3, ['unsigned long']]], 'QuotaPeak' : [ 0xac, ['array', 3, ['unsigned long']]], 'CommitCharge' : [ 0xb8, ['unsigned long']], 'PeakVirtualSize' : [ 0xbc, ['unsigned long']], 'VirtualSize' : [ 0xc0, ['unsigned long']], 'SessionProcessLinks' : [ 0xc4, ['_LIST_ENTRY']], 'DebugPort' : [ 0xcc, ['pointer', ['void']]], 'ExceptionPort' : [ 0xd0, ['pointer', ['void']]], 'ObjectTable' : [ 0xd4, ['pointer', ['_HANDLE_TABLE']]], 'Token' : [ 0xd8, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0xdc, ['unsigned long']], 'AddressCreationLock' : [ 0xe0, ['_KGUARDED_MUTEX']], 'HyperSpaceLock' : [ 0x100, ['unsigned long']], 'ForkInProgress' : [ 0x104, ['pointer', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x108, ['unsigned long']], 'PhysicalVadRoot' : [ 0x10c, ['pointer', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x110, ['pointer', ['void']]], 'NumberOfPrivatePages' : [ 0x114, ['unsigned long']], 'NumberOfLockedPages' : [ 0x118, ['unsigned long']], 'Win32Process' : [ 0x11c, ['pointer', ['void']]], 'Job' : [ 0x120, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x124, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x128, ['pointer', ['void']]], 'QuotaBlock' : [ 0x12c, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'WorkingSetWatch' : [ 0x130, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x134, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x138, ['pointer', ['void']]], 'LdtInformation' : [ 0x13c, ['pointer', ['void']]], 'VadFreeHint' : [ 0x140, ['pointer', ['void']]], 'VdmObjects' : [ 0x144, ['pointer', ['void']]], 'DeviceMap' : [ 0x148, ['pointer', ['void']]], 'Spare0' : [ 0x14c, ['array', 3, ['pointer', ['void']]]], 'PageDirectoryPte' : [ 0x158, ['_HARDWARE_PTE']], 'Filler' : [ 0x158, ['unsigned long long']], 'Session' : [ 0x160, ['pointer', ['void']]], 'ImageFileName' : [ 
0x164, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x174, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x17c, ['pointer', ['void']]], 'ThreadListHead' : [ 0x180, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x188, ['pointer', ['void']]], 'PaeTop' : [ 0x18c, ['pointer', ['void']]], 'ActiveThreads' : [ 0x190, ['unsigned long']], 'GrantedAccess' : [ 0x194, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x198, ['unsigned long']], 'LastThreadExitStatus' : [ 0x19c, ['long']], 'Peb' : [ 0x1a0, ['pointer', ['_PEB']]], 'PrefetchTrace' : [ 0x1a4, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x1a8, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x1b0, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1c0, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1c8, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1d0, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1d8, ['unsigned long']], 'CommitChargePeak' : [ 0x1dc, ['unsigned long']], 'AweInfo' : [ 0x1e0, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x1e4, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x1e8, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x230, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x238, ['unsigned long']], 'JobStatus' : [ 0x23c, ['unsigned long']], 'Flags' : [ 0x240, ['unsigned long']], 'CreateReported' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x240, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x240, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x240, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x240, ['BitField', 
dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x240, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x240, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x240, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x240, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x240, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x240, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'SessionCreationUnderway' : [ 0x240, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x240, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x240, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x240, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x240, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x240, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x240, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x240, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x240, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x240, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x240, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SmapAllowed' : [ 0x240, ['BitField', dict(start_bit = 25, end_bit = 26, 
native_type='unsigned long')]], 'CreateFailed' : [ 0x240, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x240, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'Spare1' : [ 0x240, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Spare2' : [ 0x240, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x244, ['long']], 'NextPageColor' : [ 0x248, ['unsigned short']], 'SubSystemMinorVersion' : [ 0x24a, ['unsigned char']], 'SubSystemMajorVersion' : [ 0x24b, ['unsigned char']], 'SubSystemVersion' : [ 0x24a, ['unsigned short']], 'PriorityClass' : [ 0x24c, ['unsigned char']], 'VadRoot' : [ 0x250, ['_MM_AVL_TABLE']], 'Cookie' : [ 0x270, ['unsigned long']], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Type' : [ 0x8, ['pointer', ['_OBJECT_TYPE']]], 'NameInfoOffset' : [ 0xc, ['unsigned char']], 'HandleInfoOffset' : [ 0xd, ['unsigned char']], 'QuotaInfoOffset' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'ExclusiveProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, { 'HandleCountDataBase' : [ 0x0, ['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 
'QueryReferences' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_TYPE' : [ 0x190, { 'Mutex' : [ 0x0, ['_ERESOURCE']], 'TypeList' : [ 0x38, ['_LIST_ENTRY']], 'Name' : [ 0x40, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x48, ['pointer', ['void']]], 'Index' : [ 0x4c, ['unsigned long']], 'TotalNumberOfObjects' : [ 0x50, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x54, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x58, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x5c, ['unsigned long']], 'TypeInfo' : [ 0x60, ['_OBJECT_TYPE_INITIALIZER']], 'Key' : [ 0xac, ['unsigned long']], 'ObjectLocks' : [ 0xb0, ['array', 4, ['_ERESOURCE']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_KGUARDED_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], 'KernelApcDisable' : [ 0x1c, ['short']], 'SpecialApcDisable' : [ 0x1e, ['short']], 'CombinedApcDisable' : [ 0x1c, ['unsigned long']], } ], '__unnamed_1152' : [ 0x4, { 'Long' : [ 0x0, ['unsigned long']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'Trans' : [ 0x0, 
['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_1152']], } ], '__unnamed_115f' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'ReadStatus' : [ 0x0, ['long']], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_1161' : [ 0x4, { 'Blink' : [ 0x0, ['unsigned long']], 'ShareCount' : [ 0x0, ['unsigned long']], } ], '__unnamed_1164' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_1166' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_1164']], } ], '__unnamed_116b' : [ 0x4, { 'EntireFrame' : [ 0x0, ['unsigned long']], 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'InPageError' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'VerifierAllocation' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 31, native_type='unsigned long')]], 'MustBeCached' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MMPFN' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_115f']], 'PteAddress' : [ 0x4, ['pointer', ['_MMPTE']]], 'u2' : [ 0x8, ['__unnamed_1161']], 'u3' : [ 0xc, ['__unnamed_1166']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'AweReferenceCount' : [ 0x10, ['long']], 'u4' : [ 0x14, ['__unnamed_116b']], } ], '__unnamed_1172' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMVAD']]], } ], '__unnamed_1175' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 
'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_117a' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_1172']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1175']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x1c, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x20, ['pointer', ['_MMPTE']]], 'u2' : [ 0x24, ['__unnamed_117a']], } ], '_MM_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x14, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x14, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x18, ['pointer', ['void']]], 'NodeFreeHint' : [ 0x1c, ['pointer', ['void']]], } ], '_MMPTE_FLUSH_LIST' : [ 0x88, { 'Count' : [ 0x0, ['unsigned long']], 'FlushVa' : [ 0x4, ['array', 33, ['pointer', ['void']]]], } ], '__unnamed_118c' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'u' : [ 0x4, ['__unnamed_118c']], 'StartingSector' : [ 0x8, ['unsigned long']], 'NumberOfFullSectors' : [ 0xc, ['unsigned long']], 'SubsectionBase' : [ 0x10, ['pointer', ['_MMPTE']]], 'UnusedPtes' : [ 0x14, ['unsigned long']], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'NextSubsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], } ], '_MMPAGING_FILE' : [ 0x3c, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, 
['unsigned long']], 'CurrentUsage' : [ 0x10, ['unsigned long']], 'PeakUsage' : [ 0x14, ['unsigned long']], 'HighestPage' : [ 0x18, ['unsigned long']], 'File' : [ 0x1c, ['pointer', ['_FILE_OBJECT']]], 'Entry' : [ 0x20, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x28, ['_UNICODE_STRING']], 'Bitmap' : [ 0x30, ['pointer', ['_RTL_BITMAP']]], 'PageFileNumber' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'ReferenceCount' : [ 0x34, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'BootPartition' : [ 0x34, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Reserved' : [ 0x34, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'FileHandle' : [ 0x38, ['pointer', ['void']]], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['long']], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'Object' : [ 0xc, ['pointer', ['void']]], 'NextWaitBlock' : [ 0x10, ['pointer', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x14, ['unsigned short']], 'WaitType' : [ 0x16, ['unsigned char']], 'SpareByte' : [ 0x17, ['unsigned char']], } ], 
'_KTIMER_TABLE_ENTRY' : [ 0x10, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'Time' : [ 0x8, ['_ULARGE_INTEGER']], } ], '__unnamed_11b9' : [ 0x208, { 'FnArea' : [ 0x0, ['_FNSAVE_FORMAT']], 'FxArea' : [ 0x0, ['_FXSAVE_FORMAT']], } ], '_FX_SAVE_AREA' : [ 0x210, { 'U' : [ 0x0, ['__unnamed_11b9']], 'NpxSavedCpu' : [ 0x208, ['unsigned long']], 'Cr0NpxState' : [ 0x20c, ['unsigned long']], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], 
'_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], 
'_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_1227' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, 
['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_1227']], } ], '__unnamed_122e' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 
'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_122e']], } ], '_SHARED_CACHE_MAP' : [ 0x138, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObject' : [ 0x44, ['pointer', ['_FILE_OBJECT']]], 'ActiveVacb' : [ 0x48, ['pointer', ['_VACB']]], 'NeedToZero' : [ 0x4c, ['pointer', ['void']]], 'ActivePage' : [ 0x50, ['unsigned long']], 'NeedToZeroPage' : [ 0x54, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x58, ['unsigned long']], 'VacbActiveCount' : [ 0x5c, ['unsigned long']], 'DirtyPages' : [ 0x60, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x64, ['_LIST_ENTRY']], 'Flags' : [ 0x6c, ['unsigned long']], 'Status' : [ 0x70, ['long']], 'Mbcb' : [ 0x74, ['pointer', ['_MBCB']]], 'Section' : [ 0x78, ['pointer', ['void']]], 'CreateEvent' : [ 0x7c, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x80, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x84, ['unsigned long']], 'BeyondLastFlush' : [ 0x88, ['long long']], 'Callbacks' : [ 0x90, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x94, ['pointer', ['void']]], 'PrivateList' : [ 0x98, ['_LIST_ENTRY']], 'LogHandle' : [ 0xa0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0xa4, ['pointer', ['void']]], 'DirtyPageThreshold' : [ 0xa8, ['unsigned long']], 'LazyWritePassCount' : [ 0xac, ['unsigned long']], 'UninitializeEvent' : [ 0xb0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0xb4, ['pointer', ['_VACB']]], 'BcbSpinLock' : [ 0xb8, ['unsigned long']], 'Reserved' : [ 0xbc, ['pointer', ['void']]], 'Event' : [ 0xc0, ['_KEVENT']], 'VacbPushLock' : [ 0xd0, ['_EX_PUSH_LOCK']], 
'PrivateCacheMap' : [ 0xd8, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x130, ['pointer', ['void']]], } ], '_FILE_OBJECT' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], } ], '__unnamed_1253' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x18, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_1253']], 'LruList' : [ 0x10, ['_LIST_ENTRY']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '__unnamed_1268' : [ 0x10, { 'FreeListsInUseUlong' : [ 0x0, ['array', 4, ['unsigned long']]], 'FreeListsInUseBytes' : [ 0x0, ['array', 16, ['unsigned char']]], } ], '__unnamed_126a' : [ 
0x2, { 'FreeListsInUseTerminate' : [ 0x0, ['unsigned short']], 'DecommitCount' : [ 0x0, ['unsigned short']], } ], '_HEAP' : [ 0x588, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'ForceFlags' : [ 0x10, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x14, ['unsigned long']], 'SegmentReserve' : [ 0x18, ['unsigned long']], 'SegmentCommit' : [ 0x1c, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x20, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x24, ['unsigned long']], 'TotalFreeSize' : [ 0x28, ['unsigned long']], 'MaximumAllocationSize' : [ 0x2c, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x30, ['unsigned short']], 'HeaderValidateLength' : [ 0x32, ['unsigned short']], 'HeaderValidateCopy' : [ 0x34, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x38, ['unsigned short']], 'MaximumTagIndex' : [ 0x3a, ['unsigned short']], 'TagEntries' : [ 0x3c, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRSegments' : [ 0x40, ['pointer', ['_HEAP_UCR_SEGMENT']]], 'UnusedUnCommittedRanges' : [ 0x44, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'AlignRound' : [ 0x48, ['unsigned long']], 'AlignMask' : [ 0x4c, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0x50, ['_LIST_ENTRY']], 'Segments' : [ 0x58, ['array', 64, ['pointer', ['_HEAP_SEGMENT']]]], 'u' : [ 0x158, ['__unnamed_1268']], 'u2' : [ 0x168, ['__unnamed_126a']], 'AllocatorBackTraceIndex' : [ 0x16a, ['unsigned short']], 'NonDedicatedListLength' : [ 0x16c, ['unsigned long']], 'LargeBlocksIndex' : [ 0x170, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0x174, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x178, ['array', 128, ['_LIST_ENTRY']]], 'LockVariable' : [ 0x578, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x57c, ['pointer', ['void']]], 'FrontEndHeap' : [ 0x580, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0x584, ['unsigned short']], 'FrontEndHeapType' : [ 0x586, ['unsigned char']], 'LastSegmentIndex' : [ 0x587, ['unsigned char']], } ],
'_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'PreviousSize' : [ 0x2, ['unsigned short']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'SmallTagIndex' : [ 0x4, ['unsigned char']], 'Flags' : [ 0x5, ['unsigned char']], 'UnusedBytes' : [ 0x6, ['unsigned char']], 'SegmentIndex' : [ 0x7, ['unsigned char']], } ], '_HEAP_SEGMENT' : [ 0x3c, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Heap' : [ 0x10, ['pointer', ['_HEAP']]], 'LargestUnCommittedRange' : [ 0x14, ['unsigned long']], 'BaseAddress' : [ 0x18, ['pointer', ['void']]], 'NumberOfPages' : [ 0x1c, ['unsigned long']], 'FirstEntry' : [ 0x20, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x28, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x2c, ['unsigned long']], 'UnCommittedRanges' : [ 0x30, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'AllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'LastEntryInSegment' : [ 0x38, ['pointer', ['_HEAP_ENTRY']]], } ], '_HEAP_SUBSEGMENT' : [ 0x20, { 'Bucket' : [ 0x0, ['pointer', ['void']]], 'UserBlocks' : [ 0x4, ['pointer', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x8, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x10, ['unsigned short']], 'FreeThreshold' : [ 0x12, ['unsigned short']], 'BlockCount' : [ 0x14, ['unsigned short']], 'SizeIndex' : [ 0x16, ['unsigned char']], 'AffinityIndex' : [ 0x17, ['unsigned char']], 'Alignment' : [ 0x10, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x1c, ['unsigned long']], } ], '_TOKEN' : [ 0xa8, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'AuditPolicy' : [ 0x38, 
['_SEP_AUDIT_POLICY']], 'ModifiedId' : [ 0x40, ['_LUID']], 'SessionId' : [ 0x48, ['unsigned long']], 'UserAndGroupCount' : [ 0x4c, ['unsigned long']], 'RestrictedSidCount' : [ 0x50, ['unsigned long']], 'PrivilegeCount' : [ 0x54, ['unsigned long']], 'VariableLength' : [ 0x58, ['unsigned long']], 'DynamicCharged' : [ 0x5c, ['unsigned long']], 'DynamicAvailable' : [ 0x60, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x64, ['unsigned long']], 'UserAndGroups' : [ 0x68, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x6c, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x70, ['pointer', ['void']]], 'Privileges' : [ 0x74, ['pointer', ['_LUID_AND_ATTRIBUTES']]], 'DynamicPart' : [ 0x78, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0x7c, ['pointer', ['_ACL']]], 'TokenType' : [ 0x80, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x84, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0x88, ['unsigned char']], 'TokenInUse' : [ 0x89, ['unsigned char']], 'ProxyData' : [ 0x8c, ['pointer', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0x90, ['pointer', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'LogonSession' : [ 0x94, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0x98, ['_LUID']], 'VariablePart' : [ 0xa0, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x18, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned long']], 'pDeviceMap' : [ 0x14, ['pointer', ['_DEVICE_MAP']]], } ], '_TEB' : [ 0xfbc, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' 
: [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes1' : [ 0x1ac, ['array', 40, ['unsigned char']]], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['unsigned short']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 
'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 14, ['pointer', ['void']]]], 'SubProcessTag' : [ 0xf64, ['pointer', ['void']]], 'EtwTraceData' : [ 0xf68, ['pointer', ['void']]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'InDbgPrint' : [ 0xf74, ['unsigned char']], 'FreeStackOnTermination' : [ 0xf75, ['unsigned char']], 'HasFiberData' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SparePointer1' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'SoftPatchPtr2' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], 'SafeThunkCall' : [ 0xfb8, ['unsigned char']], 'BooleanSpare' : [ 0xfb9, ['array', 3, ['unsigned char']]], } ], '_HEAP_UCR_SEGMENT' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_HEAP_UCR_SEGMENT']]], 'ReservedSize' : [ 0x4, ['unsigned long']], 'CommittedSize' : [ 0x8, ['unsigned long']], 'filler' : [ 0xc, ['unsigned long']], } ], '_HMAP_TABLE' : [ 0x2000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', 
['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerThreads' : [ 0x18, ['array', 2, ['_OWNER_ENTRY']]], 'ContentionCount' : [ 0x28, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x2c, ['unsigned short']], 'NumberOfExclusiveWaiters' : [ 0x2e, ['unsigned short']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x10, ['_UNICODE_STRING']], 'LinkTargetObject' : [ 0x18, ['pointer', ['void']]], 'DosDeviceDriveIndex' : [ 0x1c, ['unsigned long']], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'NpxIrql' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Hand' : [ 0x2, ['unsigned char']], 'Inserted' : [ 0x3, ['unsigned char']], 'DebugActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x50, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x3c, ['pointer', 
['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'LoadedImports' : [ 0x44, ['pointer', ['void']]], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x4c, ['pointer', ['void']]], } ], '_HEAP_UNCOMMMTTED_RANGE' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'Address' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'filler' : [ 0xc, ['unsigned long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x128, { 'Nodes' : [ 0x0, ['array', 2, ['unsigned long']]], 'Resources' : [ 0x8, ['array', 2, ['unsigned long']]], 'Threads' : [ 0x10, ['array', 2, ['unsigned long']]], 'TimeAcquire' : [ 0x18, ['long long']], 'TimeRelease' : [ 0x20, ['long long']], 'BytesAllocated' : [ 0x28, ['unsigned long']], 'ResourceDatabase' : [ 0x2c, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabase' : [ 0x30, ['pointer', ['_LIST_ENTRY']]], 'AllocationFailures' : [ 0x34, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x38, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x3c, ['unsigned long']], 'NodesSearched' : [ 0x40, ['unsigned long']], 'MaxNodesSearched' : [ 0x44, ['unsigned long']], 'SequenceNumber' : [ 0x48, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4c, ['unsigned long']], 'SearchedNodesLimit' : [ 0x50, ['unsigned long']], 'DepthLimitHits' : [ 0x54, ['unsigned long']], 'SearchLimitHits' : [ 0x58, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x5c, ['unsigned long']], 'OutOfOrderReleases' : [ 0x60, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x64, ['unsigned long']], 'TotalReleases' : [ 0x68, ['unsigned long']], 'RootNodesDeleted' : [ 0x6c, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x70, ['unsigned long']], 'PoolTrimCounter' : [ 0x74, ['unsigned long']], 'FreeResourceList' : [ 0x78, ['_LIST_ENTRY']], 'FreeThreadList' : [ 0x80, ['_LIST_ENTRY']], 
'FreeNodeList' : [ 0x88, ['_LIST_ENTRY']], 'FreeResourceCount' : [ 0x90, ['unsigned long']], 'FreeThreadCount' : [ 0x94, ['unsigned long']], 'FreeNodeCount' : [ 0x98, ['unsigned long']], 'Instigator' : [ 0x9c, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0xa0, ['unsigned long']], 'Participant' : [ 0xa4, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'CacheReductionInProgress' : [ 0x124, ['unsigned long']], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_SECTION_OBJECT' : [ 0x18, { 'StartingVa' : [ 0x0, ['pointer', ['void']]], 'EndingVa' : [ 0x4, ['pointer', ['void']]], 'Parent' : [ 0x8, ['pointer', ['void']]], 'LeftChild' : [ 0xc, ['pointer', ['void']]], 'RightChild' : [ 0x10, ['pointer', ['void']]], 'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 
'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_WMI_LOGGER_CONTEXT' : [ 0x1d8, { 'BufferSpinLock' : [ 0x0, ['unsigned long']], 'StartTime' : [ 0x8, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x10, ['pointer', ['void']]], 'LoggerSemaphore' : [ 0x14, ['_KSEMAPHORE']], 'LoggerThread' : [ 0x28, ['pointer', ['_ETHREAD']]], 'LoggerEvent' : [ 0x2c, ['_KEVENT']], 'FlushEvent' : [ 0x3c, ['_KEVENT']], 'LoggerStatus' : [ 0x4c, ['long']], 'LoggerId' : [ 0x50, ['unsigned long']], 'BuffersAvailable' : [ 0x54, ['long']], 'UsePerfClock' : [ 0x58, ['unsigned long']], 'WriteFailureLimit' : [ 0x5c, ['unsigned long']], 'BuffersDirty' : [ 0x60, ['long']], 'BuffersInUse' : [ 0x64, ['long']], 'SwitchingInProgress' : [ 0x68, ['unsigned long']], 'FreeList' : [ 0x70, ['_SLIST_HEADER']], 'FlushList' : [ 0x78, ['_SLIST_HEADER']], 'WaitList' : [ 0x80, ['_SLIST_HEADER']], 'GlobalList' : [ 0x88, ['_SLIST_HEADER']], 'ProcessorBuffers' : [ 0x90, ['pointer', ['pointer', ['_WMI_BUFFER_HEADER']]]], 'LoggerName' : [ 0x94, ['_UNICODE_STRING']], 'LogFileName' : [ 0x9c, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0xa4, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0xac, ['_UNICODE_STRING']], 'EndPageMarker' : [ 0xb4, ['pointer', ['unsigned char']]], 'CollectionOn' : [ 0xb8, ['long']], 'KernelTraceOn' : [ 0xbc, ['unsigned long']], 'PerfLogInTransition' : [ 0xc0, ['long']], 'RequestFlag' : [ 0xc4, ['unsigned long']], 'EnableFlags' : [ 0xc8, ['unsigned long']], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'LoggerMode' : [ 0xd0, ['unsigned long']], 'LoggerModeFlags' : [ 0xd0, ['_WMI_LOGGER_MODE']], 'Wow' : [ 0xd4, ['unsigned long']], 'LastFlushedBuffer' : [ 0xd8, ['unsigned long']], 'RefCount' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'FirstBufferOffset' : [ 0xe8, ['_LARGE_INTEGER']], 'ByteOffset' : [ 0xf0, ['_LARGE_INTEGER']], 'BufferAgeLimit' : [ 0xf8, ['_LARGE_INTEGER']], 'MaximumBuffers' : [ 0x100, ['unsigned long']], 'MinimumBuffers' : [ 0x104, ['unsigned long']], 
'EventsLost' : [ 0x108, ['unsigned long']], 'BuffersWritten' : [ 0x10c, ['unsigned long']], 'LogBuffersLost' : [ 0x110, ['unsigned long']], 'RealTimeBuffersLost' : [ 0x114, ['unsigned long']], 'BufferSize' : [ 0x118, ['unsigned long']], 'NumberOfBuffers' : [ 0x11c, ['long']], 'SequencePtr' : [ 0x120, ['pointer', ['long']]], 'InstanceGuid' : [ 0x124, ['_GUID']], 'LoggerHeader' : [ 0x134, ['pointer', ['void']]], 'GetCpuClock' : [ 0x138, ['pointer', ['void']]], 'ClientSecurityContext' : [ 0x13c, ['_SECURITY_CLIENT_CONTEXT']], 'LoggerExtension' : [ 0x178, ['pointer', ['void']]], 'ReleaseQueue' : [ 0x17c, ['long']], 'EnableFlagExtension' : [ 0x180, ['_TRACE_ENABLE_FLAG_EXTENSION']], 'LocalSequence' : [ 0x184, ['unsigned long']], 'MaximumIrql' : [ 0x188, ['unsigned long']], 'EnableFlagArray' : [ 0x18c, ['pointer', ['unsigned long']]], 'LoggerMutex' : [ 0x190, ['_KMUTANT']], 'MutexCount' : [ 0x1b0, ['long']], 'FileCounter' : [ 0x1b4, ['long']], 'BufferCallback' : [ 0x1b8, ['pointer', ['void']]], 'CallbackContext' : [ 0x1bc, ['pointer', ['void']]], 'PoolType' : [ 0x1c0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceSystemTime' : [ 0x1c8, ['_LARGE_INTEGER']], 'ReferenceTimeStamp' : [ 0x1d0, ['_LARGE_INTEGER']], } ], '_SEGMENT_OBJECT' : [ 0x30, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', 
['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'LargeControlArea' : [ 0x20, ['pointer', ['_LARGE_CONTROL_AREA']]], 'MmSectionFlags' : [ 0x24, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x28, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], '__unnamed_1388' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '_CONTROL_AREA' : [ 0x38, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfSystemCacheViews' : [ 0x18, ['unsigned long']], 'NumberOfUserReferences' : [ 0x1c, ['unsigned long']], 'u' : [ 0x20, ['__unnamed_1388']], 'FilePointer' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x28, ['pointer', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x2c, ['unsigned short']], 'FlushInProgressCount' : [ 0x2e, ['unsigned short']], 'WritableUserReferences' : [ 0x30, ['unsigned long']], 'QuadwordPad' : [ 0x34, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x44, { 'TableCode' : [ 0x0, ['unsigned long']], 'QuotaProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x8, ['pointer', ['void']]], 'HandleTableLock' : [ 0xc, ['array', 4, ['_EX_PUSH_LOCK']]], 'HandleTableList' : [ 0x1c, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x24, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x28, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x2c, ['long']], 'FirstFree' : [ 0x30, ['unsigned long']], 'LastFree' : [ 0x34, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x38, ['unsigned long']], 'HandleCount' : [ 0x3c, ['long']], 'Flags' : [ 0x40, ['unsigned long']], 'StrictFIFO' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit 
= 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_MMPTE_PROTOTYPE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProtoAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 
'WhichPool' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtoAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_MMSUPPORT' : [ 0x48, { 'WorkingSetExpansionLinks' : [ 0x0, ['_LIST_ENTRY']], 'LastTrimTime' : [ 0x8, ['_LARGE_INTEGER']], 'Flags' : [ 0x10, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0x14, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x18, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x1c, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x20, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x24, ['unsigned long']], 'VmWorkingSetList' : [ 0x28, ['pointer', ['_MMWSL']]], 'Claim' : [ 0x2c, ['unsigned long']], 'NextEstimationSlot' : [ 0x30, ['unsigned long']], 'NextAgingSlot' : [ 0x34, ['unsigned long']], 'EstimatedAvailable' : [ 0x38, ['unsigned long']], 'WorkingSetSize' : [ 0x3c, ['unsigned long']], 'WorkingSetMutex' : [ 0x40, ['_EX_PUSH_LOCK']], } ], '_EX_WORK_QUEUE' : [ 0x3c, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x28, ['unsigned long']], 'WorkItemsProcessed' : [ 0x2c, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x30, ['unsigned long']], 'QueueDepthLastPass' : [ 0x34, ['unsigned long']], 'Info' : [ 0x38, ['EX_QUEUE_WORKER_INFO']], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SubsectionStatic' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 9, 
end_bit = 10, native_type='unsigned long')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 20, native_type='unsigned long')]], 'SectorEndOffset' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['unsigned short']]], } ], '_EPROCESS_QUOTA_BLOCK' : [ 0x40, { 'QuotaEntry' : [ 0x0, ['array', 3, ['_EPROCESS_QUOTA_ENTRY']]], 'QuotaList' : [ 0x30, ['_LIST_ENTRY']], 'ReferenceCount' : [ 0x38, ['unsigned long']], 'ProcessCount' : [ 0x3c, ['unsigned long']], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '_EVENT_COUNTER' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'RefCount' : [ 0x4, ['unsigned long']], 'Event' : [ 0x8, ['_KEVENT']], } ], '_EJOB' : [ 0x180, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 
0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x70, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0x78, ['unsigned long']], 'TotalProcesses' : [ 0x7c, ['unsigned long']], 'ActiveProcesses' : [ 0x80, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x84, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x88, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0x90, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0x98, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x9c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0xa0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xa4, ['unsigned long']], 'Affinity' : [ 0xa8, ['unsigned long']], 'PriorityClass' : [ 0xac, ['unsigned char']], 'UIRestrictionsClass' : [ 0xb0, ['unsigned long']], 'SecurityLimitFlags' : [ 0xb4, ['unsigned long']], 'Token' : [ 0xb8, ['pointer', ['void']]], 'Filter' : [ 0xbc, ['pointer', ['_PS_JOB_TOKEN_FILTER']]], 'EndOfJobTimeAction' : [ 0xc0, ['unsigned long']], 'CompletionPort' : [ 0xc4, ['pointer', ['void']]], 'CompletionKey' : [ 0xc8, ['pointer', ['void']]], 'SessionId' : [ 0xcc, ['unsigned long']], 'SchedulingClass' : [ 0xd0, ['unsigned long']], 'ReadOperationCount' : [ 0xd8, ['unsigned long long']], 'WriteOperationCount' : [ 0xe0, ['unsigned long long']], 'OtherOperationCount' : [ 0xe8, ['unsigned long long']], 'ReadTransferCount' : [ 0xf0, ['unsigned long long']], 'WriteTransferCount' : [ 0xf8, ['unsigned long long']], 'OtherTransferCount' : [ 0x100, ['unsigned long long']], 'IoInfo' : [ 0x108, ['_IO_COUNTERS']], 'ProcessMemoryLimit' : [ 0x138, ['unsigned long']], 'JobMemoryLimit' : [ 0x13c, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x140, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x144, ['unsigned long']], 'CurrentJobMemoryUsed' : [ 0x148, ['unsigned long']], 'MemoryLimitsLock' : [ 0x14c, ['_KGUARDED_MUTEX']], 'JobSetLinks' : [ 0x16c, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x174, 
['unsigned long']], 'JobFlags' : [ 0x178, ['unsigned long']], } ], '_LARGE_CONTROL_AREA' : [ 0x48, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfSystemCacheViews' : [ 0x18, ['unsigned long']], 'NumberOfUserReferences' : [ 0x1c, ['unsigned long']], 'u' : [ 0x20, ['__unnamed_1388']], 'FilePointer' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x28, ['pointer', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x2c, ['unsigned short']], 'FlushInProgressCount' : [ 0x2e, ['unsigned short']], 'WritableUserReferences' : [ 0x30, ['unsigned long']], 'QuadwordPad' : [ 0x34, ['unsigned long']], 'StartingFrame' : [ 0x38, ['unsigned long']], 'UserGlobalList' : [ 0x3c, ['_LIST_ENTRY']], 'SessionId' : [ 0x44, ['unsigned long']], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_KGATE' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_PS_JOB_TOKEN_FILTER' : [ 0x24, { 'CapturedSidCount' : [ 0x0, ['unsigned long']], 'CapturedSids' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapturedSidsLength' : [ 0x8, ['unsigned long']], 'CapturedGroupCount' : [ 0xc, ['unsigned long']], 'CapturedGroups' : [ 0x10, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapturedGroupsLength' : [ 0x14, ['unsigned long']], 'CapturedPrivilegeCount' : [ 0x18, ['unsigned long']], 'CapturedPrivileges' : [ 0x1c, ['pointer', ['_LUID_AND_ATTRIBUTES']]], 'CapturedPrivilegesLength' : [ 0x20, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x70, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 
'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'Reserved' : [ 0x68, ['array', 2, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMPTE_HARDWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Writable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, 
['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x10, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'CmView' : [ 0x8, ['pointer', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0xc, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 
4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'filler0' 
: [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ImageMappedInSystemSpace' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'filler' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_DEFERRED_WRITE' : [ 0x28, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], 'LimitModifiedPages' : [ 0x24, ['unsigned char']], } ], '_TRACE_ENABLE_FLAG_EXTENSION' : [ 0x4, { 'Offset' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned char']], 'Flag' : [ 0x3, ['unsigned char']], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x1c, { 'Name' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'CmHive' : [ 0x8, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0xc, ['unsigned long']], 'CmHiveFlags' : [ 0x10, ['unsigned long']], 'CmHive2' : [ 0x14, ['pointer', ['_CMHIVE']]], 'ThreadFinished' : [ 0x18, ['unsigned char']], 'ThreadStarted' : [ 0x19, ['unsigned char']], 
'Allocate' : [ 0x1a, ['unsigned char']], } ], '_MMVAD_FLAGS' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 19, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 23, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_PS_IMPERSONATION_INFORMATION' : [ 0xc, { 'Token' : [ 0x0, ['pointer', ['void']]], 'CopyOnOpen' : [ 0x4, ['unsigned char']], 'EffectiveOnly' : [ 0x5, ['unsigned char']], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], } ], '__unnamed_1430' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], } ], '__unnamed_1432' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_1436' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x120, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]],
'Level' : [ 0x10, ['unsigned long']], 'Notify' : [ 0x14, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'State' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x20, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 
'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x70, ['unsigned long']], 'CompletionStatus' : [ 0x74, ['long']], 'PendingIrp' : [ 0x78, ['pointer', ['_IRP']]], 'Flags' : [ 0x7c, ['unsigned long']], 'UserFlags' : [ 0x80, ['unsigned long']], 'Problem' : [ 0x84, ['unsigned long']], 'PhysicalDeviceObject' : [ 0x88, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0x8c, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x90, ['pointer', ['_CM_RESOURCE_LIST']]], 'InstancePath' : [ 0x94, ['_UNICODE_STRING']], 'ServiceName' : [ 0x9c, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0xa4, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xa8, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xac, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xb0, ['unsigned long']], 'ChildInterfaceType' : [ 0xb4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0xb8, 
['unsigned long']], 'ChildBusTypeIndex' : [ 0xbc, ['unsigned short']], 'RemovalPolicy' : [ 0xbe, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0xbf, ['unsigned char']], 'TargetDeviceNotify' : [ 0xc0, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0xc8, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0xd0, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0xd8, ['unsigned short']], 'QueryTranslatorMask' : [ 0xda, ['unsigned short']], 'NoArbiterMask' : [ 0xdc, ['unsigned short']], 'QueryArbiterMask' : [ 0xde, ['unsigned short']], 'OverUsed1' : [ 0xe0, ['__unnamed_1430']], 'OverUsed2' : [ 0xe4, ['__unnamed_1432']], 'BootResources' : [ 0xe8, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0xec, ['unsigned long']], 'DockInfo' : [ 0xf0, ['__unnamed_1436']], 'DisableableDepends' : [ 0x100, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x104, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x10c, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x114, ['unsigned long']], 'PreviousParent' : [ 0x118, ['pointer', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x11c, ['unsigned long']], } ], '__unnamed_143b' : [ 0x38, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x38, { 'Lock' : [ 0x0, ['__unnamed_143b']], } ], '_MMCOLOR_TABLES' : [ 0xc, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], 
'_KPROCESS' : [ 0x78, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['array', 2, ['unsigned long']]], 'LdtDescriptor' : [ 0x20, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x28, ['_KIDTENTRY']], 'IopmOffset' : [ 0x30, ['unsigned short']], 'Iopl' : [ 0x32, ['unsigned char']], 'Unused' : [ 0x33, ['unsigned char']], 'ActiveProcessors' : [ 0x34, ['unsigned long']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ReadyListHead' : [ 0x40, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x48, ['_SINGLE_LIST_ENTRY']], 'VdmTrapcHandler' : [ 0x4c, ['pointer', ['void']]], 'ThreadListHead' : [ 0x50, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x58, ['unsigned long']], 'Affinity' : [ 0x5c, ['unsigned long']], 'AutoAlignment' : [ 0x60, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x60, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x60, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ReservedFlags' : [ 0x60, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x60, ['long']], 'BasePriority' : [ 0x64, ['unsigned char']], 'QuantumReset' : [ 0x65, ['unsigned char']], 'State' : [ 0x66, ['unsigned char']], 'ThreadSeed' : [ 0x67, ['unsigned char']], 'PowerState' : [ 0x68, ['unsigned char']], 'IdealNode' : [ 0x69, ['unsigned char']], 'Visited' : [ 0x6a, ['unsigned char']], 'Flags' : [ 0x6b, ['_KEXECUTE_OPTIONS']], 'ExecuteOptions' : [ 0x6b, ['unsigned char']], 'StackCount' : [ 0x6c, ['unsigned long']], 'ProcessListEntry' : [ 0x70, ['_LIST_ENTRY']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '__unnamed_1457' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1ec0, { 'GlobalVirtualAddress' : [ 0x0, 
['pointer', ['_MM_SESSION_SPACE']]], 'ReferenceCount' : [ 0x4, ['long']], 'u' : [ 0x8, ['__unnamed_1457']], 'SessionId' : [ 0xc, ['unsigned long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x18, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long']], 'NonPagablePages' : [ 0x24, ['unsigned long']], 'CommittedPages' : [ 0x28, ['unsigned long']], 'PagedPoolStart' : [ 0x2c, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x30, ['pointer', ['void']]], 'PagedPoolBasePde' : [ 0x34, ['pointer', ['_MMPTE']]], 'Color' : [ 0x38, ['unsigned long']], 'ResidentProcessCount' : [ 0x3c, ['long']], 'SessionPoolAllocationFailures' : [ 0x40, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x50, ['_LIST_ENTRY']], 'LocaleId' : [ 0x58, ['unsigned long']], 'AttachCount' : [ 0x5c, ['unsigned long']], 'AttachEvent' : [ 0x60, ['_KEVENT']], 'LastProcess' : [ 0x70, ['pointer', ['_EPROCESS']]], 'ProcessReferenceToSession' : [ 0x74, ['long']], 'WsListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 26, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xd80, ['_MMSESSION']], 'PagedPoolMutex' : [ 0xdc0, ['_KGUARDED_MUTEX']], 'PagedPoolInfo' : [ 0xde0, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xe00, ['_MMSUPPORT']], 'Wsle' : [ 0xe48, ['pointer', ['_MMWSLE']]], 'Win32KDriverUnload' : [ 0xe4c, ['pointer', ['void']]], 'PagedPool' : [ 0xe50, ['_POOL_DESCRIPTOR']], 'PageTables' : [ 0x1e80, ['pointer', ['_MMPTE']]], 'ImageLoadingCount' : [ 0x1e84, ['long']], } ], '_PEB' : [ 0x230, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, 
['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x20, ['pointer', ['void']]], 'SparePtr2' : [ 0x24, ['pointer', ['void']]], 'EnvironmentUpdateCount' : [ 0x28, ['unsigned long']], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x34, ['unsigned long']], 'FreeList' : [ 0x38, ['pointer', ['_PEB_FREE_BLOCK']]], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'ReadOnlySharedMemoryHeap' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0xa4, 
['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['pointer', ['void']]]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'PreviousSize' : [ 0x2, ['unsigned short']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'SmallTagIndex' : [ 0x4, ['unsigned char']], 'Flags' : [ 0x5, ['unsigned char']], 'UnusedBytes' : [ 0x6, ['unsigned char']], 'SegmentIndex' : [ 0x7, ['unsigned char']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], 
'_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_MMPTE_SOFTWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '__unnamed_1488' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], 'LastByte' : [ 0x0, ['_LARGE_INTEGER']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x60, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'WriteOffset' : [ 0x8, ['_LARGE_INTEGER']], 'u' : [ 0x10, ['__unnamed_1488']], 'Irp' : [ 0x18, ['pointer', ['_IRP']]], 'LastPageToWrite' : [ 0x1c, ['unsigned long']], 'PagingListHead' : [ 0x20, ['pointer', ['_MMMOD_WRITER_LISTHEAD']]], 
'CurrentList' : [ 0x24, ['pointer', ['_LIST_ENTRY']]], 'PagingFile' : [ 0x28, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x2c, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x30, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x34, ['pointer', ['_ERESOURCE']]], 'IssueTime' : [ 0x38, ['_LARGE_INTEGER']], 'Mdl' : [ 0x40, ['_MDL']], 'Page' : [ 0x5c, ['array', 1, ['unsigned long']]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_EPROCESS_QUOTA_ENTRY' : [ 0x10, { 'Usage' : [ 0x0, ['unsigned long']], 'Limit' : [ 0x4, ['unsigned long']], 'Peak' : [ 0x8, ['unsigned long']], 'Return' : [ 0xc, ['unsigned long']], } ], '__unnamed_149e' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_149e']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'Wnode' : [ 0x0, ['_WNODE_HEADER']], 'Reserved1' : [ 0x0, ['unsigned long long']], 'Reserved2' : [ 0x8, ['unsigned long long']], 'Reserved3' : [ 0x10, 
['_LARGE_INTEGER']], 'Alignment' : [ 0x18, ['pointer', ['void']]], 'SlistEntry' : [ 0x1c, ['_SINGLE_LIST_ENTRY']], 'Entry' : [ 0x18, ['_LIST_ENTRY']], 'ReferenceCount' : [ 0x0, ['long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'UsePerfClock' : [ 0xc, ['unsigned long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['_WMI_CLIENT_CONTEXT']], 'State' : [ 0x2c, ['_WMI_BUFFER_STATE']], 'Flags' : [ 0x2c, ['unsigned long']], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'InstanceGuid' : [ 0x38, ['_GUID']], 'LoggerContext' : [ 0x38, ['pointer', ['void']]], 'GlobalEntry' : [ 0x3c, ['_SINGLE_LIST_ENTRY']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x120, { 'IdleFunction' : [ 0x0, ['pointer', ['void']]], 'Idle0KernelTimeLimit' : [ 0x4, ['unsigned long']], 'Idle0LastTime' : [ 0x8, ['unsigned long']], 'IdleHandlers' : [ 0xc, ['pointer', ['void']]], 'IdleState' : [ 0x10, ['pointer', ['void']]], 'IdleHandlersCount' : [ 0x14, ['unsigned long']], 'LastCheck' : [ 0x18, ['unsigned long long']], 'IdleTimes' : [ 0x20, ['PROCESSOR_IDLE_TIMES']], 'IdleTime1' : [ 0x40, ['unsigned long']], 'PromotionCheck' : [ 0x44, ['unsigned long']], 'IdleTime2' : [ 0x48, ['unsigned long']], 'CurrentThrottle' : [ 0x4c, ['unsigned char']], 'ThermalThrottleLimit' : [ 0x4d, ['unsigned char']], 'CurrentThrottleIndex' : [ 0x4e, ['unsigned char']], 'ThermalThrottleIndex' : [ 0x4f, ['unsigned char']], 'LastKernelUserTime' : [ 0x50, ['unsigned long']], 'LastIdleThreadKernelTime' : [ 0x54, ['unsigned long']], 'PackageIdleStartTime' : [ 0x58, ['unsigned long']], 'PackageIdleTime' : [ 0x5c, ['unsigned long']], 'DebugCount' : [ 0x60, ['unsigned long']], 'LastSysTime' : [ 0x64, ['unsigned long']], 'TotalIdleStateTime' : [ 0x68, ['array', 3, 
['unsigned long long']]], 'TotalIdleTransitions' : [ 0x80, ['array', 3, ['unsigned long']]], 'PreviousC3StateTime' : [ 0x90, ['unsigned long long']], 'KneeThrottleIndex' : [ 0x98, ['unsigned char']], 'ThrottleLimitIndex' : [ 0x99, ['unsigned char']], 'PerfStatesCount' : [ 0x9a, ['unsigned char']], 'ProcessorMinThrottle' : [ 0x9b, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x9c, ['unsigned char']], 'EnableIdleAccounting' : [ 0x9d, ['unsigned char']], 'LastC3Percentage' : [ 0x9e, ['unsigned char']], 'LastAdjustedBusyPercentage' : [ 0x9f, ['unsigned char']], 'PromotionCount' : [ 0xa0, ['unsigned long']], 'DemotionCount' : [ 0xa4, ['unsigned long']], 'ErrorCount' : [ 0xa8, ['unsigned long']], 'RetryCount' : [ 0xac, ['unsigned long']], 'Flags' : [ 0xb0, ['unsigned long']], 'PerfCounterFrequency' : [ 0xb8, ['_LARGE_INTEGER']], 'PerfTickCount' : [ 0xc0, ['unsigned long']], 'PerfTimer' : [ 0xc8, ['_KTIMER']], 'PerfDpc' : [ 0xf0, ['_KDPC']], 'PerfStates' : [ 0x110, ['pointer', ['PROCESSOR_PERF_STATE']]], 'PerfSetThrottle' : [ 0x114, ['pointer', ['void']]], 'LastC3KernelUserTime' : [ 0x118, ['unsigned long']], 'LastPackageIdleTime' : [ 0x11c, ['unsigned long']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'Modified' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned short')]], 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 11, native_type='unsigned short')]], 
'RemovalRequested' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 14, native_type='unsigned short')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'ParityError' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], } ], '_IO_COUNTERS' : [ 0x30, { 'ReadOperationCount' : [ 0x0, ['unsigned long long']], 'WriteOperationCount' : [ 0x8, ['unsigned long long']], 'OtherOperationCount' : [ 0x10, ['unsigned long long']], 'ReadTransferCount' : [ 0x18, ['unsigned long long']], 'WriteTransferCount' : [ 0x20, ['unsigned long long']], 'OtherTransferCount' : [ 0x28, ['unsigned long long']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, 
['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x4c, { 'IdleCount' : [ 0x0, ['long']], 'ConservationIdleTime' : [ 0x4, ['unsigned long']], 'PerformanceIdleTime' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x10, ['_LIST_ENTRY']], 'DeviceType' : [ 0x18, ['unsigned char']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x20, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x28, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x30, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x44, ['_LIST_ENTRY']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'BeingTrimmed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'SessionLeader' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Available0' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'GrowWsleHash' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'AcquiredUnsafe' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Available' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_MMMOD_WRITER_LISTHEAD' : [ 0x18, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Event' : [ 0x8, ['_KEVENT']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, 
['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_POP_THERMAL_ZONE' : [ 0xd0, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x8, ['unsigned char']], 'Flags' : [ 0x9, ['unsigned char']], 'Mode' : [ 0xa, ['unsigned char']], 
'PendingMode' : [ 0xb, ['unsigned char']], 'ActivePoint' : [ 0xc, ['unsigned char']], 'PendingActivePoint' : [ 0xd, ['unsigned char']], 'Throttle' : [ 0x10, ['long']], 'LastTime' : [ 0x18, ['unsigned long long']], 'SampleRate' : [ 0x20, ['unsigned long']], 'LastTemp' : [ 0x24, ['unsigned long']], 'PassiveTimer' : [ 0x28, ['_KTIMER']], 'PassiveDpc' : [ 0x50, ['_KDPC']], 'OverThrottled' : [ 0x70, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0x7c, ['pointer', ['_IRP']]], 'Info' : [ 0x80, ['_THERMAL_INFORMATION']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x10, ['unsigned long']], 'ObjectMask' : [ 0x14, ['unsigned long']], } ], '_PROCESSOR_POWER_POLICY' : [ 0x4c, { 'Revision' : [ 0x0, ['unsigned long']], 'DynamicThrottle' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'DisableCStates' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'PolicyCount' : [ 0xc, ['unsigned long']], 'Policy' : [ 0x10, ['array', 3, ['_PROCESSOR_POWER_POLICY_INFO']]], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 
'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'OwnerCount' : [ 0x4, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], '_RTL_ATOM_TABLE' : [ 0x44, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x4, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x1c, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x3c, ['unsigned long']], 'Buckets' : [ 0x40, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_FNSAVE_FORMAT' : [ 0x6c, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 
'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PROCESSOR_PERF_STATE' : [ 0x20, { 'PercentFrequency' : [ 0x0, ['unsigned char']], 'MinCapacity' : [ 0x1, ['unsigned char']], 'Power' : [ 0x2, ['unsigned short']], 'IncreaseLevel' : [ 0x4, ['unsigned char']], 'DecreaseLevel' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'IncreaseTime' : [ 0x8, ['unsigned long']], 'DecreaseTime' : [ 0xc, ['unsigned long']], 'IncreaseCount' : [ 0x10, ['unsigned long']], 'DecreaseCount' : [ 0x14, ['unsigned long']], 'PerformanceTime' : [ 0x18, ['unsigned long long']], } ], 'PROCESSOR_IDLE_TIMES' : [ 0x20, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], 'IdleHandlerReserved' : [ 0x10, ['array', 4, ['unsigned long']]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 
'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_iobuf' : [ 0x20, { '_ptr' : [ 0x0, ['pointer', ['unsigned char']]], '_cnt' : [ 0x4, ['long']], '_base' : [ 0x8, ['pointer', ['unsigned char']]], '_flag' : [ 0xc, ['long']], '_file' : [ 0x10, ['long']], '_charbuf' : [ 0x14, ['long']], '_bufsiz' : [ 0x18, ['long']], '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]], } ], '_MMPTE_LIST' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_CMHIVE' : [ 0x57c, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x2d0, ['array', 3, ['pointer', ['void']]]], 'NotifyList' : [ 0x2dc, ['_LIST_ENTRY']], 'HiveList' : [ 0x2e4, ['_LIST_ENTRY']], 'HiveLock' : [ 0x2ec, ['_EX_PUSH_LOCK']], 'ViewLock' : [ 0x2f0, ['pointer', ['_KGUARDED_MUTEX']]], 'WriterLock' : [ 0x2f4, ['_EX_PUSH_LOCK']], 'FlusherLock' : [ 0x2f8, ['_EX_PUSH_LOCK']], 'SecurityLock' : [ 0x2fc, ['_EX_PUSH_LOCK']], 'LRUViewListHead' : [ 0x300, ['_LIST_ENTRY']], 'PinViewListHead' : [ 0x308, ['_LIST_ENTRY']], 'FileObject' : [ 0x310, ['pointer', ['_FILE_OBJECT']]], 'FileFullPath' : [ 0x314, 
['_UNICODE_STRING']], 'FileUserName' : [ 0x31c, ['_UNICODE_STRING']], 'MappedViews' : [ 0x324, ['unsigned short']], 'PinnedViews' : [ 0x326, ['unsigned short']], 'UseCount' : [ 0x328, ['unsigned long']], 'SecurityCount' : [ 0x32c, ['unsigned long']], 'SecurityCacheSize' : [ 0x330, ['unsigned long']], 'SecurityHitHint' : [ 0x334, ['long']], 'SecurityCache' : [ 0x338, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x33c, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEvent' : [ 0x53c, ['pointer', ['_KEVENT']]], 'RootKcb' : [ 0x540, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x544, ['unsigned char']], 'UnloadWorkItem' : [ 0x548, ['pointer', ['_WORK_QUEUE_ITEM']]], 'GrowOnlyMode' : [ 0x54c, ['unsigned char']], 'GrowOffset' : [ 0x550, ['unsigned long']], 'KcbConvertListHead' : [ 0x554, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0x55c, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x564, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0x568, ['unsigned long']], 'TrustClassEntry' : [ 0x56c, ['_LIST_ENTRY']], 'FlushCount' : [ 0x574, ['unsigned long']], 'CreatorOwner' : [ 0x578, ['pointer', ['_KTHREAD']]], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_HHIVE' : [ 0x2d0, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]], 'Allocate' : [ 
0xc, ['pointer', ['void']]], 'Free' : [ 0x10, ['pointer', ['void']]], 'FileSetSize' : [ 0x14, ['pointer', ['void']]], 'FileWrite' : [ 0x18, ['pointer', ['void']]], 'FileRead' : [ 0x1c, ['pointer', ['void']]], 'FileFlush' : [ 0x20, ['pointer', ['void']]], 'BaseBlock' : [ 0x24, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x28, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x30, ['unsigned long']], 'DirtyAlloc' : [ 0x34, ['unsigned long']], 'BaseBlockAlloc' : [ 0x38, ['unsigned long']], 'Cluster' : [ 0x3c, ['unsigned long']], 'Flat' : [ 0x40, ['unsigned char']], 'ReadOnly' : [ 0x41, ['unsigned char']], 'Log' : [ 0x42, ['unsigned char']], 'DirtyFlag' : [ 0x43, ['unsigned char']], 'HiveFlags' : [ 0x44, ['unsigned long']], 'LogSize' : [ 0x48, ['unsigned long']], 'RefreshCount' : [ 0x4c, ['unsigned long']], 'StorageTypeCount' : [ 0x50, ['unsigned long']], 'Version' : [ 0x54, ['unsigned long']], 'Storage' : [ 0x58, ['array', 2, ['_DUAL']]], } ], '_PAGEFAULT_HISTORY' : [ 0x18, { 'CurrentIndex' : [ 0x0, ['unsigned long']], 'MaxIndex' : [ 0x4, ['unsigned long']], 'SpinLock' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['pointer', ['void']]], 'WatchInfo' : [ 0x10, ['array', 1, ['_PROCESS_WS_WATCH_INFORMATION']]], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x10, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'ReferenceCount' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'NameLength' : [ 0xb, ['unsigned char']], 'Name' : [ 0xc, ['array', 1, ['unsigned short']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 
'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x30, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ParseContext' : [ 0x8, ['pointer', ['void']]], 'ProbeMode' : [ 0xc, ['unsigned char']], 'PagedPoolCharge' : [ 0x10, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x1c, ['pointer', ['void']]], 'SecurityQos' : [ 0x20, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x24, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_WMI_BUFFER_STATE' : [ 0x4, { 'Free' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'InUse' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Flush' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_MMFREE_POOL_ENTRY' : [ 0x14, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Size' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], 'Owner' : [ 0x10, ['pointer', ['_MMFREE_POOL_ENTRY']]], } ], '__unnamed_157f' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, 
['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_157f']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x8, { 'PolicyElements' : [ 0x0, ['_SEP_AUDIT_POLICY_CATEGORIES']], 'PolicyOverlay' : [ 0x0, ['_SEP_AUDIT_POLICY_OVERLAY']], 'Overlay' : [ 0x0, ['unsigned long long']], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_MBCB' : [ 0x80, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'BitmapRange1' : [ 0x20, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x40, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x60, ['_BITMAP_RANGE']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0xc, ['_LIST_ENTRY']], } ], '_CM_VIEW_OF_FILE' : [ 0x24, { 'LRUViewList' : [ 0x0, ['_LIST_ENTRY']], 'PinViewList' : [ 0x8, ['_LIST_ENTRY']], 'FileOffset' : [ 0x10, ['unsigned long']], 
'Size' : [ 0x14, ['unsigned long']], 'ViewAddress' : [ 0x18, ['pointer', ['unsigned long']]], 'Bcb' : [ 0x1c, ['pointer', ['void']]], 'UseCount' : [ 0x20, ['unsigned long']], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_KUSER_SHARED_DATA' : [ 0x378, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['unsigned short']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 
'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'TraceLogging' : [ 0x2f0, ['unsigned long']], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], 'Wow64SharedInformation' : [ 0x334, ['array', 16, ['unsigned long']]], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x4c, { 'Length' : [ 0x0, ['unsigned short']], 'UseDefaultObject' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x3, ['unsigned char']], 'InvalidAttributes' : [ 0x4, ['unsigned long']], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x18, ['unsigned long']], 'SecurityRequired' : [ 0x1c, ['unsigned char']], 'MaintainHandleCount' : [ 0x1d, ['unsigned char']], 'MaintainTypeList' : [ 0x1e, ['unsigned char']], 'PoolType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x24, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DumpProcedure' : [ 0x2c, ['pointer', ['void']]], 'OpenProcedure' : [ 0x30, ['pointer', ['void']]], 'CloseProcedure' : [ 0x34, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x38, ['pointer', ['void']]], 
'ParseProcedure' : [ 0x3c, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x40, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x44, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x48, ['pointer', ['void']]], } ], '_WMI_LOGGER_MODE' : [ 0x4, { 'SequentialFile' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CircularFile' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'AppendFile' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'RealTime' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DelayOpenFile' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'BufferOnly' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'PrivateLogger' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'AddHeader' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'UseExisting' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'UseGlobalSequence' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'UseLocalSequence' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'Unused2' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_15cb' : [ 0x8, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_15d1' : [ 0x4, { 'Banked' : [ 0x0, ['pointer', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x34, { 'u1' : [ 0x0, ['__unnamed_1172']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 
'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1175']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x1c, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x20, ['pointer', ['_MMPTE']]], 'u2' : [ 0x24, ['__unnamed_117a']], 'u3' : [ 0x28, ['__unnamed_15cb']], 'u4' : [ 0x30, ['__unnamed_15d1']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_POOL_DESCRIPTOR' : [ 0x1030, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['unsigned long']], 'RunningDeAllocs' : [ 0xc, ['unsigned long']], 'TotalPages' : [ 0x10, ['unsigned long']], 'TotalBigPages' : [ 0x14, ['unsigned long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 
0x1c, ['pointer', ['void']]], 'PendingFrees' : [ 0x20, ['pointer', ['void']]], 'PendingFreeDepth' : [ 0x24, ['long']], 'TotalBytes' : [ 0x28, ['unsigned long']], 'Spare0' : [ 0x2c, ['unsigned long']], 'ListHeads' : [ 0x30, ['array', 512, ['_LIST_ENTRY']]], } ], '_HARDWARE_PTE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'reserved' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_PEB_LDR_DATA' : [ 0x28, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 
'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_MM_PAGED_POOL_INFO' : [ 0x20, { 'PagedPoolAllocationMap' : [ 0x0, ['pointer', ['_RTL_BITMAP']]], 'EndOfPagedPoolBitmap' : [ 0x4, ['pointer', ['_RTL_BITMAP']]], 'FirstPteForPagedPool' : [ 0x8, ['pointer', ['_MMPTE']]], 'LastPteForPagedPool' : [ 0xc, ['pointer', ['_MMPTE']]], 'NextPdeForPagedPoolExpansion' : [ 0x10, ['pointer', ['_MMPTE']]], 'PagedPoolHint' : [ 0x14, ['unsigned long']], 'PagedPoolCommit' : [ 0x18, ['unsigned long']], 'AllocatedPagedPool' : [ 0x1c, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['unsigned short']]], } ], '_MMSESSION' : [ 0x40, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 
'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewStart' : [ 0x24, ['pointer', ['unsigned char']]], 'SystemSpaceViewTable' : [ 0x28, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x30, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x34, ['unsigned long']], 'BitmapFailures' : [ 0x38, ['unsigned long']], 'SystemSpaceBitMap' : [ 0x3c, ['pointer', ['_RTL_BITMAP']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_SEP_AUDIT_POLICY_OVERLAY' : [ 0x8, { 'PolicyBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'SetBit' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long']], 'QuotaObject' : [ 0xc, ['pointer', ['void']]], } ], '_PROCESS_WS_WATCH_INFORMATION' : [ 0x8, { 'FaultingPc' : [ 0x0, ['pointer', ['void']]], 'FaultingVa' : [ 0x4, ['pointer', ['void']]], } ], '_MMPTE_SUBSECTION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SubsectionAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, 
native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SubsectionAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 31, native_type='unsigned long')]], 'WhichPool' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_VI_DEADLOCK_NODE' : [ 0x68, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'Active' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x24, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x28, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x48, ['array', 8, ['pointer', ['void']]]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 
0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, 
['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_PCI_PDO_EXTENSION' : [ 0xc8, { 'Next' : [ 0x0, ['pointer', ['_PCI_PDO_EXTENSION']]], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtLock' : [ 0x10, ['_KEVENT']], 'Slot' : [ 0x20, ['_PCI_SLOT_NUMBER']], 'PhysicalDeviceObject' : [ 0x24, ['pointer', ['_DEVICE_OBJECT']]], 'ParentFdoExtension' : [ 0x28, ['pointer', ['_PCI_FDO_EXTENSION']]], 'SecondaryExtension' : [ 0x2c, ['_SINGLE_LIST_ENTRY']], 'BusInterfaceReferenceCount' : [ 0x30, ['unsigned long']], 'AgpInterfaceReferenceCount' : [ 0x34, ['unsigned long']], 'VendorId' : [ 0x38, ['unsigned short']], 'DeviceId' : [ 0x3a, ['unsigned short']], 'SubsystemVendorId' : [ 0x3c, ['unsigned short']], 'SubsystemId' : [ 0x3e, ['unsigned short']], 'RevisionId' : 
[ 0x40, ['unsigned char']], 'ProgIf' : [ 0x41, ['unsigned char']], 'SubClass' : [ 0x42, ['unsigned char']], 'BaseClass' : [ 0x43, ['unsigned char']], 'AdditionalResourceCount' : [ 0x44, ['unsigned char']], 'AdjustedInterruptLine' : [ 0x45, ['unsigned char']], 'InterruptPin' : [ 0x46, ['unsigned char']], 'RawInterruptLine' : [ 0x47, ['unsigned char']], 'CapabilitiesPtr' : [ 0x48, ['unsigned char']], 'SavedLatencyTimer' : [ 0x49, ['unsigned char']], 'SavedCacheLineSize' : [ 0x4a, ['unsigned char']], 'HeaderType' : [ 0x4b, ['unsigned char']], 'NotPresent' : [ 0x4c, ['unsigned char']], 'ReportedMissing' : [ 0x4d, ['unsigned char']], 'ExpectedWritebackFailure' : [ 0x4e, ['unsigned char']], 'NoTouchPmeEnable' : [ 0x4f, ['unsigned char']], 'LegacyDriver' : [ 0x50, ['unsigned char']], 'UpdateHardware' : [ 0x51, ['unsigned char']], 'MovedDevice' : [ 0x52, ['unsigned char']], 'DisablePowerDown' : [ 0x53, ['unsigned char']], 'NeedsHotPlugConfiguration' : [ 0x54, ['unsigned char']], 'IDEInNativeMode' : [ 0x55, ['unsigned char']], 'BIOSAllowsIDESwitchToNativeMode' : [ 0x56, ['unsigned char']], 'IoSpaceUnderNativeIdeControl' : [ 0x57, ['unsigned char']], 'OnDebugPath' : [ 0x58, ['unsigned char']], 'IoSpaceNotRequired' : [ 0x59, ['unsigned char']], 'PowerState' : [ 0x5c, ['PCI_POWER_STATE']], 'Dependent' : [ 0x9c, ['PCI_HEADER_TYPE_DEPENDENT']], 'HackFlags' : [ 0xa0, ['unsigned long long']], 'Resources' : [ 0xa8, ['pointer', ['PCI_FUNCTION_RESOURCES']]], 'BridgeFdoExtension' : [ 0xac, ['pointer', ['_PCI_FDO_EXTENSION']]], 'NextBridge' : [ 0xb0, ['pointer', ['_PCI_PDO_EXTENSION']]], 'NextHashEntry' : [ 0xb4, ['pointer', ['_PCI_PDO_EXTENSION']]], 'Lock' : [ 0xb8, ['_PCI_LOCK']], 'PowerCapabilities' : [ 0xc0, ['_PCI_PMC']], 'TargetAgpCapabilityId' : [ 0xc2, ['unsigned char']], 'CommandEnables' : [ 0xc4, ['unsigned short']], 'InitialCommand' : [ 0xc6, ['unsigned short']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], 
'_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '__unnamed_1640' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1642' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_1640']], 'Merged' : [ 0x10, ['__unnamed_1642']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x14, ['unsigned char']], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_DEVICE_MAP' : [ 0x30, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'ReferenceCount' : [ 0x8, ['unsigned long']], 'DriveMap' : [ 0xc, ['unsigned long']], 'DriveType' : 
[ 0x10, ['array', 32, ['unsigned char']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x20, { 'BasePhysicalPage' : [ 0x0, ['unsigned long']], 'BasedPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'BankSize' : [ 0x8, ['unsigned long']], 'BankShift' : [ 0xc, ['unsigned long']], 'BankedRoutine' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'CurrentMappedPte' : [ 0x18, ['pointer', ['_MMPTE']]], 'BankTemplate' : [ 0x1c, ['array', 1, ['_MMPTE']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned long']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' 
: [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '__unnamed_1666' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_166d' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_166f' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_1666']], 'Bits' : [ 0x0, ['__unnamed_166d']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' 
: [ 0x4, ['__unnamed_166f']], } ], '__unnamed_1679' : [ 0x5, { 'Acquired' : [ 0x0, ['unsigned char']], 'CacheLineSize' : [ 0x1, ['unsigned char']], 'LatencyTimer' : [ 0x2, ['unsigned char']], 'EnablePERR' : [ 0x3, ['unsigned char']], 'EnableSERR' : [ 0x4, ['unsigned char']], } ], '_PCI_FDO_EXTENSION' : [ 0xc0, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtLock' : [ 0x10, ['_KEVENT']], 'PhysicalDeviceObject' : [ 0x20, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalDeviceObject' : [ 0x24, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDeviceObject' : [ 0x28, ['pointer', ['_DEVICE_OBJECT']]], 'ChildListLock' : [ 0x2c, ['_KEVENT']], 'ChildPdoList' : [ 0x3c, ['pointer', ['_PCI_PDO_EXTENSION']]], 'BusRootFdoExtension' : [ 0x40, ['pointer', ['_PCI_FDO_EXTENSION']]], 'ParentFdoExtension' : [ 0x44, ['pointer', ['_PCI_FDO_EXTENSION']]], 'ChildBridgePdoList' : [ 0x48, ['pointer', ['_PCI_PDO_EXTENSION']]], 'PciBusInterface' : [ 0x4c, ['pointer', ['_PCI_BUS_INTERFACE_STANDARD']]], 'MaxSubordinateBus' : [ 0x50, ['unsigned char']], 'BusHandler' : [ 0x54, ['pointer', ['_BUS_HANDLER']]], 'BaseBus' : [ 0x58, ['unsigned char']], 'Fake' : [ 0x59, ['unsigned char']], 
'ChildDelete' : [ 0x5a, ['unsigned char']], 'Scanned' : [ 0x5b, ['unsigned char']], 'ArbitersInitialized' : [ 0x5c, ['unsigned char']], 'BrokenVideoHackApplied' : [ 0x5d, ['unsigned char']], 'Hibernated' : [ 0x5e, ['unsigned char']], 'PowerState' : [ 0x60, ['PCI_POWER_STATE']], 'SecondaryExtension' : [ 0xa0, ['_SINGLE_LIST_ENTRY']], 'ChildWaitWakeCount' : [ 0xa4, ['unsigned long']], 'PreservedConfig' : [ 0xa8, ['pointer', ['_PCI_COMMON_CONFIG']]], 'Lock' : [ 0xac, ['_PCI_LOCK']], 'HotPlugParameters' : [ 0xb4, ['__unnamed_1679']], 'BusHackFlags' : [ 0xbc, ['unsigned long']], } ], '__unnamed_167d' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_167f' : [ 0xc, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1681' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1683' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1685' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1687' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1689' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_167d']], 'Port' : [ 0x0, ['__unnamed_167d']], 'Interrupt' : [ 0x0, ['__unnamed_167f']], 'Memory' : [ 0x0, ['__unnamed_167d']], 'Dma' : [ 0x0, ['__unnamed_1681']], 'DevicePrivate' : [ 0x0, ['__unnamed_1683']], 'BusNumber' : [ 0x0, ['__unnamed_1685']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1687']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1689']], } ], '_SYSPTES_HEADER' : [ 0xc, { 'ListHead' : [ 0x0, 
['_LIST_ENTRY']], 'Count' : [ 0x8, ['unsigned long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x68, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0xc, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x14, ['unsigned long']], 'ParentKcb' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x1c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x20, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x24, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x2c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x2c, ['unsigned long']], 'SubKeyCount' : [ 0x2c, ['unsigned long']], 'KeyBodyListHead' : [ 0x30, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x30, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x38, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'DelayCloseEntry' : [ 0x48, ['pointer', ['void']]], 'KcbLastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x58, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x5a, ['unsigned 
short']], 'KcbMaxValueDataLen' : [ 0x5c, ['unsigned long']], 'KcbUserFlags' : [ 0x60, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x60, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x60, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x60, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], } ], '_PCI_BUS_INTERFACE_STANDARD' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ReadConfig' : [ 0x10, ['pointer', ['void']]], 'WriteConfig' : [ 0x14, ['pointer', ['void']]], 'PinToLine' : [ 0x18, ['pointer', ['void']]], 'LineToPin' : [ 0x1c, ['pointer', ['void']]], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'Level' : [ 0x10, ['unsigned long']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_SEP_AUDIT_POLICY_CATEGORIES' : [ 0x8, { 'System' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'Logon' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'ObjectAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'PrivilegeUse' : [ 0x0, ['BitField', dict(start_bit 
= 12, end_bit = 16, native_type='unsigned long')]], 'DetailedTracking' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'PolicyChange' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'AccountManagement' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 28, native_type='unsigned long')]], 'DirectoryServiceAccess' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'AccountLogon' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '__unnamed_16c5' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_16cb' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_16cd' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_16cb']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_16d5' : [ 0x28, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_16d7' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_16d5']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, 
['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_16c5']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_16cd']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_16d7']], } ], '_PCI_LOCK' : [ 0x8, { 'Atom' : [ 0x0, ['unsigned long']], 'OldIrql' : [ 0x4, ['unsigned char']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '__unnamed_16e2' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_16e2']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '__unnamed_16e8' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0xc, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 
'PolicyInitiatePowerActionAPI', 4: 'PolicySetPowerStateAPI', 5: 'PolicyImmediateDozeS4', 6: 'PolicySystemIdle'})]], 'Flags' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'Battery' : [ 0x8, ['__unnamed_16e8']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], } ], '_ETIMER' : [ 0x98, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x28, ['_KAPC']], 'TimerDpc' : [ 0x58, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lock' : [ 0x80, ['unsigned long']], 'Period' : [ 0x84, ['long']], 'ApcAssociated' : [ 0x88, ['unsigned char']], 'WakeTimer' : [ 0x89, ['unsigned char']], 'WakeTimerListEntry' : [ 0x8c, ['_LIST_ENTRY']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PCI_PMC' : [ 0x2, { 'Version' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PMEClock' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Rsvd1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DeviceSpecificInitialization' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Support' : [ 0x1, ['_PM_SUPPORT']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '__unnamed_16fe' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_16fe']], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '__unnamed_1706' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', 
dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x14, { 'u1' : [ 0x0, ['__unnamed_1706']], 'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x8, ['pointer', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x290, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_CELL_DATA' : [ 
0x50, { 'u' : [ 0x0, ['_u']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockQueuedSpinLock', 7: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, ['pointer', ['_EPROCESS']]], 'HandleCount' : [ 0x4, ['unsigned long']], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_PEB_FREE_BLOCK' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_PEB_FREE_BLOCK']]], 'Size' : [ 0x4, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x28, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'WakeNeeded' : [ 0xc, ['unsigned char']], 'OrderLevel' : [ 0xd, ['unsigned char']], 'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 
'Node' : [ 0x14, ['pointer', ['void']]], 'DeviceName' : [ 0x18, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x1c, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x20, ['unsigned long']], 'ActiveChild' : [ 0x24, ['unsigned long']], } ], '_MMPFNLIST' : [ 0x10, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], } ], '__unnamed_172b' : [ 0x4, { 'Spare' : [ 0x0, ['array', 4, ['unsigned char']]], } ], '__unnamed_172d' : [ 0x4, { 'PrimaryBus' : [ 0x0, ['unsigned char']], 'SecondaryBus' : [ 0x1, ['unsigned char']], 'SubordinateBus' : [ 0x2, ['unsigned char']], 'SubtractiveDecode' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsaBitSet' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'VgaBitSet' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'WeChangedBusNumbers' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsaBitRequired' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], } ], 'PCI_HEADER_TYPE_DEPENDENT' : [ 0x4, { 'type0' : [ 0x0, ['__unnamed_172b']], 'type1' : [ 0x0, ['__unnamed_172d']], 'type2' : [ 0x0, ['__unnamed_172d']], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_KINTERRUPT' : [ 0x1e4, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 
'ServiceContext' : [ 0x10, ['pointer', ['void']]], 'SpinLock' : [ 0x14, ['unsigned long']], 'TickCount' : [ 0x18, ['unsigned long']], 'ActualLock' : [ 0x1c, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x20, ['pointer', ['void']]], 'Vector' : [ 0x24, ['unsigned long']], 'Irql' : [ 0x28, ['unsigned char']], 'SynchronizeIrql' : [ 0x29, ['unsigned char']], 'FloatingSave' : [ 0x2a, ['unsigned char']], 'Connected' : [ 0x2b, ['unsigned char']], 'Number' : [ 0x2c, ['unsigned char']], 'ShareVector' : [ 0x2d, ['unsigned char']], 'Mode' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'ServiceCount' : [ 0x34, ['unsigned long']], 'DispatchCount' : [ 0x38, ['unsigned long']], 'DispatchCode' : [ 0x3c, ['array', 106, ['unsigned long']]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_PCI_ARBITER_INSTANCE' : [ 0xe0, { 'Header' : [ 0x0, ['PCI_SECONDARY_EXTENSION']], 'Interface' : [ 0xc, ['pointer', ['_PCI_INTERFACE']]], 'BusFdoExtension' : [ 0x10, ['pointer', ['_PCI_FDO_EXTENSION']]], 'InstanceName' : [ 0x14, ['array', 24, ['unsigned short']]], 'CommonInstance' : [ 0x44, ['_ARBITER_INSTANCE']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], 
'_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_PCI_MJ_DISPATCH_TABLE' : [ 0x20, { 'PnpIrpMaximumMinorFunction' : [ 0x0, ['unsigned long']], 'PnpIrpDispatchTable' : [ 0x4, ['pointer', ['_PCI_MN_DISPATCH_TABLE']]], 'PowerIrpMaximumMinorFunction' : [ 0x8, ['unsigned long']], 'PowerIrpDispatchTable' : [ 0xc, ['pointer', ['_PCI_MN_DISPATCH_TABLE']]], 'SystemControlIrpDispatchStyle' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'SystemControlIrpDispatchFunction' : [ 0x14, ['pointer', ['void']]], 'OtherIrpDispatchStyle' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'OtherIrpDispatchFunction' : [ 0x1c, ['pointer', ['void']]], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_FXSAVE_FORMAT' : [ 0x208, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned short']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned long']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned long']], 'MXCsr' : [ 0x18, ['unsigned long']], 'MXCsrMask' : [ 0x1c, ['unsigned long']], 'RegisterArea' : [ 0x20, ['array', 128, ['unsigned char']]], 'Reserved3' : [ 0xa0, ['array', 128, ['unsigned char']]], 'Reserved4' : [ 0x120, ['array', 224, 
['unsigned char']]], 'Align16Byte' : [ 0x200, ['array', 8, ['unsigned char']]], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_OBJECT_DIRECTORY' : [ 0xa0, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'SessionId' : [ 0x9c, ['unsigned long']], } ], '_WMI_CLIENT_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_KDPC_DATA' : [ 0x14, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['unsigned long']], 'DpcCount' : [ 0x10, 
['unsigned long']], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_MMWSL' : [ 0x698, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer', ['_MMWSLE']]], 'LastInitializedWsle' : [ 0x14, ['unsigned long']], 'NonDirectCount' : [ 0x18, ['unsigned long']], 'HashTable' : [ 0x1c, ['pointer', ['_MMWSLE_HASH']]], 'HashTableSize' : [ 0x20, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x24, ['unsigned long']], 'HashTableStart' : [ 0x28, ['pointer', ['void']]], 'HighestPermittedHashAddress' : [ 0x2c, ['pointer', ['void']]], 'NumberOfImageWaiters' : [ 0x30, ['unsigned long']], 'VadBitMapHint' : [ 0x34, ['unsigned long']], 'UsedPageTableEntries' : [ 0x38, ['array', 768, ['unsigned short']]], 'CommittedPageTables' : [ 0x638, ['array', 24, ['unsigned long']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], 'PCI_FUNCTION_RESOURCES' : [ 0x150, { 'Limit' : [ 0x0, ['array', 7, ['_IO_RESOURCE_DESCRIPTOR']]], 'Current' : [ 0xe0, ['array', 7, 
['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WNODE_HEADER' : [ 0x30, { 'BufferSize' : [ 0x0, ['unsigned long']], 'ProviderId' : [ 0x4, ['unsigned long']], 'HistoricalContext' : [ 0x8, ['unsigned long long']], 'Version' : [ 0x8, ['unsigned long']], 'Linkage' : [ 0xc, ['unsigned long']], 'CountLost' : [ 0x10, ['unsigned long']], 'KernelHandle' : [ 0x10, ['pointer', ['void']]], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '__unnamed_179f' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_17a3' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x40, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'NonExtendedPtes' : [ 0x8, ['unsigned long']], 'Spare0' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'SegmentPteTemplate' : [ 0x18, ['_MMPTE']], 'NumberOfCommittedPages' : [ 0x1c, ['unsigned long']], 'ExtendInfo' : [ 0x20, ['pointer', ['_MMEXTEND_INFO']]], 'SegmentFlags' : [ 0x24, ['_SEGMENT_FLAGS']], 'BasedAddress' : [ 0x28, ['pointer', ['void']]], 'u1' : [ 0x2c, ['__unnamed_179f']], 'u2' : [ 0x30, ['__unnamed_17a3']], 'PrototypePte' : [ 0x34, ['pointer', ['_MMPTE']]], 'ThePtes' : [ 0x38, ['array', 1, ['_MMPTE']]], } ], '_PCI_COMMON_EXTENSION' : [ 0x20, { 'Next' : [ 0x0, ['pointer', ['void']]], 'ExtensionType' : [ 0x4, ['Enumeration', 
dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtLock' : [ 0x10, ['_KEVENT']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0x58, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], 'StartAddress' : [ 0x18, ['pointer', ['void']]], 'EndAddress' : [ 0x1c, ['pointer', ['void']]], 'Flags' : [ 0x20, ['unsigned long']], 'Signature' : [ 0x24, ['unsigned long']], 'PoolPageHeaders' : [ 0x28, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x30, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x38, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x3c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PagedBytes' : [ 0x48, ['unsigned long']], 'NonPagedBytes' : [ 0x4c, ['unsigned long']], 'PeakPagedBytes' : [ 0x50, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x54, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : 
[ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long']], 'PrivateLinks' : [ 0x4c, ['_LIST_ENTRY']], } ], '_RTL_HANDLE_TABLE' : [ 0x20, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x14, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x18, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x1c, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_POP_IDLE_HANDLER' : [ 0x20, { 'Latency' : [ 0x0, ['unsigned long']], 'TimeCheck' : [ 0x4, ['unsigned long']], 'DemoteLimit' : [ 0x8, ['unsigned long']], 'PromoteLimit' : [ 0xc, ['unsigned long']], 'PromoteCount' : [ 0x10, ['unsigned long']], 'Demote' : [ 0x14, ['unsigned char']], 'Promote' : [ 0x15, ['unsigned char']], 'PromotePercent' : [ 0x16, ['unsigned char']], 'DemotePercent' : [ 0x17, ['unsigned char']], 'State' : [ 0x18, ['unsigned char']], 'Spare' : [ 0x19, ['array', 3, ['unsigned char']]], 'IdleFunction' : [ 0x1c, ['pointer', ['void']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 
'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'spare2' : [ 0x11, ['array', 4, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 
'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_DEVOBJ_EXTENSION' : [ 0x2c, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Cr0NpxState' : [ 0x6c, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_MMVIEW' : [ 0x8, { 'Entry' : [ 0x0, ['unsigned long']], 'ControlArea' : [ 0x4, ['pointer', ['_CONTROL_AREA']]], } ], 'PCI_SECONDARY_EXTENSION' : [ 0xc, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x4, 
['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'Destructor' : [ 0x8, ['pointer', ['void']]], } ], '__unnamed_17ce' : [ 0x30, { 'type0' : [ 0x0, ['_PCI_HEADER_TYPE_0']], 'type1' : [ 0x0, ['_PCI_HEADER_TYPE_1']], 'type2' : [ 0x0, ['_PCI_HEADER_TYPE_2']], } ], '_PCI_COMMON_CONFIG' : [ 0x100, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'Command' : [ 0x4, ['unsigned short']], 'Status' : [ 0x6, ['unsigned short']], 'RevisionID' : [ 0x8, ['unsigned char']], 'ProgIf' : [ 0x9, ['unsigned char']], 'SubClass' : [ 0xa, ['unsigned char']], 'BaseClass' : [ 0xb, ['unsigned char']], 'CacheLineSize' : [ 0xc, ['unsigned char']], 'LatencyTimer' : [ 0xd, ['unsigned char']], 'HeaderType' : [ 0xe, ['unsigned char']], 'BIST' : [ 0xf, ['unsigned char']], 'u' : [ 0x10, ['__unnamed_17ce']], 'DeviceSpecific' : [ 0x40, ['array', 192, ['unsigned char']]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 
'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'Spare1' : [ 0x23, ['unsigned char']], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'Reserved' : [ 0x2c, ['array', 1, ['unsigned long']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['unsigned long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_KNODE' : [ 0x40, { 'DeadStackList' : [ 0x0, ['_SLIST_HEADER']], 'PfnDereferenceSListHead' : [ 0x8, ['_SLIST_HEADER']], 'ProcessorMask' : [ 0x10, ['unsigned long']], 'Color' : [ 0x14, ['unsigned char']], 'Seed' : [ 0x15, ['unsigned char']], 'NodeNumber' : [ 0x16, ['unsigned char']], 'Flags' : [ 0x17, ['_flags']], 'MmShiftedColor' : [ 0x18, ['unsigned long']], 'FreeCount' : [ 0x1c, ['array', 2, ['unsigned long']]], 'PfnDeferredList' : [ 0x24, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, 
['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_VI_DEADLOCK_THREAD' : [ 0x1c, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], 
} ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_PCI_INTERFACE' : [ 0x1c, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'MinSize' : [ 0x4, ['unsigned short']], 'MinVersion' : [ 0x6, ['unsigned short']], 'MaxVersion' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 0xc, ['long']], 'Signature' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'Constructor' : [ 0x14, ['pointer', ['void']]], 'Initializer' : [ 0x18, ['pointer', ['void']]], } ], '_POP_POWER_ACTION' : [ 0x40, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 
'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'IrpMinor' : [ 0x14, ['unsigned char']], 'SystemState' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x20, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x24, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x28, ['pointer', ['_POP_HIBER_CONTEXT']]], 'LastWakeState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WakeTime' : [ 0x30, ['unsigned long long']], 'SleepTime' : [ 0x38, ['unsigned long long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_MMVAD_SHORT' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1172']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 
'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1175']], } ], '__unnamed_1816' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_1816']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'Data' : [ 0x20, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 
'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_KGUARDED_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x2c, { 
'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'RealRefCount' : [ 0x14, ['unsigned long']], 'Descriptor' : [ 0x18, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PROCESSOR_POWER_POLICY_INFO' : [ 0x14, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemoteLimit' : [ 0x4, ['unsigned long']], 'PromoteLimit' : [ 0x8, ['unsigned long']], 'DemotePercent' : [ 0xc, ['unsigned char']], 'PromotePercent' : [ 0xd, ['unsigned char']], 'Spare' : [ 0xe, ['array', 2, ['unsigned char']]], 'AllowDemotion' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AllowPromotion' : [ 0x10, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x10, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_ARBITER_INSTANCE' : [ 0x9c, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0xc, ['long']], 'Allocation' : [ 0x10, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x18, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x20, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x28, ['long']], 'Interface' : [ 0x2c, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x30, ['unsigned long']], 'AllocationStack' : [ 0x34, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x38, ['pointer', ['void']]], 'PackResource' : [ 0x3c, ['pointer', ['void']]], 'UnpackResource' : [ 0x40, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x44, ['pointer', ['void']]], 'TestAllocation' : [ 0x48, ['pointer', ['void']]], 'RetestAllocation' : [ 0x4c, ['pointer', ['void']]], 'CommitAllocation' : [ 0x50, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x54, ['pointer', ['void']]], 'BootAllocation' : [ 
0x58, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x5c, ['pointer', ['void']]], 'QueryConflict' : [ 0x60, ['pointer', ['void']]], 'AddReserved' : [ 0x64, ['pointer', ['void']]], 'StartArbiter' : [ 0x68, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x6c, ['pointer', ['void']]], 'AllocateEntry' : [ 0x70, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x74, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x78, ['pointer', ['void']]], 'AddAllocation' : [ 0x7c, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x80, ['pointer', ['void']]], 'OverrideConflict' : [ 0x84, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x88, ['unsigned char']], 'Extension' : [ 0x8c, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x90, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x94, ['pointer', ['void']]], 'ConflictCallback' : [ 0x98, ['pointer', ['void']]], } ], '_BUS_HANDLER' : [ 0x6c, { 'Version' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ConfigurationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'Cmos', 1: 'EisaConfiguration', 2: 'Pos', 3: 'CbusConfiguration', 4: 'PCIConfiguration', 5: 'VMEConfiguration', 6: 'NuBusConfiguration', 7: 'PCMCIAConfiguration', 8: 'MPIConfiguration', 9: 'MPSAConfiguration', 10: 'PNPISAConfiguration', 11: 'SgiInternalConfiguration', 12: 'MaximumBusDataType', -1: 'ConfigurationSpaceUndefined'})]], 'BusNumber' : [ 0xc, ['unsigned long']], 'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'ParentHandler' : [ 0x14, ['pointer', ['_BUS_HANDLER']]], 'BusData' : [ 0x18, ['pointer', ['void']]], 'DeviceControlExtensionSize' : [ 0x1c, ['unsigned long']],
'BusAddresses' : [ 0x20, ['pointer', ['_SUPPORTED_RANGES']]], 'Reserved' : [ 0x24, ['array', 4, ['unsigned long']]], 'GetBusData' : [ 0x34, ['pointer', ['void']]], 'SetBusData' : [ 0x38, ['pointer', ['void']]], 'AdjustResourceList' : [ 0x3c, ['pointer', ['void']]], 'AssignSlotResources' : [ 0x40, ['pointer', ['void']]], 'GetInterruptVector' : [ 0x44, ['pointer', ['void']]], 'TranslateBusAddress' : [ 0x48, ['pointer', ['void']]], 'Spare1' : [ 0x4c, ['pointer', ['void']]], 'Spare2' : [ 0x50, ['pointer', ['void']]], 'Spare3' : [ 0x54, ['pointer', ['void']]], 'Spare4' : [ 0x58, ['pointer', ['void']]], 'Spare5' : [ 0x5c, ['pointer', ['void']]], 'Spare6' : [ 0x60, ['pointer', ['void']]], 'Spare7' : [ 0x64, ['pointer', ['void']]], 'Spare8' : [ 0x68, ['pointer', ['void']]], } ], '_PCI_MN_DISPATCH_TABLE' : [ 0x8, { 'DispatchStyle' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'DispatchFunction' : [ 0x4, ['pointer', ['void']]], } ], '_POP_DEVICE_SYS_STATE' : [ 0x620, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Event' : [ 0x8, ['_KEVENT']], 'SpinLock' : [ 0x18, ['unsigned long']], 'Thread' : [ 0x1c, ['pointer', ['_KTHREAD']]], 'GetNewDeviceList' : [ 0x20, ['unsigned char']], 'Order' : [ 0x24, ['_PO_DEVICE_NOTIFY_ORDER']], 'Status' : [ 0x26c, ['long']], 'FailedDevice' : [ 0x270, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x274, ['unsigned char']], 'Cancelled' : [ 0x275, ['unsigned char']], 'IgnoreErrors' : [ 0x276, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x277, ['unsigned char']], 'WaitAny' : [ 0x278, ['unsigned char']], 'WaitAll' : [ 0x279, ['unsigned char']], 'PresentIrpQueue' : [
0x27c, ['_LIST_ENTRY']], 'Head' : [ 0x284, ['_POP_DEVICE_POWER_IRP']], 'PowerIrpState' : [ 0x2b0, ['array', 20, ['_POP_DEVICE_POWER_IRP']]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_MMWSLE_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['unsigned short']]], } ], '_CM_KEY_BODY' : [ 0x44, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'Callers' : [ 0x10, ['unsigned long']], 'CallerAddress' : [ 0x14, ['array', 10, ['pointer', ['void']]]], 'KeyBodyList' : [ 0x3c, ['_LIST_ENTRY']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], 'GrantedAccessIndex' : [ 0x4, ['unsigned short']], 'CreatorBackTraceIndex' : [ 
0x6, ['unsigned short']], 'NextFreeTableEntry' : [ 0x4, ['long']], } ], '_HEAP_USERDATA_HEADER' : [ 0x10, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer', ['_HEAP_SUBSEGMENT']]], 'HeapHandle' : [ 0x4, ['pointer', ['void']]], 'SizeIndex' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], 'PCI_POWER_STATE' : [ 0x40, { 'CurrentSystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentDeviceState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemWakeLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 
'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWakeLevel' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemStateMapping' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'WaitWakeIrp' : [ 0x2c, ['pointer', ['_IRP']]], 'SavedCancelRoutine' : [ 0x30, ['pointer', ['void']]], 'Paging' : [ 0x34, ['long']], 'Hibernate' : [ 0x38, ['long']], 'CrashDump' : [ 0x3c, ['long']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '__unnamed_18b6' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_18ba' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_18be' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 
'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_18c0' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_18c4' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_18c6' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_18c8' : [ 
0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileMaximumInformation'})]], } ], '__unnamed_18ca' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 
'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_18cc' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_18ce' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_18d2' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsMaximumInformation'})]], } ], '__unnamed_18d4' : [ 0x10, { 
'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_18d6' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_18d8' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_18da' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_18dc' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_18de' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_18e2' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_18e6' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_18ea' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_18ec' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_18f0' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_18f2' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', 
['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_18f4' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_18f6' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_18fa' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_18fe' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_1902' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_1904' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_1908' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_190c' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 
'PowerActionWarmEject'})]], } ], '__unnamed_190e' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_1910' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1912' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1914' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_18b6']], 'CreatePipe' : [ 0x0, ['__unnamed_18ba']], 'CreateMailslot' : [ 0x0, ['__unnamed_18be']], 'Read' : [ 0x0, ['__unnamed_18c0']], 'Write' : [ 0x0, ['__unnamed_18c0']], 'QueryDirectory' : [ 0x0, ['__unnamed_18c4']], 'NotifyDirectory' : [ 0x0, ['__unnamed_18c6']], 'QueryFile' : [ 0x0, ['__unnamed_18c8']], 'SetFile' : [ 0x0, ['__unnamed_18ca']], 'QueryEa' : [ 0x0, ['__unnamed_18cc']], 'SetEa' : [ 0x0, ['__unnamed_18ce']], 'QueryVolume' : [ 0x0, ['__unnamed_18d2']], 'SetVolume' : [ 0x0, ['__unnamed_18d2']], 'FileSystemControl' : [ 0x0, ['__unnamed_18d4']], 'LockControl' : [ 0x0, ['__unnamed_18d6']], 'DeviceIoControl' : [ 0x0, ['__unnamed_18d8']], 'QuerySecurity' : [ 0x0, ['__unnamed_18da']], 'SetSecurity' : [ 0x0, ['__unnamed_18dc']], 'MountVolume' : [ 0x0, ['__unnamed_18de']], 'VerifyVolume' : [ 0x0, ['__unnamed_18de']], 'Scsi' : [ 0x0, ['__unnamed_18e2']], 'QueryQuota' : [ 0x0, ['__unnamed_18e6']], 'SetQuota' : [ 0x0, ['__unnamed_18ce']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_18ea']], 'QueryInterface' : [ 0x0, ['__unnamed_18ec']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_18f0']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_18f2']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_18f4']], 'SetLock' : [ 0x0, ['__unnamed_18f6']], 'QueryId' : [ 0x0, ['__unnamed_18fa']], 'QueryDeviceText' 
: [ 0x0, ['__unnamed_18fe']], 'UsageNotification' : [ 0x0, ['__unnamed_1902']], 'WaitWake' : [ 0x0, ['__unnamed_1904']], 'PowerSequence' : [ 0x0, ['__unnamed_1908']], 'Power' : [ 0x0, ['__unnamed_190c']], 'StartDevice' : [ 0x0, ['__unnamed_190e']], 'WMI' : [ 0x0, ['__unnamed_1910']], 'Others' : [ 0x0, ['__unnamed_1912']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_1914']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_191b' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_191d' : [ 0x8, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], } ], '__unnamed_191f' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1921' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1923' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1925' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_191b']], 'Memory' : [ 0x0, ['__unnamed_191b']], 'Interrupt' : [ 0x0, ['__unnamed_191d']], 'Dma' : [ 0x0, ['__unnamed_191f']], 'Generic' : [ 0x0, ['__unnamed_191b']], 'DevicePrivate' : [ 0x0, ['__unnamed_1683']], 'BusNumber' : [ 0x0, ['__unnamed_1921']], 'ConfigData' : [ 0x0, ['__unnamed_1923']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 
'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1925']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]], } ], '__unnamed_192e' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1930' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_192e']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1932' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1934' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1932']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1930']], 'u2' : [ 0x4, ['__unnamed_1934']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, 
['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x70, ['array', 99, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 894, ['unsigned long']]], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_DUAL' : [ 0x13c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x130, ['unsigned long']], 'FreeBins' : [ 0x134, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_POP_HIBER_CONTEXT' : [ 0xe0, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'LinkFile' : [ 0x6, ['unsigned char']], 'LinkFileHandle' : [ 0x8, ['pointer', ['void']]], 'Lock' : [ 0xc, ['unsigned long']], 'MapFrozen' : [ 0x10, ['unsigned char']], 'MemoryMap' : [ 0x14, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x1c, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x24, ['unsigned long']], 'NextCloneRange' : [ 0x28, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x2c, ['unsigned long']], 'LoaderMdl' : [ 0x30, ['pointer', ['_MDL']]], 
'Clones' : [ 0x34, ['pointer', ['_MDL']]], 'NextClone' : [ 0x38, ['pointer', ['unsigned char']]], 'NoClones' : [ 0x3c, ['unsigned long']], 'Spares' : [ 0x40, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x48, ['unsigned long long']], 'IoPage' : [ 0x50, ['pointer', ['void']]], 'CurrentMcb' : [ 0x54, ['pointer', ['void']]], 'DumpStack' : [ 0x58, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x5c, ['pointer', ['_KPROCESSOR_STATE']]], 'NoRanges' : [ 0x60, ['unsigned long']], 'HiberVa' : [ 0x64, ['unsigned long']], 'HiberPte' : [ 0x68, ['_LARGE_INTEGER']], 'Status' : [ 0x70, ['long']], 'MemoryImage' : [ 0x74, ['pointer', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0x78, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'CompressionWorkspace' : [ 0x7c, ['pointer', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0x80, ['pointer', ['unsigned char']]], 'PerformanceStats' : [ 0x84, ['pointer', ['unsigned long']]], 'CompressionBlock' : [ 0x88, ['pointer', ['void']]], 'DmaIO' : [ 0x8c, ['pointer', ['void']]], 'TemporaryHeap' : [ 0x90, ['pointer', ['void']]], 'PerfInfo' : [ 0x98, ['_PO_HIBER_PERF']], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_MMADDRESS_LIST' : [ 0x8, { 'StartVpn' : [ 0x0, ['unsigned long']], 'EndVpn' : [ 0x4, ['unsigned long']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_DUMP_STACK_CONTEXT' : [ 0xb0, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x70, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x78, ['pointer', ['void']]], 'PointersLength' : [ 0x7c, ['unsigned long']], 'ModulePrefix' : [ 0x80, ['pointer', ['unsigned short']]], 'DriverList' : [ 0x84, ['_LIST_ENTRY']], 'InitMsg' : [ 0x8c, ['_STRING']], 'ProgMsg' : [ 0x94, ['_STRING']], 'DoneMsg' : [ 0x9c, ['_STRING']], 'FileObject' : [ 0xa4, ['pointer', ['void']]], 'UsageType' : [ 0xa8, ['Enumeration', dict(target = 'long', 
choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x14, { 'Code' : [ 0x0, ['unsigned long']], 'Parameter1' : [ 0x4, ['unsigned long']], 'Parameter2' : [ 0x8, ['unsigned long']], 'Parameter3' : [ 0xc, ['unsigned long']], 'Parameter4' : [ 0x10, ['unsigned long']], } ], '__unnamed_196a' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_196c' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_196a']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_196c']], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, 
['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_SUPPORTED_RANGES' : [ 0xa0, { 'Version' : [ 0x0, ['unsigned short']], 'Sorted' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'NoIO' : [ 0x4, ['unsigned long']], 'IO' : [ 0x8, ['_SUPPORTED_RANGE']], 'NoMemory' : [ 0x28, ['unsigned long']], 'Memory' : [ 0x30, ['_SUPPORTED_RANGE']], 'NoPrefetchMemory' : [ 0x50, ['unsigned long']], 'PrefetchMemory' : [ 0x58, ['_SUPPORTED_RANGE']], 'NoDma' : [ 0x78, ['unsigned long']], 'Dma' : [ 0x80, ['_SUPPORTED_RANGE']], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 
'Dacl' : [ 0x10, ['unsigned long']], } ], '_DRIVER_EXTENSION' : [ 0x1c, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], } ], '_PM_SUPPORT' : [ 0x1, { 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'D1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'D2' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'PMED0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PMED1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PMED2' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'PMED3Hot' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'PMED3Cold' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_199b' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '__unnamed_199d' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '__unnamed_19a1' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '__unnamed_19a3' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '__unnamed_19a5' : [ 0x4, { 'ReserveDevice' : [ 0x0, 
['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_19a7' : [ 0x10, { 'TestAllocation' : [ 0x0, ['__unnamed_199b']], 'RetestAllocation' : [ 0x0, ['__unnamed_199b']], 'BootAllocation' : [ 0x0, ['__unnamed_199d']], 'QueryAllocatedResources' : [ 0x0, ['__unnamed_19a1']], 'QueryConflict' : [ 0x0, ['__unnamed_19a3']], 'QueryArbitrate' : [ 0x0, ['__unnamed_199d']], 'AddReserved' : [ 0x0, ['__unnamed_19a5']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_19a7']], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x48, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], } ], '_FREE_DISPLAY' : [ 0xc, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x4, ['_RTL_BITMAP']], } ], 'PO_MEMORY_IMAGE' : [ 0xa8, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'ImageType' : [ 0x18, ['unsigned long']], 
'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x3c, ['unsigned long']], 'HiberPte' : [ 0x40, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x48, ['unsigned long']], 'FreeMapCheck' : [ 0x4c, ['unsigned long']], 'WakeCheck' : [ 0x50, ['unsigned long']], 'TotalPages' : [ 0x54, ['unsigned long']], 'FirstTablePage' : [ 0x58, ['unsigned long']], 'LastFilePage' : [ 0x5c, ['unsigned long']], 'PerfInfo' : [ 0x60, ['_PO_HIBER_PERF']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' 
: [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, { 
'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Spare' : [ 0x18, ['array', 2, ['unsigned long']]], } ], '__unnamed_19c7' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['unsigned short']]], } ], '__unnamed_19c9' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_19cb' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_19cd' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceIds' : [ 0x4, ['array', 1, ['unsigned short']]], } ], '__unnamed_19cf' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_19d1' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_19d3' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['unsigned short']]], } ], '__unnamed_19d5' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, 
['_GUID']], } ], '__unnamed_19d7' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_19d9' : [ 0x14, { 'DeviceClass' : [ 0x0, ['__unnamed_19c7']], 'TargetDevice' : [ 0x0, ['__unnamed_19c9']], 'InstallDevice' : [ 0x0, ['__unnamed_19cb']], 'CustomNotification' : [ 0x0, ['__unnamed_19cd']], 'ProfileNotification' : [ 0x0, ['__unnamed_19cf']], 'PowerNotification' : [ 0x0, ['__unnamed_19d1']], 'VetoNotification' : [ 0x0, ['__unnamed_19d3']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_19d5']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_19d7']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x38, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'InvalidIDEvent', 10: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_19d9']], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_PO_MEMORY_RANGE_ARRAY' : [ 0x10, { 'Range' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_RANGE']], 'Link' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], } ], '__unnamed_19f0' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_19f2' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_19f4' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_19f0']], 'Gpt' : [ 0x0, ['__unnamed_19f2']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x70, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', 
['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_19f4']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_PCI_HEADER_TYPE_0' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 6, ['unsigned long']]], 'CIS' : [ 0x18, 
['unsigned long']], 'SubVendorID' : [ 0x1c, ['unsigned short']], 'SubSystemID' : [ 0x1e, ['unsigned short']], 'ROMBaseAddress' : [ 0x20, ['unsigned long']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'Reserved2' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'MinimumGrant' : [ 0x2e, ['unsigned char']], 'MaximumLatency' : [ 0x2f, ['unsigned char']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x248, { 'DevNodeSequence' : [ 0x0, ['unsigned long']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x10, { 'PageNo' : [ 0x0, ['unsigned long']], 'StartPage' : [ 0x4, ['unsigned long']], 'EndPage' : [ 0x8, ['unsigned 
long']], 'CheckSum' : [ 0xc, ['unsigned long']], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'LevelReady' : [ 0x0, ['_KEVENT']], 'DeviceCount' : [ 0x10, ['unsigned long']], 'ActiveCount' : [ 0x14, ['unsigned long']], 'WaitSleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x20, ['_LIST_ENTRY']], 'Pending' : [ 0x28, ['_LIST_ENTRY']], 'Complete' : [ 0x30, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x38, ['_LIST_ENTRY']], 'WaitS0' : [ 0x40, ['_LIST_ENTRY']], } ], '__unnamed_1a24' : [ 0x8, { 'Base' : [ 0x0, ['unsigned long']], 'Limit' : [ 0x4, ['unsigned long']], } ], '_PCI_HEADER_TYPE_2' : [ 0x30, { 'SocketRegistersBaseAddress' : [ 0x0, ['unsigned long']], 'CapabilitiesPtr' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'SecondaryStatus' : [ 0x6, ['unsigned short']], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'Range' : [ 0xc, ['array', 4, ['__unnamed_1a24']]], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, 
['array', 1, ['unsigned short']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'NextTable' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'EntryCount' : [ 0xc, ['unsigned long']], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 
0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_POP_DEVICE_POWER_IRP' : [ 0x2c, { 'Free' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Irp' : [ 0x4, ['pointer', ['_IRP']]], 'Notify' : [ 0x8, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'Pending' : [ 0xc, ['_LIST_ENTRY']], 'Complete' : [ 0x14, ['_LIST_ENTRY']], 'Abort' : [ 0x1c, ['_LIST_ENTRY']], 'Failed' : [ 0x24, ['_LIST_ENTRY']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_PCI_HEADER_TYPE_1' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 2, ['unsigned long']]], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'IOBase' : [ 0xc, ['unsigned char']], 'IOLimit' : [ 0xd, ['unsigned char']], 'SecondaryStatus' : [ 0xe, ['unsigned short']], 'MemoryBase' : [ 0x10, ['unsigned short']], 'MemoryLimit' : [ 0x12, ['unsigned short']], 
'PrefetchBase' : [ 0x14, ['unsigned short']], 'PrefetchLimit' : [ 0x16, ['unsigned short']], 'PrefetchBaseUpper32' : [ 0x18, ['unsigned long']], 'PrefetchLimitUpper32' : [ 0x1c, ['unsigned long']], 'IOBaseUpper16' : [ 0x20, ['unsigned short']], 'IOLimitUpper16' : [ 0x22, ['unsigned short']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'ROMBaseAddress' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Reserved' : [ 0x3c, ['array', 6, ['unsigned long']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 
'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_SUPPORTED_RANGE' : [ 0x20, { 'Next' : [ 0x0, ['pointer', ['_SUPPORTED_RANGE']]], 'SystemAddressSpace' : [ 0x4, ['unsigned long']], 'SystemBase' : [ 0x8, ['long long']], 'Base' : [ 0x10, ['long long']], 'Limit' : [ 0x18, ['long long']], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 
0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned 
short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x30, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long']], 'Alignment' : [ 0x14, ['unsigned long']], 'Priority' : [ 0x18, ['long']], 'Flags' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x24, ['array', 3, ['unsigned long']]], } ], '__unnamed_1aad' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_1aaf' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_1ab3' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_1ab5' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_1aad']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_1aaf']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_1ab3']], 'Others' : [ 0x0, ['__unnamed_1ab5']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 
'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], }

volatility-2.3.1/volatility/plugins/overlays/windows/xp.py

# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: bdolangavitt@wesleyan.edu

This file provides support for Windows XP.
"""

#pylint: disable-msg=C0111

import volatility.debug as debug #pylint: disable-msg=W0611
import volatility.obj as obj

class XPOverlay(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {'os': lambda x : x == 'windows',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 1}

    def modification(self, profile):
        overlay = {'VOLATILITY_MAGIC': [ None, {
                        'DTBSignature' : [ None, ['VolatilityMagic', dict(value = "\x03\x00\x1b\x00")]],
                        'KDBGHeader' : [ None, ['VolatilityMagic', dict(value = '\x00\x00\x00\x00\x00\x00\x00\x00KDBG\x90\x02')]],
                        'HibrProcPage' : [ None, ['VolatilityMagic', dict(value = 0x2)]],
                        'HibrEntryCount' : [ None, ['VolatilityMagic', dict(value = 0xff)]],
                        }],
                   '_EPROCESS' : [ None, {
                        'VadRoot' : [ None, ['pointer', ['_MMVAD']]]
                        }]
                  }
        profile.merge_overlay(overlay)

class WinXPSP2x86(obj.Profile):
    """ A Profile for Windows XP SP2 x86 """
    _md_major = 5
    _md_minor = 1
    _md_os = 'windows'
    _md_memory_model = '32bit'
    _md_vtype_module = 'volatility.plugins.overlays.windows.xp_sp2_x86_vtypes'

class WinXPSP3x86(obj.Profile):
    """ A Profile for Windows XP SP3 x86 """
    _md_major = 5
    _md_minor = 1
    _md_os = 'windows'
    _md_memory_model = '32bit'
    _md_vtype_module = 'volatility.plugins.overlays.windows.xp_sp3_x86_vtypes'

volatility-2.3.1/volatility/plugins/overlays/windows/win7_sp0_x86_vtypes.py

ntkrnlmp_types = { '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned
long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x48, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0xc, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], } ], '__unnamed_2008' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, 
end_bit = 32, native_type='unsigned long')]], } ], '_PPM_PERF_STATES' : [ 0x80, { 'Count' : [ 0x0, ['unsigned long']], 'MaxFrequency' : [ 0x4, ['unsigned long']], 'PStateCap' : [ 0x8, ['unsigned long']], 'TStateCap' : [ 0xc, ['unsigned long']], 'MaxPerfState' : [ 0x10, ['unsigned long']], 'MinPerfState' : [ 0x14, ['unsigned long']], 'LowestPState' : [ 0x18, ['unsigned long']], 'IncreaseTime' : [ 0x1c, ['unsigned long']], 'DecreaseTime' : [ 0x20, ['unsigned long']], 'BusyAdjThreshold' : [ 0x24, ['unsigned char']], 'Reserved' : [ 0x25, ['unsigned char']], 'ThrottleStatesOnly' : [ 0x26, ['unsigned char']], 'PolicyType' : [ 0x27, ['unsigned char']], 'TimerInterval' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['__unnamed_2008']], 'TargetProcessors' : [ 0x30, ['_KAFFINITY_EX']], 'PStateHandler' : [ 0x3c, ['pointer', ['void']]], 'PStateContext' : [ 0x40, ['unsigned long']], 'TStateHandler' : [ 0x44, ['pointer', ['void']]], 'TStateContext' : [ 0x48, ['unsigned long']], 'FeedbackHandler' : [ 0x4c, ['pointer', ['void']]], 'GetFFHThrottleState' : [ 0x50, ['pointer', ['void']]], 'State' : [ 0x58, ['array', 1, ['_PPM_PERF_STATE']]], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, ['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' 
: [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['unsigned long']], } ], '_RTL_ATOM_TABLE' : [ 0x44, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x4, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x1c, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x3c, ['unsigned long']], 'Buckets' : [ 0x40, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POP_POWER_ACTION' : [ 0xb0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 
'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x34, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x38, ['pointer', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x40, ['unsigned long long']], 'SleepTime' : [ 0x48, ['unsigned long long']], 'ProgrammedRTCTime' : [ 0x50, ['unsigned long long']], 'WakeOnRTC' : [ 0x58, ['unsigned char']], 'WakeTimerInfo' : [ 0x5c, ['pointer', ['_DIAGNOSTIC_BUFFER']]], 'FilteredCapabilities' : [ 0x60, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], 
'_PO_DEVICE_NOTIFY' : [ 0x3c, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x8, ['_LIST_ENTRY']], 'PowerParents' : [ 0x10, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x1c, ['unsigned char']], 'DeviceObject' : [ 0x20, ['pointer', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x24, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x28, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x2c, ['unsigned long']], 'ActiveChild' : [ 0x30, ['unsigned long']], 'ParentCount' : [ 0x34, ['unsigned long']], 'ActiveParent' : [ 0x38, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x228, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTransitions' : [ 0x8, ['unsigned long']], 'FailedTransitions' : [ 0xc, ['unsigned long']], 'InvalidBucketIndex' : [ 0x10, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x28, ['array', 16, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x4, { 'PageHashes' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned 
long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_204b' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_204d' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0xc, ['__unnamed_204b']], 'Button' : [ 0xc, ['__unnamed_204d']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 
'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_LOADER_PARAMETER_EXTENSION' : [ 0xe8, { 'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 'EmInfFileImage' : [ 0x14, ['pointer', ['void']]], 'EmInfFileSize' : [ 0x18, ['unsigned long']], 'TriageDumpBlock' : [ 0x1c, ['pointer', ['void']]], 'LoaderPagesSpanned' : [ 0x20, ['unsigned long']], 'HeadlessLoaderBlock' : [ 0x24, ['pointer', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x28, ['pointer', 
['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x2c, ['pointer', ['void']]], 'DrvDBSize' : [ 0x30, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x34, ['pointer', ['_NETWORK_LOADER_BLOCK']]], 'HalpIRQLToTPR' : [ 0x38, ['pointer', ['unsigned char']]], 'HalpVectorToIRQL' : [ 0x3c, ['pointer', ['unsigned char']]], 'FirmwareDescriptorListHead' : [ 0x40, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x48, ['pointer', ['void']]], 'AcpiTableSize' : [ 0x4c, ['unsigned long']], 'LastBootSucceeded' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LastBootShutdown' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPortAccessSupported' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'LoaderPerformanceData' : [ 0x54, ['pointer', ['_LOADER_PERFORMANCE_DATA']]], 'BootApplicationPersistentData' : [ 0x58, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0x60, ['pointer', ['void']]], 'BootIdentifier' : [ 0x64, ['_GUID']], 'ResumePages' : [ 0x74, ['unsigned long']], 'DumpHeader' : [ 0x78, ['pointer', ['void']]], 'BgContext' : [ 0x7c, ['pointer', ['void']]], 'NumaLocalityInfo' : [ 0x80, ['pointer', ['void']]], 'NumaGroupAssignment' : [ 0x84, ['pointer', ['void']]], 'AttachedHives' : [ 0x88, ['_LIST_ENTRY']], 'MemoryCachingRequirementsCount' : [ 0x90, ['unsigned long']], 'MemoryCachingRequirements' : [ 0x94, ['pointer', ['void']]], 'TpmBootEntropyResult' : [ 0x98, ['_TPM_BOOT_ENTROPY_LDR_RESULT']], 'ProcessorCounterFrequency' : [ 0xe0, ['unsigned long long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x10, ['pointer', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, 
['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x298, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x290, ['unsigned long']], 'EnvironmentVersion' : [ 0x294, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 
0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '_RTL_SRWLOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_ALPC_MESSAGE_ZONE' : [ 0x18, { 'Mdl' : [ 0x0, ['pointer', ['_MDL']]], 'UserVa' : [ 0x4, ['pointer', ['void']]], 'UserLimit' : [ 0x8, ['pointer', ['void']]], 'SystemVa' : [ 0xc, ['pointer', ['void']]], 'SystemLimit' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x14, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x10, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_PROC_HISTORY_ENTRY' : [ 0x4, { 'Utility' : [ 0x0, ['unsigned short']], 'Frequency' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 
'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 
'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x10, { 'RefCount' : [ 0x0, ['long']], 'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 0x8, ['pointer', ['_ETW_REG_ENTRY']]], 'Caller' : [ 0xc, ['pointer', ['void']]], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x40, { 'Address' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0xc, ['array', 13, ['pointer', ['void']]]], } ], '__unnamed_20df' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x2000, { 'ReferenceCount' : [ 
0x0, ['long']], 'u' : [ 0x4, ['__unnamed_20df']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x18, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long']], 'NonPagablePages' : [ 0x24, ['unsigned long']], 'CommittedPages' : [ 0x28, ['unsigned long']], 'PagedPoolStart' : [ 0x2c, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x30, ['pointer', ['void']]], 'SessionObject' : [ 0x34, ['pointer', ['void']]], 'SessionObjectHandle' : [ 0x38, ['pointer', ['void']]], 'ResidentProcessCount' : [ 0x3c, ['long']], 'SessionPoolAllocationFailures' : [ 0x40, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x50, ['_LIST_ENTRY']], 'LocaleId' : [ 0x58, ['unsigned long']], 'AttachCount' : [ 0x5c, ['unsigned long']], 'AttachGate' : [ 0x60, ['_KGATE']], 'WsListEntry' : [ 0x70, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 25, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xd00, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xd38, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xd70, ['_MMSUPPORT']], 'Wsle' : [ 0xddc, ['pointer', ['_MMWSLE']]], 'DriverUnload' : [ 0xde0, ['pointer', ['void']]], 'PagedPool' : [ 0xe00, ['_POOL_DESCRIPTOR']], 'PageTables' : [ 0x1f40, ['pointer', ['_MMPTE']]], 'SpecialPool' : [ 0x1f44, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1f68, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1f88, ['long']], 'PagedPoolPdeCount' : [ 0x1f8c, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1f90, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1f94, ['unsigned long']], 'SystemPteInfo' : [ 0x1f98, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1fc8, ['pointer', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1fcc, ['unsigned long']], 'PoolTrackBigPages' : [ 0x1fd0, ['pointer', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1fd4, ['unsigned long']], 'IoState' : [ 0x1fd8, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 
'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1fdc, ['unsigned long']], 'IoNotificationEvent' : [ 0x1fe0, ['_KEVENT']], 'SessionPoolPdes' : [ 0x1ff0, ['_RTL_BITMAP']], 'CpuQuotaBlock' : [ 0x1ff8, ['pointer', ['_PS_CPU_QUOTA_BLOCK']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, ['pointer', ['_EPROCESS']]], 'HandleCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, 
native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit 
= 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, 
['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x38, { 'Mutex' : [ 0x0, ['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x20, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x28, ['pointer', ['_MMPTE']]], 'PagedPoolHint' : [ 0x2c, ['unsigned long']], 'PagedPoolCommit' : [ 0x30, ['unsigned long']], 'AllocatedPagedPool' : [ 0x34, ['unsigned long']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_PROC_PERF_DOMAIN' : [ 0x78, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x8, ['pointer', ['_KPRCB']]], 'Members' : [ 0xc, ['_KAFFINITY_EX']], 'FeedbackHandler' : [ 0x18, ['pointer', ['void']]], 'GetFFHThrottleState' : [ 0x1c, ['pointer', ['void']]], 
'BoostPolicyHandler' : [ 0x20, ['pointer', ['void']]], 'PerfSelectionHandler' : [ 0x24, ['pointer', ['void']]], 'PerfHandler' : [ 0x28, ['pointer', ['void']]], 'Processors' : [ 0x2c, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'PerfChangeTime' : [ 0x30, ['unsigned long long']], 'ProcessorCount' : [ 0x38, ['unsigned long']], 'PreviousFrequencyMhz' : [ 0x3c, ['unsigned long']], 'CurrentFrequencyMhz' : [ 0x40, ['unsigned long']], 'PreviousFrequency' : [ 0x44, ['unsigned long']], 'CurrentFrequency' : [ 0x48, ['unsigned long']], 'CurrentPerfContext' : [ 0x4c, ['unsigned long']], 'DesiredFrequency' : [ 0x50, ['unsigned long']], 'MaxFrequency' : [ 0x54, ['unsigned long']], 'MinPerfPercent' : [ 0x58, ['unsigned long']], 'MinThrottlePercent' : [ 0x5c, ['unsigned long']], 'MaxPercent' : [ 0x60, ['unsigned long']], 'MinPercent' : [ 0x64, ['unsigned long']], 'ConstrainedMaxPercent' : [ 0x68, ['unsigned long']], 'ConstrainedMinPercent' : [ 0x6c, ['unsigned long']], 'Coordination' : [ 0x70, ['unsigned char']], 'PerfChangeIntervalCount' : [ 0x74, ['long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_TP_NBQ_GUARD' : [ 0x10, { 'GuardLinks' : [ 0x0, ['_LIST_ENTRY']], 'Guards' : [ 0x8, ['array', 2, ['pointer', ['void']]]], } ], '_DUMMY_FILE_OBJECT' : [ 0xa0, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x20, ['array', 128, ['unsigned char']]], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_RELATION_LIST' : [ 0x14, { 'Count' 
: [ 0x0, ['unsigned long']], 'TagCount' : [ 0x4, ['unsigned long']], 'FirstLevel' : [ 0x8, ['unsigned long']], 'MaxLevel' : [ 0xc, ['unsigned long']], 'Entries' : [ 0x10, ['array', 1, ['pointer', ['_RELATION_LIST_ENTRY']]]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x24, { 'PteBase' : [ 0x0, ['pointer', ['_MMPTE']]], 'Lock' : [ 0x4, ['unsigned long']], 'Paged' : [ 0x8, ['_MI_SPECIAL_POOL_PTE_LIST']], 'NonPaged' : [ 0x10, ['_MI_SPECIAL_POOL_PTE_LIST']], 'PagesInUse' : [ 0x18, ['long']], 'SpecialPoolPdes' : [ 0x1c, ['_RTL_BITMAP']], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_KGUARDED_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], 
'_PO_IRP_MANAGER' : [ 0x10, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x8, ['_PO_IRP_QUEUE']], } ], '_PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [ 0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_KDPC_DATA' : [ 0x14, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['long']], 'DpcCount' : [ 0x10, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 
0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '__unnamed_216f' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_2171' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_216f']], 'Merged' : [ 0x10, ['__unnamed_2171']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0xc, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x4, ['pointer', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x8, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '__unnamed_2179' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_2179']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 
'NextMappedSubsection' : [ 0x8, ['pointer', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_1ef2']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], 'u1' : [ 0x20, ['__unnamed_1f80']], 'LeftChild' : [ 0x24, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x28, ['pointer', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x2c, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x34, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x38, { 'GetTime' : [ 0x0, ['unsigned long']], 'SetTime' : [ 0x4, ['unsigned long']], 'GetWakeupTime' : [ 0x8, ['unsigned long']], 'SetWakeupTime' : [ 0xc, ['unsigned long']], 'SetVirtualAddressMap' : [ 0x10, ['unsigned long']], 'ConvertPointer' : [ 0x14, ['unsigned long']], 'GetVariable' : [ 0x18, ['unsigned long']], 'GetNextVariableName' : [ 0x1c, ['unsigned long']], 'SetVariable' : [ 0x20, ['unsigned long']], 'GetNextHighMonotonicCount' : [ 0x24, ['unsigned long']], 'ResetSystem' : [ 0x28, ['unsigned long']], 'UpdateCapsule' : [ 0x2c, ['unsigned long']], 'QueryCapsuleCapabilities' : [ 0x30, ['unsigned long']], 'QueryVariableInfo' : [ 0x34, ['unsigned long']], } ], '_MI_SPECIAL_POOL_PTE_LIST' : [ 0x8, { 'FreePteHead' : [ 0x0, ['_MMPTE']], 'FreePteTail' : [ 0x4, ['_MMPTE']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, 
['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 0x12, ['array', 3, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 
'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_218f' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_2193' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'u1' : [ 0x20, ['__unnamed_218f']], 'u2' : [ 0x24, ['__unnamed_2193']], 'PrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'ThePtes' : [ 0x2c, ['array', 1, ['_MMPTE']]], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x10, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x4, ['pointer', ['_EPROCESS']]], 'ServiceTag' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0xc, ['unsigned long']], } ], '__unnamed_219c' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_219e' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_219c']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0x90, { 
'SuspectDriverEntry' : [ 0x0, ['pointer', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x4, ['pointer', ['void']]], 'EtwHandlesListHead' : [ 0x8, ['_LIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_219e']], 'Signature' : [ 0x14, ['unsigned long']], 'PoolPageHeaders' : [ 0x18, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x20, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x28, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x2c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x30, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x34, ['unsigned long']], 'PagedBytes' : [ 0x38, ['unsigned long']], 'NonPagedBytes' : [ 0x3c, ['unsigned long']], 'PeakPagedBytes' : [ 0x40, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x44, ['unsigned long']], 'RaiseIrqls' : [ 0x48, ['unsigned long']], 'AcquireSpinLocks' : [ 0x4c, ['unsigned long']], 'SynchronizeExecutions' : [ 0x50, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x54, ['unsigned long']], 'AllocationsFailed' : [ 0x58, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x5c, ['unsigned long']], 'LockedBytes' : [ 0x60, ['unsigned long']], 'PeakLockedBytes' : [ 0x64, ['unsigned long']], 'MappedLockedBytes' : [ 0x68, ['unsigned long']], 'PeakMappedLockedBytes' : [ 0x6c, ['unsigned long']], 'MappedIoSpaceBytes' : [ 0x70, ['unsigned long']], 'PeakMappedIoSpaceBytes' : [ 0x74, ['unsigned long']], 'PagesForMdlBytes' : [ 0x78, ['unsigned long']], 'PeakPagesForMdlBytes' : [ 0x7c, ['unsigned long']], 'ContiguousMemoryBytes' : [ 0x80, ['unsigned long']], 'PeakContiguousMemoryBytes' : [ 0x84, ['unsigned long']], 'ContiguousMemoryListHead' : [ 0x88, ['_LIST_ENTRY']], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 
'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long']], 'PrivateLinks' : [ 0x4c, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x54, ['pointer', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_TPM_BOOT_ENTROPY_LDR_RESULT' : [ 0x48, { 'Policy' : [ 0x0, ['unsigned long long']], 'ResultCode' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'TpmBootEntropyStructureUninitialized', 1: 
'TpmBootEntropyDisabledByPolicy', 2: 'TpmBootEntropyNoTpmFound', 3: 'TpmBootEntropyTpmError', 4: 'TpmBootEntropySuccess'})]], 'ResultStatus' : [ 0xc, ['long']], 'Time' : [ 0x10, ['unsigned long long']], 'EntropyLength' : [ 0x18, ['unsigned long']], 'EntropyData' : [ 0x1c, ['array', 40, ['unsigned char']]], } ], '_RTL_HANDLE_TABLE' : [ 0x20, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x14, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x18, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x1c, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_PTE_TRACKER' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x8, ['pointer', ['_MDL']]], 'Count' : [ 0xc, ['unsigned long']], 'SystemVa' : [ 0x10, ['pointer', ['void']]], 'StartVa' : [ 0x14, ['pointer', ['void']]], 'Offset' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], 'Page' : [ 0x20, ['unsigned long']], 'IoMapping' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x24, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'CallingAddress' : [ 0x28, ['pointer', ['void']]], 'CallersCaller' : [ 0x2c, ['pointer', ['void']]], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0xc, ['unsigned long']], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 
'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0xc, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_HMAP_ENTRY' : [ 0x10, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'CmView' : [ 0x8, ['pointer', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0xc, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x10, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'ReferenceCount' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'NameLength' : [ 0xb, ['unsigned char']], 'Name' : [ 0xc, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x4, ['pointer', ['void']]], } ], '_LOADER_PERFORMANCE_DATA' : [ 0x10, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 
'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1'})]], 'ReorderingBarrier' : [ 0x10, ['unsigned char']], 'RequestArgument' : [ 0x14, ['unsigned long']], 'CompletionEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'CompletionStatus' : [ 0x1c, ['pointer', ['long']]], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_MMSESSION' : [ 0x38, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewTable' : [ 0x24, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x28, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x30, ['unsigned long']], 'BitmapFailures' : [ 0x34, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x2c, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x8, ['pointer', ['_ETW_GUID_ENTRY']]], 'Index' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned short']], 'EnableMask' : [ 0x10, ['unsigned char']], 'SessionId' : [ 0x14, ['unsigned long']], 'ReplyQueue' : [ 0x14, ['pointer', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x14, ['array', 4, ['pointer', ['_ETW_REG_ENTRY']]]], 'Process' : [ 0x24, ['pointer', ['_EPROCESS']]], 'Callback' : [ 0x24, ['pointer', ['void']]], 'CallbackContext' : [ 0x28, ['pointer', ['void']]], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', 
['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, 
['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_POP_DEVICE_SYS_STATE' : [ 0x1a8, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'AbortEvent' : [ 0x10, ['pointer', ['_KEVENT']]], 'ReadySemaphore' : [ 0x14, ['pointer', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x18, ['pointer', ['_KSEMAPHORE']]], 'GetNewDeviceList' : [ 0x1c, ['unsigned char']], 'Order' : [ 0x20, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0x190, ['_LIST_ENTRY']], 'Status' : [ 0x198, ['long']], 'FailedDevice' : [ 0x19c, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x1a0, ['unsigned char']], 'Cancelled' : [ 0x1a1, ['unsigned char']], 'IgnoreErrors' : [ 0x1a2, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x1a3, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x1a4, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 
'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 22, native_type='unsigned long')]], 'Binary32' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'ContainsDebug' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 7, ['pointer', ['void']]]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x18, { 'Size' : [ 0x0, ['unsigned long']], 'CallerType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x8, ['unsigned long']], 'DevicePathOffset' : [ 0xc, ['unsigned long']], 'ReasonOffset' : [ 0x14, ['unsigned long']], } ], '_EX_WORK_QUEUE' : [ 0x3c, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x28, ['unsigned long']], 'WorkItemsProcessed' : [ 0x2c, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x30, ['unsigned long']], 'QueueDepthLastPass' : [ 0x34, ['unsigned long']], 'Info' : [ 0x38, ['EX_QUEUE_WORKER_INFO']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, 
['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], 'ThreadUsesEresources' : [ 0x1c, ['unsigned char']], } ], '_PPM_IDLE_STATE' : [ 0x40, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'IdleCheck' : [ 0xc, ['pointer', ['void']]], 'IdleHandler' : [ 0x10, ['pointer', ['void']]], 'HvConfig' : [ 0x18, ['unsigned long long']], 'Context' : [ 0x20, ['pointer', ['void']]], 'Latency' : [ 0x24, ['unsigned long']], 'Power' : [ 0x28, ['unsigned long']], 'TimeCheck' : [ 0x2c, ['unsigned long']], 'StateFlags' : [ 0x30, ['unsigned long']], 'PromotePercent' : [ 0x34, ['unsigned char']], 'DemotePercent' : [ 0x35, ['unsigned char']], 'PromotePercentBase' : [ 0x36, ['unsigned char']], 'DemotePercentBase' : [ 0x37, ['unsigned char']], 'StateType' : [ 0x38, ['unsigned char']], } ], '_KRESOURCEMANAGER' : [ 0x154, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'State' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x1c, ['_KMUTANT']], 'NamespaceLink' : [ 0x3c, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x50, ['_GUID']], 'NotificationQueue' : [ 0x60, ['_KQUEUE']], 'NotificationMutex' : [ 0x88, ['_KMUTANT']], 'EnlistmentHead' : [ 0xa8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xb0, ['unsigned long']], 'NotificationRoutine' : [ 0xb4, ['pointer', ['void']]], 'Key' : [ 0xb8, ['pointer', ['void']]], 'ProtocolListHead' : [ 0xbc, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0xc4, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0xcc, ['_LIST_ENTRY']], 'Tm' : [ 0xd4, 
['pointer', ['_KTM']]], 'Description' : [ 0xd8, ['_UNICODE_STRING']], 'Enlistments' : [ 0xe0, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x140, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '__unnamed_2215' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x40, { 'Lock' : [ 0x0, ['long']], 'NodeToFree' : [ 0x4, ['pointer', ['void']]], 'NodeRangeSize' : [ 0x8, ['unsigned long']], 'NodeCount' : [ 0xc, ['unsigned long']], 'Tables' : [ 0x10, ['pointer', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0x14, ['unsigned long']], 'u1' : [ 0x18, ['__unnamed_2215']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', 
dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_RELATION_LIST_ENTRY' : [ 0xc, { 'Count' : [ 0x0, ['unsigned long']], 'MaxCount' : [ 0x4, ['unsigned long']], 'Devices' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x40e0, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x14, ['unsigned long']], 'ResourceAddressRange' : [ 0x18, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x2010, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x2014, ['unsigned long']], 'ThreadAddressRange' : [ 0x2018, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x4010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x4014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x4018, ['unsigned long']], 'NodesSearched' : [ 0x401c, ['unsigned long']], 
'MaxNodesSearched' : [ 0x4020, ['unsigned long']], 'SequenceNumber' : [ 0x4024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x402c, ['unsigned long']], 'DepthLimitHits' : [ 0x4030, ['unsigned long']], 'SearchLimitHits' : [ 0x4034, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x4038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x403c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x4040, ['unsigned long']], 'TotalReleases' : [ 0x4044, ['unsigned long']], 'RootNodesDeleted' : [ 0x4048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x404c, ['unsigned long']], 'Instigator' : [ 0x4050, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0x4054, ['unsigned long']], 'Participant' : [ 0x4058, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x40d8, ['long']], } ], '_KTM' : [ 0x238, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x4, ['_KMUTANT']], 'State' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x28, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x3c, ['_GUID']], 'Flags' : [ 0x4c, ['unsigned long']], 'VolatileFlags' : [ 0x50, ['unsigned long']], 'LogFileName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x5c, ['pointer', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0x60, ['pointer', ['void']]], 'LogManagementContext' : [ 0x64, ['pointer', ['void']]], 'Transactions' : [ 0x68, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0xc8, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x128, ['_KMUTANT']], 'LsnOrderedList' : [ 0x148, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x150, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x158, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x178, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x180, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x188, ['_CLS_LSN']], 'TmRmHandle' : [ 0x190, 
['pointer', ['void']]], 'TmRm' : [ 0x194, ['pointer', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x198, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x1a8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x1b8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x1c0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x1d0, ['_ERESOURCE']], 'LogFlags' : [ 0x208, ['unsigned long']], 'LogFullStatus' : [ 0x20c, ['long']], 'RecoveryStatus' : [ 0x210, ['long']], 'LastCheckBaseLsn' : [ 0x218, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x220, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x228, ['_WORK_QUEUE_ITEM']], } ], '_CONFIGURATION_COMPONENT' : [ 0x24, { 'Class' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 'MemoryClass', 7: 'MaximumClass'})]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 14: 'TapeController', 15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 'AudioController', 24: 'OtherController', 25: 'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29: 'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]], 'Flags' : [ 0x8, ['_DEVICE_FLAGS']], 'Version' : [ 0xc, ['unsigned short']], 
'Revision' : [ 0xe, ['unsigned short']], 'Key' : [ 0x10, ['unsigned long']], 'AffinityMask' : [ 0x14, ['unsigned long']], 'Group' : [ 0x14, ['unsigned short']], 'GroupIndex' : [ 0x16, ['unsigned short']], 'ConfigurationDataLength' : [ 0x18, ['unsigned long']], 'IdentifierLength' : [ 0x1c, ['unsigned long']], 'Identifier' : [ 0x20, ['pointer', ['unsigned char']]], } ], '_VF_BTS_RECORD' : [ 0xc, { 'JumpedFrom' : [ 0x0, ['pointer', ['void']]], 'JumpedTo' : [ 0x4, ['pointer', ['void']]], 'Unused1' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Predicted' : [ 0x8, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Unused2' : [ 0x8, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_KTRANSACTION' : [ 0x1e0, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'Mutex' : [ 0x14, ['_KMUTANT']], 'TreeTx' : [ 0x34, ['pointer', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x38, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x4c, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0x60, ['_GUID']], 'State' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0x74, ['unsigned long']], 'EnlistmentHead' : [ 0x78, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x80, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0x84, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0x88, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0x8c, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0x90, ['unsigned long']], 'PendingResponses' : [ 0x94, ['unsigned long']], 'SuperiorEnlistment' : [ 
0x98, ['pointer', ['_KENLISTMENT']]], 'LastLsn' : [ 0xa0, ['_CLS_LSN']], 'PromotedEntry' : [ 0xa8, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0xb0, ['pointer', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0xb4, ['pointer', ['void']]], 'IsolationLevel' : [ 0xb8, ['unsigned long']], 'IsolationFlags' : [ 0xbc, ['unsigned long']], 'Timeout' : [ 0xc0, ['_LARGE_INTEGER']], 'Description' : [ 0xc8, ['_UNICODE_STRING']], 'RollbackThread' : [ 0xd0, ['pointer', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0xd4, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0xe4, ['_KDPC']], 'RollbackTimer' : [ 0x108, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x130, ['_LIST_ENTRY']], 'Outcome' : [ 0x138, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x13c, ['pointer', ['_KTM']]], 'CommitReservation' : [ 0x140, ['long long']], 'TransactionHistory' : [ 0x148, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x198, ['unsigned long']], 'DTCPrivateInformation' : [ 0x19c, ['pointer', ['void']]], 'DTCPrivateInformationLength' : [ 0x1a0, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x1a4, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x1c4, ['pointer', ['void']]], 'PendingPromotionCount' : [ 0x1c8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x1cc, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : 
[ 0x38, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x8, ['pointer', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0xc, ['pointer', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x1c, ['pointer', ['_CM_TRANS']]], 'UoWState' : [ 0x20, ['unsigned long']], 'ActionType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x30, ['unsigned long']], 'OldValueCell' : [ 0x30, ['unsigned long']], 'NewValueCell' : [ 0x34, ['unsigned long']], 'UserFlags' : [ 0x30, ['unsigned long']], 'LastWriteTime' : [ 0x30, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x30, ['unsigned long']], 'OldChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x34, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x34, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, 
['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_VF_WATCHDOG_IRP' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'DueTickCount' : [ 0xc, ['unsigned long']], 'Inserted' : [ 0x10, ['unsigned char']], 'TrackedStackLocation' : [ 0x11, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x12, ['unsigned short']], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_2270' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_2272' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_2270']], 'Value' : [ 0x0, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_2272']], } ], 
'_PSP_CPU_SHARE_CAPTURED_WEIGHT_DATA' : [ 0x8, { 'CapturedCpuShareWeight' : [ 0x0, ['unsigned long']], 'CapturedTotalWeight' : [ 0x4, ['unsigned long']], 'CombinedData' : [ 0x0, ['long long']], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['wchar']]], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 12, native_type='unsigned long')]], } ], '_PO_IRP_QUEUE' : [ 0x8, { 'CurrentIrp' : [ 0x0, ['pointer', ['_IRP']]], 'PendingIrpList' : [ 0x4, ['pointer', ['_IRP']]], } ], '__unnamed_2285' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0x6c, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x24, ['__unnamed_2285']], 'ChildrenCount' : [ 
0x28, ['long']], 'StackTrace' : [ 0x2c, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x4c, ['array', 8, ['pointer', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0x60, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x38, ['_KMUTANT']], 'LinksOffset' : [ 0x58, ['unsigned short']], 'GuidOffset' : [ 0x5a, ['unsigned short']], 'Expired' : [ 0x5c, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_VF_ADDRESS_RANGE' : [ 0x8, { 'Start' : [ 0x0, ['pointer', ['unsigned char']]], 'End' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x18, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 0x10, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, 
['pointer', ['_LPCP_PORT_OBJECT']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x14, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x8, ['pointer', ['void']]], 'Key' : [ 0xc, ['unsigned long']], 'BindingProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x2c, ['array', 3, ['unsigned long']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 
22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x38, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x30, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_HEAP_USERDATA_HEADER' : [ 0x10, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer', ['_HEAP_SUBSEGMENT']]], 'Reserved' : [ 0x4, ['pointer', ['void']]], 'SizeIndex' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], } ], '_STACK_TABLE' : [ 0x8040, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x4, ['array', 16, ['pointer', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x44, ['array', 16381, ['unsigned short']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_DEFERRED_WRITE' : [ 0x24, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, 
['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'ImageFlags' : [ 0x23, ['unsigned char']], 'ComPlusNativeReady' : [ 0x23, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x23, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x23, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x23, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x23, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'CheckSum' : [ 0x2c, ['unsigned long']], } ], '_VF_AVL_TABLE' : [ 0x3c, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x38, ['pointer', ['_VF_AVL_TREE_NODE']]], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1b, { 'PerUserPolicy' : [ 
0x0, ['array', 27, ['unsigned char']]], } ], '__unnamed_22db' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_22dd' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_22e1' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_22e5' : [ 0x8, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x4, ['unsigned char']], } ], '__unnamed_22e7' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_22db']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_22dd']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_22e1']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_22e5']], 'Others' : [ 0x0, ['__unnamed_22e7']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, ['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_POP_HIBER_CONTEXT' : [ 
0xa0, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'Reset' : [ 0x3, ['unsigned char']], 'HiberFlags' : [ 0x4, ['unsigned char']], 'WroteHiberFile' : [ 0x5, ['unsigned char']], 'MapFrozen' : [ 0x6, ['unsigned char']], 'MemoryMap' : [ 0x8, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x10, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x18, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x20, ['unsigned long']], 'NextCloneRange' : [ 0x24, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x28, ['unsigned long']], 'LoaderMdl' : [ 0x2c, ['pointer', ['_MDL']]], 'AllocatedMdl' : [ 0x30, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x38, ['unsigned long long']], 'IoPages' : [ 0x40, ['pointer', ['void']]], 'IoPagesCount' : [ 0x44, ['unsigned long']], 'CurrentMcb' : [ 0x48, ['pointer', ['void']]], 'DumpStack' : [ 0x4c, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x50, ['pointer', ['_KPROCESSOR_STATE']]], 'PreferredIoWriteSize' : [ 0x54, ['unsigned long']], 'IoProgress' : [ 0x58, ['unsigned long']], 'HiberVa' : [ 0x5c, ['unsigned long']], 'HiberPte' : [ 0x60, ['_LARGE_INTEGER']], 'Status' : [ 0x68, ['long']], 'MemoryImage' : [ 0x6c, ['pointer', ['PO_MEMORY_IMAGE']]], 'CompressionWorkspace' : [ 0x70, ['pointer', ['void']]], 'CompressedWriteBuffer' : [ 0x74, ['pointer', ['unsigned char']]], 'CompressedWriteBufferSize' : [ 0x78, ['unsigned long']], 'MaxCompressedOutputSize' : [ 0x7c, ['unsigned long']], 'PerformanceStats' : [ 0x80, ['pointer', ['unsigned long']]], 'CompressionBlock' : [ 0x84, ['pointer', ['void']]], 'DmaIO' : [ 0x88, ['pointer', ['void']]], 'TemporaryHeap' : [ 0x8c, ['pointer', ['void']]], 'BootLoaderLogMdl' : [ 0x90, ['pointer', ['_MDL']]], 'FirmwareRuntimeInformationMdl' : [ 0x94, ['pointer', ['_MDL']]], 'ResumeContext' : [ 0x98, ['pointer', ['void']]], 'ResumeContextPages' : [ 0x9c, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x40, { 'StackTrace' : [ 0x0, ['array', 
16, ['pointer', ['void']]]], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], } ], '_DUMP_STACK_CONTEXT' : [ 0xb0, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x70, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x78, ['pointer', ['void']]], 'PointersLength' : [ 0x7c, ['unsigned long']], 'ModulePrefix' : [ 0x80, ['pointer', ['unsigned short']]], 'DriverList' : [ 0x84, ['_LIST_ENTRY']], 'InitMsg' : [ 0x8c, ['_STRING']], 'ProgMsg' : [ 0x94, ['_STRING']], 'DoneMsg' : [ 0x9c, ['_STRING']], 'FileObject' : [ 0xa4, ['pointer', ['void']]], 'UsageType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x20, { 'ThreadHandle' : [ 0x0, ['pointer', ['void']]], 'ThreadId' : [ 0x4, ['pointer', ['void']]], 'ProcessId' : [ 0x8, ['pointer', ['void']]], 'Code' : [ 0xc, ['unsigned long']], 'Parameter1' : [ 0x10, ['unsigned long']], 'Parameter2' : [ 0x14, ['unsigned long']], 'Parameter3' : [ 0x18, ['unsigned long']], 'Parameter4' : [ 0x1c, ['unsigned long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_PCW_MASK_INFORMATION' : [ 0x20, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'InstanceId' : [ 0xc, ['unsigned long']], 'CollectMultiple' : [ 0x10, ['unsigned char']], 'Buffer' : [ 0x14, 
['pointer', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x18, ['pointer', ['_KEVENT']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '__unnamed_230b' : [ 0x10, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_230b']], } ], '__unnamed_230f' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_230f']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0xe0, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'SystemTime' : [ 0x18, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x20, ['unsigned long long']], 'FeatureFlags' : [ 0x28, ['unsigned long']], 'HiberFlags' : [ 0x2c, ['unsigned char']], 'spare' : [ 0x2d, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x30, 
['unsigned long']], 'HiberVa' : [ 0x34, ['unsigned long']], 'HiberPte' : [ 0x38, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x40, ['unsigned long']], 'FreeMapCheck' : [ 0x44, ['unsigned long']], 'WakeCheck' : [ 0x48, ['unsigned long']], 'FirstTablePage' : [ 0x4c, ['unsigned long']], 'PerfInfo' : [ 0x50, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0xa8, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0xac, ['array', 1, ['unsigned long']]], 'NoBootLoaderLogPages' : [ 0xb0, ['unsigned long']], 'BootLoaderLogPages' : [ 0xb4, ['array', 8, ['unsigned long']]], 'NotUsed' : [ 0xd4, ['unsigned long']], 'ResumeContextCheck' : [ 0xd8, ['unsigned long']], 'ResumeContextPages' : [ 0xdc, ['unsigned long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x58, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'ElapsedTicks' : [ 0x18, ['unsigned long long']], 'CompressTicks' : [ 0x20, ['unsigned long long']], 'ResumeAppTime' : [ 0x28, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x30, ['unsigned long long']], 'BytesCopied' : [ 0x38, ['unsigned long long']], 'PagesProcessed' : [ 0x40, ['unsigned long long']], 'PagesWritten' : [ 0x48, ['unsigned long']], 'DumpCount' : [ 0x4c, 
['unsigned long']], 'FileRuns' : [ 0x50, ['unsigned long']], } ], '_DEVICE_FLAGS' : [ 0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ConsoleIn' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x10, { 'Parent' : [ 0x0, ['pointer', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0xc, ['unsigned char']], 'Reserved' : [ 0xd, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' : [ 0x18, { 'Entry' : [ 0x0, ['unsigned long']], 'Writable' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ControlArea' : [ 0x4, ['pointer', ['_CONTROL_AREA']]], 'ViewLinks' : [ 0x8, ['_LIST_ENTRY']], 'SessionViewVa' : [ 0x10, ['pointer', ['void']]], 'SessionId' : [ 0x14, ['unsigned long']], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 
'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x34, { 'UsedBiosSettings' : [ 0x0, ['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0xc, ['pointer', ['unsigned char']]], 'PciDeviceId' : [ 0x10, ['unsigned short']], 'PciVendorId' : [ 0x12, ['unsigned short']], 'PciBusNumber' : [ 0x14, ['unsigned char']], 'PciBusSegment' : [ 0x16, ['unsigned short']], 'PciSlotNumber' : [ 0x18, ['unsigned char']], 'PciFunctionNumber' : [ 0x19, ['unsigned char']], 'PciFlags' : [ 0x1c, ['unsigned long']], 'SystemGUID' : [ 0x20, ['_GUID']], 'IsMMIODevice' : [ 0x30, ['unsigned char']], 'TerminalType' : [ 0x31, ['unsigned char']], } ], '__unnamed_2337' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_2339' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_233b' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_2337']], 'Gpt' : [ 0x0, ['__unnamed_2339']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x70, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 
'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_233b']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x30, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'Flags' : [ 0x8, ['unsigned long']], 'Hint' : [ 0xc, ['unsigned long']], 'BasePte' : [ 0x10, ['pointer', ['_MMPTE']]], 'FailureCount' : [ 0x14, ['pointer', ['unsigned long']]], 'Vm' : [ 0x18, ['pointer', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x1c, ['long']], 'TotalFreeSystemPtes' : [ 0x20, ['long']], 'CachedPteCount' : [ 0x24, ['long']], 'PteFailures' : [ 0x28, ['unsigned long']], 'SpinLock' : [ 0x2c, ['unsigned long']], 'GlobalMutex' : [ 0x2c, ['pointer', ['_KGUARDED_MUTEX']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x10, { 'DHCPServerACK' : [ 0x0, ['pointer', ['unsigned char']]], 'DHCPServerACKLength' : [ 0x4, ['unsigned long']], 'BootServerReplyPacket' : [ 0x8, ['pointer', ['unsigned char']]], 'BootServerReplyPacketLength' : [ 0xc, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x170, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 9, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], 
'_PO_NOTIFY_ORDER_LEVEL' : [ 0x28, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x10, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x18, ['_LIST_ENTRY']], 'WaitS0' : [ 0x20, ['_LIST_ENTRY']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_ETW_REPLY_QUEUE' : [ 0x2c, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x28, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Reserved' : [ 0x3c, ['array', 6, ['unsigned long']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long 
long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x10, ['pointer', ['void']]], 'WhichOrderedElement' : [ 0x14, ['unsigned long']], 'NumberGenericTableElements' : [ 0x18, ['unsigned long']], 'DepthOfTree' : [ 0x1c, ['unsigned long']], 'RestartKey' : [ 0x20, ['pointer', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x24, ['unsigned long']], 'CompareRoutine' : [ 0x28, ['pointer', ['void']]], 'AllocateRoutine' : [ 0x2c, ['pointer', ['void']]], 'FreeRoutine' : [ 0x30, ['pointer', ['void']]], 'TableContext' : [ 0x34, ['pointer', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_KUSER_SHARED_DATA' : [ 0x5f0, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 
'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'AltArchitecturePad' : [ 0x2c4, ['array', 1, ['unsigned long']]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'TscQpcData' : [ 0x2ed, ['unsigned char']], 'TscQpcEnabled' : [ 0x2ed, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TscQpcSpareFlag' : [ 0x2ed, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'TscQpcShift' : [ 0x2ed, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'TscQpcPad' : [ 0x2ee, ['array', 2, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', 
dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgSystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgSEHValidationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved5' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'TscQpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned short']], 'Reserved4' : [ 0x3c6, ['unsigned short']], 'AitSamplingValue' : [ 0x3c8, ['unsigned long']], 'AppCompatFlag' : [ 0x3cc, ['unsigned long']], 'SystemDllNativeRelocation' : [ 0x3d0, ['unsigned long 
long']], 'SystemDllWowRelocation' : [ 0x3d8, ['unsigned long']], 'XStatePad' : [ 0x3dc, ['array', 1, ['unsigned long']]], 'XState' : [ 0x3e0, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_1041' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1041']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1045' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1045']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_105e' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1060' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_105e']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x28, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x4, ['pointer', ['_TP_POOL']]], 'CleanupGroup' : [ 0x8, ['pointer', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0xc, ['pointer', ['void']]], 'RaceDll' : [ 0x10, ['pointer', ['void']]], 'ActivationContext' : [ 0x14, ['pointer', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x18, ['pointer', ['void']]], 'u' : [ 0x1c, ['__unnamed_1060']], 'CallbackPriority' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_INVALID'})]], 'Size' : [ 0x24, ['unsigned long']], } ], '_TP_TASK' : [ 0x20, { 'Callbacks' : [ 0x0, ['pointer', ['_TP_TASK_CALLBACKS']]], 'NumaNode' : [ 0x4, 
['unsigned long']], 'IdealProcessor' : [ 0x8, ['unsigned char']], 'PostGuard' : [ 0xc, ['_TP_NBQ_GUARD']], 'NBQNode' : [ 0x1c, ['pointer', ['void']]], } ], '_TP_TASK_CALLBACKS' : [ 0x8, { 'ExecuteCallback' : [ 0x0, ['pointer', ['void']]], 'Unposted' : [ 0x4, ['pointer', ['void']]], } ], '_TP_DIRECT' : [ 0xc, { 'Callback' : [ 0x0, ['pointer', ['void']]], 'NumaNode' : [ 0x4, ['unsigned long']], 'IdealProcessor' : [ 0x8, ['unsigned char']], } ], '_TEB' : [ 0xfe4, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 
0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['pointer', ['void']]]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['pointer', ['void']]], 'EtwLocalData' : [ 0xf64, ['pointer', ['void']]], 'EtwTraceData' : [ 0xf68, ['pointer', ['void']]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['pointer', ['void']]], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['pointer', ['void']]], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 
'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], 'PreferredLanguages' : [ 0xfb8, ['pointer', ['void']]], 'UserPrefLanguages' : [ 0xfbc, ['pointer', ['void']]], 'MergedPrefLanguages' : [ 0xfc0, ['pointer', ['void']]], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' 
: [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['pointer', ['void']]], 'TxnScopeExitCallback' : [ 0xfd0, ['pointer', ['void']]], 'TxnScopeContext' : [ 0xfd4, ['pointer', ['void']]], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, ['pointer', ['void']]], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0xc, { 'ChainHead' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x14, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ChainHead' : [ 0xc, ['pointer', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x10, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x24, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer', ['void']]], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 
'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_KPCR' : [ 0x3748, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'Spare2' : [ 0x8, ['pointer', ['void']]], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, 
['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KPRCB' : [ 0x3628, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'LegacyNumber' : [ 0x10, ['unsigned char']], 'NestingLevel' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'CpuType' : [ 0x14, ['unsigned char']], 'CpuID' : [ 0x15, ['unsigned char']], 'CpuStep' : [ 0x16, ['unsigned short']], 'CpuStepping' : [ 0x16, ['unsigned char']], 'CpuModel' : [ 0x17, ['unsigned char']], 'ProcessorState' : [ 0x18, ['_KPROCESSOR_STATE']], 'KernelReserved' : [ 0x338, ['array', 16, ['unsigned long']]], 'HalReserved' : [ 0x378, ['array', 16, ['unsigned long']]], 'CFlushSize' : [ 0x3b8, ['unsigned long']], 'CoresPerPhysicalProcessor' : [ 0x3bc, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x3bd, ['unsigned char']], 'PrcbPad0' : [ 0x3be, ['array', 2, ['unsigned char']]], 'MHz' : [ 0x3c0, ['unsigned long']], 'CpuVendor' : [ 0x3c4, ['unsigned char']], 'GroupIndex' : [ 0x3c5, ['unsigned char']], 'Group' : [ 0x3c6, ['unsigned short']], 'GroupSetMember' : [ 0x3c8, ['unsigned long']], 'Number' : [ 0x3cc, ['unsigned long']], 'PrcbPad1' : [ 0x3d0, ['array', 72, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'NpxThread' : [ 0x4a0, ['pointer', ['_KTHREAD']]], 'InterruptCount' : [ 0x4a4, ['unsigned long']], 'KernelTime' : [ 0x4a8, ['unsigned long']], 
'UserTime' : [ 0x4ac, ['unsigned long']], 'DpcTime' : [ 0x4b0, ['unsigned long']], 'DpcTimeCount' : [ 0x4b4, ['unsigned long']], 'InterruptTime' : [ 0x4b8, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x4bc, ['unsigned long']], 'PageColor' : [ 0x4c0, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x4c4, ['unsigned char']], 'NodeColor' : [ 0x4c5, ['unsigned char']], 'PrcbPad20' : [ 0x4c6, ['array', 2, ['unsigned char']]], 'NodeShiftedColor' : [ 0x4c8, ['unsigned long']], 'ParentNode' : [ 0x4cc, ['pointer', ['_KNODE']]], 'SecondaryColorMask' : [ 0x4d0, ['unsigned long']], 'DpcTimeLimit' : [ 0x4d4, ['unsigned long']], 'PrcbPad21' : [ 0x4d8, ['array', 2, ['unsigned long']]], 'CcFastReadNoWait' : [ 0x4e0, ['unsigned long']], 'CcFastReadWait' : [ 0x4e4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x4e8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x4ec, ['unsigned long']], 'CcCopyReadWait' : [ 0x4f0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x4f4, ['unsigned long']], 'MmSpinLockOrdering' : [ 0x4f8, ['long']], 'IoReadOperationCount' : [ 0x4fc, ['long']], 'IoWriteOperationCount' : [ 0x500, ['long']], 'IoOtherOperationCount' : [ 0x504, ['long']], 'IoReadTransferCount' : [ 0x508, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x510, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x518, ['_LARGE_INTEGER']], 'CcFastMdlReadNoWait' : [ 0x520, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x524, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x528, ['unsigned long']], 'CcMapDataNoWait' : [ 0x52c, ['unsigned long']], 'CcMapDataWait' : [ 0x530, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x534, ['unsigned long']], 'CcPinReadNoWait' : [ 0x538, ['unsigned long']], 'CcPinReadWait' : [ 0x53c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x540, ['unsigned long']], 'CcMdlReadWait' : [ 0x544, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x548, ['unsigned long']], 'CcLazyWriteIos' : [ 0x54c, ['unsigned long']], 'CcLazyWritePages' : [ 0x550, ['unsigned long']], 'CcDataFlushes' : 
[ 0x554, ['unsigned long']], 'CcDataPages' : [ 0x558, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x55c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x560, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x564, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x568, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x56c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x570, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x574, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x578, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x57c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x580, ['unsigned long']], 'CcReadAheadIos' : [ 0x584, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x588, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x58c, ['unsigned long']], 'KeSystemCalls' : [ 0x590, ['unsigned long']], 'AvailableTime' : [ 0x594, ['unsigned long']], 'PrcbPad22' : [ 0x598, ['array', 2, ['unsigned long']]], 'PPLookasideList' : [ 0x5a0, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x620, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0xf20, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x1820, ['unsigned long']], 'ReverseStall' : [ 0x1824, ['long']], 'IpiFrame' : [ 0x1828, ['pointer', ['void']]], 'PrcbPad3' : [ 0x182c, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x1860, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x186c, ['unsigned long']], 'WorkerRoutine' : [ 0x1870, ['pointer', ['void']]], 'IpiFrozen' : [ 0x1874, ['unsigned long']], 'PrcbPad4' : [ 0x1878, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x18a0, ['unsigned long']], 'SignalDone' : [ 0x18a4, ['pointer', ['_KPRCB']]], 'PrcbPad50' : [ 0x18a8, ['array', 56, ['unsigned char']]], 'DpcData' : [ 0x18e0, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x1908, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x190c, ['long']], 'DpcRequestRate' : [ 0x1910, ['unsigned long']],
'MinimumDpcRate' : [ 0x1914, ['unsigned long']], 'DpcLastCount' : [ 0x1918, ['unsigned long']], 'PrcbLock' : [ 0x191c, ['unsigned long']], 'DpcGate' : [ 0x1920, ['_KGATE']], 'ThreadDpcEnable' : [ 0x1930, ['unsigned char']], 'QuantumEnd' : [ 0x1931, ['unsigned char']], 'DpcRoutineActive' : [ 0x1932, ['unsigned char']], 'IdleSchedule' : [ 0x1933, ['unsigned char']], 'DpcRequestSummary' : [ 0x1934, ['long']], 'DpcRequestSlot' : [ 0x1934, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x1934, ['short']], 'DpcThreadActive' : [ 0x1936, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'ThreadDpcState' : [ 0x1936, ['short']], 'TimerHand' : [ 0x1938, ['unsigned long']], 'LastTick' : [ 0x193c, ['unsigned long']], 'MasterOffset' : [ 0x1940, ['long']], 'PrcbPad41' : [ 0x1944, ['array', 2, ['unsigned long']]], 'PeriodicCount' : [ 0x194c, ['unsigned long']], 'PeriodicBias' : [ 0x1950, ['unsigned long']], 'TickOffset' : [ 0x1958, ['unsigned long long']], 'TimerTable' : [ 0x1960, ['_KTIMER_TABLE']], 'CallDpc' : [ 0x31a0, ['_KDPC']], 'ClockKeepAlive' : [ 0x31c0, ['long']], 'ClockCheckSlot' : [ 0x31c4, ['unsigned char']], 'ClockPollCycle' : [ 0x31c5, ['unsigned char']], 'PrcbPad6' : [ 0x31c6, ['array', 2, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x31c8, ['long']], 'DpcWatchdogCount' : [ 0x31cc, ['long']], 'ThreadWatchdogPeriod' : [ 0x31d0, ['long']], 'ThreadWatchdogCount' : [ 0x31d4, ['long']], 'KeSpinLockOrdering' : [ 0x31d8, ['long']], 'PrcbPad70' : [ 0x31dc, ['array', 1, ['unsigned long']]], 'WaitListHead' : [ 0x31e0, ['_LIST_ENTRY']], 'WaitLock' : [ 0x31e8, ['unsigned long']], 'ReadySummary' : [ 0x31ec, ['unsigned long']], 'QueueIndex' : [ 0x31f0, ['unsigned long']], 'DeferredReadyListHead' : [ 0x31f4, ['_SINGLE_LIST_ENTRY']], 'StartCycles' : [ 0x31f8, ['unsigned long long']], 'CycleTime' : [ 0x3200, ['unsigned long long']], 'HighCycleTime' : [ 0x3208, ['unsigned long']], 'PrcbPad71' : [ 0x320c, ['unsigned long']], 'PrcbPad72' : [ 0x3210, ['array', 2, ['unsigned long long']]], 
'DispatcherReadyListHead' : [ 0x3220, ['array', 32, ['_LIST_ENTRY']]], 'ChainedInterruptList' : [ 0x3320, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0x3324, ['long']], 'MmPageFaultCount' : [ 0x3328, ['long']], 'MmCopyOnWriteCount' : [ 0x332c, ['long']], 'MmTransitionCount' : [ 0x3330, ['long']], 'MmCacheTransitionCount' : [ 0x3334, ['long']], 'MmDemandZeroCount' : [ 0x3338, ['long']], 'MmPageReadCount' : [ 0x333c, ['long']], 'MmPageReadIoCount' : [ 0x3340, ['long']], 'MmCacheReadCount' : [ 0x3344, ['long']], 'MmCacheIoCount' : [ 0x3348, ['long']], 'MmDirtyPagesWriteCount' : [ 0x334c, ['long']], 'MmDirtyWriteIoCount' : [ 0x3350, ['long']], 'MmMappedPagesWriteCount' : [ 0x3354, ['long']], 'MmMappedWriteIoCount' : [ 0x3358, ['long']], 'CachedCommit' : [ 0x335c, ['unsigned long']], 'CachedResidentAvailable' : [ 0x3360, ['unsigned long']], 'HyperPte' : [ 0x3364, ['pointer', ['void']]], 'PrcbPad8' : [ 0x3368, ['array', 4, ['unsigned char']]], 'VendorString' : [ 0x336c, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0x3379, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x337a, ['unsigned char']], 'PrcbPad9' : [ 0x337b, ['array', 5, ['unsigned char']]], 'FeatureBits' : [ 0x3380, ['unsigned long']], 'UpdateSignature' : [ 0x3388, ['_LARGE_INTEGER']], 'IsrTime' : [ 0x3390, ['unsigned long long']], 'RuntimeAccumulation' : [ 0x3398, ['unsigned long long']], 'PowerState' : [ 0x33a0, ['_PROCESSOR_POWER_STATE']], 'DpcWatchdogDpc' : [ 0x3468, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x3488, ['_KTIMER']], 'WheaInfo' : [ 0x34b0, ['pointer', ['void']]], 'EtwSupport' : [ 0x34b4, ['pointer', ['void']]], 'InterruptObjectPool' : [ 0x34b8, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x34c0, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x34c8, ['pointer', ['void']]], 'VirtualApicAssist' : [ 0x34cc, ['pointer', ['void']]], 'StatisticsPage' : [ 0x34d0, ['pointer', ['unsigned long long']]], 'RateControl' : [ 0x34d4, ['pointer', ['void']]], 'Cache' : [ 0x34d8, 
['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x3514, ['unsigned long']], 'CacheProcessorMask' : [ 0x3518, ['array', 5, ['unsigned long']]], 'PackageProcessorSet' : [ 0x352c, ['_KAFFINITY_EX']], 'PrcbPad91' : [ 0x3538, ['array', 1, ['unsigned long']]], 'CoreProcessorSet' : [ 0x353c, ['unsigned long']], 'TimerExpirationDpc' : [ 0x3540, ['_KDPC']], 'SpinLockAcquireCount' : [ 0x3560, ['unsigned long']], 'SpinLockContentionCount' : [ 0x3564, ['unsigned long']], 'SpinLockSpinCount' : [ 0x3568, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0x356c, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x3570, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x3574, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x3578, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x357c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x3580, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x3584, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x3588, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x358c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x3590, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x3594, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x3598, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x359c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x35a0, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x35a4, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x35a8, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x35ac, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x35b0, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x35b4, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x35b8, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x35bc, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x35c0, ['unsigned long']],
'ExAcqResSharedStarveExclusiveAttempts' : [ 0x35c4, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x35c8, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x35cc, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x35d0, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x35d4, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x35d8, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x35dc, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x35e0, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x35e4, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x35e8, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x35ec, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x35f0, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x35f4, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x35f8, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x35fc, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0x3600, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0x3604, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0x3608, ['unsigned long']], 'ExBoostSharedOwners' : [ 0x360c, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0x3610, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0x3614, ['unsigned long']], 'Context' : [ 0x3618, ['pointer', ['_CONTEXT']]], 'ContextFlags' : [ 0x361c, ['unsigned long']], 'ExtendedState' : [ 0x3620, ['pointer', ['_XSAVE_AREA']]], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', 
['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_KTHREAD' : [ 0x200, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'CycleTime' : [ 0x10, ['unsigned long long']], 'HighCycleTime' : [ 0x18, ['unsigned long']], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer', ['void']]], 'StackLimit' : [ 0x2c, ['pointer', ['void']]], 'KernelStack' : [ 0x30, ['pointer', ['void']]], 'ThreadLock' : [ 0x34, ['unsigned long']], 'WaitRegister' : [ 0x38, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x39, ['unsigned char']], 'Alerted' : [ 0x3a, ['array', 2, ['unsigned char']]], 'KernelStackResident' : [ 0x3c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x3c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x3c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x3c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x3c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x3c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GdiFlushActive' : [ 0x3c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x3c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x3c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x3c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x3c, 
['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x3c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'TimerActive' : [ 0x3c, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Reserved' : [ 0x3c, ['BitField', dict(start_bit = 13, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x3c, ['long']], 'ApcState' : [ 0x40, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x40, ['array', 23, ['unsigned char']]], 'Priority' : [ 0x57, ['unsigned char']], 'NextProcessor' : [ 0x58, ['unsigned long']], 'DeferredProcessor' : [ 0x5c, ['unsigned long']], 'ApcQueueLock' : [ 0x60, ['unsigned long']], 'ContextSwitches' : [ 0x64, ['unsigned long']], 'State' : [ 0x68, ['unsigned char']], 'NpxState' : [ 0x69, ['unsigned char']], 'WaitIrql' : [ 0x6a, ['unsigned char']], 'WaitMode' : [ 0x6b, ['unsigned char']], 'WaitStatus' : [ 0x6c, ['long']], 'WaitBlockList' : [ 0x70, ['pointer', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0x74, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x74, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0x7c, ['pointer', ['_KQUEUE']]], 'WaitTime' : [ 0x80, ['unsigned long']], 'KernelApcDisable' : [ 0x84, ['short']], 'SpecialApcDisable' : [ 0x86, ['short']], 'CombinedApcDisable' : [ 0x84, ['unsigned long']], 'Teb' : [ 0x88, ['pointer', ['void']]], 'Timer' : [ 0x90, ['_KTIMER']], 'AutoAlignment' : [ 0xb8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0xb8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0xb8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EtwStackTraceApc2Inserted' : [ 0xb8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CalloutActive' : [ 0xb8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ApcQueueable' : [ 0xb8, ['BitField', dict(start_bit 
= 5, end_bit = 6, native_type='unsigned long')]], 'EnableStackSwap' : [ 0xb8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'GuiThread' : [ 0xb8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0xb8, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedFlags' : [ 0xb8, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0xb8, ['long']], 'ServiceTable' : [ 0xbc, ['pointer', ['void']]], 'WaitBlock' : [ 0xc0, ['array', 4, ['_KWAIT_BLOCK']]], 'QueueListEntry' : [ 0x120, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x128, ['pointer', ['_KTRAP_FRAME']]], 'FirstArgument' : [ 0x12c, ['pointer', ['void']]], 'CallbackStack' : [ 0x130, ['pointer', ['void']]], 'CallbackDepth' : [ 0x130, ['unsigned long']], 'ApcStateIndex' : [ 0x134, ['unsigned char']], 'BasePriority' : [ 0x135, ['unsigned char']], 'PriorityDecrement' : [ 0x136, ['unsigned char']], 'ForegroundBoost' : [ 0x136, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x136, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x137, ['unsigned char']], 'AdjustReason' : [ 0x138, ['unsigned char']], 'AdjustIncrement' : [ 0x139, ['unsigned char']], 'PreviousMode' : [ 0x13a, ['unsigned char']], 'Saturation' : [ 0x13b, ['unsigned char']], 'SystemCallNumber' : [ 0x13c, ['unsigned long']], 'FreezeCount' : [ 0x140, ['unsigned long']], 'UserAffinity' : [ 0x144, ['_GROUP_AFFINITY']], 'Process' : [ 0x150, ['pointer', ['_KPROCESS']]], 'Affinity' : [ 0x154, ['_GROUP_AFFINITY']], 'IdealProcessor' : [ 0x160, ['unsigned long']], 'UserIdealProcessor' : [ 0x164, ['unsigned long']], 'ApcStatePointer' : [ 0x168, ['array', 2, ['pointer', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x170, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x170, ['array', 23, ['unsigned char']]], 'WaitReason' : [ 0x187, 
['unsigned char']], 'SuspendCount' : [ 0x188, ['unsigned char']], 'Spare1' : [ 0x189, ['unsigned char']], 'OtherPlatformFill' : [ 0x18a, ['unsigned char']], 'Win32Thread' : [ 0x18c, ['pointer', ['void']]], 'StackBase' : [ 0x190, ['pointer', ['void']]], 'SuspendApc' : [ 0x194, ['_KAPC']], 'SuspendApcFill0' : [ 0x194, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x195, ['unsigned char']], 'SuspendApcFill1' : [ 0x194, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x197, ['unsigned char']], 'SuspendApcFill2' : [ 0x194, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x198, ['unsigned long']], 'SuspendApcFill3' : [ 0x194, ['array', 36, ['unsigned char']]], 'WaitPrcb' : [ 0x1b8, ['pointer', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x194, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x1bc, ['pointer', ['void']]], 'SuspendApcFill5' : [ 0x194, ['array', 47, ['unsigned char']]], 'LargeStack' : [ 0x1c3, ['unsigned char']], 'UserTime' : [ 0x1c4, ['unsigned long']], 'SuspendSemaphore' : [ 0x1c8, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x1c8, ['array', 20, ['unsigned char']]], 'SListFaultCount' : [ 0x1dc, ['unsigned long']], 'ThreadListEntry' : [ 0x1e0, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x1e8, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x1f0, ['pointer', ['void']]], 'ThreadCounters' : [ 0x1f4, ['pointer', ['_KTHREAD_COUNTERS']]], 'XStateSave' : [ 0x1f8, ['pointer', ['_XSTATE_SAVE']]], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Event' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']],
'Depth' : [ 0x4, ['unsigned short']], 'Sequence' : [ 0x6, ['unsigned short']], } ], '_LOOKASIDE_LIST_EX' : [ 0x48, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, { 'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 
0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x30, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x10, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x14, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x18, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x1c, ['long']], 'Flags' : [ 0x20, ['long']], } ], '_ETHREAD' : [ 0x2b8, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x200, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x208, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x208, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x210, ['long']], 'PostBlockList' : [ 0x214, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x214, 
['pointer', ['void']]], 'StartAddress' : [ 0x218, ['pointer', ['void']]], 'TerminationPort' : [ 0x21c, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x21c, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x21c, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x220, ['unsigned long']], 'ActiveTimerListHead' : [ 0x224, ['_LIST_ENTRY']], 'Cid' : [ 0x22c, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x234, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x234, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x248, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x24c, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x254, ['unsigned long']], 'DeviceToVerify' : [ 0x258, ['pointer', ['_DEVICE_OBJECT']]], 'CpuQuotaApc' : [ 0x25c, ['pointer', ['_PSP_CPU_QUOTA_APC']]], 'Win32StartAddress' : [ 0x260, ['pointer', ['void']]], 'LegacyPowerObject' : [ 0x264, ['pointer', ['void']]], 'ThreadListEntry' : [ 0x268, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x270, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x274, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x278, ['unsigned long']], 'MmLockOrdering' : [ 0x27c, ['long']], 'CrossThreadFlags' : [ 0x280, ['unsigned long']], 'Terminated' : [ 0x280, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x280, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x280, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x280, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x280, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x280, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x280, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]],
'SkipCreationMsg' : [ 0x280, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x280, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x280, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x280, ['BitField', dict(start_bit = 10, end_bit = 13, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x280, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x280, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NeedsWorkingSetAging' : [ 0x280, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x284, ['unsigned long']], 'ActiveExWorker' : [ 0x284, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x284, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x284, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ClonedThread' : [ 0x284, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x284, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x284, ['BitField', dict(start_bit = 5, end_bit = 7, native_type='unsigned long')]], 'SelfTerminate' : [ 0x284, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x288, ['unsigned long']], 'Spare' : [ 0x288, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x288, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwPageFaultCalloutActive' : [ 0x288, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x288, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 
0x288, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetExclusive' : [ 0x288, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetShared' : [ 0x288, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x288, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x289, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x289, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x289, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x289, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x289, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsDynamicMemoryShared' : [ 0x289, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x289, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x289, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetExclusive' : [ 0x28a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetShared' : [ 0x28a, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetExclusive' : [ 0x28a, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetShared' : [ 0x28a, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimTrigger' : [ 0x28a, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Spare1' : [ 
0x28a, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x28b, ['unsigned char']], 'CacheManagerActive' : [ 0x28c, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x28d, ['unsigned char']], 'ActiveFaultCount' : [ 0x28e, ['unsigned char']], 'LockOrderState' : [ 0x28f, ['unsigned char']], 'AlpcMessageId' : [ 0x290, ['unsigned long']], 'AlpcMessage' : [ 0x294, ['pointer', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x294, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x298, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x2a0, ['unsigned long']], 'IoBoostCount' : [ 0x2a4, ['unsigned long']], 'IrpListLock' : [ 0x2a8, ['unsigned long']], 'ReservedForSynchTracking' : [ 0x2ac, ['pointer', ['void']]], 'CmCallbackListHead' : [ 0x2b0, ['_SINGLE_LIST_ENTRY']], } ], '_EPROCESS' : [ 0x2c0, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x98, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0xa0, ['_LARGE_INTEGER']], 'ExitTime' : [ 0xa8, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0xb0, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0xb4, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0xb8, ['_LIST_ENTRY']], 'ProcessQuotaUsage' : [ 0xc0, ['array', 2, ['unsigned long']]], 'ProcessQuotaPeak' : [ 0xc8, ['array', 2, ['unsigned long']]], 'CommitCharge' : [ 0xd0, ['unsigned long']], 'QuotaBlock' : [ 0xd4, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'CpuQuotaBlock' : [ 0xd8, ['pointer', ['_PS_CPU_QUOTA_BLOCK']]], 'PeakVirtualSize' : [ 0xdc, ['unsigned long']], 'VirtualSize' : [ 0xe0, ['unsigned long']], 'SessionProcessLinks' : [ 0xe4, ['_LIST_ENTRY']], 'DebugPort' : [ 0xec, ['pointer', ['void']]], 'ExceptionPortData' : [ 0xf0, ['pointer', ['void']]], 'ExceptionPortValue' : [ 0xf0, ['unsigned long']], 'ExceptionPortState' : [ 0xf0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'ObjectTable' : [ 0xf4, ['pointer', ['_HANDLE_TABLE']]], 'Token' : [ 0xf8, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0xfc, ['unsigned long']], 
'AddressCreationLock' : [ 0x100, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x104, ['pointer', ['_ETHREAD']]], 'ForkInProgress' : [ 0x108, ['pointer', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x10c, ['unsigned long']], 'PhysicalVadRoot' : [ 0x110, ['pointer', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x114, ['pointer', ['void']]], 'NumberOfPrivatePages' : [ 0x118, ['unsigned long']], 'NumberOfLockedPages' : [ 0x11c, ['unsigned long']], 'Win32Process' : [ 0x120, ['pointer', ['void']]], 'Job' : [ 0x124, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x128, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x12c, ['pointer', ['void']]], 'Cookie' : [ 0x130, ['unsigned long']], 'Spare8' : [ 0x134, ['unsigned long']], 'WorkingSetWatch' : [ 0x138, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x13c, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x140, ['pointer', ['void']]], 'LdtInformation' : [ 0x144, ['pointer', ['void']]], 'VdmObjects' : [ 0x148, ['pointer', ['void']]], 'ConsoleHostProcess' : [ 0x14c, ['unsigned long']], 'DeviceMap' : [ 0x150, ['pointer', ['void']]], 'EtwDataSource' : [ 0x154, ['pointer', ['void']]], 'FreeTebHint' : [ 0x158, ['pointer', ['void']]], 'PageDirectoryPte' : [ 0x160, ['_HARDWARE_PTE']], 'Filler' : [ 0x160, ['unsigned long long']], 'Session' : [ 0x168, ['pointer', ['void']]], 'ImageFileName' : [ 0x16c, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x17b, ['unsigned char']], 'JobLinks' : [ 0x17c, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x184, ['pointer', ['void']]], 'ThreadListHead' : [ 0x188, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x190, ['pointer', ['void']]], 'PaeTop' : [ 0x194, ['pointer', ['void']]], 'ActiveThreads' : [ 0x198, ['unsigned long']], 'ImagePathHash' : [ 0x19c, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x1a0, ['unsigned long']], 'LastThreadExitStatus' : [ 0x1a4, ['long']], 'Peb' : [ 0x1a8, ['pointer', ['_PEB']]], 'PrefetchTrace' : [ 0x1ac, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x1b0, 
['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1c0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1c8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1d0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1d8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1e0, ['unsigned long']], 'CommitChargePeak' : [ 0x1e4, ['unsigned long']], 'AweInfo' : [ 0x1e8, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x1ec, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x1f0, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x25c, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x264, ['pointer', ['void']]], 'ModifiedPageCount' : [ 0x268, ['unsigned long']], 'Flags2' : [ 0x26c, ['unsigned long']], 'JobNotReallyActive' : [ 0x26c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x26c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x26c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x26c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x26c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x26c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x26c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x26c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x26c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x26c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x26c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtectedProcess' : [ 0x26c, ['BitField', 
dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x26c, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x26c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x26c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x26c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x26c, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x26c, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0x26c, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0x26c, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Flags' : [ 0x270, ['unsigned long']], 'CreateReported' : [ 0x270, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x270, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x270, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x270, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x270, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x270, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x270, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x270, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x270, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x270, ['BitField', 
dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x270, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x270, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x270, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x270, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x270, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x270, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x270, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x270, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x270, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x270, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x270, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x270, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x270, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x270, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x270, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x270, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x270, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x270, ['BitField', dict(start_bit = 30, 
end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0x270, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x274, ['long']], 'VadRoot' : [ 0x278, ['_MM_AVL_TABLE']], 'AlpcContext' : [ 0x298, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x2a8, ['_LIST_ENTRY']], 'RequestedTimerResolution' : [ 0x2b0, ['unsigned long']], 'ActiveThreadsHighWatermark' : [ 0x2b4, ['unsigned long']], 'SmallestTimerResolution' : [ 0x2b8, ['unsigned long']], 'TimerResolutionStackRecord' : [ 0x2bc, ['pointer', ['_PO_DIAG_STACK_RECORD']]], } ], '_KPROCESS' : [ 0x98, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['unsigned long']], 'LdtDescriptor' : [ 0x1c, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x24, ['_KIDTENTRY']], 'ThreadListHead' : [ 0x2c, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x34, ['unsigned long']], 'Affinity' : [ 0x38, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0x44, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x4c, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x50, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0x5c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x5c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ActiveGroupsMask' : [ 0x5c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReservedFlags' : [ 0x5c, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x5c, ['long']], 'BasePriority' : [ 0x60, ['unsigned char']], 'QuantumReset' : [ 0x61, ['unsigned char']], 'Visited' : [ 0x62, ['unsigned char']], 'Unused3' : [ 0x63, ['unsigned char']], 'ThreadSeed' : [ 0x64, ['array', 1, ['unsigned long']]], 'IdealNode' : [ 0x68, ['array', 1, ['unsigned short']]], 'IdealGlobalNode' : [ 0x6a, ['unsigned short']], 'Flags' : [ 
0x6c, ['_KEXECUTE_OPTIONS']], 'Unused1' : [ 0x6d, ['unsigned char']], 'IopmOffset' : [ 0x6e, ['unsigned short']], 'Unused4' : [ 0x70, ['unsigned long']], 'StackCount' : [ 0x74, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0x78, ['_LIST_ENTRY']], 'CycleTime' : [ 0x80, ['unsigned long long']], 'KernelTime' : [ 0x88, ['unsigned long']], 'UserTime' : [ 0x8c, ['unsigned long']], 'VdmTrapcHandler' : [ 0x90, ['pointer', ['void']]], } ], '__unnamed_1291' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_1291']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xc0, { 'PrivilegesUsed' : [ 0x0, ['pointer', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x4, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x14, ['unsigned long']], 'MaximumAuditMask' : [ 0x18, ['unsigned long']], 'TransactionId' : [ 0x1c, ['_GUID']], 'NewSecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'ExistingSecurityDescriptor' : [ 0x30, ['pointer', ['void']]], 'ParentSecurityDescriptor' : [ 0x34, ['pointer', ['void']]], 'DeRefSecurityDescriptor' : [ 0x38, ['pointer', ['void']]], 'SDLock' : [ 0x3c, ['pointer', ['void']]], 'AccessReasons' : [ 0x40, ['_ACCESS_REASONS']], } ], 
'__unnamed_12a0' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_12a5' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_12a7' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_12a5']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_12b2' : [ 0x28, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_12b4' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_12b2']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_12a0']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_12a7']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', 
['void']]], 'Tail' : [ 0x40, ['__unnamed_12b4']], } ], '__unnamed_12bb' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_12bf' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_12c3' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_12c5' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_12c9' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 
'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_12cb' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_12cd' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 
'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], } ], '__unnamed_12cf' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 
'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_12d1' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_12d3' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_12d7' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', 
choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'})]], } ], '__unnamed_12d9' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_12dc' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_12de' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_12e0' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_12e2' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_12e6' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_12ea' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_12ee' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_12f2' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_12f8' : [ 0x10, { 
'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_12fc' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1300' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1302' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_1304' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_1308' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_130c' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_1310' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_1314' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_1318' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_1320' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned 
long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_1324' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_1326' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1328' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_132a' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_12bb']], 'CreatePipe' : [ 0x0, ['__unnamed_12bf']], 'CreateMailslot' : [ 0x0, ['__unnamed_12c3']], 'Read' : [ 0x0, ['__unnamed_12c5']], 'Write' : [ 0x0, ['__unnamed_12c5']], 'QueryDirectory' : [ 0x0, ['__unnamed_12c9']], 'NotifyDirectory' : [ 0x0, ['__unnamed_12cb']], 'QueryFile' : [ 0x0, ['__unnamed_12cd']], 'SetFile' : [ 0x0, ['__unnamed_12cf']], 'QueryEa' : [ 0x0, ['__unnamed_12d1']], 'SetEa' : [ 0x0, ['__unnamed_12d3']], 'QueryVolume' : [ 0x0, ['__unnamed_12d7']], 'SetVolume' : [ 0x0, ['__unnamed_12d7']], 'FileSystemControl' : [ 0x0, ['__unnamed_12d9']], 'LockControl' : [ 0x0, ['__unnamed_12dc']], 'DeviceIoControl' : [ 0x0, ['__unnamed_12de']], 'QuerySecurity' : [ 0x0, ['__unnamed_12e0']], 'SetSecurity' : [ 0x0, ['__unnamed_12e2']], 'MountVolume' : [ 0x0, ['__unnamed_12e6']], 'VerifyVolume' : [ 0x0, 
['__unnamed_12e6']], 'Scsi' : [ 0x0, ['__unnamed_12ea']], 'QueryQuota' : [ 0x0, ['__unnamed_12ee']], 'SetQuota' : [ 0x0, ['__unnamed_12d3']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_12f2']], 'QueryInterface' : [ 0x0, ['__unnamed_12f8']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_12fc']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1300']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1302']], 'SetLock' : [ 0x0, ['__unnamed_1304']], 'QueryId' : [ 0x0, ['__unnamed_1308']], 'QueryDeviceText' : [ 0x0, ['__unnamed_130c']], 'UsageNotification' : [ 0x0, ['__unnamed_1310']], 'WaitWake' : [ 0x0, ['__unnamed_1314']], 'PowerSequence' : [ 0x0, ['__unnamed_1318']], 'Power' : [ 0x0, ['__unnamed_1320']], 'StartDevice' : [ 0x0, ['__unnamed_1324']], 'WMI' : [ 0x0, ['__unnamed_1326']], 'Others' : [ 0x0, ['__unnamed_1328']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_132a']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_1340' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 
0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_1340']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '_KDPC' : [ 0x20, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x4, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x10, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x4, ['pointer', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x8, ['pointer', ['void']]], 'TxnParameters' : [ 0xc, ['pointer', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], 
'_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0x80, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0x70, ['unsigned long']], 'IrpList' : [ 0x74, 
['_LIST_ENTRY']], 'FileObjectExtension' : [ 0x7c, ['pointer', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x38, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0x8, ['unsigned long']], 'CurrentFileIndex' : [ 0x8, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x24, ['pointer', ['unsigned long']]], 'FirstFileEntry' : [ 0x28, ['pointer', ['unsigned long']]], 'Process' : [ 0x2c, ['pointer', ['_EPROCESS']]], 'SessionId' : [ 0x30, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer', ['unsigned long']]], 'LastPageFrameEntry' : [ 0x24, ['pointer', ['unsigned long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 
'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x40, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 
0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer', ['_ERESOURCE']]], 'PagingIoResource' : [ 0xc, ['pointer', ['_ERESOURCE']]], 'AllocationSize' : [ 0x10, ['_LARGE_INTEGER']], 'FileSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x28, ['pointer', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x2c, ['_LIST_ENTRY']], 'PushLock' : [ 0x34, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x38, ['pointer', ['pointer', ['void']]]], } ], '_iobuf' : [ 0x20, { '_ptr' : [ 0x0, ['pointer', ['unsigned char']]], '_cnt' : [ 0x4, ['long']], '_base' : [ 0x8, ['pointer', ['unsigned char']]], '_flag' : [ 0xc, ['long']], '_file' : [ 0x10, ['long']], '_charbuf' : [ 0x14, ['long']], '_bufsiz' : [ 0x18, ['long']], '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]], } ], '__unnamed_14ad' : [ 0x4, { 'Long' : [ 0x0, ['unsigned long']], 'VolatileLong' : [ 0x0, ['unsigned long']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_14ad']], } ], '__unnamed_14be' : [ 0xc, { 'I386' : [ 0x0, ['_I386_LOADER_BLOCK']], 'Ia64' : [ 0x0, ['_IA64_LOADER_BLOCK']], } ], '_LOADER_PARAMETER_BLOCK' : [ 0x88, { 'OsMajorVersion' : [ 0x0, ['unsigned long']], 'OsMinorVersion' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'LoadOrderListHead' : [ 0x10, ['_LIST_ENTRY']], 
'MemoryDescriptorListHead' : [ 0x18, ['_LIST_ENTRY']], 'BootDriverListHead' : [ 0x20, ['_LIST_ENTRY']], 'KernelStack' : [ 0x28, ['unsigned long']], 'Prcb' : [ 0x2c, ['unsigned long']], 'Process' : [ 0x30, ['unsigned long']], 'Thread' : [ 0x34, ['unsigned long']], 'RegistryLength' : [ 0x38, ['unsigned long']], 'RegistryBase' : [ 0x3c, ['pointer', ['void']]], 'ConfigurationRoot' : [ 0x40, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'ArcBootDeviceName' : [ 0x44, ['pointer', ['unsigned char']]], 'ArcHalDeviceName' : [ 0x48, ['pointer', ['unsigned char']]], 'NtBootPathName' : [ 0x4c, ['pointer', ['unsigned char']]], 'NtHalPathName' : [ 0x50, ['pointer', ['unsigned char']]], 'LoadOptions' : [ 0x54, ['pointer', ['unsigned char']]], 'NlsData' : [ 0x58, ['pointer', ['_NLS_DATA_BLOCK']]], 'ArcDiskInformation' : [ 0x5c, ['pointer', ['_ARC_DISK_INFORMATION']]], 'OemFontFile' : [ 0x60, ['pointer', ['void']]], 'Extension' : [ 0x64, ['pointer', ['_LOADER_PARAMETER_EXTENSION']]], 'u' : [ 0x68, ['__unnamed_14be']], 'FirmwareInformation' : [ 0x74, ['_FIRMWARE_INFORMATION_LOADER_BLOCK']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x14, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['unsigned long']], } ], '__unnamed_14ef' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer', ['void']]], 'VolatileNext' : [ 0x0, ['pointer', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], 
'__unnamed_14f1' : [ 0x4, { 'Blink' : [ 0x0, ['unsigned long']], 'ImageProtoPte' : [ 0x0, ['pointer', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long']], } ], '__unnamed_14f4' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_14f6' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_14f4']], } ], '__unnamed_14fb' : [ 0x4, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], } ], '_MMPFN' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_14ef']], 'u2' : [ 0x4, ['__unnamed_14f1']], 'PteAddress' : [ 0x8, ['pointer', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x8, ['pointer', ['void']]], 'Lock' : [ 0x8, ['long']], 'PteLong' : [ 0x8, ['unsigned long']], 'u3' : [ 0xc, ['__unnamed_14f6']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'AweReferenceCount' : [ 0x10, ['long']], 'u4' : [ 0x14, ['__unnamed_14fb']], } ], '_MI_COLOR_BASE' : [ 0x8, { 'ColorPointer' : [ 0x0, ['pointer', ['unsigned short']]], 'ColorMask' : [ 0x4, ['unsigned short']], 'ColorNode' : [ 0x6, ['unsigned short']], } ], '_MMSUPPORT' : [ 0x6c, { 'WorkingSetMutex' : [ 0x0, ['_EX_PUSH_LOCK']], 'ExitGate' : [ 0x4, ['pointer', ['_KGATE']]], 'AccessLog' : [ 0x8, ['pointer', ['void']]], 'WorkingSetExpansionLinks' : [ 0xc, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x14, ['array', 7, ['unsigned long']]], 'MinimumWorkingSetSize' : [ 0x30, ['unsigned long']], 'WorkingSetSize' : [ 0x34, ['unsigned long']], 
'WorkingSetPrivateSize' : [ 0x38, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x3c, ['unsigned long']], 'ChargedWslePages' : [ 0x40, ['unsigned long']], 'ActualWslePages' : [ 0x44, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x48, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x4c, ['unsigned long']], 'HardFaultCount' : [ 0x50, ['unsigned long']], 'VmWorkingSetList' : [ 0x54, ['pointer', ['_MMWSL']]], 'NextPageColor' : [ 0x58, ['unsigned short']], 'LastTrimStamp' : [ 0x5a, ['unsigned short']], 'PageFaultCount' : [ 0x5c, ['unsigned long']], 'RepurposeCount' : [ 0x60, ['unsigned long']], 'Spare' : [ 0x64, ['array', 1, ['unsigned long']]], 'Flags' : [ 0x68, ['_MMSUPPORT_FLAGS']], } ], '_MMWSL' : [ 0x6a8, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer', ['_MMWSLE']]], 'LowestPagableAddress' : [ 0x14, ['pointer', ['void']]], 'LastInitializedWsle' : [ 0x18, ['unsigned long']], 'NextAgingSlot' : [ 0x1c, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x20, ['unsigned long']], 'VadBitMapHint' : [ 0x24, ['unsigned long']], 'NonDirectCount' : [ 0x28, ['unsigned long']], 'LastVadBit' : [ 0x2c, ['unsigned long']], 'MaximumLastVadBit' : [ 0x30, ['unsigned long']], 'LastAllocationSizeHint' : [ 0x34, ['unsigned long']], 'LastAllocationSize' : [ 0x38, ['unsigned long']], 'NonDirectHash' : [ 0x3c, ['pointer', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x40, ['pointer', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x44, ['pointer', ['_MMWSLE_HASH']]], 'UsedPageTableEntries' : [ 0x48, ['array', 768, ['unsigned short']]], 'CommittedPageTables' : [ 0x648, ['array', 24, ['unsigned long']]], } ], '__unnamed_152b' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 
0x0, ['__unnamed_152b']], } ], '__unnamed_153a' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1544' : [ 0xc, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 30, native_type='unsigned long')]], 'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer', ['_MM_SUBSECTION_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1546' : [ 0xc, { 'e2' : [ 0x0, ['__unnamed_1544']], } ], '_CONTROL_AREA' : [ 0x50, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfUserReferences' : [ 0x18, ['unsigned long']], 'u' : [ 0x1c, ['__unnamed_153a']], 'FlushInProgressCount' : [ 0x20, ['unsigned long']], 'FilePointer' : [ 0x24, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x28, ['long']], 'ModifiedWriteCount' : [ 0x2c, ['unsigned long']], 'StartingFrame' : [ 0x2c, ['unsigned long']], 'WaitingForDeletion' : [ 0x30, ['pointer', ['_MI_SECTION_CREATION_GATE']]], 'u2' : [ 0x34, ['__unnamed_1546']], 'LockedPages' : [ 0x40, ['long long']], 'ViewList' : [ 0x48, ['_LIST_ENTRY']], } ], '_MM_STORE_KEY' : [ 0x4, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 28, native_type='unsigned long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'EntireKey' : [ 
0x0, ['unsigned long']], } ], '_MMPAGING_FILE' : [ 0x50, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'PeakUsage' : [ 0x10, ['unsigned long']], 'HighestPage' : [ 0x14, ['unsigned long']], 'File' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'Entry' : [ 0x1c, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x24, ['_UNICODE_STRING']], 'Bitmap' : [ 0x2c, ['pointer', ['_RTL_BITMAP']]], 'EvictStoreBitmap' : [ 0x30, ['pointer', ['_RTL_BITMAP']]], 'BitmapHint' : [ 0x34, ['unsigned long']], 'LastAllocationSize' : [ 0x38, ['unsigned long']], 'ToBeEvictedCount' : [ 0x3c, ['unsigned long']], 'PageFileNumber' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x40, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Spare0' : [ 0x40, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x42, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare1' : [ 0x42, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'FileHandle' : [ 0x44, ['pointer', ['void']]], 'Lock' : [ 0x48, ['unsigned long']], 'LockOwner' : [ 0x4c, ['pointer', ['_ETHREAD']]], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_MM_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x14, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x14, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x18, ['pointer', ['void']]], 'NodeFreeHint' : [ 0x1c, ['pointer', ['void']]], } ], 
'__unnamed_1580' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMVAD']]], } ], '__unnamed_1583' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_1586' : [ 0x4, { 'LongFlags3' : [ 0x0, ['unsigned long']], 'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']], } ], '_MMVAD_SHORT' : [ 0x20, { 'u1' : [ 0x0, ['__unnamed_1580']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1583']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_1586']], } ], '__unnamed_158e' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x14, { 'u1' : [ 0x0, ['__unnamed_158e']], 'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x8, ['pointer', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], } ], '__unnamed_1593' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x3c, { 'u1' : [ 0x0, ['__unnamed_1580']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1583']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_1586']], 'u2' : [ 0x20, ['__unnamed_1593']], 'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x24, ['pointer', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]], 'ViewLinks' : [ 0x30, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x38, ['pointer', 
['_EPROCESS']]], } ], '__unnamed_159e' : [ 0x20, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x1c, ['array', 1, ['unsigned long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x40, { 'Status' : [ 0x0, ['long']], 'Priority' : [ 0x4, ['unsigned char']], 'IrpPriority' : [ 0x5, ['unsigned char']], 'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x10, ['unsigned long']], 'ModifiedPagesTotal' : [ 0x14, ['unsigned long']], 'ModifiedPagefilePages' : [ 0x18, ['unsigned long']], 'ModifiedNoWritePages' : [ 0x1c, ['unsigned long']], 'MdlHack' : [ 0x20, ['__unnamed_159e']], } ], '__unnamed_15a4' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '__unnamed_15a6' : [ 0x4, { 'KeepForever' : [ 0x0, ['unsigned long']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x60, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x8, ['__unnamed_15a4']], 'Irp' : [ 0x10, ['pointer', ['_IRP']]], 'u1' : [ 0x14, ['__unnamed_15a6']], 'PagingFile' : [ 0x18, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x1c, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x20, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x24, ['pointer', ['_ERESOURCE']]], 'WriteOffset' : [ 0x28, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x30, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x38, ['pointer', ['_MDL']]], 'Mdl' : [ 0x3c, ['_MDL']], 'Page' : [ 0x58, ['array', 1, ['unsigned long']]], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_HHIVE' : [ 0x2ec, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]], 'Allocate' : [ 0xc, ['pointer', ['void']]], 'Free' : [ 0x10, ['pointer', ['void']]], 'FileSetSize' : [ 0x14, ['pointer', ['void']]], 
'FileWrite' : [ 0x18, ['pointer', ['void']]], 'FileRead' : [ 0x1c, ['pointer', ['void']]], 'FileFlush' : [ 0x20, ['pointer', ['void']]], 'HiveLoadFailure' : [ 0x24, ['pointer', ['void']]], 'BaseBlock' : [ 0x28, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x2c, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x34, ['unsigned long']], 'DirtyAlloc' : [ 0x38, ['unsigned long']], 'BaseBlockAlloc' : [ 0x3c, ['unsigned long']], 'Cluster' : [ 0x40, ['unsigned long']], 'Flat' : [ 0x44, ['unsigned char']], 'ReadOnly' : [ 0x45, ['unsigned char']], 'DirtyFlag' : [ 0x46, ['unsigned char']], 'HvBinHeadersUse' : [ 0x48, ['unsigned long']], 'HvFreeCellsUse' : [ 0x4c, ['unsigned long']], 'HvUsedCellsUse' : [ 0x50, ['unsigned long']], 'CmUsedCellsUse' : [ 0x54, ['unsigned long']], 'HiveFlags' : [ 0x58, ['unsigned long']], 'CurrentLog' : [ 0x5c, ['unsigned long']], 'LogSize' : [ 0x60, ['array', 2, ['unsigned long']]], 'RefreshCount' : [ 0x68, ['unsigned long']], 'StorageTypeCount' : [ 0x6c, ['unsigned long']], 'Version' : [ 0x70, ['unsigned long']], 'Storage' : [ 0x74, ['array', 2, ['_DUAL']]], } ], '_CM_VIEW_OF_FILE' : [ 0x30, { 'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'PinnedViewLinks' : [ 0x8, ['_LIST_ENTRY']], 'FlushedViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'CmHive' : [ 0x18, ['pointer', ['_CMHIVE']]], 'Bcb' : [ 0x1c, ['pointer', ['void']]], 'ViewAddress' : [ 0x20, ['pointer', ['void']]], 'FileOffset' : [ 0x24, ['unsigned long']], 'Size' : [ 0x28, ['unsigned long']], 'UseCount' : [ 0x2c, ['unsigned long']], } ], '_CMHIVE' : [ 0x630, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x2ec, ['array', 6, ['pointer', ['void']]]], 'NotifyList' : [ 0x304, ['_LIST_ENTRY']], 'HiveList' : [ 0x30c, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0x314, ['_LIST_ENTRY']], 'HiveRundown' : [ 0x31c, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0x320, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0x328, ['pointer', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0x32c, ['unsigned long']], 'Identity' : [ 
0x330, ['unsigned long']], 'HiveLock' : [ 0x334, ['pointer', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x338, ['_EX_PUSH_LOCK']], 'ViewLockOwner' : [ 0x33c, ['pointer', ['_KTHREAD']]], 'ViewLockLast' : [ 0x340, ['unsigned long']], 'ViewUnLockLast' : [ 0x344, ['unsigned long']], 'WriterLock' : [ 0x348, ['pointer', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x34c, ['pointer', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0x350, ['_RTL_BITMAP']], 'FlushOffsetArray' : [ 0x358, ['pointer', ['CMP_OFFSET_ARRAY']]], 'FlushOffsetArrayCount' : [ 0x35c, ['unsigned long']], 'FlushHiveTruncated' : [ 0x360, ['unsigned long']], 'FlushLock2' : [ 0x364, ['pointer', ['_FAST_MUTEX']]], 'SecurityLock' : [ 0x368, ['_EX_PUSH_LOCK']], 'MappedViewList' : [ 0x36c, ['_LIST_ENTRY']], 'PinnedViewList' : [ 0x374, ['_LIST_ENTRY']], 'FlushedViewList' : [ 0x37c, ['_LIST_ENTRY']], 'MappedViewCount' : [ 0x384, ['unsigned short']], 'PinnedViewCount' : [ 0x386, ['unsigned short']], 'UseCount' : [ 0x388, ['unsigned long']], 'ViewsPerHive' : [ 0x38c, ['unsigned long']], 'FileObject' : [ 0x390, ['pointer', ['_FILE_OBJECT']]], 'LastShrinkHiveSize' : [ 0x394, ['unsigned long']], 'ActualFileSize' : [ 0x398, ['_LARGE_INTEGER']], 'FileFullPath' : [ 0x3a0, ['_UNICODE_STRING']], 'FileUserName' : [ 0x3a8, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x3b0, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x3b8, ['unsigned long']], 'SecurityCacheSize' : [ 0x3bc, ['unsigned long']], 'SecurityHitHint' : [ 0x3c0, ['long']], 'SecurityCache' : [ 0x3c4, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x3c8, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0x5c8, ['unsigned long']], 'UnloadEventArray' : [ 0x5cc, ['pointer', ['pointer', ['_KEVENT']]]], 'RootKcb' : [ 0x5d0, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x5d4, ['unsigned char']], 'UnloadWorkItem' : [ 0x5d8, ['pointer', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0x5dc, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0x5f0, ['unsigned char']], 'GrowOffset' : 
[ 0x5f4, ['unsigned long']], 'KcbConvertListHead' : [ 0x5f8, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0x600, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x608, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0x60c, ['unsigned long']], 'TrustClassEntry' : [ 0x610, ['_LIST_ENTRY']], 'FlushCount' : [ 0x618, ['unsigned long']], 'CmRm' : [ 0x61c, ['pointer', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0x620, ['unsigned long']], 'CmRmInitFailStatus' : [ 0x624, ['long']], 'CreatorOwner' : [ 0x628, ['pointer', ['_KTHREAD']]], 'RundownThread' : [ 0x62c, ['pointer', ['_KTHREAD']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0xa0, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'DelayedDeref' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DelayedClose' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Parking' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyHash' : [ 0xc, ['_CM_KEY_HASH']], 'ConvKey' : [ 0xc, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x14, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], 'KcbPushlock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x20, ['pointer', ['_KTHREAD']]], 'SharedCount' 
: [ 0x20, ['long']], 'SlotHint' : [ 0x24, ['unsigned long']], 'ParentKcb' : [ 0x28, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x2c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x30, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x34, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x3c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x3c, ['unsigned long']], 'SubKeyCount' : [ 0x3c, ['unsigned long']], 'KeyBodyListHead' : [ 0x40, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x40, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x48, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0x58, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x60, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x62, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x64, ['unsigned long']], 'KcbUserFlags' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x68, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KCBUoWListHead' : [ 0x6c, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0x74, ['_LIST_ENTRY']], 'Stolen' : [ 0x74, ['pointer', ['unsigned char']]], 'TransKCBOwner' : [ 0x7c, ['pointer', ['_CM_TRANS']]], 'KCBLock' : [ 0x80, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x88, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x90, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x98, ['pointer', ['_CM_TRANS']]], 'FullKCBName' : [ 0x9c, ['pointer', ['_UNICODE_STRING']]], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0xc, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Entry' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], } ], '__unnamed_162b' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: 
'_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapAndCopy', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpReadFileImageAndBuildMap', 8: '_HvpRecoverData', 9: '_HvpRecoverWholeHive', 10: '_HvpMapFileImageAndBuildMap', 11: '_CmpValidateHiveSecurityDescriptors', 12: '_HvpEnlistBinInMap', 13: '_CmCheckRegistry', 14: '_CmRegistryIO', 15: '_CmCheckRegistry2', 16: '_CmpCheckKey', 17: '_CmpCheckValueList', 18: '_HvCheckHive', 19: '_HvCheckBin'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_162e' : [ 0xc, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x4, ['pointer', ['void']]], 'Status' : [ 0x8, ['long']], } ], '__unnamed_1630' : [ 0x4, { 'CheckStack' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1632' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x4, ['pointer', ['_CELL_DATA']]], 'RootPoint' : [ 0x8, ['pointer', ['void']]], 'Index' : [ 0xc, ['unsigned long']], } ], '__unnamed_1634' : [ 0x10, { 'List' : [ 0x0, ['pointer', ['_CELL_DATA']]], 'Index' : [ 0x4, ['unsigned long']], 'Cell' : [ 0x8, ['unsigned long']], 'CellPoint' : [ 0xc, ['pointer', ['_CELL_DATA']]], } ], '__unnamed_1638' : [ 0xc, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer', ['_HBIN']]], } ], '__unnamed_163c' : [ 0x8, { 'Bin' : [ 0x0, ['pointer', ['_HBIN']]], 'CellPoint' : [ 0x4, ['pointer', ['_HCELL']]], } ], '__unnamed_163e' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x120, { 'Hive' : [ 0x0, ['pointer', ['_HHIVE']]], 'Index' : [ 0x4, ['unsigned long']], 'RecoverableIndex' : [ 0x8, ['unsigned long']], 'Locations' : [ 0xc, ['array', 8, ['__unnamed_162b']]], 'RecoverableLocations' : [ 0x6c, ['array', 8, ['__unnamed_162b']]], 'RegistryIO' : [ 0xcc, ['__unnamed_162e']], 'CheckRegistry2' : [ 0xd8, ['__unnamed_1630']], 'CheckKey' : [ 0xdc, ['__unnamed_1632']], 'CheckValueList' : [ 0xec, ['__unnamed_1634']], 'CheckHive' : [ 0xfc, 
['__unnamed_1638']], 'CheckHive1' : [ 0x108, ['__unnamed_1638']], 'CheckBin' : [ 0x114, ['__unnamed_163c']], 'RecoverData' : [ 0x11c, ['__unnamed_163e']], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x8, ['unsigned long']], 'Counters' : [ 0xc, ['pointer', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'CallbackContext' : [ 0x14, ['pointer', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0x80, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'DpcCount' : [ 0x38, ['unsigned long']], 'DpcRate' : [ 0x3c, ['unsigned long']], 'C1Time' : [ 0x40, ['unsigned long long']], 'C2Time' : [ 0x48, ['unsigned long long']], 'C3Time' : [ 0x50, ['unsigned long long']], 'C1Transitions' : [ 0x58, ['unsigned long long']], 'C2Transitions' : [ 0x60, ['unsigned long long']], 'C3Transitions' : [ 0x68, ['unsigned long long']], 'ParkingStatus' : [ 0x70, ['unsigned long']], 'CurrentFrequency' : [ 0x74, ['unsigned long']], 'PercentMaxFrequency' : [ 0x78, ['unsigned long']], 'StateFlags' : [ 0x7c, ['unsigned long']], } ], '_PCW_DATA' : [ 0x8, { 'Data' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 
'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_TEB32' : [ 0xfe4, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, 
['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'EtwLocalData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, 
['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 
'ResourceRetValue' : [ 0xfe0, ['unsigned long']], } ], '_TEB64' : [ 0x1818, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, 
['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'EtwLocalData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' 
: [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']],
'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], } ], '_KTIMER_TABLE' : [ 0x1840, { 'TimerExpiry' : [ 0x0, ['array', 16, ['pointer', ['_KTIMER']]]], 'TimerEntries' : [ 0x40, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['unsigned long']], 'Entry' : [ 0x4, ['_LIST_ENTRY']], 'Time' : [ 0x10, ['_ULARGE_INTEGER']], } ], '_KAFFINITY_EX' : [ 0xc, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_KAFFINITY_ENUMERATION_CONTEXT' : [ 0xc, { 'Affinity' : [ 0x0, ['pointer', ['_KAFFINITY_EX']]], 'CurrentMask' : [ 0x4, ['unsigned long']], 'CurrentIndex' : [ 0x8, ['unsigned short']], } ], '_GROUP_AFFINITY' : [ 0xc, { 'Mask' : [ 0x0, ['unsigned long']], 'Group' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['array', 3, ['unsigned short']]], } ], '_XSTATE_SAVE' : [ 0x20, { 'Reserved1' : [ 0x0, ['long long']], 'Reserved2' : [ 0x8, ['unsigned long']], 'Prev' : [ 0xc, ['pointer', ['_XSTATE_SAVE']]], 'Reserved3' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Thread' : [ 0x14, ['pointer', ['_KTHREAD']]], 'Reserved4' : [ 0x18, ['pointer', ['void']]], 'Level' : [ 0x1c, ['unsigned char']], 'XStateContext' : [ 0x0, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_FXSAVE_FORMAT' : [ 0x1e0, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned short']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned long']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned long']], 'MXCsr' : [ 0x18, ['unsigned long']],
'MXCsrMask' : [ 0x1c, ['unsigned long']], 'RegisterArea' : [ 0x20, ['array', 128, ['unsigned char']]], 'Reserved3' : [ 0xa0, ['array', 128, ['unsigned char']]], 'Reserved4' : [ 0x120, ['array', 192, ['unsigned char']]], } ], '_FNSAVE_FORMAT' : [ 0x6c, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], } ], '_KSTACK_AREA' : [ 0x210, { 'FnArea' : [ 0x0, ['_FNSAVE_FORMAT']], 'NpxFrame' : [ 0x0, ['_FXSAVE_FORMAT']], 'StackControl' : [ 0x1e0, ['_KERNEL_STACK_CONTROL']], 'Cr0NpxState' : [ 0x1fc, ['unsigned long']], 'Padding' : [ 0x200, ['array', 4, ['unsigned long']]], } ], '_KERNEL_STACK_CONTROL' : [ 0x1c, { 'PreviousTrapFrame' : [ 0x0, ['pointer', ['_KTRAP_FRAME']]], 'PreviousExceptionList' : [ 0x0, ['pointer', ['void']]], 'StackControlFlags' : [ 0x4, ['unsigned long']], 'PreviousLargeStack' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousSegmentsPresent' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExpandCalloutStack' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Previous' : [ 0x8, ['_KERNEL_STACK_SEGMENT']], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned short']], 'Logging' : [ 0x12, ['unsigned char']], 'Reserved' : [ 0x13, ['unsigned char']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, 
['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x2c, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x8, ['unsigned long']], 'CompletedList' : [ 0xc, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x14, ['_KSEMAPHORE']], 'SpinLock' : [ 0x28, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x3c, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], 'DependentList' : [ 0x2c, ['_LIST_ENTRY']], 'ProviderList' : [ 
0x34, ['_LIST_ENTRY']], } ], '__unnamed_1740' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1742' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_1746' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x188, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x14, ['_UNICODE_STRING']], 'ServiceName' : [ 0x1c, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x24, ['pointer', ['_IRP']]], 'Level' : [ 0x28, ['unsigned long']], 'Notify' : [ 0x2c, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x68, ['_PO_IRP_MANAGER']], 'State' : [ 0x78, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 
'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x7c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x80, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0xd0, ['unsigned long']], 'CompletionStatus' : [ 0xd4, ['long']], 'Flags' : [ 0xd8, ['unsigned long']], 'UserFlags' : [ 0xdc, ['unsigned long']], 'Problem' : [ 0xe0, ['unsigned long']], 'ResourceList' : [ 0xe4, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0xe8, ['pointer', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0xec, 
['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xf0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xf4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xf8, ['unsigned long']], 'ChildInterfaceType' : [ 0xfc, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x100, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x104, ['unsigned short']], 'RemovalPolicy' : [ 0x106, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x107, ['unsigned char']], 'TargetDeviceNotify' : [ 0x108, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x110, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x118, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x120, ['unsigned short']], 'QueryTranslatorMask' : [ 0x122, ['unsigned short']], 'NoArbiterMask' : [ 0x124, ['unsigned short']], 'QueryArbiterMask' : [ 0x126, ['unsigned short']], 'OverUsed1' : [ 0x128, ['__unnamed_1740']], 'OverUsed2' : [ 0x12c, ['__unnamed_1742']], 'BootResources' : [ 0x130, ['pointer', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x134, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x138, ['unsigned long']], 'DockInfo' : [ 0x13c, ['__unnamed_1746']], 'DisableableDepends' : [ 0x14c, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x150, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x158, ['_LIST_ENTRY']], 
'DriverUnloadRetryCount' : [ 0x160, ['unsigned long']], 'PreviousParent' : [ 0x164, ['pointer', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x168, ['unsigned long']], 'NumaNodeIndex' : [ 0x16c, ['unsigned long']], 'ContainerID' : [ 0x170, ['_GUID']], 'OverrideFlags' : [ 0x180, ['unsigned char']], 'RequiresUnloadedDriver' : [ 0x181, ['unsigned char']], 'PendingEjectRelations' : [ 0x184, ['pointer', ['_PENDING_RELATIONS_LIST_ENTRY']]], } ], '_KNODE' : [ 0x80, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x8, ['array', 3, ['_SLIST_HEADER']]], 'Affinity' : [ 0x20, ['_GROUP_AFFINITY']], 'ProximityId' : [ 0x2c, ['unsigned long']], 'NodeNumber' : [ 0x30, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x32, ['unsigned short']], 'MaximumProcessors' : [ 0x34, ['unsigned char']], 'Color' : [ 0x35, ['unsigned char']], 'Flags' : [ 0x36, ['_flags']], 'NodePad0' : [ 0x37, ['unsigned char']], 'Seed' : [ 0x38, ['unsigned long']], 'MmShiftedColor' : [ 0x3c, ['unsigned long']], 'FreeCount' : [ 0x40, ['array', 2, ['unsigned long']]], 'CachedKernelStacks' : [ 0x48, ['_CACHED_KSTACK_LIST']], 'ParkLock' : [ 0x60, ['long']], 'NodePad1' : [ 0x64, ['unsigned long']], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0xc, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x28, { 'PhysicalDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x4, ['unsigned long']], 'AllocationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0xc, ['unsigned long']], 'Position' : [ 0x10, ['unsigned long']], 'ResourceRequirements' : [ 0x14, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 
0x18, ['pointer', ['void']]], 'ResourceAssignment' : [ 0x1c, ['pointer', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x20, ['pointer', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x24, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 
0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 
'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_17ef' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, 
['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_17ef']], } ], '__unnamed_17f6' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 
'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_17f6']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_POP_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_VOLUME_CACHE_MAP' : [ 0x20, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0xc, ['_LIST_ENTRY']], 'Flags' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'PagesQueuedToDisk' : [ 0x1c, 
['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x158, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObjectFastRef' : [ 0x44, ['_EX_FAST_REF']], 'VacbLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x4c, ['unsigned long']], 'LoggedStreamLinks' : [ 0x50, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x58, ['_LIST_ENTRY']], 'Flags' : [ 0x60, ['unsigned long']], 'Status' : [ 0x64, ['long']], 'Mbcb' : [ 0x68, ['pointer', ['_MBCB']]], 'Section' : [ 0x6c, ['pointer', ['void']]], 'CreateEvent' : [ 0x70, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x74, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x78, ['unsigned long']], 'BeyondLastFlush' : [ 0x80, ['long long']], 'Callbacks' : [ 0x88, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x8c, ['pointer', ['void']]], 'PrivateList' : [ 0x90, ['_LIST_ENTRY']], 'LogHandle' : [ 0x98, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0x9c, ['pointer', ['void']]], 'DirtyPageThreshold' : [ 0xa0, ['unsigned long']], 'LazyWritePassCount' : [ 0xa4, ['unsigned long']], 'UninitializeEvent' : [ 0xa8, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0xac, ['_KGUARDED_MUTEX']], 'LastUnmapBehindOffset' : [ 0xd0, ['_LARGE_INTEGER']], 'Event' : [ 0xd8, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0xe8, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0xf0, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x148, ['pointer', ['void']]], 'VolumeCacheMap' : [ 0x14c, ['pointer', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x150, ['unsigned long']], 'WritesInProgress' : [ 0x154, ['unsigned long']], } 
], '__unnamed_1866' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x20, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_1866']], 'Links' : [ 0x10, ['_LIST_ENTRY']], 'ArrayHead' : [ 0x18, ['pointer', ['_VACB_ARRAY_HEADER']]], } ], '_KGUARDED_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], 'KernelApcDisable' : [ 0x1c, ['short']], 'SpecialApcDisable' : [ 0x1e, ['short']], 'CombinedApcDisable' : [ 0x1c, ['unsigned long']], } ], '__unnamed_1884' : [ 0x4, { 'FileObject' : [ 0x0, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_1886' : [ 0x4, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1888' : [ 0x4, { 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], } ], '__unnamed_188a' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_188c' : [ 0x4, { 'Read' : [ 0x0, ['__unnamed_1884']], 'Write' : [ 0x0, ['__unnamed_1886']], 'Event' : [ 0x0, ['__unnamed_1888']], 'Notification' : [ 0x0, ['__unnamed_188a']], } ], '_WORK_QUEUE_ENTRY' : [ 0x10, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x8, ['__unnamed_188c']], 'Function' : [ 0xc, ['unsigned char']], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x10, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x8, ['pointer', ['void']]], 'VacbLevelsAllocated' : [ 0xc, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x24, { 'ExtendedLookup' : [ 0x0, ['pointer', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x4, ['unsigned long']], 'ExtraItem' : [ 0x8, 
['unsigned long']], 'ItemCount' : [ 0xc, ['unsigned long']], 'OutOfRangeItems' : [ 0x10, ['unsigned long']], 'BaseIndex' : [ 0x14, ['unsigned long']], 'ListHead' : [ 0x18, ['pointer', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x1c, ['pointer', ['unsigned long']]], 'ListHints' : [ 0x20, ['pointer', ['pointer', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x138, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], 'Flags' : [ 0x40, ['unsigned long']], 'ForceFlags' : [ 0x44, ['unsigned long']], 'CompatibilityFlags' : [ 0x48, ['unsigned long']], 'EncodeFlagMask' : [ 0x4c, ['unsigned long']], 'Encoding' : [ 0x50, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x58, ['unsigned long']], 'Interceptor' : [ 0x5c, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x60, ['unsigned long']], 'Signature' : [ 0x64, ['unsigned long']], 'SegmentReserve' : [ 0x68, ['unsigned long']], 'SegmentCommit' : [ 0x6c, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x70, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x74, ['unsigned long']], 'TotalFreeSize' : [ 0x78, ['unsigned long']], 'MaximumAllocationSize' : [ 0x7c, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x80, ['unsigned short']], 'HeaderValidateLength' : [ 0x82, ['unsigned short']], 'HeaderValidateCopy' : [ 0x84, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x88, ['unsigned short']], 'MaximumTagIndex' : [ 
0x8a, ['unsigned short']], 'TagEntries' : [ 0x8c, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0x90, ['_LIST_ENTRY']], 'AlignRound' : [ 0x98, ['unsigned long']], 'AlignMask' : [ 0x9c, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0xa0, ['_LIST_ENTRY']], 'SegmentList' : [ 0xa8, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0xb0, ['unsigned short']], 'NonDedicatedListLength' : [ 0xb4, ['unsigned long']], 'BlocksIndex' : [ 0xb8, ['pointer', ['void']]], 'UCRIndex' : [ 0xbc, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0xc0, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0xc4, ['_LIST_ENTRY']], 'LockVariable' : [ 0xcc, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xd0, ['pointer', ['void']]], 'FrontEndHeap' : [ 0xd4, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0xd8, ['unsigned short']], 'FrontEndHeapType' : [ 0xda, ['unsigned char']], 'Counters' : [ 0xdc, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x130, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_18dd' : [ 0x18, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ], '_HEAP_LOCK' : [ 0x18, { 'Lock' : [ 0x0, ['__unnamed_18dd']], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4,
['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x40, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '_PEB' : [ 0x248, { 'InheritedAddressSpace' : [ 0x0,
['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x20, ['pointer', ['void']]], 'IFEOKey' : [ 0x24, ['pointer', ['void']]], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 
0x2c, ['pointer', ['void']]], 'UserSharedInfoPtr' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'ApiSetMap' : [ 0x38, ['pointer', ['void']]], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'HotpatchInformation' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 
0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['pointer', ['void']]], 'WerShipAssertPtr' : [ 0x234, ['pointer', ['void']]], 'pContextData' : [ 0x238, ['pointer', ['void']]], 'pImageHeaderHash' : [ 0x23c, ['pointer', ['void']]], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_PEB_LDR_DATA' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, 
['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], 'ShutdownInProgress' : [ 0x28, ['unsigned char']], 'ShutdownThreadId' : [ 0x2c, ['pointer', ['void']]], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x78, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'LoadedImports' : [ 0x44, ['pointer', ['void']]], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x4c, ['pointer', ['void']]], 'ForwarderLinks' : [ 0x50, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0x58, ['_LIST_ENTRY']], 'StaticLinks' : [ 0x60, ['_LIST_ENTRY']], 'ContextInformation' : [ 0x68, ['pointer', ['void']]], 'OriginalBase' : [ 0x6c, ['unsigned long']], 'LoadTime' : [ 0x70, ['_LARGE_INTEGER']], } ], '_HEAP_SUBSEGMENT' : [ 0x20, { 'LocalInfo' : [ 0x0, ['pointer', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x4, ['pointer', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x8, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x10, ['unsigned short']], 'Flags' : [ 0x12, ['unsigned short']], 'BlockCount' : [ 0x14, ['unsigned short']], 'SizeIndex' : [ 0x16, ['unsigned char']], 'AffinityIndex' : [ 0x17, ['unsigned char']], 'Alignment' : [ 0x10, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x1c, ['unsigned long']], } ], 
'__unnamed_195c' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_195e' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_195c']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1960' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1962' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1960']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_195e']], 'u2' : [ 0x4, ['__unnamed_1962']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], } ], '_BLOB_TYPE' : [ 0x24, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'CreatedObjects' : [ 0xc, ['unsigned long']], 'DeletedObjects' : [ 0x10, ['unsigned long']], 'DeleteProcedure' : [ 0x14, ['pointer', ['void']]], 'DestroyProcedure' : [ 0x18, ['pointer', ['void']]], 'UsualSize' : [ 0x1c, ['unsigned long']], 'LookasideIndex' : [ 0x20, ['unsigned long']], } ], '__unnamed_197e' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, 
end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1980' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_197e']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x18, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'u1' : [ 0x8, ['__unnamed_1980']], 'ResourceId' : [ 0x9, ['unsigned char']], 'CachedReferences' : [ 0xa, ['short']], 'ReferenceCount' : [ 0xc, ['long']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'Pad' : [ 0x14, ['unsigned long']], } ], '__unnamed_1992' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1994' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1992']], } ], '_KALPC_SECTION' : [ 0x28, { 'SectionObject' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'HandleTable' : [ 0x8, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0xc, ['pointer', ['void']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0x14, ['pointer', ['_ALPC_PORT']]], 'u1' : [ 0x18, ['__unnamed_1994']], 'NumberOfRegions' : [ 0x1c, ['unsigned long']], 'RegionListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '__unnamed_199a' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_199c' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_199a']], } ], '_KALPC_REGION' : [ 0x30, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x8, ['pointer', ['_KALPC_SECTION']]], 'Offset' : [ 0xc, ['unsigned long']], 'Size' : [ 0x10, ['unsigned long']], 'ViewSize' : [ 0x14, ['unsigned long']], 'u1' : [ 0x18, ['__unnamed_199c']], 'NumberOfViews' : [ 0x1c, ['unsigned long']], 'ViewListHead' : [ 0x20, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x28, ['pointer', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 
0x2c, ['pointer', ['_KALPC_VIEW']]], } ], '__unnamed_19a2' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_19a4' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19a2']], } ], '_KALPC_VIEW' : [ 0x34, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x8, ['pointer', ['_KALPC_REGION']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'Address' : [ 0x14, ['pointer', ['void']]], 'Size' : [ 0x18, ['unsigned long']], 'SecureViewHandle' : [ 0x1c, ['pointer', ['void']]], 'WriteAccessHandle' : [ 0x20, ['pointer', ['void']]], 'u1' : [ 0x24, ['__unnamed_19a4']], 'NumberOfOwnerMessages' : [ 0x28, ['unsigned long']], 'ProcessViewListEntry' : [ 0x2c, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x24, { 'ConnectionPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x4, ['pointer', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'CommunicationList' : [ 0xc, ['_LIST_ENTRY']], 'HandleTable' : [ 0x14, ['_ALPC_HANDLE_TABLE']], } ], '__unnamed_19c0' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, 
['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_19c2' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19c0']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0xfc, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'CompletionPort' : [ 0x10, ['pointer', ['void']]], 'CompletionKey' : [ 0x14, ['pointer', ['void']]], 'CompletionPacketLookaside' : [ 0x18, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x1c, ['pointer', ['void']]], 'StaticSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'MainQueue' : [ 0x5c, ['_LIST_ENTRY']], 'PendingQueue' : [ 0x64, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0x6c, ['_LIST_ENTRY']], 'WaitQueue' : [ 0x74, ['_LIST_ENTRY']], 'Semaphore' : [ 0x7c, ['pointer', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0x7c, ['pointer', ['_KEVENT']]], 'PortAttributes' : [ 0x80, ['_ALPC_PORT_ATTRIBUTES']], 'Lock' : [ 0xac, ['_EX_PUSH_LOCK']], 
'ResourceListLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0xb4, ['_LIST_ENTRY']], 'CompletionList' : [ 0xbc, ['pointer', ['_ALPC_COMPLETION_LIST']]], 'MessageZone' : [ 0xc0, ['pointer', ['_ALPC_MESSAGE_ZONE']]], 'CallbackObject' : [ 0xc4, ['pointer', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0xc8, ['pointer', ['void']]], 'CanceledQueue' : [ 0xcc, ['_LIST_ENTRY']], 'SequenceNo' : [ 0xd4, ['long']], 'u1' : [ 0xd8, ['__unnamed_19c2']], 'TargetQueuePort' : [ 0xdc, ['pointer', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0xe0, ['pointer', ['_ALPC_PORT']]], 'CachedMessage' : [ 0xe4, ['pointer', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0xe8, ['unsigned long']], 'PendingQueueLength' : [ 0xec, ['unsigned long']], 'LargeMessageQueueLength' : [ 0xf0, ['unsigned long']], 'CanceledQueueLength' : [ 0xf4, ['unsigned long']], 'WaitQueueLength' : [ 0xf8, ['unsigned long']], } ], '_OBJECT_TYPE' : [ 0x88, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x10, ['pointer', ['void']]], 'Index' : [ 0x14, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x18, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x1c, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x20, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x24, ['unsigned long']], 'TypeInfo' : [ 0x28, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0x78, ['_EX_PUSH_LOCK']], 'Key' : [ 0x7c, ['unsigned long']], 'CallbackList' : [ 0x80, ['_LIST_ENTRY']], } ], '__unnamed_19da' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9,
native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_19dc' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19da']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x88, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtensionBuffer' : [ 0x8, ['pointer', ['void']]], 'ExtensionBufferSize' : [ 0xc, ['unsigned long']], 'QuotaProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'QuotaBlock' : [ 0x10, ['pointer', ['void']]], 'SequenceNo' : [ 0x14, ['long']], 'u1' : [ 0x18, ['__unnamed_19dc']], 'CancelSequencePort' : [ 0x1c, ['pointer', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x20, ['pointer', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x24, ['long']], 'CancelListEntry' : [ 0x28, ['_LIST_ENTRY']], 'WaitingThread' : [ 0x30, ['pointer', ['_ETHREAD']]], 'Reserve' : [ 0x34, ['pointer', ['_KALPC_RESERVE']]], 'PortQueue' : [ 0x38, ['pointer', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x3c, ['pointer', ['_ALPC_PORT']]], 'MessageAttributes' : [ 0x40, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0x5c, ['pointer', ['void']]], 'DataSystemVa' : [ 0x60, ['pointer', ['void']]], 'CommunicationInfo' : [ 0x64, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0x68, ['pointer', ['_ALPC_PORT']]], 'ServerThread' : [ 0x6c, ['pointer', ['_ETHREAD']]], 'PortMessage' : [ 0x70, 
['_PORT_MESSAGE']], } ], '_REMOTE_PORT_VIEW' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x4, ['unsigned long']], 'ViewBase' : [ 0x8, ['pointer', ['void']]], } ], '_KALPC_RESERVE' : [ 0x14, { 'OwnerPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'HandleTable' : [ 0x4, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Message' : [ 0xc, ['pointer', ['_KALPC_MESSAGE']]], 'Active' : [ 0x10, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['pointer', ['_OB_DUPLICATE_OBJECT_STATE']]], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x1c, { 'ClientContext' : [ 0x0, ['pointer', ['void']]], 'ServerContext' : [ 0x4, ['pointer', ['void']]], 'PortContext' : [ 0x8, ['pointer', ['void']]], 'CancelPortContext' : [ 0xc, ['pointer', ['void']]], 'SecurityData' : [ 0x10, ['pointer', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x14, ['pointer', ['_KALPC_VIEW']]], 'HandleData' : [ 0x18, ['pointer', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_1a19' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1a1b' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a19']], } ], '_KALPC_SECURITY_DATA' : [ 0x50, { 'HandleTable' : [ 0x0, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x4, ['pointer', ['void']]], 'OwningProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x10, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x4c, ['__unnamed_1a1b']], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x8, ['unsigned long']], 'KeyContext' : [ 0xc, ['pointer', ['void']]], 'ApcContext' : [ 0x10, ['pointer', ['void']]], 'IoStatus' : [ 0x14, ['long']], 'IoStatusInformation' : [ 0x18, 
['unsigned long']], 'MiniPacketCallback' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], 'Allocated' : [ 0x24, ['unsigned char']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x20, { 'PortObject' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'Message' : [ 0x4, ['pointer', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'TargetPort' : [ 0x10, ['pointer', ['_ALPC_PORT']]], 'Flags' : [ 0x14, ['unsigned long']], 'TotalLength' : [ 0x18, ['unsigned short']], 'Type' : [ 0x1a, ['unsigned short']], 'DataInfoOffset' : [ 0x1c, ['unsigned short']], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x14, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0xc, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4,
['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x24, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x4, ['array', 7, ['pointer', ['void']]]], 'FoIoPriorityHint' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x8, ['long']], 'Information' : [ 0xc, ['unsigned long']], 'ParseCheck' : [ 0x10, ['unsigned long']], 'RelatedFileObject' : [ 0x14, ['pointer', ['_FILE_OBJECT']]], 'OriginalAttributes' : [ 0x18, ['pointer', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x28, ['unsigned long']], 'FileAttributes' : [ 0x2c, ['unsigned short']], 'ShareAccess' : [ 0x2e, ['unsigned short']], 'EaBuffer' : [ 0x30, ['pointer', ['void']]], 'EaLength' : [ 0x34, ['unsigned long']], 'Options' : [ 0x38, ['unsigned long']], 'Disposition' : [ 0x3c, ['unsigned long']], 'BasicInformation' : [ 0x40, ['pointer', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x44, ['pointer', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x4c, ['pointer', ['void']]], 'Override' : [ 0x50, ['unsigned char']], 'QueryOnly' : [ 0x51, ['unsigned char']], 'DeleteOnly' : [ 0x52, ['unsigned char']], 'FullAttributes' : [ 0x53, ['unsigned char']], 'LocalFileObject' : [ 0x54, ['pointer', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x58, ['unsigned long']], 'DriverCreateContext' : [ 0x5c, ['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, 
['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x238, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'CollectionOn' : [ 0xc, ['long']], 'LoggerMode' : [ 0x10, ['unsigned long']], 'AcceptNewEvents' : [ 0x14, ['long']], 'GetCpuClock' : [ 0x18, ['pointer', ['void']]], 'StartTime' : [ 0x20, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x28, ['pointer', ['void']]], 'LoggerThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'LoggerStatus' : [ 0x30, ['long']], 'NBQHead' : [ 0x34, ['pointer', ['void']]], 'OverflowNBQHead' : [ 0x38, ['pointer', ['void']]], 'QueueBlockFreeList' : [ 0x40, ['_SLIST_HEADER']], 'GlobalList' : [ 0x48, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x50, ['pointer', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x50, ['_EX_FAST_REF']], 'LoggerName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileName' : [ 0x5c, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x64, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x6c, ['_UNICODE_STRING']], 'ClockType' : [ 0x74, ['unsigned long']], 'MaximumFileSize' : [ 0x78, ['unsigned long']], 'LastFlushedBuffer' : [ 0x7c, ['unsigned long']], 'FlushTimer' : [ 0x80, ['unsigned long']], 'FlushThreshold' : [ 0x84, ['unsigned long']], 'ByteOffset' : [ 0x88, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0x90, ['unsigned long']], 'BuffersAvailable' : [ 0x94, ['long']], 'NumberOfBuffers' : [ 0x98, ['long']], 'MaximumBuffers' : [ 
0x9c, ['unsigned long']], 'EventsLost' : [ 0xa0, ['unsigned long']], 'BuffersWritten' : [ 0xa4, ['unsigned long']], 'LogBuffersLost' : [ 0xa8, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0xac, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xb0, ['unsigned long']], 'SequencePtr' : [ 0xb4, ['pointer', ['long']]], 'LocalSequence' : [ 0xb8, ['unsigned long']], 'InstanceGuid' : [ 0xbc, ['_GUID']], 'FileCounter' : [ 0xcc, ['long']], 'BufferCallback' : [ 0xd0, ['pointer', ['void']]], 'PoolType' : [ 0xd4, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0xd8, ['_ETW_REF_CLOCK']], 'Consumers' : [ 0xe8, ['_LIST_ENTRY']], 'NumConsumers' : [ 0xf0, ['unsigned long']], 'TransitionConsumer' : [ 0xf4, ['pointer', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0xf8, ['pointer', ['void']]], 'RealtimeLogfileName' : [ 0xfc, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x108, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x110, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x118, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x120, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x128, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x130, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x138, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x148, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x14c, ['_KEVENT']], 'FlushEvent' : [ 0x15c, ['_KEVENT']], 
'FlushTimeOutTimer' : [ 0x170, ['_KTIMER']], 'FlushDpc' : [ 0x198, ['_KDPC']], 'LoggerMutex' : [ 0x1b8, ['_KMUTANT']], 'LoggerLock' : [ 0x1d8, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x1dc, ['unsigned long']], 'BufferListPushLock' : [ 0x1dc, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x1e0, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x21c, ['_EX_FAST_REF']], 'BufferSequenceNumber' : [ 0x220, ['long long']], 'Flags' : [ 0x228, ['unsigned long']], 'Persistent' : [ 0x228, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x228, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x228, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x228, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x228, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x228, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x228, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x228, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x228, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x228, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'RequestFlag' : [ 0x22c, ['unsigned long']], 'RequestNewFie' : [ 0x22c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RequestUpdateFile' : [ 0x22c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x22c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 0x22c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 
'RequestDisconnectConsumer' : [ 0x22c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RequestConnectConsumer' : [ 0x22c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'HookIdMap' : [ 0x230, ['_RTL_BITMAP']], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_ETW_BUFFER_HANDLE' : [ 0x8, { 'TraceBuffer' : [ 0x0, ['pointer', ['_WMI_BUFFER_HEADER']]], 'BufferFastRef' : [ 0x4, ['pointer', ['_EX_FAST_REF']]], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, ['unsigned long long']], 'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_NBQUEUE_BLOCK' : [ 0x18, { 'SListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Next' : [ 0x8, ['unsigned long long']], 'Data' : [ 0x10, ['unsigned long long']], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 
'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], } ], '_TRACE_ENABLE_CONTEXT_EX' : [ 0x10, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], 'EnableFlagsHigh' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_ETW_GUID_ENTRY' : [ 0x178, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x8, ['long']], 'Guid' : [ 0xc, ['_GUID']], 'RegListHead' : [ 0x1c, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x24, ['pointer', ['void']]], 'LastEnable' : [ 0x28, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x28, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x38, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x58, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x158, ['array', 8, ['pointer', ['_EVENT_FILTER_HEADER']]]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x1e0, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', 
['_ERESOURCE']]], 'ModifiedId' : [ 0x34, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : [ 0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned long']], 'UserAndGroups' : [ 0x90, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x94, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x98, ['pointer', ['void']]], 'DynamicPart' : [ 0x9c, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0xa0, ['pointer', ['_ACL']]], 'TokenType' : [ 0xa4, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xac, ['unsigned long']], 'TokenInUse' : [ 0xb0, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xb4, ['unsigned long']], 'MandatoryPolicy' : [ 0xb8, ['unsigned long']], 'LogonSession' : [ 0xbc, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc0, ['_LUID']], 'SidHash' : [ 0xc8, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x150, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x1d8, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'VariablePart' : [ 0x1dc, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x34, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'BuddyLogonId' : [ 0xc, ['_LUID']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'pDeviceMap' : [ 0x1c, ['pointer', ['_DEVICE_MAP']]], 'Token' : [ 0x20, ['pointer', 
['void']]], 'AccountName' : [ 0x24, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x2c, ['_UNICODE_STRING']], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Lock' : [ 0x8, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0xc, ['unsigned char']], 'TraceFlags' : [ 0xd, ['unsigned char']], 'InfoMask' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0xc, ['pointer', ['void']]], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x8, { 'ExclusiveProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'Reserved' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, { 'HandleCountDataBase' : [ 0x0, ['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0xc, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x14, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], 'HashIndex' : [ 0xc, ['unsigned short']], 'DirectoryLocked' : [ 0xe, ['unsigned char']], 'LockedExclusive' : [ 0xf, ['unsigned char']], 'LockStateSignature' 
: [ 0x10, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0xa8, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'SessionId' : [ 0x9c, ['unsigned long']], 'NamespaceEntry' : [ 0xa0, ['pointer', ['void']]], 'Flags' : [ 0xa4, ['unsigned long']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x4, { 'ImpersonationData' : [ 0x0, ['unsigned long']], 'ImpersonationToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MMVAD_FLAGS3' : [ 0x4, { 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SequentialAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long')]], 'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 
'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerEntry' : [ 0x18, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x28, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x2c, ['unsigned long']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 
0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'reserved' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DUAL' : [ 0x13c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x130, ['unsigned long']], 'FreeBins' : [ 0x134, ['_LIST_ENTRY']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x2c, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long']], 'MemoryBandwidth' : [ 0x14, 
['unsigned long']], 'MaxPoolUsage' : [ 0x18, ['unsigned long']], 'MaxSectionSize' : [ 0x1c, ['unsigned long']], 'MaxViewSize' : [ 0x20, ['unsigned long']], 'MaxTotalSectionSize' : [ 0x24, ['unsigned long']], 'DupObjectTypes' : [ 0x28, ['unsigned long']], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Coalescable' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KeepShifting' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'Abandoned' : [ 0x1, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CpuThrottled' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned 
char']], 'Size' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Processor' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'ActiveDR7' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Instrumented' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved2' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned char')]], 'UmsScheduled' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'UmsPrimary' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'DontUse0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'PointerProtoPte' : [ 0x4, ['pointer', ['void']]], } ], '_HEAP_COUNTERS' : [ 0x54, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long']], 'TotalMemoryCommitted' : [ 0x4, ['unsigned long']], 'TotalMemoryLargeUCR' : [ 0x8, ['unsigned long']], 
'TotalSizeInVirtualBlocks' : [ 0xc, ['unsigned long']], 'TotalSegments' : [ 0x10, ['unsigned long']], 'TotalUCRs' : [ 0x14, ['unsigned long']], 'CommittOps' : [ 0x18, ['unsigned long']], 'DeCommitOps' : [ 0x1c, ['unsigned long']], 'LockAcquires' : [ 0x20, ['unsigned long']], 'LockCollisions' : [ 0x24, ['unsigned long']], 'CommitRate' : [ 0x28, ['unsigned long']], 'DecommittRate' : [ 0x2c, ['unsigned long']], 'CommitFailures' : [ 0x30, ['unsigned long']], 'InBlockCommitFailures' : [ 0x34, ['unsigned long']], 'CompactHeapCalls' : [ 0x38, ['unsigned long']], 'CompactedUCRs' : [ 0x3c, ['unsigned long']], 'AllocAndFreeOps' : [ 0x40, ['unsigned long']], 'InBlockDeccommits' : [ 0x44, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x48, ['unsigned long']], 'HighWatermarkSize' : [ 0x4c, ['unsigned long']], 'LastPolledSize' : [ 0x50, ['unsigned long']], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '_SYSPTES_HEADER' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x8, ['unsigned long']], 'NumberOfEntries' : [ 0xc, ['unsigned long']], 'NumberOfEntriesPeak' : [ 0x10, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x3c, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x8, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x18, ['pointer', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x1c, ['pointer', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x20, ['pointer', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x24, ['pointer', ['_IRP']]], 'Lock' : [ 0x28, 
['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x2c, ['unsigned long']], 'ProfileChangingEject' : [ 0x30, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x31, ['unsigned char']], 'LightestSleepState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x38, ['pointer', ['DOCK_INTERFACE']]], } ], '_I386_LOADER_BLOCK' : [ 0xc, { 'CommonDataArea' : [ 0x0, ['pointer', ['void']]], 'MachineType' : [ 0x4, ['unsigned long']], 'VirtualBias' : [ 0x8, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_ARC_DISK_INFORMATION' : [ 0x8, { 'DiskSignatures' : [ 0x0, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x8, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x4, ['unsigned long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_HANDLE_TABLE' : [ 0x3c, { 'TableCode' : [ 0x0, ['unsigned long']], 'QuotaProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x8, ['pointer', ['void']]], 'HandleLock' : [ 0xc, ['_EX_PUSH_LOCK']], 'HandleTableList' : [ 0x10, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x18, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x1c, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 
'StrictFIFO' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FirstFreeHandle' : [ 0x28, ['unsigned long']], 'LastFreeHandleEntry' : [ 0x2c, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x30, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x34, ['unsigned long']], 'HandleCountHighWatermark' : [ 0x38, ['unsigned long']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['unsigned long']], 'PoolType' : [ 0x8, ['unsigned long']], 'NumberOfBytes' : [ 0xc, ['unsigned long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_CM_KEY_BODY' : [ 0x2c, { 
'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'KeyBodyList' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x18, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KtmTrans' : [ 0x1c, ['pointer', ['void']]], 'KtmUow' : [ 0x20, ['pointer', ['_GUID']]], 'ContextListHead' : [ 0x24, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'Object' : [ 0xc, ['pointer', ['void']]], 'NextWaitBlock' : [ 0x10, ['pointer', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x14, ['unsigned short']], 'WaitType' : [ 0x16, ['unsigned char']], 'BlockState' : [ 0x17, ['unsigned char']], } ], '_MMPTE_PROTOTYPE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProtoAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 9, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtoAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['_KAFFINITY_EX']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x54, ['unsigned long']], } ], '__unnamed_1c1b' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1c1d' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1c1b']], 'Private' : [ 0x0, ['__unnamed_1c1d']], } ], '_VI_VERIFIER_ISSUE' : [ 0x10, { 'IssueType' : [ 0x0, ['unsigned long']], 'Address' : [ 0x4, ['pointer', ['void']]], 'Parameters' : [ 0x8, ['array', 2, ['unsigned long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 
'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_OBJECT_REF_INFO' : [ 0x1c, { 'ObjectHeader' : [ 0x0, ['pointer', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x4, ['pointer', ['void']]], 'ImageFileName' : [ 0x8, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x18, ['unsigned short']], 'MaxStacks' : [ 0x1a, ['unsigned short']], 'StackInfo' : [ 0x1c, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0xc, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x4, ['pointer', ['void']]], 'ReferenceCount' : [ 0x8, ['long']], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 
'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '__unnamed_1c3f' : [ 0x8, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_1c45' : [ 0x4, { 'Banked' : [ 0x0, ['pointer', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x48, { 'u1' : [ 0x0, ['__unnamed_1580']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1583']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_1586']], 'u2' : [ 0x20, ['__unnamed_1593']], 'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]], 'ViewLinks' : [ 0x30, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x38, ['pointer', ['_EPROCESS']]], 'u3' : [ 0x3c, ['__unnamed_1c3f']], 'u4' : [ 0x44, ['__unnamed_1c45']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 12, native_type='unsigned long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : 
[ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_EJOB' : [ 0x138, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x70, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0x78, ['unsigned long']], 'TotalProcesses' : [ 0x7c, ['unsigned long']], 'ActiveProcesses' : [ 0x80, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x84, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x88, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0x90, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0x98, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x9c, ['unsigned long']], 'LimitFlags' : [ 0xa0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xa4, ['unsigned long']], 'Affinity' : [ 0xa8, ['_KAFFINITY_EX']], 'PriorityClass' : [ 0xb4, ['unsigned char']], 'AccessState' : [ 0xb8, ['pointer', ['_JOB_ACCESS_STATE']]], 'UIRestrictionsClass' : [ 0xbc, ['unsigned long']], 'EndOfJobTimeAction' : [ 0xc0, ['unsigned long']], 'CompletionPort' : [ 0xc4, ['pointer', ['void']]], 'CompletionKey' : [ 0xc8, ['pointer', ['void']]], 'SessionId' : [ 0xcc, ['unsigned long']], 'SchedulingClass' : [ 0xd0, ['unsigned long']], 'ReadOperationCount' : [ 0xd8, ['unsigned long long']], 'WriteOperationCount' : [ 0xe0, ['unsigned long long']], 'OtherOperationCount' : [ 0xe8, ['unsigned long long']], 'ReadTransferCount' : [ 0xf0, ['unsigned long long']],
'WriteTransferCount' : [ 0xf8, ['unsigned long long']], 'OtherTransferCount' : [ 0x100, ['unsigned long long']], 'ProcessMemoryLimit' : [ 0x108, ['unsigned long']], 'JobMemoryLimit' : [ 0x10c, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x110, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x114, ['unsigned long']], 'CurrentJobMemoryUsed' : [ 0x118, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x120, ['_EX_PUSH_LOCK']], 'JobSetLinks' : [ 0x124, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x12c, ['unsigned long']], 'JobFlags' : [ 0x130, ['unsigned long']], } ], '__unnamed_1c56' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HvMaxCState' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_IDLE_STATES' : [ 0x68, { 'Count' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['__unnamed_1c56']], 'TargetState' : [ 0x8, ['unsigned long']], 'ActualState' : [ 0xc, ['unsigned long']], 'OldState' : [ 0x10, ['unsigned long']], 'NewlyUnparked' : [ 0x14, ['unsigned char']], 'TargetProcessors' : [ 0x18, ['_KAFFINITY_EX']], 'State' : [ 0x28, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '__unnamed_1c5f' : [ 0x10, { 'EfiInformation' : [ 0x0, ['_EFI_FIRMWARE_INFORMATION']], 'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']], } ], '_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x14, { 'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x4, ['__unnamed_1c5f']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x8, ['_LIST_ENTRY']], 'Address' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 
0x14, ['unsigned long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x50, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x8, ['pointer', ['void']]], 'ProcessObject' : [ 0xc, ['pointer', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x10, ['pointer', ['void']]], 'RealtimeConnectContext' : [ 0x14, ['pointer', ['void']]], 'DisconnectEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x1c, ['pointer', ['_KEVENT']]], 'UserBufferCount' : [ 0x20, ['pointer', ['unsigned long']]], 'UserBufferListHead' : [ 0x24, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x28, ['unsigned long']], 'EmptyBuffersCount' : [ 0x2c, ['unsigned long']], 'LoggerId' : [ 0x30, ['unsigned long']], 'ShutDownRequested' : [ 0x34, ['unsigned char']], 'NewBuffersLost' : [ 0x35, ['unsigned char']], 'Disconnected' : [ 0x36, ['unsigned char']], 'ReservedBufferSpaceBitMap' : [ 0x38, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x40, ['pointer', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x44, ['unsigned long']], 'UserPagesAllocated' : [ 0x48, ['unsigned long']], 'UserPagesReused' : [ 0x4c, ['unsigned long']], } ], '__unnamed_1c68' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_1c6e' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, 
native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1c70' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_1c68']], 'Bits' : [ 0x0, ['__unnamed_1c6e']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_1c70']], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x4, ['_KGUARDED_MUTEX']], 'NonPagedLock' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x40, ['long']], 'RunningDeAllocs' : [ 0x44, ['long']], 'TotalBigPages' : [ 0x48, ['long']], 'ThreadsProcessingDeferrals' : [ 0x4c, ['long']], 'TotalBytes' : [ 0x50, ['unsigned long']], 'PoolIndex' : [ 0x80, ['unsigned long']], 'TotalPages' : [ 0xc0, ['long']], 'PendingFrees' : [ 0x100, ['pointer', ['pointer', ['void']]]], 'PendingFreeDepth' : [ 0x104, ['long']], 'ListHeads' : [ 0x140, ['array', 512, ['_LIST_ENTRY']]], } ], '_KGATE' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', 
dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x4, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0xc, ['unsigned long']], } ], '_DRIVER_EXTENSION' : [ 0x1c, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0x278, { 
'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'MessageServiceRoutine' : [ 0x10, ['pointer', ['void']]], 'MessageIndex' : [ 0x14, ['unsigned long']], 'ServiceContext' : [ 0x18, ['pointer', ['void']]], 'SpinLock' : [ 0x1c, ['unsigned long']], 'TickCount' : [ 0x20, ['unsigned long']], 'ActualLock' : [ 0x24, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x28, ['pointer', ['void']]], 'Vector' : [ 0x2c, ['unsigned long']], 'Irql' : [ 0x30, ['unsigned char']], 'SynchronizeIrql' : [ 0x31, ['unsigned char']], 'FloatingSave' : [ 0x32, ['unsigned char']], 'Connected' : [ 0x33, ['unsigned char']], 'Number' : [ 0x34, ['unsigned long']], 'ShareVector' : [ 0x38, ['unsigned char']], 'Pad' : [ 0x39, ['array', 3, ['unsigned char']]], 'Mode' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x44, ['unsigned long']], 'DispatchCount' : [ 0x48, ['unsigned long']], 'Rsvd1' : [ 0x50, ['unsigned long long']], 'DispatchCode' : [ 0x58, ['array', 135, ['unsigned long']]], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], 'GrantedAccessIndex' : [ 0x4, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x6, ['unsigned short']], 'NextFreeTableEntry' : [ 0x4, ['unsigned long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], 
'_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x18, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x4, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0xc, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x10, ['_LIST_ENTRY']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_HIVE_LIST_ENTRY' : [ 0x58, { 'FileName' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'RegRootName' : [ 0x8, ['pointer', ['unsigned short']]], 'CmHive' : [ 0xc, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0x10, ['unsigned long']], 'CmHiveFlags' : [ 0x14, ['unsigned long']], 'CmKcbCacheSize' : [ 0x18, ['unsigned long']], 'CmHive2' : [ 0x1c, ['pointer', ['_CMHIVE']]], 'HiveMounted' : [ 0x20, ['unsigned char']], 'ThreadFinished' : [ 0x21, ['unsigned char']], 'ThreadStarted' : [ 0x22, ['unsigned char']], 'Allocate' : [ 0x23, ['unsigned char']], 'WinPERequired' : [ 0x24, ['unsigned char']], 'StartEvent' : [ 0x28, ['_KEVENT']], 'FinishedEvent' : [ 0x38, ['_KEVENT']], 'MountLock' : [ 0x48, ['_KEVENT']], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 
'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_ALPC_HANDLE_TABLE' : [ 0x10, { 'Handles' : [ 0x0, ['pointer', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'Lock' : [ 0xc, ['_EX_PUSH_LOCK']], } ], '_MMPTE_HARDWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, 
native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x100, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'Thread' : [ 0x4, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 62, ['pointer', ['void']]]], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x54, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'Mdl' : [ 0xc, ['pointer', ['_MDL']]], 'UserVa' : [ 0x10, ['pointer', ['void']]], 'UserLimit' : [ 0x14, ['pointer', ['void']]], 'DataUserVa' : [ 0x18, ['pointer', ['void']]], 'SystemVa' : [ 0x1c, ['pointer', ['void']]], 'TotalSize' : [ 0x20, ['unsigned long']], 'Header' : [ 0x24, ['pointer', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x28, ['pointer', ['void']]], 'ListSize' : [ 0x2c, ['unsigned long']], 'Bitmap' : [ 0x30, ['pointer', ['void']]], 'BitmapSize' : [ 0x34, ['unsigned long']], 'Data' : [ 0x38, ['pointer', ['void']]], 'DataSize' : [ 0x3c, ['unsigned long']], 'BitmapLimit' : [ 0x40, ['unsigned long']], 'BitmapNextHint' : [ 0x44, ['unsigned long']], 'ConcurrencyCount' : [ 0x48, ['unsigned long']], 'AttributeFlags' : [ 0x4c, ['unsigned long']], 'AttributeSize' : [ 0x50, ['unsigned long']], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 
'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x50, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x20, ['_KTIMER']], 'ScanActive' : [ 0x48, ['unsigned char']], 'OtherWork' : [ 0x49, ['unsigned char']], 'PendingTeardownScan' : [ 0x4a, ['unsigned char']], 'PendingPeriodicScan' : [ 0x4b, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x4c, ['unsigned char']], 'PendingPowerScan' : [ 0x4d, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], 
'_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_IO_WORKITEM' : [ 0x20, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x10, ['pointer', ['void']]], 'IoObject' : [ 0x14, ['pointer', ['void']]], 'Context' : [ 0x18, ['pointer', ['void']]], 'Type' : [ 0x1c, ['unsigned long']], } ], '_CM_RM' : [ 0x58, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x8, ['_LIST_ENTRY']], 'TmHandle' : [ 0x10, ['pointer', ['void']]], 'Tm' : [ 0x14, ['pointer', ['void']]], 'RmHandle' : [ 0x18, ['pointer', ['void']]], 'KtmRm' : [ 0x1c, ['pointer', ['void']]], 'RefCount' : [ 0x20, ['unsigned long']], 'ContainerNum' : [ 0x24, ['unsigned long']], 'ContainerSize' : [ 0x28, ['unsigned long long']], 'CmHive' : [ 0x30, ['pointer', ['_CMHIVE']]], 'LogFileObject' : [ 0x34, ['pointer', ['void']]], 'MarshallingContext' : [ 0x38, ['pointer', ['void']]], 'RmFlags' : [ 0x3c, ['unsigned long']], 'LogStartStatus1' : [ 0x40, ['long']], 'LogStartStatus2' : [ 0x44, ['long']], 'BaseLsn' : [ 0x48, ['unsigned long long']], 'RmLock' : [ 0x50, ['pointer', ['_ERESOURCE']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_MMVAD_FLAGS' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 19, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 23, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit 
= 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x8, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'Flags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x5, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0x6, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'OldIrql' : [ 0x4, ['unsigned char']], 'NewIrql' : [ 0x5, ['unsigned char']],
'Processor' : [ 0x6, ['unsigned short']], 'TickCount' : [ 0x8, ['unsigned long']], 'StackTrace' : [ 0xc, ['array', 5, ['pointer', ['void']]]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x64, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'Data' : [ 0x20, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0xc, { 'AnsiCodePageData' : [ 0x0, ['pointer', ['void']]], 'OemCodePageData' : [ 0x4, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x8, ['pointer', ['void']]], } ], '_ALIGNED_AFFINITY_SUMMARY' : [ 0x40, { 'CpuSet' : [ 0x0, ['_KAFFINITY_EX']], 'SMTSet' : [ 0xc, ['_KAFFINITY_EX']], } ], '_XSTATE_CONFIGURATION' : [ 0x210, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'OptimizedSave' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Features' : [ 0x10, ['array', 64, ['_XSTATE_FEATURE']]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x2c, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 
0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'RealRefCount' : [ 0x14, ['unsigned long']], 'Descriptor' : [ 0x18, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_MMPTE_SOFTWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x18, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 
0x18, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x1c, ['pointer', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'Padding0' : [ 0x20, ['array', 2, ['unsigned long']]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, 
['pointer', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer', ['void']]], 'Pointer1' : [ 0x3c, ['pointer', ['void']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_PROCESSOR_POWER_STATE' : [ 0xc8, { 'IdleStates' : [ 0x0, ['pointer', ['_PPM_IDLE_STATES']]], 'IdleTimeLast' : [ 0x8, ['unsigned long long']], 'IdleTimeTotal' : [ 0x10, ['unsigned long long']], 'IdleTimeEntry' : [ 0x18, ['unsigned long long']], 'IdleAccounting' : [ 0x20, ['pointer', ['_PROC_IDLE_ACCOUNTING']]], 'Hypervisor' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower'})]], 'PerfHistoryTotal' : [ 0x28, ['unsigned long']], 'ThermalConstraint' : [ 0x2c, ['unsigned char']], 'PerfHistoryCount' : [ 0x2d, ['unsigned char']], 'PerfHistorySlot' : [ 0x2e, ['unsigned char']], 'Reserved' : [ 0x2f, ['unsigned char']], 'LastSysTime' : [ 0x30, ['unsigned long']], 
'WmiDispatchPtr' : [ 0x34, ['unsigned long']], 'WmiInterfaceEnabled' : [ 0x38, ['long']], 'FFHThrottleStateInfo' : [ 0x40, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0x60, ['_KDPC']], 'PerfActionMask' : [ 0x80, ['long']], 'IdleCheck' : [ 0x88, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0x98, ['_PROC_IDLE_SNAP']], 'Domain' : [ 0xa8, ['pointer', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0xac, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'Load' : [ 0xb0, ['pointer', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0xb4, ['pointer', ['_PROC_HISTORY_ENTRY']]], 'Utility' : [ 0xb8, ['unsigned long']], 'OverUtilizedHistory' : [ 0xbc, ['unsigned long']], 'AffinityCount' : [ 0xc0, ['unsigned long']], 'AffinityHistory' : [ 0xc4, ['unsigned long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 0x1, ['BitField', 
dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x20, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x24, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x20, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned 
short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], 'DOCK_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ProfileDepartureSetMode' : [ 0x10, ['pointer', ['void']]], 'ProfileDepartureUpdate' : [ 0x14, ['pointer', ['void']]], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, 
native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 
'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x30, { 'Lock' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'ActiveCount' : [ 0x8, ['unsigned long']], 'PendingNullCount' : [ 0xc, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x10, ['unsigned long']], 'PendingDelete' : [ 0x14, ['unsigned long']], 'FreeListHead' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x1c, ['pointer', ['void']]], 'CompletionKey' : [ 0x20, ['pointer', ['void']]], 'Entry' : [ 0x24, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 
'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0xc, ['unsigned long']], 'PageCount' : [ 0x10, ['unsigned long']], } ], '_CM_INTENT_LOCK' : [ 0x8, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x4, ['pointer', ['pointer', ['_CM_KCB_UOW']]]], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x2c0, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'BucketLimits' : [ 0x18, ['array', 16, ['unsigned long long']]], 'State' : [ 0x98, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_MAPPED_FILE_SEGMENT' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, 
['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x84, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'OptionChanges' : [ 0x68, ['unsigned long']], 'VerifyMode' : [ 0x6c, ['unsigned long']], 'PreviousBucketName' : [ 0x70, ['_UNICODE_STRING']], 'ActivityCounter' : [ 0x78, ['unsigned long']], 'PreviousActivityCounter' : [ 0x7c, ['unsigned long']], 'WorkerTrimRequests' : [ 0x80, ['unsigned long']], } ], '_VI_FAULT_TRACE' : [ 0x24, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 8, ['pointer', ['void']]]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, 
['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'IoPriorityBoosted' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OwnerCount' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_MI_SECTION_CREATION_GATE' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_MI_SECTION_CREATION_GATE']]], 'Gate' : [ 0x4, ['_KGATE']], } ], '_ETIMER' : [ 0x98, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x28, ['_KAPC']], 'TimerDpc' : [ 0x58, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lock' : [ 0x80, ['unsigned long']], 'Period' : [ 0x84, ['long']], 'ApcAssociated' : [ 0x88, ['unsigned char']], 'WakeReason' : [ 0x8c, ['pointer', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x90, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0xc, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x4, ['_RTL_BITMAP']], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '__unnamed_1dc5' : [ 0x4, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_1dc5']], 'EndVa' : [ 0x4, ['pointer', ['void']]], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_ARBITER_INSTANCE' : [ 0x5ec, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'OrderingName' : [ 0xc, 
['pointer', ['unsigned short']]], 'ResourceType' : [ 0x10, ['long']], 'Allocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x18, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x1c, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x24, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x2c, ['long']], 'Interface' : [ 0x30, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x34, ['unsigned long']], 'AllocationStack' : [ 0x38, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x3c, ['pointer', ['void']]], 'PackResource' : [ 0x40, ['pointer', ['void']]], 'UnpackResource' : [ 0x44, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x48, ['pointer', ['void']]], 'TestAllocation' : [ 0x4c, ['pointer', ['void']]], 'RetestAllocation' : [ 0x50, ['pointer', ['void']]], 'CommitAllocation' : [ 0x54, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x58, ['pointer', ['void']]], 'BootAllocation' : [ 0x5c, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x60, ['pointer', ['void']]], 'QueryConflict' : [ 0x64, ['pointer', ['void']]], 'AddReserved' : [ 0x68, ['pointer', ['void']]], 'StartArbiter' : [ 0x6c, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x70, ['pointer', ['void']]], 'AllocateEntry' : [ 0x74, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x78, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x7c, ['pointer', ['void']]], 'AddAllocation' : [ 0x80, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x84, ['pointer', ['void']]], 'OverrideConflict' : [ 0x88, ['pointer', ['void']]], 'InitializeRangeList' : [ 0x8c, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x90, ['unsigned char']], 'TransactionEvent' : [ 0x94, ['pointer', ['_KEVENT']]], 'Extension' : [ 0x98, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x9c, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0xa0, ['pointer', ['void']]], 'ConflictCallback' : [ 0xa4, ['pointer', ['void']]], 'PdoDescriptionString' : [ 0xa8, ['array', 
336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x348, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x5e8, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '__unnamed_1e1e' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_1e20' : [ 0x8, { 'Last' : [ 0x0, ['unsigned long']], 'u' : [ 0x4, ['__unnamed_1e1e']], } ], '__unnamed_1e22' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_1e1e']], } ], '__unnamed_1e24' : [ 0x8, { 'OldCell' : [ 0x0, ['__unnamed_1e20']], 'NewCell' : [ 0x0, ['__unnamed_1e22']], } ], '_HCELL' : [ 0xc, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1e24']], } ], '_HMAP_TABLE' : [ 0x2000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x24, { 'Prcb' : [ 0x0, ['pointer', ['_KPRCB']]], 'PerfContext' : [ 0x4, ['unsigned long']], 'PercentageCap' : [ 0x8, ['unsigned long']], 'ThermalCap' : [ 0xc, ['unsigned long']], 'TargetFrequency' : [ 0x10, ['unsigned long']], 'AcumulatedFullFrequency' : [ 0x14, ['unsigned long']], 'AcumulatedZeroFrequency' : [ 0x18, ['unsigned long']], 'FrequencyHistoryTotal' : [ 0x1c, ['unsigned long']], 'AverageFrequency' : [ 0x20, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 
'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', 7, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target 
= 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_CACHED_KSTACK_LIST' : [ 0x18, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x8, ['long']], 'Misses' : [ 0xc, ['unsigned long']], 'MissesLast' : [ 0x10, ['unsigned long']], 'Pad0' : [ 0x14, ['unsigned long']], } ], '__unnamed_1e37' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e3b' : [ 0x14, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long']], } ], '__unnamed_1e3d' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1e3f' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1e41' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1e43' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, 
['unsigned long']], } ], '__unnamed_1e45' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e47' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e49' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e4b' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1e37']], 'Memory' : [ 0x0, ['__unnamed_1e37']], 'Interrupt' : [ 0x0, ['__unnamed_1e3b']], 'Dma' : [ 0x0, ['__unnamed_1e3d']], 'Generic' : [ 0x0, ['__unnamed_1e37']], 'DevicePrivate' : [ 0x0, ['__unnamed_1e3f']], 'BusNumber' : [ 0x0, ['__unnamed_1e41']], 'ConfigData' : [ 0x0, ['__unnamed_1e43']], 'Memory40' : [ 0x0, ['__unnamed_1e45']], 'Memory48' : [ 0x0, ['__unnamed_1e47']], 'Memory64' : [ 0x0, ['__unnamed_1e49']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1e4b']], } ], '_POP_THERMAL_ZONE' : [ 0x150, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x8, ['unsigned char']], 'Flags' : [ 0x9, ['unsigned char']], 'Mode' : [ 0xa, ['unsigned char']], 'PendingMode' : [ 0xb, ['unsigned char']], 'ActivePoint' : [ 0xc, ['unsigned char']], 'PendingActivePoint' : [ 0xd, ['unsigned char']], 'Throttle' : [ 0x10, ['long']], 'LastTime' : [ 0x18, ['unsigned long long']], 'SampleRate' : [ 0x20, ['unsigned long']], 'LastTemp' : [ 0x24, ['unsigned long']], 'PassiveTimer' : [ 0x28, ['_KTIMER']], 'PassiveDpc' : [ 0x50, 
['_KDPC']], 'OverThrottled' : [ 0x70, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0x80, ['pointer', ['_IRP']]], 'Info' : [ 0x84, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0xe0, ['_LARGE_INTEGER']], 'Metrics' : [ 0xe8, ['_POP_THERMAL_ZONE_METRICS']], } ], '_MMPTE_LIST' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, { 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_CM_WORKITEM' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x8, ['unsigned long']], 'WorkerRoutine' : [ 0xc, ['pointer', ['void']]], 'Parameter' : [ 0x10, ['pointer', ['void']]], } ], '_POP_THERMAL_ZONE_METRICS' : [ 0x68, { 'MetricsResource' : [ 0x0, ['_ERESOURCE']], 'ActiveCount' : [ 0x38, ['unsigned long']], 'PassiveCount' : [ 0x3c, ['unsigned long']], 'LastActiveStartTick' : [ 0x40, ['_LARGE_INTEGER']], 'AverageActiveTime' : [ 0x48, ['_LARGE_INTEGER']], 'LastPassiveStartTick' : [ 0x50, ['_LARGE_INTEGER']], 'AveragePassiveTime' : [ 0x58, ['_LARGE_INTEGER']], 
'StartTickSinceLastReset' : [ 0x60, ['_LARGE_INTEGER']], } ], '_CM_TRANS' : [ 0x68, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x8, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x18, ['pointer', ['void']]], 'CmRm' : [ 0x1c, ['pointer', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x20, ['pointer', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x24, ['pointer', ['void']]], 'KtmUow' : [ 0x28, ['_GUID']], 'StartLsn' : [ 0x38, ['unsigned long long']], 'TransState' : [ 0x40, ['unsigned long']], 'HiveCount' : [ 0x44, ['unsigned long']], 'HiveArray' : [ 0x48, ['array', 7, ['pointer', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x2c, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ProbeMode' : [ 0x8, ['unsigned char']], 'PagedPoolCharge' : [ 0xc, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x10, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptor' : [ 0x18, ['pointer', ['void']]], 'SecurityQos' : [ 0x1c, 
['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x20, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x1c, ['unsigned short']], 'SpareUSHORT' : [ 0x1e, ['unsigned short']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_PO_DIAG_STACK_RECORD' : [ 0x8, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x4, ['array', 1, ['pointer', ['void']]]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_VF_BTS_DATA_MANAGEMENT_AREA' : [ 0x34, { 'BTSBufferBase' : [ 0x0, ['pointer', ['void']]], 'BTSIndex' : [ 0x4, ['pointer', ['void']]], 'BTSMax' : [ 0x8, ['pointer', ['void']]], 'BTSInterruptThreshold' : [ 0xc, ['pointer', ['void']]], 'PEBSBufferBase' : [ 0x10, ['pointer', ['void']]], 'PEBSIndex' : [ 0x14, ['pointer', ['void']]], 'PEBSMax' : [ 0x18, ['pointer', ['void']]], 'PEBSInterruptThreshold' : [ 0x1c, ['pointer', ['void']]], 'PEBSCounterReset' : [ 0x20, ['array', 2, ['pointer', ['void']]]], 'Reserved' : [ 0x28, ['array', 12, ['unsigned char']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, 
['array', 80, ['unsigned char']]], 'Cr0NpxState' : [ 0x6c, ['unsigned long']], } ], '_SEP_AUDIT_POLICY' : [ 0x1c, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1b, ['unsigned char']], } ], '__unnamed_1e88' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1e8a' : [ 0xc, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_1e88']], } ], '_VF_TARGET_DRIVER' : [ 0x18, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'u1' : [ 0x8, ['__unnamed_1e8a']], 'VerifiedData' : [ 0x14, ['pointer', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '__unnamed_1e92' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_1e94' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1e96' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1e98' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceIds' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1e9a' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1e9c' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1e9e' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1ea0' : [ 0x10, { 
'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_1ea2' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1ea4' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_1ea6' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_1e92']], 'TargetDevice' : [ 0x0, ['__unnamed_1e94']], 'InstallDevice' : [ 0x0, ['__unnamed_1e96']], 'CustomNotification' : [ 0x0, ['__unnamed_1e98']], 'ProfileNotification' : [ 0x0, ['__unnamed_1e9a']], 'PowerNotification' : [ 0x0, ['__unnamed_1e9c']], 'VetoNotification' : [ 0x0, ['__unnamed_1e9e']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_1ea0']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_1ea2']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_1ea4']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_1e96']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x44, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_1ea6']], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], } ], '_MMPTE_TIMESTAMP' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 
'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x88, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x8, ['array', 32, ['unsigned long']]], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Reserved2' : [ 0x14, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer', ['void']]], 'Reserved3' : [ 0x1c, ['unsigned long']], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 8, ['_M128A']]], 'Reserved4' : [ 0x120, ['array', 192, ['unsigned char']]], 'StackControl' : [ 0x1e0, ['array', 7, ['unsigned long']]], 'Cr0NpxState' : [ 0x1fc, ['unsigned long']], } ], '_MBCB' : [ 0x88, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 
'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x48, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x68, ['_BITMAP_RANGE']], } ], '_PS_CPU_QUOTA_BLOCK' : [ 0x880, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x8, ['unsigned long']], 'CpuShareWeight' : [ 0xc, ['unsigned long']], 'CapturedWeightData' : [ 0x10, ['_PSP_CPU_SHARE_CAPTURED_WEIGHT_DATA']], 'DuplicateInputMarker' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x18, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x18, ['long']], 'BlockCurrentGenerationLock' : [ 0x0, ['unsigned long']], 'CyclesAccumulated' : [ 0x8, ['unsigned long long']], 'CycleCredit' : [ 0x40, ['unsigned long long']], 'BlockCurrentGeneration' : [ 0x48, ['unsigned long']], 'CpuCyclePercent' : [ 0x4c, ['unsigned long']], 'CyclesFinishedForCurrentGeneration' : [ 0x50, ['unsigned char']], 'Cpu' : [ 0x80, ['array', 32, ['_PS_PER_CPU_QUOTA_CACHE_AWARE']]], } ], '__unnamed_1ec1' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 
0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1ec1']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x50, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 
'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer', ['void']]], 'OpenProcedure' : [ 0x34, ['pointer', ['void']]], 'CloseProcedure' : [ 0x38, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x3c, ['pointer', ['void']]], 'ParseProcedure' : [ 0x40, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x44, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x48, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x4c, ['pointer', ['void']]], } ], '__unnamed_1ef2' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x20, { 'ControlArea' : [ 
0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_1ef2']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_PS_PER_CPU_QUOTA_CACHE_AWARE' : [ 0x40, { 'SortedListEntry' : [ 0x0, ['_LIST_ENTRY']], 'IdleOnlyListHead' : [ 0x8, ['_LIST_ENTRY']], 'CycleBaseAllowance' : [ 0x10, ['unsigned long long']], 'CyclesRemaining' : [ 0x18, ['long long']], 'CurrentGeneration' : [ 0x20, ['unsigned long']], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x14, { 'StackBase' : [ 0x0, ['unsigned long']], 'StackLimit' : [ 0x4, ['unsigned long']], 'KernelStack' : [ 0x8, ['unsigned long']], 'InitialStack' : [ 0xc, ['unsigned long']], 'ActualLimit' : [ 0x10, ['unsigned long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 
'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]],
'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, 
['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_PF_KERNEL_GLOBALS' : [ 0x40, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']],
'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0xc, ['_KEVENT']], 'AccessBufferMax' : [ 0x1c, ['unsigned long']], 'AccessBufferList' : [ 0x20, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x28, ['long']], 'Flags' : [ 0x2c, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x30, ['long']], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_POP_SYSTEM_IDLE' : [ 0x38, { 'AverageIdleness' : [ 0x0, ['long']], 'LowestIdleness' : [ 0x4, ['long']], 'Time' : [ 0x8, ['unsigned long']], 'Timeout' : [ 0xc, ['unsigned long']], 'LastUserInput' : [ 0x10, ['unsigned long']], 'Action' : [ 0x14, ['POWER_ACTION_POLICY']], 'MinState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SystemRequired' : [ 0x24, ['unsigned char']], 'IdleWorker' : [ 0x25, ['unsigned char']], 'Sampling' : [ 0x26, ['unsigned char']], 'LastTick' : [ 0x28, ['unsigned long long']], 'LastSystemRequiredTime' : [ 0x30, ['unsigned long']], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0xc, { 'SharedExportThunks' : [ 0x0, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x4, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x8, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x18, { 'SourceProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'SourceHandle' : [ 0x4, ['pointer', ['void']]], 'Object' : [ 0x8, ['pointer', ['void']]], 'TargetAccess' : [ 0xc, 
['unsigned long']], 'ObjectInfo' : [ 0x10, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x14, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SubsectionAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SubsectionAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_EFI_FIRMWARE_INFORMATION' : [ 0x10, { 'FirmwareVersion' : [ 0x0, ['unsigned long']], 'VirtualEfiRuntimeServices' : [ 0x4, ['pointer', ['_VIRTUAL_EFI_RUNTIME_SERVICES']]], 'SetVirtualAddressMapStatus' : [ 0x8, ['long']], 'MissedMappingsCount' : [ 0xc, ['unsigned long']], } ], '__unnamed_1f53' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f55' : [ 0xc, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f57' : [ 0xc, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f59' : [ 0xc, { 'Raw' : [ 0x0, ['__unnamed_1f57']], 'Translated' : [ 0x0, ['__unnamed_1f55']], } ], 
'__unnamed_1f5b' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f5d' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f5f' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f61' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f63' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f65' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f67' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_1f53']], 'Port' : [ 0x0, ['__unnamed_1f53']], 'Interrupt' : [ 0x0, ['__unnamed_1f55']], 'MessageInterrupt' : [ 0x0, ['__unnamed_1f59']], 'Memory' : [ 0x0, ['__unnamed_1f53']], 'Dma' : [ 0x0, ['__unnamed_1f5b']], 'DevicePrivate' : [ 0x0, ['__unnamed_1e3f']], 'BusNumber' : [ 0x0, ['__unnamed_1f5d']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1f5f']], 'Memory40' : [ 0x0, ['__unnamed_1f61']], 'Memory48' : [ 0x0, ['__unnamed_1f63']], 'Memory64' : [ 0x0, ['__unnamed_1f65']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1f67']], } ], '__unnamed_1f6c' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1f6c']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 
0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_1f76' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_1f76']], } ], '_CONFIGURATION_COMPONENT_DATA' : [ 0x34, { 'Parent' : [ 0x0, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Child' : [ 0x4, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Sibling' : [ 0x8, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'ComponentEntry' : [ 0xc, ['_CONFIGURATION_COMPONENT']], 'ConfigurationData' : [ 0x30, ['pointer', ['void']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '__unnamed_1f80' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMSUBSECTION_NODE']]], } ], '_MMSUBSECTION_NODE' : [ 0x18, { 'u' : [ 0x0, ['__unnamed_1ef2']], 'StartingSector' : [ 0x4, ['unsigned long']], 'NumberOfFullSectors' : [ 0x8, ['unsigned long']], 'u1' : [ 0xc, ['__unnamed_1f80']], 'LeftChild' : [ 0x10, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x14, ['pointer', ['_MMSUBSECTION_NODE']]], } ], '_VF_AVL_TREE_NODE' : [ 0x8, { 'p' : [ 0x0, ['pointer', ['void']]], 'RangeSize' : [ 0x4, ['unsigned long']], } ], '__unnamed_1f88' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_1f8a' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_1f88']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x40, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, 
['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x1c, ['_LIST_ENTRY']], 'IdleType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'Volume' : [ 0x30, ['_LIST_ENTRY']], 'Specific' : [ 0x38, ['__unnamed_1f8a']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', 
['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_KENLISTMENT' : [ 0x168, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x4, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x18, ['_GUID']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NextSameTx' : [ 0x48, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x50, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x58, ['pointer', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0x5c, ['pointer', ['_KTRANSACTION']]], 'State' : [ 0x60, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0x64, ['unsigned long']], 'NotificationMask' : [ 0x68, ['unsigned long']], 'Key' : [ 0x6c, ['pointer', ['void']]], 'KeyRefCount' : [ 0x70, ['unsigned long']], 'RecoveryInformation' : [ 0x74, ['pointer', ['void']]], 'RecoveryInformationLength' : [ 0x78, ['unsigned long']], 'DynamicNameInformation' : [ 0x7c, ['pointer', ['void']]], 'DynamicNameInformationLength' : [ 0x80, ['unsigned long']], 'FinalNotification' : [ 0x84, ['pointer', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0x88, 
['pointer', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0x8c, ['pointer', ['void']]], 'SubordinateTxHandle' : [ 0x90, ['pointer', ['void']]], 'CrmEnlistmentEnId' : [ 0x94, ['_GUID']], 'CrmEnlistmentTmId' : [ 0xa4, ['_GUID']], 'CrmEnlistmentRmId' : [ 0xb4, ['_GUID']], 'NextHistory' : [ 0xc4, ['unsigned long']], 'History' : [ 0xc8, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x14, ['unsigned char']], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, 
['array', 4, ['unsigned long']]],
    'GpValue' : [ 0x34, ['unsigned long']],
} ],
  '_ALPC_COMPLETION_LIST_HEADER' : [ 0x300, {
    'StartMagic' : [ 0x0, ['unsigned long long']],
    'TotalSize' : [ 0x8, ['unsigned long']],
    'ListOffset' : [ 0xc, ['unsigned long']],
    'ListSize' : [ 0x10, ['unsigned long']],
    'BitmapOffset' : [ 0x14, ['unsigned long']],
    'BitmapSize' : [ 0x18, ['unsigned long']],
    'DataOffset' : [ 0x1c, ['unsigned long']],
    'DataSize' : [ 0x20, ['unsigned long']],
    'AttributeFlags' : [ 0x24, ['unsigned long']],
    'AttributeSize' : [ 0x28, ['unsigned long']],
    'State' : [ 0x80, ['_ALPC_COMPLETION_LIST_STATE']],
    'LastMessageId' : [ 0x88, ['unsigned long']],
    'LastCallbackId' : [ 0x8c, ['unsigned long']],
    'PostCount' : [ 0x100, ['unsigned long']],
    'ReturnCount' : [ 0x180, ['unsigned long']],
    'LogSequenceNumber' : [ 0x200, ['unsigned long']],
    'UserLock' : [ 0x280, ['_RTL_SRWLOCK']],
    'EndMagic' : [ 0x288, ['unsigned long long']],
} ],
  '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, {
    'Characteristics' : [ 0x0, ['unsigned long']],
    'TimeDateStamp' : [ 0x4, ['unsigned long']],
    'MajorVersion' : [ 0x8, ['unsigned short']],
    'MinorVersion' : [ 0xa, ['unsigned short']],
    'Type' : [ 0xc, ['unsigned long']],
    'SizeOfData' : [ 0x10, ['unsigned long']],
    'AddressOfRawData' : [ 0x14, ['unsigned long']],
    'PointerToRawData' : [ 0x18, ['unsigned long']],
} ],
  '_ETW_WMITRACE_WORK' : [ 0xf0, {
    'LoggerId' : [ 0x0, ['unsigned long']],
    'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]],
    'FileName' : [ 0x49, ['array', 129, ['unsigned char']]],
    'MaximumFileSize' : [ 0xcc, ['unsigned long']],
    'MinBuffers' : [ 0xd0, ['unsigned long']],
    'MaxBuffers' : [ 0xd4, ['unsigned long']],
    'BufferSize' : [ 0xd8, ['unsigned long']],
    'Mode' : [ 0xdc, ['unsigned long']],
    'FlushTimer' : [ 0xe0, ['unsigned long']],
    'MatchAny' : [ 0x8, ['unsigned long long']],
    'MatchAll' : [ 0x10, ['unsigned long long']],
    'EnableProperty' : [ 0x18, ['unsigned long']],
    'Guid' : [ 0x1c, ['_GUID']],
    'Level' : [ 0x2c, ['unsigned char']],
    'Status' : [ 0xe8, ['long']],
} ],
  '_DEVICE_MAP' : [ 0x34, {
    'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]],
    'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]],
    'DosDevicesDirectoryHandle' : [ 0x8, ['pointer', ['void']]],
    'ReferenceCount' : [ 0xc, ['unsigned long']],
    'DriveMap' : [ 0x10, ['unsigned long']],
    'DriveType' : [ 0x14, ['array', 32, ['unsigned char']]],
} ],
  '_HEAP_DEBUGGING_INFORMATION' : [ 0x1c, {
    'InterceptorFunction' : [ 0x0, ['pointer', ['void']]],
    'InterceptorValue' : [ 0x4, ['unsigned short']],
    'ExtendedOptions' : [ 0x8, ['unsigned long']],
    'StackTraceDepth' : [ 0xc, ['unsigned long']],
    'MinTotalBlockSize' : [ 0x10, ['unsigned long']],
    'MaxTotalBlockSize' : [ 0x14, ['unsigned long']],
    'HeapLeakEnumerationRoutine' : [ 0x18, ['pointer', ['void']]],
} ],
  '_IO_RESOURCE_LIST' : [ 0x28, {
    'Version' : [ 0x0, ['unsigned short']],
    'Revision' : [ 0x2, ['unsigned short']],
    'Count' : [ 0x4, ['unsigned long']],
    'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]],
} ],
  '_MMBANKED_SECTION' : [ 0x20, {
    'BasePhysicalPage' : [ 0x0, ['unsigned long']],
    'BasedPte' : [ 0x4, ['pointer', ['_MMPTE']]],
    'BankSize' : [ 0x8, ['unsigned long']],
    'BankShift' : [ 0xc, ['unsigned long']],
    'BankedRoutine' : [ 0x10, ['pointer', ['void']]],
    'Context' : [ 0x14, ['pointer', ['void']]],
    'CurrentMappedPte' : [ 0x18, ['pointer', ['_MMPTE']]],
    'BankTemplate' : [ 0x1c, ['array', 1, ['_MMPTE']]],
} ],
  '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, {
    'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]],
    'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]],
    'AsULONG' : [ 0x0, ['unsigned long']],
} ],
  '_XSAVE_AREA_HEADER' : [ 0x40, {
    'Mask' : [ 0x0, ['unsigned long long']],
    'Reserved' : [ 0x8, ['array', 7, ['unsigned long long']]],
} ],
  '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, {
    'Entry' : [ 0x0, ['_LIST_ENTRY']],
    'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']],
    'CommitSize' : [ 0x10, ['unsigned long']],
    'ReserveSize' : [ 0x14, ['unsigned long']],
    'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']],
} ],
  '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x38, {
    'ListEntry' : [ 0x0, ['_LIST_ENTRY']],
    'DeviceNode' : [ 0x8, ['pointer', ['_DEVICE_NODE']]],
    'Context' : [ 0xc, ['pointer', ['void']]],
    'CompletionState' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]],
    'IrpPended' : [ 0x14, ['unsigned long']],
    'Status' : [ 0x18, ['long']],
    'Information' : [ 0x1c, ['pointer', ['void']]],
    'WorkItem' : [ 0x20, ['_WORK_QUEUE_ITEM']],
    'FailingDriver' : [ 0x30, ['pointer', ['_DRIVER_OBJECT']]],
    'ReferenceCount' : [ 0x34, ['long']],
} ],
  '_EVENT_FILTER_HEADER' : [ 0x18, {
    'Id' : [ 0x0, ['unsigned short']],
    'Version' : [ 0x2, ['unsigned char']],
    'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]],
    'InstanceId' : [ 0x8, ['unsigned long long']],
    'Size' : [ 0x10, ['unsigned long']],
    'NextOffset' : [ 0x14, ['unsigned long']],
} ],
  '_WAIT_CONTEXT_BLOCK' : [ 0x28, {
    'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']],
    'DeviceRoutine' : [ 0x10, ['pointer', ['void']]],
    'DeviceContext' : [ 0x14, ['pointer', ['void']]],
    'NumberOfMapRegisters' : [ 0x18, ['unsigned long']],
    'DeviceObject' : [ 0x1c, ['pointer', ['void']]],
    'CurrentIrp' : [ 0x20, ['pointer', ['void']]],
    'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]],
} ],
  '_SECTION_OBJECT' : [ 0x18, {
    'StartingVa' : [ 0x0, ['pointer', ['void']]],
    'EndingVa' : [ 0x4, ['pointer', ['void']]],
    'Parent' : [ 0x8, ['pointer', ['void']]],
    'LeftChild' : [ 0xc, ['pointer', ['void']]],
    'RightChild' : [ 0x10, ['pointer', ['void']]],
    'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]],
} ],
  '_CM_NAME_CONTROL_BLOCK' : [ 0x10, {
    'Compressed' : [ 0x0, ['unsigned char']],
    'RefCount' : [ 0x2, ['unsigned short']],
    'NameHash' : [ 0x4, ['_CM_NAME_HASH']],
    'ConvKey' : [ 0x4, ['unsigned long']],
    'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]],
    'NameLength' : [ 0xc, ['unsigned short']],
    'Name' : [ 0xe, ['array', 1, ['wchar']]],
} ],
}

volatility-2.3.1/volatility/plugins/overlays/windows/win2003_sp12_x86_syscalls.py

# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: MHL
@license: GNU General Public License 2.0
@contact: michael.ligh@mnin.org

This file provides support for Windows 2003 SP1/2.
"""

syscalls = [
    [
    'NtAcceptConnectPort', # 0x0
    'NtAccessCheck', # 0x1
    'NtAccessCheckAndAuditAlarm', # 0x2
    'NtAccessCheckByType', # 0x3
    'NtAccessCheckByTypeAndAuditAlarm', # 0x4
    'NtAccessCheckByTypeResultList', # 0x5
    'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x6
    'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x7
    'NtAddAtom', # 0x8
    'NtAddBootEntry', # 0x9
    'NtAddDriverEntry', # 0xa
    'NtAdjustGroupsToken', # 0xb
    'NtAdjustPrivilegesToken', # 0xc
    'NtAlertResumeThread', # 0xd
    'NtAlertThread', # 0xe
    'NtAllocateLocallyUniqueId', # 0xf
    'NtAllocateUserPhysicalPages', # 0x10
    'NtAllocateUuids', # 0x11
    'NtAllocateVirtualMemory', # 0x12
    'NtApphelpCacheControl', # 0x13
    'NtAreMappedFilesTheSame', # 0x14
    'NtAssignProcessToJobObject', # 0x15
    'NtCallbackReturn', # 0x16
    'NtCancelDeviceWakeupRequest', # 0x17
    'NtCancelIoFile', # 0x18
    'NtCancelTimer', # 0x19
    'NtClearEvent', # 0x1a
    'NtClose', # 0x1b
    'NtCloseObjectAuditAlarm', # 0x1c
    'NtCompactKeys', # 0x1d
    'NtCompareTokens', # 0x1e
    'NtCompleteConnectPort', # 0x1f
    'NtCompressKey', # 0x20
    'NtConnectPort', # 0x21
    'NtContinue', # 0x22
    'NtCreateDebugObject', # 0x23
    'NtCreateDirectoryObject', # 0x24
    'NtCreateEvent', # 0x25
    'NtCreateEventPair', # 0x26
    'NtCreateFile', # 0x27
    'NtCreateIoCompletion', # 0x28
    'NtCreateJobObject', # 0x29
    'NtCreateJobSet', # 0x2a
    'NtCreateKey', # 0x2b
    'NtCreateMailslotFile', # 0x2c
    'NtCreateMutant', # 0x2d
    'NtCreateNamedPipeFile', # 0x2e
    'NtCreatePagingFile', # 0x2f
    'NtCreatePort', # 0x30
    'NtCreateProcess', # 0x31
    'NtCreateProcessEx', # 0x32
    'NtCreateProfile', # 0x33
    'NtCreateSection', # 0x34
    'NtCreateSemaphore', # 0x35
    'NtCreateSymbolicLinkObject', # 0x36
    'NtCreateThread', # 0x37
    'NtCreateTimer', # 0x38
    'NtCreateToken', # 0x39
    'NtCreateWaitablePort', # 0x3a
    'NtDebugActiveProcess', # 0x3b
    'NtDebugContinue', # 0x3c
    'NtDelayExecution', # 0x3d
    'NtDeleteAtom', # 0x3e
    'NtDeleteBootEntry', # 0x3f
    'NtDeleteDriverEntry', # 0x40
    'NtDeleteFile', # 0x41
    'NtDeleteKey', # 0x42
    'NtDeleteObjectAuditAlarm', # 0x43
    'NtDeleteValueKey', # 0x44
    'NtDeviceIoControlFile', # 0x45
    'NtDisplayString', # 0x46
    'NtDuplicateObject', # 0x47
    'NtDuplicateToken', # 0x48
    'NtEnumerateBootEntries', # 0x49
    'NtEnumerateDriverEntries', # 0x4a
    'NtEnumerateKey', # 0x4b
    'NtEnumerateSystemEnvironmentValuesEx', # 0x4c
    'NtEnumerateValueKey', # 0x4d
    'NtExtendSection', # 0x4e
    'NtFilterToken', # 0x4f
    'NtFindAtom', # 0x50
    'NtFlushBuffersFile', # 0x51
    'NtFlushInstructionCache', # 0x52
    'NtFlushKey', # 0x53
    'NtFlushVirtualMemory', # 0x54
    'NtFlushWriteBuffer', # 0x55
    'NtFreeUserPhysicalPages', # 0x56
    'NtFreeVirtualMemory', # 0x57
    'NtFsControlFile', # 0x58
    'NtGetContextThread', # 0x59
    'NtGetDevicePowerState', # 0x5a
    'NtGetPlugPlayEvent', # 0x5b
    'NtGetWriteWatch', # 0x5c
    'NtImpersonateAnonymousToken', # 0x5d
    'NtImpersonateClientOfPort', # 0x5e
    'NtImpersonateThread', # 0x5f
    'NtInitializeRegistry', # 0x60
    'NtInitiatePowerAction', # 0x61
    'NtIsProcessInJob', # 0x62
    'NtIsSystemResumeAutomatic', # 0x63
    'NtListenPort', # 0x64
    'NtLoadDriver', # 0x65
    'NtLoadKey', # 0x66
    'NtLoadKey2', # 0x67
    'NtLoadKeyEx', # 0x68
    'NtLockFile', # 0x69
    'NtLockProductActivationKeys', # 0x6a
    'NtLockRegistryKey', # 0x6b
    'NtLockVirtualMemory', # 0x6c
    'NtMakePermanentObject', # 0x6d
    'NtMakeTemporaryObject', # 0x6e
    'NtMapUserPhysicalPages', # 0x6f
    'NtMapUserPhysicalPagesScatter', # 0x70
    'NtMapViewOfSection', # 0x71
    'NtModifyBootEntry', # 0x72
    'NtModifyDriverEntry', # 0x73
    'NtNotifyChangeDirectoryFile', # 0x74
    'NtNotifyChangeKey', # 0x75
    'NtNotifyChangeMultipleKeys', # 0x76
    'NtOpenDirectoryObject', # 0x77
    'NtOpenEvent', # 0x78
    'NtOpenEventPair', # 0x79
    'NtOpenFile', # 0x7a
    'NtOpenIoCompletion', # 0x7b
    'NtOpenJobObject', # 0x7c
    'NtOpenKey', # 0x7d
    'NtOpenMutant', # 0x7e
    'NtOpenObjectAuditAlarm', # 0x7f
    'NtOpenProcess', # 0x80
    'NtOpenProcessToken', # 0x81
    'NtOpenProcessTokenEx', # 0x82
    'NtOpenSection', # 0x83
    'NtOpenSemaphore', # 0x84
    'NtOpenSymbolicLinkObject', # 0x85
    'NtOpenThread', # 0x86
    'NtOpenThreadToken', # 0x87
    'NtOpenThreadTokenEx', # 0x88
    'NtOpenTimer', # 0x89
    'NtPlugPlayControl', # 0x8a
    'NtPowerInformation', # 0x8b
    'NtPrivilegeCheck', # 0x8c
    'NtPrivilegeObjectAuditAlarm', # 0x8d
    'NtPrivilegedServiceAuditAlarm', # 0x8e
    'NtProtectVirtualMemory', # 0x8f
    'NtPulseEvent', # 0x90
    'NtQueryAttributesFile', # 0x91
    'NtQueryBootEntryOrder', # 0x92
    'NtQueryBootOptions', # 0x93
    'NtQueryDebugFilterState', # 0x94
    'NtQueryDefaultLocale', # 0x95
    'NtQueryDefaultUILanguage', # 0x96
    'NtQueryDirectoryFile', # 0x97
    'NtQueryDirectoryObject', # 0x98
    'NtQueryDriverEntryOrder', # 0x99
    'NtQueryEaFile', # 0x9a
    'NtQueryEvent', # 0x9b
    'NtQueryFullAttributesFile', # 0x9c
    'NtQueryInformationAtom', # 0x9d
    'NtQueryInformationFile', # 0x9e
    'NtQueryInformationJobObject', # 0x9f
    'NtQueryInformationPort', # 0xa0
    'NtQueryInformationProcess', # 0xa1
    'NtQueryInformationThread', # 0xa2
    'NtQueryInformationToken', # 0xa3
    'NtQueryInstallUILanguage', # 0xa4
    'NtQueryIntervalProfile', # 0xa5
    'NtQueryIoCompletion', # 0xa6
    'NtQueryKey', # 0xa7
    'NtQueryMultipleValueKey', # 0xa8
    'NtQueryMutant', # 0xa9
    'NtQueryObject', # 0xaa
    'NtQueryOpenSubKeys', # 0xab
    'NtQueryOpenSubKeysEx', # 0xac
    'NtQueryPerformanceCounter', # 0xad
    'NtQueryQuotaInformationFile', # 0xae
    'NtQuerySection', # 0xaf
    'NtQuerySecurityObject', # 0xb0
    'NtQuerySemaphore', # 0xb1
    'NtQuerySymbolicLinkObject', # 0xb2
    'NtQuerySystemEnvironmentValue', # 0xb3
    'NtQuerySystemEnvironmentValueEx', # 0xb4
    'NtQuerySystemInformation', # 0xb5
    'NtQuerySystemTime', # 0xb6
    'NtQueryTimer', # 0xb7
    'NtQueryTimerResolution', # 0xb8
    'NtQueryValueKey', # 0xb9
    'NtQueryVirtualMemory', # 0xba
    'NtQueryVolumeInformationFile', # 0xbb
    'NtQueueApcThread', # 0xbc
    'NtRaiseException', # 0xbd
    'NtRaiseHardError', # 0xbe
    'NtReadFile', # 0xbf
    'NtReadFileScatter', # 0xc0
    'NtReadRequestData', # 0xc1
    'NtReadVirtualMemory', # 0xc2
    'NtRegisterThreadTerminatePort', # 0xc3
    'NtReleaseMutant', # 0xc4
    'NtReleaseSemaphore', # 0xc5
    'NtRemoveIoCompletion', # 0xc6
    'NtRemoveProcessDebug', # 0xc7
    'NtRenameKey', # 0xc8
    'NtReplaceKey', # 0xc9
    'NtReplyPort', # 0xca
    'NtReplyWaitReceivePort', # 0xcb
    'NtReplyWaitReceivePortEx', # 0xcc
    'NtReplyWaitReplyPort', # 0xcd
    'NtRequestDeviceWakeup', # 0xce
    'NtRequestPort', # 0xcf
    'NtRequestWaitReplyPort', # 0xd0
    'NtRequestWakeupLatency', # 0xd1
    'NtResetEvent', # 0xd2
    'NtResetWriteWatch', # 0xd3
    'NtRestoreKey', # 0xd4
    'NtResumeProcess', # 0xd5
    'NtResumeThread', # 0xd6
    'NtSaveKey', # 0xd7
    'NtSaveKeyEx', # 0xd8
    'NtSaveMergedKeys', # 0xd9
    'NtSecureConnectPort', # 0xda
    'NtSetBootEntryOrder', # 0xdb
    'NtSetBootOptions', # 0xdc
    'NtSetContextThread', # 0xdd
    'NtSetDebugFilterState', # 0xde
    'NtSetDefaultHardErrorPort', # 0xdf
    'NtSetDefaultLocale', # 0xe0
    'NtSetDefaultUILanguage', # 0xe1
    'NtSetDriverEntryOrder', # 0xe2
    'NtSetEaFile', # 0xe3
    'NtSetEvent', # 0xe4
    'NtSetEventBoostPriority', # 0xe5
    'NtSetHighEventPair', # 0xe6
    'NtSetHighWaitLowEventPair', # 0xe7
    'NtSetInformationDebugObject', # 0xe8
    'NtSetInformationFile', # 0xe9
    'NtSetInformationJobObject', # 0xea
    'NtSetInformationKey', # 0xeb
    'NtSetInformationObject', # 0xec
    'NtSetInformationProcess', # 0xed
    'NtSetInformationThread', # 0xee
    'NtSetInformationToken', # 0xef
    'NtSetIntervalProfile', # 0xf0
    'NtSetIoCompletion', # 0xf1
    'NtSetLdtEntries', # 0xf2
    'NtSetLowEventPair', # 0xf3
    'NtSetLowWaitHighEventPair', # 0xf4
    'NtSetQuotaInformationFile', # 0xf5
    'NtSetSecurityObject', # 0xf6
    'NtSetSystemEnvironmentValue', # 0xf7
    'NtSetSystemEnvironmentValueEx', # 0xf8
    'NtSetSystemInformation', # 0xf9
    'NtSetSystemPowerState', # 0xfa
    'NtSetSystemTime', # 0xfb
    'NtSetThreadExecutionState', # 0xfc
    'NtSetTimer', # 0xfd
    'NtSetTimerResolution', # 0xfe
    'NtSetUuidSeed', # 0xff
    'NtSetValueKey', # 0x100
    'NtSetVolumeInformationFile', # 0x101
    'NtShutdownSystem', # 0x102
    'NtSignalAndWaitForSingleObject', # 0x103
    'NtStartProfile', # 0x104
    'NtStopProfile', # 0x105
    'NtSuspendProcess', # 0x106
    'NtSuspendThread', # 0x107
    'NtSystemDebugControl', # 0x108
    'NtTerminateJobObject', # 0x109
    'NtTerminateProcess', # 0x10a
    'NtTerminateThread', # 0x10b
    'NtTestAlert', # 0x10c
    'NtTraceEvent', # 0x10d
    'NtTranslateFilePath', # 0x10e
    'NtUnloadDriver', # 0x10f
    'NtUnloadKey', # 0x110
    'NtUnloadKey2', # 0x111
    'NtUnloadKeyEx', # 0x112
    'NtUnlockFile', # 0x113
    'NtUnlockVirtualMemory', # 0x114
    'NtUnmapViewOfSection', # 0x115
    'NtVdmControl', # 0x116
    'NtWaitForDebugEvent', # 0x117
    'NtWaitForMultipleObjects', # 0x118
    'NtWaitForSingleObject', # 0x119
    'NtWaitHighEventPair', # 0x11a
    'NtWaitLowEventPair', # 0x11b
    'NtWriteFile', # 0x11c
    'NtWriteFileGather', # 0x11d
    'NtWriteRequestData', # 0x11e
    'NtWriteVirtualMemory', # 0x11f
    'NtYieldExecution', # 0x120
    'NtCreateKeyedEvent', # 0x121
    'NtOpenKeyedEvent', # 0x122
    'NtReleaseKeyedEvent', # 0x123
    'NtWaitForKeyedEvent', # 0x124
    'NtQueryPortInformationProcess', # 0x125
    'NtGetCurrentProcessorNumber', # 0x126
    'NtWaitForMultipleObjects32', # 0x127
    ],
    [
    'NtGdiAbortDoc', # 0x0
    'NtGdiAbortPath', # 0x1
    'NtGdiAddFontResourceW', # 0x2
    'NtGdiAddRemoteFontToDC', # 0x3
    'NtGdiAddFontMemResourceEx', # 0x4
    'NtGdiRemoveMergeFont', # 0x5
    'NtGdiAddRemoteMMInstanceToDC', # 0x6
    'NtGdiAlphaBlend', # 0x7
    'NtGdiAngleArc', # 0x8
    'NtGdiAnyLinkedFonts', # 0x9
    'NtGdiFontIsLinked', # 0xa
    'NtGdiArcInternal', # 0xb
    'NtGdiBeginPath', # 0xc
    'NtGdiBitBlt', # 0xd
    'NtGdiCancelDC', # 0xe
    'NtGdiCheckBitmapBits', # 0xf
    'NtGdiCloseFigure', # 0x10
    'NtGdiClearBitmapAttributes', # 0x11
    'NtGdiClearBrushAttributes', # 0x12
    'NtGdiColorCorrectPalette', # 0x13
    'NtGdiCombineRgn', # 0x14
    'NtGdiCombineTransform', # 0x15
    'NtGdiComputeXformCoefficients', # 0x16
    'NtGdiConsoleTextOut', # 0x17
    'NtGdiConvertMetafileRect', # 0x18
    'NtGdiCreateBitmap', # 0x19
    'NtGdiCreateClientObj', # 0x1a
    'NtGdiCreateColorSpace', # 0x1b
    'NtGdiCreateColorTransform', # 0x1c
    'NtGdiCreateCompatibleBitmap', # 0x1d
    'NtGdiCreateCompatibleDC', # 0x1e
    'NtGdiCreateDIBBrush', # 0x1f
    'NtGdiCreateDIBitmapInternal', # 0x20
    'NtGdiCreateDIBSection', # 0x21
    'NtGdiCreateEllipticRgn', # 0x22
    'NtGdiCreateHalftonePalette', # 0x23
    'NtGdiCreateHatchBrushInternal', # 0x24
    'NtGdiCreateMetafileDC', # 0x25
    'NtGdiCreatePaletteInternal', # 0x26
    'NtGdiCreatePatternBrushInternal', # 0x27
    'NtGdiCreatePen', # 0x28
    'NtGdiCreateRectRgn', # 0x29
    'NtGdiCreateRoundRectRgn', # 0x2a
    'NtGdiCreateServerMetaFile', # 0x2b
    'NtGdiCreateSolidBrush', # 0x2c
    'NtGdiD3dContextCreate', # 0x2d
    'NtGdiD3dContextDestroy', # 0x2e
    'NtGdiD3dContextDestroyAll', # 0x2f
    'NtGdiD3dValidateTextureStageState', # 0x30
    'NtGdiD3dDrawPrimitives2', # 0x31
    'NtGdiDdGetDriverState', # 0x32
    'NtGdiDdAddAttachedSurface', # 0x33
    'NtGdiDdAlphaBlt', # 0x34
    'NtGdiDdAttachSurface', # 0x35
    'NtGdiDdBeginMoCompFrame', # 0x36
    'NtGdiDdBlt', # 0x37
    'NtGdiDdCanCreateSurface', # 0x38
    'NtGdiDdCanCreateD3DBuffer', # 0x39
    'NtGdiDdColorControl', # 0x3a
    'NtGdiDdCreateDirectDrawObject', # 0x3b
    'NtGdiDdCreateSurface', # 0x3c
    'NtGdiDdCreateD3DBuffer', # 0x3d
    'NtGdiDdCreateMoComp', # 0x3e
    'NtGdiDdCreateSurfaceObject', # 0x3f
    'NtGdiDdDeleteDirectDrawObject', # 0x40
    'NtGdiDdDeleteSurfaceObject', # 0x41
    'NtGdiDdDestroyMoComp', # 0x42
    'NtGdiDdDestroySurface', # 0x43
    'NtGdiDdDestroyD3DBuffer', # 0x44
    'NtGdiDdEndMoCompFrame', # 0x45
    'NtGdiDdFlip', # 0x46
    'NtGdiDdFlipToGDISurface', # 0x47
    'NtGdiDdGetAvailDriverMemory', # 0x48
    'NtGdiDdGetBltStatus', # 0x49
    'NtGdiDdGetDC', # 0x4a
    'NtGdiDdGetDriverInfo', # 0x4b
    'NtGdiDdGetDxHandle', # 0x4c
    'NtGdiDdGetFlipStatus', # 0x4d
    'NtGdiDdGetInternalMoCompInfo', # 0x4e
    'NtGdiDdGetMoCompBuffInfo', # 0x4f
    'NtGdiDdGetMoCompGuids', # 0x50
    'NtGdiDdGetMoCompFormats', # 0x51
    'NtGdiDdGetScanLine', # 0x52
    'NtGdiDdLock', # 0x53
    'NtGdiDdLockD3D', # 0x54
    'NtGdiDdQueryDirectDrawObject', # 0x55
    'NtGdiDdQueryMoCompStatus', # 0x56
    'NtGdiDdReenableDirectDrawObject', # 0x57
    'NtGdiDdReleaseDC', # 0x58
    'NtGdiDdRenderMoComp', # 0x59
    'NtGdiDdResetVisrgn', # 0x5a
    'NtGdiDdSetColorKey', # 0x5b
    'NtGdiDdSetExclusiveMode', # 0x5c
    'NtGdiDdSetGammaRamp', # 0x5d
    'NtGdiDdCreateSurfaceEx', # 0x5e
    'NtGdiDdSetOverlayPosition', # 0x5f
    'NtGdiDdUnattachSurface', # 0x60
    'NtGdiDdUnlock', # 0x61
    'NtGdiDdUnlockD3D', # 0x62
    'NtGdiDdUpdateOverlay', # 0x63
    'NtGdiDdWaitForVerticalBlank', # 0x64
    'NtGdiDvpCanCreateVideoPort', # 0x65
    'NtGdiDvpColorControl', # 0x66
    'NtGdiDvpCreateVideoPort', # 0x67
    'NtGdiDvpDestroyVideoPort', # 0x68
    'NtGdiDvpFlipVideoPort', # 0x69
    'NtGdiDvpGetVideoPortBandwidth', # 0x6a
    'NtGdiDvpGetVideoPortField', # 0x6b
    'NtGdiDvpGetVideoPortFlipStatus', # 0x6c
    'NtGdiDvpGetVideoPortInputFormats', # 0x6d
    'NtGdiDvpGetVideoPortLine', # 0x6e
    'NtGdiDvpGetVideoPortOutputFormats', # 0x6f
    'NtGdiDvpGetVideoPortConnectInfo', # 0x70
    'NtGdiDvpGetVideoSignalStatus', # 0x71
    'NtGdiDvpUpdateVideoPort', # 0x72
    'NtGdiDvpWaitForVideoPortSync', # 0x73
    'NtGdiDvpAcquireNotification', # 0x74
    'NtGdiDvpReleaseNotification', # 0x75
    'NtGdiDxgGenericThunk', # 0x76
    'NtGdiDeleteClientObj', # 0x77
    'NtGdiDeleteColorSpace', # 0x78
    'NtGdiDeleteColorTransform', # 0x79
    'NtGdiDeleteObjectApp', # 0x7a
    'NtGdiDescribePixelFormat', # 0x7b
    'NtGdiGetPerBandInfo', # 0x7c
    'NtGdiDoBanding', # 0x7d
    'NtGdiDoPalette', # 0x7e
    'NtGdiDrawEscape', # 0x7f
    'NtGdiEllipse', # 0x80
    'NtGdiEnableEudc', # 0x81
    'NtGdiEndDoc', # 0x82
    'NtGdiEndPage', # 0x83
    'NtGdiEndPath', # 0x84
    'NtGdiEnumFontChunk', # 0x85
    'NtGdiEnumFontClose', # 0x86
    'NtGdiEnumFontOpen', # 0x87
    'NtGdiEnumObjects', # 0x88
    'NtGdiEqualRgn', # 0x89
    'NtGdiEudcLoadUnloadLink', # 0x8a
    'NtGdiExcludeClipRect', # 0x8b
    'NtGdiExtCreatePen', # 0x8c
    'NtGdiExtCreateRegion', # 0x8d
    'NtGdiExtEscape', # 0x8e
    'NtGdiExtFloodFill', # 0x8f
    'NtGdiExtGetObjectW', # 0x90
    'NtGdiExtSelectClipRgn', # 0x91
    'NtGdiExtTextOutW', # 0x92
    'NtGdiFillPath', # 0x93
    'NtGdiFillRgn', # 0x94
    'NtGdiFlattenPath', # 0x95
    'NtGdiFlush', # 0x96
    'NtGdiForceUFIMapping', # 0x97
    'NtGdiFrameRgn', # 0x98
    'NtGdiFullscreenControl', # 0x99
    'NtGdiGetAndSetDCDword', # 0x9a
    'NtGdiGetAppClipBox', # 0x9b
    'NtGdiGetBitmapBits', # 0x9c
    'NtGdiGetBitmapDimension', # 0x9d
    'NtGdiGetBoundsRect', # 0x9e
    'NtGdiGetCharABCWidthsW', # 0x9f
    'NtGdiGetCharacterPlacementW', # 0xa0
    'NtGdiGetCharSet', # 0xa1
    'NtGdiGetCharWidthW', # 0xa2
    'NtGdiGetCharWidthInfo', # 0xa3
    'NtGdiGetColorAdjustment', # 0xa4
    'NtGdiGetColorSpaceforBitmap', # 0xa5
    'NtGdiGetDCDword', # 0xa6
    'NtGdiGetDCforBitmap', # 0xa7
    'NtGdiGetDCObject', # 0xa8
    'NtGdiGetDCPoint', # 0xa9
    'NtGdiGetDeviceCaps', # 0xaa
    'NtGdiGetDeviceGammaRamp', # 0xab
    'NtGdiGetDeviceCapsAll', # 0xac
    'NtGdiGetDIBitsInternal', # 0xad
    'NtGdiGetETM', # 0xae
    'NtGdiGetEudcTimeStampEx', # 0xaf
    'NtGdiGetFontData', # 0xb0
    'NtGdiGetFontResourceInfoInternalW', # 0xb1
    'NtGdiGetGlyphIndicesW', # 0xb2
    'NtGdiGetGlyphIndicesWInternal', # 0xb3
    'NtGdiGetGlyphOutline', # 0xb4
    'NtGdiGetKerningPairs', # 0xb5
    'NtGdiGetLinkedUFIs', # 0xb6
    'NtGdiGetMiterLimit', # 0xb7
    'NtGdiGetMonitorID', # 0xb8
    'NtGdiGetNearestColor', # 0xb9
    'NtGdiGetNearestPaletteIndex', # 0xba
    'NtGdiGetObjectBitmapHandle', # 0xbb
    'NtGdiGetOutlineTextMetricsInternalW', # 0xbc
    'NtGdiGetPath', # 0xbd
    'NtGdiGetPixel', # 0xbe
    'NtGdiGetRandomRgn', # 0xbf
    'NtGdiGetRasterizerCaps', # 0xc0
    'NtGdiGetRealizationInfo', # 0xc1
    'NtGdiGetRegionData', # 0xc2
    'NtGdiGetRgnBox', # 0xc3
    'NtGdiGetServerMetaFileBits', # 0xc4
    'NtGdiGetSpoolMessage', # 0xc5
    'NtGdiGetStats', # 0xc6
    'NtGdiGetStockObject', # 0xc7
    'NtGdiGetStringBitmapW', # 0xc8
    'NtGdiGetSystemPaletteUse', # 0xc9
    'NtGdiGetTextCharsetInfo', # 0xca
    'NtGdiGetTextExtent', # 0xcb
    'NtGdiGetTextExtentExW', # 0xcc
    'NtGdiGetTextFaceW', # 0xcd
    'NtGdiGetTextMetricsW', # 0xce
    'NtGdiGetTransform', # 0xcf
    'NtGdiGetUFI', # 0xd0
    'NtGdiGetEmbUFI', # 0xd1
    'NtGdiGetUFIPathname', # 0xd2
    'NtGdiGetEmbedFonts', # 0xd3
    'NtGdiChangeGhostFont', # 0xd4
    'NtGdiAddEmbFontToDC', # 0xd5
    'NtGdiGetFontUnicodeRanges', # 0xd6
    'NtGdiGetWidthTable', # 0xd7
    'NtGdiGradientFill', # 0xd8
    'NtGdiHfontCreate', # 0xd9
    'NtGdiIcmBrushInfo', # 0xda
    'NtGdiInit', # 0xdb
    'NtGdiInitSpool', # 0xdc
    'NtGdiIntersectClipRect', # 0xdd
    'NtGdiInvertRgn', # 0xde
    'NtGdiLineTo', # 0xdf
    'NtGdiMakeFontDir', # 0xe0
    'NtGdiMakeInfoDC', # 0xe1
    'NtGdiMaskBlt', # 0xe2
    'NtGdiModifyWorldTransform', # 0xe3
    'NtGdiMonoBitmap', # 0xe4
    'NtGdiMoveTo', # 0xe5
    'NtGdiOffsetClipRgn', # 0xe6
    'NtGdiOffsetRgn', # 0xe7
    'NtGdiOpenDCW', # 0xe8
    'NtGdiPatBlt', # 0xe9
    'NtGdiPolyPatBlt', # 0xea
    'NtGdiPathToRegion', # 0xeb
    'NtGdiPlgBlt', # 0xec
    'NtGdiPolyDraw', # 0xed
    'NtGdiPolyPolyDraw', # 0xee
    'NtGdiPolyTextOutW', # 0xef
    'NtGdiPtInRegion', # 0xf0
    'NtGdiPtVisible', # 0xf1
    'NtGdiQueryFonts', # 0xf2
    'NtGdiQueryFontAssocInfo', # 0xf3
    'NtGdiRectangle', # 0xf4
    'NtGdiRectInRegion', # 0xf5
    'NtGdiRectVisible', # 0xf6
    'NtGdiRemoveFontResourceW', # 0xf7
    'NtGdiRemoveFontMemResourceEx', # 0xf8
    'NtGdiResetDC', # 0xf9
    'NtGdiResizePalette', # 0xfa
    'NtGdiRestoreDC', # 0xfb
    'NtGdiRoundRect', # 0xfc
    'NtGdiSaveDC', # 0xfd
    'NtGdiScaleViewportExtEx', # 0xfe
    'NtGdiScaleWindowExtEx', # 0xff
    'NtGdiSelectBitmap', # 0x100
    'NtGdiSelectBrush', # 0x101
    'NtGdiSelectClipPath', # 0x102
    'NtGdiSelectFont', # 0x103
    'NtGdiSelectPen', # 0x104
    'NtGdiSetBitmapAttributes', # 0x105
    'NtGdiSetBitmapBits', # 0x106
    'NtGdiSetBitmapDimension', # 0x107
    'NtGdiSetBoundsRect', # 0x108
    'NtGdiSetBrushAttributes', # 0x109
    'NtGdiSetBrushOrg', # 0x10a
    'NtGdiSetColorAdjustment', # 0x10b
    'NtGdiSetColorSpace', # 0x10c
    'NtGdiSetDeviceGammaRamp', # 0x10d
    'NtGdiSetDIBitsToDeviceInternal', # 0x10e
    'NtGdiSetFontEnumeration', # 0x10f
    'NtGdiSetFontXform', # 0x110
    'NtGdiSetIcmMode', # 0x111
    'NtGdiSetLinkedUFIs', # 0x112
    'NtGdiSetMagicColors', # 0x113
    'NtGdiSetMetaRgn', # 0x114
    'NtGdiSetMiterLimit', # 0x115
    'NtGdiGetDeviceWidth', # 0x116
    'NtGdiMirrorWindowOrg', # 0x117
    'NtGdiSetLayout', # 0x118
    'NtGdiSetPixel', # 0x119
    'NtGdiSetPixelFormat', # 0x11a
    'NtGdiSetRectRgn', # 0x11b
    'NtGdiSetSystemPaletteUse', # 0x11c
    'NtGdiSetTextJustification', # 0x11d
    'NtGdiSetupPublicCFONT', # 0x11e
    'NtGdiSetVirtualResolution', # 0x11f
    'NtGdiSetSizeDevice', # 0x120
    'NtGdiStartDoc', # 0x121
    'NtGdiStartPage', # 0x122
    'NtGdiStretchBlt', # 0x123
    'NtGdiStretchDIBitsInternal', # 0x124
    'NtGdiStrokeAndFillPath', # 0x125
    'NtGdiStrokePath', # 0x126
    'NtGdiSwapBuffers', # 0x127
    'NtGdiTransformPoints', # 0x128
    'NtGdiTransparentBlt', # 0x129
    'NtGdiUnloadPrinterDriver', # 0x12a
    'NtGdiUnmapMemFont', # 0x12b
    'NtGdiUnrealizeObject', # 0x12c
    'NtGdiUpdateColors', # 0x12d
    'NtGdiWidenPath', # 0x12e
    'NtUserActivateKeyboardLayout', # 0x12f
    'NtUserAlterWindowStyle', # 0x130
    'NtUserAssociateInputContext', # 0x131
    'NtUserAttachThreadInput', # 0x132
    'NtUserBeginPaint', # 0x133
    'NtUserBitBltSysBmp', # 0x134
    'NtUserBlockInput', # 0x135
    'NtUserBuildHimcList', # 0x136
    'NtUserBuildHwndList', # 0x137
    'NtUserBuildNameList', # 0x138
    'NtUserBuildPropList', # 0x139
    'NtUserCallHwnd', # 0x13a
    'NtUserCallHwndLock', # 0x13b
    'NtUserCallHwndOpt', # 0x13c
    'NtUserCallHwndParam', # 0x13d
    'NtUserCallHwndParamLock', # 0x13e
    'NtUserCallMsgFilter', # 0x13f
    'NtUserCallNextHookEx', # 0x140
    'NtUserCallNoParam', # 0x141
    'NtUserCallOneParam', # 0x142
    'NtUserCallTwoParam', # 0x143
    'NtUserChangeClipboardChain', # 0x144
    'NtUserChangeDisplaySettings', # 0x145
    'NtUserCheckImeHotKey', # 0x146
    'NtUserCheckMenuItem', # 0x147
    'NtUserChildWindowFromPointEx', # 0x148
    'NtUserClipCursor', # 0x149
    'NtUserCloseClipboard', # 0x14a
    'NtUserCloseDesktop', # 0x14b
    'NtUserCloseWindowStation', # 0x14c
    'NtUserConsoleControl', # 0x14d
    'NtUserConvertMemHandle', # 0x14e
    'NtUserCopyAcceleratorTable', # 0x14f
    'NtUserCountClipboardFormats', # 0x150
    'NtUserCreateAcceleratorTable', # 0x151
    'NtUserCreateCaret', # 0x152
    'NtUserCreateDesktop', # 0x153
    'NtUserCreateInputContext', # 0x154
    'NtUserCreateLocalMemHandle', # 0x155
    'NtUserCreateWindowEx', # 0x156
    'NtUserCreateWindowStation', # 0x157
    'NtUserDdeGetQualityOfService', # 0x158
    'NtUserDdeInitialize', # 0x159
    'NtUserDdeSetQualityOfService', # 0x15a
    'NtUserDeferWindowPos', # 0x15b
    'NtUserDefSetText', # 0x15c
    'NtUserDeleteMenu', # 0x15d
    'NtUserDestroyAcceleratorTable', # 0x15e
    'NtUserDestroyCursor', # 0x15f
    'NtUserDestroyInputContext', # 0x160
    'NtUserDestroyMenu', # 0x161
    'NtUserDestroyWindow', # 0x162
    'NtUserDisableThreadIme', # 0x163
    'NtUserDispatchMessage', # 0x164
    'NtUserDragDetect', # 0x165
    'NtUserDragObject', # 0x166
    'NtUserDrawAnimatedRects', # 0x167
    'NtUserDrawCaption', # 0x168
    'NtUserDrawCaptionTemp', # 0x169
    'NtUserDrawIconEx', # 0x16a
    'NtUserDrawMenuBarTemp', # 0x16b
    'NtUserEmptyClipboard', # 0x16c
    'NtUserEnableMenuItem', # 0x16d
    'NtUserEnableScrollBar', # 0x16e
    'NtUserEndDeferWindowPosEx', # 0x16f
    'NtUserEndMenu', # 0x170
    'NtUserEndPaint', # 0x171
    'NtUserEnumDisplayDevices', # 0x172
    'NtUserEnumDisplayMonitors', # 0x173
    'NtUserEnumDisplaySettings', # 0x174
    'NtUserEvent', # 0x175
    'NtUserExcludeUpdateRgn', # 0x176
    'NtUserFillWindow', # 0x177
    'NtUserFindExistingCursorIcon', # 0x178
    'NtUserFindWindowEx', # 0x179
    'NtUserFlashWindowEx', # 0x17a
    'NtUserGetAltTabInfo', # 0x17b
    'NtUserGetAncestor', # 0x17c
    'NtUserGetAppImeLevel', # 0x17d
    'NtUserGetAsyncKeyState', # 0x17e
    'NtUserGetAtomName', # 0x17f
    'NtUserGetCaretBlinkTime', # 0x180
    'NtUserGetCaretPos', # 0x181
    'NtUserGetClassInfoEx', # 0x182
    'NtUserGetClassName', # 0x183
    'NtUserGetClipboardData', # 0x184
    'NtUserGetClipboardFormatName', # 0x185
    'NtUserGetClipboardOwner', # 0x186
    'NtUserGetClipboardSequenceNumber', # 0x187
    'NtUserGetClipboardViewer', # 0x188
    'NtUserGetClipCursor', # 0x189
    'NtUserGetComboBoxInfo', # 0x18a
    'NtUserGetControlBrush', # 0x18b
    'NtUserGetControlColor', # 0x18c
    'NtUserGetCPD', # 0x18d
    'NtUserGetCursorFrameInfo', # 0x18e
    'NtUserGetCursorInfo', # 0x18f
    'NtUserGetDC', # 0x190
    'NtUserGetDCEx', # 0x191
    'NtUserGetDoubleClickTime', # 0x192
    'NtUserGetForegroundWindow', # 0x193
    'NtUserGetGuiResources', # 0x194
    'NtUserGetGUIThreadInfo', # 0x195
    'NtUserGetIconInfo', # 0x196
    'NtUserGetIconSize', # 0x197
    'NtUserGetImeHotKey', # 0x198
    'NtUserGetImeInfoEx', # 0x199
    'NtUserGetInternalWindowPos', # 0x19a
    'NtUserGetKeyboardLayoutList', # 0x19b
    'NtUserGetKeyboardLayoutName', # 0x19c
    'NtUserGetKeyboardState', # 0x19d
    'NtUserGetKeyNameText', # 0x19e
    'NtUserGetKeyState', # 0x19f
    'NtUserGetListBoxInfo', # 0x1a0
    'NtUserGetMenuBarInfo', # 0x1a1
    'NtUserGetMenuIndex', # 0x1a2
    'NtUserGetMenuItemRect', # 0x1a3
    'NtUserGetMessage', # 0x1a4
    'NtUserGetMouseMovePointsEx', # 0x1a5
    'NtUserGetObjectInformation', # 0x1a6
    'NtUserGetOpenClipboardWindow', # 0x1a7
    'NtUserGetPriorityClipboardFormat', # 0x1a8
    'NtUserGetProcessWindowStation', # 0x1a9
    'NtUserGetRawInputBuffer', # 0x1aa
    'NtUserGetRawInputData', # 0x1ab
    'NtUserGetRawInputDeviceInfo', # 0x1ac
    'NtUserGetRawInputDeviceList', # 0x1ad
    'NtUserGetRegisteredRawInputDevices', # 0x1ae
    'NtUserGetScrollBarInfo', # 0x1af
    'NtUserGetSystemMenu', # 0x1b0
    'NtUserGetThreadDesktop', # 0x1b1
    'NtUserGetThreadState', # 0x1b2
    'NtUserGetTitleBarInfo', # 0x1b3
    'NtUserGetUpdateRect', # 0x1b4
    'NtUserGetUpdateRgn', # 0x1b5
    'NtUserGetWindowDC', # 0x1b6
    'NtUserGetWindowPlacement', # 0x1b7
    'NtUserGetWOWClass', # 0x1b8
    'NtUserHardErrorControl', # 0x1b9
    'NtUserHideCaret', # 0x1ba
    'NtUserHiliteMenuItem', # 0x1bb
    'NtUserImpersonateDdeClientWindow', # 0x1bc
    'NtUserInitialize', # 0x1bd
    'NtUserInitializeClientPfnArrays', # 0x1be
    'NtUserInitTask', # 0x1bf
    'NtUserInternalGetWindowText', # 0x1c0
    'NtUserInvalidateRect', # 0x1c1
    'NtUserInvalidateRgn', # 0x1c2
    'NtUserIsClipboardFormatAvailable', # 0x1c3
    'NtUserKillTimer', # 0x1c4
    'NtUserLoadKeyboardLayoutEx', # 0x1c5
    'NtUserLockWindowStation', # 0x1c6
    'NtUserLockWindowUpdate', # 0x1c7
    'NtUserLockWorkStation', # 0x1c8
    'NtUserMapVirtualKeyEx', # 0x1c9
    'NtUserMenuItemFromPoint', # 0x1ca
    'NtUserMessageCall', # 0x1cb
    'NtUserMinMaximize', # 0x1cc
    'NtUserMNDragLeave', # 0x1cd
    'NtUserMNDragOver', # 0x1ce
    'NtUserModifyUserStartupInfoFlags', # 0x1cf
    'NtUserMoveWindow', # 0x1d0
    'NtUserNotifyIMEStatus', # 0x1d1
    'NtUserNotifyProcessCreate', # 0x1d2
    'NtUserNotifyWinEvent', # 0x1d3
    'NtUserOpenClipboard', # 0x1d4
    'NtUserOpenDesktop', # 0x1d5
    'NtUserOpenInputDesktop', # 0x1d6
    'NtUserOpenWindowStation', # 0x1d7
    'NtUserPaintDesktop', # 0x1d8
    'NtUserPeekMessage', # 0x1d9
    'NtUserPostMessage', # 0x1da
    'NtUserPostThreadMessage', # 0x1db
    'NtUserPrintWindow', # 0x1dc
    'NtUserProcessConnect', # 0x1dd
    'NtUserQueryInformationThread', # 0x1de
    'NtUserQueryInputContext', # 0x1df
    'NtUserQuerySendMessage', # 0x1e0
    'NtUserQueryWindow', # 0x1e1
    'NtUserRealChildWindowFromPoint', # 0x1e2
    'NtUserRealInternalGetMessage', # 0x1e3
    'NtUserRealWaitMessageEx', # 0x1e4
    'NtUserRedrawWindow', # 0x1e5
    'NtUserRegisterClassExWOW', # 0x1e6
    'NtUserRegisterUserApiHook', # 0x1e7
    'NtUserRegisterHotKey', # 0x1e8
    'NtUserRegisterRawInputDevices', # 0x1e9
    'NtUserRegisterTasklist', # 0x1ea
    'NtUserRegisterWindowMessage', # 0x1eb
    'NtUserRemoveMenu', # 0x1ec
    'NtUserRemoveProp', # 0x1ed
    'NtUserResolveDesktop', # 0x1ee
    'NtUserResolveDesktopForWOW', # 0x1ef
    'NtUserSBGetParms', # 0x1f0
    'NtUserScrollDC', # 0x1f1
    'NtUserScrollWindowEx', # 0x1f2
    'NtUserSelectPalette', # 0x1f3
    'NtUserSendInput', # 0x1f4
    'NtUserSetActiveWindow', # 0x1f5
    'NtUserSetAppImeLevel', # 0x1f6
    'NtUserSetCapture', # 0x1f7
    'NtUserSetClassLong', # 0x1f8
    'NtUserSetClassWord', # 0x1f9
    'NtUserSetClipboardData', # 0x1fa
    'NtUserSetClipboardViewer', # 0x1fb
    'NtUserSetConsoleReserveKeys', # 0x1fc
    'NtUserSetCursor', # 0x1fd
    'NtUserSetCursorContents', # 0x1fe
    'NtUserSetCursorIconData', # 0x1ff
    'NtUserSetFocus', # 0x200
    'NtUserSetImeHotKey', # 0x201
    'NtUserSetImeInfoEx', # 0x202
    'NtUserSetImeOwnerWindow', # 0x203
    'NtUserSetInformationProcess', # 0x204
    'NtUserSetInformationThread', # 0x205
    'NtUserSetInternalWindowPos', # 0x206
    'NtUserSetKeyboardState', # 0x207
    'NtUserSetLogonNotifyWindow', # 0x208
    'NtUserSetMenu', # 0x209
    'NtUserSetMenuContextHelpId', # 0x20a
    'NtUserSetMenuDefaultItem', # 0x20b
    'NtUserSetMenuFlagRtoL', # 0x20c
    'NtUserSetObjectInformation', # 0x20d
    'NtUserSetParent', # 0x20e
    'NtUserSetProcessWindowStation', # 0x20f
    'NtUserSetProp', # 0x210
    'NtUserSetScrollInfo', # 0x211
    'NtUserSetShellWindowEx', # 0x212
    'NtUserSetSysColors', # 0x213
    'NtUserSetSystemCursor', # 0x214
    'NtUserSetSystemMenu', # 0x215
    'NtUserSetSystemTimer', # 0x216
    'NtUserSetThreadDesktop', # 0x217
    'NtUserSetThreadLayoutHandles', # 0x218
    'NtUserSetThreadState', # 0x219
    'NtUserSetTimer', # 0x21a
    'NtUserSetWindowFNID', # 0x21b
    'NtUserSetWindowLong', # 0x21c
    'NtUserSetWindowPlacement', # 0x21d
    'NtUserSetWindowPos', # 0x21e
    'NtUserSetWindowRgn', # 0x21f
    'NtUserSetWindowsHookAW', # 0x220
    'NtUserSetWindowsHookEx', # 0x221
    'NtUserSetWindowStationUser', # 0x222
    'NtUserSetWindowWord', # 0x223
    'NtUserSetWinEventHook', # 0x224
    'NtUserShowCaret', # 0x225
    'NtUserShowScrollBar', # 0x226
    'NtUserShowWindow', # 0x227
    'NtUserShowWindowAsync', # 0x228
    'NtUserSoundSentry', # 0x229
    'NtUserSwitchDesktop', # 0x22a
    'NtUserSystemParametersInfo', # 0x22b
    'NtUserTestForInteractiveUser', # 0x22c
    'NtUserThunkedMenuInfo', # 0x22d
    'NtUserThunkedMenuItemInfo', # 0x22e
    'NtUserToUnicodeEx', # 0x22f
    'NtUserTrackMouseEvent', # 0x230
    'NtUserTrackPopupMenuEx', # 0x231
    'NtUserCalcMenuBar', # 0x232
    'NtUserPaintMenuBar', # 0x233
    'NtUserTranslateAccelerator', # 0x234
    'NtUserTranslateMessage', # 0x235
    'NtUserUnhookWindowsHookEx', # 0x236
    'NtUserUnhookWinEvent', # 0x237
    'NtUserUnloadKeyboardLayout', # 0x238
    'NtUserUnlockWindowStation', # 0x239
    'NtUserUnregisterClass', # 0x23a
    'NtUserUnregisterUserApiHook', # 0x23b
    'NtUserUnregisterHotKey', # 0x23c
    'NtUserUpdateInputContext', # 0x23d
    'NtUserUpdateInstance', # 0x23e
    'NtUserUpdateLayeredWindow', # 0x23f
    'NtUserGetLayeredWindowAttributes', # 0x240
    'NtUserSetLayeredWindowAttributes', # 0x241
    'NtUserUpdatePerUserSystemParameters', # 0x242
    'NtUserUserHandleGrantAccess', # 0x243
    'NtUserValidateHandleSecure', # 0x244
    'NtUserValidateRect', # 0x245
    'NtUserValidateTimerCallback', # 0x246
    'NtUserVkKeyScanEx', # 0x247
    'NtUserWaitForInputIdle', # 0x248
    'NtUserWaitForMsgAndEvent', # 0x249
    'NtUserWaitMessage', # 0x24a
    'NtUserWin32PoolAllocationStats', # 0x24b
    'NtUserWindowFromPoint', # 0x24c
    'NtUserYieldTask', # 0x24d
    'NtUserRemoteConnect', # 0x24e
    'NtUserRemoteRedrawRectangle', # 0x24f
    'NtUserRemoteRedrawScreen', # 0x250
    'NtUserRemoteStopScreenUpdates', # 0x251
    'NtUserCtxDisplayIOCtl', # 0x252
    'NtGdiEngAssociateSurface', # 0x253
    'NtGdiEngCreateBitmap', # 0x254
        'NtGdiEngCreateDeviceSurface', # 0x255
        'NtGdiEngCreateDeviceBitmap', # 0x256
        'NtGdiEngCreatePalette', # 0x257
        'NtGdiEngComputeGlyphSet', # 0x258
        'NtGdiEngCopyBits', # 0x259
        'NtGdiEngDeletePalette', # 0x25a
        'NtGdiEngDeleteSurface', # 0x25b
        'NtGdiEngEraseSurface', # 0x25c
        'NtGdiEngUnlockSurface', # 0x25d
        'NtGdiEngLockSurface', # 0x25e
        'NtGdiEngBitBlt', # 0x25f
        'NtGdiEngStretchBlt', # 0x260
        'NtGdiEngPlgBlt', # 0x261
        'NtGdiEngMarkBandingSurface', # 0x262
        'NtGdiEngStrokePath', # 0x263
        'NtGdiEngFillPath', # 0x264
        'NtGdiEngStrokeAndFillPath', # 0x265
        'NtGdiEngPaint', # 0x266
        'NtGdiEngLineTo', # 0x267
        'NtGdiEngAlphaBlend', # 0x268
        'NtGdiEngGradientFill', # 0x269
        'NtGdiEngTransparentBlt', # 0x26a
        'NtGdiEngTextOut', # 0x26b
        'NtGdiEngStretchBltROP', # 0x26c
        'NtGdiXLATEOBJ_cGetPalette', # 0x26d
        'NtGdiXLATEOBJ_iXlate', # 0x26e
        'NtGdiXLATEOBJ_hGetColorTransform', # 0x26f
        'NtGdiCLIPOBJ_bEnum', # 0x270
        'NtGdiCLIPOBJ_cEnumStart', # 0x271
        'NtGdiCLIPOBJ_ppoGetPath', # 0x272
        'NtGdiEngDeletePath', # 0x273
        'NtGdiEngCreateClip', # 0x274
        'NtGdiEngDeleteClip', # 0x275
        'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x276
        'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x277
        'NtGdiBRUSHOBJ_pvGetRbrush', # 0x278
        'NtGdiBRUSHOBJ_hGetColorTransform', # 0x279
        'NtGdiXFORMOBJ_bApplyXform', # 0x27a
        'NtGdiXFORMOBJ_iGetXform', # 0x27b
        'NtGdiFONTOBJ_vGetInfo', # 0x27c
        'NtGdiFONTOBJ_pxoGetXform', # 0x27d
        'NtGdiFONTOBJ_cGetGlyphs', # 0x27e
        'NtGdiFONTOBJ_pifi', # 0x27f
        'NtGdiFONTOBJ_pfdg', # 0x280
        'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x281
        'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x282
        'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x283
        'NtGdiSTROBJ_bEnum', # 0x284
        'NtGdiSTROBJ_bEnumPositionsOnly', # 0x285
        'NtGdiSTROBJ_bGetAdvanceWidths', # 0x286
        'NtGdiSTROBJ_vEnumStart', # 0x287
        'NtGdiSTROBJ_dwGetCodePage', # 0x288
        'NtGdiPATHOBJ_vGetBounds', # 0x289
        'NtGdiPATHOBJ_bEnum', # 0x28a
        'NtGdiPATHOBJ_vEnumStart', # 0x28b
        'NtGdiPATHOBJ_vEnumStartClipLines', # 0x28c
        'NtGdiPATHOBJ_bEnumClipLines', # 0x28d
        'NtGdiGetDhpdev', # 0x28e
        'NtGdiEngCheckAbort', # 0x28f
        'NtGdiHT_Get8BPPFormatPalette', # 0x290
        'NtGdiHT_Get8BPPMaskPalette', # 0x291
        'NtGdiUpdateTransform', # 0x292
        'NtGdiSetPUMPDOBJ', # 0x293
        'NtGdiBRUSHOBJ_DeleteRbrush', # 0x294
        'NtGdiUMPDEngFreeUserMem', # 0x295
        'NtGdiDrawStream', # 0x296
        'NtGdiMakeObjectXferable', # 0x297
        'DxEngGetRedirectionBitmap', # 0x298
    ],
]

# volatility-2.3.1/volatility/plugins/overlays/windows/xp_sp2_x86_syscalls.py
# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
# Copyright (c) 2011 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

syscalls = [
    [
        'NtAcceptConnectPort', # 0x0
        'NtAccessCheck', # 0x1
        'NtAccessCheckAndAuditAlarm', # 0x2
        'NtAccessCheckByType', # 0x3
        'NtAccessCheckByTypeAndAuditAlarm', # 0x4
        'NtAccessCheckByTypeResultList', # 0x5
        'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x6
        'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x7
        'NtAddAtom', # 0x8
        'NtAddBootEntry', # 0x9
        'NtAdjustGroupsToken', # 0xa
        'NtAdjustPrivilegesToken', # 0xb
        'NtAlertResumeThread', # 0xc
        'NtAlertThread', # 0xd
        'NtAllocateLocallyUniqueId', # 0xe
        'NtAllocateUserPhysicalPages', # 0xf
        'NtAllocateUuids', # 0x10
        'NtAllocateVirtualMemory', # 0x11
        'NtAreMappedFilesTheSame', # 0x12
        'NtAssignProcessToJobObject', # 0x13
        'NtCallbackReturn', # 0x14
        'NtCancelDeviceWakeupRequest', # 0x15
        'NtCancelIoFile', # 0x16
        'NtCancelTimer', # 0x17
        'NtClearEvent', # 0x18
        'NtClose', # 0x19
        'NtCloseObjectAuditAlarm', # 0x1a
        'NtCompactKeys', # 0x1b
        'NtCompareTokens', # 0x1c
        'NtCompleteConnectPort', # 0x1d
        'NtCompressKey', # 0x1e
        'NtConnectPort', # 0x1f
        'NtContinue', # 0x20
        'NtCreateDebugObject', # 0x21
        'NtCreateDirectoryObject', # 0x22
        'NtCreateEvent', # 0x23
        'NtCreateEventPair', # 0x24
        'NtCreateFile', # 0x25
        'NtCreateIoCompletion', # 0x26
        'NtCreateJobObject', # 0x27
        'NtCreateJobSet', # 0x28
        'NtCreateKey', # 0x29
        'NtCreateMailslotFile', # 0x2a
        'NtCreateMutant', # 0x2b
        'NtCreateNamedPipeFile', # 0x2c
        'NtCreatePagingFile', # 0x2d
        'NtCreatePort', # 0x2e
        'NtCreateProcess', # 0x2f
        'NtCreateProcessEx', # 0x30
        'NtCreateProfile', # 0x31
        'NtCreateSection', # 0x32
        'NtCreateSemaphore', # 0x33
        'NtCreateSymbolicLinkObject', # 0x34
        'NtCreateThread', # 0x35
        'NtCreateTimer', # 0x36
        'NtCreateToken', # 0x37
        'NtCreateWaitablePort', # 0x38
        'NtDebugActiveProcess', # 0x39
        'NtDebugContinue', # 0x3a
        'NtDelayExecution', # 0x3b
        'NtDeleteAtom', # 0x3c
        'NtDeleteBootEntry', # 0x3d
        'NtDeleteFile', # 0x3e
        'NtDeleteKey', # 0x3f
        'NtDeleteObjectAuditAlarm', # 0x40
        'NtDeleteValueKey', # 0x41
        'NtDeviceIoControlFile', # 0x42
        'NtDisplayString', # 0x43
        'NtDuplicateObject', # 0x44
        'NtDuplicateToken', # 0x45
        'NtEnumerateBootEntries', # 0x46
        'NtEnumerateKey', # 0x47
        'NtEnumerateSystemEnvironmentValuesEx', # 0x48
        'NtEnumerateValueKey', # 0x49
        'NtExtendSection', # 0x4a
        'NtFilterToken', # 0x4b
        'NtFindAtom', # 0x4c
        'NtFlushBuffersFile', # 0x4d
        'NtFlushInstructionCache', # 0x4e
        'NtFlushKey', # 0x4f
        'NtFlushVirtualMemory', # 0x50
        'NtFlushWriteBuffer', # 0x51
        'NtFreeUserPhysicalPages', # 0x52
        'NtFreeVirtualMemory', # 0x53
        'NtFsControlFile', # 0x54
        'NtGetContextThread', # 0x55
        'NtGetDevicePowerState', # 0x56
        'NtGetPlugPlayEvent', # 0x57
        'NtGetWriteWatch', # 0x58
        'NtImpersonateAnonymousToken', # 0x59
        'NtImpersonateClientOfPort', # 0x5a
        'NtImpersonateThread', # 0x5b
        'NtInitializeRegistry', # 0x5c
        'NtInitiatePowerAction', # 0x5d
        'NtIsProcessInJob', # 0x5e
        'NtIsSystemResumeAutomatic', # 0x5f
        'NtListenPort', # 0x60
        'NtLoadDriver', # 0x61
        'NtLoadKey', # 0x62
        'NtLoadKey2', # 0x63
        'NtLockFile', # 0x64
        'NtLockProductActivationKeys', # 0x65
        'NtLockRegistryKey', # 0x66
        'NtLockVirtualMemory', # 0x67
        'NtMakePermanentObject', # 0x68
        'NtMakeTemporaryObject', # 0x69
        'NtMapUserPhysicalPages', # 0x6a
        'NtMapUserPhysicalPagesScatter', # 0x6b
        'NtMapViewOfSection', # 0x6c
        'NtModifyBootEntry', # 0x6d
        'NtNotifyChangeDirectoryFile', # 0x6e
        'NtNotifyChangeKey', # 0x6f
        'NtNotifyChangeMultipleKeys', # 0x70
        'NtOpenDirectoryObject', # 0x71
        'NtOpenEvent', # 0x72
        'NtOpenEventPair', # 0x73
        'NtOpenFile', # 0x74
        'NtOpenIoCompletion', # 0x75
        'NtOpenJobObject', # 0x76
        'NtOpenKey', # 0x77
        'NtOpenMutant', # 0x78
        'NtOpenObjectAuditAlarm', # 0x79
        'NtOpenProcess', # 0x7a
        'NtOpenProcessToken', # 0x7b
        'NtOpenProcessTokenEx', # 0x7c
        'NtOpenSection', # 0x7d
        'NtOpenSemaphore', # 0x7e
        'NtOpenSymbolicLinkObject', # 0x7f
        'NtOpenThread', # 0x80
        'NtOpenThreadToken', # 0x81
        'NtOpenThreadTokenEx', # 0x82
        'NtOpenTimer', # 0x83
        'NtPlugPlayControl', # 0x84
        'NtPowerInformation', # 0x85
        'NtPrivilegeCheck', # 0x86
        'NtPrivilegeObjectAuditAlarm', # 0x87
        'NtPrivilegedServiceAuditAlarm', # 0x88
        'NtProtectVirtualMemory', # 0x89
        'NtPulseEvent', # 0x8a
        'NtQueryAttributesFile', # 0x8b
        'NtQueryBootEntryOrder', # 0x8c
        'NtQueryBootOptions', # 0x8d
        'NtQueryDebugFilterState', # 0x8e
        'NtQueryDefaultLocale', # 0x8f
        'NtQueryDefaultUILanguage', # 0x90
        'NtQueryDirectoryFile', # 0x91
        'NtQueryDirectoryObject', # 0x92
        'NtQueryEaFile', # 0x93
        'NtQueryEvent', # 0x94
        'NtQueryFullAttributesFile', # 0x95
        'NtQueryInformationAtom', # 0x96
        'NtQueryInformationFile', # 0x97
        'NtQueryInformationJobObject', # 0x98
        'NtQueryInformationPort', # 0x99
        'NtQueryInformationProcess', # 0x9a
        'NtQueryInformationThread', # 0x9b
        'NtQueryInformationToken', # 0x9c
        'NtQueryInstallUILanguage', # 0x9d
        'NtQueryIntervalProfile', # 0x9e
        'NtQueryIoCompletion', # 0x9f
        'NtQueryKey', # 0xa0
        'NtQueryMultipleValueKey', # 0xa1
        'NtQueryMutant', # 0xa2
        'NtQueryObject', # 0xa3
        'NtQueryOpenSubKeys', # 0xa4
        'NtQueryPerformanceCounter', # 0xa5
        'NtQueryQuotaInformationFile', # 0xa6
        'NtQuerySection', # 0xa7
        'NtQuerySecurityObject', # 0xa8
        'NtQuerySemaphore', # 0xa9
        'NtQuerySymbolicLinkObject', # 0xaa
        'NtQuerySystemEnvironmentValue', # 0xab
        'NtQuerySystemEnvironmentValueEx', # 0xac
        'NtQuerySystemInformation', # 0xad
        'NtQuerySystemTime', # 0xae
        'NtQueryTimer', # 0xaf
        'NtQueryTimerResolution', # 0xb0
        'NtQueryValueKey', # 0xb1
        'NtQueryVirtualMemory', # 0xb2
        'NtQueryVolumeInformationFile', # 0xb3
        'NtQueueApcThread', # 0xb4
        'NtRaiseException', # 0xb5
        'NtRaiseHardError', # 0xb6
        'NtReadFile', # 0xb7
        'NtReadFileScatter', # 0xb8
        'NtReadRequestData', # 0xb9
        'NtReadVirtualMemory', # 0xba
        'NtRegisterThreadTerminatePort', # 0xbb
        'NtReleaseMutant', # 0xbc
        'NtReleaseSemaphore', # 0xbd
        'NtRemoveIoCompletion', # 0xbe
        'NtRemoveProcessDebug', # 0xbf
        'NtRenameKey', # 0xc0
        'NtReplaceKey', # 0xc1
        'NtReplyPort', # 0xc2
        'NtReplyWaitReceivePort', # 0xc3
        'NtReplyWaitReceivePortEx', # 0xc4
        'NtReplyWaitReplyPort', # 0xc5
        'NtRequestDeviceWakeup', # 0xc6
        'NtRequestPort', # 0xc7
        'NtRequestWaitReplyPort', # 0xc8
        'NtRequestWakeupLatency', # 0xc9
        'NtResetEvent', # 0xca
        'NtResetWriteWatch', # 0xcb
        'NtRestoreKey', # 0xcc
        'NtResumeProcess', # 0xcd
        'NtResumeThread', # 0xce
        'NtSaveKey', # 0xcf
        'NtSaveKeyEx', # 0xd0
        'NtSaveMergedKeys', # 0xd1
        'NtSecureConnectPort', # 0xd2
        'NtSetBootEntryOrder', # 0xd3
        'NtSetBootOptions', # 0xd4
        'NtSetContextThread', # 0xd5
        'NtSetDebugFilterState', # 0xd6
        'NtSetDefaultHardErrorPort', # 0xd7
        'NtSetDefaultLocale', # 0xd8
        'NtSetDefaultUILanguage', # 0xd9
        'NtSetEaFile', # 0xda
        'NtSetEvent', # 0xdb
        'NtSetEventBoostPriority', # 0xdc
        'NtSetHighEventPair', # 0xdd
        'NtSetHighWaitLowEventPair', # 0xde
        'NtSetInformationDebugObject', # 0xdf
        'NtSetInformationFile', # 0xe0
        'NtSetInformationJobObject', # 0xe1
        'NtSetInformationKey', # 0xe2
        'NtSetInformationObject', # 0xe3
        'NtSetInformationProcess', # 0xe4
        'NtSetInformationThread', # 0xe5
        'NtSetInformationToken', # 0xe6
        'NtSetIntervalProfile', # 0xe7
        'NtSetIoCompletion', # 0xe8
        'NtSetLdtEntries', # 0xe9
        'NtSetLowEventPair', # 0xea
        'NtSetLowWaitHighEventPair', # 0xeb
        'NtSetQuotaInformationFile', # 0xec
        'NtSetSecurityObject', # 0xed
        'NtSetSystemEnvironmentValue', # 0xee
        'NtSetSystemEnvironmentValueEx', # 0xef
        'NtSetSystemInformation', # 0xf0
        'NtSetSystemPowerState', # 0xf1
        'NtSetSystemTime', # 0xf2
        'NtSetThreadExecutionState', # 0xf3
        'NtSetTimer', # 0xf4
        'NtSetTimerResolution', # 0xf5
        'NtSetUuidSeed', # 0xf6
        'NtSetValueKey', # 0xf7
        'NtSetVolumeInformationFile', # 0xf8
        'NtShutdownSystem', # 0xf9
        'NtSignalAndWaitForSingleObject', # 0xfa
        'NtStartProfile', # 0xfb
        'NtStopProfile', # 0xfc
        'NtSuspendProcess', # 0xfd
        'NtSuspendThread', # 0xfe
        'NtSystemDebugControl', # 0xff
        'NtTerminateJobObject', # 0x100
        'NtTerminateProcess', # 0x101
        'NtTerminateThread', # 0x102
        'NtTestAlert', # 0x103
        'NtTraceEvent', # 0x104
        'NtTranslateFilePath', # 0x105
        'NtUnloadDriver', # 0x106
        'NtUnloadKey', # 0x107
        'NtUnloadKeyEx', # 0x108
        'NtUnlockFile', # 0x109
        'NtUnlockVirtualMemory', # 0x10a
        'NtUnmapViewOfSection', # 0x10b
        'NtVdmControl', # 0x10c
        'NtWaitForDebugEvent', # 0x10d
        'NtWaitForMultipleObjects', # 0x10e
        'NtWaitForSingleObject', # 0x10f
        'NtWaitHighEventPair', # 0x110
        'NtWaitLowEventPair', # 0x111
        'NtWriteFile', # 0x112
        'NtWriteFileGather', # 0x113
        'NtWriteRequestData', # 0x114
        'NtWriteVirtualMemory', # 0x115
        'NtYieldExecution', # 0x116
        'NtCreateKeyedEvent', # 0x117
        'NtOpenKeyedEvent', # 0x118
        'NtReleaseKeyedEvent', # 0x119
        'NtWaitForKeyedEvent', # 0x11a
        'NtQueryPortInformationProcess', # 0x11b
    ],
    [
        'NtGdiAbortDoc', # 0x0
        'NtGdiAbortPath', # 0x1
        'NtGdiAddFontResourceW', # 0x2
        'NtGdiAddRemoteFontToDC', # 0x3
        'NtGdiAddFontMemResourceEx', # 0x4
        'NtGdiRemoveMergeFont', # 0x5
        'NtGdiAddRemoteMMInstanceToDC', # 0x6
        'NtGdiAlphaBlend', # 0x7
        'NtGdiAngleArc', # 0x8
        'NtGdiAnyLinkedFonts', # 0x9
        'NtGdiFontIsLinked', # 0xa
        'NtGdiArcInternal', # 0xb
        'NtGdiBeginPath', # 0xc
        'NtGdiBitBlt', # 0xd
        'NtGdiCancelDC', # 0xe
        'NtGdiCheckBitmapBits', # 0xf
        'NtGdiCloseFigure', # 0x10
        'NtGdiClearBitmapAttributes', # 0x11
        'NtGdiClearBrushAttributes', # 0x12
        'NtGdiColorCorrectPalette', # 0x13
        'NtGdiCombineRgn', # 0x14
        'NtGdiCombineTransform', # 0x15
        'NtGdiComputeXformCoefficients', # 0x16
        'NtGdiConsoleTextOut', # 0x17
        'NtGdiConvertMetafileRect', # 0x18
        'NtGdiCreateBitmap', # 0x19
        'NtGdiCreateClientObj', # 0x1a
        'NtGdiCreateColorSpace', # 0x1b
        'NtGdiCreateColorTransform', # 0x1c
        'NtGdiCreateCompatibleBitmap', # 0x1d
        'NtGdiCreateCompatibleDC', # 0x1e
        'NtGdiCreateDIBBrush', # 0x1f
        'NtGdiCreateDIBitmapInternal', # 0x20
        'NtGdiCreateDIBSection', # 0x21
        'NtGdiCreateEllipticRgn', # 0x22
        'NtGdiCreateHalftonePalette', # 0x23
        'NtGdiCreateHatchBrushInternal', # 0x24
        'NtGdiCreateMetafileDC', # 0x25
        'NtGdiCreatePaletteInternal', # 0x26
        'NtGdiCreatePatternBrushInternal', # 0x27
        'NtGdiCreatePen', # 0x28
        'NtGdiCreateRectRgn', # 0x29
        'NtGdiCreateRoundRectRgn', # 0x2a
        'NtGdiCreateServerMetaFile', # 0x2b
        'NtGdiCreateSolidBrush', # 0x2c
        'NtGdiD3dContextCreate', # 0x2d
        'NtGdiD3dContextDestroy', # 0x2e
        'NtGdiD3dContextDestroyAll', # 0x2f
        'NtGdiD3dValidateTextureStageState', # 0x30
        'NtGdiD3dDrawPrimitives2', # 0x31
        'NtGdiDdGetDriverState', # 0x32
        'NtGdiDdAddAttachedSurface', # 0x33
        'NtGdiDdAlphaBlt', # 0x34
        'NtGdiDdAttachSurface', # 0x35
        'NtGdiDdBeginMoCompFrame', # 0x36
        'NtGdiDdBlt', # 0x37
        'NtGdiDdCanCreateSurface', # 0x38
        'NtGdiDdCanCreateD3DBuffer', # 0x39
        'NtGdiDdColorControl', # 0x3a
        'NtGdiDdCreateDirectDrawObject', # 0x3b
        'NtGdiDdCreateSurface', # 0x3c
        'NtGdiDdCreateD3DBuffer', # 0x3d
        'NtGdiDdCreateMoComp', # 0x3e
        'NtGdiDdCreateSurfaceObject', # 0x3f
        'NtGdiDdDeleteDirectDrawObject', # 0x40
        'NtGdiDdDeleteSurfaceObject', # 0x41
        'NtGdiDdDestroyMoComp', # 0x42
        'NtGdiDdDestroySurface', # 0x43
        'NtGdiDdDestroyD3DBuffer', # 0x44
        'NtGdiDdEndMoCompFrame', # 0x45
        'NtGdiDdFlip', # 0x46
        'NtGdiDdFlipToGDISurface', # 0x47
        'NtGdiDdGetAvailDriverMemory', # 0x48
        'NtGdiDdGetBltStatus', # 0x49
        'NtGdiDdGetDC', # 0x4a
        'NtGdiDdGetDriverInfo', # 0x4b
        'NtGdiDdGetDxHandle', # 0x4c
        'NtGdiDdGetFlipStatus', # 0x4d
        'NtGdiDdGetInternalMoCompInfo', # 0x4e
        'NtGdiDdGetMoCompBuffInfo', # 0x4f
        'NtGdiDdGetMoCompGuids', # 0x50
        'NtGdiDdGetMoCompFormats', # 0x51
        'NtGdiDdGetScanLine', # 0x52
        'NtGdiDdLock', # 0x53
        'NtGdiDdLockD3D', # 0x54
        'NtGdiDdQueryDirectDrawObject', # 0x55
        'NtGdiDdQueryMoCompStatus', # 0x56
        'NtGdiDdReenableDirectDrawObject', # 0x57
        'NtGdiDdReleaseDC', # 0x58
        'NtGdiDdRenderMoComp', # 0x59
        'NtGdiDdResetVisrgn', # 0x5a
        'NtGdiDdSetColorKey', # 0x5b
        'NtGdiDdSetExclusiveMode', # 0x5c
        'NtGdiDdSetGammaRamp', # 0x5d
        'NtGdiDdCreateSurfaceEx', # 0x5e
        'NtGdiDdSetOverlayPosition', # 0x5f
        'NtGdiDdUnattachSurface', # 0x60
        'NtGdiDdUnlock', # 0x61
        'NtGdiDdUnlockD3D', # 0x62
        'NtGdiDdUpdateOverlay', # 0x63
        'NtGdiDdWaitForVerticalBlank', # 0x64
        'NtGdiDvpCanCreateVideoPort', # 0x65
        'NtGdiDvpColorControl', # 0x66
        'NtGdiDvpCreateVideoPort', # 0x67
        'NtGdiDvpDestroyVideoPort', # 0x68
        'NtGdiDvpFlipVideoPort', # 0x69
        'NtGdiDvpGetVideoPortBandwidth', # 0x6a
        'NtGdiDvpGetVideoPortField', # 0x6b
        'NtGdiDvpGetVideoPortFlipStatus', # 0x6c
        'NtGdiDvpGetVideoPortInputFormats', # 0x6d
        'NtGdiDvpGetVideoPortLine', # 0x6e
        'NtGdiDvpGetVideoPortOutputFormats', # 0x6f
        'NtGdiDvpGetVideoPortConnectInfo', # 0x70
        'NtGdiDvpGetVideoSignalStatus', # 0x71
        'NtGdiDvpUpdateVideoPort', # 0x72
        'NtGdiDvpWaitForVideoPortSync', # 0x73
        'NtGdiDvpAcquireNotification', # 0x74
        'NtGdiDvpReleaseNotification', # 0x75
        'NtGdiDxgGenericThunk', # 0x76
        'NtGdiDeleteClientObj', # 0x77
        'NtGdiDeleteColorSpace', # 0x78
        'NtGdiDeleteColorTransform', # 0x79
        'NtGdiDeleteObjectApp', # 0x7a
        'NtGdiDescribePixelFormat', # 0x7b
        'NtGdiGetPerBandInfo', # 0x7c
        'NtGdiDoBanding', # 0x7d
        'NtGdiDoPalette', # 0x7e
        'NtGdiDrawEscape', # 0x7f
        'NtGdiEllipse', # 0x80
        'NtGdiEnableEudc', # 0x81
        'NtGdiEndDoc', # 0x82
        'NtGdiEndPage', # 0x83
        'NtGdiEndPath', # 0x84
        'NtGdiEnumFontChunk', # 0x85
        'NtGdiEnumFontClose', # 0x86
        'NtGdiEnumFontOpen', # 0x87
        'NtGdiEnumObjects', # 0x88
        'NtGdiEqualRgn', # 0x89
        'NtGdiEudcLoadUnloadLink', # 0x8a
        'NtGdiExcludeClipRect', # 0x8b
        'NtGdiExtCreatePen', # 0x8c
        'NtGdiExtCreateRegion', # 0x8d
        'NtGdiExtEscape', # 0x8e
        'NtGdiExtFloodFill', # 0x8f
        'NtGdiExtGetObjectW', # 0x90
        'NtGdiExtSelectClipRgn', # 0x91
        'NtGdiExtTextOutW', # 0x92
        'NtGdiFillPath', # 0x93
        'NtGdiFillRgn', # 0x94
        'NtGdiFlattenPath', # 0x95
        'NtGdiFlushUserBatch', # 0x96
        'NtGdiFlush', # 0x97
        'NtGdiForceUFIMapping', # 0x98
        'NtGdiFrameRgn', # 0x99
        'NtGdiFullscreenControl', # 0x9a
        'NtGdiGetAndSetDCDword', # 0x9b
        'NtGdiGetAppClipBox', # 0x9c
        'NtGdiGetBitmapBits', # 0x9d
        'NtGdiGetBitmapDimension', # 0x9e
        'NtGdiGetBoundsRect', # 0x9f
        'NtGdiGetCharABCWidthsW', # 0xa0
        'NtGdiGetCharacterPlacementW', # 0xa1
        'NtGdiGetCharSet', # 0xa2
        'NtGdiGetCharWidthW', # 0xa3
        'NtGdiGetCharWidthInfo', # 0xa4
        'NtGdiGetColorAdjustment', # 0xa5
        'NtGdiGetColorSpaceforBitmap', # 0xa6
        'NtGdiGetDCDword', # 0xa7
        'NtGdiGetDCforBitmap', # 0xa8
        'NtGdiGetDCObject', # 0xa9
        'NtGdiGetDCPoint', # 0xaa
        'NtGdiGetDeviceCaps', # 0xab
        'NtGdiGetDeviceGammaRamp', # 0xac
        'NtGdiGetDeviceCapsAll', # 0xad
        'NtGdiGetDIBitsInternal', # 0xae
        'NtGdiGetETM', # 0xaf
        'NtGdiGetEudcTimeStampEx', # 0xb0
        'NtGdiGetFontData', # 0xb1
        'NtGdiGetFontResourceInfoInternalW', # 0xb2
        'NtGdiGetGlyphIndicesW', # 0xb3
        'NtGdiGetGlyphIndicesWInternal', # 0xb4
        'NtGdiGetGlyphOutline', # 0xb5
        'NtGdiGetKerningPairs', # 0xb6
        'NtGdiGetLinkedUFIs', # 0xb7
        'NtGdiGetMiterLimit', # 0xb8
        'NtGdiGetMonitorID', # 0xb9
        'NtGdiGetNearestColor', # 0xba
        'NtGdiGetNearestPaletteIndex', # 0xbb
        'NtGdiGetObjectBitmapHandle', # 0xbc
        'NtGdiGetOutlineTextMetricsInternalW', # 0xbd
        'NtGdiGetPath', # 0xbe
        'NtGdiGetPixel', # 0xbf
        'NtGdiGetRandomRgn', # 0xc0
        'NtGdiGetRasterizerCaps', # 0xc1
        'NtGdiGetRealizationInfo', # 0xc2
        'NtGdiGetRegionData', # 0xc3
        'NtGdiGetRgnBox', # 0xc4
        'NtGdiGetServerMetaFileBits', # 0xc5
        'NtGdiGetSpoolMessage', # 0xc6
        'NtGdiGetStats', # 0xc7
        'NtGdiGetStockObject', # 0xc8
        'NtGdiGetStringBitmapW', # 0xc9
        'NtGdiGetSystemPaletteUse', # 0xca
        'NtGdiGetTextCharsetInfo', # 0xcb
        'NtGdiGetTextExtent', # 0xcc
        'NtGdiGetTextExtentExW', # 0xcd
        'NtGdiGetTextFaceW', # 0xce
        'NtGdiGetTextMetricsW', # 0xcf
        'NtGdiGetTransform', # 0xd0
        'NtGdiGetUFI', # 0xd1
        'NtGdiGetEmbUFI', # 0xd2
        'NtGdiGetUFIPathname', # 0xd3
        'NtGdiGetEmbedFonts', # 0xd4
        'NtGdiChangeGhostFont', # 0xd5
        'NtGdiAddEmbFontToDC', # 0xd6
        'NtGdiGetFontUnicodeRanges', # 0xd7
        'NtGdiGetWidthTable', # 0xd8
        'NtGdiGradientFill', # 0xd9
        'NtGdiHfontCreate', # 0xda
        'NtGdiIcmBrushInfo', # 0xdb
        'NtGdiInit', # 0xdc
        'NtGdiInitSpool', # 0xdd
        'NtGdiIntersectClipRect', # 0xde
        'NtGdiInvertRgn', # 0xdf
        'NtGdiLineTo', # 0xe0
        'NtGdiMakeFontDir', # 0xe1
        'NtGdiMakeInfoDC', # 0xe2
        'NtGdiMaskBlt', # 0xe3
        'NtGdiModifyWorldTransform', # 0xe4
        'NtGdiMonoBitmap', # 0xe5
        'NtGdiMoveTo', # 0xe6
        'NtGdiOffsetClipRgn', # 0xe7
        'NtGdiOffsetRgn', # 0xe8
        'NtGdiOpenDCW', # 0xe9
        'NtGdiPatBlt', # 0xea
        'NtGdiPolyPatBlt', # 0xeb
        'NtGdiPathToRegion', # 0xec
        'NtGdiPlgBlt', # 0xed
        'NtGdiPolyDraw', # 0xee
        'NtGdiPolyPolyDraw', # 0xef
        'NtGdiPolyTextOutW', # 0xf0
        'NtGdiPtInRegion', # 0xf1
        'NtGdiPtVisible', # 0xf2
        'NtGdiQueryFonts', # 0xf3
        'NtGdiQueryFontAssocInfo', # 0xf4
        'NtGdiRectangle', # 0xf5
        'NtGdiRectInRegion', # 0xf6
        'NtGdiRectVisible', # 0xf7
        'NtGdiRemoveFontResourceW', # 0xf8
        'NtGdiRemoveFontMemResourceEx', # 0xf9
        'NtGdiResetDC', # 0xfa
        'NtGdiResizePalette', # 0xfb
        'NtGdiRestoreDC', # 0xfc
        'NtGdiRoundRect', # 0xfd
        'NtGdiSaveDC', # 0xfe
        'NtGdiScaleViewportExtEx', # 0xff
        'NtGdiScaleWindowExtEx', # 0x100
        'NtGdiSelectBitmap', # 0x101
        'NtGdiSelectBrush', # 0x102
        'NtGdiSelectClipPath', # 0x103
        'NtGdiSelectFont', # 0x104
        'NtGdiSelectPen', # 0x105
        'NtGdiSetBitmapAttributes', # 0x106
        'NtGdiSetBitmapBits', # 0x107
        'NtGdiSetBitmapDimension', # 0x108
        'NtGdiSetBoundsRect', # 0x109
        'NtGdiSetBrushAttributes', # 0x10a
        'NtGdiSetBrushOrg', # 0x10b
        'NtGdiSetColorAdjustment', # 0x10c
        'NtGdiSetColorSpace', # 0x10d
        'NtGdiSetDeviceGammaRamp', # 0x10e
        'NtGdiSetDIBitsToDeviceInternal', # 0x10f
        'NtGdiSetFontEnumeration', # 0x110
        'NtGdiSetFontXform', # 0x111
        'NtGdiSetIcmMode', # 0x112
        'NtGdiSetLinkedUFIs', # 0x113
        'NtGdiSetMagicColors', # 0x114
        'NtGdiSetMetaRgn', # 0x115
        'NtGdiSetMiterLimit', # 0x116
        'NtGdiGetDeviceWidth', # 0x117
        'NtGdiMirrorWindowOrg', # 0x118
        'NtGdiSetLayout', # 0x119
        'NtGdiSetPixel', # 0x11a
        'NtGdiSetPixelFormat', # 0x11b
        'NtGdiSetRectRgn', # 0x11c
        'NtGdiSetSystemPaletteUse', # 0x11d
        'NtGdiSetTextJustification', # 0x11e
        'NtGdiSetupPublicCFONT', # 0x11f
        'NtGdiSetVirtualResolution', # 0x120
        'NtGdiSetSizeDevice', # 0x121
        'NtGdiStartDoc', # 0x122
        'NtGdiStartPage', # 0x123
        'NtGdiStretchBlt', # 0x124
        'NtGdiStretchDIBitsInternal', # 0x125
        'NtGdiStrokeAndFillPath', # 0x126
        'NtGdiStrokePath', # 0x127
        'NtGdiSwapBuffers', # 0x128
        'NtGdiTransformPoints', # 0x129
        'NtGdiTransparentBlt', # 0x12a
        'NtGdiUnloadPrinterDriver', # 0x12b
        'NtGdiUnmapMemFont', # 0x12c
        'NtGdiUnrealizeObject', # 0x12d
        'NtGdiUpdateColors', # 0x12e
        'NtGdiWidenPath', # 0x12f
        'NtUserActivateKeyboardLayout', # 0x130
        'NtUserAlterWindowStyle', # 0x131
        'NtUserAssociateInputContext', # 0x132
        'NtUserAttachThreadInput', # 0x133
        'NtUserBeginPaint', # 0x134
        'NtUserBitBltSysBmp', # 0x135
        'NtUserBlockInput', # 0x136
        'NtUserBuildHimcList', # 0x137
        'NtUserBuildHwndList', # 0x138
        'NtUserBuildNameList', # 0x139
        'NtUserBuildPropList', # 0x13a
        'NtUserCallHwnd', # 0x13b
        'NtUserCallHwndLock', # 0x13c
        'NtUserCallHwndOpt', # 0x13d
        'NtUserCallHwndParam', # 0x13e
        'NtUserCallHwndParamLock', # 0x13f
        'NtUserCallMsgFilter', # 0x140
        'NtUserCallNextHookEx', # 0x141
        'NtUserCallNoParam', # 0x142
        'NtUserCallOneParam', # 0x143
        'NtUserCallTwoParam', # 0x144
        'NtUserChangeClipboardChain', # 0x145
        'NtUserChangeDisplaySettings', # 0x146
        'NtUserCheckImeHotKey', # 0x147
        'NtUserCheckMenuItem', # 0x148
        'NtUserChildWindowFromPointEx', # 0x149
        'NtUserClipCursor', # 0x14a
        'NtUserCloseClipboard', # 0x14b
        'NtUserCloseDesktop', # 0x14c
        'NtUserCloseWindowStation', # 0x14d
        'NtUserConsoleControl', # 0x14e
        'NtUserConvertMemHandle', # 0x14f
        'NtUserCopyAcceleratorTable', # 0x150
        'NtUserCountClipboardFormats', # 0x151
        'NtUserCreateAcceleratorTable', # 0x152
        'NtUserCreateCaret', # 0x153
        'NtUserCreateDesktop', # 0x154
        'NtUserCreateInputContext', # 0x155
        'NtUserCreateLocalMemHandle', # 0x156
        'NtUserCreateWindowEx', # 0x157
        'NtUserCreateWindowStation', # 0x158
        'NtUserDdeGetQualityOfService', # 0x159
        'NtUserDdeInitialize', # 0x15a
        'NtUserDdeSetQualityOfService', # 0x15b
        'NtUserDeferWindowPos', # 0x15c
        'NtUserDefSetText', # 0x15d
        'NtUserDeleteMenu', # 0x15e
        'NtUserDestroyAcceleratorTable', # 0x15f
        'NtUserDestroyCursor', # 0x160
        'NtUserDestroyInputContext', # 0x161
        'NtUserDestroyMenu', # 0x162
        'NtUserDestroyWindow', # 0x163
        'NtUserDisableThreadIme', # 0x164
        'NtUserDispatchMessage', # 0x165
        'NtUserDragDetect', # 0x166
        'NtUserDragObject', # 0x167
        'NtUserDrawAnimatedRects', # 0x168
        'NtUserDrawCaption', # 0x169
        'NtUserDrawCaptionTemp', # 0x16a
        'NtUserDrawIconEx', # 0x16b
        'NtUserDrawMenuBarTemp', # 0x16c
        'NtUserEmptyClipboard', # 0x16d
        'NtUserEnableMenuItem', # 0x16e
        'NtUserEnableScrollBar', # 0x16f
        'NtUserEndDeferWindowPosEx', # 0x170
        'NtUserEndMenu', # 0x171
        'NtUserEndPaint', # 0x172
        'NtUserEnumDisplayDevices', # 0x173
        'NtUserEnumDisplayMonitors', # 0x174
        'NtUserEnumDisplaySettings', # 0x175
        'NtUserEvent', # 0x176
        'NtUserExcludeUpdateRgn', # 0x177
        'NtUserFillWindow', # 0x178
        'NtUserFindExistingCursorIcon', # 0x179
        'NtUserFindWindowEx', # 0x17a
        'NtUserFlashWindowEx', # 0x17b
        'NtUserGetAltTabInfo', # 0x17c
        'NtUserGetAncestor', # 0x17d
        'NtUserGetAppImeLevel', # 0x17e
        'NtUserGetAsyncKeyState', # 0x17f
        'NtUserGetAtomName', # 0x180
        'NtUserGetCaretBlinkTime', # 0x181
        'NtUserGetCaretPos', # 0x182
        'NtUserGetClassInfo', # 0x183
        'NtUserGetClassName', # 0x184
        'NtUserGetClipboardData', # 0x185
        'NtUserGetClipboardFormatName', # 0x186
        'NtUserGetClipboardOwner', # 0x187
        'NtUserGetClipboardSequenceNumber', # 0x188
        'NtUserGetClipboardViewer', # 0x189
        'NtUserGetClipCursor', # 0x18a
        'NtUserGetComboBoxInfo', # 0x18b
        'NtUserGetControlBrush', # 0x18c
        'NtUserGetControlColor', # 0x18d
        'NtUserGetCPD', # 0x18e
        'NtUserGetCursorFrameInfo', # 0x18f
        'NtUserGetCursorInfo', # 0x190
        'NtUserGetDC', # 0x191
        'NtUserGetDCEx', # 0x192
        'NtUserGetDoubleClickTime', # 0x193
        'NtUserGetForegroundWindow', # 0x194
        'NtUserGetGuiResources', # 0x195
        'NtUserGetGUIThreadInfo', # 0x196
        'NtUserGetIconInfo', # 0x197
        'NtUserGetIconSize', # 0x198
        'NtUserGetImeHotKey', # 0x199
        'NtUserGetImeInfoEx', # 0x19a
        'NtUserGetInternalWindowPos', # 0x19b
        'NtUserGetKeyboardLayoutList', # 0x19c
        'NtUserGetKeyboardLayoutName', # 0x19d
        'NtUserGetKeyboardState', # 0x19e
        'NtUserGetKeyNameText', # 0x19f
        'NtUserGetKeyState', # 0x1a0
        'NtUserGetListBoxInfo', # 0x1a1
        'NtUserGetMenuBarInfo', # 0x1a2
        'NtUserGetMenuIndex', # 0x1a3
        'NtUserGetMenuItemRect', # 0x1a4
        'NtUserGetMessage', # 0x1a5
        'NtUserGetMouseMovePointsEx', # 0x1a6
        'NtUserGetObjectInformation', # 0x1a7
        'NtUserGetOpenClipboardWindow', # 0x1a8
        'NtUserGetPriorityClipboardFormat', # 0x1a9
        'NtUserGetProcessWindowStation', # 0x1aa
        'NtUserGetRawInputBuffer', # 0x1ab
        'NtUserGetRawInputData', # 0x1ac
        'NtUserGetRawInputDeviceInfo', # 0x1ad
        'NtUserGetRawInputDeviceList', # 0x1ae
        'NtUserGetRegisteredRawInputDevices', # 0x1af
        'NtUserGetScrollBarInfo', # 0x1b0
        'NtUserGetSystemMenu', # 0x1b1
        'NtUserGetThreadDesktop', # 0x1b2
        'NtUserGetThreadState', # 0x1b3
        'NtUserGetTitleBarInfo', # 0x1b4
        'NtUserGetUpdateRect', # 0x1b5
        'NtUserGetUpdateRgn', # 0x1b6
        'NtUserGetWindowDC', # 0x1b7
        'NtUserGetWindowPlacement', # 0x1b8
        'NtUserGetWOWClass', # 0x1b9
        'NtUserHardErrorControl', # 0x1ba
        'NtUserHideCaret', # 0x1bb
        'NtUserHiliteMenuItem', # 0x1bc
        'NtUserImpersonateDdeClientWindow', # 0x1bd
        'NtUserInitialize', # 0x1be
        'NtUserInitializeClientPfnArrays', # 0x1bf
        'NtUserInitTask', # 0x1c0
        'NtUserInternalGetWindowText', # 0x1c1
        'NtUserInvalidateRect', # 0x1c2
        'NtUserInvalidateRgn', # 0x1c3
        'NtUserIsClipboardFormatAvailable', # 0x1c4
        'NtUserKillTimer', # 0x1c5
        'NtUserLoadKeyboardLayoutEx', # 0x1c6
        'NtUserLockWindowStation', # 0x1c7
        'NtUserLockWindowUpdate', # 0x1c8
        'NtUserLockWorkStation', # 0x1c9
        'NtUserMapVirtualKeyEx', # 0x1ca
        'NtUserMenuItemFromPoint', # 0x1cb
        'NtUserMessageCall', # 0x1cc
        'NtUserMinMaximize', # 0x1cd
        'NtUserMNDragLeave', # 0x1ce
        'NtUserMNDragOver', # 0x1cf
        'NtUserModifyUserStartupInfoFlags', # 0x1d0
        'NtUserMoveWindow', # 0x1d1
        'NtUserNotifyIMEStatus', # 0x1d2
        'NtUserNotifyProcessCreate', # 0x1d3
        'NtUserNotifyWinEvent', # 0x1d4
        'NtUserOpenClipboard', # 0x1d5
        'NtUserOpenDesktop', # 0x1d6
        'NtUserOpenInputDesktop', # 0x1d7
        'NtUserOpenWindowStation', # 0x1d8
        'NtUserPaintDesktop', # 0x1d9
        'NtUserPeekMessage', # 0x1da
        'NtUserPostMessage', # 0x1db
        'NtUserPostThreadMessage', # 0x1dc
        'NtUserPrintWindow', # 0x1dd
        'NtUserProcessConnect', # 0x1de
        'NtUserQueryInformationThread', # 0x1df
        'NtUserQueryInputContext', # 0x1e0
        'NtUserQuerySendMessage', # 0x1e1
        'NtUserQueryUserCounters', # 0x1e2
        'NtUserQueryWindow', # 0x1e3
        'NtUserRealChildWindowFromPoint', # 0x1e4
        'NtUserRealInternalGetMessage', # 0x1e5
        'NtUserRealWaitMessageEx', # 0x1e6
        'NtUserRedrawWindow', # 0x1e7
        'NtUserRegisterClassExWOW', # 0x1e8
        'NtUserRegisterUserApiHook', # 0x1e9
        'NtUserRegisterHotKey', # 0x1ea
        'NtUserRegisterRawInputDevices', # 0x1eb
        'NtUserRegisterTasklist', # 0x1ec
        'NtUserRegisterWindowMessage', # 0x1ed
        'NtUserRemoveMenu', # 0x1ee
        'NtUserRemoveProp', # 0x1ef
        'NtUserResolveDesktop', # 0x1f0
        'NtUserResolveDesktopForWOW', # 0x1f1
        'NtUserSBGetParms', # 0x1f2
        'NtUserScrollDC', # 0x1f3
        'NtUserScrollWindowEx', # 0x1f4
        'NtUserSelectPalette', # 0x1f5
        'NtUserSendInput', # 0x1f6
        'NtUserSetActiveWindow', # 0x1f7
        'NtUserSetAppImeLevel', # 0x1f8
        'NtUserSetCapture', # 0x1f9
        'NtUserSetClassLong', # 0x1fa
        'NtUserSetClassWord', # 0x1fb
        'NtUserSetClipboardData', # 0x1fc
        'NtUserSetClipboardViewer', # 0x1fd
        'NtUserSetConsoleReserveKeys', # 0x1fe
        'NtUserSetCursor', # 0x1ff
        'NtUserSetCursorContents', # 0x200
        'NtUserSetCursorIconData', # 0x201
        'NtUserSetDbgTag', # 0x202
        'NtUserSetFocus', # 0x203
        'NtUserSetImeHotKey', # 0x204
        'NtUserSetImeInfoEx', # 0x205
        'NtUserSetImeOwnerWindow', # 0x206
        'NtUserSetInformationProcess', # 0x207
        'NtUserSetInformationThread', # 0x208
        'NtUserSetInternalWindowPos', # 0x209
        'NtUserSetKeyboardState', # 0x20a
        'NtUserSetLogonNotifyWindow', # 0x20b
        'NtUserSetMenu', # 0x20c
        'NtUserSetMenuContextHelpId', # 0x20d
        'NtUserSetMenuDefaultItem', # 0x20e
        'NtUserSetMenuFlagRtoL', # 0x20f
        'NtUserSetObjectInformation', # 0x210
        'NtUserSetParent', # 0x211
        'NtUserSetProcessWindowStation', # 0x212
        'NtUserSetProp', # 0x213
        'NtUserSetRipFlags', # 0x214
        'NtUserSetScrollInfo', # 0x215
        'NtUserSetShellWindowEx', # 0x216
        'NtUserSetSysColors', # 0x217
        'NtUserSetSystemCursor', # 0x218
        'NtUserSetSystemMenu', # 0x219
        'NtUserSetSystemTimer', # 0x21a
        'NtUserSetThreadDesktop', # 0x21b
        'NtUserSetThreadLayoutHandles', # 0x21c
        'NtUserSetThreadState', # 0x21d
        'NtUserSetTimer', # 0x21e
        'NtUserSetWindowFNID', # 0x21f
        'NtUserSetWindowLong', # 0x220
        'NtUserSetWindowPlacement', # 0x221
        'NtUserSetWindowPos', # 0x222
        'NtUserSetWindowRgn', # 0x223
        'NtUserSetWindowsHookAW', # 0x224
        'NtUserSetWindowsHookEx', # 0x225
        'NtUserSetWindowStationUser', # 0x226
        'NtUserSetWindowWord', # 0x227
        'NtUserSetWinEventHook', # 0x228
        'NtUserShowCaret', # 0x229
        'NtUserShowScrollBar', # 0x22a
        'NtUserShowWindow', # 0x22b
        'NtUserShowWindowAsync', # 0x22c
        'NtUserSoundSentry', # 0x22d
        'NtUserSwitchDesktop', # 0x22e
        'NtUserSystemParametersInfo', # 0x22f
        'NtUserTestForInteractiveUser', # 0x230
        'NtUserThunkedMenuInfo', # 0x231
        'NtUserThunkedMenuItemInfo', # 0x232
        'NtUserToUnicodeEx', # 0x233
        'NtUserTrackMouseEvent', # 0x234
        'NtUserTrackPopupMenuEx', # 0x235
        'NtUserCalcMenuBar', # 0x236
        'NtUserPaintMenuBar', # 0x237
        'NtUserTranslateAccelerator', # 0x238
        'NtUserTranslateMessage', # 0x239
        'NtUserUnhookWindowsHookEx', # 0x23a
        'NtUserUnhookWinEvent', # 0x23b
        'NtUserUnloadKeyboardLayout', # 0x23c
        'NtUserUnlockWindowStation', # 0x23d
        'NtUserUnregisterClass', # 0x23e
        'NtUserUnregisterUserApiHook', # 0x23f
        'NtUserUnregisterHotKey', # 0x240
        'NtUserUpdateInputContext', # 0x241
        'NtUserUpdateInstance', # 0x242
        'NtUserUpdateLayeredWindow', # 0x243
        'NtUserGetLayeredWindowAttributes', # 0x244
        'NtUserSetLayeredWindowAttributes', # 0x245
        'NtUserUpdatePerUserSystemParameters', # 0x246
        'NtUserUserHandleGrantAccess', # 0x247
        'NtUserValidateHandleSecure', # 0x248
        'NtUserValidateRect', # 0x249
        'NtUserValidateTimerCallback', # 0x24a
        'NtUserVkKeyScanEx', # 0x24b
        'NtUserWaitForInputIdle', # 0x24c
        'NtUserWaitForMsgAndEvent', # 0x24d
        'NtUserWaitMessage', # 0x24e
        'NtUserWin32PoolAllocationStats', # 0x24f
        'NtUserWindowFromPoint', # 0x250
        'NtUserYieldTask', # 0x251
        'NtUserRemoteConnect', # 0x252
        'NtUserRemoteRedrawRectangle', # 0x253
        'NtUserRemoteRedrawScreen', # 0x254
        'NtUserRemoteStopScreenUpdates', # 0x255
        'NtUserCtxDisplayIOCtl', # 0x256
        'NtGdiEngAssociateSurface', # 0x257
        'NtGdiEngCreateBitmap', # 0x258
        'NtGdiEngCreateDeviceSurface', # 0x259
        'NtGdiEngCreateDeviceBitmap', # 0x25a
        'NtGdiEngCreatePalette', # 0x25b
        'NtGdiEngComputeGlyphSet', # 0x25c
        'NtGdiEngCopyBits', # 0x25d
        'NtGdiEngDeletePalette', # 0x25e
        'NtGdiEngDeleteSurface', # 0x25f
        'NtGdiEngEraseSurface', # 0x260
        'NtGdiEngUnlockSurface', # 0x261
        'NtGdiEngLockSurface', # 0x262
        'NtGdiEngBitBlt', # 0x263
        'NtGdiEngStretchBlt', # 0x264
        'NtGdiEngPlgBlt', # 0x265
        'NtGdiEngMarkBandingSurface', # 0x266
        'NtGdiEngStrokePath', # 0x267
        'NtGdiEngFillPath', # 0x268
        'NtGdiEngStrokeAndFillPath', # 0x269
        'NtGdiEngPaint', # 0x26a
        'NtGdiEngLineTo', # 0x26b
        'NtGdiEngAlphaBlend', # 0x26c
        'NtGdiEngGradientFill', # 0x26d
        'NtGdiEngTransparentBlt', # 0x26e
        'NtGdiEngTextOut', # 0x26f
        'NtGdiEngStretchBltROP', # 0x270
        'NtGdiXLATEOBJ_cGetPalette', # 0x271
        'NtGdiXLATEOBJ_iXlate', # 0x272
        'NtGdiXLATEOBJ_hGetColorTransform', # 0x273
        'NtGdiCLIPOBJ_bEnum', # 0x274
        'NtGdiCLIPOBJ_cEnumStart', # 0x275
        'NtGdiCLIPOBJ_ppoGetPath', # 0x276
        'NtGdiEngDeletePath', # 0x277
        'NtGdiEngCreateClip', # 0x278
        'NtGdiEngDeleteClip', # 0x279
        'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x27a
        'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x27b
        'NtGdiBRUSHOBJ_pvGetRbrush', # 0x27c
        'NtGdiBRUSHOBJ_hGetColorTransform', # 0x27d
        'NtGdiXFORMOBJ_bApplyXform', # 0x27e
        'NtGdiXFORMOBJ_iGetXform', # 0x27f
        'NtGdiFONTOBJ_vGetInfo', # 0x280
        'NtGdiFONTOBJ_pxoGetXform', # 0x281
        'NtGdiFONTOBJ_cGetGlyphs', # 0x282
        'NtGdiFONTOBJ_pifi', # 0x283
        'NtGdiFONTOBJ_pfdg', # 0x284
        'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x285
        'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x286
        'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x287
        'NtGdiSTROBJ_bEnum', # 0x288
        'NtGdiSTROBJ_bEnumPositionsOnly', # 0x289
        'NtGdiSTROBJ_bGetAdvanceWidths', # 0x28a
        'NtGdiSTROBJ_vEnumStart', # 0x28b
        'NtGdiSTROBJ_dwGetCodePage', # 0x28c
        'NtGdiPATHOBJ_vGetBounds', # 0x28d
        'NtGdiPATHOBJ_bEnum', # 0x28e
        'NtGdiPATHOBJ_vEnumStart', # 0x28f
        'NtGdiPATHOBJ_vEnumStartClipLines', # 0x290
        'NtGdiPATHOBJ_bEnumClipLines', # 0x291
        'NtGdiGetDhpdev', # 0x292
        'NtGdiEngCheckAbort', # 0x293
        'NtGdiHT_Get8BPPFormatPalette', # 0x294
        'NtGdiHT_Get8BPPMaskPalette', # 0x295
        'NtGdiUpdateTransform', # 0x296
        'NtGdiSetPUMPDOBJ', # 0x297
        'NtGdiBRUSHOBJ_DeleteRbrush', # 0x298
        'NtGdiUMPDEngFreeUserMem', # 0x299
        'NtGdiDrawStream', # 0x29a
    ],
]

# volatility-2.3.1/volatility/plugins/overlays/windows/win2003_sp0_x86_syscalls.py
# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: MHL
@license: GNU General Public License 2.0
@contact: michael.ligh@mnin.org

This file provides support for Windows 2003 SP0.
""" syscalls = [ [ 'NtAcceptConnectPort', # 0x0 'NtAccessCheck', # 0x1 'NtAccessCheckAndAuditAlarm', # 0x2 'NtAccessCheckByType', # 0x3 'NtAccessCheckByTypeAndAuditAlarm', # 0x4 'NtAccessCheckByTypeResultList', # 0x5 'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x6 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x7 'NtAddAtom', # 0x8 'NtAddBootEntry', # 0x9 'NtAddDriverEntry', # 0xa 'NtAdjustGroupsToken', # 0xb 'NtAdjustPrivilegesToken', # 0xc 'NtAlertResumeThread', # 0xd 'NtAlertThread', # 0xe 'NtAllocateLocallyUniqueId', # 0xf 'NtAllocateUserPhysicalPages', # 0x10 'NtAllocateUuids', # 0x11 'NtAllocateVirtualMemory', # 0x12 'NtApphelpCacheControl', # 0x13 'NtAreMappedFilesTheSame', # 0x14 'NtAssignProcessToJobObject', # 0x15 'NtCallbackReturn', # 0x16 'NtCancelDeviceWakeupRequest', # 0x17 'NtCancelIoFile', # 0x18 'NtCancelTimer', # 0x19 'NtClearEvent', # 0x1a 'NtClose', # 0x1b 'NtCloseObjectAuditAlarm', # 0x1c 'NtCompactKeys', # 0x1d 'NtCompareTokens', # 0x1e 'NtCompleteConnectPort', # 0x1f 'NtCompressKey', # 0x20 'NtConnectPort', # 0x21 'NtContinue', # 0x22 'NtCreateDebugObject', # 0x23 'NtCreateDirectoryObject', # 0x24 'NtCreateEvent', # 0x25 'NtCreateEventPair', # 0x26 'NtCreateFile', # 0x27 'NtCreateIoCompletion', # 0x28 'NtCreateJobObject', # 0x29 'NtCreateJobSet', # 0x2a 'NtCreateKey', # 0x2b 'NtCreateMailslotFile', # 0x2c 'NtCreateMutant', # 0x2d 'NtCreateNamedPipeFile', # 0x2e 'NtCreatePagingFile', # 0x2f 'NtCreatePort', # 0x30 'NtCreateProcess', # 0x31 'NtCreateProcessEx', # 0x32 'NtCreateProfile', # 0x33 'NtCreateSection', # 0x34 'NtCreateSemaphore', # 0x35 'NtCreateSymbolicLinkObject', # 0x36 'NtCreateThread', # 0x37 'NtCreateTimer', # 0x38 'NtCreateToken', # 0x39 'NtCreateWaitablePort', # 0x3a 'NtDebugActiveProcess', # 0x3b 'NtDebugContinue', # 0x3c 'NtDelayExecution', # 0x3d 'NtDeleteAtom', # 0x3e 'NtDeleteBootEntry', # 0x3f 'NtDeleteDriverEntry', # 0x40 'NtDeleteFile', # 0x41 'NtDeleteKey', # 0x42 'NtDeleteObjectAuditAlarm', # 0x43 
        'NtDeleteValueKey', # 0x44
        'NtDeviceIoControlFile', # 0x45
        'NtDisplayString', # 0x46
        'NtDuplicateObject', # 0x47
        'NtDuplicateToken', # 0x48
        'NtEnumerateBootEntries', # 0x49
        'NtEnumerateDriverEntries', # 0x4a
        'NtEnumerateKey', # 0x4b
        'NtEnumerateSystemEnvironmentValuesEx', # 0x4c
        'NtEnumerateValueKey', # 0x4d
        'NtExtendSection', # 0x4e
        'NtFilterToken', # 0x4f
        'NtFindAtom', # 0x50
        'NtFlushBuffersFile', # 0x51
        'NtFlushInstructionCache', # 0x52
        'NtFlushKey', # 0x53
        'NtFlushVirtualMemory', # 0x54
        'NtFlushWriteBuffer', # 0x55
        'NtFreeUserPhysicalPages', # 0x56
        'NtFreeVirtualMemory', # 0x57
        'NtFsControlFile', # 0x58
        'NtGetContextThread', # 0x59
        'NtGetDevicePowerState', # 0x5a
        'NtGetPlugPlayEvent', # 0x5b
        'NtGetWriteWatch', # 0x5c
        'NtImpersonateAnonymousToken', # 0x5d
        'NtImpersonateClientOfPort', # 0x5e
        'NtImpersonateThread', # 0x5f
        'NtInitializeRegistry', # 0x60
        'NtInitiatePowerAction', # 0x61
        'NtIsProcessInJob', # 0x62
        'NtIsSystemResumeAutomatic', # 0x63
        'NtListenPort', # 0x64
        'NtLoadDriver', # 0x65
        'NtLoadKey', # 0x66
        'NtLoadKey2', # 0x67
        'NtLoadKeyEx', # 0x68
        'NtLockFile', # 0x69
        'NtLockProductActivationKeys', # 0x6a
        'NtLockRegistryKey', # 0x6b
        'NtLockVirtualMemory', # 0x6c
        'NtMakePermanentObject', # 0x6d
        'NtMakeTemporaryObject', # 0x6e
        'NtMapUserPhysicalPages', # 0x6f
        'NtMapUserPhysicalPagesScatter', # 0x70
        'NtMapViewOfSection', # 0x71
        'NtModifyBootEntry', # 0x72
        'NtModifyDriverEntry', # 0x73
        'NtNotifyChangeDirectoryFile', # 0x74
        'NtNotifyChangeKey', # 0x75
        'NtNotifyChangeMultipleKeys', # 0x76
        'NtOpenDirectoryObject', # 0x77
        'NtOpenEvent', # 0x78
        'NtOpenEventPair', # 0x79
        'NtOpenFile', # 0x7a
        'NtOpenIoCompletion', # 0x7b
        'NtOpenJobObject', # 0x7c
        'NtOpenKey', # 0x7d
        'NtOpenMutant', # 0x7e
        'NtOpenObjectAuditAlarm', # 0x7f
        'NtOpenProcess', # 0x80
        'NtOpenProcessToken', # 0x81
        'NtOpenProcessTokenEx', # 0x82
        'NtOpenSection', # 0x83
        'NtOpenSemaphore', # 0x84
        'NtOpenSymbolicLinkObject', # 0x85
        'NtOpenThread', # 0x86
        'NtOpenThreadToken', # 0x87
        'NtOpenThreadTokenEx', # 0x88
        'NtOpenTimer', # 0x89
        'NtPlugPlayControl', # 0x8a
        'NtPowerInformation', # 0x8b
        'NtPrivilegeCheck', # 0x8c
        'NtPrivilegeObjectAuditAlarm', # 0x8d
        'NtPrivilegedServiceAuditAlarm', # 0x8e
        'NtProtectVirtualMemory', # 0x8f
        'NtPulseEvent', # 0x90
        'NtQueryAttributesFile', # 0x91
        'NtQueryBootEntryOrder', # 0x92
        'NtQueryBootOptions', # 0x93
        'NtQueryDebugFilterState', # 0x94
        'NtQueryDefaultLocale', # 0x95
        'NtQueryDefaultUILanguage', # 0x96
        'NtQueryDirectoryFile', # 0x97
        'NtQueryDirectoryObject', # 0x98
        'NtQueryDriverEntryOrder', # 0x99
        'NtQueryEaFile', # 0x9a
        'NtQueryEvent', # 0x9b
        'NtQueryFullAttributesFile', # 0x9c
        'NtQueryInformationAtom', # 0x9d
        'NtQueryInformationFile', # 0x9e
        'NtQueryInformationJobObject', # 0x9f
        'NtQueryInformationPort', # 0xa0
        'NtQueryInformationProcess', # 0xa1
        'NtQueryInformationThread', # 0xa2
        'NtQueryInformationToken', # 0xa3
        'NtQueryInstallUILanguage', # 0xa4
        'NtQueryIntervalProfile', # 0xa5
        'NtQueryIoCompletion', # 0xa6
        'NtQueryKey', # 0xa7
        'NtQueryMultipleValueKey', # 0xa8
        'NtQueryMutant', # 0xa9
        'NtQueryObject', # 0xaa
        'NtQueryOpenSubKeys', # 0xab
        'NtQueryOpenSubKeysEx', # 0xac
        'NtQueryPerformanceCounter', # 0xad
        'NtQueryQuotaInformationFile', # 0xae
        'NtQuerySection', # 0xaf
        'NtQuerySecurityObject', # 0xb0
        'NtQuerySemaphore', # 0xb1
        'NtQuerySymbolicLinkObject', # 0xb2
        'NtQuerySystemEnvironmentValue', # 0xb3
        'NtQuerySystemEnvironmentValueEx', # 0xb4
        'NtQuerySystemInformation', # 0xb5
        'NtQuerySystemTime', # 0xb6
        'NtQueryTimer', # 0xb7
        'NtQueryTimerResolution', # 0xb8
        'NtQueryValueKey', # 0xb9
        'NtQueryVirtualMemory', # 0xba
        'NtQueryVolumeInformationFile', # 0xbb
        'NtQueueApcThread', # 0xbc
        'NtRaiseException', # 0xbd
        'NtRaiseHardError', # 0xbe
        'NtReadFile', # 0xbf
        'NtReadFileScatter', # 0xc0
        'NtReadRequestData', # 0xc1
        'NtReadVirtualMemory', # 0xc2
        'NtRegisterThreadTerminatePort', # 0xc3
        'NtReleaseMutant', # 0xc4
        'NtReleaseSemaphore', # 0xc5
        'NtRemoveIoCompletion', # 0xc6
        'NtRemoveProcessDebug', # 0xc7
        'NtRenameKey', # 0xc8
        'NtReplaceKey', # 0xc9
        'NtReplyPort', # 0xca
        'NtReplyWaitReceivePort', # 0xcb
        'NtReplyWaitReceivePortEx', # 0xcc
        'NtReplyWaitReplyPort', # 0xcd
        'NtRequestDeviceWakeup', # 0xce
        'NtRequestPort', # 0xcf
        'NtRequestWaitReplyPort', # 0xd0
        'NtRequestWakeupLatency', # 0xd1
        'NtResetEvent', # 0xd2
        'NtResetWriteWatch', # 0xd3
        'NtRestoreKey', # 0xd4
        'NtResumeProcess', # 0xd5
        'NtResumeThread', # 0xd6
        'NtSaveKey', # 0xd7
        'NtSaveKeyEx', # 0xd8
        'NtSaveMergedKeys', # 0xd9
        'NtSecureConnectPort', # 0xda
        'NtSetBootEntryOrder', # 0xdb
        'NtSetBootOptions', # 0xdc
        'NtSetContextThread', # 0xdd
        'NtSetDebugFilterState', # 0xde
        'NtSetDefaultHardErrorPort', # 0xdf
        'NtSetDefaultLocale', # 0xe0
        'NtSetDefaultUILanguage', # 0xe1
        'NtSetDriverEntryOrder', # 0xe2
        'NtSetEaFile', # 0xe3
        'NtSetEvent', # 0xe4
        'NtSetEventBoostPriority', # 0xe5
        'NtSetHighEventPair', # 0xe6
        'NtSetHighWaitLowEventPair', # 0xe7
        'NtSetInformationDebugObject', # 0xe8
        'NtSetInformationFile', # 0xe9
        'NtSetInformationJobObject', # 0xea
        'NtSetInformationKey', # 0xeb
        'NtSetInformationObject', # 0xec
        'NtSetInformationProcess', # 0xed
        'NtSetInformationThread', # 0xee
        'NtSetInformationToken', # 0xef
        'NtSetIntervalProfile', # 0xf0
        'NtSetIoCompletion', # 0xf1
        'NtSetLdtEntries', # 0xf2
        'NtSetLowEventPair', # 0xf3
        'NtSetLowWaitHighEventPair', # 0xf4
        'NtSetQuotaInformationFile', # 0xf5
        'NtSetSecurityObject', # 0xf6
        'NtSetSystemEnvironmentValue', # 0xf7
        'NtSetSystemEnvironmentValueEx', # 0xf8
        'NtSetSystemInformation', # 0xf9
        'NtSetSystemPowerState', # 0xfa
        'NtSetSystemTime', # 0xfb
        'NtSetThreadExecutionState', # 0xfc
        'NtSetTimer', # 0xfd
        'NtSetTimerResolution', # 0xfe
        'NtSetUuidSeed', # 0xff
        'NtSetValueKey', # 0x100
        'NtSetVolumeInformationFile', # 0x101
        'NtShutdownSystem', # 0x102
        'NtSignalAndWaitForSingleObject', # 0x103
        'NtStartProfile', # 0x104
        'NtStopProfile', # 0x105
        'NtSuspendProcess', # 0x106
        'NtSuspendThread', # 0x107
        'NtSystemDebugControl', # 0x108
        'NtTerminateJobObject', # 0x109
        'NtTerminateProcess', # 0x10a
        'NtTerminateThread', # 0x10b
        'NtTestAlert', # 0x10c
        'NtTraceEvent', # 0x10d
        'NtTranslateFilePath', # 0x10e
        'NtUnloadDriver', # 0x10f
        'NtUnloadKey', # 0x110
        'NtUnloadKey2', # 0x111
        'NtUnloadKeyEx', # 0x112
        'NtUnlockFile', # 0x113
        'NtUnlockVirtualMemory', # 0x114
        'NtUnmapViewOfSection', # 0x115
        'NtVdmControl', # 0x116
        'NtWaitForDebugEvent', # 0x117
        'NtWaitForMultipleObjects', # 0x118
        'NtWaitForSingleObject', # 0x119
        'NtWaitHighEventPair', # 0x11a
        'NtWaitLowEventPair', # 0x11b
        'NtWriteFile', # 0x11c
        'NtWriteFileGather', # 0x11d
        'NtWriteRequestData', # 0x11e
        'NtWriteVirtualMemory', # 0x11f
        'NtYieldExecution', # 0x120
        'NtCreateKeyedEvent', # 0x121
        'NtOpenKeyedEvent', # 0x122
        'NtReleaseKeyedEvent', # 0x123
        'NtWaitForKeyedEvent', # 0x124
        'NtQueryPortInformationProcess', # 0x125
        'NtGetCurrentProcessorNumber', # 0x126
    ],
    [
        'NtGdiAbortDoc', # 0x0
        'NtGdiAbortPath', # 0x1
        'NtGdiAddFontResourceW', # 0x2
        'NtGdiAddRemoteFontToDC', # 0x3
        'NtGdiAddFontMemResourceEx', # 0x4
        'NtGdiRemoveMergeFont', # 0x5
        'NtGdiAddRemoteMMInstanceToDC', # 0x6
        'NtGdiAlphaBlend', # 0x7
        'NtGdiAngleArc', # 0x8
        'NtGdiAnyLinkedFonts', # 0x9
        'NtGdiFontIsLinked', # 0xa
        'NtGdiArcInternal', # 0xb
        'NtGdiBeginPath', # 0xc
        'NtGdiBitBlt', # 0xd
        'NtGdiCancelDC', # 0xe
        'NtGdiCheckBitmapBits', # 0xf
        'NtGdiCloseFigure', # 0x10
        'NtGdiClearBitmapAttributes', # 0x11
        'NtGdiClearBrushAttributes', # 0x12
        'NtGdiColorCorrectPalette', # 0x13
        'NtGdiCombineRgn', # 0x14
        'NtGdiCombineTransform', # 0x15
        'NtGdiComputeXformCoefficients', # 0x16
        'NtGdiConsoleTextOut', # 0x17
        'NtGdiConvertMetafileRect', # 0x18
        'NtGdiCreateBitmap', # 0x19
        'NtGdiCreateClientObj', # 0x1a
        'NtGdiCreateColorSpace', # 0x1b
        'NtGdiCreateColorTransform', # 0x1c
        'NtGdiCreateCompatibleBitmap', # 0x1d
        'NtGdiCreateCompatibleDC', # 0x1e
        'NtGdiCreateDIBBrush', # 0x1f
        'NtGdiCreateDIBitmapInternal', # 0x20
        'NtGdiCreateDIBSection', # 0x21
        'NtGdiCreateEllipticRgn', # 0x22
        'NtGdiCreateHalftonePalette', # 0x23
        'NtGdiCreateHatchBrushInternal', # 0x24
        'NtGdiCreateMetafileDC', # 0x25
        'NtGdiCreatePaletteInternal', # 0x26
        'NtGdiCreatePatternBrushInternal', # 0x27
        'NtGdiCreatePen', # 0x28
        'NtGdiCreateRectRgn', # 0x29
        'NtGdiCreateRoundRectRgn', # 0x2a
        'NtGdiCreateServerMetaFile', # 0x2b
        'NtGdiCreateSolidBrush', # 0x2c
        'NtGdiD3dContextCreate', # 0x2d
        'NtGdiD3dContextDestroy', # 0x2e
        'NtGdiD3dContextDestroyAll', # 0x2f
        'NtGdiD3dValidateTextureStageState', # 0x30
        'NtGdiD3dDrawPrimitives2', # 0x31
        'NtGdiDdGetDriverState', # 0x32
        'NtGdiDdAddAttachedSurface', # 0x33
        'NtGdiDdAlphaBlt', # 0x34
        'NtGdiDdAttachSurface', # 0x35
        'NtGdiDdBeginMoCompFrame', # 0x36
        'NtGdiDdBlt', # 0x37
        'NtGdiDdCanCreateSurface', # 0x38
        'NtGdiDdCanCreateD3DBuffer', # 0x39
        'NtGdiDdColorControl', # 0x3a
        'NtGdiDdCreateDirectDrawObject', # 0x3b
        'NtGdiDdCreateSurface', # 0x3c
        'NtGdiDdCreateD3DBuffer', # 0x3d
        'NtGdiDdCreateMoComp', # 0x3e
        'NtGdiDdCreateSurfaceObject', # 0x3f
        'NtGdiDdDeleteDirectDrawObject', # 0x40
        'NtGdiDdDeleteSurfaceObject', # 0x41
        'NtGdiDdDestroyMoComp', # 0x42
        'NtGdiDdDestroySurface', # 0x43
        'NtGdiDdDestroyD3DBuffer', # 0x44
        'NtGdiDdEndMoCompFrame', # 0x45
        'NtGdiDdFlip', # 0x46
        'NtGdiDdFlipToGDISurface', # 0x47
        'NtGdiDdGetAvailDriverMemory', # 0x48
        'NtGdiDdGetBltStatus', # 0x49
        'NtGdiDdGetDC', # 0x4a
        'NtGdiDdGetDriverInfo', # 0x4b
        'NtGdiDdGetDxHandle', # 0x4c
        'NtGdiDdGetFlipStatus', # 0x4d
        'NtGdiDdGetInternalMoCompInfo', # 0x4e
        'NtGdiDdGetMoCompBuffInfo', # 0x4f
        'NtGdiDdGetMoCompGuids', # 0x50
        'NtGdiDdGetMoCompFormats', # 0x51
        'NtGdiDdGetScanLine', # 0x52
        'NtGdiDdLock', # 0x53
        'NtGdiDdLockD3D', # 0x54
        'NtGdiDdQueryDirectDrawObject', # 0x55
        'NtGdiDdQueryMoCompStatus', # 0x56
        'NtGdiDdReenableDirectDrawObject', # 0x57
        'NtGdiDdReleaseDC', # 0x58
        'NtGdiDdRenderMoComp', # 0x59
        'NtGdiDdResetVisrgn', # 0x5a
        'NtGdiDdSetColorKey', # 0x5b
        'NtGdiDdSetExclusiveMode', # 0x5c
        'NtGdiDdSetGammaRamp', # 0x5d
        'NtGdiDdCreateSurfaceEx', # 0x5e
        'NtGdiDdSetOverlayPosition', # 0x5f
        'NtGdiDdUnattachSurface', # 0x60
        'NtGdiDdUnlock', # 0x61
        'NtGdiDdUnlockD3D', # 0x62
        'NtGdiDdUpdateOverlay', # 0x63
        'NtGdiDdWaitForVerticalBlank', # 0x64
        'NtGdiDvpCanCreateVideoPort', # 0x65
        'NtGdiDvpColorControl', # 0x66
        'NtGdiDvpCreateVideoPort', # 0x67
        'NtGdiDvpDestroyVideoPort', # 0x68
        'NtGdiDvpFlipVideoPort', # 0x69
        'NtGdiDvpGetVideoPortBandwidth', # 0x6a
        'NtGdiDvpGetVideoPortField', # 0x6b
        'NtGdiDvpGetVideoPortFlipStatus', # 0x6c
        'NtGdiDvpGetVideoPortInputFormats', # 0x6d
        'NtGdiDvpGetVideoPortLine', # 0x6e
        'NtGdiDvpGetVideoPortOutputFormats', # 0x6f
        'NtGdiDvpGetVideoPortConnectInfo', # 0x70
        'NtGdiDvpGetVideoSignalStatus', # 0x71
        'NtGdiDvpUpdateVideoPort', # 0x72
        'NtGdiDvpWaitForVideoPortSync', # 0x73
        'NtGdiDvpAcquireNotification', # 0x74
        'NtGdiDvpReleaseNotification', # 0x75
        'NtGdiDxgGenericThunk', # 0x76
        'NtGdiDeleteClientObj', # 0x77
        'NtGdiDeleteColorSpace', # 0x78
        'NtGdiDeleteColorTransform', # 0x79
        'NtGdiDeleteObjectApp', # 0x7a
        'NtGdiDescribePixelFormat', # 0x7b
        'NtGdiGetPerBandInfo', # 0x7c
        'NtGdiDoBanding', # 0x7d
        'NtGdiDoPalette', # 0x7e
        'NtGdiDrawEscape', # 0x7f
        'NtGdiEllipse', # 0x80
        'NtGdiEnableEudc', # 0x81
        'NtGdiEndDoc', # 0x82
        'NtGdiEndPage', # 0x83
        'NtGdiEndPath', # 0x84
        'NtGdiEnumFontChunk', # 0x85
        'NtGdiEnumFontClose', # 0x86
        'NtGdiEnumFontOpen', # 0x87
        'NtGdiEnumObjects', # 0x88
        'NtGdiEqualRgn', # 0x89
        'NtGdiEudcLoadUnloadLink', # 0x8a
        'NtGdiExcludeClipRect', # 0x8b
        'NtGdiExtCreatePen', # 0x8c
        'NtGdiExtCreateRegion', # 0x8d
        'NtGdiExtEscape', # 0x8e
        'NtGdiExtFloodFill', # 0x8f
        'NtGdiExtGetObjectW', # 0x90
        'NtGdiExtSelectClipRgn', # 0x91
        'NtGdiExtTextOutW', # 0x92
        'NtGdiFillPath', # 0x93
        'NtGdiFillRgn', # 0x94
        'NtGdiFlattenPath', # 0x95
        'NtGdiFlush', # 0x96
        'NtGdiForceUFIMapping', # 0x97
        'NtGdiFrameRgn', # 0x98
        'NtGdiFullscreenControl', # 0x99
        'NtGdiGetAndSetDCDword', # 0x9a
        'NtGdiGetAppClipBox', # 0x9b
        'NtGdiGetBitmapBits', # 0x9c
        'NtGdiGetBitmapDimension', # 0x9d
        'NtGdiGetBoundsRect', # 0x9e
        'NtGdiGetCharABCWidthsW', # 0x9f
        'NtGdiGetCharacterPlacementW', # 0xa0
        'NtGdiGetCharSet', # 0xa1
        'NtGdiGetCharWidthW', # 0xa2
        'NtGdiGetCharWidthInfo', # 0xa3
        'NtGdiGetColorAdjustment', # 0xa4
        'NtGdiGetColorSpaceforBitmap', # 0xa5
        'NtGdiGetDCDword', # 0xa6
        'NtGdiGetDCforBitmap', # 0xa7
        'NtGdiGetDCObject', # 0xa8
        'NtGdiGetDCPoint', # 0xa9
        'NtGdiGetDeviceCaps', # 0xaa
        'NtGdiGetDeviceGammaRamp', # 0xab
        'NtGdiGetDeviceCapsAll', # 0xac
        'NtGdiGetDIBitsInternal', # 0xad
        'NtGdiGetETM', # 0xae
        'NtGdiGetEudcTimeStampEx', # 0xaf
        'NtGdiGetFontData', # 0xb0
        'NtGdiGetFontResourceInfoInternalW', # 0xb1
        'NtGdiGetGlyphIndicesW', # 0xb2
        'NtGdiGetGlyphIndicesWInternal', # 0xb3
        'NtGdiGetGlyphOutline', # 0xb4
        'NtGdiGetKerningPairs', # 0xb5
        'NtGdiGetLinkedUFIs', # 0xb6
        'NtGdiGetMiterLimit', # 0xb7
        'NtGdiGetMonitorID', # 0xb8
        'NtGdiGetNearestColor', # 0xb9
        'NtGdiGetNearestPaletteIndex', # 0xba
        'NtGdiGetObjectBitmapHandle', # 0xbb
        'NtGdiGetOutlineTextMetricsInternalW', # 0xbc
        'NtGdiGetPath', # 0xbd
        'NtGdiGetPixel', # 0xbe
        'NtGdiGetRandomRgn', # 0xbf
        'NtGdiGetRasterizerCaps', # 0xc0
        'NtGdiGetRealizationInfo', # 0xc1
        'NtGdiGetRegionData', # 0xc2
        'NtGdiGetRgnBox', # 0xc3
        'NtGdiGetServerMetaFileBits', # 0xc4
        'NtGdiGetSpoolMessage', # 0xc5
        'NtGdiGetStats', # 0xc6
        'NtGdiGetStockObject', # 0xc7
        'NtGdiGetStringBitmapW', # 0xc8
        'NtGdiGetSystemPaletteUse', # 0xc9
        'NtGdiGetTextCharsetInfo', # 0xca
        'NtGdiGetTextExtent', # 0xcb
        'NtGdiGetTextExtentExW', # 0xcc
        'NtGdiGetTextFaceW', # 0xcd
        'NtGdiGetTextMetricsW', # 0xce
        'NtGdiGetTransform', # 0xcf
        'NtGdiGetUFI', # 0xd0
        'NtGdiGetEmbUFI', # 0xd1
        'NtGdiGetUFIPathname', # 0xd2
        'NtGdiGetEmbedFonts', # 0xd3
        'NtGdiChangeGhostFont', # 0xd4
        'NtGdiAddEmbFontToDC', # 0xd5
        'NtGdiGetFontUnicodeRanges', # 0xd6
        'NtGdiGetWidthTable', # 0xd7
        'NtGdiGradientFill', # 0xd8
        'NtGdiHfontCreate', # 0xd9
        'NtGdiIcmBrushInfo', # 0xda
        'NtGdiInit', # 0xdb
        'NtGdiInitSpool', # 0xdc
        'NtGdiIntersectClipRect', # 0xdd
        'NtGdiInvertRgn', # 0xde
        'NtGdiLineTo', # 0xdf
        'NtGdiMakeFontDir', # 0xe0
        'NtGdiMakeInfoDC', # 0xe1
        'NtGdiMaskBlt', # 0xe2
        'NtGdiModifyWorldTransform', # 0xe3
        'NtGdiMonoBitmap', # 0xe4
        'NtGdiMoveTo', # 0xe5
        'NtGdiOffsetClipRgn', # 0xe6
        'NtGdiOffsetRgn', # 0xe7
        'NtGdiOpenDCW', # 0xe8
        'NtGdiPatBlt', # 0xe9
        'NtGdiPolyPatBlt', # 0xea
        'NtGdiPathToRegion', # 0xeb
        'NtGdiPlgBlt', # 0xec
        'NtGdiPolyDraw', # 0xed
        'NtGdiPolyPolyDraw', # 0xee
        'NtGdiPolyTextOutW', # 0xef
        'NtGdiPtInRegion', # 0xf0
        'NtGdiPtVisible', # 0xf1
        'NtGdiQueryFonts', # 0xf2
        'NtGdiQueryFontAssocInfo', # 0xf3
        'NtGdiRectangle', # 0xf4
        'NtGdiRectInRegion', # 0xf5
        'NtGdiRectVisible', # 0xf6
        'NtGdiRemoveFontResourceW', # 0xf7
        'NtGdiRemoveFontMemResourceEx', # 0xf8
        'NtGdiResetDC', # 0xf9
        'NtGdiResizePalette', # 0xfa
        'NtGdiRestoreDC', # 0xfb
        'NtGdiRoundRect', # 0xfc
        'NtGdiSaveDC', # 0xfd
        'NtGdiScaleViewportExtEx', # 0xfe
        'NtGdiScaleWindowExtEx', # 0xff
        'NtGdiSelectBitmap', # 0x100
        'NtGdiSelectBrush', # 0x101
        'NtGdiSelectClipPath', # 0x102
        'NtGdiSelectFont', # 0x103
        'NtGdiSelectPen', # 0x104
        'NtGdiSetBitmapAttributes', # 0x105
        'NtGdiSetBitmapBits', # 0x106
        'NtGdiSetBitmapDimension', # 0x107
        'NtGdiSetBoundsRect', # 0x108
        'NtGdiSetBrushAttributes', # 0x109
        'NtGdiSetBrushOrg', # 0x10a
        'NtGdiSetColorAdjustment', # 0x10b
        'NtGdiSetColorSpace', # 0x10c
        'NtGdiSetDeviceGammaRamp', # 0x10d
        'NtGdiSetDIBitsToDeviceInternal', # 0x10e
        'NtGdiSetFontEnumeration', # 0x10f
        'NtGdiSetFontXform', # 0x110
        'NtGdiSetIcmMode', # 0x111
        'NtGdiSetLinkedUFIs', # 0x112
        'NtGdiSetMagicColors', # 0x113
        'NtGdiSetMetaRgn', # 0x114
        'NtGdiSetMiterLimit', # 0x115
        'NtGdiGetDeviceWidth', # 0x116
        'NtGdiMirrorWindowOrg', # 0x117
        'NtGdiSetLayout', # 0x118
        'NtGdiSetPixel', # 0x119
        'NtGdiSetPixelFormat', # 0x11a
        'NtGdiSetRectRgn', # 0x11b
        'NtGdiSetSystemPaletteUse', # 0x11c
        'NtGdiSetTextJustification', # 0x11d
        'NtGdiSetupPublicCFONT', # 0x11e
        'NtGdiSetVirtualResolution', # 0x11f
        'NtGdiSetSizeDevice', # 0x120
        'NtGdiStartDoc', # 0x121
        'NtGdiStartPage', # 0x122
        'NtGdiStretchBlt', # 0x123
        'NtGdiStretchDIBitsInternal', # 0x124
        'NtGdiStrokeAndFillPath', # 0x125
        'NtGdiStrokePath', # 0x126
        'NtGdiSwapBuffers', # 0x127
        'NtGdiTransformPoints', # 0x128
        'NtGdiTransparentBlt', # 0x129
        'NtGdiUnloadPrinterDriver', # 0x12a
        'NtGdiUnmapMemFont', # 0x12b
        'NtGdiUnrealizeObject', # 0x12c
        'NtGdiUpdateColors', # 0x12d
        'NtGdiWidenPath', # 0x12e
        'NtUserActivateKeyboardLayout', # 0x12f
        'NtUserAlterWindowStyle', # 0x130
        'NtUserAssociateInputContext', # 0x131
        'NtUserAttachThreadInput', # 0x132
        'NtUserBeginPaint', # 0x133
        'NtUserBitBltSysBmp', # 0x134
        'NtUserBlockInput', # 0x135
        'NtUserBuildHimcList', # 0x136
        'NtUserBuildHwndList', # 0x137
        'NtUserBuildNameList', # 0x138
        'NtUserBuildPropList', # 0x139
        'NtUserCallHwnd', # 0x13a
        'NtUserCallHwndLock', # 0x13b
        'NtUserCallHwndOpt', # 0x13c
        'NtUserCallHwndParam', # 0x13d
        'NtUserCallHwndParamLock', # 0x13e
        'NtUserCallMsgFilter', # 0x13f
        'NtUserCallNextHookEx', # 0x140
        'NtUserCallNoParam', # 0x141
        'NtUserCallOneParam', # 0x142
        'NtUserCallTwoParam', # 0x143
        'NtUserChangeClipboardChain', # 0x144
        'NtUserChangeDisplaySettings', # 0x145
        'NtUserCheckImeHotKey', # 0x146
        'NtUserCheckMenuItem', # 0x147
        'NtUserChildWindowFromPointEx', # 0x148
        'NtUserClipCursor', # 0x149
        'NtUserCloseClipboard', # 0x14a
        'NtUserCloseDesktop', # 0x14b
        'NtUserCloseWindowStation', # 0x14c
        'NtUserConsoleControl', # 0x14d
        'NtUserConvertMemHandle', # 0x14e
        'NtUserCopyAcceleratorTable', # 0x14f
        'NtUserCountClipboardFormats', # 0x150
        'NtUserCreateAcceleratorTable', # 0x151
        'NtUserCreateCaret', # 0x152
        'NtUserCreateDesktop', # 0x153
        'NtUserCreateInputContext', # 0x154
        'NtUserCreateLocalMemHandle', # 0x155
        'NtUserCreateWindowEx', # 0x156
        'NtUserCreateWindowStation', # 0x157
        'NtUserDdeGetQualityOfService', # 0x158
        'NtUserDdeInitialize', # 0x159
        'NtUserDdeSetQualityOfService', # 0x15a
        'NtUserDeferWindowPos', # 0x15b
        'NtUserDefSetText', # 0x15c
        'NtUserDeleteMenu', # 0x15d
        'NtUserDestroyAcceleratorTable', # 0x15e
        'NtUserDestroyCursor', # 0x15f
        'NtUserDestroyInputContext', # 0x160
        'NtUserDestroyMenu', # 0x161
        'NtUserDestroyWindow', # 0x162
        'NtUserDisableThreadIme', # 0x163
        'NtUserDispatchMessage', # 0x164
        'NtUserDragDetect', # 0x165
        'NtUserDragObject', # 0x166
        'NtUserDrawAnimatedRects', # 0x167
        'NtUserDrawCaption', # 0x168
        'NtUserDrawCaptionTemp', # 0x169
        'NtUserDrawIconEx', # 0x16a
        'NtUserDrawMenuBarTemp', # 0x16b
        'NtUserEmptyClipboard', # 0x16c
        'NtUserEnableMenuItem', # 0x16d
        'NtUserEnableScrollBar', # 0x16e
        'NtUserEndDeferWindowPosEx', # 0x16f
        'NtUserEndMenu', # 0x170
        'NtUserEndPaint', # 0x171
        'NtUserEnumDisplayDevices', # 0x172
        'NtUserEnumDisplayMonitors', # 0x173
        'NtUserEnumDisplaySettings', # 0x174
        'NtUserEvent', # 0x175
        'NtUserExcludeUpdateRgn', # 0x176
        'NtUserFillWindow', # 0x177
        'NtUserFindExistingCursorIcon', # 0x178
        'NtUserFindWindowEx', # 0x179
        'NtUserFlashWindowEx', # 0x17a
        'NtUserGetAltTabInfo', # 0x17b
        'NtUserGetAncestor', # 0x17c
        'NtUserGetAppImeLevel', # 0x17d
        'NtUserGetAsyncKeyState', # 0x17e
        'NtUserGetAtomName', # 0x17f
        'NtUserGetCaretBlinkTime', # 0x180
        'NtUserGetCaretPos', # 0x181
        'NtUserGetClassInfoEx', # 0x182
        'NtUserGetClassName', # 0x183
        'NtUserGetClipboardData', # 0x184
        'NtUserGetClipboardFormatName', # 0x185
        'NtUserGetClipboardOwner', # 0x186
        'NtUserGetClipboardSequenceNumber', # 0x187
        'NtUserGetClipboardViewer', # 0x188
        'NtUserGetClipCursor', # 0x189
        'NtUserGetComboBoxInfo', # 0x18a
        'NtUserGetControlBrush', # 0x18b
        'NtUserGetControlColor', # 0x18c
        'NtUserGetCPD', # 0x18d
        'NtUserGetCursorFrameInfo', # 0x18e
        'NtUserGetCursorInfo', # 0x18f
        'NtUserGetDC', # 0x190
        'NtUserGetDCEx', # 0x191
        'NtUserGetDoubleClickTime', # 0x192
        'NtUserGetForegroundWindow', # 0x193
        'NtUserGetGuiResources', # 0x194
        'NtUserGetGUIThreadInfo', # 0x195
        'NtUserGetIconInfo', # 0x196
        'NtUserGetIconSize', # 0x197
        'NtUserGetImeHotKey', # 0x198
        'NtUserGetImeInfoEx', # 0x199
        'NtUserGetInternalWindowPos', # 0x19a
        'NtUserGetKeyboardLayoutList', # 0x19b
        'NtUserGetKeyboardLayoutName', # 0x19c
        'NtUserGetKeyboardState', # 0x19d
        'NtUserGetKeyNameText', # 0x19e
        'NtUserGetKeyState', # 0x19f
        'NtUserGetListBoxInfo', # 0x1a0
        'NtUserGetMenuBarInfo', # 0x1a1
        'NtUserGetMenuIndex', # 0x1a2
        'NtUserGetMenuItemRect', # 0x1a3
        'NtUserGetMessage', # 0x1a4
        'NtUserGetMouseMovePointsEx', # 0x1a5
        'NtUserGetObjectInformation', # 0x1a6
        'NtUserGetOpenClipboardWindow', # 0x1a7
        'NtUserGetPriorityClipboardFormat', # 0x1a8
        'NtUserGetProcessWindowStation', # 0x1a9
        'NtUserGetRawInputBuffer', # 0x1aa
        'NtUserGetRawInputData', # 0x1ab
        'NtUserGetRawInputDeviceInfo', # 0x1ac
        'NtUserGetRawInputDeviceList', # 0x1ad
        'NtUserGetRegisteredRawInputDevices', # 0x1ae
        'NtUserGetScrollBarInfo', # 0x1af
        'NtUserGetSystemMenu', # 0x1b0
        'NtUserGetThreadDesktop', # 0x1b1
        'NtUserGetThreadState', # 0x1b2
        'NtUserGetTitleBarInfo', # 0x1b3
        'NtUserGetUpdateRect', # 0x1b4
        'NtUserGetUpdateRgn', # 0x1b5
        'NtUserGetWindowDC', # 0x1b6
        'NtUserGetWindowPlacement', # 0x1b7
        'NtUserGetWOWClass', # 0x1b8
        'NtUserHardErrorControl', # 0x1b9
        'NtUserHideCaret', # 0x1ba
        'NtUserHiliteMenuItem', # 0x1bb
        'NtUserImpersonateDdeClientWindow', # 0x1bc
        'NtUserInitialize', # 0x1bd
        'NtUserInitializeClientPfnArrays', # 0x1be
        'NtUserInitTask', # 0x1bf
        'NtUserInternalGetWindowText', # 0x1c0
        'NtUserInvalidateRect', # 0x1c1
        'NtUserInvalidateRgn', # 0x1c2
        'NtUserIsClipboardFormatAvailable', # 0x1c3
        'NtUserKillTimer', # 0x1c4
        'NtUserLoadKeyboardLayoutEx', # 0x1c5
        'NtUserLockWindowStation', # 0x1c6
        'NtUserLockWindowUpdate', # 0x1c7
        'NtUserLockWorkStation', # 0x1c8
        'NtUserMapVirtualKeyEx', # 0x1c9
        'NtUserMenuItemFromPoint', # 0x1ca
        'NtUserMessageCall', # 0x1cb
        'NtUserMinMaximize', # 0x1cc
        'NtUserMNDragLeave', # 0x1cd
        'NtUserMNDragOver', # 0x1ce
        'NtUserModifyUserStartupInfoFlags', # 0x1cf
        'NtUserMoveWindow', # 0x1d0
        'NtUserNotifyIMEStatus', # 0x1d1
        'NtUserNotifyProcessCreate', # 0x1d2
        'NtUserNotifyWinEvent', # 0x1d3
        'NtUserOpenClipboard', # 0x1d4
        'NtUserOpenDesktop', # 0x1d5
        'NtUserOpenInputDesktop', # 0x1d6
        'NtUserOpenWindowStation', # 0x1d7
        'NtUserPaintDesktop', # 0x1d8
        'NtUserPeekMessage', # 0x1d9
        'NtUserPostMessage', # 0x1da
        'NtUserPostThreadMessage', # 0x1db
        'NtUserPrintWindow', # 0x1dc
        'NtUserProcessConnect', # 0x1dd
        'NtUserQueryInformationThread', # 0x1de
        'NtUserQueryInputContext', # 0x1df
        'NtUserQuerySendMessage', # 0x1e0
        'NtUserQueryWindow', # 0x1e1
        'NtUserRealChildWindowFromPoint', # 0x1e2
        'NtUserRealInternalGetMessage', # 0x1e3
        'NtUserRealWaitMessageEx', # 0x1e4
        'NtUserRedrawWindow', # 0x1e5
        'NtUserRegisterClassExWOW', # 0x1e6
        'NtUserRegisterUserApiHook', # 0x1e7
        'NtUserRegisterHotKey', # 0x1e8
        'NtUserRegisterRawInputDevices', # 0x1e9
        'NtUserRegisterTasklist', # 0x1ea
        'NtUserRegisterWindowMessage', # 0x1eb
        'NtUserRemoveMenu', # 0x1ec
        'NtUserRemoveProp', # 0x1ed
        'NtUserResolveDesktop', # 0x1ee
        'NtUserResolveDesktopForWOW', # 0x1ef
        'NtUserSBGetParms', # 0x1f0
        'NtUserScrollDC', # 0x1f1
        'NtUserScrollWindowEx', # 0x1f2
        'NtUserSelectPalette', # 0x1f3
        'NtUserSendInput', # 0x1f4
        'NtUserSetActiveWindow', # 0x1f5
        'NtUserSetAppImeLevel', # 0x1f6
        'NtUserSetCapture', # 0x1f7
        'NtUserSetClassLong', # 0x1f8
        'NtUserSetClassWord', # 0x1f9
        'NtUserSetClipboardData', # 0x1fa
        'NtUserSetClipboardViewer', # 0x1fb
        'NtUserSetConsoleReserveKeys', # 0x1fc
        'NtUserSetCursor', # 0x1fd
        'NtUserSetCursorContents', # 0x1fe
        'NtUserSetCursorIconData', # 0x1ff
        'NtUserSetFocus', # 0x200
        'NtUserSetImeHotKey', # 0x201
        'NtUserSetImeInfoEx', # 0x202
        'NtUserSetImeOwnerWindow', # 0x203
        'NtUserSetInformationProcess', # 0x204
        'NtUserSetInformationThread', # 0x205
        'NtUserSetInternalWindowPos', # 0x206
        'NtUserSetKeyboardState', # 0x207
        'NtUserSetLogonNotifyWindow', # 0x208
        'NtUserSetMenu', # 0x209
        'NtUserSetMenuContextHelpId', # 0x20a
        'NtUserSetMenuDefaultItem', # 0x20b
        'NtUserSetMenuFlagRtoL', # 0x20c
        'NtUserSetObjectInformation', # 0x20d
        'NtUserSetParent', # 0x20e
        'NtUserSetProcessWindowStation', # 0x20f
        'NtUserSetProp', # 0x210
        'NtUserSetScrollInfo', # 0x211
        'NtUserSetShellWindowEx', # 0x212
        'NtUserSetSysColors', # 0x213
        'NtUserSetSystemCursor', # 0x214
        'NtUserSetSystemMenu', # 0x215
        'NtUserSetSystemTimer', # 0x216
        'NtUserSetThreadDesktop', # 0x217
        'NtUserSetThreadLayoutHandles', # 0x218
        'NtUserSetThreadState', # 0x219
        'NtUserSetTimer', # 0x21a
        'NtUserSetWindowFNID', # 0x21b
        'NtUserSetWindowLong', # 0x21c
        'NtUserSetWindowPlacement', # 0x21d
        'NtUserSetWindowPos', # 0x21e
        'NtUserSetWindowRgn', # 0x21f
        'NtUserSetWindowsHookAW', # 0x220
        'NtUserSetWindowsHookEx', # 0x221
        'NtUserSetWindowStationUser', # 0x222
        'NtUserSetWindowWord', # 0x223
        'NtUserSetWinEventHook', # 0x224
        'NtUserShowCaret', # 0x225
        'NtUserShowScrollBar', # 0x226
        'NtUserShowWindow', # 0x227
        'NtUserShowWindowAsync', # 0x228
        'NtUserSoundSentry', # 0x229
        'NtUserSwitchDesktop', # 0x22a
        'NtUserSystemParametersInfo', # 0x22b
        'NtUserTestForInteractiveUser', # 0x22c
        'NtUserThunkedMenuInfo', # 0x22d
        'NtUserThunkedMenuItemInfo', # 0x22e
        'NtUserToUnicodeEx', # 0x22f
        'NtUserTrackMouseEvent', # 0x230
        'NtUserTrackPopupMenuEx', # 0x231
        'NtUserCalcMenuBar', # 0x232
        'NtUserPaintMenuBar', # 0x233
        'NtUserTranslateAccelerator', # 0x234
        'NtUserTranslateMessage', # 0x235
        'NtUserUnhookWindowsHookEx', # 0x236
        'NtUserUnhookWinEvent', # 0x237
        'NtUserUnloadKeyboardLayout', # 0x238
        'NtUserUnlockWindowStation', # 0x239
        'NtUserUnregisterClass', # 0x23a
        'NtUserUnregisterUserApiHook', # 0x23b
        'NtUserUnregisterHotKey', # 0x23c
        'NtUserUpdateInputContext', # 0x23d
        'NtUserUpdateInstance', # 0x23e
        'NtUserUpdateLayeredWindow', # 0x23f
        'NtUserGetLayeredWindowAttributes', # 0x240
        'NtUserSetLayeredWindowAttributes', # 0x241
        'NtUserUpdatePerUserSystemParameters', # 0x242
        'NtUserUserHandleGrantAccess', # 0x243
        'NtUserValidateHandleSecure', # 0x244
        'NtUserValidateRect', # 0x245
        'NtUserValidateTimerCallback', # 0x246
        'NtUserVkKeyScanEx', # 0x247
        'NtUserWaitForInputIdle', # 0x248
        'NtUserWaitForMsgAndEvent', # 0x249
        'NtUserWaitMessage', # 0x24a
        'NtUserWin32PoolAllocationStats', # 0x24b
        'NtUserWindowFromPoint', # 0x24c
        'NtUserYieldTask', # 0x24d
        'NtUserRemoteConnect', # 0x24e
        'NtUserRemoteRedrawRectangle', # 0x24f
        'NtUserRemoteRedrawScreen', # 0x250
        'NtUserRemoteStopScreenUpdates', # 0x251
        'NtUserCtxDisplayIOCtl', # 0x252
        'NtGdiEngAssociateSurface', # 0x253
        'NtGdiEngCreateBitmap', # 0x254
        'NtGdiEngCreateDeviceSurface', # 0x255
        'NtGdiEngCreateDeviceBitmap', # 0x256
        'NtGdiEngCreatePalette', # 0x257
        'NtGdiEngComputeGlyphSet', # 0x258
        'NtGdiEngCopyBits', # 0x259
        'NtGdiEngDeletePalette', # 0x25a
        'NtGdiEngDeleteSurface', # 0x25b
        'NtGdiEngEraseSurface', # 0x25c
        'NtGdiEngUnlockSurface', # 0x25d
        'NtGdiEngLockSurface', # 0x25e
        'NtGdiEngBitBlt', # 0x25f
        'NtGdiEngStretchBlt', # 0x260
        'NtGdiEngPlgBlt', # 0x261
        'NtGdiEngMarkBandingSurface', # 0x262
        'NtGdiEngStrokePath', # 0x263
        'NtGdiEngFillPath', # 0x264
        'NtGdiEngStrokeAndFillPath', # 0x265
        'NtGdiEngPaint', # 0x266
        'NtGdiEngLineTo', # 0x267
        'NtGdiEngAlphaBlend', # 0x268
        'NtGdiEngGradientFill', # 0x269
        'NtGdiEngTransparentBlt', # 0x26a
        'NtGdiEngTextOut', # 0x26b
        'NtGdiEngStretchBltROP', # 0x26c
        'NtGdiXLATEOBJ_cGetPalette', # 0x26d
        'NtGdiXLATEOBJ_iXlate', # 0x26e
        'NtGdiXLATEOBJ_hGetColorTransform', # 0x26f
        'NtGdiCLIPOBJ_bEnum', # 0x270
        'NtGdiCLIPOBJ_cEnumStart', # 0x271
        'NtGdiCLIPOBJ_ppoGetPath', # 0x272
        'NtGdiEngDeletePath', # 0x273
        'NtGdiEngCreateClip', # 0x274
        'NtGdiEngDeleteClip', # 0x275
        'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x276
        'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x277
        'NtGdiBRUSHOBJ_pvGetRbrush', # 0x278
        'NtGdiBRUSHOBJ_hGetColorTransform', # 0x279
        'NtGdiXFORMOBJ_bApplyXform', # 0x27a
        'NtGdiXFORMOBJ_iGetXform', # 0x27b
        'NtGdiFONTOBJ_vGetInfo', # 0x27c
        'NtGdiFONTOBJ_pxoGetXform', # 0x27d
        'NtGdiFONTOBJ_cGetGlyphs', # 0x27e
        'NtGdiFONTOBJ_pifi', # 0x27f
        'NtGdiFONTOBJ_pfdg', # 0x280
        'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x281
        'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x282
        'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x283
        'NtGdiSTROBJ_bEnum', # 0x284
        'NtGdiSTROBJ_bEnumPositionsOnly', # 0x285
        'NtGdiSTROBJ_bGetAdvanceWidths', # 0x286
        'NtGdiSTROBJ_vEnumStart', # 0x287
        'NtGdiSTROBJ_dwGetCodePage', # 0x288
        'NtGdiPATHOBJ_vGetBounds', # 0x289
        'NtGdiPATHOBJ_bEnum', # 0x28a
        'NtGdiPATHOBJ_vEnumStart', # 0x28b
        'NtGdiPATHOBJ_vEnumStartClipLines', # 0x28c
        'NtGdiPATHOBJ_bEnumClipLines', # 0x28d
        'NtGdiGetDhpdev', # 0x28e
        'NtGdiEngCheckAbort', # 0x28f
        'NtGdiHT_Get8BPPFormatPalette', # 0x290
        'NtGdiHT_Get8BPPMaskPalette', # 0x291
        'NtGdiUpdateTransform', # 0x292
        'NtGdiSetPUMPDOBJ', # 0x293
        'NtGdiBRUSHOBJ_DeleteRbrush', # 0x294
        'NtGdiUMPDEngFreeUserMem', # 0x295
        'NtGdiDrawStream', # 0x296
    ],
]

volatility-2.3.1/volatility/plugins/overlays/windows/hibernate_vtypes.py

# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj

hibernate_vtypes = {
    '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x10, {
        'NextTable' : [ 0x4, ['unsigned long']],
        'EntryCount' : [ 0xc, ['unsigned long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x10, {
        'StartPage' : [ 0x4, ['unsigned long']],
        'EndPage' : [ 0x8, ['unsigned long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY' : [ 0x20, {
        'MemArrayLink' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']],
        'RangeTable': [ 0x10, ['array', lambda x: x.MemArrayLink.EntryCount, ['_PO_MEMORY_RANGE_ARRAY_RANGE']]],
    } ],
    '_IMAGE_XPRESS_HEADER' : [ 0x20, {
        'u09' : [ 0x9, ['unsigned char']],
        'u0A' : [ 0xA, ['unsigned char']],
        'u0B' : [ 0xB, ['unsigned char']],
    } ]
}

hibernate_vistasp01_vtypes = {
    '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x10, {
        'NextTable' : [ 0x4, ['unsigned long']],
        'EntryCount' : [ 0xc, ['unsigned long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY' : [ 0x20, {
        'MemArrayLink' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']],
        'RangeTable': [ 0x10, ['array', lambda x: x.MemArrayLink.EntryCount, ['_PO_MEMORY_RANGE_ARRAY_RANGE']]],
    } ],
}

class HiberVistaSP01x86(obj.ProfileModification):
    before = ['WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0,
                  'build': lambda x: x <= 6001,
                  'memory_model': lambda x: x == '32bit'}

    def modification(self, profile):
        profile.vtypes.update(hibernate_vistasp01_vtypes)

hibernate_vistasp2_vtypes = {
    '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x10, {
        'NextTable' : [ 0x4, ['unsigned long']],
        'EntryCount' : [ 0x8, ['unsigned long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x8, {
        'StartPage' : [ 0x0, ['unsigned long']],
        'EndPage' : [ 0x4, ['unsigned long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY' : [ 0x20, {
        'MemArrayLink' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']],
        'RangeTable': [ 0xc, ['array', lambda x: x.MemArrayLink.EntryCount, ['_PO_MEMORY_RANGE_ARRAY_RANGE']]],
    } ],
}

class HiberVistaSP2x86(obj.ProfileModification):
    before = ['WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0,
                  'build': lambda x: x == 6002,
                  'memory_model': lambda x: x == '32bit'}

    def modification(self, profile):
        profile.vtypes.update(hibernate_vistasp2_vtypes)

hibernate_win7_vtypes = {
    '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x10, {
        'NextTable' : [ 0x0, ['unsigned long']],
        'EntryCount' : [ 0x4, ['unsigned long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x8, {
        'StartPage' : [ 0x0, ['unsigned long']],
        'EndPage' : [ 0x4, ['unsigned long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY' : [ 0x20, {
        'MemArrayLink' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']],
        'RangeTable': [ 0x8, ['array', lambda x: x.MemArrayLink.EntryCount, ['_PO_MEMORY_RANGE_ARRAY_RANGE']]],
    } ],
}

class HiberWin7SP01x86(obj.ProfileModification):
    before = ['WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1,
                  'build': lambda x: x <= 7601,
                  'memory_model': lambda x: x == '32bit'}

    def modification(self, profile):
        profile.vtypes.update(hibernate_win7_vtypes)

hibernate_win7_x64_vtypes = {
    '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x10, {
        'NextTable' : [ 0x0, ['unsigned long long']],
        'EntryCount' : [ 0x8, ['unsigned long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x10, {
        'StartPage' : [ 0x0, ['unsigned long long']],
        'EndPage' : [ 0x8, ['unsigned long long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY' : [ 0x20, {
        'MemArrayLink' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']],
        'RangeTable': [ 0x10, ['array', lambda x: x.MemArrayLink.EntryCount, ['_PO_MEMORY_RANGE_ARRAY_RANGE']]],
    } ],
}

class HiberWin7SP01x64(obj.ProfileModification):
    before = ['WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1,
                  'build': lambda x: x <= 7601,
                  'memory_model': lambda x: x == '64bit'}

    def modification(self, profile):
        profile.vtypes.update(hibernate_win7_x64_vtypes)

hibernate_x64_vtypes = {
    '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x20, {
        'NextTable' : [ 0x8, ['unsigned long long']],
        'EntryCount' : [ 0x14, ['unsigned long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x20, {
        'StartPage' : [ 0x8, ['unsigned long long']],
        'EndPage' : [ 0x10, ['unsigned long long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY' : [ 0x40, {
        'MemArrayLink' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']],
        'RangeTable': [ 0x20, ['array', lambda x: x.MemArrayLink.EntryCount, ['_PO_MEMORY_RANGE_ARRAY_RANGE']]],
    } ],
}

class HiberWin2003x64(obj.ProfileModification):
    before = ['WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 2,
                  'build': lambda x: x <= 3791,
                  'memory_model': lambda x: x == '64bit'}

    def modification(self, profile):
        profile.vtypes.update(hibernate_x64_vtypes)

class HiberVistaSP01x64(obj.ProfileModification):
    before = ['WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0,
                  'build': lambda x: x <= 6001,
                  'memory_model': lambda x: x == '64bit'}

    def modification(self, profile):
        profile.vtypes.update(hibernate_x64_vtypes)

hibernate_vistaSP2_x64_vtypes = {
    '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x18, {
        'NextTable' : [ 0x8, ['unsigned long long']],
        'EntryCount' : [ 0x10, ['unsigned long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x10, {
        'StartPage' : [ 0x0, ['unsigned long long']],
        'EndPage' : [ 0x8, ['unsigned long long']],
    } ],
    '_PO_MEMORY_RANGE_ARRAY' : [ 0x28, {
        'MemArrayLink' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']],
        'RangeTable': [ 0x18, ['array', lambda x: x.MemArrayLink.EntryCount, ['_PO_MEMORY_RANGE_ARRAY_RANGE']]],
    } ],
}

class HiberVistaSP2x64(obj.ProfileModification):
    before = ['WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 0,
                  'build': lambda x: x == 6002,
                  'memory_model': lambda x: x == '64bit'}

    def modification(self, profile):
        profile.vtypes.update(hibernate_vistaSP2_x64_vtypes)

volatility-2.3.1/volatility/plugins/overlays/windows/tcpip_vtypes.py

# Volatility
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.obj as obj

# Structures used by connections, connscan, sockets, sockscan.
# Used by x86 XP (all service packs) and x86 2003 SP0.
tcpip_vtypes = {
    '_ADDRESS_OBJECT' : [ 0x68, {
        'Next' : [ 0x0, ['pointer', ['_ADDRESS_OBJECT']]],
        'LocalIpAddress' : [ 0x2c, ['IpAddress']],
        'LocalPort' : [ 0x30, ['unsigned be short']],
        'Protocol' : [ 0x32, ['unsigned short']],
        'Pid' : [ 0x148, ['unsigned long']],
        'CreateTime' : [ 0x158, ['WinTimeStamp', dict(is_utc = True)]],
    }],
    '_TCPT_OBJECT' : [ 0x20, {
        'Next' : [ 0x0, ['pointer', ['_TCPT_OBJECT']]],
        'RemoteIpAddress' : [ 0xc, ['IpAddress']],
        'LocalIpAddress' : [ 0x10, ['IpAddress']],
        'RemotePort' : [ 0x14, ['unsigned be short']],
        'LocalPort' : [ 0x16, ['unsigned be short']],
        'Pid' : [ 0x18, ['unsigned long']],
    }],
}

# Structures used by connections, connscan, sockets, sockscan.
# Used by x64 XP and x64 2003 (all service packs).
tcpip_vtypes_2003_x64 = {
    '_ADDRESS_OBJECT' : [ None, {
        'Next' : [ 0x0, ['pointer', ['_ADDRESS_OBJECT']]],
        'LocalIpAddress' : [ 0x58, ['IpAddress']],
        'LocalPort' : [ 0x5c, ['unsigned be short']],
        'Protocol' : [ 0x5e, ['unsigned short']],
        'Pid' : [ 0x238, ['unsigned long']],
        'CreateTime' : [ 0x248, ['WinTimeStamp', dict(is_utc = True)]],
    }],
    '_TCPT_OBJECT' : [ None, {
        'Next' : [ 0x0, ['pointer', ['_TCPT_OBJECT']]],
        'RemoteIpAddress' : [ 0x14, ['IpAddress']],
        'LocalIpAddress' : [ 0x18, ['IpAddress']],
        'RemotePort' : [ 0x1c, ['unsigned be short']],
        'LocalPort' : [ 0x1e, ['unsigned be short']],
        'Pid' : [ 0x20, ['unsigned long']],
    }],
}

# Structures used by sockets and sockscan.
# Used by x86 2003 SP1 and SP2 only.
tcpip_vtypes_2003_sp1_sp2 = {
    '_ADDRESS_OBJECT' : [ 0x68, {
        'Next' : [ 0x0, ['pointer', ['_ADDRESS_OBJECT']]],
        'LocalIpAddress' : [ 0x30, ['IpAddress']],
        'LocalPort' : [ 0x34, ['unsigned be short']],
        'Protocol' : [ 0x36, ['unsigned short']],
        'Pid' : [ 0x14C, ['unsigned long']],
        'CreateTime' : [ 0x158, ['WinTimeStamp', dict(is_utc = True)]],
    }],
}

TCP_STATE_ENUM = {
    0: 'CLOSED', 1: 'LISTENING', 2: 'SYN_SENT',
    3: 'SYN_RCVD', 4: 'ESTABLISHED', 5: 'FIN_WAIT1',
    6: 'FIN_WAIT2', 7: 'CLOSE_WAIT', 8: 'CLOSING',
    9: 'LAST_ACK', 12: 'TIME_WAIT', 13: 'DELETE_TCB'
}

# Structures used by netscan for x86 Vista and 2008 (all service packs).
tcpip_vtypes_vista = {
    '_IN_ADDR' : [ None, {
        'addr4' : [ 0x0, ['IpAddress']],
        'addr6' : [ 0x0, ['Ipv6Address']],
    }],
    '_LOCAL_ADDRESS' : [ None, {
        'pData' : [ 0xC, ['pointer', ['pointer', ['_IN_ADDR']]]],
    }],
    '_TCP_LISTENER': [ None, { # TcpL
        'Owner' : [ 0x18, ['pointer', ['_EPROCESS']]],
        'CreateTime' : [ 0x20, ['WinTimeStamp', dict(is_utc = True)]],
        'LocalAddr' : [ 0x34, ['pointer', ['_LOCAL_ADDRESS']]],
        'InetAF' : [ 0x38, ['pointer', ['_INETAF']]],
        'Port' : [ 0x3E, ['unsigned be short']],
    }],
    '_TCP_ENDPOINT': [ None, { # TcpE
        'InetAF' : [ 0xC, ['pointer', ['_INETAF']]],
        'AddrInfo' : [ 0x10, ['pointer', ['_ADDRINFO']]],
        'ListEntry': [ 0x14, ['_LIST_ENTRY']],
        'State' : [ 0x28, ['Enumeration', dict(target = 'long', choices = TCP_STATE_ENUM)]],
        'LocalPort' : [ 0x2C, ['unsigned be short']],
        'RemotePort' : [ 0x2E, ['unsigned be short']],
        'Owner' : [ 0x160, ['pointer', ['_EPROCESS']]],
        'CreateTime' : [ 0, ['WinTimeStamp', dict(value = 0, is_utc = True)]],
    }],
    '_TCP_SYN_ENDPOINT': [ None, {
        'ListEntry': [ 8, ['_LIST_ENTRY']],
        'InetAF' : [ 0x18, ['pointer', ['_INETAF']]],
        'LocalPort' : [ 0x3c, ['unsigned be short']],
        'RemotePort' : [ 0x3e, ['unsigned be short']],
        'LocalAddr' : [ 0x1c, ['pointer', ['_LOCAL_ADDRESS']]],
        'RemoteAddress' : [ 0x28, ['pointer', ['_IN_ADDR']]],
        'Owner' : [ 0x20, ['pointer', ['_SYN_OWNER']]],
        'CreateTime' : [ 0, ['WinTimeStamp', dict(value = 0, is_utc = True)]],
    }],
    '_SYN_OWNER': [ None, {
        'Process': [ 0x18, ['pointer', ['_EPROCESS']]],
    }],
    '_TCP_TIMEWAIT_ENDPOINT': [ None, {
        'ListEntry': [ 0x14, ['_LIST_ENTRY']],
        'InetAF' : [ 0xc, ['pointer', ['_INETAF']]],
        'LocalPort' : [ 0x1c, ['unsigned be short']],
        'RemotePort' : [ 0x1e, ['unsigned be short']],
        'LocalAddr' : [ 0x20, ['pointer', ['_LOCAL_ADDRESS']]],
        'RemoteAddress' : [ 0x24, ['pointer', ['_IN_ADDR']]],
        'CreateTime' : [ 0, ['WinTimeStamp', dict(value = 0, is_utc = True)]],
    }],
    '_INETAF' : [ None, {
        'AddressFamily' : [ 0xC, ['unsigned short']],
    }],
    '_ADDRINFO' : [ None, {
        'Local' : [ 0x0, ['pointer', ['_LOCAL_ADDRESS']]],
        'Remote' : [ 0x8, ['pointer', ['_IN_ADDR']]],
    }],
    '_UDP_ENDPOINT': [ None, { # UdpA
        'Owner' : [ 0x18, ['pointer', ['_EPROCESS']]],
        'CreateTime' : [ 0x30, ['WinTimeStamp', dict(is_utc = True)]],
        'LocalAddr' : [ 0x38, ['pointer', ['_LOCAL_ADDRESS']]],
        'InetAF' : [ 0x14, ['pointer', ['_INETAF']]],
        'Port' : [ 0x48, ['unsigned be short']],
    }],
}

# Structures for netscan on x86 Windows 7 (all service packs).
tcpip_vtypes_7 = {
    '_TCP_ENDPOINT': [ None, { # TcpE
        'InetAF' : [ 0xC, ['pointer', ['_INETAF']]],
        'AddrInfo' : [ 0x10, ['pointer', ['_ADDRINFO']]],
        'ListEntry': [ 0x14, ['_LIST_ENTRY']],
        'State' : [ 0x34, ['Enumeration', dict(target = 'long', choices = TCP_STATE_ENUM)]],
        'LocalPort' : [ 0x38, ['unsigned be short']],
        'RemotePort' : [ 0x3A, ['unsigned be short']],
        'Owner' : [ 0x174, ['pointer', ['_EPROCESS']]],
        'CreateTime' : [ 0, ['WinTimeStamp', dict(value = 0, is_utc = True)]],
    }],
    '_TCP_SYN_ENDPOINT': [ None, {
        'ListEntry': [ 8, ['_LIST_ENTRY']],
        'InetAF' : [ 0x24, ['pointer', ['_INETAF']]],
        'LocalPort' : [ 0x48, ['unsigned be short']],
        'RemotePort' : [ 0x4a, ['unsigned be short']],
        'LocalAddr' : [ 0x28, ['pointer', ['_LOCAL_ADDRESS']]],
        'RemoteAddress' : [ 0x34, ['pointer', ['_IN_ADDR']]],
        'Owner' : [ 0x2c, ['pointer', ['_SYN_OWNER']]],
        'CreateTime' : [ 0, ['WinTimeStamp', dict(value = 0, is_utc = True)]],
    }],
    '_TCP_TIMEWAIT_ENDPOINT': [ None, {
        'ListEntry': [ 0, ['_LIST_ENTRY']],
        'InetAF' : [ 0x18, ['pointer', ['_INETAF']]],
        'LocalPort' : [ 0x28, ['unsigned be short']],
        'RemotePort' : [ 0x2a, ['unsigned be short']],
        'LocalAddr' : [ 0x2c, ['pointer', ['_LOCAL_ADDRESS']]],
        'RemoteAddress' : [ 0x30, ['pointer', ['_IN_ADDR']]],
        'CreateTime' : [ 0, ['WinTimeStamp', dict(value = 0, is_utc = True)]],
    }],
}

# Structures for netscan on x64 Vista SP0 and 2008 SP0
tcpip_vtypes_vista_64 = {
    '_IN_ADDR' : [ None, {
        'addr4' : [ 0x0, ['IpAddress']],
        'addr6' : [ 0x0, ['Ipv6Address']],
    }],
    '_TCP_LISTENER': [ None, { # TcpL
        'Owner' : [ 0x28, ['pointer', ['_EPROCESS']]],
        'CreateTime' : [ 0x20, ['WinTimeStamp', dict(is_utc = True)]],
        'LocalAddr' : [ 0x58, ['pointer', ['_LOCAL_ADDRESS']]],
        'InetAF' : [ 0x60, ['pointer', ['_INETAF']]],
        'Port' : [ 0x6a, ['unsigned be short']],
    }],
    '_INETAF' : [ None, {
        'AddressFamily' : [ 0x14, ['unsigned short']],
    }],
    '_LOCAL_ADDRESS' : [ None, {
        'pData' : [ 0x10, ['pointer', ['pointer', ['_IN_ADDR']]]],
    }],
    '_ADDRINFO' : [ None, {
        'Local' : [ 0x0, ['pointer', ['_LOCAL_ADDRESS']]],
        'Remote' : [ 0x10, ['pointer', ['_IN_ADDR']]],
    }],
    '_TCP_ENDPOINT': [ None, { # TcpE
        'InetAF' : [ 0x18, ['pointer', ['_INETAF']]],
        'AddrInfo' : [ 0x20, ['pointer', ['_ADDRINFO']]],
        'ListEntry': [ 0x28, ['_LIST_ENTRY']],
        'State' : [ 0x50, ['Enumeration', dict(target = 'long', choices = TCP_STATE_ENUM)]],
        'LocalPort' : [ 0x54, ['unsigned be short']],
        'RemotePort' : [ 0x56, ['unsigned be short']],
        'Owner' : [ 0x208, ['pointer', ['_EPROCESS']]],
        'CreateTime' : [ 0, ['WinTimeStamp', dict(value = 0, is_utc = True)]],
    }],
    '_TCP_SYN_ENDPOINT': [ None, {
        'ListEntry': [ 0x10, ['_LIST_ENTRY']],
        'InetAF' : [ 0x30, ['pointer', ['_INETAF']]],
        'LocalPort' : [ 0x64, ['unsigned be short']],
        'RemotePort' : [ 0x66, ['unsigned be short']],
        'LocalAddr' : [ 0x38, ['pointer', ['_LOCAL_ADDRESS']]],
        'RemoteAddress' : [ 0x50, ['pointer', ['_IN_ADDR']]],
        'Owner' : [ 0x40, ['pointer', ['_SYN_OWNER']]],
        'CreateTime' : [ 0, ['WinTimeStamp', dict(value = 0, is_utc = True)]],
    }],
    '_SYN_OWNER': [ None, {
        'Process': [ 0x28, ['pointer', ['_EPROCESS']]],
    }],
    '_TCP_TIMEWAIT_ENDPOINT': [ None, {
        'ListEntry': [ 0, ['_LIST_ENTRY']],
        'InetAF' : [ 0x18, ['pointer', ['_INETAF']]],
        'LocalPort' : [ 0x30, ['unsigned be short']],
        'RemotePort' : [ 0x32, ['unsigned be short']],
        'LocalAddr' : [ 0x38, ['pointer', ['_LOCAL_ADDRESS']]],
        'RemoteAddress' : [ 0x40, ['pointer', ['_IN_ADDR']]],
        'CreateTime' : [ 0, ['WinTimeStamp', dict(value = 0, is_utc = True)]],
    }],
    '_UDP_ENDPOINT': [ None, { # UdpA
        'Owner' : [ 0x28, ['pointer', ['_EPROCESS']]],
        'CreateTime' : [ 0x58, ['WinTimeStamp', dict(is_utc = True)]],
        'LocalAddr' : [ 0x60, ['pointer', ['_LOCAL_ADDRESS']]],
        'InetAF' : [ 0x20, ['pointer', ['_INETAF']]],
        'Port' : [ 0x80, ['unsigned be short']],
    }],
}

class WinXP2003Tcpipx64(obj.ProfileModification):
    before = ['WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x : x == 5,
                  'minor': lambda x : x == 2}

    def modification(self, profile):
        profile.vtypes.update(tcpip_vtypes_2003_x64)

class Win2003SP12Tcpip(obj.ProfileModification):
    before = ['WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x : x == 5,
                  'minor': lambda x : x == 2,
                  'build': lambda x : x != 3789}

    def modification(self, profile):
        profile.vtypes.update(tcpip_vtypes_2003_sp1_sp2)

class Vista2008Tcpip(obj.ProfileModification):
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x >= 0}

    def modification(self, profile):
        profile.vtypes.update(tcpip_vtypes_vista)

class Win7Tcpip(obj.ProfileModification):
    before = ['Vista2008Tcpip']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x == 1}

    def modification(self, profile):
        profile.vtypes.update(tcpip_vtypes_7)

class Win7Vista2008x64Tcpip(obj.ProfileModification):
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x >= 0}

    def modification(self, profile):
        profile.vtypes.update(tcpip_vtypes_vista_64)

class VistaSP12x64Tcpip(obj.ProfileModification):
    before = ['Win7Vista2008x64Tcpip']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x == 0,
                  'build': lambda x : x >= 6001}

    def modification(self, profile):
        profile.merge_overlay({
            '_TCP_ENDPOINT': [ None, {
                'Owner' : [ 0x210, ['pointer', ['_EPROCESS']]],
            }],
        })

class Win7x64Tcpip(obj.ProfileModification):
    before = ['Win7Vista2008x64Tcpip']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x == 1}

    def modification(self, profile):
        profile.merge_overlay({
            '_TCP_ENDPOINT': [ None, {
                'State' : [ 0x68, ['Enumeration', dict(target = 'long', choices = TCP_STATE_ENUM)]],
                'LocalPort' : [ 0x6c, ['unsigned be short']],
                'RemotePort' : [ 0x6e, ['unsigned be short']],
                'Owner' : [ 0x238, ['pointer', ['_EPROCESS']]],
            }],
            '_TCP_SYN_ENDPOINT': [ None, {
                'InetAF' : [ 0x48, ['pointer', ['_INETAF']]],
                'LocalPort' : [ 0x7c, ['unsigned be short']],
                'RemotePort' : [ 0x7e, ['unsigned be short']],
                'LocalAddr' : [ 0x50, ['pointer', ['_LOCAL_ADDRESS']]],
                'RemoteAddress' : [ 0x68, ['pointer', ['_IN_ADDR']]],
                'Owner' : [ 0x58, ['pointer', ['_SYN_OWNER']]],
            }],
            '_TCP_TIMEWAIT_ENDPOINT': [ None, {
                'InetAF' : [ 0x30, ['pointer', ['_INETAF']]],
                'LocalPort' : [ 0x48, ['unsigned be short']],
                'RemotePort' : [ 0x4a, ['unsigned be short']],
                'LocalAddr' : [ 0x50, ['pointer', ['_LOCAL_ADDRESS']]],
                'RemoteAddress' : [ 0x58, ['pointer', ['_IN_ADDR']]],
            }],
        })

volatility-2.3.1/volatility/plugins/overlays/windows/vista_sp1_x64_vtypes.py

ntkrnlmp_types = {
  '_PNP_DEVICE_EVENT_ENTRY' : [ 0x90, {
    'ListEntry' : [ 0x0, ['_LIST_ENTRY']],
    'Argument' : [ 0x10, ['unsigned long']],
    'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]],
    'Callback' : [ 0x20, ['pointer64', ['void']]],
    'Context' : [ 0x28, ['pointer64', ['void']]],
    'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9:
        'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]],
    'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]],
    'Data' : [ 0x40, ['_PLUGPLAY_EVENT_BLOCK']],
} ],
  '_CONFIGURATION_COMPONENT' : [ 0x28, {
    'Class' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 'MemoryClass', 7: 'MaximumClass'})]],
    'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 14: 'TapeController', 15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 'AudioController', 24: 'OtherController', 25: 'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29: 'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]],
    'Flags' : [ 0x8, ['_DEVICE_FLAGS']],
    'Version' : [ 0xc, ['unsigned short']],
    'Revision' : [ 0xe, ['unsigned short']],
    'Key' : [ 0x10, ['unsigned long']],
    'AffinityMask' : [ 0x14, ['unsigned long']],
    'ConfigurationDataLength' : [ 0x18, ['unsigned long']],
    'IdentifierLength' : [ 0x1c, ['unsigned long']],
    'Identifier' : [ 0x20, ['pointer64', ['unsigned char']]],
} ],
  '_KTRANSACTION' : [ 0x2d8, {
    'OutcomeEvent' : [ 0x0, ['_KEVENT']],
    'cookie' : [ 0x18, ['unsigned long']],
    'Mutex' : [ 0x20, ['_KMUTANT']],
    'TreeTx' : [ 0x58, ['pointer64', ['_KTRANSACTION']]],
    'GlobalNamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']],
    'TmNamespaceLink' : [ 0x88, ['_KTMOBJECT_NAMESPACE_LINK']],
    'UOW' : [ 0xb0, ['_GUID']],
    'State' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]],
    'Flags' : [ 0xc4, ['unsigned long']],
    'EnlistmentHead' : [ 0xc8, ['_LIST_ENTRY']],
    'EnlistmentCount' : [ 0xd8, ['unsigned long']],
    'RecoverableEnlistmentCount' : [ 0xdc, ['unsigned long']],
    'PrePrepareRequiredEnlistmentCount' : [ 0xe0, ['unsigned long']],
    'PrepareRequiredEnlistmentCount' : [ 0xe4, ['unsigned long']],
    'OutcomeRequiredEnlistmentCount' : [ 0xe8, ['unsigned long']],
    'PendingResponses' : [ 0xec, ['unsigned long']],
    'SuperiorEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]],
    'LastLsn' : [ 0xf8, ['_CLS_LSN']],
    'PromotedEntry' : [ 0x100, ['_LIST_ENTRY']],
    'PromoterTransaction' : [ 0x110, ['pointer64', ['_KTRANSACTION']]],
    'PromotePropagation' : [ 0x118, ['pointer64', ['void']]],
    'IsolationLevel' : [ 0x120, ['unsigned long']],
    'IsolationFlags' : [ 0x124, ['unsigned long']],
    'Timeout' : [ 0x128, ['_LARGE_INTEGER']],
    'Description' : [ 0x130, ['_UNICODE_STRING']],
    'RollbackThread' : [ 0x140, ['pointer64', ['_KTHREAD']]],
    'RollbackWorkItem' : [ 0x148, ['_WORK_QUEUE_ITEM']],
    'RollbackDpc' : [ 0x168, ['_KDPC']],
    'RollbackTimer' : [ 0x1a8, ['_KTIMER']],
    'LsnOrderedEntry' : [ 0x1e8, ['_LIST_ENTRY']],
    'Outcome' : [ 0x1f8, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]],
    'Tm' : [ 0x200, ['pointer64', ['_KTM']]],
    'CommitReservation' : [ 0x208, ['long long']],
    'TransactionHistory' : [ 0x210, ['array', 10, ['_KTRANSACTION_HISTORY']]],
    'TransactionHistoryCount' : [ 0x260, ['unsigned long']],
    'DTCPrivateInformation' : [ 0x268, ['pointer64', ['void']]],
    'DTCPrivateInformationLength' : [ 0x270, ['unsigned long']],
    'DTCPrivateInformationMutex' : [ 0x278, ['_KMUTANT']],
    'PromotedTxSelfHandle' : [ 0x2b0, ['pointer64', ['void']]],
    'PendingPromotionCount' : [ 0x2b8, ['unsigned long']],
    'PromotionCompletedEvent' : [ 0x2c0, ['_KEVENT']],
} ],
  '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, {
    'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]],
    'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]],
    'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]],
    'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]],
    'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]],
} ],
  '_CM_KCB_UOW' : [ 0x60, {
    'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']],
    'KCBLock' : [ 0x10, ['pointer64', ['_CM_INTENT_LOCK']]],
    'KeyLock' : [ 0x18, ['pointer64', ['_CM_INTENT_LOCK']]],
    'KCBListEntry' : [ 0x20, ['_LIST_ENTRY']],
    'KeyControlBlock' : [ 0x30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]],
    'Transaction' : [ 0x38, ['pointer64', ['_CM_TRANS']]],
    'UoWState' : [ 0x40, ['unsigned long']],
    'ActionType' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]],
    'StorageType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]],
    'ChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]],
    'VolatileKeyCell' : [ 0x50, ['unsigned long']],
    'OldValueCell' : [ 0x50, ['unsigned long']],
    'NewValueCell' : [ 0x54, ['unsigned long']],
    'UserFlags' : [ 0x50, ['unsigned long']],
    'LastWriteTime' : [ 0x50, ['_LARGE_INTEGER']],
    'TxSecurityCell' : [ 0x50, ['unsigned long']],
    'OldChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]],
    'NewChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]],
    'OtherChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]],
    'ThisVolatileKeyCell' : [ 0x58, ['unsigned long']],
} ],
  '_MMPTE_TRANSITION' : [ 0x8, {
    'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]],
    'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]],
    'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]],
    'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]],
    'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]],
    'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]],
    'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]],
    'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]],
    'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]],
    'Unused' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]],
} ],
  '_KREQUEST_PACKET' : [ 0x20, {
    'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]],
    'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]],
} ],
  '_flags' : [ 0x1, {
    'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]],
    'Fill' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]],
} ],
  '__unnamed_202d' : [ 0x8, {
    'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]],
    'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]],
    'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]],
} ],
  '__unnamed_202f' : [ 0x8, {
    's1' : [ 0x0, ['__unnamed_202d']],
    'Value' : [ 0x0, ['unsigned long long']],
} ],
  '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, {
    'u1' : [ 0x0, ['__unnamed_202f']],
} ],
  '_CM_KEY_SECURITY_CACHE' : [ 0x38, {
    'Cell' : [ 0x0, ['unsigned long']],
    'ConvKey' : [ 0x4, ['unsigned long']],
    'List' : [ 0x8, ['_LIST_ENTRY']],
    'DescriptorLength' : [ 0x18, ['unsigned long']],
    'RealRefCount' : [ 0x1c, ['unsigned long']],
    'Descriptor' : [ 0x20, ['_SECURITY_DESCRIPTOR_RELATIVE']],
} ],
  '_CM_NAME_HASH' : [ 0x18, {
    'ConvKey' : [ 0x0, ['unsigned long']],
    'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]],
    'NameLength' : [ 0x10, ['unsigned short']],
    'Name' : [ 0x12, ['array', 1, ['wchar']]],
} ],
  '_MMSECURE_FLAGS' : [ 0x4, {
    'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 12, native_type='unsigned long')]],
} ],
  '_PO_IRP_QUEUE' : [ 0x10, {
    'CurrentIrp' : [ 0x0, ['pointer64', ['_IRP']]],
    'PendingIrpList' : [ 0x8, ['pointer64', ['_IRP']]],
} ],
  '__unnamed_2041' : [ 0x4, {
    'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]],
    'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]],
    'Whole' : [ 0x0, ['unsigned long']],
} ],
  '_VI_DEADLOCK_NODE' : [ 0xd0, {
    'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]],
    'ChildrenList' : [ 0x8, ['_LIST_ENTRY']],
    'SiblingsList' : [ 0x18, ['_LIST_ENTRY']],
    'ResourceList' : [ 0x28, ['_LIST_ENTRY']],
    'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']],
    'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]],
    'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]],
    'u1' : [ 0x48, ['__unnamed_2041']],
    'ChildrenCount' : [ 0x4c, ['long']],
    'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]],
    'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]],
} ],
  'PROCESSOR_IDLESTATE_INFO' : [ 0x8, {
    'TimeCheck' : [ 0x0, ['unsigned long']],
    'DemotePercent' : [ 0x4, ['unsigned char']],
    'PromotePercent' : [ 0x5, ['unsigned char']],
    'Spare' : [ 0x6, ['array', 2, ['unsigned char']]],
} ],
  '_KTMOBJECT_NAMESPACE' : [ 0xa8, {
    'Table' : [ 0x0, ['_RTL_AVL_TABLE']],
    'Mutex' : [ 0x68, ['_KMUTANT']],
    'LinksOffset' : [ 0xa0, ['unsigned short']],
    'GuidOffset' : [ 0xa2, ['unsigned short']],
    'Expired' : [ 0xa4, ['unsigned char']],
} ],
  '_LPCP_PORT_QUEUE' : [ 0x20, {
    'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]],
    'Semaphore' : [ 0x8, ['pointer64', ['_KSEMAPHORE']]],
    'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']],
} ],
  '_CM_KEY_REFERENCE' : [ 0x10, {
    'KeyCell' : [ 0x0, ['unsigned long']],
    'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]],
} ],
  'SYSTEM_POWER_LEVEL' : [ 0x18, {
    'Enable' : [ 0x0, ['unsigned char']],
    'Spare' : [ 0x1, ['array', 3, ['unsigned char']]],
    'BatteryLevel' : [ 0x4, ['unsigned long']],
    'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']],
    'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]],
} ],
  '_OBJECT_DUMP_CONTROL' : [ 0x10, {
    'Stream' : [ 0x0, ['pointer64', ['void']]],
    'Detail' : [ 0x8, ['unsigned long']],
} ],
  '_OBJECT_SYMBOLIC_LINK' : [ 0x38, {
    'CreationTime' : [ 0x0, ['_LARGE_INTEGER']],
    'LinkTarget' : [ 0x8, ['_UNICODE_STRING']],
    'LinkTargetRemaining' : [ 0x18, ['_UNICODE_STRING']],
    'LinkTargetObject' : [ 0x28, ['pointer64', ['void']]],
    'DosDeviceDriveIndex' : [ 0x30, ['unsigned long']],
} ],
  '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, {
    'Semaphore' : [ 0x0, ['_KSEMAPHORE']],
    'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]],
} ],
  '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x28, {
    'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']],
    'Port' : [ 0x10, ['pointer64', ['void']]],
    'Key' : [ 0x18, ['unsigned long long']],
    'BindingProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]],
} ],
  '_VF_TRACKER' : [ 0x10, {
    'TrackerFlags' : [ 0x0, ['unsigned long']],
    'TrackerSize' : [ 0x4, ['unsigned long']],
    'TrackerIndex' : [ 0x8, ['unsigned long']],
    'TraceDepth' : [ 0xc, ['unsigned long']],
} ],
  '_EX_RUNDOWN_REF' : [ 0x8, {
    'Count' : [ 0x0, ['unsigned long long']],
    'Ptr' : [ 0x0, ['pointer64', ['void']]],
} ],
  '_CALL_PERFORMANCE_DATA' : [ 0x408, {
    'SpinLock' : [ 0x0, ['unsigned long long']],
    'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]],
} ],
  '_ARBITER_ALTERNATIVE' : [ 0x40, {
    'Minimum' : [ 0x0, ['unsigned long long']],
    'Maximum' : [ 0x8, ['unsigned long long']],
    'Length' : [ 0x10, ['unsigned long long']],
    'Alignment' : [ 0x18, ['unsigned long long']],
    'Priority' : [ 0x20, ['long']],
    'Flags' : [ 0x24, ['unsigned long']],
    'Descriptor' : [ 0x28, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]],
    'Reserved' : [ 0x30, ['array', 3, ['unsigned long']]],
} ],
  '_WHEA_PERSISTENCE_INFO' : [ 0x8, {
    'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]],
    'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]],
    'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]],
    'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]],
    'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]],
    'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]],
    'AsULONGLONG' : [ 0x0, ['unsigned long long']],
} ],
  '_MI_SECTION_IMAGE_INFORMATION' : [ 0x50, {
    'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']],
    'InternalImageInformation' : [ 0x40, ['_MI_EXTRA_IMAGE_INFORMATION']],
} ],
  '_HEAP_USERDATA_HEADER' : [ 0x20, {
    'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']],
    'SubSegment' : [ 0x0, ['pointer64', ['_HEAP_SUBSEGMENT']]],
    'Reserved' : [ 0x8, ['pointer64', ['void']]],
    'SizeIndex' : [ 0x10, ['unsigned long long']],
    'Signature' : [ 0x18, ['unsigned long long']],
} ],
  '_PPM_DIA_STATS' : [ 0xc, {
    'PerfLevel' : [ 0x0, ['unsigned long']],
    'IdleTime' : [ 0x4, ['unsigned long']],
    'TimeInterval' : [ 0x8, ['unsigned long']],
} ],
  '_STRING64' : [ 0x10, {
    'Length' : [ 0x0, ['unsigned short']],
    'MaximumLength' : [ 0x2, ['unsigned short']],
    'Buffer' : [ 0x8, ['unsigned long long']],
} ],
  '_STACK_TABLE' : [ 0x8088, {
    'NumStackTraces' : [ 0x0, ['unsigned short']],
    'TraceCapacity' : [ 0x2, ['unsigned short']],
    'StackTrace' : [ 0x8, ['array', 16, ['pointer64', ['_OBJECT_REF_TRACE']]]],
    'StackTableHash' : [ 0x88, ['array', 16381, ['unsigned short']]],
} ],
  '_CM_INDEX_HINT_BLOCK' : [ 0x8, {
    'Count' : [ 0x0, ['unsigned long']],
    'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]],
} ],
  '_TOKEN_CONTROL' : [ 0x28, {
    'TokenId' : [ 0x0, ['_LUID']],
    'AuthenticationId' : [ 0x8, ['_LUID']],
    'ModifiedId' : [ 0x10, ['_LUID']],
    'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']],
} ],
  '_DEFERRED_WRITE' : [ 0x50, {
    'NodeTypeCode' : [ 0x0, ['short']],
    'NodeByteSize' : [ 0x2, ['short']],
    'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]],
    'BytesToWrite' : [ 0x10, ['unsigned long']],
    'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']],
    'Event' : [ 0x28, ['pointer64', ['_KEVENT']]],
    'PostRoutine' : [ 0x30, ['pointer64', ['void']]],
    'Context1' : [ 0x38, ['pointer64', ['void']]],
    'Context2' : [ 0x40, ['pointer64', ['void']]],
    'LimitModifiedPages' : [ 0x48, ['unsigned char']],
} ],
  '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, {
    'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']],
    'AlphaControlSet' : [ 0x0, ['unsigned long']],
    'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']],
    'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']],
    'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']],
} ],
  '_ARBITER_ORDERING_LIST' : [ 0x10, {
    'Count' : [ 0x0, ['unsigned short']],
    'Maximum' : [ 0x2, ['unsigned short']],
    'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]],
} ],
  '_SECTION_IMAGE_INFORMATION' : [ 0x40, {
    'TransferAddress' : [ 0x0, ['pointer64', ['void']]],
    'ZeroBits' : [ 0x8, ['unsigned long']],
    'MaximumStackSize' : [ 0x10, ['unsigned long long']],
    'CommittedStackSize' : [ 0x18, ['unsigned long long']],
    'SubSystemType' : [ 0x20, ['unsigned long']],
    'SubSystemMinorVersion' : [ 0x24, ['unsigned short']],
    'SubSystemMajorVersion' : [ 0x26, ['unsigned short']],
    'SubSystemVersion' : [ 0x24, ['unsigned long']],
    'GpValue' : [ 0x28, ['unsigned long']],
    'ImageCharacteristics' : [ 0x2c, ['unsigned short']],
    'DllCharacteristics' : [ 0x2e, ['unsigned short']],
    'Machine' : [ 0x30, ['unsigned short']],
    'ImageContainsCode' : [ 0x32, ['unsigned char']],
    'ImageFlags' : [ 0x33, ['unsigned char']],
    'ComPlusNativeReady' : [ 0x33, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]],
    'ComPlusILOnly' : [ 0x33, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]],
    'ImageDynamicallyRelocated' : [ 0x33, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]],
    'ImageMappedFlat' : [ 0x33, ['BitField', dict(start_bit = 3, end_bit = 4,
native_type='unsigned char')]], 'Reserved' : [ 0x33, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'CheckSum' : [ 0x3c, ['unsigned long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1b, { 'PerUserPolicy' : [ 0x0, ['array', 27, ['unsigned char']]], } ], '__unnamed_2098' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_209a' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_209e' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_20a2' : [ 0x10, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x8, ['unsigned char']], } ], '__unnamed_20a4' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_2098']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_209a']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_209e']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_20a2']], 'Others' : [ 0x0, ['__unnamed_20a4']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, 
['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_POP_HIBER_CONTEXT' : [ 0x178, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'WroteHiberFile' : [ 0x6, ['unsigned char']], 'Lock' : [ 0x8, ['unsigned long long']], 'MapFrozen' : [ 0x10, ['unsigned char']], 'MemoryMap' : [ 0x18, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x28, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x38, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x48, ['unsigned long']], 'NextCloneRange' : [ 0x50, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x58, ['unsigned long long']], 'LoaderMdl' : [ 0x60, ['pointer64', ['_MDL']]], 'AllocatedMdl' : [ 0x68, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x70, ['unsigned long long']], 'IoPages' : [ 0x78, ['pointer64', ['void']]], 'IoPagesCount' : [ 0x80, ['unsigned long']], 'CurrentMcb' : [ 0x88, ['pointer64', ['void']]], 'DumpStack' : [ 0x90, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x98, ['pointer64', ['_KPROCESSOR_STATE']]], 'HiberVa' : [ 0xa0, ['unsigned long long']], 'HiberPte' : [ 0xa8, ['_LARGE_INTEGER']], 'Status' : [ 0xb0, ['long']], 'MemoryImage' : [ 0xb8, ['pointer64', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0xc0, ['pointer64', ['_PO_MEMORY_RANGE_ARRAY']]], 'CompressionWorkspace' : [ 0xc8, ['pointer64', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0xd0, ['pointer64', ['unsigned char']]],
'PerformanceStats' : [ 0xd8, ['pointer64', ['unsigned long']]], 'CompressionBlock' : [ 0xe0, ['pointer64', ['void']]], 'DmaIO' : [ 0xe8, ['pointer64', ['void']]], 'TemporaryHeap' : [ 0xf0, ['pointer64', ['void']]], 'PerfInfo' : [ 0xf8, ['_PO_HIBER_PERF']], 'BootLoaderLogMdl' : [ 0x158, ['pointer64', ['_MDL']]], 'FirmwareRuntimeInformationMdl' : [ 0x160, ['pointer64', ['_MDL']]], 'ResumeContext' : [ 0x168, ['pointer64', ['void']]], 'ResumeContextPages' : [ 0x170, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x80, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer64', ['void']]]], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x110, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xa0, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0xa8, ['pointer64', ['void']]], 'PointersLength' : [ 0xb0, ['unsigned long']], 'ModulePrefix' : [ 0xb8, ['pointer64', ['unsigned short']]], 'DriverList' : [ 0xc0, ['_LIST_ENTRY']], 'InitMsg' : [ 0xd0, ['_STRING']], 'ProgMsg' : [ 0xe0, ['_STRING']], 'DoneMsg' : [ 0xf0, ['_STRING']], 'FileObject' : [ 0x100, ['pointer64', ['void']]], 'UsageType' : [ 0x108, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x40, { 'ThreadHandle' : [ 0x0, ['pointer64', ['void']]], 'ThreadId' : [ 0x8, ['pointer64', ['void']]], 'ProcessId' : [ 0x10, ['pointer64', ['void']]], 'Code' : [ 
0x18, ['unsigned long']], 'Parameter1' : [ 0x20, ['unsigned long long']], 'Parameter2' : [ 0x28, ['unsigned long long']], 'Parameter3' : [ 0x30, ['unsigned long long']], 'Parameter4' : [ 0x38, ['unsigned long long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x10, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'ImageMerge' : [ 0x8, ['pointer64', ['void']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_WHEA_GENERIC_PROCESSOR_ERROR_VALIDBITS' : [ 0x8, { 'ProcessorType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'InstructionSet' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Operation' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Flags' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Level' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'CPUVersion' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'CPUBrandString' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'ProcessorId' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'TargetAddress' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, 
native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'InstructionPointer' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '__unnamed_20ce' : [ 0x20, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_20ce']], } ], '__unnamed_20d2' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_20d2']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, 
['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0x140, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'HiberPte' : [ 0x48, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x50, ['unsigned long']], 'FreeMapCheck' : [ 0x54, ['unsigned long']], 'WakeCheck' : [ 0x58, ['unsigned long']], 'TotalPages' : [ 0x60, ['unsigned long long']], 'FirstTablePage' : [ 0x68, ['unsigned long long']], 'LastFilePage' : [ 0x70, ['unsigned long long']], 'PerfInfo' : [ 0x78, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0xd8, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0xe0, ['array', 1, ['unsigned long long']]], 'NoBootLoaderLogPages' : [ 0xe8, ['unsigned long']], 'BootLoaderLogPages' : [ 0xf0, ['array', 8, ['unsigned long long']]], 'NotUsed' : [ 0x130, ['unsigned long']], 'ResumeContextCheck' : [ 0x134, ['unsigned long']], 'ResumeContextPages' : [ 0x138, ['unsigned long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 
0x4, ['unsigned long']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x60, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], 'ResumeAppStartTime' : [ 0x48, ['unsigned long long']], 'ResumeAppEndTime' : [ 0x50, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x58, ['unsigned long long']], } ], '_DEVICE_FLAGS' : [ 0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ConsoleIn' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x20, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0x18, ['unsigned char']], 'Reserved' : [ 0x19, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' : [ 0x10, { 'Entry' : [ 0x0, ['unsigned long long']],
'Writable' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ControlArea' : [ 0x8, ['pointer64', ['_CONTROL_AREA']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Flags' : [ 0x28, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x2c, ['unsigned short']], 'SpareUSHORT' : [ 0x2e, ['unsigned short']], } ], '__unnamed_20f1' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_20f3' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_20f5' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_20f7' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceIds' : [ 0x8, ['array', 1, ['wchar']]], } ], '__unnamed_20f9' : [ 0x8, { 
'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_20fb' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_20fd' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_20ff' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_2101' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2103' : [ 0x1c, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'PowerSettingChanged' : [ 0x10, ['unsigned char']], 'DataLength' : [ 0x14, ['unsigned long']], 'Data' : [ 0x18, ['array', 1, ['unsigned char']]], } ], '__unnamed_2105' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_20f1']], 'TargetDevice' : [ 0x0, ['__unnamed_20f3']], 'InstallDevice' : [ 0x0, ['__unnamed_20f5']], 'CustomNotification' : [ 0x0, ['__unnamed_20f7']], 'ProfileNotification' : [ 0x0, ['__unnamed_20f9']], 'PowerNotification' : [ 0x0, ['__unnamed_20fb']], 'VetoNotification' : [ 0x0, ['__unnamed_20fd']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_20ff']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_2101']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_2103']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x50, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 
'InvalidIDEvent', 10: 'PowerSettingChange', 11: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_2105']], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x40, { 'UsedBiosSettings' : [ 0x0, ['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0x10, ['pointer64', ['unsigned char']]], 'PciDeviceId' : [ 0x18, ['unsigned short']], 'PciVendorId' : [ 0x1a, ['unsigned short']], 'PciBusNumber' : [ 0x1c, ['unsigned char']], 'PciBusSegment' : [ 0x1e, ['unsigned short']], 'PciSlotNumber' : [ 0x20, ['unsigned char']], 'PciFunctionNumber' : [ 0x21, ['unsigned char']], 'PciFlags' : [ 0x24, ['unsigned long']], 'SystemGUID' : [ 0x28, ['_GUID']], 'IsMMIODevice' : [ 0x38, ['unsigned char']], 'TerminalType' : [ 0x39, ['unsigned char']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0x10, ['_LIST_ENTRY']], } ], '_PO_MEMORY_RANGE_ARRAY' : [ 0x20, { 'Range' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_RANGE']], 'Link' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], } ], '__unnamed_211c' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_211e' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_2120' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_211c']], 'Gpt' : [ 0x0, ['__unnamed_211e']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xa0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 
2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_2120']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x48, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'Hint' : [ 0x10, ['unsigned long']], 'BasePte' : [ 0x18, ['pointer64', ['_MMPTE']]], 'FailureCount' : [ 0x20, ['pointer64', ['unsigned long']]], 'Vm' : [ 0x28, ['pointer64', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x30, ['long']], 'TotalFreeSystemPtes' : [ 0x34, ['long']], 'CachedPteCount' : [ 0x38, ['long']], 'PteFailures' : [ 0x3c, ['unsigned long']], 'GlobalMutex' : [ 0x40, ['pointer64', ['_KGUARDED_MUTEX']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x20, { 'DHCPServerACK' : [ 0x0, ['pointer64', ['unsigned char']]], 'DHCPServerACKLength' : [ 0x8, ['unsigned long']], 'BootServerReplyPacket' : [ 0x10, ['pointer64', ['unsigned char']]], 'BootServerReplyPacketLength' : [ 0x18, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x250, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', 
['pointer64', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x20, { 'PageNo' : [ 0x0, ['unsigned long long']], 'StartPage' : [ 0x8, ['unsigned long long']], 'EndPage' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, ['unsigned long long']], 'Rsp2' : [ 0x14, ['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x28, ['_LIST_ENTRY']], 'WaitS0' : [ 0x38, ['_LIST_ENTRY']], } ], '_VI_DEADLOCK_ADDRESS_RANGE' : [ 0x10, { 'Start' : [ 0x0, ['pointer64', ['unsigned char']]], 'End' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x18, { 'Next' : [ 0x0, ['pointer64', ['_PO_MEMORY_RANGE_ARRAY']]], 'NextTable' : [ 0x8, ['unsigned long long']], 'CheckSum' : [ 0x10, ['unsigned long']], 'EntryCount' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' 
: [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_ETW_REPLY_QUEUE' : [ 0x48, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x40, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '__unnamed_2150' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_2154' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, 
native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 0x4, ['__unnamed_2150']], 'Bits' : [ 0x4, ['__unnamed_2154']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x68, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x20, ['pointer64', ['void']]], 'WhichOrderedElement' : [ 0x28, ['unsigned long']], 'NumberGenericTableElements' : [ 0x2c, ['unsigned long']], 'DepthOfTree' : [ 0x30, ['unsigned long']], 'RestartKey' : [ 0x38, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x40, ['unsigned long']], 'CompareRoutine' : [ 0x48, ['pointer64', ['void']]], 'AllocateRoutine' : [ 0x50, ['pointer64', ['void']]], 'FreeRoutine' : [ 0x58, ['pointer64', ['void']]], 'TableContext' : [ 0x60, ['pointer64', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 
0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '__unnamed_101f' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_101f']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1024' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1024']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_103d' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_103f' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_103d']], } ], '_TP_CALLBACK_ENVIRON' : [ 0x40, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x8, ['pointer64', ['_TP_POOL']]], 'CleanupGroup' : [ 0x10, ['pointer64', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0x18, ['pointer64', ['void']]], 'RaceDll' : [ 0x20, ['pointer64', ['void']]], 'ActivationContext' : [ 0x28, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x30, ['pointer64', ['void']]], 'u' : [ 0x38, ['__unnamed_103f']], } ], '_TP_TASK_CALLBACKS' : [ 0x10, { 'ExecuteCallback' : [ 0x0, ['pointer64', ['void']]], 'Unposted' : [ 0x8, ['pointer64', ['void']]], } ], '_TP_TASK' : [ 0x8, { 'Callbacks' : [ 0x0, ['pointer64', ['_TP_TASK_CALLBACKS']]], } ], '_TP_DIRECT' : [ 0x8, { 'Callback' : [ 0x0, ['pointer64', ['void']]], } ], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, { 'Next' : [ 
0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_UNICODE_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], '_KPRCB' : [ 0x3b20, { 'MxCsr' : [ 0x0, ['unsigned long']], 'Number' : [ 0x4, ['unsigned short']], 'InterruptRequest' : [ 0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NestingLevel' : [ 0x20, ['unsigned char']], 'Group' : [ 0x21, ['unsigned char']], 'PrcbPad00' : [ 0x22, ['array', 6, ['unsigned char']]], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'SetMember' : [ 0x38, ['unsigned long long']], 'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']], 'CpuType' : [ 0x5f0, ['unsigned char']], 'CpuID' : [ 0x5f1, ['unsigned char']], 'CpuStep' : [ 0x5f2, ['unsigned short']], 'CpuStepping' : [ 0x5f2, ['unsigned char']], 'CpuModel' : [ 0x5f3, ['unsigned char']], 'MHz' : [ 0x5f4, ['unsigned long']], 'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x638, ['unsigned short']], 'MajorVersion' : [ 0x63a, ['unsigned short']], 'BuildType' : [ 0x63c, ['unsigned char']], 'CpuVendor' : [ 0x63d, ['unsigned char']], 'CoresPerPhysicalProcessor' : [ 
0x63e, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x63f, ['unsigned char']], 'ApicMask' : [ 0x640, ['unsigned long']], 'CFlushSize' : [ 0x644, ['unsigned long']], 'AcpiReserved' : [ 0x648, ['pointer64', ['void']]], 'InitialApicId' : [ 0x650, ['unsigned long']], 'Stride' : [ 0x654, ['unsigned long']], 'PrcbPad01' : [ 0x658, ['array', 3, ['unsigned long long']]], 'LockQueue' : [ 0x670, ['array', 49, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x980, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0xa80, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1680, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x2280, ['unsigned long long']], 'DeferredReadyListHead' : [ 0x2288, ['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x2290, ['long']], 'MmCopyOnWriteCount' : [ 0x2294, ['long']], 'MmTransitionCount' : [ 0x2298, ['long']], 'MmDemandZeroCount' : [ 0x229c, ['long']], 'MmPageReadCount' : [ 0x22a0, ['long']], 'MmPageReadIoCount' : [ 0x22a4, ['long']], 'MmDirtyPagesWriteCount' : [ 0x22a8, ['long']], 'MmDirtyWriteIoCount' : [ 0x22ac, ['long']], 'MmMappedPagesWriteCount' : [ 0x22b0, ['long']], 'MmMappedWriteIoCount' : [ 0x22b4, ['long']], 'KeSystemCalls' : [ 0x22b8, ['unsigned long']], 'KeContextSwitches' : [ 0x22bc, ['unsigned long']], 'CcFastReadNoWait' : [ 0x22c0, ['unsigned long']], 'CcFastReadWait' : [ 0x22c4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x22c8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x22cc, ['unsigned long']], 'CcCopyReadWait' : [ 0x22d0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x22d4, ['unsigned long']], 'LookasideIrpFloat' : [ 0x22d8, ['long']], 'IoReadOperationCount' : [ 0x22dc, ['long']], 'IoWriteOperationCount' : [ 0x22e0, ['long']], 'IoOtherOperationCount' : [ 0x22e4, ['long']], 'IoReadTransferCount' : [ 0x22e8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x22f0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x22f8, ['_LARGE_INTEGER']], 'TargetSet' : [ 
0x2300, ['unsigned long long']], 'IpiFrozen' : [ 0x2308, ['unsigned long']], 'PrcbPad3' : [ 0x230c, ['array', 116, ['unsigned char']]], 'RequestMailbox' : [ 0x2380, ['array', 64, ['_REQUEST_MAILBOX']]], 'SenderSummary' : [ 0x3380, ['unsigned long long']], 'PrcbPad4' : [ 0x3388, ['array', 120, ['unsigned char']]], 'DpcData' : [ 0x3400, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x3440, ['pointer64', ['void']]], 'SparePtr0' : [ 0x3448, ['pointer64', ['void']]], 'MaximumDpcQueueDepth' : [ 0x3450, ['long']], 'DpcRequestRate' : [ 0x3454, ['unsigned long']], 'MinimumDpcRate' : [ 0x3458, ['unsigned long']], 'DpcInterruptRequested' : [ 0x345c, ['unsigned char']], 'DpcThreadRequested' : [ 0x345d, ['unsigned char']], 'DpcRoutineActive' : [ 0x345e, ['unsigned char']], 'DpcThreadActive' : [ 0x345f, ['unsigned char']], 'TimerHand' : [ 0x3460, ['unsigned long long']], 'TimerRequest' : [ 0x3460, ['unsigned long long']], 'TickOffset' : [ 0x3468, ['long']], 'MasterOffset' : [ 0x346c, ['long']], 'DpcLastCount' : [ 0x3470, ['unsigned long']], 'ThreadDpcEnable' : [ 0x3474, ['unsigned char']], 'QuantumEnd' : [ 0x3475, ['unsigned char']], 'PrcbPad50' : [ 0x3476, ['unsigned char']], 'IdleSchedule' : [ 0x3477, ['unsigned char']], 'DpcSetEventRequest' : [ 0x3478, ['long']], 'KeExceptionDispatchCount' : [ 0x347c, ['unsigned long']], 'DpcEvent' : [ 0x3480, ['_KEVENT']], 'PrcbPad51' : [ 0x3498, ['pointer64', ['void']]], 'CallDpc' : [ 0x34a0, ['_KDPC']], 'ClockKeepAlive' : [ 0x34e0, ['long']], 'ClockCheckSlot' : [ 0x34e4, ['unsigned char']], 'ClockPollCycle' : [ 0x34e5, ['unsigned char']], 'PrcbPad6' : [ 0x34e6, ['array', 2, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x34e8, ['long']], 'DpcWatchdogCount' : [ 0x34ec, ['long']], 'PrcbPad70' : [ 0x34f0, ['array', 2, ['unsigned long long']]], 'WaitListHead' : [ 0x3500, ['_LIST_ENTRY']], 'WaitLock' : [ 0x3510, ['unsigned long long']], 'ReadySummary' : [ 0x3518, ['unsigned long']], 'QueueIndex' : [ 0x351c, ['unsigned long']], 'PrcbPad71' : [ 
0x3520, ['array', 12, ['unsigned long long']]], 'DispatcherReadyListHead' : [ 0x3580, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x3780, ['unsigned long']], 'KernelTime' : [ 0x3784, ['unsigned long']], 'UserTime' : [ 0x3788, ['unsigned long']], 'DpcTime' : [ 0x378c, ['unsigned long']], 'InterruptTime' : [ 0x3790, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x3794, ['unsigned long']], 'SkipTick' : [ 0x3798, ['unsigned char']], 'DebuggerSavedIRQL' : [ 0x3799, ['unsigned char']], 'PollSlot' : [ 0x379a, ['unsigned char']], 'PrcbPad80' : [ 0x379b, ['array', 5, ['unsigned char']]], 'DpcTimeCount' : [ 0x37a0, ['unsigned long']], 'DpcTimeLimit' : [ 0x37a4, ['unsigned long']], 'PeriodicCount' : [ 0x37a8, ['unsigned long']], 'PeriodicBias' : [ 0x37ac, ['unsigned long']], 'PrcbPad81' : [ 0x37b0, ['array', 2, ['unsigned long long']]], 'ParentNode' : [ 0x37c0, ['pointer64', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x37c8, ['unsigned long long']], 'MultiThreadSetMaster' : [ 0x37d0, ['pointer64', ['_KPRCB']]], 'StartCycles' : [ 0x37d8, ['unsigned long long']], 'MmSpinLockOrdering' : [ 0x37e0, ['long']], 'PageColor' : [ 0x37e4, ['unsigned long']], 'NodeColor' : [ 0x37e8, ['unsigned long']], 'NodeShiftedColor' : [ 0x37ec, ['unsigned long']], 'SecondaryColorMask' : [ 0x37f0, ['unsigned long']], 'Sleeping' : [ 0x37f4, ['long']], 'CycleTime' : [ 0x37f8, ['unsigned long long']], 'CcFastMdlReadNoWait' : [ 0x3800, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x3804, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x3808, ['unsigned long']], 'CcMapDataNoWait' : [ 0x380c, ['unsigned long']], 'CcMapDataWait' : [ 0x3810, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x3814, ['unsigned long']], 'CcPinReadNoWait' : [ 0x3818, ['unsigned long']], 'CcPinReadWait' : [ 0x381c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x3820, ['unsigned long']], 'CcMdlReadWait' : [ 0x3824, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x3828, ['unsigned long']], 'CcLazyWriteIos' : [ 0x382c, 
['unsigned long']], 'CcLazyWritePages' : [ 0x3830, ['unsigned long']], 'CcDataFlushes' : [ 0x3834, ['unsigned long']], 'CcDataPages' : [ 0x3838, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x383c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x3840, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x3844, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x3848, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x384c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x3850, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x3854, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x3858, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x385c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x3860, ['unsigned long']], 'CcReadAheadIos' : [ 0x3864, ['unsigned long']], 'MmCacheTransitionCount' : [ 0x3868, ['long']], 'MmCacheReadCount' : [ 0x386c, ['long']], 'MmCacheIoCount' : [ 0x3870, ['long']], 'PrcbPad91' : [ 0x3874, ['array', 3, ['unsigned long']]], 'PowerState' : [ 0x3880, ['_PROCESSOR_POWER_STATE']], 'KeAlignmentFixupCount' : [ 0x3998, ['unsigned long']], 'VendorString' : [ 0x399c, ['array', 13, ['unsigned char']]], 'PrcbPad10' : [ 0x39a9, ['array', 3, ['unsigned char']]], 'FeatureBits' : [ 0x39ac, ['unsigned long']], 'UpdateSignature' : [ 0x39b0, ['_LARGE_INTEGER']], 'DpcWatchdogDpc' : [ 0x39b8, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x39f8, ['_KTIMER']], 'Cache' : [ 0x3a38, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x3a74, ['unsigned long']], 'CachedCommit' : [ 0x3a78, ['unsigned long']], 'CachedResidentAvailable' : [ 0x3a7c, ['unsigned long']], 'HyperPte' : [ 0x3a80, ['pointer64', ['void']]], 'WheaInfo' : [ 0x3a88, ['pointer64', ['void']]], 'EtwSupport' : [ 0x3a90, ['pointer64', ['void']]], 'InterruptObjectPool' : [ 0x3aa0, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x3ab0, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x3ac0, ['pointer64', ['void']]], 'VirtualApicAssist' : [ 0x3ac8, ['pointer64', ['void']]], 'StatisticsPage' : [ 0x3ad0, ['pointer64', ['unsigned long long']]],
'RateControl' : [ 0x3ad8, ['pointer64', ['void']]], 'CacheProcessorMask' : [ 0x3ae0, ['array', 5, ['unsigned long long']]], 'PackageProcessorSet' : [ 0x3b08, ['unsigned long long']], 'CoreProcessorSet' : [ 0x3b10, ['unsigned long long']], } ], '_KTHREAD' : [ 0x330, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'CycleTime' : [ 0x18, ['unsigned long long']], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'KernelStack' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 0x40, ['unsigned long long']], 'ApcState' : [ 0x48, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x48, ['array', 43, ['unsigned char']]], 'Priority' : [ 0x73, ['unsigned char']], 'NextProcessor' : [ 0x74, ['unsigned short']], 'DeferredProcessor' : [ 0x76, ['unsigned short']], 'ApcQueueLock' : [ 0x78, ['unsigned long long']], 'WaitStatus' : [ 0x80, ['long long']], 'WaitBlockList' : [ 0x88, ['pointer64', ['_KWAIT_BLOCK']]], 'GateObject' : [ 0x88, ['pointer64', ['_KGATE']]], 'KernelStackResident' : [ 0x90, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x90, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x90, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x90, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x90, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x90, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GdiFlushActive' : [ 0x90, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x90, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x90, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]],
'MiscFlags' : [ 0x90, ['long']], 'WaitReason' : [ 0x94, ['unsigned char']], 'SwapBusy' : [ 0x95, ['unsigned char']], 'Alerted' : [ 0x96, ['array', 2, ['unsigned char']]], 'WaitListEntry' : [ 0x98, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x98, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xa8, ['pointer64', ['_KQUEUE']]], 'Teb' : [ 0xb0, ['pointer64', ['void']]], 'Timer' : [ 0xb8, ['_KTIMER']], 'TimerFill' : [ 0xb8, ['array', 60, ['unsigned char']]], 'AutoAlignment' : [ 0xf4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0xf4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0xf4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EtwStackTraceApc2Inserted' : [ 0xf4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CycleChargePending' : [ 0xf4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CalloutActive' : [ 0xf4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ApcQueueable' : [ 0xf4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'EnableStackSwap' : [ 0xf4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'GuiThread' : [ 0xf4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedFlags' : [ 0xf4, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0xf4, ['long']], 'WaitBlock' : [ 0xf8, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill0' : [ 0xf8, ['array', 43, ['unsigned char']]], 'IdealProcessor' : [ 0x123, ['unsigned char']], 'WaitBlockFill1' : [ 0xf8, ['array', 91, ['unsigned char']]], 'PreviousMode' : [ 0x153, ['unsigned char']], 'WaitBlockFill2' : [ 0xf8, ['array', 139, ['unsigned char']]], 'ResourceIndex' : [ 0x183, ['unsigned char']], 'WaitBlockFill3' : [ 0xf8, ['array', 187, ['unsigned char']]],
'LargeStack' : [ 0x1b3, ['unsigned char']], 'WaitBlockFill4' : [ 0xf8, ['array', 44, ['unsigned char']]], 'ContextSwitches' : [ 0x124, ['unsigned long']], 'WaitBlockFill5' : [ 0xf8, ['array', 92, ['unsigned char']]], 'State' : [ 0x154, ['unsigned char']], 'NpxState' : [ 0x155, ['unsigned char']], 'WaitIrql' : [ 0x156, ['unsigned char']], 'WaitMode' : [ 0x157, ['unsigned char']], 'WaitBlockFill6' : [ 0xf8, ['array', 140, ['unsigned char']]], 'WaitTime' : [ 0x184, ['unsigned long']], 'WaitBlockFill7' : [ 0xf8, ['array', 188, ['unsigned char']]], 'KernelApcDisable' : [ 0x1b4, ['short']], 'SpecialApcDisable' : [ 0x1b6, ['short']], 'CombinedApcDisable' : [ 0x1b4, ['unsigned long']], 'QueueListEntry' : [ 0x1b8, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x1c8, ['pointer64', ['_KTRAP_FRAME']]], 'FirstArgument' : [ 0x1d0, ['pointer64', ['void']]], 'CallbackStack' : [ 0x1d8, ['pointer64', ['void']]], 'CallbackDepth' : [ 0x1d8, ['unsigned long long']], 'ApcStateIndex' : [ 0x1e0, ['unsigned char']], 'BasePriority' : [ 0x1e1, ['unsigned char']], 'PriorityDecrement' : [ 0x1e2, ['unsigned char']], 'Preempted' : [ 0x1e3, ['unsigned char']], 'AdjustReason' : [ 0x1e4, ['unsigned char']], 'AdjustIncrement' : [ 0x1e5, ['unsigned char']], 'Spare01' : [ 0x1e6, ['unsigned char']], 'Saturation' : [ 0x1e7, ['unsigned char']], 'SystemCallNumber' : [ 0x1e8, ['unsigned long']], 'FreezeCount' : [ 0x1ec, ['unsigned long']], 'UserAffinity' : [ 0x1f0, ['unsigned long long']], 'Process' : [ 0x1f8, ['pointer64', ['_KPROCESS']]], 'Affinity' : [ 0x200, ['unsigned long long']], 'ApcStatePointer' : [ 0x208, ['array', 2, ['pointer64', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x218, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x218, ['array', 43, ['unsigned char']]], 'Spare02' : [ 0x243, ['unsigned char']], 'SuspendCount' : [ 0x244, ['unsigned char']], 'UserIdealProcessor' : [ 0x245, ['unsigned char']], 'Spare03' : [ 0x246, ['unsigned char']], 'CodePatchInProgress' : [ 0x247, ['unsigned char']],
'Win32Thread' : [ 0x248, ['pointer64', ['void']]], 'StackBase' : [ 0x250, ['pointer64', ['void']]], 'SuspendApc' : [ 0x258, ['_KAPC']], 'SuspendApcFill0' : [ 0x258, ['array', 1, ['unsigned char']]], 'Spare04' : [ 0x259, ['unsigned char']], 'SuspendApcFill1' : [ 0x258, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x25b, ['unsigned char']], 'SuspendApcFill2' : [ 0x258, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x25c, ['unsigned long']], 'SuspendApcFill3' : [ 0x258, ['array', 64, ['unsigned char']]], 'WaitPrcb' : [ 0x298, ['pointer64', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x258, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x2a0, ['pointer64', ['void']]], 'SuspendApcFill5' : [ 0x258, ['array', 83, ['unsigned char']]], 'PowerState' : [ 0x2ab, ['unsigned char']], 'UserTime' : [ 0x2ac, ['unsigned long']], 'SuspendSemaphore' : [ 0x2b0, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x2b0, ['array', 28, ['unsigned char']]], 'SListFaultCount' : [ 0x2cc, ['unsigned long']], 'ThreadListEntry' : [ 0x2d0, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x2e0, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x2f0, ['pointer64', ['void']]], 'ReadOperationCount' : [ 0x2f8, ['long long']], 'WriteOperationCount' : [ 0x300, ['long long']], 'OtherOperationCount' : [ 0x308, ['long long']], 'ReadTransferCount' : [ 0x310, ['long long']], 'WriteTransferCount' : [ 0x318, ['long long']], 'OtherTransferCount' : [ 0x320, ['long long']], 'MdlForLockedTeb' : [ 0x328, ['pointer64', ['void']]], } ], '_KERNEL_STACK_CONTROL' : [ 0x250, { 'XmmSaveArea' : [ 0x0, ['_XMM_SAVE_AREA32']], 'Current' : [ 0x200, ['_KERNEL_STACK_SEGMENT']], 'Previous' : [ 0x228, ['_KERNEL_STACK_SEGMENT']], } ], '_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '__unnamed_1119' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, 
native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 25, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 61, native_type='unsigned long long')]], 'Region' : [ 0x8, ['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_111e' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long long']], 'Header8' : [ 0x0, ['__unnamed_1119']], 'Header16' : [ 0x0, ['__unnamed_111e']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_LOOKASIDE_LIST_EX' : [ 0x60, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_IO_STATUS_BLOCK' : [ 0x10, { 'Status' : [ 
0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 'Information' : [ 0x8, ['unsigned long long']], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x100, { 'Locks' : [ 0x0, ['array', 32, ['pointer64', ['_EX_PUSH_LOCK']]]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', 
['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x40, { 'WakeGate' : [ 0x0, ['_KGATE']], 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x18, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x20, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x28, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x30, ['long']], 'Flags' : [ 0x34, ['long']], } ], '_ETHREAD' : [ 0x450, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x330, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x338, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x338, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x348, ['long']], 'OfsChain' : [ 0x348, ['pointer64', ['void']]], 'PostBlockList' : [ 0x350, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x350, ['pointer64', ['void']]], 'StartAddress' : [ 0x358, ['pointer64', ['void']]], 'TerminationPort' : [ 0x360, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x360, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x360, ['pointer64', ['void']]], 'Win32StartParameter' : [ 0x360, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x368, ['unsigned long long']], 'ActiveTimerListHead' : [ 0x370, ['_LIST_ENTRY']], 'Cid' : [ 0x380, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x390, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x390, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x3b0, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x3b8, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x3c8, ['unsigned long long']], 
'DeviceToVerify' : [ 0x3d0, ['pointer64', ['_DEVICE_OBJECT']]], 'RateControlApc' : [ 0x3d8, ['pointer64', ['_PSP_RATE_APC']]], 'Win32StartAddress' : [ 0x3e0, ['pointer64', ['void']]], 'SparePtr0' : [ 0x3e8, ['pointer64', ['void']]], 'ThreadListEntry' : [ 0x3f0, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x400, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x408, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x410, ['unsigned long']], 'MmLockOrdering' : [ 0x414, ['long']], 'CrossThreadFlags' : [ 0x418, ['unsigned long']], 'Terminated' : [ 0x418, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x418, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x418, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x418, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x418, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x418, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x418, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x418, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x418, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x418, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x418, ['BitField', dict(start_bit = 10, end_bit = 13, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x418, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x418, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x41c, ['unsigned long']], 'ActiveExWorker' : [ 
0x41c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x41c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x41c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ClonedThread' : [ 0x41c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x41c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x41c, ['BitField', dict(start_bit = 5, end_bit = 7, native_type='unsigned long')]], 'SelfTerminate' : [ 0x41c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x420, ['unsigned long']], 'Spare' : [ 0x420, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x420, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwPageFaultCalloutActive' : [ 0x420, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x420, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x420, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemWorkingSetExclusive' : [ 0x420, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemWorkingSetShared' : [ 0x420, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x420, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x421, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x421, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x421, ['BitField', 
dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x421, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x421, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsDynamicMemoryShared' : [ 0x421, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x421, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x421, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare1' : [ 0x422, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x423, ['unsigned char']], 'CacheManagerActive' : [ 0x424, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x425, ['unsigned char']], 'ActiveFaultCount' : [ 0x426, ['unsigned char']], 'AlpcMessageId' : [ 0x428, ['unsigned long long']], 'AlpcMessage' : [ 0x430, ['pointer64', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x430, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x438, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x448, ['unsigned long']], } ], '_EPROCESS' : [ 0x3e8, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0xc0, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0xc8, ['_LARGE_INTEGER']], 'ExitTime' : [ 0xd0, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0xd8, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0xe0, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0xe8, ['_LIST_ENTRY']], 'QuotaUsage' : [ 0xf8, ['array', 3, ['unsigned long long']]], 'QuotaPeak' : [ 0x110, ['array', 3, ['unsigned long long']]], 'CommitCharge' : [ 0x128, ['unsigned long long']], 'PeakVirtualSize' : [ 0x130, ['unsigned long long']], 'VirtualSize' : [ 0x138, ['unsigned long long']], 'SessionProcessLinks' : [ 0x140, ['_LIST_ENTRY']], 'DebugPort' : [ 0x150, ['pointer64', ['void']]], 'ExceptionPortData' : [ 0x158, ['pointer64', ['void']]], 
'ExceptionPortValue' : [ 0x158, ['unsigned long long']], 'ExceptionPortState' : [ 0x158, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'ObjectTable' : [ 0x160, ['pointer64', ['_HANDLE_TABLE']]], 'Token' : [ 0x168, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0x170, ['unsigned long long']], 'AddressCreationLock' : [ 0x178, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x180, ['pointer64', ['_ETHREAD']]], 'ForkInProgress' : [ 0x188, ['pointer64', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x190, ['unsigned long long']], 'PhysicalVadRoot' : [ 0x198, ['pointer64', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x1a0, ['pointer64', ['void']]], 'NumberOfPrivatePages' : [ 0x1a8, ['unsigned long long']], 'NumberOfLockedPages' : [ 0x1b0, ['unsigned long long']], 'Win32Process' : [ 0x1b8, ['pointer64', ['void']]], 'Job' : [ 0x1c0, ['pointer64', ['_EJOB']]], 'SectionObject' : [ 0x1c8, ['pointer64', ['void']]], 'SectionBaseAddress' : [ 0x1d0, ['pointer64', ['void']]], 'QuotaBlock' : [ 0x1d8, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'WorkingSetWatch' : [ 0x1e0, ['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x1e8, ['pointer64', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x1f0, ['pointer64', ['void']]], 'LdtInformation' : [ 0x1f8, ['pointer64', ['void']]], 'Spare' : [ 0x200, ['pointer64', ['void']]], 'VdmObjects' : [ 0x208, ['pointer64', ['void']]], 'DeviceMap' : [ 0x210, ['pointer64', ['void']]], 'EtwDataSource' : [ 0x218, ['pointer64', ['void']]], 'FreeTebHint' : [ 0x220, ['pointer64', ['void']]], 'PageDirectoryPte' : [ 0x228, ['_HARDWARE_PTE']], 'Filler' : [ 0x228, ['unsigned long long']], 'Session' : [ 0x230, ['pointer64', ['void']]], 'ImageFileName' : [ 0x238, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x248, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x258, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x260, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x270, ['pointer64', ['void']]], 'Wow64Process' : [ 0x278, ['pointer64', 
['_WOW64_PROCESS']]], 'ActiveThreads' : [ 0x280, ['unsigned long']], 'ImagePathHash' : [ 0x284, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x288, ['unsigned long']], 'LastThreadExitStatus' : [ 0x28c, ['long']], 'Peb' : [ 0x290, ['pointer64', ['_PEB']]], 'PrefetchTrace' : [ 0x298, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x2a0, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x2a8, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x2b0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x2b8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x2c0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x2c8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x2d0, ['unsigned long long']], 'CommitChargePeak' : [ 0x2d8, ['unsigned long long']], 'AweInfo' : [ 0x2e0, ['pointer64', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x2e8, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x2f0, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x358, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x368, ['unsigned long']], 'Flags2' : [ 0x36c, ['unsigned long']], 'JobNotReallyActive' : [ 0x36c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x36c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x36c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x36c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x36c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x36c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x36c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x36c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x36c, ['BitField', dict(start_bit = 8, end_bit = 9, 
        native_type='unsigned long')]],
    'RefTraceEnabled' : [ 0x36c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]],
    'NumaAware' : [ 0x36c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]],
    'ProtectedProcess' : [ 0x36c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]],
    'DefaultPagePriority' : [ 0x36c, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]],
    'PrimaryTokenFrozen' : [ 0x36c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]],
    'ProcessVerifierTarget' : [ 0x36c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]],
    'StackRandomizationDisabled' : [ 0x36c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]],
    'AffinityPermanent' : [ 0x36c, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]],
    'AffinityUpdateEnable' : [ 0x36c, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]],
    'CrossSessionCreate' : [ 0x36c, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]],
    'Flags' : [ 0x370, ['unsigned long']],
    'CreateReported' : [ 0x370, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'NoDebugInherit' : [ 0x370, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'ProcessExiting' : [ 0x370, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]],
    'ProcessDelete' : [ 0x370, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]],
    'Wow64SplitPages' : [ 0x370, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]],
    'VmDeleted' : [ 0x370, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]],
    'OutswapEnabled' : [ 0x370, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]],
    'Outswapped' : [ 0x370, ['BitField', dict(start_bit = 7, end_bit = 8,
        native_type='unsigned long')]],
    'ForkFailed' : [ 0x370, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]],
    'Wow64VaSpace4Gb' : [ 0x370, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]],
    'AddressSpaceInitialized' : [ 0x370, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]],
    'SetTimerResolution' : [ 0x370, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]],
    'BreakOnTermination' : [ 0x370, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]],
    'DeprioritizeViews' : [ 0x370, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]],
    'WriteWatch' : [ 0x370, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]],
    'ProcessInSession' : [ 0x370, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]],
    'OverrideAddressSpace' : [ 0x370, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]],
    'HasAddressSpace' : [ 0x370, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]],
    'LaunchPrefetched' : [ 0x370, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]],
    'InjectInpageErrors' : [ 0x370, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]],
    'VmTopDown' : [ 0x370, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]],
    'ImageNotifyDone' : [ 0x370, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]],
    'PdeUpdateNeeded' : [ 0x370, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]],
    'VdmAllowed' : [ 0x370, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]],
    'SmapAllowed' : [ 0x370, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]],
    'ProcessInserted' : [ 0x370, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]],
    'DefaultIoPriority' : [ 0x370, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]],
    'ProcessSelfDelete' : [ 0x370, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]],
    'SpareProcessFlags' : [ 0x370, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]],
    'ExitStatus' : [ 0x374, ['long']],
    'Spare7' : [ 0x378, ['unsigned short']],
    'SubSystemMinorVersion' : [ 0x37a, ['unsigned char']],
    'SubSystemMajorVersion' : [ 0x37b, ['unsigned char']],
    'SubSystemVersion' : [ 0x37a, ['unsigned short']],
    'PriorityClass' : [ 0x37c, ['unsigned char']],
    'VadRoot' : [ 0x380, ['_MM_AVL_TABLE']],
    'Cookie' : [ 0x3c0, ['unsigned long']],
    'AlpcContext' : [ 0x3c8, ['_ALPC_PROCESS_CONTEXT']],
} ],
  '__unnamed_11ea' : [ 0x2c, {
    'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']],
    'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']],
} ],
  '_ACCESS_STATE' : [ 0xa0, {
    'OperationID' : [ 0x0, ['_LUID']],
    'SecurityEvaluated' : [ 0x8, ['unsigned char']],
    'GenerateAudit' : [ 0x9, ['unsigned char']],
    'GenerateOnClose' : [ 0xa, ['unsigned char']],
    'PrivilegesAllocated' : [ 0xb, ['unsigned char']],
    'Flags' : [ 0xc, ['unsigned long']],
    'RemainingDesiredAccess' : [ 0x10, ['unsigned long']],
    'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']],
    'OriginalDesiredAccess' : [ 0x18, ['unsigned long']],
    'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']],
    'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]],
    'AuxData' : [ 0x48, ['pointer64', ['void']]],
    'Privileges' : [ 0x50, ['__unnamed_11ea']],
    'AuditPrivileges' : [ 0x7c, ['unsigned char']],
    'ObjectName' : [ 0x80, ['_UNICODE_STRING']],
    'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']],
} ],
  '__unnamed_11f8' : [ 0x8, {
    'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]],
    'IrpCount' : [ 0x0, ['long']],
    'SystemBuffer' : [ 0x0, ['pointer64', ['void']]],
} ],
  '__unnamed_11fd' : [ 0x10, {
    'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]],
    'IssuingProcess' : [ 0x0, ['pointer64',
        ['void']]],
    'UserApcContext' : [ 0x8, ['pointer64', ['void']]],
} ],
  '__unnamed_11ff' : [ 0x10, {
    'AsynchronousParameters' : [ 0x0, ['__unnamed_11fd']],
    'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']],
} ],
  '__unnamed_120a' : [ 0x50, {
    'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']],
    'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]],
    'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]],
    'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]],
    'ListEntry' : [ 0x30, ['_LIST_ENTRY']],
    'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]],
    'PacketType' : [ 0x40, ['unsigned long']],
    'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]],
} ],
  '__unnamed_120c' : [ 0x58, {
    'Overlay' : [ 0x0, ['__unnamed_120a']],
    'Apc' : [ 0x0, ['_KAPC']],
    'CompletionKey' : [ 0x0, ['pointer64', ['void']]],
} ],
  '_IRP' : [ 0xd0, {
    'Type' : [ 0x0, ['short']],
    'Size' : [ 0x2, ['unsigned short']],
    'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]],
    'Flags' : [ 0x10, ['unsigned long']],
    'AssociatedIrp' : [ 0x18, ['__unnamed_11f8']],
    'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']],
    'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']],
    'RequestorMode' : [ 0x40, ['unsigned char']],
    'PendingReturned' : [ 0x41, ['unsigned char']],
    'StackCount' : [ 0x42, ['unsigned char']],
    'CurrentLocation' : [ 0x43, ['unsigned char']],
    'Cancel' : [ 0x44, ['unsigned char']],
    'CancelIrql' : [ 0x45, ['unsigned char']],
    'ApcEnvironment' : [ 0x46, ['unsigned char']],
    'AllocationFlags' : [ 0x47, ['unsigned char']],
    'UserIosb' : [ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]],
    'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]],
    'Overlay' : [ 0x58, ['__unnamed_11ff']],
    'CancelRoutine' : [ 0x68, ['pointer64', ['void']]],
    'UserBuffer' : [ 0x70, ['pointer64', ['void']]],
    'Tail' : [ 0x78, ['__unnamed_120c']],
} ],
  '__unnamed_1212' : [ 0x20, {
    'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]],
    'Options' : [ 0x8, ['unsigned long']],
    'FileAttributes' : [ 0x10, ['unsigned short']],
    'ShareAccess' : [ 0x12, ['unsigned short']],
    'EaLength' : [ 0x18, ['unsigned long']],
} ],
  '__unnamed_1216' : [ 0x20, {
    'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]],
    'Options' : [ 0x8, ['unsigned long']],
    'Reserved' : [ 0x10, ['unsigned short']],
    'ShareAccess' : [ 0x12, ['unsigned short']],
    'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]],
} ],
  '__unnamed_121a' : [ 0x20, {
    'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]],
    'Options' : [ 0x8, ['unsigned long']],
    'Reserved' : [ 0x10, ['unsigned short']],
    'ShareAccess' : [ 0x12, ['unsigned short']],
    'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]],
} ],
  '__unnamed_121c' : [ 0x18, {
    'Length' : [ 0x0, ['unsigned long']],
    'Key' : [ 0x8, ['unsigned long']],
    'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']],
} ],
  '__unnamed_1220' : [ 0x20, {
    'Length' : [ 0x0, ['unsigned long']],
    'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]],
    'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31:
        'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]],
    'FileIndex' : [ 0x18, ['unsigned long']],
} ],
  '__unnamed_1222' : [ 0x10, {
    'Length' : [ 0x0, ['unsigned long']],
    'CompletionFilter' : [ 0x8, ['unsigned long']],
} ],
  '__unnamed_1224' : [ 0x10, {
    'Length' : [ 0x0, ['unsigned long']],
    'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31:
        'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]],
} ],
  '__unnamed_1226' : [ 0x20, {
    'Length' : [ 0x0, ['unsigned long']],
    'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation',
        36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]],
    'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]],
    'ReplaceIfExists' : [ 0x18, ['unsigned char']],
    'AdvanceOnly' : [ 0x19, ['unsigned char']],
    'ClusterCount' : [ 0x18, ['unsigned long']],
    'DeleteHandle' : [ 0x18, ['pointer64', ['void']]],
} ],
  '__unnamed_1228' : [ 0x20, {
    'Length' : [ 0x0, ['unsigned long']],
    'EaList' : [ 0x8, ['pointer64', ['void']]],
    'EaListLength' : [ 0x10, ['unsigned long']],
    'EaIndex' : [ 0x18, ['unsigned long']],
} ],
  '__unnamed_122a' : [ 0x4, {
    'Length' : [ 0x0, ['unsigned long']],
} ],
  '__unnamed_122e' : [ 0x10, {
    'Length' : [ 0x0, ['unsigned long']],
    'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'})]],
} ],
  '__unnamed_1230' : [ 0x20, {
    'OutputBufferLength' : [ 0x0, ['unsigned long']],
    'InputBufferLength' : [ 0x8, ['unsigned long']],
    'FsControlCode' : [ 0x10, ['unsigned long']],
    'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]],
} ],
  '__unnamed_1232' : [ 0x18, {
    'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]],
    'Key' : [ 0x8, ['unsigned long']],
    'ByteOffset' : [ 0x10,
        ['_LARGE_INTEGER']],
} ],
  '__unnamed_1234' : [ 0x20, {
    'OutputBufferLength' : [ 0x0, ['unsigned long']],
    'InputBufferLength' : [ 0x8, ['unsigned long']],
    'IoControlCode' : [ 0x10, ['unsigned long']],
    'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]],
} ],
  '__unnamed_1236' : [ 0x10, {
    'SecurityInformation' : [ 0x0, ['unsigned long']],
    'Length' : [ 0x8, ['unsigned long']],
} ],
  '__unnamed_1238' : [ 0x10, {
    'SecurityInformation' : [ 0x0, ['unsigned long']],
    'SecurityDescriptor' : [ 0x8, ['pointer64', ['void']]],
} ],
  '__unnamed_123c' : [ 0x10, {
    'Vpb' : [ 0x0, ['pointer64', ['_VPB']]],
    'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]],
} ],
  '__unnamed_1240' : [ 0x8, {
    'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]],
} ],
  '__unnamed_1244' : [ 0x20, {
    'Length' : [ 0x0, ['unsigned long']],
    'StartSid' : [ 0x8, ['pointer64', ['void']]],
    'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]],
    'SidListLength' : [ 0x18, ['unsigned long']],
} ],
  '__unnamed_1248' : [ 0x4, {
    'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]],
} ],
  '__unnamed_124f' : [ 0x20, {
    'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]],
    'Size' : [ 0x8, ['unsigned short']],
    'Version' : [ 0xa, ['unsigned short']],
    'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]],
    'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]],
} ],
  '__unnamed_1253' : [ 0x8, {
    'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]],
} ],
  '__unnamed_1257' : [ 0x8, {
    'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]],
} ],
  '__unnamed_1259' : [ 0x20, {
    'WhichSpace' : [ 0x0, ['unsigned long']],
    'Buffer' : [ 0x8, ['pointer64', ['void']]],
    'Offset' : [ 0x10, ['unsigned long']],
    'Length' : [ 0x18, ['unsigned long']],
} ],
  '__unnamed_125b' : [ 0x1, {
    'Lock' : [ 0x0, ['unsigned char']],
} ],
  '__unnamed_125f' : [ 0x4, {
    'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]],
} ],
  '__unnamed_1263' : [ 0x10, {
    'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]],
    'LocaleId' : [ 0x8, ['unsigned long']],
} ],
  '__unnamed_1267' : [ 0x10, {
    'InPath' : [ 0x0, ['unsigned char']],
    'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]],
    'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]],
} ],
  '__unnamed_126b' : [ 0x4, {
    'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]],
} ],
  '__unnamed_126f' : [ 0x8, {
    'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]],
} ],
  '__unnamed_1277' : [ 0x20, {
    'SystemContext' : [ 0x0, ['unsigned long']],
    'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']],
    'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]],
    'State' : [ 0x10, ['_POWER_STATE']],
    'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]],
} ],
  '__unnamed_127b' : [ 0x10, {
    'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]],
    'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]],
} ],
  '__unnamed_127d' : [ 0x20, {
    'ProviderId' : [ 0x0, ['unsigned long long']],
    'DataPath' : [ 0x8, ['pointer64', ['void']]],
    'BufferSize' : [ 0x10, ['unsigned long']],
    'Buffer' : [ 0x18, ['pointer64', ['void']]],
} ],
  '__unnamed_127f' : [ 0x20, {
    'Argument1' : [ 0x0, ['pointer64', ['void']]],
    'Argument2' : [ 0x8, ['pointer64', ['void']]],
    'Argument3' : [ 0x10, ['pointer64', ['void']]],
    'Argument4' : [ 0x18, ['pointer64', ['void']]],
} ],
  '__unnamed_1281' : [ 0x20, {
    'Create' : [ 0x0, ['__unnamed_1212']],
    'CreatePipe' : [ 0x0, ['__unnamed_1216']],
    'CreateMailslot' : [ 0x0, ['__unnamed_121a']],
    'Read' : [ 0x0, ['__unnamed_121c']],
    'Write' : [ 0x0, ['__unnamed_121c']],
    'QueryDirectory' : [ 0x0, ['__unnamed_1220']],
    'NotifyDirectory' : [ 0x0, ['__unnamed_1222']],
    'QueryFile' : [ 0x0, ['__unnamed_1224']],
    'SetFile' : [ 0x0, ['__unnamed_1226']],
    'QueryEa' : [ 0x0, ['__unnamed_1228']],
    'SetEa' : [ 0x0, ['__unnamed_122a']],
    'QueryVolume' : [ 0x0, ['__unnamed_122e']],
    'SetVolume' : [ 0x0, ['__unnamed_122e']],
    'FileSystemControl' : [ 0x0, ['__unnamed_1230']],
    'LockControl' : [ 0x0, ['__unnamed_1232']],
    'DeviceIoControl' : [ 0x0, ['__unnamed_1234']],
    'QuerySecurity' : [ 0x0, ['__unnamed_1236']],
    'SetSecurity' : [ 0x0, ['__unnamed_1238']],
    'MountVolume' : [ 0x0, ['__unnamed_123c']],
    'VerifyVolume' : [ 0x0, ['__unnamed_123c']],
    'Scsi' : [ 0x0, ['__unnamed_1240']],
    'QueryQuota' : [ 0x0, ['__unnamed_1244']],
    'SetQuota' : [ 0x0, ['__unnamed_122a']],
    'QueryDeviceRelations' : [ 0x0, ['__unnamed_1248']],
    'QueryInterface' : [ 0x0, ['__unnamed_124f']],
    'DeviceCapabilities' : [ 0x0, ['__unnamed_1253']],
    'FilterResourceRequirements' : [ 0x0, ['__unnamed_1257']],
    'ReadWriteConfig' : [ 0x0, ['__unnamed_1259']],
    'SetLock' : [ 0x0, ['__unnamed_125b']],
    'QueryId' : [ 0x0, ['__unnamed_125f']],
    'QueryDeviceText' : [ 0x0, ['__unnamed_1263']],
    'UsageNotification' : [ 0x0, ['__unnamed_1267']],
    'WaitWake' : [ 0x0, ['__unnamed_126b']],
    'PowerSequence' : [ 0x0, ['__unnamed_126f']],
    'Power' : [ 0x0, ['__unnamed_1277']],
    'StartDevice' : [ 0x0, ['__unnamed_127b']],
    'WMI' : [ 0x0, ['__unnamed_127d']],
    'Others' : [ 0x0, ['__unnamed_127f']],
} ],
  '_IO_STACK_LOCATION' : [ 0x48, {
    'MajorFunction' : [ 0x0, ['unsigned char']],
    'MinorFunction' : [ 0x1, ['unsigned char']],
    'Flags' : [ 0x2, ['unsigned char']],
    'Control' : [ 0x3, ['unsigned char']],
    'Parameters' : [ 0x8, ['__unnamed_1281']],
    'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]],
    'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]],
    'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]],
    'Context' : [ 0x40, ['pointer64', ['void']]],
} ],
  '_IO_DRIVER_CREATE_CONTEXT' : [ 0x20, {
    'Size' : [ 0x0, ['short']],
    'ExtraCreateParameter' : [ 0x8, ['pointer64', ['_ECP_LIST']]],
    'DeviceObjectHint' : [ 0x10, ['pointer64', ['void']]],
    'TxnParameters' : [ 0x18, ['pointer64', ['_TXN_PARAMETER_BLOCK']]],
} ],
  '_IO_PRIORITY_INFO' : [ 0x10, {
    'Size' : [ 0x0, ['unsigned long']],
    'ThreadPriority' : [ 0x4, ['unsigned long']],
    'PagePriority' : [ 0x8, ['unsigned long']],
    'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]],
} ],
  '_OBJECT_ATTRIBUTES' : [ 0x30, {
    'Length' : [ 0x0, ['unsigned long']],
    'RootDirectory' : [ 0x8, ['pointer64', ['void']]],
    'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]],
    'Attributes' : [ 0x18, ['unsigned long']],
    'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]],
    'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]],
} ],
  '_OBJECT_HANDLE_INFORMATION' : [ 0x8, {
    'HandleAttributes' : [ 0x0, ['unsigned long']],
    'GrantedAccess' : [ 0x4, ['unsigned long']],
} ],
  '_OBJECT_HEADER' : [ 0x38, {
    'PointerCount' : [ 0x0, ['long long']],
    'HandleCount' : [ 0x8, ['long long']],
    'NextToFree' : [ 0x8, ['pointer64', ['void']]],
    'Type' : [ 0x10, ['pointer64', ['_OBJECT_TYPE']]],
    'NameInfoOffset' : [ 0x18, ['unsigned char']],
    'HandleInfoOffset' : [ 0x19,
        ['unsigned char']],
    'QuotaInfoOffset' : [ 0x1a, ['unsigned char']],
    'Flags' : [ 0x1b, ['unsigned char']],
    'ObjectCreateInfo' : [ 0x20, ['pointer64', ['_OBJECT_CREATE_INFORMATION']]],
    'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]],
    'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]],
    'Body' : [ 0x30, ['_QUAD']],
} ],
  '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, {
    'PagedPoolCharge' : [ 0x0, ['unsigned long']],
    'NonPagedPoolCharge' : [ 0x4, ['unsigned long']],
    'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']],
    'ExclusiveProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]],
    'Reserved' : [ 0x18, ['unsigned long long']],
} ],
  '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, {
    'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]],
    'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']],
} ],
  '_OBJECT_HEADER_NAME_INFO' : [ 0x20, {
    'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]],
    'Name' : [ 0x8, ['_UNICODE_STRING']],
    'QueryReferences' : [ 0x18, ['unsigned long']],
} ],
  '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, {
    'TypeList' : [ 0x0, ['_LIST_ENTRY']],
    'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]],
    'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']],
    'Reserved' : [ 0x1a, ['unsigned short']],
} ],
  '_EVENT_DATA_DESCRIPTOR' : [ 0x10, {
    'Ptr' : [ 0x0, ['unsigned long long']],
    'Size' : [ 0x8, ['unsigned long']],
    'Reserved' : [ 0xc, ['unsigned long']],
} ],
  '_EVENT_DESCRIPTOR' : [ 0x10, {
    'Id' : [ 0x0, ['unsigned short']],
    'Version' : [ 0x2, ['unsigned char']],
    'Channel' : [ 0x3, ['unsigned char']],
    'Level' : [ 0x4, ['unsigned char']],
    'Opcode' : [ 0x5, ['unsigned char']],
    'Task' : [ 0x6, ['unsigned short']],
    'Keyword' : [ 0x8, ['unsigned long long']],
} ],
  '_PERFINFO_GROUPMASK' : [ 0x20, {
    'Masks' : [ 0x0, ['array', 8, ['unsigned long']]],
} ],
  '_FILE_OBJECT' : [ 0xd8, {
    'Type' : [ 0x0, ['short']],
    'Size' : [ 0x2, ['short']],
    'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]],
    'Vpb' : [ 0x10, ['pointer64', ['_VPB']]],
    'FsContext'
        : [ 0x18, ['pointer64', ['void']]],
    'FsContext2' : [ 0x20, ['pointer64', ['void']]],
    'SectionObjectPointer' : [ 0x28, ['pointer64', ['_SECTION_OBJECT_POINTERS']]],
    'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]],
    'FinalStatus' : [ 0x38, ['long']],
    'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]],
    'LockOperation' : [ 0x48, ['unsigned char']],
    'DeletePending' : [ 0x49, ['unsigned char']],
    'ReadAccess' : [ 0x4a, ['unsigned char']],
    'WriteAccess' : [ 0x4b, ['unsigned char']],
    'DeleteAccess' : [ 0x4c, ['unsigned char']],
    'SharedRead' : [ 0x4d, ['unsigned char']],
    'SharedWrite' : [ 0x4e, ['unsigned char']],
    'SharedDelete' : [ 0x4f, ['unsigned char']],
    'Flags' : [ 0x50, ['unsigned long']],
    'FileName' : [ 0x58, ['_UNICODE_STRING']],
    'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']],
    'Waiters' : [ 0x70, ['unsigned long']],
    'Busy' : [ 0x74, ['unsigned long']],
    'LastLock' : [ 0x78, ['pointer64', ['void']]],
    'Lock' : [ 0x80, ['_KEVENT']],
    'Event' : [ 0x98, ['_KEVENT']],
    'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]],
    'IrpListLock' : [ 0xb8, ['unsigned long long']],
    'IrpList' : [ 0xc0, ['_LIST_ENTRY']],
    'FileObjectExtension' : [ 0xd0, ['pointer64', ['void']]],
} ],
  '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x48, {
    'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']],
    'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]],
    'EmptySequenceNumber' : [ 0xc, ['unsigned long']],
    'CurrentFileIndex' : [ 0xc, ['unsigned long']],
    'CreateTime' : [ 0x10, ['unsigned long long']],
    'EmptyTime' : [ 0x18, ['unsigned long long']],
    'TempEntry' : [ 0x18, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]],
    'PageEntry' : [ 0x20, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]],
    'FileEntry' : [ 0x28, ['pointer64', ['unsigned long long']]],
    'FirstFileEntry' : [ 0x30, ['pointer64', ['unsigned long long']]],
    'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]],
    'SessionId' : [ 0x40,
        ['unsigned long']],
    'PageFrameEntry' : [ 0x20, ['pointer64', ['unsigned long long']]],
    'LastPageFrameEntry' : [ 0x28, ['pointer64', ['unsigned long long']]],
} ],
  '_PF_HARD_FAULT_INFO' : [ 0x38, {
    'KernelTimeStamp' : [ 0x0, ['_ETW_KERNEL_TRACE_TIMESTAMP']],
    'HardFaultEvent' : [ 0x10, ['_PERFINFO_HARDPAGEFAULT_INFORMATION']],
    'IoTimeInTicks' : [ 0x30, ['_LARGE_INTEGER']],
} ],
  '_WHEA_ERROR_RECORD' : [ 0xc8, {
    'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']],
    'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]],
} ],
  '_GUID' : [ 0x10, {
    'Data1' : [ 0x0, ['unsigned long']],
    'Data2' : [ 0x4, ['unsigned short']],
    'Data3' : [ 0x6, ['unsigned short']],
    'Data4' : [ 0x8, ['array', 8, ['unsigned char']]],
} ],
  '__unnamed_132b' : [ 0xd0, {
    'ProcessorError' : [ 0x0, ['_WHEA_GENERIC_PROCESSOR_ERROR']],
    'MemoryError' : [ 0x0, ['_WHEA_MEMORY_ERROR']],
    'NmiError' : [ 0x0, ['_WHEA_NMI_ERROR']],
    'PciExpressError' : [ 0x0, ['_WHEA_PCIEXPRESS_ERROR']],
    'PciXBusError' : [ 0x0, ['_WHEA_PCIXBUS_ERROR']],
    'PciXDeviceError' : [ 0x0, ['_WHEA_PCIXDEVICE_ERROR']],
} ],
  '_WHEA_ERROR_PACKET' : [ 0x119, {
    'Signature' : [ 0x0, ['unsigned long']],
    'Flags' : [ 0x4, ['_WHEA_ERROR_PACKET_FLAGS']],
    'Size' : [ 0x8, ['unsigned long']],
    'RawDataLength' : [ 0xc, ['unsigned long']],
    'Reserved1' : [ 0x10, ['unsigned long long']],
    'Context' : [ 0x18, ['unsigned long long']],
    'ErrorType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]],
    'ErrorSeverity' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]],
    'ErrorSourceId' : [ 0x28, ['unsigned long']],
    'ErrorSourceType' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2:
        'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]],
    'Reserved2' : [ 0x30, ['unsigned long']],
    'Version' : [ 0x34, ['unsigned long']],
    'Cpu' : [ 0x38, ['unsigned long long']],
    'u' : [ 0x40, ['__unnamed_132b']],
    'RawDataFormat' : [ 0x110, ['Enumeration', dict(target = 'long', choices = {0: 'WheaRawDataFormatIPFSalRecord', 1: 'WheaRawDataFormatIA32MCA', 2: 'WheaRawDataFormatIntel64MCA', 3: 'WheaRawDataFormatAMD64MCA', 4: 'WheaRawDataFormatMemory', 5: 'WheaRawDataFormatPCIExpress', 6: 'WheaRawDataFormatNMIPort', 7: 'WheaRawDataFormatPCIXBus', 8: 'WheaRawDataFormatPCIXDevice', 9: 'WheaRawDataFormatGeneric', 10: 'WheaRawDataFormatMax'})]],
    'RawDataOffset' : [ 0x114, ['unsigned long']],
    'RawData' : [ 0x118, ['array', 1, ['unsigned char']]],
} ],
  '_KPROCESS' : [ 0xc0, {
    'Header' : [ 0x0, ['_DISPATCHER_HEADER']],
    'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']],
    'DirectoryTableBase' : [ 0x28, ['unsigned long long']],
    'Unused0' : [ 0x30, ['unsigned long long']],
    'IopmOffset' : [ 0x38, ['unsigned short']],
    'ActiveProcessors' : [ 0x40, ['unsigned long long']],
    'KernelTime' : [ 0x48, ['unsigned long']],
    'UserTime' : [ 0x4c, ['unsigned long']],
    'ReadyListHead' : [ 0x50, ['_LIST_ENTRY']],
    'SwapListEntry' : [ 0x60, ['_SINGLE_LIST_ENTRY']],
    'InstrumentationCallback' : [ 0x68, ['pointer64', ['void']]],
    'ThreadListHead' : [ 0x70, ['_LIST_ENTRY']],
    'ProcessLock' : [ 0x80, ['unsigned long long']],
    'Affinity' : [ 0x88, ['unsigned long long']],
    'AutoAlignment' : [ 0x90, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]],
    'DisableBoost' : [ 0x90, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]],
    'DisableQuantum' : [ 0x90, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]],
    'ReservedFlags' : [ 0x90,
        ['BitField', dict(start_bit = 3, end_bit = 32, native_type='long')]],
    'ProcessFlags' : [ 0x90, ['long']],
    'BasePriority' : [ 0x94, ['unsigned char']],
    'QuantumReset' : [ 0x95, ['unsigned char']],
    'State' : [ 0x96, ['unsigned char']],
    'ThreadSeed' : [ 0x97, ['unsigned char']],
    'PowerState' : [ 0x98, ['unsigned char']],
    'IdealNode' : [ 0x99, ['unsigned char']],
    'Visited' : [ 0x9a, ['unsigned char']],
    'Flags' : [ 0x9b, ['_KEXECUTE_OPTIONS']],
    'ExecuteOptions' : [ 0x9b, ['unsigned char']],
    'StackCount' : [ 0xa0, ['unsigned long long']],
    'ProcessListEntry' : [ 0xa8, ['_LIST_ENTRY']],
    'CycleTime' : [ 0xb8, ['unsigned long long']],
} ],
  '__unnamed_13eb' : [ 0x10, {
    'I386' : [ 0x0, ['_I386_LOADER_BLOCK']],
    'Alpha' : [ 0x0, ['_ALPHA_LOADER_BLOCK']],
    'Ia64' : [ 0x0, ['_IA64_LOADER_BLOCK']],
} ],
  '_LOADER_PARAMETER_BLOCK' : [ 0xe8, {
    'LoadOrderListHead' : [ 0x0, ['_LIST_ENTRY']],
    'MemoryDescriptorListHead' : [ 0x10, ['_LIST_ENTRY']],
    'BootDriverListHead' : [ 0x20, ['_LIST_ENTRY']],
    'KernelStack' : [ 0x30, ['unsigned long long']],
    'Prcb' : [ 0x38, ['unsigned long long']],
    'Process' : [ 0x40, ['unsigned long long']],
    'Thread' : [ 0x48, ['unsigned long long']],
    'RegistryLength' : [ 0x50, ['unsigned long']],
    'RegistryBase' : [ 0x58, ['pointer64', ['void']]],
    'ConfigurationRoot' : [ 0x60, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]],
    'ArcBootDeviceName' : [ 0x68, ['pointer64', ['unsigned char']]],
    'ArcHalDeviceName' : [ 0x70, ['pointer64', ['unsigned char']]],
    'NtBootPathName' : [ 0x78, ['pointer64', ['unsigned char']]],
    'NtHalPathName' : [ 0x80, ['pointer64', ['unsigned char']]],
    'LoadOptions' : [ 0x88, ['pointer64', ['unsigned char']]],
    'NlsData' : [ 0x90, ['pointer64', ['_NLS_DATA_BLOCK']]],
    'ArcDiskInformation' : [ 0x98, ['pointer64', ['_ARC_DISK_INFORMATION']]],
    'OemFontFile' : [ 0xa0, ['pointer64', ['void']]],
    'SetupLoaderBlock' : [ 0xa8, ['pointer64', ['_SETUP_LOADER_BLOCK']]],
    'Extension' : [ 0xb0, ['pointer64', ['_LOADER_PARAMETER_EXTENSION']]],
    'u' : [ 0xb8,
['__unnamed_13eb']], 'FirmwareInformation' : [ 0xc8, ['_FIRMWARE_INFORMATION_LOADER_BLOCK']], } ], '__unnamed_1408' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'HardLarge' : [ 0x0, ['_MMPTE_HARDWARE_LARGEPAGE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_1408']], } ], '__unnamed_1417' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer64', ['void']]], 'VolatileNext' : [ 0x0, ['pointer64', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_1419' : [ 0x8, { 'Blink' : [ 0x0, ['unsigned long long']], 'ImageProtoPte' : [ 0x0, ['pointer64', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long long']], } ], '__unnamed_141d' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_141f' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ByteFlags' : [ 0x2, ['unsigned char']], 'InterlockedByteFlags' : [ 0x3, ['unsigned char']], } ], '__unnamed_1421' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_141d']], 'e3' : [ 0x0, ['__unnamed_141f']], } ], '__unnamed_1429' : [ 0x8, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 52, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 
55, end_bit = 56, native_type='unsigned long long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 57, native_type='unsigned long long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 64, native_type='unsigned long long')]], } ], '_MMPFN' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_1417']], 'u2' : [ 0x8, ['__unnamed_1419']], 'PteAddress' : [ 0x10, ['pointer64', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x10, ['pointer64', ['void']]], 'u3' : [ 0x18, ['__unnamed_1421']], 'UsedPageTableEntries' : [ 0x1c, ['unsigned short']], 'VaType' : [ 0x1e, ['unsigned char']], 'ViewCount' : [ 0x1f, ['unsigned char']], 'OriginalPte' : [ 0x20, ['_MMPTE']], 'AweReferenceCount' : [ 0x20, ['long']], 'u4' : [ 0x28, ['__unnamed_1429']], } ], '_MMPTE_FLUSH_LIST' : [ 0xa8, { 'Count' : [ 0x0, ['unsigned long']], 'MaximumCount' : [ 0x4, ['unsigned long']], 'FlushVa' : [ 0x8, ['array', 20, ['pointer64', ['void']]]], } ], '_MI_COLOR_BASE' : [ 0x10, { 'ColorPointer' : [ 0x0, ['pointer64', ['unsigned short']]], 'ColorMask' : [ 0x8, ['unsigned short']], 'ColorNode' : [ 0xa, ['unsigned short']], } ], '_MMSUPPORT' : [ 0x68, { 'WorkingSetExpansionLinks' : [ 0x0, ['_LIST_ENTRY']], 'LastTrimStamp' : [ 0x10, ['unsigned short']], 'NextPageColor' : [ 0x12, ['unsigned short']], 'Flags' : [ 0x14, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0x18, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x1c, ['unsigned long']], 'ChargedWslePages' : [ 0x20, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x24, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x28, ['unsigned long']], 'VmWorkingSetList' : [ 0x30, ['pointer64', ['_MMWSL']]], 'Claim' : [ 0x38, ['unsigned long']], 'ActualWslePages' : [ 0x3c, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x40, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x44, ['unsigned long']], 'WorkingSetSize' : [ 0x48, ['unsigned long']], 
'ExitGate' : [ 0x50, ['pointer64', ['_KGATE']]], 'WorkingSetMutex' : [ 0x58, ['_EX_PUSH_LOCK']], 'AccessLog' : [ 0x60, ['pointer64', ['void']]], } ], '__unnamed_144d' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_144d']], } ], '_MMWSL' : [ 0x498, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer64', ['_MMWSLE']]], 'LowestPagableAddress' : [ 0x18, ['pointer64', ['void']]], 'LastInitializedWsle' : [ 0x20, ['unsigned long']], 'NextEstimationSlot' : [ 0x24, ['unsigned long']], 'NextAgingSlot' : [ 0x28, ['unsigned long']], 'EstimatedAvailable' : [ 0x2c, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x30, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x34, ['unsigned long']], 'VadBitMapHint' : [ 0x38, ['unsigned long']], 'NonDirectCount' : [ 0x3c, ['unsigned long']], 'LastVadBit' : [ 0x40, ['unsigned long']], 'MaximumLastVadBit' : [ 0x44, ['unsigned long']], 'LastAllocationSizeHint' : [ 0x48, ['unsigned long']], 'LastAllocationSize' : [ 0x4c, ['unsigned long']], 'NonDirectHash' : [ 0x50, ['pointer64', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x58, ['pointer64', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x60, ['pointer64', ['_MMWSLE_HASH']]], 'HighestUserAddress' : [ 0x68, ['pointer64', ['void']]], 'MaximumUserPageTablePages' : [ 0x70, ['unsigned long']], 'MaximumUserPageDirectoryPages' : [ 0x74, ['unsigned long']], 'CommittedPageTables' : [ 0x78, ['pointer64', ['unsigned long']]], 'NumberOfCommittedPageDirectories' : [ 0x80, ['unsigned long']], 'CommittedPageDirectories' : [ 0x88, ['array', 128, ['unsigned long long']]], 'NumberOfCommittedPageDirectoryParents' : [ 0x488, ['unsigned long']], 
'CommittedPageDirectoryParents' : [ 0x490, ['array', 1, ['unsigned long long']]], } ], '__unnamed_1467' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1469' : [ 0x4, { 'ModifiedWriteCount' : [ 0x0, ['unsigned short']], 'FlushInProgressCount' : [ 0x2, ['unsigned short']], } ], '__unnamed_146b' : [ 0x4, { 'e2' : [ 0x0, ['__unnamed_1469']], } ], '__unnamed_1475' : [ 0x10, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 30, native_type='unsigned long')]], 'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer64', ['_MM_SUBSECTION_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer64', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1477' : [ 0x10, { 'e2' : [ 0x0, ['__unnamed_1475']], } ], '_CONTROL_AREA' : [ 0x70, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x20, ['unsigned long long']], 'NumberOfMappedViews' : [ 0x28, ['unsigned long long']], 'NumberOfUserReferences' : [ 0x30, ['unsigned long long']], 'u' : [ 0x38, ['__unnamed_1467']], 'u1' : [ 0x3c, ['__unnamed_146b']], 'FilePointer' : [ 0x40, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x48, ['long']], 'StartingFrame' : [ 0x4c, ['unsigned long']], 'WaitingForDeletion' : [ 0x50, ['pointer64', ['_MI_SECTION_CREATION_GATE']]], 'u2' : [ 0x58, ['__unnamed_1477']], 'LockedPages' : [ 0x68, ['long long']], } ], '_MMPAGING_FILE' : [ 0xa0, { 'Size' : [ 0x0, 
['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long long']], 'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'PeakUsage' : [ 0x20, ['unsigned long long']], 'HighestPage' : [ 0x28, ['unsigned long long']], 'File' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'Entry' : [ 0x38, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x48, ['_UNICODE_STRING']], 'Bitmap' : [ 0x58, ['pointer64', ['_RTL_BITMAP']]], 'BitmapHint' : [ 0x60, ['unsigned long']], 'LastAllocationSize' : [ 0x64, ['unsigned long']], 'PageFileNumber' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Spare0' : [ 0x68, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x6a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare1' : [ 0x6a, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'FileHandle' : [ 0x70, ['pointer64', ['void']]], 'AvailableList' : [ 0x80, ['_SLIST_HEADER']], 'NeedProcessingList' : [ 0x90, ['_SLIST_HEADER']], } ], '_MMPAGING_FILE_FREE_ENTRY' : [ 0x10, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'FreeBit' : [ 0x8, ['unsigned long']], } ], '__unnamed_14aa' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMVAD']]], } ], '__unnamed_14ad' : [ 0x8, { 'LongFlags' : [ 0x0, ['unsigned long long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_14b0' : [ 0x8, { 'LongFlags3' : [ 0x0, ['unsigned long long']], 'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']], } ], '_MMVAD_SHORT' : [ 0x40, { 'u1' : [ 0x0, ['__unnamed_14aa']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 
'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_14ad']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_14b0']], } ], '_MM_AVL_TABLE' : [ 0x40, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], 'NodeFreeHint' : [ 0x38, ['pointer64', ['void']]], } ], '__unnamed_14ba' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x60, { 'u1' : [ 0x0, ['__unnamed_14aa']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_14ad']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_14b0']], 'u2' : [ 0x40, ['__unnamed_14ba']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x48, ['pointer64', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], } ], '__unnamed_14ca' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_14ca']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], } ], '__unnamed_14cf' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, 
['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_14cf']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], } ], '__unnamed_14d5' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMADDRESS_NODE']]], 'NextToFree' : [ 0x0, ['pointer64', ['_MI_PER_SESSION_PROTOS']]], } ], '__unnamed_14d7' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'NumberOfPtesToFree' : [ 0x0, ['unsigned long']], } ], '_MI_PER_SESSION_PROTOS' : [ 0x38, { 'u1' : [ 0x0, ['__unnamed_14d5']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMADDRESS_NODE']]], 'SessionId' : [ 0x18, ['unsigned long']], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'Subsection' : [ 0x18, ['pointer64', ['_SUBSECTION']]], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'SubsectionBase' : [ 0x28, ['pointer64', ['_MMPTE']]], 'u2' : [ 0x30, ['__unnamed_14d7']], } ], '__unnamed_14e0' : [ 0x10, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '__unnamed_14e2' : [ 0x8, { 'KeepForever' : [ 0x0, ['unsigned long long']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x10, ['__unnamed_14e0']], 'Irp' : [ 0x20, ['pointer64', ['_IRP']]], 'u1' : [ 0x28, ['__unnamed_14e2']], 'PagingFile' : [ 0x30, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x38, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x40, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0x48, ['pointer64', ['_ERESOURCE']]], 'WriteOffset' : [ 0x50, ['_LARGE_INTEGER']], 
'IssueTime' : [ 0x58, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x60, ['pointer64', ['_MDL']]], 'Mdl' : [ 0x68, ['_MDL']], 'Page' : [ 0x98, ['array', 1, ['unsigned long long']]], } ], '__unnamed_14ea' : [ 0x38, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x30, ['array', 1, ['unsigned long long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x68, { 'Status' : [ 0x0, ['long']], 'Priority' : [ 0x4, ['unsigned char']], 'IrpPriority' : [ 0x5, ['unsigned char']], 'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x10, ['unsigned long long']], 'ModifiedPagesTotal' : [ 0x18, ['unsigned long long']], 'ModifiedPagefilePages' : [ 0x20, ['unsigned long long']], 'ModifiedNoWritePages' : [ 0x28, ['unsigned long long']], 'MdlHack' : [ 0x30, ['__unnamed_14ea']], } ], '_HHIVE' : [ 0x590, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'ReleaseCellRoutine' : [ 0x10, ['pointer64', ['void']]], 'Allocate' : [ 0x18, ['pointer64', ['void']]], 'Free' : [ 0x20, ['pointer64', ['void']]], 'FileSetSize' : [ 0x28, ['pointer64', ['void']]], 'FileWrite' : [ 0x30, ['pointer64', ['void']]], 'FileRead' : [ 0x38, ['pointer64', ['void']]], 'FileFlush' : [ 0x40, ['pointer64', ['void']]], 'BaseBlock' : [ 0x48, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x50, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x60, ['unsigned long']], 'DirtyAlloc' : [ 0x64, ['unsigned long']], 'BaseBlockAlloc' : [ 0x68, ['unsigned long']], 'Cluster' : [ 0x6c, ['unsigned long']], 'Flat' : [ 0x70, ['unsigned char']], 'ReadOnly' : [ 0x71, ['unsigned char']], 'DirtyFlag' : [ 0x72, ['unsigned char']], 'HvBinHeadersUse' : [ 0x74, ['unsigned long']], 'HvFreeCellsUse' : [ 0x78, ['unsigned long']], 'HvUsedCellsUse' : [ 0x7c, ['unsigned long']], 'CmUsedCellsUse' : [ 0x80, ['unsigned long']], 'HiveFlags' : [ 0x84, ['unsigned long']], 'CurrentLog' : [ 0x88, ['unsigned long']], 'LogSize' : [ 0x8c, ['array', 2, ['unsigned long']]], 'RefreshCount' : [ 0x94, ['unsigned long']], 'StorageTypeCount' : [ 
0x98, ['unsigned long']], 'Version' : [ 0x9c, ['unsigned long']], 'Storage' : [ 0xa0, ['array', 2, ['_DUAL']]], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '_CM_VIEW_OF_FILE' : [ 0x58, { 'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'PinnedViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'FlushedViewLinks' : [ 0x20, ['_LIST_ENTRY']], 'CmHive' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'Bcb' : [ 0x38, ['pointer64', ['void']]], 'ViewAddress' : [ 0x40, ['pointer64', ['void']]], 'FileOffset' : [ 0x48, ['unsigned long']], 'Size' : [ 0x4c, ['unsigned long']], 'UseCount' : [ 0x50, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_TEB' : [ 0x1828, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 
0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['pointer64', ['void']]]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes1' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', ['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, 
['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['pointer64', ['void']]]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['pointer64', ['void']]], 'EtwLocalData' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'SpareBool0' : [ 0x1744, ['unsigned char']], 'SpareBool1' : [ 0x1745, ['unsigned char']], 'SpareBool2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['pointer64', ['void']]], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['pointer64', ['void']]], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'ImpersonationLocale' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'PreferredLanguages' : [ 0x17d0, ['pointer64', ['void']]], 'UserPrefLanguages' : [ 0x17d8, ['pointer64', ['void']]], 'MergedPrefLanguages' : [ 0x17e0, ['pointer64', ['void']]], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : 
[ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'DbgSafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RtlDisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['pointer64', ['void']]], 'TxnScopeExitCallback' : [ 0x17f8, ['pointer64', ['void']]], 'TxnScopeContext' : [ 0x1800, ['pointer64', ['void']]], 'LockCount' : [ 0x1808, ['unsigned long']], 'ProcessRundown' : [ 0x180c, ['unsigned long']], 'LastSwitchTime' : [ 0x1810, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0x1818, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x1820, ['_LARGE_INTEGER']], } ], '_CONTEXT32_UPDATE' : [ 0x4, { 'NumberEntries' : [ 0x0, ['unsigned long']], } ], '_KTIMER' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x18, 
['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Dpc' : [ 0x30, ['pointer64', ['_KDPC']]], 'Period' : [ 0x38, ['long']], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x30, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'Object' : [ 0x18, ['pointer64', ['void']]], 'NextWaitBlock' : [ 0x20, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x28, ['unsigned short']], 'WaitType' : [ 0x2a, ['unsigned char']], 'SpareByte' : [ 0x2b, ['unsigned char']], 'SpareLong' : [ 0x2c, ['long']], } ], '_KTIMER_TABLE_ENTRY' : [ 0x18, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'Time' : [ 0x10, ['_ULARGE_INTEGER']], } ], '__unnamed_15bb' : [ 0x8, { 'IdleTransitionTime' : [ 0x0, ['unsigned long long']], } ], '__unnamed_15bd' : [ 0x8, { 'LastIdleCheck' : [ 0x0, ['unsigned long long']], } ], '__unnamed_15c4' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'PStateDomain' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PStateDomainIdleAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], '_PROCESSOR_POWER_STATE' : [ 0x118, { 'IdleStates' : [ 0x0, ['pointer64', ['_PPM_IDLE_STATES']]], 'LastTimeCheck' : [ 0x8, ['unsigned long long']], 'IdleTimeAccumulated' : [ 0x10, ['unsigned long 
long']], 'Native' : [ 0x18, ['__unnamed_15bb']], 'Hv' : [ 0x18, ['__unnamed_15bd']], 'IdleAccounting' : [ 0x20, ['pointer64', ['PPM_IDLE_ACCOUNTING']]], 'PerfStates' : [ 0x28, ['pointer64', ['_PPM_PERF_STATES']]], 'LastKernelUserTime' : [ 0x30, ['unsigned long']], 'LastIdleThreadKTime' : [ 0x34, ['unsigned long']], 'LastGlobalTimeHv' : [ 0x38, ['unsigned long long']], 'LastProcessorTimeHv' : [ 0x40, ['unsigned long long']], 'ThermalConstraint' : [ 0x48, ['unsigned char']], 'LastBusyPercentage' : [ 0x49, ['unsigned char']], 'Flags' : [ 0x4a, ['__unnamed_15c4']], 'PerfTimer' : [ 0x50, ['_KTIMER']], 'PerfDpc' : [ 0x90, ['_KDPC']], 'LastSysTime' : [ 0xd0, ['unsigned long']], 'PStateMaster' : [ 0xd8, ['pointer64', ['_KPRCB']]], 'PStateSet' : [ 0xe0, ['unsigned long long']], 'CurrentPState' : [ 0xe8, ['unsigned long']], 'DesiredPState' : [ 0xec, ['unsigned long']], 'PStateIdleStartTime' : [ 0xf0, ['unsigned long']], 'PStateIdleTime' : [ 0xf4, ['unsigned long']], 'LastPStateIdleTime' : [ 0xf8, ['unsigned long']], 'PStateStartTime' : [ 0xfc, ['unsigned long']], 'DiaIndex' : [ 0x100, ['unsigned long']], 'Reserved0' : [ 0x104, ['unsigned long']], 'WmiDispatchPtr' : [ 0x108, ['unsigned long long']], 'WmiInterfaceEnabled' : [ 0x110, ['long']], } ], '_KEXCEPTION_FRAME' : [ 0x140, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['unsigned long long']], 'Xmm6' : [ 0x30, ['_M128A']], 'Xmm7' : [ 0x40, ['_M128A']], 'Xmm8' : [ 0x50, ['_M128A']], 'Xmm9' : [ 0x60, ['_M128A']], 'Xmm10' : [ 0x70, ['_M128A']], 'Xmm11' : [ 0x80, ['_M128A']], 'Xmm12' : [ 0x90, ['_M128A']], 'Xmm13' : [ 0xa0, ['_M128A']], 'Xmm14' : [ 0xb0, ['_M128A']], 'Xmm15' : [ 0xc0, ['_M128A']], 'TrapFrame' : [ 0xd0, ['unsigned long long']], 'CallbackStack' : [ 0xd8, ['unsigned long long']], 'OutputBuffer' : [ 0xe0, ['unsigned long 
long']], 'OutputLength' : [ 0xe8, ['unsigned long long']], 'MxCsr' : [ 0xf0, ['unsigned long long']], 'Rbp' : [ 0xf8, ['unsigned long long']], 'Rbx' : [ 0x100, ['unsigned long long']], 'Rdi' : [ 0x108, ['unsigned long long']], 'Rsi' : [ 0x110, ['unsigned long long']], 'R12' : [ 0x118, ['unsigned long long']], 'R13' : [ 0x120, ['unsigned long long']], 'R14' : [ 0x128, ['unsigned long long']], 'R15' : [ 0x130, ['unsigned long long']], 'Return' : [ 0x138, ['unsigned long long']], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, ['unsigned long long']], 'TimeStampCKCL' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long 
long']], 'LastBranchFromRip' : [ 0x118, ['unsigned long long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'LastBranchControl' : [ 0x108, ['unsigned long long']], 'LastBranchMSR' : [ 0x110, ['unsigned long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'TimeStampKlog' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill0' : [ 0x172, ['unsigned char']], 'Logging' : [ 0x173, ['unsigned char']], 'Fill1' : [ 0x174, ['array', 2, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['unsigned short']], 'CodePatchCycle' : [ 0x18c, ['long']], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x50, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'DispatchedCount' : [ 0x8, ['unsigned long']], 'DispatchedList' : [ 0x10, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x20, ['_KSEMAPHORE']], 'CompletedList' : [ 0x40, ['_LIST_ENTRY']], } ], '__unnamed_15f5' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 
0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_15f5']], 'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '__unnamed_1607' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1609' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_160d' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x220, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'Level' : [ 0x20, ['unsigned long']], 'Notify' : [ 0x28, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x68, ['_PO_IRP_MANAGER']], 'State' : [ 0x88, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 
'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x8c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x90, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 
'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0xe0, ['unsigned long']], 'CompletionStatus' : [ 0xe4, ['long']], 'PendingIrp' : [ 0xe8, ['pointer64', ['_IRP']]], 'Flags' : [ 0xf0, ['unsigned long']], 'UserFlags' : [ 0xf4, ['unsigned long']], 'Problem' : [ 0xf8, ['unsigned long']], 'PhysicalDeviceObject' : [ 0x100, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0x108, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x110, ['pointer64', ['_CM_RESOURCE_LIST']]], 'InstancePath' : [ 0x118, ['_UNICODE_STRING']], 'ServiceName' : [ 0x128, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x140, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x148, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x14c, ['unsigned long']], 'ChildInterfaceType' : [ 0x150, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x154, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x158, ['unsigned short']], 'RemovalPolicy' : [ 0x15a, ['unsigned 
char']], 'HardwareRemovalPolicy' : [ 0x15b, ['unsigned char']], 'TargetDeviceNotify' : [ 0x160, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x170, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x180, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x190, ['unsigned short']], 'QueryTranslatorMask' : [ 0x192, ['unsigned short']], 'NoArbiterMask' : [ 0x194, ['unsigned short']], 'QueryArbiterMask' : [ 0x196, ['unsigned short']], 'OverUsed1' : [ 0x198, ['__unnamed_1607']], 'OverUsed2' : [ 0x1a0, ['__unnamed_1609']], 'BootResources' : [ 0x1a8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x1b0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x1b8, ['unsigned long']], 'DockInfo' : [ 0x1c0, ['__unnamed_160d']], 'DisableableDepends' : [ 0x1e0, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x1e8, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x1f8, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x208, ['unsigned long']], 'PreviousParent' : [ 0x210, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x218, ['unsigned long']], 'NumaNodeIndex' : [ 0x21c, ['unsigned long']], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0x10, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x40, { 'PhysicalDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'AllocationType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0x10, ['unsigned long']], 'Position' : [ 0x14, ['unsigned long']], 'ResourceRequirements' : [ 0x18, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x20, ['pointer64', ['void']]], 'ResourceAssignment' : [ 0x28, 
['pointer64', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x30, ['pointer64', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x38, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 
'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 
0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_16ad' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, 
['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_16ad']], } ], '__unnamed_16b4' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : 
[ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_16b4']], } ], '_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_VOLUME_CACHE_MAP' : [ 0x28, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x20, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x1d0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObjectFastRef' : [ 0x60, ['_EX_FAST_REF']], 'ActiveVacb' : [ 0x68, ['pointer64', ['_VACB']]], 'NeedToZero' : [ 0x70, ['pointer64', ['void']]], 'ActivePage' : [ 0x78, ['unsigned long']], 'NeedToZeroPage' : [ 0x7c, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x80, ['unsigned long long']], 'VacbActiveCount' : [ 0x88, ['unsigned long']], 'DirtyPages' : [ 0x8c, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x90, ['_LIST_ENTRY']], 'Flags' : [ 0xa0, ['unsigned long']], 'Status' : [ 0xa4, ['long']], 'Mbcb' : [ 0xa8, ['pointer64', ['_MBCB']]], 'Section' : [ 0xb0, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xc0, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc8, ['unsigned long']], 'BeyondLastFlush' : [ 0xd0, ['long long']], 'Callbacks' : [ 0xd8, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xe0, 
['pointer64', ['void']]], 'PrivateList' : [ 0xe8, ['_LIST_ENTRY']], 'LogHandle' : [ 0xf8, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x100, ['pointer64', ['void']]], 'DirtyPageThreshold' : [ 0x108, ['unsigned long']], 'LazyWritePassCount' : [ 0x10c, ['unsigned long']], 'UninitializeEvent' : [ 0x110, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0x118, ['pointer64', ['_VACB']]], 'BcbSpinLock' : [ 0x120, ['unsigned long long']], 'Reserved' : [ 0x128, ['pointer64', ['void']]], 'Event' : [ 0x130, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0x148, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0x150, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x1b8, ['pointer64', ['void']]], 'VolumeCacheMap' : [ 0x1c0, ['pointer64', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x1c8, ['unsigned long']], 'MappedWritesInProgress' : [ 0x1cc, ['unsigned long']], } ], '__unnamed_16f6' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x30, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_16f6']], 'LruList' : [ 0x18, ['_LIST_ENTRY']], 'ArrayHead' : [ 0x28, ['pointer64', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_1704' : [ 0x8, { 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_1706' : [ 0x8, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1708' : [ 0x8, { 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], } ], '__unnamed_170a' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_170c' : [ 0x8, { 'Read' : [ 0x0, ['__unnamed_1704']], 'Write' : [ 0x0, ['__unnamed_1706']], 'Event' : [ 0x0, ['__unnamed_1708']], 'Notification' : [ 0x0, ['__unnamed_170a']], } ], '_WORK_QUEUE_ENTRY' : [ 0x30, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'CoalescedWorkQueueLinks' : [ 0x10, ['_LIST_ENTRY']], 'Parameters' : [ 0x20, ['__unnamed_170c']], 
'Function' : [ 0x28, ['unsigned char']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_HEAP_LIST_LOOKUP' : [ 0x38, { 'ExtendedLookup' : [ 0x0, ['pointer64', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x8, ['unsigned long']], 'ExtraItem' : [ 0xc, ['unsigned long']], 'ItemCount' : [ 0x10, ['unsigned long']], 'OutOfRangeItems' : [ 0x14, ['unsigned long']], 'BaseIndex' : [ 0x18, ['unsigned long']], 'ListHead' : [ 0x20, ['pointer64', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x28, ['pointer64', ['unsigned long']]], 'ListHints' : [ 0x30, ['pointer64', ['pointer64', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x1f8, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], 'Flags' : [ 0x70, ['unsigned long']], 'ForceFlags' : [ 0x74, ['unsigned long']], 'CompatibilityFlags' : [ 0x78, ['unsigned long']], 'EncodeFlagMask' : [ 0x7c, ['unsigned long']], 'Encoding' : [ 0x80, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x90, ['unsigned long long']], 'Interceptor' : [ 0x98, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x9c, ['unsigned long']], 'Signature' : [ 0xa0, ['unsigned long']], 'SegmentReserve' : [ 0xa8, ['unsigned long long']], 'SegmentCommit' : [ 0xb0, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0xb8, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0xc0, 
['unsigned long long']], 'TotalFreeSize' : [ 0xc8, ['unsigned long long']], 'MaximumAllocationSize' : [ 0xd0, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0xd8, ['unsigned short']], 'HeaderValidateLength' : [ 0xda, ['unsigned short']], 'HeaderValidateCopy' : [ 0xe0, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0xe8, ['unsigned short']], 'MaximumTagIndex' : [ 0xea, ['unsigned short']], 'TagEntries' : [ 0xf0, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0xf8, ['_LIST_ENTRY']], 'AlignRound' : [ 0x108, ['unsigned long long']], 'AlignMask' : [ 0x110, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x118, ['_LIST_ENTRY']], 'SegmentList' : [ 0x128, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0x138, ['unsigned short']], 'NonDedicatedListLength' : [ 0x13c, ['unsigned long']], 'BlocksIndex' : [ 0x140, ['pointer64', ['void']]], 'UCRIndex' : [ 0x148, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x150, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x158, ['_LIST_ENTRY']], 'LockVariable' : [ 0x168, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x170, ['pointer64', ['void']]], 'FrontEndHeap' : [ 0x178, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0x180, ['unsigned short']], 'FrontEndHeapType' : [ 0x182, ['unsigned char']], 'Counters' : [ 0x188, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x1e8, ['_HEAP_TUNING_PARAMETERS']], } ], '_HEAP_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, 
['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x70, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 
0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0xc8, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'Flags' : [ 0x68, ['unsigned long']], 'LoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x70, ['pointer64', ['void']]], 'CheckSum' : [ 0x78, ['unsigned long']], 'TimeDateStamp' : [ 0x80, ['unsigned long']], 'LoadedImports' : [ 0x80, ['pointer64', ['void']]], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ForwarderLinks' : [ 0x98, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0xa8, ['_LIST_ENTRY']], 'StaticLinks' : [ 0xb8, ['_LIST_ENTRY']], } ], '_HEAP_SUBSEGMENT' : [ 0x30, { 'LocalInfo' : [ 0x0, ['pointer64', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x8, ['pointer64', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x10, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x18, ['unsigned short']], 'Flags' : [ 0x1a, ['unsigned short']], 'BlockCount' : [ 0x1c, ['unsigned short']], 'SizeIndex' : [ 0x1e, ['unsigned char']], 'AffinityIndex' : [ 0x1f, ['unsigned char']], 'Alignment' : [ 0x18, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x28, ['unsigned long']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 
'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x370, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x8, ['pointer64', ['void']]], 'LoggerThread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'LoggerStatus' : [ 0x18, ['long']], 'LoggerId' : [ 0x1c, ['unsigned long']], 'NBQHead' : [ 0x20, ['pointer64', ['void']]], 'OverflowNBQHead' : [ 0x28, ['pointer64', ['void']]], 'QueueBlockFreeList' : [ 0x30, ['_SLIST_HEADER']], 'GlobalList' : [ 0x40, ['_SLIST_HEADER']], 'BatchedBufferList' : [ 0x50, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'LoggerName' : [ 0x58, ['_UNICODE_STRING']], 'LogFileName' : [ 0x68, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x78, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x88, ['_UNICODE_STRING']], 'ClockType' : [ 0x98, ['unsigned long']], 'CollectionOn' : [ 0x9c, ['long']], 'MaximumFileSize' : [ 0xa0, ['unsigned long']], 'LoggerMode' : [ 0xa4, ['unsigned long']], 'LastFlushedBuffer' : [ 0xa8, ['unsigned long']], 'FlushTimer' : [ 0xac, ['unsigned long']], 'FlushThreshold' : [ 0xb0, ['unsigned long']], 'ByteOffset' : [ 0xb8, ['_LARGE_INTEGER']], 'FlushTimeStamp' : [ 0xc0, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0xc8, ['unsigned long']], 'BuffersAvailable' : [ 0xcc, ['long']], 'NumberOfBuffers' : [ 0xd0, ['long']], 'MaximumBuffers' : [ 0xd4, ['unsigned long']], 'EventsLost' : [ 0xd8, ['unsigned long']], 'BuffersWritten' : [ 0xdc, ['unsigned long']], 'LogBuffersLost' : [ 0xe0, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0xe4, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xe8, ['unsigned 
long']], 'BufferSize' : [ 0xec, ['unsigned long']], 'MaximumEventSize' : [ 0xf0, ['unsigned long']], 'SequencePtr' : [ 0xf8, ['pointer64', ['long']]], 'LocalSequence' : [ 0x100, ['unsigned long']], 'InstanceGuid' : [ 0x104, ['_GUID']], 'GetCpuClock' : [ 0x118, ['pointer64', ['void']]], 'FileCounter' : [ 0x120, ['long']], 'BufferCallback' : [ 0x128, ['pointer64', ['void']]], 'PoolType' : [ 0x130, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0x138, ['_ETW_REF_CLOCK']], 'RealtimeLoggerContextFreed' : [ 0x148, ['unsigned char']], 'Consumers' : [ 0x150, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x160, ['unsigned long']], 'Connecting' : [ 0x168, ['_LIST_ENTRY']], 'NewConsumer' : [ 0x178, ['unsigned char']], 'RealtimeLogfileHandle' : [ 0x180, ['pointer64', ['void']]], 'RealtimeLogfileName' : [ 0x188, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x198, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x1a0, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x1a8, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x1b0, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x1b8, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x1c0, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x1c8, ['_ETW_REF_CLOCK']], 'RealtimeDisconnectProcessId' : [ 0x1d8, ['unsigned long']], 'RealtimeDisconnectConsumerId' : [ 0x1dc, ['unsigned long']], 'NewRTEventsLost' : [ 0x1e0, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 
'LoggerEvent' : [ 0x1e8, ['_KEVENT']], 'FlushEvent' : [ 0x200, ['_KEVENT']], 'FlushDpc' : [ 0x218, ['_KDPC']], 'LoggerMutex' : [ 0x258, ['_KMUTANT']], 'LoggerLock' : [ 0x290, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x298, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x2e0, ['_EX_FAST_REF']], 'DummyBufferForMarker' : [ 0x2e8, ['_WMI_BUFFER_HEADER']], 'BufferSequenceNumber' : [ 0x330, ['long long']], 'AcceptNewEvents' : [ 0x338, ['long']], 'Flags' : [ 0x33c, ['unsigned long']], 'Persistent' : [ 0x33c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x33c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x33c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x33c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x33c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x33c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x33c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'RequestFlag' : [ 0x340, ['unsigned long']], 'RequestNewFie' : [ 0x340, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RequestUpdateFile' : [ 0x340, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x340, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 0x340, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequestDisconnectConsumer' : [ 0x340, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'StackTraceFilterHookCount' : [ 0x344, ['unsigned short']], 'StackTraceFilter' : [ 0x346, ['array', 16, ['unsigned short']]], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'Wnode' : [ 0x0, ['_WNODE_HEADER']], 
'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'Padding0' : [ 0x20, ['array', 2, ['unsigned long']]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'StartTime' : [ 0x38, ['_LARGE_INTEGER']], 'Entry' : [ 0x38, ['_LIST_ENTRY']], 'Padding2' : [ 0x38, ['pointer64', ['void']]], 'GlobalEntry' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer64', ['void']]], 'Pointer1' : [ 0x40, ['pointer64', ['void']]], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, 
['unsigned long long']], 'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], } ], '_TRACE_ENABLE_CONTEXT_EX' : [ 0x10, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], 'EnableFlagsHigh' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_ETW_GUID_ENTRY' : [ 0x170, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x10, ['long']], 'Guid' : [ 0x14, ['_GUID']], 'RegListHead' : [ 0x28, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'LastEnable' : [ 0x40, ['_ETW_LAST_ENABLE_INFO']], 'ProviderEnableInfo' : [ 0x50, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x70, ['array', 8, ['_TRACE_ENABLE_INFO']]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '__unnamed_17fa' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_17fc' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_17fa']], 'Length' : [ 0x0, ['unsigned long']], } ], 
'__unnamed_17fe' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1800' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_17fe']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_17fc']], 'u2' : [ 0x4, ['__unnamed_1800']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_BLOB_TYPE' : [ 0x38, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'CreatedObjects' : [ 0xc, ['unsigned long']], 'DeletedObjects' : [ 0x10, ['unsigned long']], 'DeleteProcedure' : [ 0x18, ['pointer64', ['void']]], 'DestroyProcedure' : [ 0x20, ['pointer64', ['void']]], 'UsualSize' : [ 0x28, ['unsigned long long']], 'LookasideIndex' : [ 0x30, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1817' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1819' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1817']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x20, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, 
['_SLIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_1819']], 'ResourceId' : [ 0x11, ['unsigned char']], 'CachedReferences' : [ 0x12, ['short']], 'ReferenceCount' : [ 0x14, ['long']], 'Lock' : [ 0x18, ['_EX_PUSH_LOCK']], } ], '__unnamed_1824' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1826' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1824']], } ], '_KALPC_SECTION' : [ 0x50, { 'u1' : [ 0x0, ['__unnamed_1826']], 'SectionObject' : [ 0x8, ['pointer64', ['void']]], 'Size' : [ 0x10, ['unsigned long long']], 'HandleTable' : [ 0x18, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0x20, ['pointer64', ['void']]], 'OwnerProcess' : [ 0x28, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x30, ['pointer64', ['_ALPC_PORT']]], 'NumberOfRegions' : [ 0x38, ['unsigned long']], 'RegionListHead' : [ 0x40, ['_LIST_ENTRY']], } ], '__unnamed_1833' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_1835' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1833']], } ], '_KALPC_REGION' : [ 0x60, { 'u1' : [ 0x0, ['__unnamed_1835']], 'RegionListEntry' : [ 0x8, ['_LIST_ENTRY']], 'Section' : [ 0x18, ['pointer64', ['_KALPC_SECTION']]], 'Offset' : [ 0x20, ['unsigned long long']], 'Size' : [ 0x28, ['unsigned long long']], 'ViewSize' : [ 0x30, ['unsigned long long']], 'ReadOnlyView' : [ 0x38, ['pointer64', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x40, ['pointer64', ['_KALPC_VIEW']]], 'NumberOfViews' : [ 0x48, ['unsigned long']], 'ViewListHead' : [ 0x50, ['_LIST_ENTRY']], } ], '__unnamed_183b' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], } ], '__unnamed_183d' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_183b']], } ], '_KALPC_VIEW' : [ 0x68, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_183d']], 'Region' : [ 0x18, ['pointer64', ['_KALPC_REGION']]], 'OwnerPort' : [ 0x20, ['pointer64', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x28, ['pointer64', ['_EPROCESS']]], 'Address' : [ 0x30, ['pointer64', ['void']]], 'Size' : [ 0x38, ['unsigned long long']], 'SecureViewHandle' : [ 0x40, ['pointer64', ['void']]], 'WriteAccessHandle' : [ 0x48, ['pointer64', ['void']]], 'NumberOfOwnerMessages' : [ 0x50, ['unsigned long']], 'ProcessViewListEntry' : [ 0x58, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x48, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x8, ['pointer64', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'CommunicationList' : [ 0x18, ['_LIST_ENTRY']], 'HandleTable' : [ 0x28, ['_ALPC_HANDLE_TABLE']], } ], '__unnamed_1855' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, 
['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_1857' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1855']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x198, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'SequenceNo' : [ 0x20, ['unsigned long']], 'CompletionPort' : [ 0x28, ['pointer64', ['void']]], 'CompletionKey' : [ 0x30, ['pointer64', ['void']]], 'CompletionPacketLookaside' : [ 0x38, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x40, ['pointer64', ['void']]], 'StaticSecurity' : [ 0x48, ['_SECURITY_CLIENT_CONTEXT']], 'MainQueue' : [ 0x90, ['_LIST_ENTRY']], 'PendingQueue' : [ 0xa0, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0xb0, ['_LIST_ENTRY']], 'WaitQueue' : [ 0xc0, ['_LIST_ENTRY']], 'Semaphore' : [ 0xd0, ['pointer64', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0xd0, ['pointer64', ['_KEVENT']]], 'Lock' : [ 0xd8, ['_EX_PUSH_LOCK']], 'PortAttributes' : [ 0xe0, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0x128, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0x130, ['_LIST_ENTRY']], 'CompletionList' : [ 0x140, ['pointer64', ['_ALPC_COMPLETION_LIST']]], 'MessageZone' : [ 0x148, ['pointer64', ['_ALPC_MESSAGE_ZONE']]], 'CanceledQueue' : [ 0x150, ['_LIST_ENTRY']], 'u1' : [ 0x160, ['__unnamed_1857']], 'TargetQueuePort' : [ 0x168, ['pointer64', 
['_ALPC_PORT']]], 'TargetSequencePort' : [ 0x170, ['pointer64', ['_ALPC_PORT']]], 'Message' : [ 0x178, ['pointer64', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0x180, ['unsigned long']], 'PendingQueueLength' : [ 0x184, ['unsigned long']], 'LargeMessageQueueLength' : [ 0x188, ['unsigned long']], 'CanceledQueueLength' : [ 0x18c, ['unsigned long']], 'WaitQueueLength' : [ 0x190, ['unsigned long']], } ], '_PORT_MESSAGE32' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_17fc']], 'u2' : [ 0x4, ['__unnamed_1800']], 'ClientId' : [ 0x8, ['_CLIENT_ID32']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '__unnamed_1873' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], } ], '__unnamed_1875' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1873']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x108, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtensionBuffer' : [ 0x10, 
['pointer64', ['void']]], 'ExtensionBufferSize' : [ 0x18, ['unsigned long long']], 'QuotaProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'QuotaBlock' : [ 0x20, ['pointer64', ['void']]], 'SequenceNo' : [ 0x28, ['long']], 'u1' : [ 0x2c, ['__unnamed_1875']], 'CancelSequencePort' : [ 0x30, ['pointer64', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x38, ['pointer64', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x40, ['long']], 'CancelListEntry' : [ 0x48, ['_LIST_ENTRY']], 'WaitingThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'Reserve' : [ 0x60, ['pointer64', ['_KALPC_RESERVE']]], 'PortQueue' : [ 0x68, ['pointer64', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x70, ['pointer64', ['_ALPC_PORT']]], 'UniqueTableEntry' : [ 0x78, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'MessageAttributes' : [ 0x80, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0xb8, ['pointer64', ['void']]], 'DataSystemVa' : [ 0xc0, ['pointer64', ['void']]], 'CommunicationInfo' : [ 0xc8, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0xd0, ['pointer64', ['_ALPC_PORT']]], 'ServerThread' : [ 0xd8, ['pointer64', ['_ETHREAD']]], 'PortMessage' : [ 0xe0, ['_PORT_MESSAGE']], } ], '_REMOTE_PORT_VIEW' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x8, ['unsigned long long']], 'ViewBase' : [ 0x10, ['pointer64', ['void']]], } ], '_KALPC_HANDLE_DATA' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['pointer64', ['_OB_DUPLICATE_OBJECT_STATE']]], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x38, { 'ClientContext' : [ 0x0, ['pointer64', ['void']]], 'ServerContext' : [ 0x8, ['pointer64', ['void']]], 'PortContext' : [ 0x10, ['pointer64', ['void']]], 'CancelPortContext' : [ 0x18, ['pointer64', ['void']]], 'SecurityData' : [ 0x20, ['pointer64', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x28, ['pointer64', ['_KALPC_VIEW']]], 'HandleData' : [ 0x30, ['pointer64', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_18b4' : [ 0x4, { 'Revoked' : [ 0x0, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_18b6' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_18b4']], } ], '_KALPC_SECURITY_DATA' : [ 0x70, { 'HandleTable' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x8, ['pointer64', ['void']]], 'OwningProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x68, ['__unnamed_18b6']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x38, { 'PortObject' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'Message' : [ 0x8, ['pointer64', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'Flags' : [ 0x18, ['unsigned long']], 'TargetThread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'TargetPort' : [ 0x28, ['pointer64', ['_ALPC_PORT']]], 'TotalLength' : [ 0x30, ['unsigned short']], 'Type' : [ 0x32, ['unsigned short']], 'DataInfoOffset' : [ 0x34, ['unsigned short']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x48, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long long']], 'MemoryBandwidth' : [ 0x18, ['unsigned long long']], 'MaxPoolUsage' : [ 0x20, ['unsigned long long']], 'MaxSectionSize' : [ 0x28, ['unsigned long long']], 'MaxViewSize' : [ 0x30, ['unsigned long long']], 'MaxTotalSectionSize' : [ 0x38, ['unsigned long long']], 'DupObjectTypes' : [ 0x40, ['unsigned long']], 'Reserved' : [ 0x44, ['unsigned long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x318, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, 
['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'ModifiedId' : [ 0x38, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : [ 0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned long']], 'UserAndGroups' : [ 0x90, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x98, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0xa0, ['pointer64', ['void']]], 'DynamicPart' : [ 0xa8, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0xb0, ['pointer64', ['_ACL']]], 'TokenType' : [ 0xb8, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xbc, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xc0, ['unsigned long']], 'TokenInUse' : [ 0xc4, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xc8, ['unsigned long']], 'MandatoryPolicy' : [ 0xcc, ['unsigned long']], 'ProxyData' : [ 0xd0, ['pointer64', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0xd8, ['pointer64', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'LogonSession' : [ 0xe0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xe8, ['_LUID']], 'SidHash' : [ 0xf0, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x200, ['_SID_AND_ATTRIBUTES_HASH']], 'VariablePart' : [ 0x310, ['unsigned long long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x50, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 
'LogonId' : [ 0x8, ['_LUID']], 'BuddyLogonId' : [ 0x10, ['_LUID']], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], 'pDeviceMap' : [ 0x20, ['pointer64', ['_DEVICE_MAP']]], 'Token' : [ 0x28, ['pointer64', ['void']]], 'AccountName' : [ 0x30, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x40, ['_UNICODE_STRING']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], 'HashIndex' : [ 0x14, ['unsigned short']], 'DirectoryLocked' : [ 0x16, ['unsigned char']], 'LockStateSignature' : [ 0x18, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0x150, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'SessionId' : [ 0x138, ['unsigned long']], 'NamespaceEntry' : [ 0x140, ['pointer64', ['void']]], 'Flags' : [ 0x148, ['unsigned long']], } ], '_OBJECT_TYPE' : [ 0x238, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x20, ['pointer64', ['void']]], 'Index' : [ 0x28, ['unsigned long']], 'TotalNumberOfObjects' : [ 0x2c, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x30, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x34, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x38, ['unsigned long']], 'TypeInfo' : [ 0x40, ['_OBJECT_TYPE_INITIALIZER']], 'Mutex' : [ 0xb0, ['_ERESOURCE']], 'TypeLock' : [ 0x118, ['_EX_PUSH_LOCK']], 'Key' : [ 0x120, ['unsigned long']], 'ObjectLocks' : [ 0x128, ['array', 32, ['_EX_PUSH_LOCK']]], 'CallbackList' : [ 0x228, ['_LIST_ENTRY']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x8, { 'ImpersonationData' : [ 0x0, ['unsigned long long']], 'ImpersonationToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'EffectiveOnly' 
: [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], } ], '_MMVAD_FLAGS3' : [ 0x8, { 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'SequentialAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long long')]], 'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long long')]], 'LargePageCreating' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'Spare3' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 64, native_type='unsigned long long')]], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, 
['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'SharedWaiters' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 'OwnerEntry' : [ 0x30, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x40, ['unsigned long']], 'ContentionCount' : [ 0x44, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x48, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x4c, ['unsigned long']], 'Reserved2' : [ 0x50, ['pointer64', ['void']]], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ], '_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long 
long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, ['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x260, ['unsigned long']], 'FreeBins' : [ 0x268, ['_LIST_ENTRY']], } ], '_DISPATCHER_HEADER' : [ 0x18, { 'Type' : [ 0x0, ['unsigned char']], 'Abandoned' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'NpxIrql' : [ 0x1, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Hand' : [ 0x2, ['unsigned char']], 'Inserted' : [ 0x3, ['unsigned char']], 'DebugActive' : [ 0x3, ['unsigned char']], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x20, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 
0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'PointerProtoPte' : [ 0x0, ['pointer64', ['void']]], } ], '_HEAP_COUNTERS' : [ 0x60, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long long']], 'TotalMemoryCommitted' : [ 0x8, ['unsigned long long']], 'TotalMemoryLargeUCR' : [ 0x10, ['unsigned long long']], 'TotalSizeInVirtualBlocks' : [ 0x18, ['unsigned long long']], 'TotalSegments' : [ 0x20, ['unsigned long']], 'TotalUCRs' : [ 0x24, ['unsigned long']], 'CommittOps' : [ 0x28, ['unsigned long']], 'DeCommitOps' : [ 0x2c, ['unsigned long']], 'LockAcquires' : [ 0x30, ['unsigned long']], 'LockCollisions' : [ 0x34, ['unsigned long']], 'CommitRate' : [ 0x38, ['unsigned long']], 'DecommittRate' : [ 0x3c, ['unsigned long']], 'CommitFailures' : [ 0x40, ['unsigned long']], 'InBlockCommitFailures' : [ 0x44, ['unsigned long']], 'CompactHeapCalls' : [ 0x48, ['unsigned long']], 'CompactedUCRs' : [ 0x4c, ['unsigned long']], 'InBlockDeccommits' : [ 0x50, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x58, ['unsigned long long']], } ], '_SYSPTES_HEADER' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x10, ['unsigned long long']], 'NumberOfEntries' : [ 0x18, ['unsigned long long']], 'NumberOfEntriesPeak' : [ 0x20, ['unsigned long long']], } ], '_PERFINFO_HARDPAGEFAULT_INFORMATION' : [ 0x20, { 'ReadOffset' : [ 0x0, ['_LARGE_INTEGER']], 'VirtualAddress' : [ 0x8, ['pointer64', ['void']]], 'FileObject' : [ 0x10, ['pointer64', ['void']]], 'ThreadId' : [ 0x18, ['unsigned long']], 'ByteCount' : [ 0x1c, ['unsigned long']], } ], '_I386_LOADER_BLOCK' : [ 0x10, { 'CommonDataArea' : [ 0x0, ['pointer64', ['void']]], 'MachineType' : [ 0x8, ['unsigned long']], 'VirtualBias' : [ 0xc, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_ARC_DISK_INFORMATION' : [ 0x10, { 'DiskSignatures' 
: [ 0x0, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x10, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x8, ['unsigned long long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '_DEVPROPKEY' : [ 0x14, { 'fmtid' : [ 0x0, ['_GUID']], 'pid' : [ 0x10, ['unsigned long']], } ], '_WHEA_NMI_ERROR' : [ 0xc, { 'Data' : [ 0x0, ['array', 8, ['unsigned char']]], 'Flags' : [ 0x8, ['_WHEA_NMI_ERROR_FLAGS']], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, ['pointer64', ['void']]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_HANDLE_TABLE' : [ 0x60, { 'TableCode' : [ 0x0, ['unsigned long long']], 'QuotaProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x10, ['pointer64', 
['void']]], 'HandleLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'HandleTableList' : [ 0x20, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x30, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x38, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x40, ['long']], 'Flags' : [ 0x44, ['unsigned long']], 'StrictFIFO' : [ 0x44, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FirstFreeHandle' : [ 0x48, ['long']], 'LastFreeHandleEntry' : [ 0x50, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x58, ['long']], 'NextHandleNeedingPool' : [ 0x5c, ['unsigned long']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['unsigned long']], 'PoolType' : [ 0xc, ['unsigned long']], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_VI_CANCEL_GLOBALS' : [ 0x78, { 'CancelLock' : [ 0x0, ['unsigned long long']], 'IssueLock' : [ 0x8, ['unsigned long long']], 'Counters' : [ 0x10, ['array', 25, ['long']]], } ], '_KALPC_RESERVE' : [ 0x28, { 'OwnerPort' : [ 0x0, 
['pointer64', ['_ALPC_PORT']]], 'HandleTable' : [ 0x8, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Message' : [ 0x18, ['pointer64', ['_KALPC_MESSAGE']]], 'Active' : [ 0x20, ['long']], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_CM_KEY_BODY' : [ 0x58, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], 'Flags' : [ 0x30, ['unsigned long']], 'KtmTrans' : [ 0x38, ['pointer64', ['void']]], 'KtmUow' : [ 0x40, ['pointer64', ['_GUID']]], 'ContextListHead' : [ 0x48, ['_LIST_ENTRY']], } ], '_XMM_SAVE_AREA32' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, 
end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CpuValid' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x54, ['unsigned long']], } ], '__unnamed_19bc' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' 
: [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_19be' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_19bc']], 'Private' : [ 0x0, ['__unnamed_19be']], } ], '_VI_VERIFIER_ISSUE' : [ 0x20, { 'IssueType' : [ 0x0, ['unsigned long long']], 'Address' : [ 0x8, ['pointer64', ['void']]], 'Parameters' : [ 0x10, ['array', 2, ['unsigned long long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x38, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' 
: [ 0x28, ['pointer64', ['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '_OBJECT_REF_INFO' : [ 0x28, { 'ObjectHeader' : [ 0x0, ['pointer64', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x10, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x20, ['unsigned short']], 'MaxStacks' : [ 0x22, ['unsigned short']], 'StackInfo' : [ 0x24, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_CMHIVE' : [ 0xb48, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x590, ['array', 6, ['pointer64', ['void']]]], 'NotifyList' : [ 0x5c0, ['_LIST_ENTRY']], 'HiveList' : [ 0x5d0, ['_LIST_ENTRY']], 'HiveLock' : [ 0x5e0, ['pointer64', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x5e8, ['_EX_PUSH_LOCK']], 'ViewLockOwner' : [ 0x5f0, ['pointer64', ['_KTHREAD']]], 'ViewLockLast' : [ 0x5f8, ['unsigned long']], 'ViewUnLockLast' : [ 0x5fc, ['unsigned long']], 'WriterLock' : [ 0x600, ['pointer64', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x608, ['_EX_PUSH_LOCK']], 'SecurityLock' : [ 0x610, ['_EX_PUSH_LOCK']], 'MappedViewList' : [ 0x618, ['_LIST_ENTRY']], 'PinnedViewList' : [ 0x628, ['_LIST_ENTRY']], 'FlushedViewList' : [ 0x638, ['_LIST_ENTRY']], 'MappedViewCount' : [ 0x648, ['unsigned short']], 'PinnedViewCount' : [ 0x64a, ['unsigned short']], 'UseCount' : [ 0x64c, ['unsigned long']], 'ViewsPerHive' : [ 0x650, ['unsigned long']], 'FileObject' : [ 0x658, ['pointer64', ['_FILE_OBJECT']]], 'LastShrinkHiveSize' : [ 0x660, ['unsigned long']], 'ActualFileSize' : [ 0x668, ['_LARGE_INTEGER']], 'FileFullPath' : [ 0x670, ['_UNICODE_STRING']], 'FileUserName' : [ 0x680, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x690, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x6a0, ['unsigned long']], 'SecurityCacheSize' : [ 0x6a4, ['unsigned long']], 'SecurityHitHint' : [ 0x6a8, ['long']], 'SecurityCache' : [ 0x6b0, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x6b8, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' 
: [ 0xab8, ['unsigned long']], 'UnloadEventArray' : [ 0xac0, ['pointer64', ['pointer64', ['_KEVENT']]]], 'RootKcb' : [ 0xac8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0xad0, ['unsigned char']], 'UnloadWorkItem' : [ 0xad8, ['pointer64', ['_CM_WORKITEM']]], 'GrowOnlyMode' : [ 0xae0, ['unsigned char']], 'GrowOffset' : [ 0xae4, ['unsigned long']], 'KcbConvertListHead' : [ 0xae8, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0xaf8, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xb08, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0xb10, ['unsigned long']], 'TrustClassEntry' : [ 0xb18, ['_LIST_ENTRY']], 'FlushCount' : [ 0xb28, ['unsigned long']], 'CmRm' : [ 0xb30, ['pointer64', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0xb38, ['unsigned long']], 'CmRmInitFailStatus' : [ 0xb3c, ['long']], 'CreatorOwner' : [ 0xb40, ['pointer64', ['_KTHREAD']]], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x18, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x8, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x10, ['long']], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' : [ 0x14, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '__unnamed_19ed' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_19f3' : [ 0x8, { 'Banked' : [ 0x0, ['pointer64', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], 
'_MMVAD_LONG' : [ 0x78, { 'u1' : [ 0x0, ['__unnamed_14aa']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_14ad']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_14b0']], 'u2' : [ 0x40, ['__unnamed_14ba']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'u3' : [ 0x60, ['__unnamed_19ed']], 'u4' : [ 0x70, ['__unnamed_19f3']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', ['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_EJOB' : [ 0x1b0, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, ['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb0, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xb8, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0xc0, ['unsigned long']], 'TotalProcesses' : [ 0xc4, ['unsigned long']], 'ActiveProcesses' : [ 0xc8, ['unsigned long']], 
'TotalTerminatedProcesses' : [ 0xcc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xd0, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xd8, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0xe0, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0xe8, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xf0, ['unsigned long long']], 'ActiveProcessLimit' : [ 0xf8, ['unsigned long']], 'Affinity' : [ 0x100, ['unsigned long long']], 'PriorityClass' : [ 0x108, ['unsigned char']], 'AccessState' : [ 0x110, ['pointer64', ['_JOB_ACCESS_STATE']]], 'UIRestrictionsClass' : [ 0x118, ['unsigned long']], 'EndOfJobTimeAction' : [ 0x11c, ['unsigned long']], 'CompletionPort' : [ 0x120, ['pointer64', ['void']]], 'CompletionKey' : [ 0x128, ['pointer64', ['void']]], 'SessionId' : [ 0x130, ['unsigned long']], 'SchedulingClass' : [ 0x134, ['unsigned long']], 'ReadOperationCount' : [ 0x138, ['unsigned long long']], 'WriteOperationCount' : [ 0x140, ['unsigned long long']], 'OtherOperationCount' : [ 0x148, ['unsigned long long']], 'ReadTransferCount' : [ 0x150, ['unsigned long long']], 'WriteTransferCount' : [ 0x158, ['unsigned long long']], 'OtherTransferCount' : [ 0x160, ['unsigned long long']], 'ProcessMemoryLimit' : [ 0x168, ['unsigned long long']], 'JobMemoryLimit' : [ 0x170, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x178, ['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x180, ['unsigned long long']], 'CurrentJobMemoryUsed' : [ 0x188, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x190, ['_EX_PUSH_LOCK']], 'JobSetLinks' : [ 0x198, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x1a8, ['unsigned long']], 'JobFlags' : [ 0x1ac, ['unsigned long']], } ], '__unnamed_1a06' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Hypervisor' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, 
native_type='unsigned long')]], 'HvMaxCState' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_IDLE_STATES' : [ 0x48, { 'Type' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['__unnamed_1a06']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'TargetProcessors' : [ 0x18, ['unsigned long long']], 'State' : [ 0x20, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '_PEB' : [ 0x368, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['pointer64', ['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['void']]], 'IFEOKey' : [ 0x48, ['pointer64', ['void']]], 
'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'UserSharedInfoPtr' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x64, ['unsigned long']], 'SparePebPtr0' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'HotpatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 
'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['pointer64', ['void']]], 'WerShipAssertPtr' : [ 0x360, ['pointer64', ['void']]], } ], '__unnamed_1a1f' : [ 
0x18, { 'EfiInformation' : [ 0x0, ['_EFI_FIRMWARE_INFORMATION']], 'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']], } ], '_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x20, { 'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_1a1f']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x10, ['_LIST_ENTRY']], 'Address' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_POOL_DESCRIPTOR' : [ 0x1048, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['long']], 'RunningDeAllocs' : [ 0xc, ['long']], 'TotalPages' : [ 0x10, ['long']], 'TotalBigPages' : [ 0x14, ['long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x20, ['pointer64', ['void']]], 'PendingFrees' : [ 0x28, ['pointer64', ['pointer64', ['void']]]], 'ThreadsProcessingDeferrals' : [ 0x30, ['long']], 'PendingFreeDepth' : [ 0x34, ['long']], 'TotalBytes' : [ 0x38, ['unsigned long long']], 'Spare0' : [ 0x40, ['unsigned long long']], 'ListHeads' : [ 0x48, ['array', 256, ['_LIST_ENTRY']]], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 
'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x20, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x8, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0x18, ['unsigned long long']], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0xa0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'MessageServiceRoutine' : [ 0x20, ['pointer64', ['void']]], 'MessageIndex' : [ 0x28, ['unsigned long']], 'ServiceContext' : [ 0x30, ['pointer64', ['void']]], 'SpinLock' : [ 0x38, ['unsigned long long']], 'TickCount' : [ 0x40, ['unsigned long']], 'ActualLock' : [ 0x48, ['pointer64', ['unsigned long long']]], 
'DispatchAddress' : [ 0x50, ['pointer64', ['void']]], 'Vector' : [ 0x58, ['unsigned long']], 'Irql' : [ 0x5c, ['unsigned char']], 'SynchronizeIrql' : [ 0x5d, ['unsigned char']], 'FloatingSave' : [ 0x5e, ['unsigned char']], 'Connected' : [ 0x5f, ['unsigned char']], 'Number' : [ 0x60, ['unsigned char']], 'ShareVector' : [ 0x61, ['unsigned char']], 'Mode' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x6c, ['unsigned long']], 'DispatchCount' : [ 0x70, ['unsigned long']], 'Rsvd1' : [ 0x78, ['unsigned long long']], 'TrapFrame' : [ 0x80, ['pointer64', ['_KTRAP_FRAME']]], 'Reserved' : [ 0x88, ['pointer64', ['void']]], 'DispatchCode' : [ 0x90, ['array', 4, ['unsigned long']]], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long long']], 'GrantedAccess' : [ 0x8, ['unsigned long']], 'GrantedAccessIndex' : [ 0x8, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xa, ['unsigned short']], 'NextFreeTableEntry' : [ 0x8, ['long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, 
['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x38, { 'FileName' : [ 0x0, ['pointer64', ['unsigned short']]], 'BaseName' : [ 0x8, ['pointer64', ['unsigned short']]], 'RegRootName' : [ 0x10, ['pointer64', ['unsigned short']]], 'CmHive' : [ 0x18, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x20, ['unsigned long']], 'CmHiveFlags' : [ 0x24, ['unsigned long']], 'CmHive2' : [ 0x28, ['pointer64', ['_CMHIVE']]], 'ThreadFinished' : [ 0x30, ['unsigned char']], 'ThreadStarted' : [ 0x31, ['unsigned char']], 'Allocate' : [ 0x32, ['unsigned char']], 'WinPERequired' : [ 0x33, ['unsigned char']], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 
0xd0, ['unsigned long long']], 'R12' : [ 0xd8, ['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XMM_SAVE_AREA32']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, ['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_ALPC_HANDLE_TABLE' : [ 0x20, { 'Flags' : [ 0x0, ['unsigned long']], 'Handles' : [ 0x8, ['pointer64', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x10, ['unsigned long']], 'Lock' : [ 0x18, ['_EX_PUSH_LOCK']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x200, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'StackTrace' : [ 0x8, ['array', 63, ['pointer64', ['void']]]], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x98, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Mdl' : [ 0x18, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x20, ['pointer64', 
['void']]], 'UserLimit' : [ 0x28, ['pointer64', ['void']]], 'DataUserVa' : [ 0x30, ['pointer64', ['void']]], 'SystemVa' : [ 0x38, ['pointer64', ['void']]], 'TotalSize' : [ 0x40, ['unsigned long long']], 'Header' : [ 0x48, ['pointer64', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x50, ['pointer64', ['void']]], 'ListSize' : [ 0x58, ['unsigned long long']], 'Bitmap' : [ 0x60, ['pointer64', ['void']]], 'BitmapSize' : [ 0x68, ['unsigned long long']], 'Data' : [ 0x70, ['pointer64', ['void']]], 'DataSize' : [ 0x78, ['unsigned long long']], 'BitmapLimit' : [ 0x80, ['unsigned long']], 'BitmapNextHint' : [ 0x84, ['unsigned long']], 'ConcurrencyCount' : [ 0x88, ['unsigned long']], 'AttributeFlags' : [ 0x8c, ['unsigned long']], 'AttributeSize' : [ 0x90, ['unsigned long']], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x98, { 'WorkQueue' : [ 0x0, ['_LIST_ENTRY']], 'ScanDpc' : [ 0x10, ['_KDPC']], 'ScanTimer' : [ 0x50, ['_KTIMER']], 'ScanActive' : [ 0x90, ['unsigned char']], 'OtherWork' : [ 0x91, ['unsigned char']], 'PendingTeardown' : [ 0x92, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', ['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, 
['unsigned long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_CM_RM' : [ 0x88, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x10, ['_LIST_ENTRY']], 
'TmHandle' : [ 0x20, ['pointer64', ['void']]], 'Tm' : [ 0x28, ['pointer64', ['void']]], 'RmHandle' : [ 0x30, ['pointer64', ['void']]], 'KtmRm' : [ 0x38, ['pointer64', ['void']]], 'RefCount' : [ 0x40, ['unsigned long']], 'ContainerNum' : [ 0x44, ['unsigned long']], 'ContainerSize' : [ 0x48, ['unsigned long long']], 'CmHive' : [ 0x50, ['pointer64', ['_CMHIVE']]], 'LogFileObject' : [ 0x58, ['pointer64', ['void']]], 'MarshallingContext' : [ 0x60, ['pointer64', ['void']]], 'RmFlags' : [ 0x68, ['unsigned long']], 'LogStartStatus1' : [ 0x6c, ['long']], 'LogStartStatus2' : [ 0x70, ['long']], 'BaseLsn' : [ 0x78, ['unsigned long long']], 'RmLock' : [ 0x80, ['pointer64', ['_ERESOURCE']]], } ], '_MMVAD_FLAGS' : [ 0x8, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 51, native_type='unsigned long long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 61, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 61, end_bit = 63, native_type='unsigned long long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PCIXDEVICE_ERROR' : [ 0x68, { 'ValidBits' : [ 0x0, ['_WHEA_PCIXDEVICE_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'IdInfo' : [ 0x10, ['_WHEA_PCIXDEVICE_ID']], 'MemoryNumber' : [ 0x20, ['unsigned long']], 'IoNumber' : [ 0x24, ['unsigned long']], 'RegisterDataPairs' : [ 0x28, ['array', 4, ['WHEA_PCIXDEVICE_REGISTER_PAIR']]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_UNEXPECTED_INTERRUPT' : [ 0x10, { 'PushImmOp' : [ 0x0, ['unsigned char']], 'PushImm' : [ 0x1, 
['unsigned long']], 'PushRbp' : [ 0x5, ['unsigned char']], 'JmpOp' : [ 0x6, ['unsigned char']], 'JmpOffset' : [ 0x7, ['long']], } ], '__unnamed_1aa7' : [ 0x28, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ], '_HEAP_LOCK' : [ 0x28, { 'Lock' : [ 0x0, ['__unnamed_1aa7']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_DRIVER_EXTENSION' : [ 0x38, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x10, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'Flags' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x9, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' 
: [ 0xa, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'OldIrql' : [ 0x8, ['unsigned char']], 'NewIrql' : [ 0x9, ['unsigned char']], 'Processor' : [ 0xa, ['unsigned char']], 'TickCount' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 5, ['pointer64', ['void']]]], } ], '_PEB_LDR_DATA' : [ 0x58, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], 'ShutdownInProgress' : [ 0x48, ['unsigned char']], 'ShutdownThreadId' : [ 0x50, ['pointer64', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0x18, { 'AnsiCodePageData' : [ 0x0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0x8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0x10, ['pointer64', ['void']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x100, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 11, 
end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x18, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x20, ['unsigned long']], 'ParentKcb' : [ 0x28, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x30, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x38, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x40, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x50, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x50, ['unsigned long']], 'SubKeyCount' : [ 0x50, ['unsigned long']], 'KeyBodyListHead' : [ 0x58, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x58, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x68, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'DelayCloseEntry' : [ 0x88, ['pointer64', ['void']]], 'KcbLastWriteTime' : [ 0x90, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x98, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x9a, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x9c, ['unsigned long']], 'KcbUserFlags' : [ 0xa0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0xa0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0xa0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0xa0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'RealKeyName' : [ 0xa8, ['pointer64', ['unsigned char']]], 'KCBUoWListHead' : [ 0xb0, ['_LIST_ENTRY']], 'TransKCBOwner' : [ 0xc0, ['pointer64', ['_CM_TRANS']]], 'KCBLock' : [ 0xc8, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0xd8, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0xe8, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0xf0, ['pointer64', ['_CM_TRANS']]], 'FullKCBName' : [ 0xf8, ['pointer64', 
['_UNICODE_STRING']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 22, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 
'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0x8, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, 
native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x40, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x18, ['unsigned long']], 'ImageCommitment' : [ 0x1c, ['unsigned long']], 'ControlArea' : [ 0x20, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x30, ['pointer64', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x38, ['pointer64', ['_MMSUBSECTION_FLAGS']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, 
['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SessionMaster' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'TrimmerAttached' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'TrimmerDetaching' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Available' : [ 0x3, 
['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], } ], 'PPM_IDLE_ACCOUNTING' : [ 0x48, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['PPM_IDLE_STATE_ACCOUNTING']]], } ], 'PPM_IDLE_STATE_ACCOUNTING' : [ 0x30, { 'IdleTransitions' : [ 0x0, ['unsigned long']], 'FailedTransitions' : [ 0x4, ['unsigned long']], 'InvalidBucketIndex' : [ 0x8, ['unsigned long']], 'TotalTime' : [ 0x10, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x18, ['array', 6, ['unsigned long']]], } ], '_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long 
long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x38, { 'Lock' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'ActiveCount' : [ 0xc, ['unsigned long']], 'PendingNullCount' : [ 0x10, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x14, ['unsigned long']], 'PendingDelete' : [ 0x18, ['unsigned long']], 'FreeListHead' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x28, ['pointer64', ['void']]], 'CompletionKey' : [ 0x30, ['pointer64', ['void']]], 'Entry' : [ 0x38, ['array', 0, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0x18, ['unsigned long long']], 'PageCount' : [ 0x20, ['unsigned long long']], } ], '_CM_INTENT_LOCK' : [ 0x10, { 'OwnerCount' : 
[ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x8, ['pointer64', ['pointer64', ['_CM_KCB_UOW']]]], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ], '_MAPPED_FILE_SEGMENT' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'LastSubsectionHint' : [ 0x30, ['pointer64', ['_MSUBSECTION']]], } ], '_TEB64' : [ 0x1828, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 
'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes1' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'EtwLocalData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 
'SpareBool0' : [ 0x1744, ['unsigned char']], 'SpareBool1' : [ 0x1745, ['unsigned char']], 'SpareBool2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'ImpersonationLocale' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'DbgSafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, 
native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RtlDisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'ProcessRundown' : [ 0x180c, ['unsigned long']], 'LastSwitchTime' : [ 0x1810, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0x1818, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x1820, ['_LARGE_INTEGER']], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_VI_FAULT_TRACE' : [ 0x48, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 8, ['pointer64', ['void']]]], } ], '_WHEA_PCIXBUS_ERROR' : [ 0x48, { 'ValidBits' : [ 0x0, ['_WHEA_PCIXBUS_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'ErrorType' : [ 0x10, ['unsigned short']], 'BusId' : [ 0x12, ['_WHEA_PCIXBUS_ID']], 'Reserved' : [ 0x14, ['unsigned long']], 'BusAddress' : [ 0x18, ['unsigned long long']], 'BusData' : [ 0x20, ['unsigned long long']], 'BusCommand' : [ 0x28, ['_WHEA_PCIXBUS_COMMAND']], 'RequesterId' 
: [ 0x30, ['unsigned long long']], 'CompleterId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x18, ['unsigned long']], 'ObjectMask' : [ 0x1c, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned long long']], 'OwnerCount' : [ 0x8, ['long']], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_MI_SECTION_CREATION_GATE' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_MI_SECTION_CREATION_GATE']]], 'Gate' : [ 0x8, ['_KGATE']], } ], '_ETIMER' : [ 0x108, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x40, ['_KAPC']], 'TimerDpc' : [ 0x98, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Lock' : [ 0xe8, 
['unsigned long long']], 'Period' : [ 0xf0, ['long']], 'ApcAssociated' : [ 0xf4, ['unsigned char']], 'WakeTimer' : [ 0xf5, ['unsigned char']], 'WakeTimerListEntry' : [ 0xf8, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '_POOL_BLOCK_HEAD' : [ 0x20, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x10, ['_LIST_ENTRY']], } ], '_WHEA_PCIXBUS_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'BusId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'BusAddress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'BusData' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'BusCommand' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'CompleterId' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1b88' : [ 0x8, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer64', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x10, { 'u1' : [ 0x0, ['__unnamed_1b88']], 'EndVa' : [ 0x8, ['pointer64', ['void']]], } ], '_ARBITER_INSTANCE' : [ 0x698, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['unsigned short']]], 'OrderingName' : [ 0x18, 
['pointer64', ['unsigned short']]], 'ResourceType' : [ 0x20, ['long']], 'Allocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x30, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x38, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x48, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x58, ['long']], 'Interface' : [ 0x60, ['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x68, ['unsigned long']], 'AllocationStack' : [ 0x70, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x78, ['pointer64', ['void']]], 'PackResource' : [ 0x80, ['pointer64', ['void']]], 'UnpackResource' : [ 0x88, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x90, ['pointer64', ['void']]], 'TestAllocation' : [ 0x98, ['pointer64', ['void']]], 'RetestAllocation' : [ 0xa0, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa8, ['pointer64', ['void']]], 'RollbackAllocation' : [ 0xb0, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb8, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xc0, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc8, ['pointer64', ['void']]], 'AddReserved' : [ 0xd0, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd8, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xe0, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe8, ['pointer64', ['void']]], 'GetNextAllocationRange' : [ 0xf0, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf8, ['pointer64', ['void']]], 'AddAllocation' : [ 0x100, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x108, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x110, ['pointer64', ['void']]], 'InitializeRangeList' : [ 0x118, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x120, ['unsigned char']], 'TransactionEvent' : [ 0x128, ['pointer64', ['_KEVENT']]], 'Extension' : [ 0x130, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x140, ['pointer64', ['void']]], 'ConflictCallback' : [ 
0x148, ['pointer64', ['void']]], 'PdoDescriptionString' : [ 0x150, ['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x3f0, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x690, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '_HMAP_TABLE' : [ 0x4000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_WHEA_MEMORY_ERROR' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, 
['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', 7, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 
'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_KGUARDED_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KGATE']], 'KernelApcDisable' : [ 0x30, ['short']], 'SpecialApcDisable' : [ 0x32, ['short']], 'CombinedApcDisable' : [ 0x30, ['unsigned long']], } ], '_ALPHA_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '__unnamed_1bf2' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1bf8' : [ 0x18, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPolicyMachineDefault', 1: 'IrqPolicyAllCloseProcessors', 2: 'IrqPolicyOneCloseProcessor', 3: 'IrqPolicyAllProcessorsInMachine', 4: 'IrqPolicySpecifiedProcessors', 5: 'IrqPolicySpreadMessagesAcrossAllProcessors'})]], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long long']], } ], '__unnamed_1bfa' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1bfc' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1bfe' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : 
[ 0xc, ['unsigned long']], } ], '__unnamed_1c00' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1c02' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1c04' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1c06' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1c08' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1bf2']], 'Memory' : [ 0x0, ['__unnamed_1bf2']], 'Interrupt' : [ 0x0, ['__unnamed_1bf8']], 'Dma' : [ 0x0, ['__unnamed_1bfa']], 'Generic' : [ 0x0, ['__unnamed_1bf2']], 'DevicePrivate' : [ 0x0, ['__unnamed_1bfc']], 'BusNumber' : [ 0x0, ['__unnamed_1bfe']], 'ConfigData' : [ 0x0, ['__unnamed_1c00']], 'Memory40' : [ 0x0, ['__unnamed_1c02']], 'Memory48' : [ 0x0, ['__unnamed_1c04']], 'Memory64' : [ 0x0, ['__unnamed_1c06']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1c08']], } ], '_POP_THERMAL_ZONE' : [ 0x128, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x10, ['unsigned char']], 'Flags' : [ 0x11, ['unsigned char']], 'Mode' : [ 0x12, ['unsigned char']], 'PendingMode' : [ 0x13, ['unsigned char']], 'ActivePoint' : [ 0x14, ['unsigned char']], 'PendingActivePoint' : [ 0x15, ['unsigned char']], 'Throttle' : [ 0x18, ['long']], 'LastTime' : [ 0x20, 
['unsigned long long']], 'SampleRate' : [ 0x28, ['unsigned long']], 'LastTemp' : [ 0x2c, ['unsigned long']], 'PassiveTimer' : [ 0x30, ['_KTIMER']], 'PassiveDpc' : [ 0x70, ['_KDPC']], 'OverThrottled' : [ 0xb0, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0xc8, ['pointer64', ['_IRP']]], 'Info' : [ 0xd0, ['_THERMAL_INFORMATION_EX']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 
0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], '_WHEA_PCIXBUS_COMMAND' : [ 0x8, { 'Command' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 56, native_type='unsigned long long')]], 'PCIXCommand' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 57, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_CM_TRANS' : [ 0xb0, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x10, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x30, ['pointer64', ['void']]], 'CmRm' : [ 0x38, ['pointer64', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x40, ['pointer64', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x48, ['pointer64', ['void']]], 'KtmUow' : [ 0x50, ['_GUID']], 'StartLsn' : [ 0x60, ['unsigned long long']], 'TransState' : [ 0x68, ['unsigned long']], 'HiveCount' : [ 0x6c, ['unsigned long']], 'HiveArray' : [ 0x70, ['array', 8, ['pointer64', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, 
['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x48, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ParseContext' : [ 0x10, ['pointer64', ['void']]], 'ProbeMode' : [ 0x18, ['unsigned char']], 'PagedPoolCharge' : [ 0x1c, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x20, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x24, ['unsigned long']], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'SecurityQos' : [ 0x30, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x38, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_POOL_HACKER' : [ 0x30, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x10, ['array', 8, ['unsigned long']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x1c, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1b, ['unsigned char']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x110, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x8, ['pointer64', 
['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x10, ['array', 32, ['unsigned long long']]], } ], '_MBCB' : [ 0xb8, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x58, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x88, ['_BITMAP_RANGE']], } ], '__unnamed_1c4b' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1c4b']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 
'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x70, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 
'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', ['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], } ], '_KPROCESSOR_STATE' : [ 0x5b0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_KDPC' : [ 0x40, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x8, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0x18, ['pointer64', 
['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', ['void']]], 'DpcData' : [ 0x38, ['pointer64', ['void']]], } ], '_KERNEL_STACK_SEGMENT' : [ 0x28, { 'StackBase' : [ 0x0, ['unsigned long long']], 'StackLimit' : [ 0x8, ['unsigned long long']], 'KernelStack' : [ 0x10, ['unsigned long long']], 'InitialStack' : [ 0x18, ['unsigned long long']], 'ActualLimit' : [ 0x20, ['unsigned long long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WHEA_PCIXDEVICE_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'IdInfo' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'MemoryNumber' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'IoNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit 
= 4, native_type='unsigned long long')]], 'RegisterDataPairs' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], 'WHEA_PCIXDEVICE_REGISTER_PAIR' : [ 0x10, { 'Register' : [ 0x0, ['unsigned long long']], 'Data' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_VACB_ARRAY_HEADER' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'MappingCount' : [ 0x10, ['unsigned long']], 'Reserved' : [ 0x14, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, 
native_type='unsigned long long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '_WOW64_PROCESS' : [ 0x8, { 'Wow64' : [ 0x0, ['pointer64', ['void']]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 
'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_PEB32' : [ 0x238, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, ['unsigned long']], 'IFEOKey' : [ 0x24, ['unsigned long']], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned 
long')]], 'KernelCallbackTable' : [ 0x2c, ['unsigned long']], 'UserSharedInfoPtr' : [ 0x2c, ['unsigned long']], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x34, ['unsigned long']], 'SparePebPtr0' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'HotpatchInformation' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['unsigned long']], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : 
[ 0x14c, ['unsigned long']], 'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['unsigned long']], 'WerShipAssertPtr' : [ 0x234, ['unsigned long']], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', 
choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_KBUGCHECK_ACTIVE_STATE' : [ 0x4, { 'BugCheckState' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'RecursionCount' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'BugCheckOwner' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['long']], } ], '_PF_KERNEL_GLOBALS' : [ 0x60, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0x10, ['_KEVENT']], 'AccessBufferMax' : [ 0x28, ['unsigned long']], 'AccessBufferList' : [ 0x40, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x50, ['long']], 'Flags' : [ 0x54, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x58, ['long']], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_WHEA_PCIXBUS_ID' : [ 0x2, { 'BusNumber' : [ 0x0, ['unsigned char']], 'BusSegment' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, 
['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x30, { 'SourceProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'SourceHandle' : [ 0x8, ['pointer64', ['void']]], 'Object' : [ 0x10, ['pointer64', ['void']]], 'ObjectType' : [ 0x18, ['pointer64', ['_OBJECT_TYPE']]], 'TargetAccess' : [ 0x20, ['unsigned long']], 'ObjectInfo' : [ 0x24, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x28, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_EFI_FIRMWARE_INFORMATION' : [ 0x18, { 'FirmwareVersion' : [ 0x0, ['unsigned long']], 'VirtualEfiRuntimeServices' : [ 0x8, ['pointer64', ['_VIRTUAL_EFI_RUNTIME_SERVICES']]], 'SetVirtualAddressMapStatus' : [ 0x10, ['long']], 'MissedMappingsCount' : [ 0x14, ['unsigned long']], } ], '__unnamed_1cec' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8,
['unsigned long']], } ], '__unnamed_1cee' : [ 0x10, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1cf0' : [ 0x10, { 'Reserved' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1cf2' : [ 0x10, { 'Raw' : [ 0x0, ['__unnamed_1cf0']], 'Translated' : [ 0x0, ['__unnamed_1cee']], } ], '__unnamed_1cf4' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cf6' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cf8' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cfa' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cfc' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cfe' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_1d00' : [ 0x10, { 'Generic' : [ 0x0, ['__unnamed_1cec']], 'Port' : [ 0x0, ['__unnamed_1cec']], 'Interrupt' : [ 0x0, ['__unnamed_1cee']], 'MessageInterrupt' : [ 0x0, ['__unnamed_1cf2']], 'Memory' : [ 0x0, ['__unnamed_1cec']], 'Dma' : [ 0x0, ['__unnamed_1cf4']], 'DevicePrivate' : [ 0x0, ['__unnamed_1bfc']], 'BusNumber' : [ 0x0, ['__unnamed_1cf6']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1cf8']], 'Memory40' : [ 0x0, ['__unnamed_1cfa']], 'Memory48' : [ 0x0, ['__unnamed_1cfc']], 'Memory64' : [ 0x0, ['__unnamed_1cfe']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, 
['__unnamed_1d00']], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '__unnamed_1d07' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1d07']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_MMPTE_HARDWARE_LARGEPAGE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, 
native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PAT' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 21, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 48, native_type='unsigned long long')]], 'reserved2' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_KUSER_SHARED_DATA' : [ 0x3b8, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 
'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgSystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgSEHValidationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 8, ['unsigned short']]], 
'HeapTracingPid' : [ 0x390, ['array', 2, ['unsigned long']]], 'CritSecTracingPid' : [ 0x398, ['array', 2, ['unsigned long']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'AffinityPad' : [ 0x3a8, ['unsigned long long']], 'ActiveProcessorAffinity' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], } ], '__unnamed_1d24' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x58, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_1d24']], } ], '_CONFIGURATION_COMPONENT_DATA' : [ 0x48, { 'Parent' : [ 0x0, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'Child' : [ 0x8, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'Sibling' : [ 0x10, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'ComponentEntry' : [ 0x18, ['_CONFIGURATION_COMPONENT']], 'ConfigurationData' : [ 0x40, ['pointer64', ['void']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '__unnamed_1d2e' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMSUBSECTION_NODE']]], } ], '_MMSUBSECTION_NODE' : [ 0x28, { 'u' : [ 0x0, ['__unnamed_14cf']], 'StartingSector' : [ 0x4, ['unsigned long']], 'NumberOfFullSectors' : [ 0x8, ['unsigned long']], 'u1' : [ 0x10, ['__unnamed_1d2e']], 'LeftChild' : [ 0x18, ['pointer64', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x20, ['pointer64', ['_MMSUBSECTION_NODE']]], } ], '__unnamed_1d34' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_1d36' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_1d34']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x98, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'TotalBusyCount' : [ 0x8, ['unsigned long']], 
'ConservationIdleTime' : [ 0xc, ['unsigned long']], 'PerformanceIdleTime' : [ 0x10, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x20, ['_LIST_ENTRY']], 'DeviceType' : [ 0x30, ['unsigned char']], 'IdleState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x40, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x50, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x60, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x80, ['_LIST_ENTRY']], 'Specific' : [ 0x90, ['__unnamed_1d36']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', 
dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x68, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]], 'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], } ], '_KENLISTMENT' : [ 0x1e0, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x8, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x30, ['_GUID']], 'Mutex' : [ 0x40, ['_KMUTANT']], 'NextSameTx' : [ 0x78, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x88, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x98, ['pointer64', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 
0xa0, ['pointer64', ['_KTRANSACTION']]], 'State' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0xac, ['unsigned long']], 'NotificationMask' : [ 0xb0, ['unsigned long']], 'Key' : [ 0xb8, ['pointer64', ['void']]], 'KeyRefCount' : [ 0xc0, ['unsigned long']], 'RecoveryInformation' : [ 0xc8, ['pointer64', ['void']]], 'RecoveryInformationLength' : [ 0xd0, ['unsigned long']], 'DynamicNameInformation' : [ 0xd8, ['pointer64', ['void']]], 'DynamicNameInformationLength' : [ 0xe0, ['unsigned long']], 'FinalNotification' : [ 0xe8, ['pointer64', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0xf8, ['pointer64', ['void']]], 'SubordinateTxHandle' : [ 0x100, ['pointer64', ['void']]], 'CrmEnlistmentEnId' : [ 0x108, ['_GUID']], 'CrmEnlistmentTmId' : [ 0x118, ['_GUID']], 'CrmEnlistmentRmId' : [ 0x128, ['_GUID']], 'NextHistory' : [ 0x138, ['unsigned long']], 'History' : [ 0x13c, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], 
'_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, ['pointer64', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x28, ['unsigned char']], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x300, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x80, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x88, ['unsigned long']], 'LastCallbackId' : [ 0x8c, ['unsigned long']], 'PostCount' : [ 0x100, ['unsigned long']], 'ReturnCount' : [ 0x180, ['unsigned long']], 'LogSequenceNumber' : [ 0x200, ['unsigned long']], 'UserLock' : [ 0x280, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x288,
['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_DEVICE_MAP' : [ 0x38, { 'DosDevicesDirectory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'ReferenceCount' : [ 0x10, ['unsigned long']], 'DriveMap' : [ 0x14, ['unsigned long']], 'DriveType' : [ 0x18, ['array', 32, ['unsigned char']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_ETW_KERNEL_TRACE_TIMESTAMP' : [ 0x10, { 'KernelTraceTimeStamp' : [ 0x0, ['array', 2, ['_LARGE_INTEGER']]], } ], '_HEAP_DEBUGGING_INFORMATION' : [ 0x30, { 'InterceptorFunction' : [ 0x0, ['pointer64', ['void']]], 'InterceptorValue' : [ 0x8, ['unsigned short']], 'ExtendedOptions' : [ 0xc, ['unsigned long']], 'StackTraceDepth' : [ 0x10, ['unsigned long']], 'MinTotalBlockSize' : [ 0x18, ['unsigned long long']], 'MaxTotalBlockSize' : [ 0x20, ['unsigned long long']], 'HeapLeakEnumerationRoutine' : [ 0x28, ['pointer64', ['void']]], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x38, { 'BasePhysicalPage' : [ 0x0, ['unsigned long long']], 'BasedPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'BankSize' : [ 0x10, ['unsigned long']], 'BankShift' : [ 0x14, ['unsigned long']], 'BankedRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'CurrentMappedPte' : [ 0x28, ['pointer64', ['_MMPTE']]], 'BankTemplate' : [ 0x30, 
['array', 1, ['_MMPTE']]], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCIEXPRESS_ERROR' : [ 0xd0, { 'ValidBits' : [ 0x0, ['_WHEA_PCIEXPRESS_ERROR_VALIDBITS']], 'PortType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaPciExpressEndpoint', 1: 'WheaPciExpressLegacyEndpoint', 4: 'WheaPciExpressRootPort', 5: 'WheaPciExpressUpstreamSwitchPort', 6: 'WheaPciExpressDownstreamSwitchPort', 7: 'WheaPciExpressToPciXBridge', 8: 'WheaPciXToExpressBridge', 9: 'WheaPciExpressRootComplexIntegratedEndpoint', 10: 'WheaPciExpressRootComplexEventCollector'})]], 'Version' : [ 0xc, ['_WHEA_PCIEXPRESS_VERSION']], 'CommandStatus' : [ 0x10, ['_WHEA_PCIEXPRESS_COMMAND_STATUS']], 'Reserved' : [ 0x14, ['unsigned long']], 'DeviceId' : [ 0x18, ['_WHEA_PCIEXPRESS_DEVICE_ID']], 'DeviceSerialNumber' : [ 0x28, ['unsigned long long']], 'BridgeControlStatus' : [ 0x30, ['_WHEA_PCIEXPRESS_BRIDGE_CONTROL_STATUS']], 'ExpressCapability' : [ 0x34, ['array', 60, ['unsigned char']]], 'AerInfo' : [ 0x70, ['array', 96, ['unsigned char']]], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : 
[ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '__unnamed_1da8' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'UsingHypervisor' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_PERF_STATES' : [ 0x98, { 'Count' : [ 0x0, ['unsigned long']], 'MaxFrequency' : [ 0x4, ['unsigned long']], 'PStateCap' : [ 0x8, ['unsigned long']], 'TStateCap' : [ 0xc, ['unsigned long']], 'MaxPerfState' : [ 0x10, ['unsigned long']], 'MinPerfState' : [ 0x14, ['unsigned long']], 'LowestPState' : [ 0x18, ['unsigned long']], 'IncreaseTime' : [ 0x1c, ['unsigned long']], 'DecreaseTime' : [ 0x20, ['unsigned long']], 'BusyAdjThreshold' : [ 0x24, ['unsigned char']], 'Reserved' : [ 0x25, ['unsigned char']], 'ThrottleStatesOnly' : [ 0x26, ['unsigned char']], 'PolicyType' : [ 0x27, ['unsigned char']], 'TimerInterval' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['__unnamed_1da8']], 'TargetProcessors' : [ 0x30, ['unsigned long long']], 'PStateHandler' : [ 0x38, ['pointer64', ['void']]], 'PStateContext' : [ 0x40, ['unsigned long long']], 'TStateHandler' : [ 0x48, ['pointer64', ['void']]], 'TStateContext' : [ 0x50, ['unsigned long long']], 'FeedbackHandler' : [ 0x58, ['pointer64', ['void']]], 'DiaStats' : [ 0x60, ['pointer64', ['_PPM_DIA_STATS']]], 'DiaStatsCount' : [ 0x68, ['unsigned long']], 'State' : [ 0x70, ['array', 1, ['_PPM_PERF_STATE']]], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : 
[ 0x20, ['pointer64', ['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x30, { 'StartingVa' : [ 0x0, ['pointer64', ['void']]], 'EndingVa' : [ 0x8, ['pointer64', ['void']]], 'Parent' : [ 0x10, ['pointer64', ['void']]], 'LeftChild' : [ 0x18, ['pointer64', ['void']]], 'RightChild' : [ 0x20, ['pointer64', ['void']]], 'Segment' : [ 0x28, ['pointer64', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [ 0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'RequestSummary' : [ 0x0, ['long long']], 'RequestPacket' : [ 0x8, ['_KREQUEST_PACKET']], 'Virtual' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x60, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 
0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_WHEA_NMI_ERROR_FLAGS' : [ 0x4, { 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 
0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, ['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_RTL_ATOM_TABLE' : [ 0x70, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x8, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x30, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x60, ['unsigned long']], 'Buckets' : [ 0x68, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POP_POWER_ACTION' : [ 0xb0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d,
['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x38, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'DisplayResumeContext' : [ 0x40, ['pointer64', ['_POP_DISPLAY_RESUME_CONTEXT']]], 'HiberContext' : [ 0x48, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x50, ['unsigned long long']], 'SleepTime' : [ 0x58, ['unsigned long long']], 'FilteredCapabilities' : [ 0x60, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], 
'_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x40, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x18, ['unsigned char']], 'DeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x28, ['pointer64', ['unsigned short']]], 'DriverName' : [ 0x30, ['pointer64', ['unsigned short']]], 'ChildCount' : [ 0x38, ['unsigned long']], 'ActiveChild' : [ 0x3c, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x8, { 'PageHashes' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_1e04' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_1e06' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 
1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0x10, ['__unnamed_1e04']], 'Button' : [ 0x10, ['__unnamed_1e06']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, ['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 
'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_LOADER_PARAMETER_EXTENSION' : [ 0xc8, { 'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 'MajorVersion' : [ 0x14, ['unsigned long']], 'MinorVersion' : [ 0x18, ['unsigned long']], 'EmInfFileImage' : [ 0x20, ['pointer64', ['void']]], 'EmInfFileSize' : [ 0x28, ['unsigned long']], 'TriageDumpBlock' : [ 0x30, ['pointer64', ['void']]], 'LoaderPagesSpanned' : [ 0x38, ['unsigned long long']], 'HeadlessLoaderBlock' : [ 0x40, ['pointer64', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x48, ['pointer64', ['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x50, ['pointer64', ['void']]], 'DrvDBSize' : [ 0x58, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x60, ['pointer64', ['_NETWORK_LOADER_BLOCK']]], 
'FirmwareDescriptorListHead' : [ 0x68, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x78, ['pointer64', ['void']]], 'AcpiTableSize' : [ 0x80, ['unsigned long']], 'BootViaWinload' : [ 0x84, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x84, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'LoaderPerformanceData' : [ 0x88, ['pointer64', ['_LOADER_PERFORMANCE_DATA']]], 'BootApplicationPersistentData' : [ 0x90, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0xa0, ['pointer64', ['void']]], 'BootIdentifier' : [ 0xa8, ['_GUID']], 'ResumePages' : [ 0xb8, ['unsigned long']], 'DumpHeader' : [ 0xc0, ['pointer64', ['void']]], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x20, ['pointer64', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_WHEA_PCIEXPRESS_VERSION' : [ 0x4, { 'MinorVersion' : [ 0x0, ['unsigned char']], 'MajorVersion' : [ 0x1, ['unsigned char']], 'Reserved' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x3f8, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 
'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x3f0, ['unsigned long long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], 'StartAddress' : [ 0x28, ['pointer64', ['void']]], 'EndAddress' : [ 0x30, ['pointer64', ['void']]], 'Flags' : [ 0x38, ['unsigned long']], 'Signature' : [ 0x40, ['unsigned long long']], 'PoolPageHeaders' : [ 0x50, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x60, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x70, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x74, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x78, 
['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x7c, ['unsigned long']], 'PagedBytes' : [ 0x80, ['unsigned long long']], 'NonPagedBytes' : [ 0x88, ['unsigned long long']], 'PeakPagedBytes' : [ 0x90, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x98, ['unsigned long long']], } ], '_RTL_SRWLOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_ALPC_MESSAGE_ZONE' : [ 0x30, { 'Mdl' : [ 0x0, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x8, ['pointer64', ['void']]], 'UserLimit' : [ 0x10, ['pointer64', ['void']]], 'SystemVa' : [ 0x18, ['pointer64', ['void']]], 'SystemLimit' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x28, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x20, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']],
'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], } ], '_KSPECIAL_REGISTERS' : [ 0xd8, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]],
'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolIndex' : [ 0x0, ['BitField',
dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'BlockSize' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'PoolType' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x18, { 'RefCount' : [ 0x0, ['long']], 'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 0x8, ['pointer64', ['_ETW_REG_ENTRY']]], 'Caller' : [ 0x10, ['pointer64', ['void']]], } ], '_PEB64' : [ 0x368, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : 
[ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'IFEOKey' : [ 0x48, ['unsigned long long']], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'UserSharedInfoPtr' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x64, ['unsigned long']], 'SparePebPtr0' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'HotpatchInformation' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' 
: [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['unsigned long long']], 'WerShipAssertPtr' : [ 0x360, ['unsigned long long']], } ], 
'_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 'ImageFileName' : [ 0x0, ['pointer64', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x80, { 'Address' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '__unnamed_1eac' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1e00, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1eac']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x20, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x28, ['unsigned long long']], 'NonPagablePages' : [ 0x30, ['unsigned long long']], 'CommittedPages' : [ 0x38, ['unsigned long long']], 'PagedPoolStart' : [ 0x40, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x48, ['pointer64', ['void']]], 'SessionObject' : [ 0x50, ['pointer64', ['void']]], 'SessionObjectHandle' : [ 0x58, ['pointer64', ['void']]], 'ResidentProcessCount' : [ 0x60, ['long']], 'ImageLoadingCount' : [ 0x64, ['long']], 'SessionPoolAllocationFailures' : [ 0x68, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x78, ['_LIST_ENTRY']], 'LocaleId' : [ 0x88, ['unsigned long']], 'AttachCount' : [ 0x8c, ['unsigned long']], 'AttachGate' : [ 0x90, ['_KGATE']], 'WsListEntry' : [ 0xa8, ['_LIST_ENTRY']], 'Lookaside' : [ 0xc0, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb40, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xb98, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xc00, ['_MMSUPPORT']], 'Wsle' : [ 0xc68, 
['pointer64', ['_MMWSLE']]], 'DriverUnload' : [ 0xc70, ['pointer64', ['void']]], 'PagedPool' : [ 0xc78, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1cc0, ['_MMPTE']], 'SessionVaLock' : [ 0x1cc8, ['_KGUARDED_MUTEX']], 'DynamicVaBitMap' : [ 0x1d00, ['_RTL_BITMAP']], 'DynamicVaHint' : [ 0x1d10, ['unsigned long']], 'SpecialPool' : [ 0x1d18, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1d48, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1d80, ['long']], 'PagedPoolPdeCount' : [ 0x1d84, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1d88, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1d8c, ['unsigned long']], 'SystemPteInfo' : [ 0x1d90, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1dd8, ['pointer64', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1de0, ['unsigned long long']], 'PoolTrackBigPages' : [ 0x1de8, ['pointer64', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1df0, ['unsigned long long']], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, 
native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit 
= 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', ['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, 
['unsigned char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x68, { 'Mutex' : [ 0x0, ['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x38, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x48, ['pointer64', ['_MMPTE']]], 'PagedPoolHint' : [ 0x50, ['unsigned long']], 'PagedPoolCommit' : [ 0x58, ['unsigned long long']], 'AllocatedPagedPool' : [ 0x60, ['unsigned long long']], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '_WHEA_GENERIC_PROCESSOR_ERROR' : [ 0xc0, { 'ValidBits' : [ 0x0, ['_WHEA_GENERIC_PROCESSOR_ERROR_VALIDBITS']], 'ProcessorType' : [ 0x8, ['unsigned char']], 'InstructionSet' : [ 0x9, ['unsigned char']], 'ErrorType' : [ 0xa, ['unsigned char']], 'Operation' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned char']], 'Level' : [ 0xd, ['unsigned char']], 'Reserved' : [ 0xe, ['unsigned short']], 'CPUVersion' : [ 0x10, ['unsigned long long']], 'CPUBrandString' : [ 0x18, ['array', 128, ['unsigned char']]], 'ProcessorId' : [ 0x98, ['unsigned long long']],
'TargetAddress' : [ 0xa0, ['unsigned long long']], 'RequesterId' : [ 0xa8, ['unsigned long long']], 'ResponderId' : [ 0xb0, ['unsigned long long']], 'InstructionPointer' : [ 0xb8, ['unsigned long long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x30, { 'PteBase' : [ 0x0, ['pointer64', ['_MMPTE']]], 'FreePteHead' : [ 0x8, ['_MMPTE']], 'FreePteTail' : [ 0x10, ['_MMPTE']], 'PagesInUse' : [ 0x18, ['long long']], 'SpecialPoolPdes' : [ 0x20, ['_RTL_BITMAP']], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8,
['_KMUTANT']], 'Lock' : [ 0x40, ['_KGUARDED_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x20, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x10, ['_PO_IRP_QUEUE']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_WHEA_PCIEXPRESS_BRIDGE_CONTROL_STATUS' : [ 0x4, { 'BridgeSecondaryStatus' : [ 0x0, ['unsigned short']], 'BridgeControl' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_KDPC_DATA' : [ 0x20, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_WORKITEM' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1f26' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1f28' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 
0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_1f26']], 'Merged' : [ 0x10, ['__unnamed_1f28']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x8, ['pointer64', ['void']]], 'Lookaside' : [ 0x10, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '__unnamed_1f31' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_1f31']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x68, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x10, ['pointer64', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, 
['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_14cf']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], 'u1' : [ 0x38, ['__unnamed_1d2e']], 'LeftChild' : [ 0x40, ['pointer64', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x48, ['pointer64', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x50, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x60, ['unsigned long long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x70, { 'GetTime' : [ 0x0, ['unsigned long long']], 'SetTime' : [ 0x8, ['unsigned long long']], 'GetWakeupTime' : [ 0x10, ['unsigned long long']], 'SetWakeupTime' : [ 0x18, ['unsigned long long']], 'SetVirtualAddressMap' : [ 0x20, ['unsigned long long']], 'ConvertPointer' : [ 0x28, ['unsigned long long']], 'GetVariable' : [ 0x30, ['unsigned long long']], 'GetNextVariableName' : [ 0x38, ['unsigned long long']], 'SetVariable' : [ 0x40, ['unsigned long long']], 'GetNextHighMonotonicCount' : [ 0x48, ['unsigned long long']], 'ResetSystem' : [ 0x50, ['unsigned long long']], 'UpdateCapsule' : [ 0x58, ['unsigned long long']], 'QueryCapsuleCapabilities' : [ 0x60, ['unsigned long long']], 'QueryVariableInfo' : [ 0x68, ['unsigned long long']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' 
: [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 0x12, ['array', 3, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 
4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_WHEA_MEMORY_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_WHEA_PCIEXPRESS_DEVICE_ID' : [ 0x10, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 
'ClassCode' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'FunctionNumber' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'DeviceNumber' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Segment' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 24, native_type='unsigned long')]], 'PrimaryBusNumber' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'SecondaryBusNumber' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 10, native_type='unsigned long')]], 'SlotNumber' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 24, native_type='unsigned long')]], 'Reserved2' : [ 0xc, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_WNODE_HEADER' : [ 0x30, { 'BufferSize' : [ 0x0, ['unsigned long']], 'ProviderId' : [ 0x4, ['unsigned long']], 'HistoricalContext' : [ 0x8, ['unsigned long long']], 'Version' : [ 0x8, ['unsigned long']], 'Linkage' : [ 0xc, ['unsigned long']], 'CountLost' : [ 0x10, ['unsigned long']], 'KernelHandle' : [ 0x10, ['pointer64', ['void']]], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], } ], '__unnamed_1f51' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_1f55' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x50, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, 
['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u1' : [ 0x30, ['__unnamed_1f51']], 'u2' : [ 0x38, ['__unnamed_1f55']], 'PrototypePte' : [ 0x40, ['pointer64', ['_MMPTE']]], 'ThePtes' : [ 0x48, ['array', 1, ['_MMPTE']]], } ], '_WHEA_PCIXDEVICE_ID' : [ 0x10, { 'VendorId' : [ 0x0, ['unsigned short']], 'DeviceId' : [ 0x2, ['unsigned short']], 'ClassCode' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'FunctionNumber' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'DeviceNumber' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'BusNumber' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'SegmentNumber' : [ 0x8, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'Reserved1' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Reserved2' : [ 0xc, ['unsigned long']], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long long']], 'PrivateLinks' : [ 0x50, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x60, ['pointer64', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, 
['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_RTL_HANDLE_TABLE' : [ 0x30, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x18, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x20, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x28, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_PTE_TRACKER' : [ 0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x10, ['pointer64', ['_MDL']]], 'Count' : [ 0x18, ['unsigned long long']], 'SystemVa' : [ 0x20, ['pointer64', ['void']]], 'StartVa' : [ 0x28, ['pointer64', ['void']]], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, 
['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'IoMapping' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x40, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x40, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x40, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'CallingAddress' : [ 0x48, ['pointer64', ['void']]], 'CallersCaller' : [ 0x50, ['pointer64', ['void']]], } ], '_MMPFNLIST' : [ 0x20, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], } ], '_DEVOBJ_EXTENSION' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', ['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], 'DependentList' : [ 0x50, ['_LIST_ENTRY']], 'ProviderList' : [ 0x60, ['_LIST_ENTRY']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 
'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_WHEA_PCIEXPRESS_COMMAND_STATUS' : [ 0x4, { 'Command' : [ 0x0, ['unsigned short']], 'Status' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x20, { 'BlockAddress' : [ 0x0, ['unsigned long long']], 'BinAddress' : [ 0x8, ['unsigned long long']], 'CmView' : [ 0x10, ['pointer64', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0x18, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x18, { 'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned char']], 'NameLength' : [ 0xf, ['unsigned char']], 'Name' : [ 0x10, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x8, ['pointer64', ['void']]], } ], '_LOADER_PERFORMANCE_DATA' : [ 0x10, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], } ], '_MMSESSION' : [ 0x58, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x38, ['pointer64', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewTable' : [ 0x40, ['pointer64', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x48, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x4c, 
['unsigned long']], 'SystemSpaceHashKey' : [ 0x50, ['unsigned long']], 'BitmapFailures' : [ 0x54, ['unsigned long']], } ], '_WHEA_PCIEXPRESS_ERROR_VALIDBITS' : [ 0x8, { 'PortType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Version' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'CommandStatus' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'DeviceId' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'DeviceSerialNumber' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'BridgeControlStatus' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'ExpressCapability' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'AerInfo' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_ETW_REG_ENTRY' : [ 0x50, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x10, ['pointer64', ['_ETW_GUID_ENTRY']]], 'Index' : [ 0x18, ['unsigned short']], 'Flags' : [ 0x1a, ['unsigned short']], 'EnableMask' : [ 0x1c, ['unsigned char']], 'ReplyQueue' : [ 0x20, ['pointer64', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x20, ['array', 4, ['pointer64', ['_ETW_REG_ENTRY']]]], 'Process' : [ 0x40, ['pointer64', ['_EPROCESS']]], 'Callback' : [ 0x40, ['pointer64', ['void']]], 'CallbackContext' : [ 0x48, ['pointer64', ['void']]], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, 
['pointer64', ['void']]], 'ServerSectionBase' : [ 0x48, ['pointer64', ['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0xc8, ['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x10, ['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', 
dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_KNODE' : [ 0xc0, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x10, ['array', 3, ['_SLIST_HEADER']]], 'PfnDereferenceSListHead' : [ 0x40, ['_SLIST_HEADER']], 'ProcessorMask' : [ 0x50, ['unsigned long long']], 'Color' : [ 0x58, ['unsigned char']], 'Seed' : [ 0x59, ['unsigned char']], 'NodeNumber' : [ 0x5a, ['unsigned char']], 'Flags' : [ 0x5b, ['_flags']], 'MmShiftedColor' : [ 0x5c, ['unsigned long']], 'FreeCount' : [ 0x60, ['array', 2, ['unsigned long long']]], 'PfnDeferredList' : [ 0x70, ['pointer64', ['_SLIST_ENTRY']]], 'Right' : [ 0x78, ['unsigned long']], 'Left' : [ 0x7c, ['unsigned long']], 'CachedKernelStacks' : [ 0x80, ['_CACHED_KSTACK_LIST']], } ], '_CACHED_KSTACK_LIST' : [ 0x20, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x10, ['long']], 'Misses' : [ 0x14, ['unsigned long']], 'MissesLast' : [ 0x18, ['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x2b8, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'AbortEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'ReadySemaphore' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x28, ['pointer64', ['_KSEMAPHORE']]], 'GetNewDeviceList' : [ 0x30, ['unsigned char']], 'Order' : [ 0x38, ['_PO_DEVICE_NOTIFY_ORDER']], 'NotifyGdiLevelForPowerOn' : [ 0x288, ['long']], 'NotifyGdiLevelForResumeUI' : [ 0x28c, ['long']], 'Pending' : [ 0x290, ['_LIST_ENTRY']], 'Status' : [ 0x2a0, ['long']], 'FailedDevice' : [ 0x2a8, 
['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x2b0, ['unsigned char']], 'Cancelled' : [ 0x2b1, ['unsigned char']], 'IgnoreErrors' : [ 0x2b2, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x2b3, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x2b4, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 22, native_type='unsigned long')]], 'ContainsPxeSubsection' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Binary32' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_EX_WORK_QUEUE' : [ 0x58, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x40, ['unsigned long']], 'WorkItemsProcessed' : [ 0x44, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x48, ['unsigned long']], 'QueueDepthLastPass' : [ 0x4c, ['unsigned long']], 'Info' : [ 0x50, ['EX_QUEUE_WORKER_INFO']], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0x18, { 'SharedCacheMapLinks' : [ 0x0, 
['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_TEB32' : [ 0xff8, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes1' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 
0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'EtwLocalData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'SpareBool0' : [ 0xf74, ['unsigned char']], 'SpareBool1' : [ 0xf75, ['unsigned char']], 'SpareBool2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' 
: [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'DbgSafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RtlDisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'ProcessRundown' : [ 0xfdc, ['unsigned long']], 'LastSwitchTime' : [ 0xfe0, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0xfe8, ['unsigned long long']], 'WaitReasonBitMap' : [ 0xff0, ['_LARGE_INTEGER']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], 
'_VI_DEADLOCK_THREAD' : [ 0x30, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], } ], '_PPM_IDLE_STATE' : [ 0x28, { 'IdleHandler' : [ 0x0, ['pointer64', ['void']]], 'Context' : [ 0x8, ['pointer64', ['void']]], 'Latency' : [ 0x10, ['unsigned long']], 'Power' : [ 0x14, ['unsigned long']], 'TimeCheck' : [ 0x18, ['unsigned long']], 'StateFlags' : [ 0x1c, ['unsigned long']], 'PromotePercent' : [ 0x20, ['unsigned char']], 'DemotePercent' : [ 0x21, ['unsigned char']], 'PromotePercentBase' : [ 0x22, ['unsigned char']], 'DemotePercentBase' : [ 0x23, ['unsigned char']], 'StateType' : [ 0x24, ['unsigned char']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_KRESOURCEMANAGER' : [ 0x250, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 
'KResourceManagerOnline'})]], 'Flags' : [ 0x20, ['unsigned long']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x88, ['_GUID']], 'NotificationQueue' : [ 0x98, ['_KQUEUE']], 'NotificationMutex' : [ 0xd8, ['_KMUTANT']], 'EnlistmentHead' : [ 0x110, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x120, ['unsigned long']], 'NotificationRoutine' : [ 0x128, ['pointer64', ['void']]], 'Key' : [ 0x130, ['pointer64', ['void']]], 'ProtocolListHead' : [ 0x138, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0x148, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0x158, ['_LIST_ENTRY']], 'Tm' : [ 0x168, ['pointer64', ['_KTM']]], 'Description' : [ 0x170, ['_UNICODE_STRING']], 'Enlistments' : [ 0x180, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x228, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x90, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, 
['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'OptionChanges' : [ 0x78, ['unsigned long']], 'VerifyMode' : [ 0x7c, ['unsigned long']], 'PreviousBucketName' : [ 0x80, ['_UNICODE_STRING']], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x8168, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x18, ['unsigned long long']], 'ResourceAddressRange' : [ 0x20, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x4010, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x4018, ['unsigned long long']], 'ThreadAddressRange' : [ 0x4020, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x8010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x8014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x8018, ['unsigned long']], 'NodesSearched' : [ 0x801c, ['unsigned long']], 'MaxNodesSearched' : [ 0x8020, ['unsigned long']], 'SequenceNumber' : [ 0x8024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x8028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x802c, ['unsigned long']], 'DepthLimitHits' : [ 0x8030, 
['unsigned long']], 'SearchLimitHits' : [ 0x8034, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x8038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x803c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x8040, ['unsigned long']], 'TotalReleases' : [ 0x8044, ['unsigned long']], 'RootNodesDeleted' : [ 0x8048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x804c, ['unsigned long']], 'Instigator' : [ 0x8050, ['pointer64', ['void']]], 'NumberOfParticipants' : [ 0x8058, ['unsigned long']], 'Participant' : [ 0x8060, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x8160, ['long']], } ], '_POP_DISPLAY_RESUME_CONTEXT' : [ 0x80, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkerThread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'PrepareUIEvent' : [ 0x28, ['_KEVENT']], 'PowerOnEvent' : [ 0x40, ['_KEVENT']], 'DoneEvent' : [ 0x58, ['_KEVENT']], 'WorkerQueued' : [ 0x70, ['unsigned long']], 'WorkerAbort' : [ 0x74, ['unsigned long']], 'NoResumeUI' : [ 0x78, ['unsigned long']], } ], '_KPCR' : [ 0x3ca0, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'UserRsp' : [ 0x10, ['unsigned long long']], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, 
['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, ['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, ['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_KTM' : [ 0x3a0, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x8, ['_KMUTANT']], 'State' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x48, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x70, ['_GUID']], 'Flags' : [ 0x80, ['unsigned long']], 'VolatileFlags' : [ 0x84, ['unsigned long']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0xa0, ['pointer64', ['void']]], 'LogManagementContext' : [ 0xa8, ['pointer64', ['void']]], 'Transactions' : [ 0xb0, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0x158, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x200, ['_KMUTANT']], 'LsnOrderedList' : [ 0x238, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x248, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x250, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x288, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x290, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x298, ['_CLS_LSN']], 'TmRmHandle' : [ 0x2a0, ['pointer64', ['void']]], 'TmRm' : [ 0x2a8, ['pointer64', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x2b0, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x2c8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x2e8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x2f0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x310, ['_ERESOURCE']], 'LogFlags' : [ 0x378, ['unsigned long']], 'LogFullStatus' : [ 0x37c, ['long']], 'RecoveryStatus' : [ 0x380, ['long']], 
    'LastCheckBaseLsn' : [ 0x388, ['_CLS_LSN']],
    'RestartOrderedList' : [ 0x390, ['_LIST_ENTRY']],
} ],
}
volatility-2.3.1/volatility/plugins/overlays/windows/win7.py
# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: The Volatility Foundation
@license: GNU General Public License 2.0
@contact: awalters@4tphi.net

This file provides support for Windows 7.
"""

#pylint: disable-msg=C0111

import windows
import volatility.obj as obj
import volatility.debug as debug #pylint: disable-msg=W0611

class Win7Pointer64(obj.ProfileModification):
    before = ['WindowsOverlay', 'WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x: x >= 6,
                  'memory_model': lambda x: x == '32bit'}

    def modification(self, profile):
        profile.native_types.update({'pointer64': [8, '= 1}

    def modification(self, profile):
        profile.object_classes.update({'_OBJECT_HEADER': _OBJECT_HEADER})

class Win7x86Hiber(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1}

    def modification(self, profile):
        overlay = {'VOLATILITY_MAGIC': [ None, {
                        'HibrProcPage' : [ None, ['VolatilityMagic', dict(value = 0x1)]],
                        'HibrEntryCount' : [ None, ['VolatilityMagic', dict(value = 0x1ff)]],
                        }]}
        profile.merge_overlay(overlay)

class Win7x64Hiber(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x: x == 6,
                  'minor': lambda x: x == 1}

    def modification(self, profile):
        overlay = {'VOLATILITY_MAGIC': [ None, {
                        'HibrProcPage' : [ None, ['VolatilityMagic', dict(value = 0x1)]],
                        'HibrEntryCount' : [ None, ['VolatilityMagic', dict(value = 0xff)]],
                        }]}
        profile.merge_overlay(overlay)

class Win7SP0x86(obj.Profile):
    """ A Profile for Windows 7 SP0 x86 """
    _md_memory_model = '32bit'
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 1
    _md_build = 7600
    _md_vtype_module = 'volatility.plugins.overlays.windows.win7_sp0_x86_vtypes'

class Win7SP1x86(obj.Profile):
    """ A Profile for Windows 7 SP1 x86 """
    _md_memory_model = '32bit'
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 1
    _md_build = 7601
    _md_vtype_module = 'volatility.plugins.overlays.windows.win7_sp1_x86_vtypes'

class Win7SP0x64(obj.Profile):
    """ A Profile for Windows 7 SP0 x64 """
    _md_memory_model = '64bit'
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 1
    _md_build = 7600
    _md_vtype_module = 'volatility.plugins.overlays.windows.win7_sp0_x64_vtypes'

class Win7SP1x64(obj.Profile):
    """ A Profile for Windows 7 SP1 x64 """
    _md_memory_model = '64bit'
    _md_os = 'windows'
    _md_major = 6
    _md_minor = 1
    _md_build = 7601
    _md_vtype_module = 'volatility.plugins.overlays.windows.win7_sp1_x64_vtypes'

class Win2008R2SP0x64(Win7SP0x64):
    """ A Profile for Windows 2008 R2 SP0 x64 """

class Win2008R2SP1x64(Win7SP1x64):
    """ A Profile for Windows 2008 R2 SP1 x64 """
volatility-2.3.1/volatility/plugins/overlays/windows/crash_vtypes.py
# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

crash_vtypes = {
## These types are for crash dumps
  '_DMP_HEADER' : [ 0x1000, {
    'Signature' : [ 0x0, ['array', 4, ['unsigned char']]],
    'ValidDump' : [ 0x4, ['array', 4, ['unsigned char']]],
    'MajorVersion' : [ 0x8, ['unsigned long']],
    'MinorVersion' : [ 0xc, ['unsigned long']],
    'DirectoryTableBase' : [ 0x10, ['unsigned long']],
    'PfnDataBase' : [ 0x14, ['unsigned long']],
    'PsLoadedModuleList' : [ 0x18, ['unsigned long']],
    'PsActiveProcessHead' : [ 0x1c, ['unsigned long']],
    'MachineImageType' : [ 0x20, ['unsigned long']],
    'NumberProcessors' : [ 0x24, ['unsigned long']],
    'BugCheckCode' : [ 0x28, ['unsigned long']],
    'BugCheckCodeParameter' : [ 0x2c, ['array', 4, ['unsigned long']]],
    'VersionUser' : [ 0x3c, ['array', 32, ['unsigned char']]],
    'PaeEnabled' : [ 0x5c, ['unsigned char']],
    'KdSecondaryVersion' : [ 0x5d, ['unsigned char']],
    'VersionUser2' : [ 0x5e, ['array', 2, ['unsigned char']]],
    'KdDebuggerDataBlock' : [ 0x60, ['unsigned long']],
    'PhysicalMemoryBlockBuffer' : [ 0x64, ['_PHYSICAL_MEMORY_DESCRIPTOR']],
    'ContextRecord' : [ 0x320, ['array', 1200, ['unsigned char']]],
    'Exception' : [ 0x7d0, ['_EXCEPTION_RECORD32']],
    'Comment' : [ 0x820, ['array', 128, ['unsigned char']]],
    'DumpType' : [ 0xf88, ['unsigned long']],
    'MiniDumpFields' : [ 0xf8c, ['unsigned long']],
    'SecondaryDataState' : [ 0xf90, ['unsigned long']],
    'ProductType' : [ 0xf94, ['unsigned long']],
    'SuiteMask' : [ 0xf98, ['unsigned long']],
    'WriterStatus' : [ 0xf9c, ['unsigned long']],
    'RequiredDumpSpace' : [ 0xfa0, ['unsigned long long']],
    'SystemUpTime' : [ 0xfb8, ['unsigned long long']],
    'SystemTime' : [ 0xfc0, ['unsigned long long']],
    'reserved3' : [ 0xfc8, ['array', 56, ['unsigned char']]],
} ],
  '_DMP_HEADER64' : [ 0x2000, {
    'Signature' : [ 0x0, ['array', 4, ['unsigned char']]],
    'ValidDump' : [ 0x4, ['array', 4, ['unsigned char']]],
    'MajorVersion' : [ 0x8, ['unsigned long']],
    'MinorVersion' : [ 0xc, ['unsigned long']],
    'DirectoryTableBase' : [ 0x10, ['unsigned long long']],
    'PfnDataBase' : [ 0x18, ['unsigned long long']],
    'PsLoadedModuleList' : [ 0x20, ['unsigned long long']],
    'PsActiveProcessHead' : [ 0x28, ['unsigned long long']],
    'MachineImageType' : [ 0x30, ['unsigned long']],
    'NumberProcessors' : [ 0x34, ['unsigned long']],
    'BugCheckCode' : [ 0x38, ['unsigned long']],
    'BugCheckCodeParameter' : [ 0x40, ['array', 4, ['unsigned long long']]],
    'KdDebuggerDataBlock' : [0x80, ['unsigned long long']],
    'PhysicalMemoryBlockBuffer' : [ 0x88, ['_PHYSICAL_MEMORY_DESCRIPTOR']],
    'ContextRecord' : [ 0x348, ['array', 3000, ['unsigned char']]],
    'Exception' : [ 0xf00, ['_EXCEPTION_RECORD64']],
    'DumpType' : [ 0xf98, ['unsigned long']],
    'RequiredDumpSpace' : [ 0xfa0, ['unsigned long long']],
    'SystemTime' : [ 0xfa8, ['unsigned long long']],
    'Comment' : [ 0xfb0, ['array', 128, ['unsigned char']]],
    'SystemUpTime' : [ 0x1030, ['unsigned long long']],
    'MiniDumpFields' : [ 0x1038, ['unsigned long']],
    'SecondaryDataState' : [ 0x103c, ['unsigned long']],
    'ProductType' : [ 0x1040, ['unsigned long']],
    'SuiteMask' : [ 0x1044, ['unsigned long']],
    'WriterStatus' : [ 0x1048, ['unsigned long']],
    'Unused1' : [ 0x104c, ['unsigned char']],
    'KdSecondaryVersion' : [ 0x104d, ['unsigned char']],
    'Unused' : [ 0x104e, ['array', 2, ['unsigned char']]],
    '_reserved0' : [ 0x1050, ['array', 4016, ['unsigned char']]],
} ],
}
volatility-2.3.1/volatility/plugins/overlays/windows/__init__.py
volatility-2.3.1/volatility/plugins/overlays/windows/win2003_sp1_x64_vtypes.py
ntkrnlmp_types = {
  'LIST_ENTRY64' : [ 0x10, {
    'Flink' : [ 0x0, ['unsigned long long']],
    'Blink' : [ 0x8, ['unsigned long long']],
} ],
  'LIST_ENTRY32' : [ 0x8, {
    'Flink' : [ 0x0, ['unsigned long']],
    'Blink' : [ 0x4, ['unsigned long']],
} ],
  '__unnamed_1015' : [ 0x8, {
    'LowPart' : [ 0x0, ['unsigned long']],
    'HighPart' : [ 0x4, ['unsigned long']],
} ],
  '_ULARGE_INTEGER' : [ 0x8, {
    'LowPart'
: [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1015']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], '__unnamed_1026' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1026']], 'QuadPart' : [ 0x0, ['long long']], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_KPRCB' : [ 0x2480, { 'MxCsr' : [ 0x0, ['unsigned long']], 'Number' : [ 0x4, ['unsigned char']], 'NestingLevel' : [ 0x5, ['unsigned char']], 'InterruptRequest' : [ 0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'UserRsp' : [ 0x20, ['unsigned long long']], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'SetMember' : [ 0x38, ['unsigned long long']], 'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']], 'CpuType' : [ 0x5f0, ['unsigned char']], 'CpuID' : [ 0x5f1, ['unsigned char']], 'CpuStep' : [ 0x5f2, ['unsigned short']], 'MHz' : [ 0x5f4, ['unsigned long']], 'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x638, ['unsigned short']], 'MajorVersion' : [ 0x63a, ['unsigned short']], 'BuildType' : [ 0x63c, ['unsigned char']], 'CpuVendor' : [ 0x63d, ['unsigned char']], 
'InitialApicId' : [ 0x63e, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x63f, ['unsigned char']], 'ApicMask' : [ 0x640, ['unsigned long']], 'CFlushSize' : [ 0x644, ['unsigned char']], 'PrcbPad0x' : [ 0x645, ['array', 3, ['unsigned char']]], 'AcpiReserved' : [ 0x648, ['pointer64', ['void']]], 'PrcbPad00' : [ 0x650, ['array', 4, ['unsigned long long']]], 'LockQueue' : [ 0x670, ['array', 33, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x880, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x980, ['array', 32, ['_PP_LOOKASIDE_LIST']]], 'PPPagedLookasideList' : [ 0xb80, ['array', 32, ['_PP_LOOKASIDE_LIST']]], 'PacketBarrier' : [ 0xd80, ['unsigned long long']], 'DeferredReadyListHead' : [ 0xd88, ['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0xd90, ['long']], 'MmCopyOnWriteCount' : [ 0xd94, ['long']], 'MmTransitionCount' : [ 0xd98, ['long']], 'MmCacheTransitionCount' : [ 0xd9c, ['long']], 'MmDemandZeroCount' : [ 0xda0, ['long']], 'MmPageReadCount' : [ 0xda4, ['long']], 'MmPageReadIoCount' : [ 0xda8, ['long']], 'MmCacheReadCount' : [ 0xdac, ['long']], 'MmCacheIoCount' : [ 0xdb0, ['long']], 'MmDirtyPagesWriteCount' : [ 0xdb4, ['long']], 'MmDirtyWriteIoCount' : [ 0xdb8, ['long']], 'MmMappedPagesWriteCount' : [ 0xdbc, ['long']], 'MmMappedWriteIoCount' : [ 0xdc0, ['long']], 'LookasideIrpFloat' : [ 0xdc4, ['long']], 'KeSystemCalls' : [ 0xdc8, ['unsigned long']], 'IoReadOperationCount' : [ 0xdcc, ['long']], 'IoWriteOperationCount' : [ 0xdd0, ['long']], 'IoOtherOperationCount' : [ 0xdd4, ['long']], 'IoReadTransferCount' : [ 0xdd8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0xde0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0xde8, ['_LARGE_INTEGER']], 'KeContextSwitches' : [ 0xdf0, ['unsigned long']], 'PrcbPad2' : [ 0xdf4, ['array', 12, ['unsigned char']]], 'TargetSet' : [ 0xe00, ['unsigned long long']], 'IpiFrozen' : [ 0xe08, ['unsigned long']], 'PrcbPad3' : [ 0xe0c, ['array', 116, ['unsigned char']]], 'RequestMailbox' : [ 
0xe80, ['array', 64, ['_REQUEST_MAILBOX']]], 'SenderSummary' : [ 0x1e80, ['unsigned long long']], 'PrcbPad4' : [ 0x1e88, ['array', 120, ['unsigned char']]], 'DpcData' : [ 0x1f00, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x1f40, ['pointer64', ['void']]], 'SavedRsp' : [ 0x1f48, ['pointer64', ['void']]], 'MaximumDpcQueueDepth' : [ 0x1f50, ['long']], 'DpcRequestRate' : [ 0x1f54, ['unsigned long']], 'MinimumDpcRate' : [ 0x1f58, ['unsigned long']], 'DpcInterruptRequested' : [ 0x1f5c, ['unsigned char']], 'DpcThreadRequested' : [ 0x1f5d, ['unsigned char']], 'DpcRoutineActive' : [ 0x1f5e, ['unsigned char']], 'DpcThreadActive' : [ 0x1f5f, ['unsigned char']], 'TimerHand' : [ 0x1f60, ['unsigned long long']], 'TimerRequest' : [ 0x1f60, ['unsigned long long']], 'TickOffset' : [ 0x1f68, ['long']], 'MasterOffset' : [ 0x1f6c, ['long']], 'DpcLastCount' : [ 0x1f70, ['unsigned long']], 'ThreadDpcEnable' : [ 0x1f74, ['unsigned char']], 'QuantumEnd' : [ 0x1f75, ['unsigned char']], 'PrcbPad50' : [ 0x1f76, ['unsigned char']], 'IdleSchedule' : [ 0x1f77, ['unsigned char']], 'DpcSetEventRequest' : [ 0x1f78, ['long']], 'PrcbPad40' : [ 0x1f7c, ['long']], 'DpcThread' : [ 0x1f80, ['pointer64', ['void']]], 'DpcEvent' : [ 0x1f88, ['_KEVENT']], 'CallDpc' : [ 0x1fa0, ['_KDPC']], 'PrcbPad7' : [ 0x1fe0, ['array', 4, ['unsigned long long']]], 'WaitListHead' : [ 0x2000, ['_LIST_ENTRY']], 'ReadySummary' : [ 0x2010, ['unsigned long']], 'QueueIndex' : [ 0x2014, ['unsigned long']], 'DispatcherReadyListHead' : [ 0x2018, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x2218, ['unsigned long']], 'KernelTime' : [ 0x221c, ['unsigned long']], 'UserTime' : [ 0x2220, ['unsigned long']], 'DpcTime' : [ 0x2224, ['unsigned long']], 'InterruptTime' : [ 0x2228, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x222c, ['unsigned long']], 'SkipTick' : [ 0x2230, ['unsigned char']], 'DebuggerSavedIRQL' : [ 0x2231, ['unsigned char']], 'PollSlot' : [ 0x2232, ['unsigned char']], 'PrcbPad8' : [ 0x2233, ['array', 13, 
['unsigned char']]], 'ParentNode' : [ 0x2240, ['pointer64', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x2248, ['unsigned long long']], 'MultiThreadSetMaster' : [ 0x2250, ['pointer64', ['_KPRCB']]], 'Sleeping' : [ 0x2258, ['long']], 'PrcbPad90' : [ 0x225c, ['array', 1, ['unsigned long']]], 'DebugDpcTime' : [ 0x2260, ['unsigned long']], 'PageColor' : [ 0x2264, ['unsigned long']], 'NodeColor' : [ 0x2268, ['unsigned long']], 'NodeShiftedColor' : [ 0x226c, ['unsigned long']], 'SecondaryColorMask' : [ 0x2270, ['unsigned long']], 'PrcbPad9' : [ 0x2274, ['array', 12, ['unsigned char']]], 'CcFastReadNoWait' : [ 0x2280, ['unsigned long']], 'CcFastReadWait' : [ 0x2284, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x2288, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x228c, ['unsigned long']], 'CcCopyReadWait' : [ 0x2290, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x2294, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x2298, ['unsigned long']], 'KeDcacheFlushCount' : [ 0x229c, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x22a0, ['unsigned long']], 'KeFirstLevelTbFills' : [ 0x22a4, ['unsigned long']], 'KeFloatingEmulationCount' : [ 0x22a8, ['unsigned long']], 'KeIcacheFlushCount' : [ 0x22ac, ['unsigned long']], 'KeSecondLevelTbFills' : [ 0x22b0, ['unsigned long']], 'VendorString' : [ 0x22b4, ['array', 13, ['unsigned char']]], 'PrcbPad10' : [ 0x22c1, ['array', 2, ['unsigned char']]], 'FeatureBits' : [ 0x22c4, ['unsigned long']], 'UpdateSignature' : [ 0x22c8, ['_LARGE_INTEGER']], 'PowerState' : [ 0x22d0, ['_PROCESSOR_POWER_STATE']], 'Cache' : [ 0x2440, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x247c, ['unsigned long']], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, { 'Next' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_KDPC' : [ 0x40, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned char']], 'Expedite' : [ 0x3, ['unsigned char']], 'DpcListEntry' : [ 0x8, ['_LIST_ENTRY']], 'DeferredRoutine' : 
[ 0x18, ['pointer64', ['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', ['void']]], 'DpcData' : [ 0x38, ['pointer64', ['void']]], } ], '_KERNEL_STACK_CONTROL' : [ 0x200, { 'XmmSaveArea' : [ 0x0, ['_XMM_SAVE_AREA32']], 'Fill' : [ 0x0, ['array', 432, ['unsigned char']]], 'Current' : [ 0x1b0, ['_KERNEL_STACK_SEGMENT']], 'Previous' : [ 0x1d8, ['_KERNEL_STACK_SEGMENT']], } ], '_KTHREAD' : [ 0x320, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListHead' : [ 0x18, ['_LIST_ENTRY']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'KernelStack' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 0x40, ['unsigned long long']], 'ApcState' : [ 0x48, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x48, ['array', 43, ['unsigned char']]], 'ApcQueueable' : [ 0x73, ['unsigned char']], 'NextProcessor' : [ 0x74, ['unsigned char']], 'DeferredProcessor' : [ 0x75, ['unsigned char']], 'AdjustReason' : [ 0x76, ['unsigned char']], 'AdjustIncrement' : [ 0x77, ['unsigned char']], 'ApcQueueLock' : [ 0x78, ['unsigned long long']], 'WaitStatus' : [ 0x80, ['long long']], 'WaitBlockList' : [ 0x88, ['pointer64', ['_KWAIT_BLOCK']]], 'GateObject' : [ 0x88, ['pointer64', ['_KGATE']]], 'Alertable' : [ 0x90, ['unsigned char']], 'WaitNext' : [ 0x91, ['unsigned char']], 'WaitReason' : [ 0x92, ['unsigned char']], 'Priority' : [ 0x93, ['unsigned char']], 'EnableStackSwap' : [ 0x94, ['unsigned char']], 'SwapBusy' : [ 0x95, ['unsigned char']], 'Alerted' : [ 0x96, ['array', 2, ['unsigned char']]], 'WaitListEntry' : [ 0x98, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x98, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xa8, ['pointer64', ['_KQUEUE']]], 'Teb' : [ 0xb0, ['pointer64', ['void']]], 'Timer' : [ 0xb8, ['_KTIMER']], 'TimerFill' : [ 0xb8, ['array', 60, ['unsigned char']]], 'AutoAlignment' : [ 0xf4, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='long')]], 'DisableBoost' : [ 0xf4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'ReservedFlags' : [ 0xf4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='long')]], 'ThreadFlags' : [ 0xf4, ['long']], 'WaitBlock' : [ 0xf8, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill0' : [ 0xf8, ['array', 43, ['unsigned char']]], 'SystemAffinityActive' : [ 0x123, ['unsigned char']], 'WaitBlockFill1' : [ 0xf8, ['array', 91, ['unsigned char']]], 'PreviousMode' : [ 0x153, ['unsigned char']], 'WaitBlockFill2' : [ 0xf8, ['array', 139, ['unsigned char']]], 'ResourceIndex' : [ 0x183, ['unsigned char']], 'WaitBlockFill3' : [ 0xf8, ['array', 187, ['unsigned char']]], 'LargeStack' : [ 0x1b3, ['unsigned char']], 'WaitBlockFill4' : [ 0xf8, ['array', 44, ['unsigned char']]], 'ContextSwitches' : [ 0x124, ['unsigned long']], 'WaitBlockFill5' : [ 0xf8, ['array', 92, ['unsigned char']]], 'State' : [ 0x154, ['unsigned char']], 'NpxState' : [ 0x155, ['unsigned char']], 'WaitIrql' : [ 0x156, ['unsigned char']], 'WaitMode' : [ 0x157, ['unsigned char']], 'WaitBlockFill6' : [ 0xf8, ['array', 140, ['unsigned char']]], 'WaitTime' : [ 0x184, ['unsigned long']], 'WaitBlockFill7' : [ 0xf8, ['array', 188, ['unsigned char']]], 'KernelApcDisable' : [ 0x1b4, ['short']], 'SpecialApcDisable' : [ 0x1b6, ['short']], 'CombinedApcDisable' : [ 0x1b4, ['unsigned long']], 'QueueListEntry' : [ 0x1b8, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x1c8, ['pointer64', ['_KTRAP_FRAME']]], 'CallbackStack' : [ 0x1d0, ['pointer64', ['void']]], 'ServiceTable' : [ 0x1d8, ['pointer64', ['void']]], 'KernelLimit' : [ 0x1e0, ['unsigned long']], 'ApcStateIndex' : [ 0x1e4, ['unsigned char']], 'IdealProcessor' : [ 0x1e5, ['unsigned char']], 'Preempted' : [ 0x1e6, ['unsigned char']], 'ProcessReadyQueue' : [ 0x1e7, ['unsigned char']], 'Win32kTable' : [ 0x1e8, ['pointer64', ['void']]], 'Win32kLimit' : [ 0x1f0, ['unsigned long']], 'KernelStackResident' : [ 0x1f4, ['unsigned char']], 'BasePriority' : [ 
0x1f5, ['unsigned char']], 'PriorityDecrement' : [ 0x1f6, ['unsigned char']], 'Saturation' : [ 0x1f7, ['unsigned char']], 'UserAffinity' : [ 0x1f8, ['unsigned long long']], 'Process' : [ 0x200, ['pointer64', ['_KPROCESS']]], 'Affinity' : [ 0x208, ['unsigned long long']], 'ApcStatePointer' : [ 0x210, ['array', 2, ['pointer64', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x220, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x220, ['array', 43, ['unsigned char']]], 'FreezeCount' : [ 0x24b, ['unsigned char']], 'SuspendCount' : [ 0x24c, ['unsigned char']], 'UserIdealProcessor' : [ 0x24d, ['unsigned char']], 'CalloutActive' : [ 0x24e, ['unsigned char']], 'CodePatchInProgress' : [ 0x24f, ['unsigned char']], 'Win32Thread' : [ 0x250, ['pointer64', ['void']]], 'StackBase' : [ 0x258, ['pointer64', ['void']]], 'SuspendApc' : [ 0x260, ['_KAPC']], 'SuspendApcFill0' : [ 0x260, ['array', 1, ['unsigned char']]], 'Quantum' : [ 0x261, ['unsigned char']], 'SuspendApcFill1' : [ 0x260, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x263, ['unsigned char']], 'SuspendApcFill2' : [ 0x260, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x264, ['unsigned long']], 'SuspendApcFill3' : [ 0x260, ['array', 64, ['unsigned char']]], 'TlsArray' : [ 0x2a0, ['pointer64', ['void']]], 'SuspendApcFill4' : [ 0x260, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x2a8, ['pointer64', ['void']]], 'SuspendApcFill5' : [ 0x260, ['array', 83, ['unsigned char']]], 'PowerState' : [ 0x2b3, ['unsigned char']], 'UserTime' : [ 0x2b4, ['unsigned long']], 'SuspendSemaphore' : [ 0x2b8, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x2b8, ['array', 28, ['unsigned char']]], 'SListFaultCount' : [ 0x2d4, ['unsigned long']], 'ThreadListEntry' : [ 0x2d8, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x2e8, ['pointer64', ['void']]], 'ReadOperationCount' : [ 0x2f0, ['long long']], 'WriteOperationCount' : [ 0x2f8, ['long long']], 'OtherOperationCount' : [ 0x300, ['long long']], 'ReadTransferCount' : [ 0x308, ['long long']], 
'WriteTransferCount' : [ 0x310, ['long long']], 'OtherTransferCount' : [ 0x318, ['long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x28, { 'StackBase' : [ 0x0, ['unsigned long long']], 'StackLimit' : [ 0x8, ['unsigned long long']], 'KernelStack' : [ 0x10, ['unsigned long long']], 'InitialStack' : [ 0x18, ['unsigned long long']], 'ActualLimit' : [ 0x20, ['unsigned long long']], } ], '_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long long']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 
0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_UNICODE_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_IO_STATUS_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 'Information' : [ 0x8, ['unsigned long long']], } ], '_EX_RUNDOWN_REF' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x40, { 'WakeGate' : [ 0x0, ['_KGATE']], 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x18, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x20, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x28, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x30, ['long']], 'Flags' : [ 0x34, 
['long']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x100, { 'Locks' : [ 0x0, ['array', 32, ['pointer64', ['_EX_PUSH_LOCK']]]], } ], '_ETHREAD' : [ 0x428, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x320, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x328, ['_LARGE_INTEGER']], 'LpcReplyChain' : [ 0x328, ['_LIST_ENTRY']], 'KeyedWaitChain' : [ 0x328, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x338, ['long']], 'OfsChain' : [ 0x338, ['pointer64', ['void']]], 'PostBlockList' : [ 0x340, ['_LIST_ENTRY']], 'TerminationPort' : [ 0x350, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x350, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x350, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x358, ['unsigned long long']], 'ActiveTimerListHead' : [ 0x360, ['_LIST_ENTRY']], 'Cid' : [ 0x370, ['_CLIENT_ID']], 'LpcReplySemaphore' : [ 0x380, ['_KSEMAPHORE']], 'KeyedWaitSemaphore' : [ 0x380, ['_KSEMAPHORE']], 'LpcReplyMessage' : [ 0x3a0, ['pointer64', ['void']]], 'LpcWaitingOnPort' : [ 0x3a0, ['pointer64', ['void']]], 'ImpersonationInfo' : [ 0x3a8, ['pointer64', ['_PS_IMPERSONATION_INFORMATION']]], 'IrpList' : [ 0x3b0, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x3c0, ['unsigned long long']], 'DeviceToVerify' : [ 0x3c8, ['pointer64', ['_DEVICE_OBJECT']]], 'ThreadsProcess' : [ 0x3d0, ['pointer64', ['_EPROCESS']]], 'StartAddress' : [ 0x3d8, ['pointer64', ['void']]], 'Win32StartAddress' : [ 0x3e0, ['pointer64', ['void']]], 'LpcReceivedMessageId' : [ 0x3e0, ['unsigned long']], 'ThreadListEntry' : [ 0x3e8, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x3f8, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x400, ['_EX_PUSH_LOCK']], 'LpcReplyMessageId' : [ 0x408, ['unsigned long']], 'ReadClusterSize' : [ 0x40c, ['unsigned long']], 'GrantedAccess' : [ 0x410, ['unsigned long']], 'CrossThreadFlags' : [ 0x414, ['unsigned long']], 'Terminated' : [ 0x414, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeadThread' : [ 0x414, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned long')]], 'HideFromDebugger' : [ 0x414, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x414, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x414, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x414, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x414, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x414, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x414, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x418, ['unsigned long']], 'ActiveExWorker' : [ 0x418, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x418, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x418, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x418, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x41c, ['unsigned long']], 'LpcReceivedMsgIdValid' : [ 0x41c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'LpcExitThreadCalled' : [ 0x41c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'AddressSpaceOwner' : [ 0x41c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x41c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x41c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemWorkingSetExclusive' : [ 0x41c, ['BitField', dict(start_bit = 5, end_bit = 6, 
native_type='unsigned char')]], 'OwnsSystemWorkingSetShared' : [ 0x41c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x41c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x41d, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ApcNeeded' : [ 0x41d, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ForwardClusterOnly' : [ 0x420, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x421, ['unsigned char']], 'ActiveFaultCount' : [ 0x422, ['unsigned char']], } ], '_EPROCESS' : [ 0x3e0, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0xb8, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0xc0, ['_LARGE_INTEGER']], 'ExitTime' : [ 0xc8, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0xd0, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0xd8, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0xe0, ['_LIST_ENTRY']], 'QuotaUsage' : [ 0xf0, ['array', 3, ['unsigned long long']]], 'QuotaPeak' : [ 0x108, ['array', 3, ['unsigned long long']]], 'CommitCharge' : [ 0x120, ['unsigned long long']], 'PeakVirtualSize' : [ 0x128, ['unsigned long long']], 'VirtualSize' : [ 0x130, ['unsigned long long']], 'SessionProcessLinks' : [ 0x138, ['_LIST_ENTRY']], 'DebugPort' : [ 0x148, ['pointer64', ['void']]], 'ExceptionPort' : [ 0x150, ['pointer64', ['void']]], 'ObjectTable' : [ 0x158, ['pointer64', ['_HANDLE_TABLE']]], 'Token' : [ 0x160, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0x168, ['unsigned long long']], 'AddressCreationLock' : [ 0x170, ['_KGUARDED_MUTEX']], 'HyperSpaceLock' : [ 0x1a8, ['unsigned long long']], 'ForkInProgress' : [ 0x1b0, ['pointer64', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x1b8, ['unsigned long long']], 'PhysicalVadRoot' : [ 0x1c0, ['pointer64', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x1c8, ['pointer64', ['void']]], 'NumberOfPrivatePages' : [ 0x1d0, ['unsigned long long']], 'NumberOfLockedPages' : [ 
0x1d8, ['unsigned long long']], 'Win32Process' : [ 0x1e0, ['pointer64', ['void']]], 'Job' : [ 0x1e8, ['pointer64', ['_EJOB']]], 'SectionObject' : [ 0x1f0, ['pointer64', ['void']]], 'SectionBaseAddress' : [ 0x1f8, ['pointer64', ['void']]], 'QuotaBlock' : [ 0x200, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'WorkingSetWatch' : [ 0x208, ['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x210, ['pointer64', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x218, ['pointer64', ['void']]], 'LdtInformation' : [ 0x220, ['pointer64', ['void']]], 'VadFreeHint' : [ 0x228, ['pointer64', ['void']]], 'VdmObjects' : [ 0x230, ['pointer64', ['void']]], 'DeviceMap' : [ 0x238, ['pointer64', ['void']]], 'Spare0' : [ 0x240, ['array', 3, ['pointer64', ['void']]]], 'PageDirectoryPte' : [ 0x258, ['_HARDWARE_PTE']], 'Filler' : [ 0x258, ['unsigned long long']], 'Session' : [ 0x260, ['pointer64', ['void']]], 'ImageFileName' : [ 0x268, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x278, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x288, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x290, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x2a0, ['pointer64', ['void']]], 'Wow64Process' : [ 0x2a8, ['pointer64', ['_WOW64_PROCESS']]], 'ActiveThreads' : [ 0x2b0, ['unsigned long']], 'GrantedAccess' : [ 0x2b4, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x2b8, ['unsigned long']], 'LastThreadExitStatus' : [ 0x2bc, ['long']], 'Peb' : [ 0x2c0, ['pointer64', ['_PEB']]], 'PrefetchTrace' : [ 0x2c8, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x2d0, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x2d8, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x2e0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x2e8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x2f0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x2f8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x300, ['unsigned long long']], 'CommitChargePeak' : [ 0x308, ['unsigned long long']], 'AweInfo' : [ 0x310, ['pointer64', ['void']]], 
'SeAuditProcessCreationInfo' : [ 0x318, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x320, ['_MMSUPPORT']], 'Spares' : [ 0x378, ['array', 2, ['unsigned long']]], 'ModifiedPageCount' : [ 0x380, ['unsigned long']], 'JobStatus' : [ 0x384, ['unsigned long']], 'Flags' : [ 0x388, ['unsigned long']], 'CreateReported' : [ 0x388, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x388, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x388, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x388, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x388, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x388, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x388, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x388, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x388, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x388, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x388, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x388, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x388, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'SessionCreationUnderway' : [ 0x388, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x388, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x388, ['BitField', dict(start_bit = 16, end_bit = 17, 
native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x388, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x388, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x388, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x388, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x388, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x388, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x388, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x388, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SmapAllowed' : [ 0x388, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'CreateFailed' : [ 0x388, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x388, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'Spare1' : [ 0x388, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Spare2' : [ 0x388, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x38c, ['long']], 'NextPageColor' : [ 0x390, ['unsigned short']], 'SubSystemMinorVersion' : [ 0x392, ['unsigned char']], 'SubSystemMajorVersion' : [ 0x393, ['unsigned char']], 'SubSystemVersion' : [ 0x392, ['unsigned short']], 'PriorityClass' : [ 0x394, ['unsigned char']], 'VadRoot' : [ 0x398, ['_MM_AVL_TABLE']], 'Cookie' : [ 0x3d8, ['unsigned long']], } ], '_OBJECT_HEADER' : [ 0x38, { 'PointerCount' : [ 0x0, ['long long']], 'HandleCount' : [ 0x8, ['long long']], 'NextToFree' : [ 0x8, ['pointer64', ['void']]], 'Type' : [ 0x10, ['pointer64', 
['_OBJECT_TYPE']]], 'NameInfoOffset' : [ 0x18, ['unsigned char']], 'HandleInfoOffset' : [ 0x19, ['unsigned char']], 'QuotaInfoOffset' : [ 0x1a, ['unsigned char']], 'Flags' : [ 0x1b, ['unsigned char']], 'ObjectCreateInfo' : [ 0x20, ['pointer64', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'Body' : [ 0x30, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'ExclusiveProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Reserved' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, { 'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'QueryReferences' : [ 0x18, ['unsigned long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']], 'Reserved' : [ 0x1a, ['unsigned short']], } ], '_OBJECT_ATTRIBUTES' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'Attributes' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]], } ], '_OBJECT_TYPE' : [ 0x2c0, { 'Mutex' : [ 0x0, ['_ERESOURCE']], 'TypeList' : [ 0x68, ['_LIST_ENTRY']], 'Name' : [ 0x78, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x88, ['pointer64', ['void']]], 'Index' : [ 0x90, ['unsigned long']], 'TotalNumberOfObjects' : [ 0x94, ['unsigned long']], 
'TotalNumberOfHandles' : [ 0x98, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x9c, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0xa0, ['unsigned long']], 'TypeInfo' : [ 0xa8, ['_OBJECT_TYPE_INITIALIZER']], 'Key' : [ 0x118, ['unsigned long']], 'ObjectLocks' : [ 0x120, ['array', 4, ['_ERESOURCE']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_KGUARDED_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KGATE']], 'KernelApcDisable' : [ 0x30, ['short']], 'SpecialApcDisable' : [ 0x32, ['short']], 'CombinedApcDisable' : [ 0x30, ['unsigned long']], } ], '__unnamed_1161' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'HardLarge' : [ 0x0, ['_MMPTE_HARDWARE_LARGEPAGE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_1161']], } ], '__unnamed_116c' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], 'ReadStatus' : [ 0x0, ['long']], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_116e' : [ 0x8, { 'Blink' : [ 0x0, ['unsigned long long']], 'ShareCount' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1171' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_1173' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_1171']], } ], '__unnamed_117b' : [ 0x8, { 'EntireFrame' : [ 
0x0, ['unsigned long long']], 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 57, native_type='unsigned long long')]], 'InPageError' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 'VerifierAllocation' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 60, native_type='unsigned long long')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 63, native_type='unsigned long long')]], 'MustBeCached' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_MMPFN' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_116c']], 'PteAddress' : [ 0x8, ['pointer64', ['_MMPTE']]], 'u2' : [ 0x10, ['__unnamed_116e']], 'u3' : [ 0x18, ['__unnamed_1173']], 'UsedPageTableEntries' : [ 0x1c, ['unsigned long']], 'OriginalPte' : [ 0x20, ['_MMPTE']], 'AweReferenceCount' : [ 0x20, ['long']], 'u4' : [ 0x28, ['__unnamed_117b']], } ], '__unnamed_1182' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMVAD']]], } ], '__unnamed_1185' : [ 0x8, { 'LongFlags' : [ 0x0, ['unsigned long long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_118a' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x50, { 'u1' : [ 0x0, ['__unnamed_1182']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_1185']], 'ControlArea' : [ 0x30, ['pointer64', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x38, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x40, ['pointer64', ['_MMPTE']]], 'u2' : [ 0x48, ['__unnamed_118a']], } ], '_MM_AVL_TABLE' : [ 0x40, { 'BalancedRoot' : [ 0x0, 
['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], 'NodeFreeHint' : [ 0x38, ['pointer64', ['void']]], } ], '_MMPTE_FLUSH_LIST' : [ 0xa8, { 'Count' : [ 0x0, ['unsigned long']], 'FlushVa' : [ 0x8, ['array', 20, ['pointer64', ['void']]]], } ], '__unnamed_119c' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'u' : [ 0x8, ['__unnamed_119c']], 'StartingSector' : [ 0xc, ['unsigned long']], 'NumberOfFullSectors' : [ 0x10, ['unsigned long']], 'SubsectionBase' : [ 0x18, ['pointer64', ['_MMPTE']]], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'PtesInSubsection' : [ 0x24, ['unsigned long']], 'NextSubsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], } ], '_MMPAGING_FILE' : [ 0x78, { 'Size' : [ 0x0, ['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long long']], 'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'CurrentUsage' : [ 0x20, ['unsigned long long']], 'PeakUsage' : [ 0x28, ['unsigned long long']], 'HighestPage' : [ 0x30, ['unsigned long long']], 'File' : [ 0x38, ['pointer64', ['_FILE_OBJECT']]], 'Entry' : [ 0x40, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x50, ['_UNICODE_STRING']], 'Bitmap' : [ 0x60, ['pointer64', ['_RTL_BITMAP']]], 'PageFileNumber' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'ReferenceCount' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'BootPartition' : [ 0x68, ['BitField', dict(start_bit = 
8, end_bit = 9, native_type='unsigned long')]], 'Reserved' : [ 0x68, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'FileHandle' : [ 0x70, ['pointer64', ['void']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], 
'_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], 
'_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_1216' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 
'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_1216']], } ], '__unnamed_121d' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_121d']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], 
} ], '_SHARED_CACHE_MAP' : [ 0x1b0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObject' : [ 0x60, ['pointer64', ['_FILE_OBJECT']]], 'ActiveVacb' : [ 0x68, ['pointer64', ['_VACB']]], 'NeedToZero' : [ 0x70, ['pointer64', ['void']]], 'ActivePage' : [ 0x78, ['unsigned long']], 'NeedToZeroPage' : [ 0x7c, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x80, ['unsigned long long']], 'VacbActiveCount' : [ 0x88, ['unsigned long']], 'DirtyPages' : [ 0x8c, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x90, ['_LIST_ENTRY']], 'Flags' : [ 0xa0, ['unsigned long']], 'Status' : [ 0xa4, ['long']], 'Mbcb' : [ 0xa8, ['pointer64', ['_MBCB']]], 'Section' : [ 0xb0, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xc0, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc8, ['unsigned long']], 'BeyondLastFlush' : [ 0xd0, ['long long']], 'Callbacks' : [ 0xd8, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xe0, ['pointer64', ['void']]], 'PrivateList' : [ 0xe8, ['_LIST_ENTRY']], 'LogHandle' : [ 0xf8, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x100, ['pointer64', ['void']]], 'DirtyPageThreshold' : [ 0x108, ['unsigned long']], 'LazyWritePassCount' : [ 0x10c, ['unsigned long']], 'UninitializeEvent' : [ 0x110, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0x118, ['pointer64', ['_VACB']]], 'BcbSpinLock' : [ 0x120, ['unsigned long long']], 'Reserved' : [ 0x128, ['pointer64', ['void']]], 'Event' : [ 0x130, ['_KEVENT']], 'VacbPushLock' : [ 0x148, ['_EX_PUSH_LOCK']], 
'PrivateCacheMap' : [ 0x150, ['_PRIVATE_CACHE_MAP']], } ], '_FILE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' : [ 0x18, ['pointer64', ['void']]], 'FsContext2' : [ 0x20, ['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 0x58, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]], } ], '__unnamed_1247' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_1247']], 'LruList' : [ 0x18, ['_LIST_ENTRY']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '__unnamed_125c' : [ 0x10, { 'FreeListsInUseUlong' : [ 0x0, ['array', 4, ['unsigned long']]], 'FreeListsInUseBytes' : [ 0x0, ['array', 16, ['unsigned char']]], } ], '__unnamed_125e' : [ 0x2, { 'FreeListsInUseTerminate' : [ 
0x0, ['unsigned short']], 'DecommitCount' : [ 0x0, ['unsigned short']], } ], '_HEAP' : [ 0xae8, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], 'ForceFlags' : [ 0x18, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x1c, ['unsigned long']], 'SegmentReserve' : [ 0x20, ['unsigned long long']], 'SegmentCommit' : [ 0x28, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0x30, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0x38, ['unsigned long long']], 'TotalFreeSize' : [ 0x40, ['unsigned long long']], 'MaximumAllocationSize' : [ 0x48, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0x50, ['unsigned short']], 'HeaderValidateLength' : [ 0x52, ['unsigned short']], 'HeaderValidateCopy' : [ 0x58, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0x60, ['unsigned short']], 'MaximumTagIndex' : [ 0x62, ['unsigned short']], 'TagEntries' : [ 0x68, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRSegments' : [ 0x70, ['pointer64', ['_HEAP_UCR_SEGMENT']]], 'UnusedUnCommittedRanges' : [ 0x78, ['pointer64', ['_HEAP_UNCOMMMTTED_RANGE']]], 'AlignRound' : [ 0x80, ['unsigned long long']], 'AlignMask' : [ 0x88, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x90, ['_LIST_ENTRY']], 'Segments' : [ 0xa0, ['array', 64, ['pointer64', ['_HEAP_SEGMENT']]]], 'u' : [ 0x2a0, ['__unnamed_125c']], 'u2' : [ 0x2b0, ['__unnamed_125e']], 'AllocatorBackTraceIndex' : [ 0x2b2, ['unsigned short']], 'NonDedicatedListLength' : [ 0x2b4, ['unsigned long']], 'LargeBlocksIndex' : [ 0x2b8, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x2c0, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x2c8, ['array', 128, ['_LIST_ENTRY']]], 'LockVariable' : [ 0xac8, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xad0, ['pointer64', ['void']]], 'FrontEndHeap' : [ 0xad8, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0xae0, ['unsigned short']], 'FrontEndHeapType' : [ 0xae2, ['unsigned char']], 
'LastSegmentIndex' : [ 0xae3, ['unsigned char']], } ], '_HEAP_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'PreviousSize' : [ 0xa, ['unsigned short']], 'SmallTagIndex' : [ 0xc, ['unsigned char']], 'Flags' : [ 0xd, ['unsigned char']], 'UnusedBytes' : [ 0xe, ['unsigned char']], 'SegmentIndex' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x68, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], 'Heap' : [ 0x18, ['pointer64', ['_HEAP']]], 'LargestUnCommittedRange' : [ 0x20, ['unsigned long long']], 'BaseAddress' : [ 0x28, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x30, ['unsigned long']], 'FirstEntry' : [ 0x38, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x48, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x4c, ['unsigned long']], 'UnCommittedRanges' : [ 0x50, ['pointer64', ['_HEAP_UNCOMMMTTED_RANGE']]], 'AllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'LastEntryInSegment' : [ 0x60, ['pointer64', ['_HEAP_ENTRY']]], } ], '_HEAP_SUBSEGMENT' : [ 0x30, { 'Bucket' : [ 0x0, ['pointer64', ['void']]], 'UserBlocks' : [ 0x8, ['pointer64', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x10, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x18, ['unsigned short']], 'FreeThreshold' : [ 0x1a, ['unsigned short']], 'BlockCount' : [ 0x1c, ['unsigned short']], 'SizeIndex' : [ 0x1e, ['unsigned char']], 'AffinityIndex' : [ 0x1f, ['unsigned char']], 'Alignment' : [ 0x18, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x28, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', 
['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_TOKEN' : [ 0xd0, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'AuditPolicy' : [ 0x38, ['_SEP_AUDIT_POLICY']], 'ModifiedId' : [ 0x40, ['_LUID']], 'SessionId' : [ 0x48, ['unsigned long']], 'UserAndGroupCount' : [ 0x4c, ['unsigned long']], 'RestrictedSidCount' : [ 0x50, ['unsigned long']], 'PrivilegeCount' : [ 0x54, ['unsigned long']], 'VariableLength' : [ 0x58, ['unsigned long']], 'DynamicCharged' : [ 0x5c, ['unsigned long']], 'DynamicAvailable' : [ 0x60, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x64, ['unsigned long']], 'UserAndGroups' : [ 0x68, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x70, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x78, ['pointer64', ['void']]], 'Privileges' : [ 0x80, ['pointer64', ['_LUID_AND_ATTRIBUTES']]], 'DynamicPart' : [ 0x88, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0x90, ['pointer64', ['_ACL']]], 'TokenType' : [ 0x98, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x9c, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xa0, ['unsigned char']], 'TokenInUse' : [ 0xa1, ['unsigned char']], 'ProxyData' : [ 0xa8, ['pointer64', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0xb0, ['pointer64', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'LogonSession' : [ 0xb8, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc0, ['_LUID']], 'VariablePart' : [ 0xc8, 
['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'ReferenceCount' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], 'pDeviceMap' : [ 0x18, ['pointer64', ['_DEVICE_MAP']]], } ], '_TEB' : [ 0x17d8, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['pointer64', ['void']]]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes1' : [ 0x2d0, ['array', 28, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', 
['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['unsigned short']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, ['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 14, ['pointer64', ['void']]]], 'SubProcessTag' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'InDbgPrint' : [ 0x1744, ['unsigned char']], 'FreeStackOnTermination' : [ 0x1745, ['unsigned char']], 'HasFiberData' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SparePointer1' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'SoftPatchPtr2' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'ImpersonationLocale' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', 
['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'SafeThunkCall' : [ 0x17d0, ['unsigned char']], 'BooleanSpare' : [ 0x17d1, ['array', 3, ['unsigned char']]], } ], '_HEAP_UCR_SEGMENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_HEAP_UCR_SEGMENT']]], 'ReservedSize' : [ 0x8, ['unsigned long long']], 'CommittedSize' : [ 0x10, ['unsigned long long']], 'filler' : [ 0x18, ['unsigned long']], } ], '_HMAP_TABLE' : [ 0x4000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'SharedWaiters' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 'OwnerThreads' : [ 0x30, ['array', 2, ['_OWNER_ENTRY']]], 'ContentionCount' : [ 0x50, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x54, ['unsigned short']], 'NumberOfExclusiveWaiters' : [ 0x56, ['unsigned short']], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x18, ['_UNICODE_STRING']], 'LinkTargetObject' : [ 0x28, ['pointer64', ['void']]], 'DosDeviceDriveIndex' : [ 0x30, ['unsigned long']], } ], '_POOL_BLOCK_HEAD' : [ 0x20, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x10, ['_LIST_ENTRY']], } ], '_DISPATCHER_HEADER' : [ 0x18, { 'Type' : [ 0x0, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'NpxIrql' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Hand' : [ 0x2, ['unsigned char']], 'Inserted' 
: [ 0x3, ['unsigned char']], 'DebugActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x98, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'Flags' : [ 0x68, ['unsigned long']], 'LoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x70, ['pointer64', ['void']]], 'CheckSum' : [ 0x78, ['unsigned long']], 'TimeDateStamp' : [ 0x80, ['unsigned long']], 'LoadedImports' : [ 0x80, ['pointer64', ['void']]], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x90, ['pointer64', ['void']]], } ], '_HEAP_UNCOMMMTTED_RANGE' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_HEAP_UNCOMMMTTED_RANGE']]], 'Address' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long long']], 'filler' : [ 0x18, ['unsigned long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x1e0, { 'Nodes' : [ 0x0, ['array', 2, ['unsigned long']]], 'Resources' : [ 0x8, ['array', 2, ['unsigned long']]], 'Threads' : [ 0x10, ['array', 2, ['unsigned long']]], 'TimeAcquire' : [ 0x18, ['long long']], 'TimeRelease' : [ 0x20, ['long long']], 'BytesAllocated' : [ 0x28, ['unsigned long long']], 'ResourceDatabase' : [ 0x30, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabase' : [ 0x38, ['pointer64', ['_LIST_ENTRY']]], 'AllocationFailures' : [ 0x40, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x44, ['unsigned long']], 
'NodesTrimmedBasedOnCount' : [ 0x48, ['unsigned long']], 'NodesSearched' : [ 0x4c, ['unsigned long']], 'MaxNodesSearched' : [ 0x50, ['unsigned long']], 'SequenceNumber' : [ 0x54, ['unsigned long']], 'RecursionDepthLimit' : [ 0x58, ['unsigned long']], 'SearchedNodesLimit' : [ 0x5c, ['unsigned long']], 'DepthLimitHits' : [ 0x60, ['unsigned long']], 'SearchLimitHits' : [ 0x64, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x68, ['unsigned long']], 'OutOfOrderReleases' : [ 0x6c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x70, ['unsigned long']], 'TotalReleases' : [ 0x74, ['unsigned long']], 'RootNodesDeleted' : [ 0x78, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x7c, ['unsigned long']], 'PoolTrimCounter' : [ 0x80, ['unsigned long']], 'FreeResourceList' : [ 0x88, ['_LIST_ENTRY']], 'FreeThreadList' : [ 0x98, ['_LIST_ENTRY']], 'FreeNodeList' : [ 0xa8, ['_LIST_ENTRY']], 'FreeResourceCount' : [ 0xb8, ['unsigned long']], 'FreeThreadCount' : [ 0xbc, ['unsigned long']], 'FreeNodeCount' : [ 0xc0, ['unsigned long']], 'Instigator' : [ 0xc8, ['pointer64', ['void']]], 'NumberOfParticipants' : [ 0xd0, ['unsigned long']], 'Participant' : [ 0xd8, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'CacheReductionInProgress' : [ 0x1d8, ['unsigned long']], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 
'PatternLength' : [ 0x10, ['unsigned long']], } ], '_SECTION_OBJECT' : [ 0x30, { 'StartingVa' : [ 0x0, ['pointer64', ['void']]], 'EndingVa' : [ 0x8, ['pointer64', ['void']]], 'Parent' : [ 0x10, ['pointer64', ['void']]], 'LeftChild' : [ 0x18, ['pointer64', ['void']]], 'RightChild' : [ 0x20, ['pointer64', ['void']]], 'Segment' : [ 0x28, ['pointer64', ['_SEGMENT_OBJECT']]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, ['pointer64', ['void']]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_SEGMENT_OBJECT' : [ 0x48, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x18, ['unsigned long']], 'ImageCommitment' : [ 0x1c, ['unsigned long']], 'ControlArea' : [ 0x20, ['pointer64', ['_CONTROL_AREA']]], 
'Subsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], 'LargeControlArea' : [ 0x30, ['pointer64', ['_LARGE_CONTROL_AREA']]], 'MmSectionFlags' : [ 0x38, ['pointer64', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x40, ['pointer64', ['_MMSUBSECTION_FLAGS']]], } ], '__unnamed_1371' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '_CONTROL_AREA' : [ 0x48, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x1c, ['unsigned long']], 'NumberOfMappedViews' : [ 0x20, ['unsigned long']], 'NumberOfSystemCacheViews' : [ 0x24, ['unsigned long']], 'NumberOfUserReferences' : [ 0x28, ['unsigned long']], 'u' : [ 0x2c, ['__unnamed_1371']], 'FilePointer' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x38, ['pointer64', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x40, ['unsigned short']], 'FlushInProgressCount' : [ 0x42, ['unsigned short']], 'WritableUserReferences' : [ 0x44, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x70, { 'TableCode' : [ 0x0, ['unsigned long long']], 'QuotaProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x10, ['pointer64', ['void']]], 'HandleTableLock' : [ 0x18, ['array', 4, ['_EX_PUSH_LOCK']]], 'HandleTableList' : [ 0x38, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x48, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x50, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x58, ['long']], 'FirstFree' : [ 0x5c, ['unsigned long']], 'LastFree' : [ 0x60, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x64, ['unsigned long']], 'HandleCount' : [ 0x68, ['long']], 'Flags' : [ 0x6c, ['unsigned long']], 'StrictFIFO' : [ 0x6c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned 
long')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'BlockSize' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'PoolType' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_XMM_SAVE_AREA32' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 
'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]], } ], '_KWAIT_BLOCK' : [ 0x30, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'Object' : [ 0x18, ['pointer64', ['void']]], 'NextWaitBlock' : [ 0x20, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x28, ['unsigned short']], 'WaitType' : [ 0x2a, ['unsigned char']], 'SpareByte' : [ 0x2b, ['unsigned char']], 'SpareLong' : [ 0x2c, ['long']], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_MMSUPPORT' : [ 0x58, { 'WorkingSetExpansionLinks' : [ 0x0, ['_LIST_ENTRY']], 'LastTrimTime' : [ 0x10, ['_LARGE_INTEGER']], 'Flags' : [ 0x18, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0x1c, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x20, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x24, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x28, ['unsigned long']], 
'MaximumWorkingSetSize' : [ 0x2c, ['unsigned long']], 'VmWorkingSetList' : [ 0x30, ['pointer64', ['_MMWSL']]], 'Claim' : [ 0x38, ['unsigned long']], 'NextEstimationSlot' : [ 0x3c, ['unsigned long']], 'NextAgingSlot' : [ 0x40, ['unsigned long']], 'EstimatedAvailable' : [ 0x44, ['unsigned long']], 'WorkingSetSize' : [ 0x48, ['unsigned long']], 'WorkingSetMutex' : [ 0x50, ['_EX_PUSH_LOCK']], } ], '_EX_WORK_QUEUE' : [ 0x58, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x40, ['unsigned long']], 'WorkItemsProcessed' : [ 0x44, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x48, ['unsigned long']], 'QueueDepthLastPass' : [ 0x4c, ['unsigned long']], 'Info' : [ 0x50, ['EX_QUEUE_WORKER_INFO']], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SubsectionStatic' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 20, native_type='unsigned long')]], 'SectorEndOffset' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' : [ 0x14, ['array', 24, ['unsigned short']]], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_EPROCESS_QUOTA_BLOCK' : [ 0x78, { 
'QuotaEntry' : [ 0x0, ['array', 3, ['_EPROCESS_QUOTA_ENTRY']]], 'QuotaList' : [ 0x60, ['_LIST_ENTRY']], 'ReferenceCount' : [ 0x70, ['unsigned long']], 'ProcessCount' : [ 0x74, ['unsigned long']], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', ['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_EVENT_COUNTER' : [ 0x30, { 'ListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'RefCount' : [ 0x10, ['unsigned long']], 'Event' : [ 0x18, ['_KEVENT']], } ], '_EJOB' : [ 0x220, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, ['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb0, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xb8, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0xc0, ['unsigned long']], 'TotalProcesses' : [ 0xc4, ['unsigned long']], 'ActiveProcesses' : [ 0xc8, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0xcc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xd0, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xd8, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0xe0, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0xe8, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xf0, ['unsigned long long']], 'ActiveProcessLimit' : [ 0xf8, ['unsigned long']], 'Affinity' : [ 0x100, ['unsigned long long']], 'PriorityClass' : [ 0x108, ['unsigned char']], 'UIRestrictionsClass' : [ 0x10c, ['unsigned long']], 'SecurityLimitFlags' : [ 0x110, ['unsigned long']], 'Token' : [ 0x118, ['pointer64', ['void']]], 'Filter' : [ 0x120, ['pointer64', 
['_PS_JOB_TOKEN_FILTER']]], 'EndOfJobTimeAction' : [ 0x128, ['unsigned long']], 'CompletionPort' : [ 0x130, ['pointer64', ['void']]], 'CompletionKey' : [ 0x138, ['pointer64', ['void']]], 'SessionId' : [ 0x140, ['unsigned long']], 'SchedulingClass' : [ 0x144, ['unsigned long']], 'ReadOperationCount' : [ 0x148, ['unsigned long long']], 'WriteOperationCount' : [ 0x150, ['unsigned long long']], 'OtherOperationCount' : [ 0x158, ['unsigned long long']], 'ReadTransferCount' : [ 0x160, ['unsigned long long']], 'WriteTransferCount' : [ 0x168, ['unsigned long long']], 'OtherTransferCount' : [ 0x170, ['unsigned long long']], 'IoInfo' : [ 0x178, ['_IO_COUNTERS']], 'ProcessMemoryLimit' : [ 0x1a8, ['unsigned long long']], 'JobMemoryLimit' : [ 0x1b0, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x1b8, ['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x1c0, ['unsigned long long']], 'CurrentJobMemoryUsed' : [ 0x1c8, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x1d0, ['_KGUARDED_MUTEX']], 'JobSetLinks' : [ 0x208, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x218, ['unsigned long']], 'JobFlags' : [ 0x21c, ['unsigned long']], } ], '_LARGE_CONTROL_AREA' : [ 0x68, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x1c, ['unsigned long']], 'NumberOfMappedViews' : [ 0x20, ['unsigned long']], 'NumberOfSystemCacheViews' : [ 0x24, ['unsigned long']], 'NumberOfUserReferences' : [ 0x28, ['unsigned long']], 'u' : [ 0x2c, ['__unnamed_1371']], 'FilePointer' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x38, ['pointer64', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x40, ['unsigned short']], 'FlushInProgressCount' : [ 0x42, ['unsigned short']], 'WritableUserReferences' : [ 0x44, ['unsigned long']], 'StartingFrame' : [ 0x48, ['unsigned long long']], 'UserGlobalList' : [ 0x50, ['_LIST_ENTRY']], 'SessionId' : [ 0x60, ['unsigned long']], } 
], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_PS_JOB_TOKEN_FILTER' : [ 0x38, { 'CapturedSidCount' : [ 0x0, ['unsigned long']], 'CapturedSids' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'CapturedSidsLength' : [ 0x10, ['unsigned long']], 'CapturedGroupCount' : [ 0x14, ['unsigned long']], 'CapturedGroups' : [ 0x18, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'CapturedGroupsLength' : [ 0x20, ['unsigned long']], 'CapturedPrivilegeCount' : [ 0x24, ['unsigned long']], 'CapturedPrivileges' : [ 0x28, ['pointer64', ['_LUID_AND_ATTRIBUTES']]], 'CapturedPrivilegesLength' : [ 0x30, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x80, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 
'Reserved' : [ 0x78, ['array', 2, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Writable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, 
native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x20, { 'BlockAddress' : [ 0x0, ['unsigned long long']], 'BinAddress' : [ 0x8, ['unsigned long long']], 'CmView' : [ 0x10, ['pointer64', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0x18, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, 
native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ImageMappedInSystemSpace' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, 
native_type='unsigned long')]], 'filler' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_DEFERRED_WRITE' : [ 0x50, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, ['unsigned long']], 'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'PostRoutine' : [ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], 'LimitModifiedPages' : [ 0x48, ['unsigned char']], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x30, { 'Name' : [ 0x0, ['pointer64', ['unsigned short']]], 'BaseName' : [ 0x8, ['pointer64', ['unsigned short']]], 'CmHive' : [ 0x10, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x18, ['unsigned long']], 'CmHiveFlags' : [ 0x1c, ['unsigned long']], 'CmHive2' : [ 0x20, ['pointer64', ['_CMHIVE']]], 'ThreadFinished' : [ 0x28, ['unsigned char']], 'ThreadStarted' : [ 0x29, ['unsigned char']], 'Allocate' : [ 0x2a, ['unsigned char']], } ], '_MMVAD_FLAGS' : [ 0x8, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 51, native_type='unsigned long long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 61, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 61, end_bit = 63, native_type='unsigned long long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], 
'_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_PS_IMPERSONATION_INFORMATION' : [ 0x10, { 'Token' : [ 0x0, ['pointer64', ['void']]], 'CopyOnOpen' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], 'ImpersonationLevel' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], } ], '__unnamed_142e' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], } ], '__unnamed_1430' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_1434' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x1c0, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'Level' : [ 0x20, ['unsigned long']], 'Notify' : [ 0x28, ['pointer64', ['_PO_DEVICE_NOTIFY']]], 'State' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 
'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x38, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x88, ['unsigned long']], 'CompletionStatus' : [ 0x8c, ['long']], 'PendingIrp' : [ 0x90, ['pointer64', 
['_IRP']]], 'Flags' : [ 0x98, ['unsigned long']], 'UserFlags' : [ 0x9c, ['unsigned long']], 'Problem' : [ 0xa0, ['unsigned long']], 'PhysicalDeviceObject' : [ 0xa8, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0xb0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0xb8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'InstancePath' : [ 0xc0, ['_UNICODE_STRING']], 'ServiceName' : [ 0xd0, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0xe0, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xe8, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xf0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xf4, ['unsigned long']], 'ChildInterfaceType' : [ 0xf8, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0xfc, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x100, ['unsigned short']], 'RemovalPolicy' : [ 0x102, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x103, ['unsigned char']], 'TargetDeviceNotify' : [ 0x108, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x118, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x128, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x138, ['unsigned short']], 'QueryTranslatorMask' : [ 0x13a, ['unsigned short']], 'NoArbiterMask' : [ 0x13c, ['unsigned short']], 'QueryArbiterMask' : [ 0x13e, ['unsigned short']], 'OverUsed1' : [ 0x140, ['__unnamed_142e']], 
'OverUsed2' : [ 0x148, ['__unnamed_1430']], 'BootResources' : [ 0x150, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x158, ['unsigned long']], 'DockInfo' : [ 0x160, ['__unnamed_1434']], 'DisableableDepends' : [ 0x180, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x188, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x198, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x1a8, ['unsigned long']], 'PreviousParent' : [ 0x1b0, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x1b8, ['unsigned long']], } ], '__unnamed_1439' : [ 0x68, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x68, { 'Lock' : [ 0x0, ['__unnamed_1439']], } ], '_PEB64' : [ 0x358, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'SparePtr2' : [ 0x48, ['unsigned long long']], 'EnvironmentUpdateCount' : [ 0x50, ['unsigned long']], 'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x64, ['unsigned long']], 'FreeList' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, 
['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'ReadOnlySharedMemoryHeap' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, 
['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], } ], '_KPCR' : [ 0x2600, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'PerfGlobalGroupMask' : [ 0x10, ['pointer64', ['void']]], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, ['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, 
['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_MMCOLOR_TABLES' : [ 0x18, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long long']], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_KPROCESS' : [ 0xb8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x28, ['array', 2, ['unsigned long long']]], 'IopmOffset' : [ 0x38, ['unsigned short']], 'ActiveProcessors' : [ 0x40, ['unsigned long long']], 'KernelTime' : [ 0x48, ['unsigned long']], 'UserTime' : [ 0x4c, ['unsigned long']], 'ReadyListHead' : [ 0x50, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x60, ['_SINGLE_LIST_ENTRY']], 'Reserved1' : [ 0x68, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x70, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x80, ['unsigned long long']], 'Affinity' : [ 0x88, ['unsigned long long']], 'AutoAlignment' : [ 0x90, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x90, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x90, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ReservedFlags' : [ 0x90, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x90, ['long']], 'BasePriority' : [ 0x94, ['unsigned char']], 'QuantumReset' : [ 0x95, ['unsigned 
char']], 'State' : [ 0x96, ['unsigned char']], 'ThreadSeed' : [ 0x97, ['unsigned char']], 'PowerState' : [ 0x98, ['unsigned char']], 'IdealNode' : [ 0x99, ['unsigned char']], 'Visited' : [ 0x9a, ['unsigned char']], 'Flags' : [ 0x9b, ['_KEXECUTE_OPTIONS']], 'ExecuteOptions' : [ 0x9b, ['unsigned char']], 'StackCount' : [ 0xa0, ['unsigned long long']], 'ProcessListEntry' : [ 0xa8, ['_LIST_ENTRY']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1469' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1d80, { 'GlobalVirtualAddress' : [ 0x0, ['pointer64', ['_MM_SESSION_SPACE']]], 'ReferenceCount' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_1469']], 'SessionId' : [ 0x10, ['unsigned long']], 'ProcessList' : [ 0x18, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x28, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x30, ['unsigned long long']], 'NonPagablePages' : [ 0x38, ['unsigned long long']], 'CommittedPages' : [ 0x40, ['unsigned long long']], 'PagedPoolStart' : [ 0x48, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x50, ['pointer64', ['void']]], 'PagedPoolBasePde' : [ 0x58, ['pointer64', ['_MMPTE']]], 'Color' : [ 0x60, ['unsigned long']], 'ResidentProcessCount' : [ 0x64, ['long']], 'SessionPoolAllocationFailures' : [ 0x68, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x78, ['_LIST_ENTRY']], 'LocaleId' : [ 0x88, ['unsigned long']], 'AttachCount' : [ 0x8c, ['unsigned long']], 'AttachEvent' : [ 0x90, ['_KEVENT']], 'LastProcess' : [ 0xa8, ['pointer64', ['_EPROCESS']]], 'ProcessReferenceToSession' : [ 0xb0, ['long']], 'WsListEntry' : [ 0xb8, ['_LIST_ENTRY']], 'Lookaside' : [ 0x100, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb80, ['_MMSESSION']], 'PagedPoolMutex' : [ 0xbe8, ['_KGUARDED_MUTEX']], 'PagedPoolInfo' : [ 0xc20, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xc60, 
['_MMSUPPORT']], 'Wsle' : [ 0xcb8, ['pointer64', ['_MMWSLE']]], 'Win32KDriverUnload' : [ 0xcc0, ['pointer64', ['void']]], 'PagedPool' : [ 0xcc8, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1d10, ['_MMPTE']], 'SpecialPoolFirstPte' : [ 0x1d18, ['pointer64', ['_MMPTE']]], 'SpecialPoolLastPte' : [ 0x1d20, ['pointer64', ['_MMPTE']]], 'NextPdeForSpecialPoolExpansion' : [ 0x1d28, ['pointer64', ['_MMPTE']]], 'LastPdeForSpecialPoolExpansion' : [ 0x1d30, ['pointer64', ['_MMPTE']]], 'SpecialPagesInUse' : [ 0x1d38, ['unsigned long long']], 'ImageLoadingCount' : [ 0x1d40, ['long']], } ], '_PEB' : [ 0x358, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['pointer64', ['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['void']]], 'SparePtr2' : [ 0x48, ['pointer64', ['void']]], 'EnvironmentUpdateCount' : [ 0x50, ['unsigned long']], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x64, ['unsigned long']], 'FreeList' : [ 0x68, ['pointer64', ['_PEB_FREE_BLOCK']]], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', 
['void']]], 'ReadOnlySharedMemoryHeap' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 
'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['pointer64', ['void']]]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'PreviousSize' : [ 0xa, ['unsigned short']], 'SmallTagIndex' : [ 0xc, ['unsigned char']], 'Flags' : [ 0xd, ['unsigned char']], 'UnusedBytes' : [ 0xe, ['unsigned char']], 'SegmentIndex' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, 
native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 22, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '__unnamed_1499' : [ 0x10, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], 'LastByte' : [ 0x0, ['_LARGE_INTEGER']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0xa8, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'WriteOffset' : [ 0x10, ['_LARGE_INTEGER']], 'u' : [ 0x18, ['__unnamed_1499']], 'Irp' : [ 0x28, ['pointer64', ['_IRP']]], 'LastPageToWrite' : [ 0x30, ['unsigned long long']], 'PagingListHead' : [ 0x38, ['pointer64', ['_MMMOD_WRITER_LISTHEAD']]], 'CurrentList' : [ 0x40, ['pointer64', ['_LIST_ENTRY']]], 'PagingFile' : [ 0x48, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x50, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x58, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0x60, ['pointer64', ['_ERESOURCE']]], 'IssueTime' : [ 0x68, ['_LARGE_INTEGER']], 'Mdl' : [ 0x70, ['_MDL']], 'Page' : [ 0xa0, ['array', 1, ['unsigned long long']]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, 
['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_TEB32' : [ 0xfbc, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes1' : [ 0x1ac, ['array', 40, ['unsigned char']]], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned 
long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['unsigned short']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 14, ['unsigned long']]], 'SubProcessTag' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'InDbgPrint' : [ 0xf74, ['unsigned char']], 'FreeStackOnTermination' : [ 0xf75, ['unsigned char']], 'HasFiberData' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SparePointer1' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'SoftPatchPtr2' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'SafeThunkCall' : [ 0xfb8, ['unsigned char']], 'BooleanSpare' : [ 0xfb9, ['array', 3, ['unsigned char']]], } ], 
'_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_EPROCESS_QUOTA_ENTRY' : [ 0x20, { 'Usage' : [ 0x0, ['unsigned long long']], 'Limit' : [ 0x8, ['unsigned long long']], 'Peak' : [ 0x10, ['unsigned long long']], 'Return' : [ 0x18, ['unsigned long long']], } ], '__unnamed_14be' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x58, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_14be']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x170, { 'IdleFunction' : [ 0x0, ['pointer64', ['void']]], 'Idle0KernelTimeLimit' : [ 0x8, ['unsigned long']], 'Idle0LastTime' : [ 0xc, ['unsigned long']], 'IdleHandlers' : [ 0x10, ['pointer64', ['void']]], 'IdleState' : [ 0x18, ['pointer64', ['void']]], 'IdleHandlersCount' : [ 0x20, ['unsigned long']], 'LastCheck' : [ 0x28, ['unsigned long long']], 'IdleTimes' : [ 0x30, ['PROCESSOR_IDLE_TIMES']], 'IdleTime1' : [ 0x50, ['unsigned long']], 'PromotionCheck' : [ 0x54, ['unsigned long']], 'IdleTime2' : [ 0x58, ['unsigned long']], 'CurrentThrottle' : [ 0x5c, ['unsigned char']], 'ThermalThrottleLimit' : [ 0x5d, ['unsigned char']], 'CurrentThrottleIndex' : [ 0x5e, ['unsigned char']], 'ThermalThrottleIndex' : [ 0x5f, ['unsigned char']], 'LastKernelUserTime' : [ 0x60, ['unsigned long']], 'PerfIdleTime' : [ 0x64, ['unsigned long']], 'DebugDelta' : [ 0x68, ['unsigned long 
long']], 'DebugCount' : [ 0x70, ['unsigned long']], 'LastSysTime' : [ 0x74, ['unsigned long']], 'TotalIdleStateTime' : [ 0x78, ['array', 3, ['unsigned long long']]], 'TotalIdleTransitions' : [ 0x90, ['array', 3, ['unsigned long']]], 'PreviousC3StateTime' : [ 0xa0, ['unsigned long long']], 'KneeThrottleIndex' : [ 0xa8, ['unsigned char']], 'ThrottleLimitIndex' : [ 0xa9, ['unsigned char']], 'PerfStatesCount' : [ 0xaa, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xab, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0xac, ['unsigned char']], 'LastBusyPercentage' : [ 0xad, ['unsigned char']], 'LastC3Percentage' : [ 0xae, ['unsigned char']], 'LastAdjustedBusyPercentage' : [ 0xaf, ['unsigned char']], 'PromotionCount' : [ 0xb0, ['unsigned long']], 'DemotionCount' : [ 0xb4, ['unsigned long']], 'ErrorCount' : [ 0xb8, ['unsigned long']], 'RetryCount' : [ 0xbc, ['unsigned long']], 'Flags' : [ 0xc0, ['unsigned long']], 'PerfCounterFrequency' : [ 0xc8, ['_LARGE_INTEGER']], 'PerfTickCount' : [ 0xd0, ['unsigned long']], 'PerfTimer' : [ 0xd8, ['_KTIMER']], 'PerfDpc' : [ 0x118, ['_KDPC']], 'PerfStates' : [ 0x158, ['pointer64', ['PROCESSOR_PERF_STATE']]], 'PerfSetThrottle' : [ 0x160, ['pointer64', ['void']]], 'LastC3KernelUserTime' : [ 0x168, ['unsigned long']], 'Spare1' : [ 0x16c, ['array', 1, ['unsigned long']]], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'Modified' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, 
native_type='unsigned short')]], 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 11, native_type='unsigned short')]], 'RemovalRequested' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 14, native_type='unsigned short')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'ParityError' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], } ], '_IO_COUNTERS' : [ 0x30, { 'ReadOperationCount' : [ 0x0, ['unsigned long long']], 'WriteOperationCount' : [ 0x8, ['unsigned long long']], 'OtherOperationCount' : [ 0x10, ['unsigned long long']], 'ReadTransferCount' : [ 0x18, ['unsigned long long']], 'WriteTransferCount' : [ 0x20, ['unsigned long long']], 'OtherTransferCount' : [ 0x28, ['unsigned long long']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x80, { 'IdleCount' : [ 0x0, ['long']], 'ConservationIdleTime' : [ 0x4, ['unsigned long']], 'PerformanceIdleTime' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x18, ['_LIST_ENTRY']], 'DeviceType' : [ 0x28, ['unsigned char']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x30, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x40, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x50, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x70, ['_LIST_ENTRY']], } ], 
'_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'BeingTrimmed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'SessionLeader' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Available0' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'GrowWsleHash' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'AcquiredUnsafe' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Available' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'PROCESSOR_PERF_STATE' : [ 0x20, { 'PercentFrequency' : [ 0x0, ['unsigned char']], 'MinCapacity' : [ 0x1, ['unsigned char']], 'Power' : [ 0x2, ['unsigned short']], 'IncreaseLevel' : [ 0x4, ['unsigned char']], 'DecreaseLevel' : [ 0x5, 
['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'IncreaseTime' : [ 0x8, ['unsigned long']], 'DecreaseTime' : [ 0xc, ['unsigned long']], 'IncreaseCount' : [ 0x10, ['unsigned long']], 'DecreaseCount' : [ 0x14, ['unsigned long']], 'PerformanceTime' : [ 0x18, ['unsigned long long']], } ], 'PROCESSOR_IDLE_TIMES' : [ 0x20, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], 'IdleHandlerReserved' : [ 0x10, ['array', 4, ['unsigned long']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_MMMOD_WRITER_LISTHEAD' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Event' : [ 0x10, ['_KEVENT']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 
'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_POP_THERMAL_ZONE' : [ 0x120, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x10, ['unsigned char']], 'Flags' : [ 0x11, ['unsigned char']], 'Mode' : [ 0x12, ['unsigned char']], 'PendingMode' : [ 0x13, ['unsigned char']], 'ActivePoint' : [ 0x14, ['unsigned char']], 'PendingActivePoint' : [ 0x15, ['unsigned char']], 'Throttle' : [ 0x18, ['long']], 'LastTime' : [ 0x20, ['unsigned long long']], 'SampleRate' : [ 0x28, ['unsigned long']], 'LastTemp' : [ 0x2c, ['unsigned long']], 'PassiveTimer' : [ 0x30, ['_KTIMER']], 'PassiveDpc' : [ 0x70, ['_KDPC']], 'OverThrottled' : [ 0xb0, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0xc0, ['pointer64', ['_IRP']]], 'Info' : [ 0xc8, ['_THERMAL_INFORMATION']], } ], '_DBGKD_CONTINUE2' : 
[ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x18, ['unsigned long']], 'ObjectMask' : [ 0x1c, ['unsigned long']], } ], '_PROCESSOR_POWER_POLICY' : [ 0x4c, { 'Revision' : [ 0x0, ['unsigned long']], 'DynamicThrottle' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'DisableCStates' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'PolicyCount' : [ 0xc, ['unsigned long']], 'Policy' : [ 0x10, ['array', 3, ['_PROCESSOR_POWER_POLICY_INFO']]], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } 
], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned long long']], 'OwnerCount' : [ 0x8, ['long']], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_RTL_ATOM_TABLE' : [ 0x70, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x8, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x30, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x60, ['unsigned long']], 'Buckets' : [ 0x68, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_TEB64' : [ 0x17d8, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes1' : [ 0x2d0, ['array', 28, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' 
: [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['unsigned short']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 14, ['unsigned long long']]], 'SubProcessTag' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'InDbgPrint' : [ 0x1744, ['unsigned char']], 'FreeStackOnTermination' : [ 0x1745, ['unsigned char']], 'HasFiberData' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SparePointer1' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'SoftPatchPtr2' : [ 0x1778, ['unsigned long long']], 
'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'ImpersonationLocale' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'SafeThunkCall' : [ 0x17d0, ['unsigned char']], 'BooleanSpare' : [ 0x17d1, ['array', 3, ['unsigned char']]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long 
long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_CMHIVE' : [ 0xab8, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x578, ['array', 3, ['pointer64', ['void']]]], 'NotifyList' : [ 0x590, ['_LIST_ENTRY']], 'HiveList' : [ 0x5a0, ['_LIST_ENTRY']], 'HiveLock' : [ 0x5b0, ['_EX_PUSH_LOCK']], 'ViewLock' : [ 0x5b8, ['pointer64', ['_KGUARDED_MUTEX']]], 'WriterLock' : [ 0x5c0, ['_EX_PUSH_LOCK']], 'FlusherLock' : [ 0x5c8, ['_EX_PUSH_LOCK']], 'SecurityLock' : [ 0x5d0, ['_EX_PUSH_LOCK']], 'LRUViewListHead' : [ 0x5d8, ['_LIST_ENTRY']], 'PinViewListHead' : [ 0x5e8, ['_LIST_ENTRY']], 'FileObject' : [ 0x5f8, ['pointer64', ['_FILE_OBJECT']]], 'FileFullPath' : [ 0x600, ['_UNICODE_STRING']], 'FileUserName' : [ 0x610, ['_UNICODE_STRING']], 'MappedViews' : [ 0x620, ['unsigned short']], 'PinnedViews' : [ 0x622, ['unsigned short']], 'UseCount' : [ 0x624, ['unsigned long']], 'SecurityCount' : [ 0x628, ['unsigned long']], 'SecurityCacheSize' : [ 0x62c, ['unsigned long']], 'SecurityHitHint' : [ 0x630, ['long']], 'SecurityCache' : [ 0x638, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x640, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEvent' : [ 0xa40, ['pointer64', ['_KEVENT']]], 'RootKcb' : [ 0xa48, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0xa50, ['unsigned char']], 'UnloadWorkItem' : [ 0xa58, ['pointer64', ['_WORK_QUEUE_ITEM']]], 'GrowOnlyMode' : [ 0xa60, ['unsigned char']], 'GrowOffset' : [ 0xa64, ['unsigned long']], 'KcbConvertListHead' : [ 0xa68, ['_LIST_ENTRY']], 
'KnodeConvertListHead' : [ 0xa78, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xa88, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0xa90, ['unsigned long']], 'TrustClassEntry' : [ 0xa98, ['_LIST_ENTRY']], 'FlushCount' : [ 0xaa8, ['unsigned long']], 'CreatorOwner' : [ 0xab0, ['pointer64', ['_KTHREAD']]], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], '_HHIVE' : [ 0x578, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'ReleaseCellRoutine' : [ 0x10, ['pointer64', ['void']]], 'Allocate' : [ 0x18, ['pointer64', ['void']]], 'Free' : [ 0x20, ['pointer64', ['void']]], 'FileSetSize' : [ 0x28, ['pointer64', ['void']]], 'FileWrite' : [ 0x30, ['pointer64', ['void']]], 'FileRead' : [ 0x38, ['pointer64', ['void']]], 'FileFlush' : [ 0x40, ['pointer64', ['void']]], 'BaseBlock' : [ 0x48, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x50, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x60, ['unsigned long']], 'DirtyAlloc' : [ 0x64, ['unsigned long']], 'BaseBlockAlloc' : [ 0x68, ['unsigned long']], 'Cluster' : [ 0x6c, ['unsigned long']], 'Flat' : [ 0x70, ['unsigned char']], 'ReadOnly' : [ 0x71, ['unsigned char']], 'Log' : [ 0x72, ['unsigned char']], 'DirtyFlag' : [ 0x73, ['unsigned char']], 'HiveFlags' : [ 0x74, ['unsigned long']], 'LogSize' : [ 0x78, ['unsigned long']], 'RefreshCount' : [ 0x7c, ['unsigned 
long']], 'StorageTypeCount' : [ 0x80, ['unsigned long']], 'Version' : [ 0x84, ['unsigned long']], 'Storage' : [ 0x88, ['array', 2, ['_DUAL']]], } ], '_PAGEFAULT_HISTORY' : [ 0x28, { 'CurrentIndex' : [ 0x0, ['unsigned long']], 'MaxIndex' : [ 0x4, ['unsigned long']], 'SpinLock' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x10, ['pointer64', ['void']]], 'WatchInfo' : [ 0x18, ['array', 1, ['_PROCESS_WS_WATCH_INFORMATION']]], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x18, { 'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned char']], 'NameLength' : [ 0xf, ['unsigned char']], 'Name' : [ 0x10, ['array', 1, ['unsigned short']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x48, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ParseContext' : [ 0x10, ['pointer64', ['void']]], 'ProbeMode' : [ 0x18, ['unsigned char']], 'PagedPoolCharge' : [ 0x1c, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x20, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x24, ['unsigned long']], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'SecurityQos' : [ 0x30, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x38, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '__unnamed_1587' : [ 
0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_1587']], 'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x8, { 'PolicyElements' : [ 0x0, ['_SEP_AUDIT_POLICY_CATEGORIES']], 'PolicyOverlay' : [ 0x0, ['_SEP_AUDIT_POLICY_OVERLAY']], 'Overlay' : [ 0x0, ['unsigned long long']], } ], '_PEB32' : [ 0x230, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, ['unsigned long']], 'SparePtr2' : [ 0x24, ['unsigned long']], 'EnvironmentUpdateCount' : [ 0x28, ['unsigned long']], 'KernelCallbackTable' : [ 0x2c, ['unsigned long']], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x34, ['unsigned long']], 'FreeList' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'ReadOnlySharedMemoryHeap' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['unsigned long']], 'OSMajorVersion' : [ 
0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']], 'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], } ], '_MBCB' : [ 0xb8, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x58, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x88, ['_BITMAP_RANGE']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x20, { 'Signature' : [ 0x0, 
['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_VIEW_OF_FILE' : [ 0x40, { 'LRUViewList' : [ 0x0, ['_LIST_ENTRY']], 'PinViewList' : [ 0x10, ['_LIST_ENTRY']], 'FileOffset' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'ViewAddress' : [ 0x28, ['pointer64', ['unsigned long long']]], 'Bcb' : [ 0x30, ['pointer64', ['void']]], 'UseCount' : [ 0x38, ['unsigned long']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '_KUSER_SHARED_DATA' : [ 0x378, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['unsigned short']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, 
['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'TraceLogging' : [ 0x2f0, ['unsigned long']], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], 'Wow64SharedInformation' : [ 0x334, ['array', 16, ['unsigned long']]], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x70, { 'Length' : [ 0x0, ['unsigned short']], 'UseDefaultObject' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x3, ['unsigned char']], 'InvalidAttributes' : [ 0x4, ['unsigned long']], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x18, ['unsigned long']], 'SecurityRequired' : [ 0x1c, ['unsigned char']], 'MaintainHandleCount' : [ 0x1d, ['unsigned char']], 'MaintainTypeList' : [ 0x1e, ['unsigned char']], 'PoolType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 
'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x24, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', ['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], } ], '_KPROCESSOR_STATE' : [ 0x5b0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], '__unnamed_15db' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_15e1' : [ 0x8, { 'Banked' : [ 0x0, ['pointer64', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x68, { 'u1' : [ 0x0, ['__unnamed_1182']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_1185']], 'ControlArea' : [ 0x30, ['pointer64', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x38, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x40, ['pointer64', ['_MMPTE']]], 'u2' : [ 0x48, ['__unnamed_118a']], 'u3' : [ 0x50, ['__unnamed_15db']], 'u4' : [ 0x60, ['__unnamed_15e1']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_POOL_DESCRIPTOR' : [ 0x1048, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['unsigned long']], 'RunningDeAllocs' : [ 0xc, ['unsigned long']], 'TotalPages' : [ 0x10, ['unsigned long']], 'TotalBigPages' : [ 0x14, ['unsigned long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x20, ['pointer64', ['void']]], 'PendingFrees' : [ 0x28, ['pointer64', ['void']]], 'PendingFreeDepth' : [ 0x30, ['long']], 'TotalBytes' : [ 0x38, ['unsigned long long']], 'Spare0' : [ 0x40, ['unsigned long long']], 'ListHeads' : [ 0x48, ['array', 256, ['_LIST_ENTRY']]], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 
'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_WOW64_PROCESS' : [ 0x8, { 'Wow64' : [ 0x0, ['pointer64', ['void']]], } ], '_PEB_LDR_DATA' : [ 0x48, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ],
'_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_MM_PAGED_POOL_INFO' : [ 0x40, { 'PagedPoolAllocationMap' : [ 0x0, ['pointer64', ['_RTL_BITMAP']]], 'EndOfPagedPoolBitmap' : [ 0x8, ['pointer64', ['_RTL_BITMAP']]], 'FirstPteForPagedPool' : [ 0x10, ['pointer64', ['_MMPTE']]], 'LastPteForPagedPool' : [ 0x18, ['pointer64', ['_MMPTE']]], 'NextPdeForPagedPoolExpansion' : [ 0x20, ['pointer64', ['_MMPTE']]], 'PagedPoolHint' : [ 0x28, ['unsigned long']], 'PagedPoolCommit' : [ 0x30, ['unsigned long long']], 'AllocatedPagedPool' : [ 0x38, ['unsigned long long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, ['array', 32, ['unsigned short']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4,
['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_MMSESSION' : [ 0x68, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x38, ['pointer64', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewStart' : [ 0x40, ['pointer64', ['unsigned char']]], 'SystemSpaceViewTable' : [ 0x48, ['pointer64', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x50, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x54, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x58, ['unsigned long']], 'BitmapFailures' : [ 0x5c, ['unsigned long']], 'SystemSpaceBitMap' : [ 0x60, ['pointer64', ['_RTL_BITMAP']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY_OVERLAY' : [ 0x8, { 'PolicyBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'SetBit' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['unsigned long']], 'NumberOfPages' : [ 0xc, ['unsigned long']], 'QuotaObject' : [ 0x10, ['pointer64', ['void']]], } ], '_PROCESS_WS_WATCH_INFORMATION' : [ 0x10, { 'FaultingPc' : [ 0x0, ['pointer64', ['void']]], 'FaultingVa' : [ 0x8, ['pointer64', ['void']]], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, 
native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, ['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'Active' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x48, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x48, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x48, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, 
['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned long long']], 'R12' : [ 0xd8, ['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XMM_SAVE_AREA32']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, 
['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_MMPTE_HARDWARE_LARGEPAGE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PAT' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 21, native_type='unsigned long long')]],
'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 40, native_type='unsigned long long')]], 'reserved2' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 64, native_type='unsigned long long')]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], '_PCI_PDO_EXTENSION' : [ 0x120, { 'Next' : [ 0x0, ['pointer64', ['_PCI_PDO_EXTENSION']]], 'ExtensionType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x10, ['pointer64', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0x18, ['unsigned char']], 'TentativeNextState' : [ 0x19, ['unsigned char']], 'SecondaryExtLock' : [ 0x20, ['_KEVENT']], 'Slot' : [ 0x38, ['_PCI_SLOT_NUMBER']], 'PhysicalDeviceObject' : [ 0x40, ['pointer64', ['_DEVICE_OBJECT']]], 'ParentFdoExtension' : [ 0x48, ['pointer64', ['_PCI_FDO_EXTENSION']]], 'SecondaryExtension' : [ 0x50, ['_SINGLE_LIST_ENTRY']], 'BusInterfaceReferenceCount' : [ 0x58, ['unsigned long']], 'AgpInterfaceReferenceCount' : [ 0x5c, ['unsigned long']], 'VendorId' : [ 0x60, ['unsigned short']], 'DeviceId' : [ 0x62, ['unsigned short']], 'SubsystemVendorId' : [ 0x64, ['unsigned short']], 'SubsystemId' : [ 0x66, ['unsigned short']], 'RevisionId' : [ 0x68, ['unsigned char']], 'ProgIf' : [ 0x69, ['unsigned char']],
'SubClass' : [ 0x6a, ['unsigned char']], 'BaseClass' : [ 0x6b, ['unsigned char']], 'AdditionalResourceCount' : [ 0x6c, ['unsigned char']], 'AdjustedInterruptLine' : [ 0x6d, ['unsigned char']], 'InterruptPin' : [ 0x6e, ['unsigned char']], 'RawInterruptLine' : [ 0x6f, ['unsigned char']], 'CapabilitiesPtr' : [ 0x70, ['unsigned char']], 'SavedLatencyTimer' : [ 0x71, ['unsigned char']], 'SavedCacheLineSize' : [ 0x72, ['unsigned char']], 'HeaderType' : [ 0x73, ['unsigned char']], 'NotPresent' : [ 0x74, ['unsigned char']], 'ReportedMissing' : [ 0x75, ['unsigned char']], 'ExpectedWritebackFailure' : [ 0x76, ['unsigned char']], 'NoTouchPmeEnable' : [ 0x77, ['unsigned char']], 'LegacyDriver' : [ 0x78, ['unsigned char']], 'UpdateHardware' : [ 0x79, ['unsigned char']], 'MovedDevice' : [ 0x7a, ['unsigned char']], 'DisablePowerDown' : [ 0x7b, ['unsigned char']], 'NeedsHotPlugConfiguration' : [ 0x7c, ['unsigned char']], 'IDEInNativeMode' : [ 0x7d, ['unsigned char']], 'BIOSAllowsIDESwitchToNativeMode' : [ 0x7e, ['unsigned char']], 'IoSpaceUnderNativeIdeControl' : [ 0x7f, ['unsigned char']], 'OnDebugPath' : [ 0x80, ['unsigned char']], 'IoSpaceNotRequired' : [ 0x81, ['unsigned char']], 'PowerState' : [ 0x88, ['PCI_POWER_STATE']], 'Dependent' : [ 0xd8, ['PCI_HEADER_TYPE_DEPENDENT']], 'HackFlags' : [ 0xe0, ['unsigned long long']], 'Resources' : [ 0xe8, ['pointer64', ['PCI_FUNCTION_RESOURCES']]], 'BridgeFdoExtension' : [ 0xf0, ['pointer64', ['_PCI_FDO_EXTENSION']]], 'NextBridge' : [ 0xf8, ['pointer64', ['_PCI_PDO_EXTENSION']]], 'NextHashEntry' : [ 0x100, ['pointer64', ['_PCI_PDO_EXTENSION']]], 'Lock' : [ 0x108, ['_PCI_LOCK']], 'PowerCapabilities' : [ 0x118, ['_PCI_PMC']], 'TargetAgpCapabilityId' : [ 0x11a, ['unsigned char']], 'CommandEnables' : [ 0x11c, ['unsigned short']], 'InitialCommand' : [ 0x11e, ['unsigned short']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [
0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '__unnamed_1650' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1652' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_1650']], 'Merged' : [ 0x10, ['__unnamed_1652']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, ['pointer64', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x28, ['unsigned char']], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_DEVICE_MAP' : [ 0x38, { 'DosDevicesDirectory' : [ 
0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'ReferenceCount' : [ 0x10, ['unsigned long']], 'DriveMap' : [ 0x14, ['unsigned long']], 'DriveType' : [ 0x18, ['array', 32, ['unsigned char']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x38, { 'BasePhysicalPage' : [ 0x0, ['unsigned long long']], 'BasedPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'BankSize' : [ 0x10, ['unsigned long']], 'BankShift' : [ 0x14, ['unsigned long']], 'BankedRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'CurrentMappedPte' : [ 0x28, ['pointer64', ['_MMPTE']]], 'BankTemplate' : [ 0x30, ['array', 1, ['_MMPTE']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : [ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, ['unsigned long long']], 'Rsp2' : [ 0x14, ['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 
0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, ['unsigned long long']], 'TimeStamp' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 0x118, ['unsigned long long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'LastBranchControl' : [ 0x108, ['unsigned long long']], 'LastBranchMSR' : [ 0x110, ['unsigned long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']],
'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill1' : [ 0x172, ['array', 3, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['array', 1, ['unsigned short']]], 'CodePatchCycle' : [ 0x18c, ['long']], } ], '__unnamed_1680' : [ 0x5, { 'Acquired' : [ 0x0, ['unsigned char']], 'CacheLineSize' : [ 0x1, ['unsigned char']], 'LatencyTimer' : [ 0x2, ['unsigned char']], 'EnablePERR' : [ 0x3, ['unsigned char']], 'EnableSERR' : [ 0x4, ['unsigned char']], } ], '_PCI_FDO_EXTENSION' : [ 0x130, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x10, ['pointer64', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0x18, ['unsigned char']], 'TentativeNextState' : [ 0x19, ['unsigned char']], 'SecondaryExtLock' : [ 0x20, ['_KEVENT']], 'PhysicalDeviceObject' : [ 0x38, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalDeviceObject' : [ 0x40, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDeviceObject' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'ChildListLock' : [ 0x50, ['_KEVENT']], 'ChildPdoList' : [ 0x68, ['pointer64', ['_PCI_PDO_EXTENSION']]], 'BusRootFdoExtension' : [ 0x70,
['pointer64', ['_PCI_FDO_EXTENSION']]], 'ParentFdoExtension' : [ 0x78, ['pointer64', ['_PCI_FDO_EXTENSION']]], 'ChildBridgePdoList' : [ 0x80, ['pointer64', ['_PCI_PDO_EXTENSION']]], 'PciBusInterface' : [ 0x88, ['pointer64', ['_PCI_BUS_INTERFACE_STANDARD']]], 'MaxSubordinateBus' : [ 0x90, ['unsigned char']], 'BusHandler' : [ 0x98, ['pointer64', ['_BUS_HANDLER']]], 'BaseBus' : [ 0xa0, ['unsigned char']], 'Fake' : [ 0xa1, ['unsigned char']], 'ChildDelete' : [ 0xa2, ['unsigned char']], 'Scanned' : [ 0xa3, ['unsigned char']], 'ArbitersInitialized' : [ 0xa4, ['unsigned char']], 'BrokenVideoHackApplied' : [ 0xa5, ['unsigned char']], 'Hibernated' : [ 0xa6, ['unsigned char']], 'PowerState' : [ 0xa8, ['PCI_POWER_STATE']], 'SecondaryExtension' : [ 0xf8, ['_SINGLE_LIST_ENTRY']], 'ChildWaitWakeCount' : [ 0x100, ['unsigned long']], 'PreservedConfig' : [ 0x108, ['pointer64', ['_PCI_COMMON_CONFIG']]], 'Lock' : [ 0x110, ['_PCI_LOCK']], 'HotPlugParameters' : [ 0x120, ['__unnamed_1680']], 'BusHackFlags' : [ 0x128, ['unsigned long']], } ], '__unnamed_1684' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1686' : [ 0x10, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1688' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_168a' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_168c' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_168e' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1690' : [ 0x10, { 'Generic' : [ 0x0, ['__unnamed_1684']], 'Port' : [ 0x0, ['__unnamed_1684']], 'Interrupt' : [ 0x0, ['__unnamed_1686']], 'Memory' : [ 0x0, 
['__unnamed_1684']], 'Dma' : [ 0x0, ['__unnamed_1688']], 'DevicePrivate' : [ 0x0, ['__unnamed_168a']], 'BusNumber' : [ 0x0, ['__unnamed_168c']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_168e']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1690']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', ['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'RequestSummary' : [ 0x0, ['long long']], 'RequestPacket' : [ 0x8, ['_KREQUEST_PACKET']], 'Virtual' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0xa8, { 'RefCount' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x18, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x20, ['unsigned long']], 'ParentKcb' : [ 0x28, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x30, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 
0x38, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x40, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x50, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x50, ['unsigned long']], 'SubKeyCount' : [ 0x50, ['unsigned long']], 'KeyBodyListHead' : [ 0x58, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x58, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x68, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'DelayCloseEntry' : [ 0x88, ['pointer64', ['void']]], 'KcbLastWriteTime' : [ 0x90, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x98, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x9a, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x9c, ['unsigned long']], 'RealKeyName' : [ 0xa0, ['pointer64', ['unsigned char']]], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_PCI_BUS_INTERFACE_STANDARD' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ReadConfig' : [ 0x20, ['pointer64', ['void']]], 'WriteConfig' : [ 0x28, ['pointer64', ['void']]], 'PinToLine' : [ 0x30, ['pointer64', ['void']]], 'LineToPin' : [ 0x38, ['pointer64', ['void']]], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'Level' : [ 0x20, ['unsigned long']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_KTIMER' : [ 
0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x18, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Dpc' : [ 0x30, ['pointer64', ['_KDPC']]], 'Period' : [ 0x38, ['long']], } ], '_SEP_AUDIT_POLICY_CATEGORIES' : [ 0x8, { 'System' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'Logon' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'ObjectAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'PrivilegeUse' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'DetailedTracking' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'PolicyChange' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'AccountManagement' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 28, native_type='unsigned long')]], 'DirectoryServiceAccess' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'AccountLogon' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], } ], '_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '__unnamed_16d3' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_16d8' : [ 0x10, { 'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_16da' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_16d8']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_16e2' : [ 0x50, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 
'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_16e4' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_16e2']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, ['__unnamed_16d3']], 'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : [ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : [ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_16da']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 0x78, ['__unnamed_16e4']], } ], '_PCI_LOCK' : [ 0x10, { 'Atom' : [ 0x0, ['unsigned long long']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '__unnamed_16f2' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], 
} ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_16f2']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '__unnamed_16f8' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyInitiatePowerActionAPI', 4: 'PolicySetPowerStateAPI', 5: 'PolicyImmediateDozeS4', 6: 'PolicySystemIdle'})]], 'Flags' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'Battery' : [ 0x8, ['__unnamed_16f8']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], } ], '_ETIMER' : [ 0x108, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x40, ['_KAPC']], 'TimerDpc' : [ 0x98, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Lock' : [ 0xe8, ['unsigned long long']], 'Period' : [ 0xf0, ['long']], 'ApcAssociated' : [ 0xf4, ['unsigned char']], 'WakeTimer' : [ 0xf5, ['unsigned char']], 'WakeTimerListEntry' : [ 0xf8, ['_LIST_ENTRY']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : 
[ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 
0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PCI_PMC' : [ 0x2, { 'Version' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PMEClock' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Rsvd1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DeviceSpecificInitialization' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Support' : [ 0x1, ['_PM_SUPPORT']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '__unnamed_1718' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_1718']], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ], '__unnamed_1722' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_1722']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x3f0, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned 
long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_KSPECIAL_REGISTERS' : [ 0xd8, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned 
short']], 'Ldtr' : [ 0x72, ['unsigned short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 'ImageFileName' : [ 0x0, ['pointer64', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockQueuedSpinLock', 7: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 'LastAcquireTrace' : [ 
0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['unsigned long']], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_PEB_FREE_BLOCK' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_PEB_FREE_BLOCK']]], 'Size' : [ 0x8, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x48, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'WakeNeeded' : [ 0x18, ['unsigned char']], 'OrderLevel' : [ 0x19, ['unsigned char']], 'DeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'Node' : [ 0x28, ['pointer64', ['void']]], 'DeviceName' : [ 0x30, ['pointer64', ['unsigned short']]], 'DriverName' : [ 0x38, ['pointer64', ['unsigned short']]], 'ChildCount' : [ 0x40, ['unsigned long']], 'ActiveChild' : [ 0x44, ['unsigned long']], } ], '_MMPFNLIST' : [ 0x20, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], } ], '__unnamed_174c' : [ 0x4, { 'Spare' : [ 0x0, ['array', 4, ['unsigned char']]], } ], '__unnamed_174e' : [ 0x4, { 'PrimaryBus' : [ 0x0, ['unsigned char']], 'SecondaryBus' : [ 0x1, ['unsigned char']], 'SubordinateBus' : [ 0x2, ['unsigned char']], 'SubtractiveDecode' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsaBitSet' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'VgaBitSet' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 
'WeChangedBusNumbers' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsaBitRequired' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], } ], 'PCI_HEADER_TYPE_DEPENDENT' : [ 0x4, { 'type0' : [ 0x0, ['__unnamed_174c']], 'type1' : [ 0x0, ['__unnamed_174e']], 'type2' : [ 0x0, ['__unnamed_174e']], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_KINTERRUPT' : [ 0x80, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'ServiceContext' : [ 0x20, ['pointer64', ['void']]], 'SpinLock' : [ 0x28, ['unsigned long long']], 'TickCount' : [ 0x30, ['unsigned long']], 'ActualLock' : [ 0x38, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x40, ['pointer64', ['void']]], 'Vector' : [ 0x48, ['unsigned long']], 'Irql' : [ 0x4c, ['unsigned char']], 'SynchronizeIrql' : [ 0x4d, ['unsigned char']], 'FloatingSave' : [ 0x4e, ['unsigned char']], 'Connected' : [ 0x4f, ['unsigned char']], 'Number' : [ 0x50, ['unsigned char']], 'ShareVector' : [ 0x51, ['unsigned char']], 'Mode' : [ 0x54, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'ServiceCount' : [ 0x58, ['unsigned long']], 'DispatchCount' : [ 0x5c, ['unsigned long']], 'TrapFrame' : [ 0x60, ['pointer64', ['_KTRAP_FRAME']]], 'Reserved' : [ 0x68, ['pointer64', ['void']]], 'DispatchCode' : [ 0x70, ['array', 4, ['unsigned long']]], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned 
long']]], } ], '_PCI_ARBITER_INSTANCE' : [ 0x190, { 'Header' : [ 0x0, ['PCI_SECONDARY_EXTENSION']], 'Interface' : [ 0x18, ['pointer64', ['_PCI_INTERFACE']]], 'BusFdoExtension' : [ 0x20, ['pointer64', ['_PCI_FDO_EXTENSION']]], 'InstanceName' : [ 0x28, ['array', 24, ['unsigned short']]], 'CommonInstance' : [ 0x58, ['_ARBITER_INSTANCE']], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_PCI_MJ_DISPATCH_TABLE' : [ 0x40, { 'PnpIrpMaximumMinorFunction' : [ 0x0, ['unsigned long']], 'PnpIrpDispatchTable' : [ 0x8, ['pointer64', ['_PCI_MN_DISPATCH_TABLE']]], 'PowerIrpMaximumMinorFunction' : [ 0x10, ['unsigned long']], 'PowerIrpDispatchTable' : [ 0x18, ['pointer64', ['_PCI_MN_DISPATCH_TABLE']]], 'SystemControlIrpDispatchStyle' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'SystemControlIrpDispatchFunction' : [ 0x28, ['pointer64', ['void']]], 'OtherIrpDispatchStyle' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'OtherIrpDispatchFunction' : [ 0x38, ['pointer64', ['void']]], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Link' 
: [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_MMWSLENTRY' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_178e' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_1792' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', 
dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 0x4, ['__unnamed_178e']], 'Bits' : [ 0x4, ['__unnamed_1792']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_OBJECT_DIRECTORY' : [ 0x140, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'SessionId' : [ 0x138, ['unsigned long']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_KDPC_DATA' : [ 0x20, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], } ], '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 
0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_MMWSL' : [ 0x80, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer64', ['_MMWSLE']]], 'LastInitializedWsle' : [ 0x18, ['unsigned long']], 'NonDirectCount' : [ 0x1c, ['unsigned long']], 'HashTable' : [ 0x20, ['pointer64', ['_MMWSLE_HASH']]], 'HashTableSize' : [ 0x28, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x2c, ['unsigned long']], 'HashTableStart' : [ 0x30, ['pointer64', ['void']]], 'HighestPermittedHashAddress' : [ 0x38, ['pointer64', ['void']]], 'NumberOfImageWaiters' : [ 0x40, ['unsigned long']], 'VadBitMapHint' : [ 0x44, ['unsigned long']], 'HighestUserAddress' : [ 0x48, ['pointer64', ['void']]], 'MaximumUserPageTablePages' : [ 0x50, ['unsigned long']], 'MaximumUserPageDirectoryPages' : [ 0x54, ['unsigned long']], 'CommittedPageTables' : [ 0x58, ['pointer64', ['unsigned long']]], 'NumberOfCommittedPageDirectories' : [ 0x60, ['unsigned long']], 'CommittedPageDirectories' : [ 0x68, ['pointer64', ['unsigned long']]], 'NumberOfCommittedPageDirectoryParents' : [ 0x70, ['unsigned long']], 'CommittedPageDirectoryParents' : [ 0x78, ['array', 1, ['unsigned long long']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 
'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], 'PCI_FUNCTION_RESOURCES' : [ 0x170, { 'Limit' : [ 0x0, ['array', 7, ['_IO_RESOURCE_DESCRIPTOR']]], 'Current' : [ 0xe0, ['array', 7, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_KMUTANT' : [ 0x38, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '__unnamed_17c3' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_17c7' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x68, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'NonExtendedPtes' : [ 0xc, ['unsigned long']], 'Spare0' : [ 0x10, ['unsigned long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'SegmentPteTemplate' : [ 0x20, ['_MMPTE']], 'NumberOfCommittedPages' : [ 0x28, ['unsigned long long']], 'ExtendInfo' : [ 0x30, ['pointer64', ['_MMEXTEND_INFO']]], 'SegmentFlags' : [ 0x38, ['_SEGMENT_FLAGS']], 'BasedAddress' : [ 0x40, ['pointer64', ['void']]], 'u1' : [ 0x48, ['__unnamed_17c3']], 'u2' : [ 0x50, ['__unnamed_17c7']], 'PrototypePte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ThePtes' : [ 0x60, ['array', 1, ['_MMPTE']]], } ], '_PCI_COMMON_EXTENSION' : [ 0x38, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'ExtensionType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1768116272: 
'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x10, ['pointer64', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0x18, ['unsigned char']], 'TentativeNextState' : [ 0x19, ['unsigned char']], 'SecondaryExtLock' : [ 0x20, ['_KEVENT']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], 'StartAddress' : [ 0x28, ['pointer64', ['void']]], 'EndAddress' : [ 0x30, ['pointer64', ['void']]], 'Flags' : [ 0x38, ['unsigned long']], 'Signature' : [ 0x40, ['unsigned long long']], 'PoolPageHeaders' : [ 0x50, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x60, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x70, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x74, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x78, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x7c, ['unsigned long']], 'PagedBytes' : [ 0x80, ['unsigned long long']], 'NonPagedBytes' : [ 0x88, ['unsigned long long']], 'PeakPagedBytes' : [ 0x90, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x98, ['unsigned long long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x60, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, 
['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long long']], 'PrivateLinks' : [ 0x50, ['_LIST_ENTRY']], } ], '_RTL_HANDLE_TABLE' : [ 0x30, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x18, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x20, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x28, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_POP_IDLE_HANDLER' : [ 0x28, { 'Latency' : [ 0x0, ['unsigned long']], 'TimeCheck' : [ 0x4, ['unsigned long']], 'DemoteLimit' : [ 0x8, ['unsigned long']], 'PromoteLimit' : [ 0xc, ['unsigned long']], 'PromoteCount' : [ 0x10, ['unsigned long']], 'Demote' : [ 0x14, ['unsigned char']], 'Promote' : [ 0x15, ['unsigned char']], 'PromotePercent' : [ 0x16, ['unsigned char']], 'DemotePercent' : [ 0x17, ['unsigned char']], 'State' : [ 0x18, ['unsigned char']], 'Spare' : [ 0x19, ['array', 3, ['unsigned char']]], 'IdleFunction' : [ 0x20, ['pointer64', ['void']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']],
'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'spare2' : [ 0x11, ['array', 4, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6:
'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_DEVOBJ_EXTENSION' : [ 0x50, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', ['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_MMVIEW' : [ 0x10, { 'Entry' : [ 0x0, ['unsigned long long']], 'ControlArea' : [ 0x8, ['pointer64', ['_CONTROL_AREA']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], 'PCI_SECONDARY_EXTENSION' : [ 0x18, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 
1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'Destructor' : [ 0x10, ['pointer64', ['void']]], } ], '__unnamed_17f4' : [ 0x30, { 'type0' : [ 0x0, ['_PCI_HEADER_TYPE_0']], 'type1' : [ 0x0, ['_PCI_HEADER_TYPE_1']], 'type2' : [ 0x0, ['_PCI_HEADER_TYPE_2']], } ], '_PCI_COMMON_CONFIG' : [ 0x100, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'Command' : [ 0x4, ['unsigned short']], 'Status' : [ 0x6, ['unsigned short']], 'RevisionID' : [ 0x8, ['unsigned char']], 'ProgIf' : [ 0x9, ['unsigned char']], 'SubClass' : [ 0xa, ['unsigned char']], 'BaseClass' : [ 0xb, ['unsigned char']], 'CacheLineSize' : [ 0xc, ['unsigned char']], 'LatencyTimer' : [ 0xd, ['unsigned char']], 'HeaderType' : [ 0xe, ['unsigned char']], 'BIST' : [ 0xf, ['unsigned char']], 'u' : [ 0x10, ['__unnamed_17f4']], 'DeviceSpecific' : [ 0x40, ['array', 192, ['unsigned char']]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [ 0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, ['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 'GpValue' : [ 0x28, ['unsigned long']],
'ImageCharacteristics' : [ 0x2c, ['unsigned short']], 'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'Spare1' : [ 0x33, ['unsigned char']], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'Reserved' : [ 0x3c, ['array', 1, ['unsigned long']]], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['unsigned long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_KNODE' : [ 0x40, { 'DeadStackList' : [ 0x0, ['_SLIST_HEADER']], 'PfnDereferenceSListHead' : [ 0x10, ['_SLIST_HEADER']], 'Alignment' : [ 0x10, ['unsigned long long']], 'ProcessorMask' : [ 0x18, ['unsigned long long']], 'Color' : [ 0x20, ['unsigned char']], 'Seed' : [ 0x21, ['unsigned char']], 'NodeNumber' : [ 0x22, ['unsigned char']], 'Flags' : [ 0x23, ['_flags']], 'MmShiftedColor' : [ 0x24, ['unsigned long']], 'FreeCount' : [ 0x28, ['array', 2, ['unsigned long long']]], 'PfnDeferredList' : [ 0x38, ['pointer64', ['_SLIST_ENTRY']]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_SEGMENT_FLAGS' : [ 0x8, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' :
[ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', ['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_VI_DEADLOCK_THREAD' : [ 0x30, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' 
: [ 0x10, ['array', 310, ['unsigned long']]], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_PCI_INTERFACE' : [ 0x28, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'MinSize' : [ 0x8, ['unsigned short']], 'MinVersion' : [ 0xa, ['unsigned short']], 'MaxVersion' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned short']], 'ReferenceCount' : [ 0x10, ['long']], 'Signature' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'Constructor' : [ 0x18, ['pointer64', ['void']]], 'Initializer' : [ 0x20, ['pointer64', ['void']]], } ], '_POP_POWER_ACTION' : [ 0x50, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices 
= {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'IrpMinor' : [ 0x14, ['unsigned char']], 'SystemState' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x20, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x28, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x30, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'LastWakeState' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WakeTime' : [ 0x40, ['unsigned long long']], 'SleepTime' : [ 0x48, ['unsigned long long']], } ], '_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ], '_MMVAD_SHORT' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_1182']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, 
['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_1185']], } ], '__unnamed_183c' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_183c']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x88, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'Data' : [ 0x40, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 
0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_KGUARDED_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 64, native_type='unsigned long long')]], } ], '_KREQUEST_PACKET' : [ 0x20, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], 
'_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x30, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x18, ['unsigned long']], 'Descriptor' : [ 0x1c, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PROCESSOR_POWER_POLICY_INFO' : [ 0x14, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemoteLimit' : [ 0x4, ['unsigned long']], 'PromoteLimit' : [ 0x8, ['unsigned long']], 'DemotePercent' : [ 0xc, ['unsigned char']], 'PromotePercent' : [ 0xd, ['unsigned char']], 'Spare' : [ 0xe, ['array', 2, ['unsigned char']]], 'AllowDemotion' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AllowPromotion' : [ 0x10, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x10, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_ARBITER_INSTANCE' : [ 0x138, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['unsigned short']]], 'ResourceType' : [ 0x18, ['long']], 'Allocation' : [ 0x20, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x30, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x40, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x50, ['long']], 'Interface' : [ 0x58, ['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x60, ['unsigned long']], 'AllocationStack' : [ 0x68, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 
0x70, ['pointer64', ['void']]], 'PackResource' : [ 0x78, ['pointer64', ['void']]], 'UnpackResource' : [ 0x80, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x88, ['pointer64', ['void']]], 'TestAllocation' : [ 0x90, ['pointer64', ['void']]], 'RetestAllocation' : [ 0x98, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa0, ['pointer64', ['void']]], 'RollbackAllocation' : [ 0xa8, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb0, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xb8, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc0, ['pointer64', ['void']]], 'AddReserved' : [ 0xc8, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd0, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xd8, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe0, ['pointer64', ['void']]], 'GetNextAllocationRange' : [ 0xe8, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf0, ['pointer64', ['void']]], 'AddAllocation' : [ 0xf8, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x100, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x108, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x110, ['unsigned char']], 'Extension' : [ 0x118, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x120, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x128, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x130, ['pointer64', ['void']]], } ], '_BUS_HANDLER' : [ 0xb8, { 'Version' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ConfigurationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'Cmos', 1: 'EisaConfiguration', 2: 'Pos', 3: 'CbusConfiguration', 4: 'PCIConfiguration', 5: 'VMEConfiguration', 6: 
'NuBusConfiguration', 7: 'PCMCIAConfiguration', 8: 'MPIConfiguration', 9: 'MPSAConfiguration', 10: 'PNPISAConfiguration', 11: 'SgiInternalConfiguration', 12: 'MaximumBusDataType', -1: 'ConfigurationSpaceUndefined'})]], 'BusNumber' : [ 0xc, ['unsigned long']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'ParentHandler' : [ 0x18, ['pointer64', ['_BUS_HANDLER']]], 'BusData' : [ 0x20, ['pointer64', ['void']]], 'DeviceControlExtensionSize' : [ 0x28, ['unsigned long']], 'BusAddresses' : [ 0x30, ['pointer64', ['_SUPPORTED_RANGES']]], 'Reserved' : [ 0x38, ['array', 4, ['unsigned long']]], 'GetBusData' : [ 0x48, ['pointer64', ['void']]], 'SetBusData' : [ 0x50, ['pointer64', ['void']]], 'AdjustResourceList' : [ 0x58, ['pointer64', ['void']]], 'AssignSlotResources' : [ 0x60, ['pointer64', ['void']]], 'GetInterruptVector' : [ 0x68, ['pointer64', ['void']]], 'TranslateBusAddress' : [ 0x70, ['pointer64', ['void']]], 'Spare1' : [ 0x78, ['pointer64', ['void']]], 'Spare2' : [ 0x80, ['pointer64', ['void']]], 'Spare3' : [ 0x88, ['pointer64', ['void']]], 'Spare4' : [ 0x90, ['pointer64', ['void']]], 'Spare5' : [ 0x98, ['pointer64', ['void']]], 'Spare6' : [ 0xa0, ['pointer64', ['void']]], 'Spare7' : [ 0xa8, ['pointer64', ['void']]], 'Spare8' : [ 0xb0, ['pointer64', ['void']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_PCI_MN_DISPATCH_TABLE' : [ 0x10, { 'DispatchStyle' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 
'DispatchFunction' : [ 0x8, ['pointer64', ['void']]], } ], '_POP_DEVICE_SYS_STATE' : [ 0xba8, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Event' : [ 0x8, ['_KEVENT']], 'SpinLock' : [ 0x20, ['unsigned long long']], 'Thread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'GetNewDeviceList' : [ 0x30, ['unsigned char']], 'Order' : [ 0x38, ['_PO_DEVICE_NOTIFY_ORDER']], 'Status' : [ 0x448, ['long']], 'FailedDevice' : [ 0x450, ['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x458, ['unsigned char']], 'Cancelled' : [ 0x459, ['unsigned char']], 'IgnoreErrors' : [ 0x45a, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x45b, ['unsigned char']], 'WaitAny' : [ 0x45c, ['unsigned char']], 'WaitAll' : [ 0x45d, ['unsigned char']], 'PresentIrpQueue' : [ 0x460, ['_LIST_ENTRY']], 'Head' : [ 0x470, ['_POP_DEVICE_POWER_IRP']], 'PowerIrpState' : [ 0x4c8, ['array', 20, ['_POP_DEVICE_POWER_IRP']]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, ['pointer64', ['void']]], 'Detail' : [ 0x8, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_MMWSLE_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long']], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 
'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['unsigned short']]], } ], '_CM_KEY_BODY' : [ 0x30, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long long']], 'GrantedAccess' : [ 0x8, ['unsigned long']], 'GrantedAccessIndex' : [ 0x8, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xa, ['unsigned short']], 'NextFreeTableEntry' : [ 0x8, ['long']], } ], '_HEAP_USERDATA_HEADER' : [ 0x20, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer64', ['_HEAP_SUBSEGMENT']]], 'HeapHandle' : [ 0x8, ['pointer64', ['void']]], 'SizeIndex' : [ 0x10, ['unsigned long long']], 'Signature' : [ 0x18, ['unsigned long long']], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]], 'ServerSectionBase' : [ 0x48, ['pointer64', ['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0xc8, 
['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], 'PCI_POWER_STATE' : [ 0x50, { 'CurrentSystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentDeviceState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemWakeLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWakeLevel' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemStateMapping' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'WaitWakeIrp' : [ 0x30, ['pointer64', ['_IRP']]], 'SavedCancelRoutine' : [ 0x38, ['pointer64', ['void']]], 'Paging' : [ 0x40, ['long']], 'Hibernate' : [ 0x44, ['long']], 'CrashDump' : [ 0x48, ['long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_POOL_HACKER' : [ 0x30, { 
'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x10, ['array', 8, ['unsigned long']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '__unnamed_18e1' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'FileAttributes' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'EaLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_18e5' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_18e9' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_18eb' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_18ef' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 
'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_18f1' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_18f3' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 
31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], } ], '__unnamed_18f5' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0x18, ['unsigned char']], 'AdvanceOnly' : [ 0x19, ['unsigned char']], 'ClusterCount' : [ 0x18, 
['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_18f7' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', ['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 'EaIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_18f9' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_18fd' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsMaximumInformation'})]], } ], '__unnamed_18ff' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1901' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1903' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'IoControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1905' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1907' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1909' : [ 0x10, { 'Vpb' : [ 0x0, ['pointer64', ['_VPB']]], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_190d' : [ 0x8, { 'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1911' : [ 0x20, { 'Length' : [ 0x0, ['unsigned 
long']], 'StartSid' : [ 0x8, ['pointer64', ['void']]], 'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1915' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_1917' : [ 0x20, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'Size' : [ 0x8, ['unsigned short']], 'Version' : [ 0xa, ['unsigned short']], 'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_191b' : [ 0x8, { 'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_191d' : [ 0x8, { 'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_191f' : [ 0x20, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['void']]], 'Offset' : [ 0x10, ['unsigned long']], 'Length' : [ 0x18, ['unsigned long']], } ], '__unnamed_1921' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_1925' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_1929' : [ 0x10, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x8, ['unsigned long']], } ], '__unnamed_192d' : [ 0x10, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_192f' : [ 0x4, { 'PowerState' : [ 
0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_1933' : [ 0x8, { 'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]], } ], '__unnamed_1937' : [ 0x20, { 'SystemContext' : [ 0x0, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x10, ['_POWER_STATE']], 'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_1939' : [ 0x10, { 'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_193b' : [ 0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_193d' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_193f' : [ 0x20, { 'Create' : [ 0x0, ['__unnamed_18e1']], 'CreatePipe' : [ 0x0, ['__unnamed_18e5']], 'CreateMailslot' : [ 0x0, ['__unnamed_18e9']], 'Read' : [ 0x0, ['__unnamed_18eb']], 'Write' : [ 0x0, ['__unnamed_18eb']], 'QueryDirectory' : [ 0x0, ['__unnamed_18ef']], 'NotifyDirectory' : [ 0x0, ['__unnamed_18f1']], 'QueryFile' : [ 0x0, ['__unnamed_18f3']], 'SetFile' : [ 0x0, ['__unnamed_18f5']], 'QueryEa' : [ 0x0, ['__unnamed_18f7']], 'SetEa' : [ 0x0, ['__unnamed_18f9']], 
'QueryVolume' : [ 0x0, ['__unnamed_18fd']], 'SetVolume' : [ 0x0, ['__unnamed_18fd']], 'FileSystemControl' : [ 0x0, ['__unnamed_18ff']], 'LockControl' : [ 0x0, ['__unnamed_1901']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1903']], 'QuerySecurity' : [ 0x0, ['__unnamed_1905']], 'SetSecurity' : [ 0x0, ['__unnamed_1907']], 'MountVolume' : [ 0x0, ['__unnamed_1909']], 'VerifyVolume' : [ 0x0, ['__unnamed_1909']], 'Scsi' : [ 0x0, ['__unnamed_190d']], 'QueryQuota' : [ 0x0, ['__unnamed_1911']], 'SetQuota' : [ 0x0, ['__unnamed_18f9']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1915']], 'QueryInterface' : [ 0x0, ['__unnamed_1917']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_191b']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_191d']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_191f']], 'SetLock' : [ 0x0, ['__unnamed_1921']], 'QueryId' : [ 0x0, ['__unnamed_1925']], 'QueryDeviceText' : [ 0x0, ['__unnamed_1929']], 'UsageNotification' : [ 0x0, ['__unnamed_192d']], 'WaitWake' : [ 0x0, ['__unnamed_192f']], 'PowerSequence' : [ 0x0, ['__unnamed_1933']], 'Power' : [ 0x0, ['__unnamed_1937']], 'StartDevice' : [ 0x0, ['__unnamed_1939']], 'WMI' : [ 0x0, ['__unnamed_193b']], 'Others' : [ 0x0, ['__unnamed_193d']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_193f']], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } ], '__unnamed_1946' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1948' : [ 0x8, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned 
long']], } ], '__unnamed_194a' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_194c' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_194e' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1950' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1946']], 'Memory' : [ 0x0, ['__unnamed_1946']], 'Interrupt' : [ 0x0, ['__unnamed_1948']], 'Dma' : [ 0x0, ['__unnamed_194a']], 'Generic' : [ 0x0, ['__unnamed_1946']], 'DevicePrivate' : [ 0x0, ['__unnamed_168a']], 'BusNumber' : [ 0x0, ['__unnamed_194c']], 'ConfigData' : [ 0x0, ['__unnamed_194e']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1950']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ], '__unnamed_1959' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_195b' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1959']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_195d' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_195f' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_195d']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_195b']], 'u2' : [ 0x4, ['__unnamed_195f']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned 
long']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x70, ['array', 99, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 894, ['unsigned long']]], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, ['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x260, ['unsigned long']], 'FreeBins' : [ 0x268, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x20, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, ['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, 
{ 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_POP_HIBER_CONTEXT' : [ 0x150, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'LinkFile' : [ 0x6, ['unsigned char']], 'LinkFileHandle' : [ 0x8, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['unsigned long long']], 'MapFrozen' : [ 0x18, ['unsigned char']], 'MemoryMap' : [ 0x20, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x30, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x40, ['unsigned long']], 'NextCloneRange' : [ 0x48, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x50, ['unsigned long long']], 'LoaderMdl' : [ 0x58, ['pointer64', ['_MDL']]], 'Clones' : [ 0x60, ['pointer64', ['_MDL']]], 'NextClone' : [ 0x68, ['pointer64', ['unsigned char']]], 'NoClones' : [ 0x70, ['unsigned long long']], 'Spares' : [ 0x78, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x80, ['unsigned long long']], 'IoPage' : [ 0x88, ['pointer64', ['void']]], 'CurrentMcb' : [ 0x90, ['pointer64', ['void']]], 'DumpStack' : [ 0x98, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0xa0, ['pointer64', ['_KPROCESSOR_STATE']]], 'NoRanges' : [ 0xa8, ['unsigned long']], 'HiberVa' : [ 0xb0, ['unsigned long long']], 'HiberPte' : [ 0xb8, ['_LARGE_INTEGER']], 'Status' : [ 0xc0, ['long']], 'MemoryImage' : [ 0xc8, ['pointer64', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0xd0, ['pointer64', ['_PO_MEMORY_RANGE_ARRAY']]], 'CompressionWorkspace' : [ 0xd8, ['pointer64', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0xe0, ['pointer64', ['unsigned char']]], 'PerformanceStats' : [ 0xe8, ['pointer64', ['unsigned long']]], 'CompressionBlock' : [ 0xf0, ['pointer64', ['void']]], 'DmaIO' : [ 0xf8, ['pointer64', ['void']]], 'TemporaryHeap' : [ 0x100, 
['pointer64', ['void']]], 'PerfInfo' : [ 0x108, ['_PO_HIBER_PERF']], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_MMADDRESS_LIST' : [ 0x10, { 'StartVpn' : [ 0x0, ['unsigned long long']], 'EndVpn' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x110, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xa0, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0xa8, ['pointer64', ['void']]], 'PointersLength' : [ 0xb0, ['unsigned long']], 'ModulePrefix' : [ 0xb8, ['pointer64', ['unsigned short']]], 'DriverList' : [ 0xc0, ['_LIST_ENTRY']], 'InitMsg' : [ 0xd0, ['_STRING']], 'ProgMsg' : [ 0xe0, ['_STRING']], 'DoneMsg' : [ 0xf0, ['_STRING']], 'FileObject' : [ 0x100, ['pointer64', ['void']]], 'UsageType' : [ 0x108, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x28, { 'Code' : [ 0x0, ['unsigned long']], 'Parameter1' : [ 0x8, ['unsigned long long']], 'Parameter2' : [ 0x10, ['unsigned long long']], 'Parameter3' : [ 0x18, ['unsigned long long']], 'Parameter4' : [ 0x20, ['unsigned long long']], } ], '__unnamed_199a' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_199c' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_199a']], 'AsULONG' : [ 0x0, ['unsigned 
long']], } ], '_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_199c']], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_SUPPORTED_RANGES' : [ 0xc0, { 'Version' : [ 0x0, ['unsigned short']], 'Sorted' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'NoIO' : [ 0x4, ['unsigned long']], 'IO' : [ 0x8, ['_SUPPORTED_RANGE']], 'NoMemory' : [ 0x30, ['unsigned long']], 'Memory' : [ 0x38, ['_SUPPORTED_RANGE']], 'NoPrefetchMemory' : [ 0x60, ['unsigned long']], 'PrefetchMemory' : [ 0x68, ['_SUPPORTED_RANGE']], 'NoDma' : [ 0x90, 
['unsigned long']], 'Dma' : [ 0x98, ['_SUPPORTED_RANGE']], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_DRIVER_EXTENSION' : [ 0x38, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], } ], '_PM_SUPPORT' : [ 0x1, { 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'D1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'D2' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'PMED0' : [ 0x0, ['BitField', dict(start_bit = 
3, end_bit = 4, native_type='unsigned char')]], 'PMED1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PMED2' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'PMED3Hot' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'PMED3Cold' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_19cb' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '__unnamed_19cd' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '__unnamed_19d1' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '__unnamed_19d3' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '__unnamed_19d5' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_19d7' : [ 0x20, { 'TestAllocation' : [ 0x0, ['__unnamed_19cb']], 'RetestAllocation' : [ 0x0, ['__unnamed_19cb']], 'BootAllocation' : [ 0x0, ['__unnamed_19cd']], 'QueryAllocatedResources' : [ 0x0, ['__unnamed_19d1']], 'QueryConflict' : [ 0x0, ['__unnamed_19d3']], 'QueryArbitrate' : [ 0x0, ['__unnamed_19cd']], 'AddReserved' : [ 0x0, ['__unnamed_19d5']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_19d7']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 
6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0xc0, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'ImageType' : [ 0x1c, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'HiberPte' : [ 0x48, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x50, ['unsigned long']], 'FreeMapCheck' : [ 0x54, ['unsigned long']], 'WakeCheck' : [ 0x58, ['unsigned long']], 'TotalPages' : [ 0x60, ['unsigned long long']], 'FirstTablePage' : [ 0x68, ['unsigned long long']], 'LastFilePage' : [ 0x70, ['unsigned long long']], 'PerfInfo' : [ 0x78, ['_PO_HIBER_PERF']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x48, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, 
['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, 
['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', 7, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, 
['unsigned long']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Spare' : [ 0x28, ['array', 2, ['unsigned long']]], } ], '__unnamed_19fb' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['unsigned short']]], } ], '__unnamed_19fd' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_19ff' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_1a01' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceIds' : [ 0x8, ['array', 1, ['unsigned short']]], } ], '__unnamed_1a03' : [ 0x8, { 'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1a05' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1a07' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['unsigned short']]], } ], '__unnamed_1a09' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_1a0b' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_1a0d' : [ 0x18, { 'DeviceClass' : [ 0x0, ['__unnamed_19fb']], 'TargetDevice' : [ 0x0, ['__unnamed_19fd']], 'InstallDevice' : [ 0x0, ['__unnamed_19ff']], 'CustomNotification' : [ 0x0, 
['__unnamed_1a01']], 'ProfileNotification' : [ 0x0, ['__unnamed_1a03']], 'PowerNotification' : [ 0x0, ['__unnamed_1a05']], 'VetoNotification' : [ 0x0, ['__unnamed_1a07']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_1a09']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_1a0b']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x48, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'InvalidIDEvent', 10: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_1a0d']], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_PO_MEMORY_RANGE_ARRAY' : [ 0x20, { 'Range' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_RANGE']], 'Link' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], } ], '__unnamed_1a24' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_1a26' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_1a28' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_1a24']], 'Gpt' : [ 0x0, ['__unnamed_1a26']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xa0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 
'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_1a28']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_CM_NAME_HASH' : [ 0x18, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x10, ['unsigned short']], 'Name' : [ 0x12, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_PCI_HEADER_TYPE_0' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 6, ['unsigned long']]], 'CIS' : [ 0x18, ['unsigned long']], 'SubVendorID' : [ 0x1c, ['unsigned short']], 'SubSystemID' : [ 0x1e, ['unsigned short']], 'ROMBaseAddress' : [ 0x20, ['unsigned long']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned 
char']]], 'Reserved2' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'MinimumGrant' : [ 0x2e, ['unsigned char']], 'MaximumLatency' : [ 0x2f, ['unsigned char']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x410, { 'DevNodeSequence' : [ 0x0, ['unsigned long']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_FS_FILTER_CALLBACKS' : [ 0x68, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]], 'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x20, { 'PageNo' : [ 0x0, ['unsigned long long']], 'StartPage' : [ 0x8, ['unsigned long long']], 'EndPage' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : 
[ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x80, { 'LevelReady' : [ 0x0, ['_KEVENT']], 'DeviceCount' : [ 0x18, ['unsigned long']], 'ActiveCount' : [ 0x1c, ['unsigned long']], 'WaitSleep' : [ 0x20, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x30, ['_LIST_ENTRY']], 'Pending' : [ 0x40, ['_LIST_ENTRY']], 'Complete' : [ 0x50, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x60, ['_LIST_ENTRY']], 'WaitS0' : [ 0x70, ['_LIST_ENTRY']], } ], '__unnamed_1a58' : [ 0x8, { 'Base' : [ 0x0, ['unsigned long']], 'Limit' : [ 0x4, ['unsigned long']], } ], '_PCI_HEADER_TYPE_2' : [ 0x30, { 'SocketRegistersBaseAddress' : [ 0x0, ['unsigned long']], 'CapabilitiesPtr' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'SecondaryStatus' : [ 0x6, ['unsigned short']], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'Range' : [ 0xc, ['array', 4, ['__unnamed_1a58']]], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['unsigned short']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, 
['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x18, { 'Next' : [ 0x0, ['pointer64', ['_PO_MEMORY_RANGE_ARRAY']]], 'NextTable' : [ 0x8, ['unsigned long long']], 'CheckSum' : [ 0x10, ['unsigned long']], 'EntryCount' : [ 0x14, ['unsigned long']], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, ['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', 
['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_POP_DEVICE_POWER_IRP' : [ 0x58, { 'Free' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer64', ['_IRP']]], 'Notify' : [ 0x10, ['pointer64', ['_PO_DEVICE_NOTIFY']]], 'Pending' : [ 0x18, ['_LIST_ENTRY']], 'Complete' : [ 0x28, ['_LIST_ENTRY']], 'Abort' : [ 0x38, ['_LIST_ENTRY']], 'Failed' : [ 0x48, ['_LIST_ENTRY']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], } ], '_PCI_HEADER_TYPE_1' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 2, ['unsigned long']]], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'IOBase' : [ 0xc, ['unsigned char']], 'IOLimit' : [ 0xd, ['unsigned char']], 'SecondaryStatus' : [ 0xe, ['unsigned short']], 'MemoryBase' : [ 0x10, ['unsigned short']], 'MemoryLimit' : [ 0x12, ['unsigned short']], 'PrefetchBase' : [ 0x14, ['unsigned short']], 'PrefetchLimit' : [ 0x16, ['unsigned short']], 'PrefetchBaseUpper32' : [ 0x18, ['unsigned long']], 'PrefetchLimitUpper32' : [ 0x1c, ['unsigned long']], 'IOBaseUpper16' : [ 0x20, ['unsigned short']], 'IOLimitUpper16' : [ 0x22, ['unsigned short']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 
0x25, ['array', 3, ['unsigned char']]], 'ROMBaseAddress' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', ['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned 
long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_SUPPORTED_RANGE' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_SUPPORTED_RANGE']]], 'SystemAddressSpace' : [ 0x8, ['unsigned long']], 'SystemBase' : [ 0x10, ['long long']], 'Base' : [ 0x18, ['long long']], 'Limit' : [ 0x20, ['long long']], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['unsigned long']], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x10, ['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 
'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long']], 'Alignment' : [ 0x14, ['unsigned 
long']], 'Priority' : [ 0x18, ['long']], 'Flags' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x28, ['array', 3, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '__unnamed_1ae3' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_1ae5' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_1ae9' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_1aeb' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_1ae3']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_1ae5']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_1ae9']], 'Others' : [ 0x0, ['__unnamed_1aeb']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned 
char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], }

volatility-2.3.1/volatility/plugins/overlays/windows/vista_sp0_x64_syscalls.py

# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: MHL
@license: GNU General Public License 2.0
@contact: michael.ligh@mnin.org

This file provides support for Vista SP0 x64
"""

syscalls = [
    [
        'NtMapUserPhysicalPagesScatter', # 0x0
        'NtWaitForSingleObject', # 0x1
        'NtCallbackReturn', # 0x2
        'NtReadFile', # 0x3
        'NtDeviceIoControlFile', # 0x4
        'NtWriteFile', # 0x5
        'NtRemoveIoCompletion', # 0x6
        'NtReleaseSemaphore', # 0x7
        'NtReplyWaitReceivePort', # 0x8
        'NtReplyPort', # 0x9
        'NtSetInformationThread', # 0xa
        'NtSetEvent', # 0xb
        'NtClose', # 0xc
        'NtQueryObject', # 0xd
        'NtQueryInformationFile', # 0xe
        'NtOpenKey', # 0xf
        'NtEnumerateValueKey', # 0x10
        'NtFindAtom', # 0x11
        'NtQueryDefaultLocale', # 0x12
        'NtQueryKey', # 0x13
        'NtQueryValueKey', # 0x14
        'NtAllocateVirtualMemory', # 0x15
        'NtQueryInformationProcess', # 0x16
        'NtWaitForMultipleObjects32', # 0x17
        'NtWriteFileGather', # 0x18
        'NtSetInformationProcess', # 0x19
        'NtCreateKey', # 0x1a
        'NtFreeVirtualMemory', # 0x1b
        'NtImpersonateClientOfPort', # 0x1c
        'NtReleaseMutant', # 0x1d
        'NtQueryInformationToken', # 0x1e
        'NtRequestWaitReplyPort', # 0x1f
        'NtQueryVirtualMemory', # 0x20
        'NtOpenThreadToken', # 0x21
        'NtQueryInformationThread', # 0x22
        'NtOpenProcess', # 0x23
        'NtSetInformationFile', # 0x24
        'NtMapViewOfSection', # 0x25
        'NtAccessCheckAndAuditAlarm', # 0x26
        'NtUnmapViewOfSection', # 0x27
        'NtReplyWaitReceivePortEx', # 0x28
        'NtTerminateProcess', # 0x29
        'NtSetEventBoostPriority', # 0x2a
        'NtReadFileScatter', # 0x2b
        'NtOpenThreadTokenEx', # 0x2c
        'NtOpenProcessTokenEx', # 0x2d
        'NtQueryPerformanceCounter', # 0x2e
        'NtEnumerateKey', # 0x2f
        'NtOpenFile', # 0x30
        'NtDelayExecution', # 0x31
        'NtQueryDirectoryFile', # 0x32
        'NtQuerySystemInformation', # 0x33
        'NtOpenSection', # 0x34
        'NtQueryTimer', # 0x35
        'NtFsControlFile', # 0x36
        'NtWriteVirtualMemory', # 0x37
        'NtCloseObjectAuditAlarm', # 0x38
        'NtDuplicateObject', # 0x39
        'NtQueryAttributesFile', # 0x3a
        'NtClearEvent', # 0x3b
        'NtReadVirtualMemory', # 0x3c
        'NtOpenEvent', # 0x3d
        'NtAdjustPrivilegesToken', # 0x3e
        'NtDuplicateToken', # 0x3f
        'NtContinue', # 0x40
        'NtQueryDefaultUILanguage', # 0x41
        'NtQueueApcThread', # 0x42
        'NtYieldExecution', # 0x43
        'NtAddAtom', # 0x44
        'NtCreateEvent', # 0x45
        'NtQueryVolumeInformationFile', # 0x46
        'NtCreateSection', # 0x47
        'NtFlushBuffersFile', # 0x48
        'NtApphelpCacheControl', # 0x49
        'NtCreateProcessEx', # 0x4a
        'NtCreateThread', # 0x4b
        'NtIsProcessInJob', # 0x4c
        'NtProtectVirtualMemory', # 0x4d
        'NtQuerySection', # 0x4e
        'NtResumeThread', # 0x4f
        'NtTerminateThread', # 0x50
        'NtReadRequestData', # 0x51
        'NtCreateFile', # 0x52
        'NtQueryEvent', # 0x53
        'NtWriteRequestData', # 0x54
        'NtOpenDirectoryObject', # 0x55
        'NtAccessCheckByTypeAndAuditAlarm', # 0x56
        'NtQuerySystemTime', # 0x57
        'NtWaitForMultipleObjects', # 0x58
        'NtSetInformationObject', # 0x59
        'NtCancelIoFile', # 0x5a
        'NtTraceEvent', # 0x5b
        'NtPowerInformation', # 0x5c
        'NtSetValueKey', # 0x5d
        'NtCancelTimer', # 0x5e
        'NtSetTimer', # 0x5f
        'NtAcceptConnectPort', # 0x60
        'NtAccessCheck', # 0x61
        'NtAccessCheckByType', # 0x62
        'NtAccessCheckByTypeResultList', # 0x63
        'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x64
        'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x65
        'NtAcquireCMFViewOwnership', # 0x66
        'NtAddBootEntry', # 0x67
        'NtAddDriverEntry', # 0x68
        'NtAdjustGroupsToken', # 0x69
        'NtAlertResumeThread', # 0x6a
        'NtAlertThread', # 0x6b
        'NtAllocateLocallyUniqueId', # 0x6c
        'NtAllocateUserPhysicalPages', # 0x6d
        'NtAllocateUuids', # 0x6e
        'NtAlpcAcceptConnectPort', # 0x6f
        'NtAlpcCancelMessage', # 0x70
        'NtAlpcConnectPort', # 0x71
        'NtAlpcCreatePort', # 0x72
        'NtAlpcCreatePortSection', # 0x73
        'NtAlpcCreateResourceReserve', # 0x74
        'NtAlpcCreateSectionView', # 0x75
        'NtAlpcCreateSecurityContext', # 0x76
        'NtAlpcDeletePortSection', # 0x77
        'NtAlpcDeleteResourceReserve', # 0x78
        'NtAlpcDeleteSectionView', # 0x79
        'NtAlpcDeleteSecurityContext', # 0x7a
        'NtAlpcDisconnectPort', # 0x7b
        'NtAlpcImpersonateClientOfPort', # 0x7c
        'NtAlpcOpenSenderProcess', # 0x7d
        'NtAlpcOpenSenderThread', # 0x7e
        'NtAlpcQueryInformation', # 0x7f
        'NtAlpcQueryInformationMessage', # 0x80
        'NtAlpcRevokeSecurityContext', # 0x81
        'NtAlpcSendWaitReceivePort', # 0x82
        'NtAlpcSetInformation', # 0x83
        'NtAreMappedFilesTheSame', # 0x84
        'NtAssignProcessToJobObject', # 0x85
        'NtCancelDeviceWakeupRequest', # 0x86
        'NtCancelIoFileEx', # 0x87
        'NtCancelSynchronousIoFile', # 0x88
        'NtClearAllSavepointsTransaction', # 0x89
        'NtClearSavepointTransaction', # 0x8a
        'NtCommitComplete', # 0x8b
        'NtCommitEnlistment', # 0x8c
        'NtCommitTransaction', # 0x8d
        'NtCompactKeys', # 0x8e
        'NtCompareTokens', # 0x8f
        'NtCompleteConnectPort', # 0x90
        'NtCompressKey', # 0x91
        'NtConnectPort', # 0x92
        'NtCreateDebugObject', # 0x93
        'NtCreateDirectoryObject', # 0x94
        'NtCreateEnlistment', # 0x95
        'NtCreateEventPair', # 0x96
        'NtCreateIoCompletion', # 0x97
        'NtCreateJobObject', # 0x98
        'NtCreateJobSet', # 0x99
        'NtCreateKeyTransacted', # 0x9a
        'NtCreateKeyedEvent', # 0x9b
        'NtCreateMailslotFile', # 0x9c
        'NtCreateMutant', # 0x9d
        'NtCreateNamedPipeFile', # 0x9e
        'NtCreatePagingFile', # 0x9f
        'NtCreatePort', # 0xa0
        'NtCreatePrivateNamespace', # 0xa1
        'NtCreateProcess', # 0xa2
        'NtCreateProfile', # 0xa3
        'NtCreateResourceManager', # 0xa4
        'NtCreateSemaphore', # 0xa5
        'NtCreateSymbolicLinkObject', # 0xa6
        'NtCreateThreadEx', # 0xa7
        'NtCreateTimer', # 0xa8
        'NtCreateToken', # 0xa9
        'NtCreateTransaction', # 0xaa
        'NtCreateTransactionManager', # 0xab
        'NtCreateUserProcess', # 0xac
        'NtCreateWaitablePort', # 0xad
        'NtCreateWorkerFactory', # 0xae
        'NtDebugActiveProcess', # 0xaf
        'NtDebugContinue', # 0xb0
        'NtDeleteAtom', # 0xb1
        'NtDeleteBootEntry', # 0xb2
        'NtDeleteDriverEntry', # 0xb3
        'NtDeleteFile', # 0xb4
        'NtDeleteKey', # 0xb5
        'NtDeleteObjectAuditAlarm', # 0xb6
        'NtDeletePrivateNamespace', # 0xb7
        'NtDeleteValueKey', # 0xb8
        'NtDisplayString', # 0xb9
        'NtEnumerateBootEntries', # 0xba
        'NtEnumerateDriverEntries', # 0xbb
        'NtEnumerateSystemEnvironmentValuesEx', # 0xbc
        'NtEnumerateTransactionObject', # 0xbd
        'NtExtendSection', # 0xbe
        'NtFilterToken', # 0xbf
        'NtFlushInstallUILanguage', # 0xc0
        'NtFlushInstructionCache', # 0xc1
        'NtFlushKey', # 0xc2
        'NtFlushProcessWriteBuffers', # 0xc3
        'NtFlushVirtualMemory', # 0xc4
        'NtFlushWriteBuffer', # 0xc5
        'NtFreeUserPhysicalPages', # 0xc6
        'NtFreezeRegistry', # 0xc7
        'NtFreezeTransactions', # 0xc8
        'NtGetContextThread', # 0xc9
        'NtGetCurrentProcessorNumber', # 0xca
        'NtGetDevicePowerState', # 0xcb
        'NtGetMUIRegistryInfo', # 0xcc
        'NtGetNextProcess', # 0xcd
        'NtGetNextThread', # 0xce
        'NtGetNlsSectionPtr', # 0xcf
        'NtGetNotificationResourceManager', # 0xd0
        'NtGetPlugPlayEvent', # 0xd1
        'NtGetWriteWatch', # 0xd2
        'NtImpersonateAnonymousToken', # 0xd3
        'NtImpersonateThread', # 0xd4
        'NtInitializeNlsFiles', # 0xd5
        'NtInitializeRegistry', # 0xd6
        'NtInitiatePowerAction', # 0xd7
        'NtIsSystemResumeAutomatic', # 0xd8
        'NtIsUILanguageComitted', # 0xd9
        'NtListTransactions', # 0xda
        'NtListenPort', # 0xdb
        'NtLoadDriver', # 0xdc
        'NtLoadKey', # 0xdd
        'NtLoadKey2', # 0xde
        'NtLoadKeyEx', # 0xdf
        'NtLockFile', # 0xe0
        'NtLockProductActivationKeys', # 0xe1
        'NtLockRegistryKey', # 0xe2
        'NtLockVirtualMemory', # 0xe3
        'NtMakePermanentObject', # 0xe4
        'NtMakeTemporaryObject', # 0xe5
        'NtMapCMFModule', # 0xe6
        'NtMapUserPhysicalPages', # 0xe7
        'NtMarshallTransaction', # 0xe8
        'NtModifyBootEntry', # 0xe9
        'NtModifyDriverEntry', # 0xea
        'NtNotifyChangeDirectoryFile', # 0xeb
        'NtNotifyChangeKey', # 0xec
        'NtNotifyChangeMultipleKeys', # 0xed
        'NtOpenEnlistment', # 0xee
        'NtOpenEventPair', # 0xef
        'NtOpenIoCompletion', # 0xf0
        'NtOpenJobObject', # 0xf1
        'NtOpenKeyTransacted', # 0xf2
        'NtOpenKeyedEvent', # 0xf3
        'NtOpenMutant', # 0xf4
        'NtOpenObjectAuditAlarm', # 0xf5
        'NtOpenPrivateNamespace', # 0xf6
        'NtOpenProcessToken', # 0xf7
        'NtOpenResourceManager', # 0xf8
        'NtOpenSemaphore', # 0xf9
        'NtOpenSession', # 0xfa
        'NtOpenSymbolicLinkObject', # 0xfb
        'NtOpenThread', # 0xfc
        'NtOpenTimer', # 0xfd
        'NtOpenTransaction', # 0xfe
        'NtOpenTransactionManager', # 0xff
        'NtPlugPlayControl', # 0x100
        'NtPrePrepareComplete', # 0x101
        'NtPrePrepareEnlistment', # 0x102
        'NtPrepareComplete', # 0x103
        'NtPrepareEnlistment', # 0x104
        'NtPrivilegeCheck', # 0x105
        'NtPrivilegeObjectAuditAlarm', # 0x106
        'NtPrivilegedServiceAuditAlarm', # 0x107
        'NtPropagationComplete', # 0x108
        'NtPropagationFailed', # 0x109
        'NtPullTransaction', # 0x10a
        'NtPulseEvent', # 0x10b
        'NtQueryBootEntryOrder', # 0x10c
        'NtQueryBootOptions', # 0x10d
        'NtQueryDebugFilterState', # 0x10e
        'NtQueryDirectoryObject', # 0x10f
        'NtQueryDriverEntryOrder', # 0x110
        'NtQueryEaFile', # 0x111
        'NtQueryFullAttributesFile', # 0x112
        'NtQueryInformationAtom', # 0x113
        'NtQueryInformationEnlistment', # 0x114
        'NtQueryInformationJobObject', # 0x115
        'NtQueryInformationPort', # 0x116
        'NtQueryInformationResourceManager', # 0x117
        'NtQueryInformationTransaction', # 0x118
        'NtQueryInformationTransactionManager', # 0x119
        'NtQueryInformationWorkerFactory', # 0x11a
        'NtQueryInstallUILanguage', # 0x11b
        'NtQueryIntervalProfile', # 0x11c
        'NtQueryIoCompletion', # 0x11d
        'NtQueryLicenseValue', # 0x11e
        'NtQueryMultipleValueKey', # 0x11f
        'NtQueryMutant', # 0x120
        'NtQueryOpenSubKeys', # 0x121
        'NtQueryOpenSubKeysEx', # 0x122
        'NtQueryPortInformationProcess', # 0x123
        'NtQueryQuotaInformationFile', # 0x124
        'NtQuerySecurityObject', # 0x125
        'NtQuerySemaphore', # 0x126
        'NtQuerySymbolicLinkObject', # 0x127
        'NtQuerySystemEnvironmentValue', # 0x128
        'NtQuerySystemEnvironmentValueEx', # 0x129
        'NtQueryTimerResolution', # 0x12a
        'NtRaiseException', # 0x12b
        'NtRaiseHardError', # 0x12c
        'NtReadOnlyEnlistment', # 0x12d
        'NtRecoverEnlistment', # 0x12e
        'NtRecoverResourceManager', # 0x12f
        'NtRecoverTransactionManager', # 0x130
        'NtRegisterProtocolAddressInformation', # 0x131
        'NtRegisterThreadTerminatePort', # 0x132
        'NtReleaseCMFViewOwnership', # 0x133
        'NtReleaseKeyedEvent', # 0x134
        'NtReleaseWorkerFactoryWorker', # 0x135
        'NtRemoveIoCompletionEx', # 0x136
        'NtRemoveProcessDebug', # 0x137
        'NtRenameKey', # 0x138
        'NtReplaceKey', # 0x139
        'NtReplyWaitReplyPort', # 0x13a
        'NtRequestDeviceWakeup', # 0x13b
        'NtRequestPort', # 0x13c
        'NtRequestWakeupLatency', # 0x13d
        'NtResetEvent', # 0x13e
        'NtResetWriteWatch', # 0x13f
        'NtRestoreKey', # 0x140
        'NtResumeProcess', # 0x141
        'NtRollbackComplete', # 0x142
        'NtRollbackEnlistment', # 0x143
        'NtRollbackSavepointTransaction', # 0x144
        'NtRollbackTransaction', # 0x145
        'NtRollforwardTransactionManager', # 0x146
        'NtSaveKey', # 0x147
        'NtSaveKeyEx', # 0x148
        'NtSaveMergedKeys', # 0x149
        'NtSavepointComplete', # 0x14a
        'NtSavepointTransaction', # 0x14b
        'NtSecureConnectPort', # 0x14c
        'NtSetBootEntryOrder', # 0x14d
        'NtSetBootOptions', # 0x14e
        'NtSetContextThread', # 0x14f
        'NtSetDebugFilterState', # 0x150
        'NtSetDefaultHardErrorPort', # 0x151
        'NtSetDefaultLocale', # 0x152
        'NtSetDefaultUILanguage', # 0x153
        'NtSetDriverEntryOrder', # 0x154
        'NtSetEaFile', # 0x155
        'NtSetHighEventPair', # 0x156
        'NtSetHighWaitLowEventPair', # 0x157
        'NtSetInformationDebugObject', # 0x158
        'NtSetInformationEnlistment', # 0x159
        'NtSetInformationJobObject', # 0x15a
        'NtSetInformationKey', # 0x15b
        'NtSetInformationResourceManager', # 0x15c
        'NtSetInformationToken', # 0x15d
        'NtSetInformationTransaction', # 0x15e
        'NtSetInformationTransactionManager', # 0x15f
        'NtSetInformationWorkerFactory', # 0x160
        'NtSetIntervalProfile', # 0x161
        'NtSetIoCompletion', # 0x162
        'NtSetLdtEntries', # 0x163
        'NtSetLowEventPair', # 0x164
        'NtSetLowWaitHighEventPair', # 0x165
        'NtSetQuotaInformationFile', # 0x166
        'NtSetSecurityObject', # 0x167
        'NtSetSystemEnvironmentValue', # 0x168
        'NtSetSystemEnvironmentValueEx', # 0x169
        'NtSetSystemInformation', # 0x16a
        'NtSetSystemPowerState', # 0x16b
        'NtSetSystemTime', # 0x16c
        'NtSetThreadExecutionState', # 0x16d
        'NtSetTimerResolution', # 0x16e
        'NtSetUuidSeed', # 0x16f
        'NtSetVolumeInformationFile', # 0x170
        'NtShutdownSystem', # 0x171
        'NtShutdownWorkerFactory', # 0x172
        'NtSignalAndWaitForSingleObject', # 0x173
        'NtSinglePhaseReject', # 0x174
        'NtStartProfile', # 0x175
        'NtStartTm', # 0x176
        'NtStopProfile', # 0x177
        'NtSuspendProcess', # 0x178
        'NtSuspendThread', # 0x179
        'NtSystemDebugControl', # 0x17a
        'NtTerminateJobObject', # 0x17b
'NtTestAlert', # 0x17c 'NtThawRegistry', # 0x17d 'NtThawTransactions', # 0x17e 'NtTraceControl', # 0x17f 'NtTranslateFilePath', # 0x180 'NtUnloadDriver', # 0x181 'NtUnloadKey', # 0x182 'NtUnloadKey2', # 0x183 'NtUnloadKeyEx', # 0x184 'NtUnlockFile', # 0x185 'NtUnlockVirtualMemory', # 0x186 'NtVdmControl', # 0x187 'NtWaitForDebugEvent', # 0x188 'NtWaitForKeyedEvent', # 0x189 'NtWaitForWorkViaWorkerFactory', # 0x18a 'NtWaitHighEventPair', # 0x18b 'NtWaitLowEventPair', # 0x18c 'NtWorkerFactoryWorkerReady', # 0x18d ], [ 'NtUserGetThreadState', # 0x0 'NtUserPeekMessage', # 0x1 'NtUserCallOneParam', # 0x2 'NtUserGetKeyState', # 0x3 'NtUserInvalidateRect', # 0x4 'NtUserCallNoParam', # 0x5 'NtUserGetMessage', # 0x6 'NtUserMessageCall', # 0x7 'NtGdiBitBlt', # 0x8 'NtGdiGetCharSet', # 0x9 'NtUserGetDC', # 0xa 'NtGdiSelectBitmap', # 0xb 'NtUserWaitMessage', # 0xc 'NtUserTranslateMessage', # 0xd 'NtUserGetProp', # 0xe 'NtUserPostMessage', # 0xf 'NtUserQueryWindow', # 0x10 'NtUserTranslateAccelerator', # 0x11 'NtGdiFlush', # 0x12 'NtUserRedrawWindow', # 0x13 'NtUserWindowFromPoint', # 0x14 'NtUserCallMsgFilter', # 0x15 'NtUserValidateTimerCallback', # 0x16 'NtUserBeginPaint', # 0x17 'NtUserSetTimer', # 0x18 'NtUserEndPaint', # 0x19 'NtUserSetCursor', # 0x1a 'NtUserKillTimer', # 0x1b 'NtUserBuildHwndList', # 0x1c 'NtUserSelectPalette', # 0x1d 'NtUserCallNextHookEx', # 0x1e 'NtUserHideCaret', # 0x1f 'NtGdiIntersectClipRect', # 0x20 'NtUserCallHwndLock', # 0x21 'NtUserGetProcessWindowStation', # 0x22 'NtGdiDeleteObjectApp', # 0x23 'NtUserSetWindowPos', # 0x24 'NtUserShowCaret', # 0x25 'NtUserEndDeferWindowPosEx', # 0x26 'NtUserCallHwndParamLock', # 0x27 'NtUserVkKeyScanEx', # 0x28 'NtGdiSetDIBitsToDeviceInternal', # 0x29 'NtUserCallTwoParam', # 0x2a 'NtGdiGetRandomRgn', # 0x2b 'NtUserCopyAcceleratorTable', # 0x2c 'NtUserNotifyWinEvent', # 0x2d 'NtGdiExtSelectClipRgn', # 0x2e 'NtUserIsClipboardFormatAvailable', # 0x2f 'NtUserSetScrollInfo', # 0x30 'NtGdiStretchBlt', # 0x31 
'NtUserCreateCaret', # 0x32 'NtGdiRectVisible', # 0x33 'NtGdiCombineRgn', # 0x34 'NtGdiGetDCObject', # 0x35 'NtUserDispatchMessage', # 0x36 'NtUserRegisterWindowMessage', # 0x37 'NtGdiExtTextOutW', # 0x38 'NtGdiSelectFont', # 0x39 'NtGdiRestoreDC', # 0x3a 'NtGdiSaveDC', # 0x3b 'NtUserGetForegroundWindow', # 0x3c 'NtUserShowScrollBar', # 0x3d 'NtUserFindExistingCursorIcon', # 0x3e 'NtGdiGetDCDword', # 0x3f 'NtGdiGetRegionData', # 0x40 'NtGdiLineTo', # 0x41 'NtUserSystemParametersInfo', # 0x42 'NtGdiGetAppClipBox', # 0x43 'NtUserGetAsyncKeyState', # 0x44 'NtUserGetCPD', # 0x45 'NtUserRemoveProp', # 0x46 'NtGdiDoPalette', # 0x47 'NtGdiPolyPolyDraw', # 0x48 'NtUserSetCapture', # 0x49 'NtUserEnumDisplayMonitors', # 0x4a 'NtGdiCreateCompatibleBitmap', # 0x4b 'NtUserSetProp', # 0x4c 'NtGdiGetTextCharsetInfo', # 0x4d 'NtUserSBGetParms', # 0x4e 'NtUserGetIconInfo', # 0x4f 'NtUserExcludeUpdateRgn', # 0x50 'NtUserSetFocus', # 0x51 'NtGdiExtGetObjectW', # 0x52 'NtUserDeferWindowPos', # 0x53 'NtUserGetUpdateRect', # 0x54 'NtGdiCreateCompatibleDC', # 0x55 'NtUserGetClipboardSequenceNumber', # 0x56 'NtGdiCreatePen', # 0x57 'NtUserShowWindow', # 0x58 'NtUserGetKeyboardLayoutList', # 0x59 'NtGdiPatBlt', # 0x5a 'NtUserMapVirtualKeyEx', # 0x5b 'NtUserSetWindowLong', # 0x5c 'NtGdiHfontCreate', # 0x5d 'NtUserMoveWindow', # 0x5e 'NtUserPostThreadMessage', # 0x5f 'NtUserDrawIconEx', # 0x60 'NtUserGetSystemMenu', # 0x61 'NtGdiDrawStream', # 0x62 'NtUserInternalGetWindowText', # 0x63 'NtUserGetWindowDC', # 0x64 'NtGdiD3dDrawPrimitives2', # 0x65 'NtGdiInvertRgn', # 0x66 'NtGdiGetRgnBox', # 0x67 'NtGdiGetAndSetDCDword', # 0x68 'NtGdiMaskBlt', # 0x69 'NtGdiGetWidthTable', # 0x6a 'NtUserScrollDC', # 0x6b 'NtUserGetObjectInformation', # 0x6c 'NtGdiCreateBitmap', # 0x6d 'NtGdiConsoleTextOut', # 0x6e 'NtUserFindWindowEx', # 0x6f 'NtGdiPolyPatBlt', # 0x70 'NtUserUnhookWindowsHookEx', # 0x71 'NtGdiGetNearestColor', # 0x72 'NtGdiTransformPoints', # 0x73 'NtGdiGetDCPoint', # 0x74 
'NtUserCheckImeHotKey', # 0x75 'NtGdiCreateDIBBrush', # 0x76 'NtGdiGetTextMetricsW', # 0x77 'NtUserCreateWindowEx', # 0x78 'NtUserSetParent', # 0x79 'NtUserGetKeyboardState', # 0x7a 'NtUserToUnicodeEx', # 0x7b 'NtUserGetControlBrush', # 0x7c 'NtUserGetClassName', # 0x7d 'NtGdiAlphaBlend', # 0x7e 'NtGdiDdBlt', # 0x7f 'NtGdiOffsetRgn', # 0x80 'NtUserDefSetText', # 0x81 'NtGdiGetTextFaceW', # 0x82 'NtGdiStretchDIBitsInternal', # 0x83 'NtUserSendInput', # 0x84 'NtUserGetThreadDesktop', # 0x85 'NtGdiCreateRectRgn', # 0x86 'NtGdiGetDIBitsInternal', # 0x87 'NtUserGetUpdateRgn', # 0x88 'NtGdiDeleteClientObj', # 0x89 'NtUserGetIconSize', # 0x8a 'NtUserFillWindow', # 0x8b 'NtGdiExtCreateRegion', # 0x8c 'NtGdiComputeXformCoefficients', # 0x8d 'NtUserSetWindowsHookEx', # 0x8e 'NtUserNotifyProcessCreate', # 0x8f 'NtGdiUnrealizeObject', # 0x90 'NtUserGetTitleBarInfo', # 0x91 'NtGdiRectangle', # 0x92 'NtUserSetThreadDesktop', # 0x93 'NtUserGetDCEx', # 0x94 'NtUserGetScrollBarInfo', # 0x95 'NtGdiGetTextExtent', # 0x96 'NtUserSetWindowFNID', # 0x97 'NtGdiSetLayout', # 0x98 'NtUserCalcMenuBar', # 0x99 'NtUserThunkedMenuItemInfo', # 0x9a 'NtGdiExcludeClipRect', # 0x9b 'NtGdiCreateDIBSection', # 0x9c 'NtGdiGetDCforBitmap', # 0x9d 'NtUserDestroyCursor', # 0x9e 'NtUserDestroyWindow', # 0x9f 'NtUserCallHwndParam', # 0xa0 'NtGdiCreateDIBitmapInternal', # 0xa1 'NtUserOpenWindowStation', # 0xa2 'NtGdiDdDeleteSurfaceObject', # 0xa3 'NtGdiEnumFontClose', # 0xa4 'NtGdiEnumFontOpen', # 0xa5 'NtGdiEnumFontChunk', # 0xa6 'NtGdiDdCanCreateSurface', # 0xa7 'NtGdiDdCreateSurface', # 0xa8 'NtUserSetCursorIconData', # 0xa9 'NtGdiDdDestroySurface', # 0xaa 'NtUserCloseDesktop', # 0xab 'NtUserOpenDesktop', # 0xac 'NtUserSetProcessWindowStation', # 0xad 'NtUserGetAtomName', # 0xae 'NtGdiDdResetVisrgn', # 0xaf 'NtGdiExtCreatePen', # 0xb0 'NtGdiCreatePaletteInternal', # 0xb1 'NtGdiSetBrushOrg', # 0xb2 'NtUserBuildNameList', # 0xb3 'NtGdiSetPixel', # 0xb4 'NtUserRegisterClassExWOW', # 0xb5 
'NtGdiCreatePatternBrushInternal', # 0xb6 'NtUserGetAncestor', # 0xb7 'NtGdiGetOutlineTextMetricsInternalW', # 0xb8 'NtGdiSetBitmapBits', # 0xb9 'NtUserCloseWindowStation', # 0xba 'NtUserGetDoubleClickTime', # 0xbb 'NtUserEnableScrollBar', # 0xbc 'NtGdiCreateSolidBrush', # 0xbd 'NtUserGetClassInfoEx', # 0xbe 'NtGdiCreateClientObj', # 0xbf 'NtUserUnregisterClass', # 0xc0 'NtUserDeleteMenu', # 0xc1 'NtGdiRectInRegion', # 0xc2 'NtUserScrollWindowEx', # 0xc3 'NtGdiGetPixel', # 0xc4 'NtUserSetClassLong', # 0xc5 'NtUserGetMenuBarInfo', # 0xc6 'NtGdiDdCreateSurfaceEx', # 0xc7 'NtGdiDdCreateSurfaceObject', # 0xc8 'NtGdiGetNearestPaletteIndex', # 0xc9 'NtGdiDdLockD3D', # 0xca 'NtGdiDdUnlockD3D', # 0xcb 'NtGdiGetCharWidthW', # 0xcc 'NtUserInvalidateRgn', # 0xcd 'NtUserGetClipboardOwner', # 0xce 'NtUserSetWindowRgn', # 0xcf 'NtUserBitBltSysBmp', # 0xd0 'NtGdiGetCharWidthInfo', # 0xd1 'NtUserValidateRect', # 0xd2 'NtUserCloseClipboard', # 0xd3 'NtUserOpenClipboard', # 0xd4 'NtGdiGetStockObject', # 0xd5 'NtUserSetClipboardData', # 0xd6 'NtUserEnableMenuItem', # 0xd7 'NtUserAlterWindowStyle', # 0xd8 'NtGdiFillRgn', # 0xd9 'NtUserGetWindowPlacement', # 0xda 'NtGdiModifyWorldTransform', # 0xdb 'NtGdiGetFontData', # 0xdc 'NtUserGetOpenClipboardWindow', # 0xdd 'NtUserSetThreadState', # 0xde 'NtGdiOpenDCW', # 0xdf 'NtUserTrackMouseEvent', # 0xe0 'NtGdiGetTransform', # 0xe1 'NtUserDestroyMenu', # 0xe2 'NtGdiGetBitmapBits', # 0xe3 'NtUserConsoleControl', # 0xe4 'NtUserSetActiveWindow', # 0xe5 'NtUserSetInformationThread', # 0xe6 'NtUserSetWindowPlacement', # 0xe7 'NtUserGetControlColor', # 0xe8 'NtGdiSetMetaRgn', # 0xe9 'NtGdiSetMiterLimit', # 0xea 'NtGdiSetVirtualResolution', # 0xeb 'NtGdiGetRasterizerCaps', # 0xec 'NtUserSetWindowWord', # 0xed 'NtUserGetClipboardFormatName', # 0xee 'NtUserRealInternalGetMessage', # 0xef 'NtUserCreateLocalMemHandle', # 0xf0 'NtUserAttachThreadInput', # 0xf1 'NtGdiCreateHalftonePalette', # 0xf2 'NtUserPaintMenuBar', # 0xf3 'NtUserSetKeyboardState', # 
0xf4 'NtGdiCombineTransform', # 0xf5 'NtUserCreateAcceleratorTable', # 0xf6 'NtUserGetCursorFrameInfo', # 0xf7 'NtUserGetAltTabInfo', # 0xf8 'NtUserGetCaretBlinkTime', # 0xf9 'NtGdiQueryFontAssocInfo', # 0xfa 'NtUserProcessConnect', # 0xfb 'NtUserEnumDisplayDevices', # 0xfc 'NtUserEmptyClipboard', # 0xfd 'NtUserGetClipboardData', # 0xfe 'NtUserRemoveMenu', # 0xff 'NtGdiSetBoundsRect', # 0x100 'NtUserSetInformationProcess', # 0x101 'NtGdiGetBitmapDimension', # 0x102 'NtUserConvertMemHandle', # 0x103 'NtUserDestroyAcceleratorTable', # 0x104 'NtUserGetGUIThreadInfo', # 0x105 'NtGdiCloseFigure', # 0x106 'NtUserSetWindowsHookAW', # 0x107 'NtUserSetMenuDefaultItem', # 0x108 'NtUserCheckMenuItem', # 0x109 'NtUserSetWinEventHook', # 0x10a 'NtUserUnhookWinEvent', # 0x10b 'NtGdiSetupPublicCFONT', # 0x10c 'NtUserLockWindowUpdate', # 0x10d 'NtUserSetSystemMenu', # 0x10e 'NtUserThunkedMenuInfo', # 0x10f 'NtGdiBeginPath', # 0x110 'NtGdiEndPath', # 0x111 'NtGdiFillPath', # 0x112 'NtUserCallHwnd', # 0x113 'NtUserDdeInitialize', # 0x114 'NtUserModifyUserStartupInfoFlags', # 0x115 'NtUserCountClipboardFormats', # 0x116 'NtGdiAddFontMemResourceEx', # 0x117 'NtGdiEqualRgn', # 0x118 'NtGdiGetSystemPaletteUse', # 0x119 'NtGdiRemoveFontMemResourceEx', # 0x11a 'NtUserEnumDisplaySettings', # 0x11b 'NtUserPaintDesktop', # 0x11c 'NtGdiExtEscape', # 0x11d 'NtGdiSetBitmapDimension', # 0x11e 'NtGdiSetFontEnumeration', # 0x11f 'NtUserChangeClipboardChain', # 0x120 'NtUserResolveDesktop', # 0x121 'NtUserSetClipboardViewer', # 0x122 'NtUserShowWindowAsync', # 0x123 'NtUserSetConsoleReserveKeys', # 0x124 'NtGdiCreateColorSpace', # 0x125 'NtGdiDeleteColorSpace', # 0x126 'NtUserActivateKeyboardLayout', # 0x127 'NtGdiAbortDoc', # 0x128 'NtGdiAbortPath', # 0x129 'NtGdiAddEmbFontToDC', # 0x12a 'NtGdiAddFontResourceW', # 0x12b 'NtGdiAddRemoteFontToDC', # 0x12c 'NtGdiAddRemoteMMInstanceToDC', # 0x12d 'NtGdiAngleArc', # 0x12e 'NtGdiAnyLinkedFonts', # 0x12f 'NtGdiArcInternal', # 0x130 
'NtGdiBRUSHOBJ_DeleteRbrush', # 0x131 'NtGdiBRUSHOBJ_hGetColorTransform', # 0x132 'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x133 'NtGdiBRUSHOBJ_pvGetRbrush', # 0x134 'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x135 'NtGdiCLIPOBJ_bEnum', # 0x136 'NtGdiCLIPOBJ_cEnumStart', # 0x137 'NtGdiCLIPOBJ_ppoGetPath', # 0x138 'NtGdiCancelDC', # 0x139 'NtGdiChangeGhostFont', # 0x13a 'NtGdiCheckBitmapBits', # 0x13b 'NtGdiClearBitmapAttributes', # 0x13c 'NtGdiClearBrushAttributes', # 0x13d 'NtGdiColorCorrectPalette', # 0x13e 'NtGdiConfigureOPMProtectedOutput', # 0x13f 'NtGdiConvertMetafileRect', # 0x140 'NtGdiCreateColorTransform', # 0x141 'NtGdiCreateEllipticRgn', # 0x142 'NtGdiCreateHatchBrushInternal', # 0x143 'NtGdiCreateMetafileDC', # 0x144 'NtGdiCreateOPMProtectedOutputs', # 0x145 'NtGdiCreateRoundRectRgn', # 0x146 'NtGdiCreateServerMetaFile', # 0x147 'NtGdiD3dContextCreate', # 0x148 'NtGdiD3dContextDestroy', # 0x149 'NtGdiD3dContextDestroyAll', # 0x14a 'NtGdiD3dValidateTextureStageState', # 0x14b 'NtGdiDDCCIGetCapabilitiesString', # 0x14c 'NtGdiDDCCIGetCapabilitiesStringLength', # 0x14d 'NtGdiDDCCIGetTimingReport', # 0x14e 'NtGdiDDCCIGetVCPFeature', # 0x14f 'NtGdiDDCCISaveCurrentSettings', # 0x150 'NtGdiDDCCISetVCPFeature', # 0x151 'NtGdiDdAddAttachedSurface', # 0x152 'NtGdiDdAlphaBlt', # 0x153 'NtGdiDdAttachSurface', # 0x154 'NtGdiDdBeginMoCompFrame', # 0x155 'NtGdiDdCanCreateD3DBuffer', # 0x156 'NtGdiDdColorControl', # 0x157 'NtGdiDdCreateD3DBuffer', # 0x158 'NtGdiDdCreateDirectDrawObject', # 0x159 'NtGdiDdCreateMoComp', # 0x15a 'NtGdiDdDDICheckExclusiveOwnership', # 0x15b 'NtGdiDdDDICheckMonitorPowerState', # 0x15c 'NtGdiDdDDICheckOcclusion', # 0x15d 'NtGdiDdDDICloseAdapter', # 0x15e 'NtGdiDdDDICreateAllocation', # 0x15f 'NtGdiDdDDICreateContext', # 0x160 'NtGdiDdDDICreateDCFromMemory', # 0x161 'NtGdiDdDDICreateDevice', # 0x162 'NtGdiDdDDICreateOverlay', # 0x163 'NtGdiDdDDICreateSynchronizationObject', # 0x164 'NtGdiDdDDIDestroyAllocation', # 0x165 'NtGdiDdDDIDestroyContext', # 0x166 
'NtGdiDdDDIDestroyDCFromMemory', # 0x167 'NtGdiDdDDIDestroyDevice', # 0x168 'NtGdiDdDDIDestroyOverlay', # 0x169 'NtGdiDdDDIDestroySynchronizationObject', # 0x16a 'NtGdiDdDDIEscape', # 0x16b 'NtGdiDdDDIFlipOverlay', # 0x16c 'NtGdiDdDDIGetContextSchedulingPriority', # 0x16d 'NtGdiDdDDIGetDeviceState', # 0x16e 'NtGdiDdDDIGetDisplayModeList', # 0x16f 'NtGdiDdDDIGetMultisampleMethodList', # 0x170 'NtGdiDdDDIGetPresentHistory', # 0x171 'NtGdiDdDDIGetProcessSchedulingPriorityClass', # 0x172 'NtGdiDdDDIGetRuntimeData', # 0x173 'NtGdiDdDDIGetScanLine', # 0x174 'NtGdiDdDDIGetSharedPrimaryHandle', # 0x175 'NtGdiDdDDIInvalidateActiveVidPn', # 0x176 'NtGdiDdDDILock', # 0x177 'NtGdiDdDDIOpenAdapterFromDeviceName', # 0x178 'NtGdiDdDDIOpenAdapterFromHdc', # 0x179 'NtGdiDdDDIOpenResource', # 0x17a 'NtGdiDdDDIPollDisplayChildren', # 0x17b 'NtGdiDdDDIPresent', # 0x17c 'NtGdiDdDDIQueryAdapterInfo', # 0x17d 'NtGdiDdDDIQueryAllocationResidency', # 0x17e 'NtGdiDdDDIQueryResourceInfo', # 0x17f 'NtGdiDdDDIQueryStatistics', # 0x180 'NtGdiDdDDIReleaseProcessVidPnSourceOwners', # 0x181 'NtGdiDdDDIRender', # 0x182 'NtGdiDdDDISetAllocationPriority', # 0x183 'NtGdiDdDDISetContextSchedulingPriority', # 0x184 'NtGdiDdDDISetDisplayMode', # 0x185 'NtGdiDdDDISetDisplayPrivateDriverFormat', # 0x186 'NtGdiDdDDISetGammaRamp', # 0x187 'NtGdiDdDDISetProcessSchedulingPriorityClass', # 0x188 'NtGdiDdDDISetQueuedLimit', # 0x189 'NtGdiDdDDISetVidPnSourceOwner', # 0x18a 'NtGdiDdDDISharedPrimaryLockNotification', # 0x18b 'NtGdiDdDDISharedPrimaryUnLockNotification', # 0x18c 'NtGdiDdDDISignalSynchronizationObject', # 0x18d 'NtGdiDdDDIUnlock', # 0x18e 'NtGdiDdDDIUpdateOverlay', # 0x18f 'NtGdiDdDDIWaitForIdle', # 0x190 'NtGdiDdDDIWaitForSynchronizationObject', # 0x191 'NtGdiDdDDIWaitForVerticalBlankEvent', # 0x192 'NtGdiDdDeleteDirectDrawObject', # 0x193 'NtGdiDdDestroyD3DBuffer', # 0x194 'NtGdiDdDestroyMoComp', # 0x195 'NtGdiDdEndMoCompFrame', # 0x196 'NtGdiDdFlip', # 0x197 'NtGdiDdFlipToGDISurface', # 0x198 
'NtGdiDdGetAvailDriverMemory', # 0x199 'NtGdiDdGetBltStatus', # 0x19a 'NtGdiDdGetDC', # 0x19b 'NtGdiDdGetDriverInfo', # 0x19c 'NtGdiDdGetDriverState', # 0x19d 'NtGdiDdGetDxHandle', # 0x19e 'NtGdiDdGetFlipStatus', # 0x19f 'NtGdiDdGetInternalMoCompInfo', # 0x1a0 'NtGdiDdGetMoCompBuffInfo', # 0x1a1 'NtGdiDdGetMoCompFormats', # 0x1a2 'NtGdiDdGetMoCompGuids', # 0x1a3 'NtGdiDdGetScanLine', # 0x1a4 'NtGdiDdLock', # 0x1a5 'NtGdiDdQueryDirectDrawObject', # 0x1a6 'NtGdiDdQueryMoCompStatus', # 0x1a7 'NtGdiDdReenableDirectDrawObject', # 0x1a8 'NtGdiDdReleaseDC', # 0x1a9 'NtGdiDdRenderMoComp', # 0x1aa 'NtGdiDdSetColorKey', # 0x1ab 'NtGdiDdSetExclusiveMode', # 0x1ac 'NtGdiDdSetGammaRamp', # 0x1ad 'NtGdiDdSetOverlayPosition', # 0x1ae 'NtGdiDdUnattachSurface', # 0x1af 'NtGdiDdUnlock', # 0x1b0 'NtGdiDdUpdateOverlay', # 0x1b1 'NtGdiDdWaitForVerticalBlank', # 0x1b2 'NtGdiDeleteColorTransform', # 0x1b3 'NtGdiDescribePixelFormat', # 0x1b4 'NtGdiDestroyOPMProtectedOutput', # 0x1b5 'NtGdiDestroyPhysicalMonitor', # 0x1b6 'NtGdiDoBanding', # 0x1b7 'NtGdiDrawEscape', # 0x1b8 'NtGdiDvpAcquireNotification', # 0x1b9 'NtGdiDvpCanCreateVideoPort', # 0x1ba 'NtGdiDvpColorControl', # 0x1bb 'NtGdiDvpCreateVideoPort', # 0x1bc 'NtGdiDvpDestroyVideoPort', # 0x1bd 'NtGdiDvpFlipVideoPort', # 0x1be 'NtGdiDvpGetVideoPortBandwidth', # 0x1bf 'NtGdiDvpGetVideoPortConnectInfo', # 0x1c0 'NtGdiDvpGetVideoPortField', # 0x1c1 'NtGdiDvpGetVideoPortFlipStatus', # 0x1c2 'NtGdiDvpGetVideoPortInputFormats', # 0x1c3 'NtGdiDvpGetVideoPortLine', # 0x1c4 'NtGdiDvpGetVideoPortOutputFormats', # 0x1c5 'NtGdiDvpGetVideoSignalStatus', # 0x1c6 'NtGdiDvpReleaseNotification', # 0x1c7 'NtGdiDvpUpdateVideoPort', # 0x1c8 'NtGdiDvpWaitForVideoPortSync', # 0x1c9 'NtGdiDwmGetDirtyRgn', # 0x1ca 'NtGdiDwmGetSurfaceData', # 0x1cb 'NtGdiDxgGenericThunk', # 0x1cc 'NtGdiEllipse', # 0x1cd 'NtGdiEnableEudc', # 0x1ce 'NtGdiEndDoc', # 0x1cf 'NtGdiEndPage', # 0x1d0 'NtGdiEngAlphaBlend', # 0x1d1 'NtGdiEngAssociateSurface', # 0x1d2 'NtGdiEngBitBlt', 
# 0x1d3 'NtGdiEngCheckAbort', # 0x1d4 'NtGdiEngComputeGlyphSet', # 0x1d5 'NtGdiEngCopyBits', # 0x1d6 'NtGdiEngCreateBitmap', # 0x1d7 'NtGdiEngCreateClip', # 0x1d8 'NtGdiEngCreateDeviceBitmap', # 0x1d9 'NtGdiEngCreateDeviceSurface', # 0x1da 'NtGdiEngCreatePalette', # 0x1db 'NtGdiEngDeleteClip', # 0x1dc 'NtGdiEngDeletePalette', # 0x1dd 'NtGdiEngDeletePath', # 0x1de 'NtGdiEngDeleteSurface', # 0x1df 'NtGdiEngEraseSurface', # 0x1e0 'NtGdiEngFillPath', # 0x1e1 'NtGdiEngGradientFill', # 0x1e2 'NtGdiEngLineTo', # 0x1e3 'NtGdiEngLockSurface', # 0x1e4 'NtGdiEngMarkBandingSurface', # 0x1e5 'NtGdiEngPaint', # 0x1e6 'NtGdiEngPlgBlt', # 0x1e7 'NtGdiEngStretchBlt', # 0x1e8 'NtGdiEngStretchBltROP', # 0x1e9 'NtGdiEngStrokeAndFillPath', # 0x1ea 'NtGdiEngStrokePath', # 0x1eb 'NtGdiEngTextOut', # 0x1ec 'NtGdiEngTransparentBlt', # 0x1ed 'NtGdiEngUnlockSurface', # 0x1ee 'NtGdiEnumObjects', # 0x1ef 'NtGdiEudcLoadUnloadLink', # 0x1f0 'NtGdiExtFloodFill', # 0x1f1 'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x1f2 'NtGdiFONTOBJ_cGetGlyphs', # 0x1f3 'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x1f4 'NtGdiFONTOBJ_pfdg', # 0x1f5 'NtGdiFONTOBJ_pifi', # 0x1f6 'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x1f7 'NtGdiFONTOBJ_pxoGetXform', # 0x1f8 'NtGdiFONTOBJ_vGetInfo', # 0x1f9 'NtGdiFlattenPath', # 0x1fa 'NtGdiFontIsLinked', # 0x1fb 'NtGdiForceUFIMapping', # 0x1fc 'NtGdiFrameRgn', # 0x1fd 'NtGdiFullscreenControl', # 0x1fe 'NtGdiGetBoundsRect', # 0x1ff 'NtGdiGetCOPPCompatibleOPMInformation', # 0x200 'NtGdiGetCertificate', # 0x201 'NtGdiGetCertificateSize', # 0x202 'NtGdiGetCharABCWidthsW', # 0x203 'NtGdiGetCharacterPlacementW', # 0x204 'NtGdiGetColorAdjustment', # 0x205 'NtGdiGetColorSpaceforBitmap', # 0x206 'NtGdiGetDeviceCaps', # 0x207 'NtGdiGetDeviceCapsAll', # 0x208 'NtGdiGetDeviceGammaRamp', # 0x209 'NtGdiGetDeviceWidth', # 0x20a 'NtGdiGetDhpdev', # 0x20b 'NtGdiGetETM', # 0x20c 'NtGdiGetEmbUFI', # 0x20d 'NtGdiGetEmbedFonts', # 0x20e 'NtGdiGetEudcTimeStampEx', # 0x20f 'NtGdiGetFontResourceInfoInternalW', # 0x210 
'NtGdiGetFontUnicodeRanges', # 0x211 'NtGdiGetGlyphIndicesW', # 0x212 'NtGdiGetGlyphIndicesWInternal', # 0x213 'NtGdiGetGlyphOutline', # 0x214 'NtGdiGetKerningPairs', # 0x215 'NtGdiGetLinkedUFIs', # 0x216 'NtGdiGetMiterLimit', # 0x217 'NtGdiGetMonitorID', # 0x218 'NtGdiGetNumberOfPhysicalMonitors', # 0x219 'NtGdiGetOPMInformation', # 0x21a 'NtGdiGetOPMRandomNumber', # 0x21b 'NtGdiGetObjectBitmapHandle', # 0x21c 'NtGdiGetPath', # 0x21d 'NtGdiGetPerBandInfo', # 0x21e 'NtGdiGetPhysicalMonitorDescription', # 0x21f 'NtGdiGetPhysicalMonitors', # 0x220 'NtGdiGetRealizationInfo', # 0x221 'NtGdiGetServerMetaFileBits', # 0x222 'NtGdiGetSpoolMessage', # 0x223 'NtGdiGetStats', # 0x224 'NtGdiGetStringBitmapW', # 0x225 'NtGdiGetSuggestedOPMProtectedOutputArraySize', # 0x226 'NtGdiGetTextExtentExW', # 0x227 'NtGdiGetUFI', # 0x228 'NtGdiGetUFIPathname', # 0x229 'NtGdiGradientFill', # 0x22a 'NtGdiHT_Get8BPPFormatPalette', # 0x22b 'NtGdiHT_Get8BPPMaskPalette', # 0x22c 'NtGdiIcmBrushInfo', # 0x22d 'NtGdiInit', # 0x22e 'NtGdiInitSpool', # 0x22f 'NtGdiMakeFontDir', # 0x230 'NtGdiMakeInfoDC', # 0x231 'NtGdiMakeObjectUnXferable', # 0x232 'NtGdiMakeObjectXferable', # 0x233 'NtGdiMirrorWindowOrg', # 0x234 'NtGdiMonoBitmap', # 0x235 'NtGdiMoveTo', # 0x236 'NtGdiOffsetClipRgn', # 0x237 'NtGdiPATHOBJ_bEnum', # 0x238 'NtGdiPATHOBJ_bEnumClipLines', # 0x239 'NtGdiPATHOBJ_vEnumStart', # 0x23a 'NtGdiPATHOBJ_vEnumStartClipLines', # 0x23b 'NtGdiPATHOBJ_vGetBounds', # 0x23c 'NtGdiPathToRegion', # 0x23d 'NtGdiPlgBlt', # 0x23e 'NtGdiPolyDraw', # 0x23f 'NtGdiPolyTextOutW', # 0x240 'NtGdiPtInRegion', # 0x241 'NtGdiPtVisible', # 0x242 'NtGdiQueryFonts', # 0x243 'NtGdiRemoveFontResourceW', # 0x244 'NtGdiRemoveMergeFont', # 0x245 'NtGdiResetDC', # 0x246 'NtGdiResizePalette', # 0x247 'NtGdiRoundRect', # 0x248 'NtGdiSTROBJ_bEnum', # 0x249 'NtGdiSTROBJ_bEnumPositionsOnly', # 0x24a 'NtGdiSTROBJ_bGetAdvanceWidths', # 0x24b 'NtGdiSTROBJ_dwGetCodePage', # 0x24c 'NtGdiSTROBJ_vEnumStart', # 0x24d 
'NtGdiScaleViewportExtEx', # 0x24e 'NtGdiScaleWindowExtEx', # 0x24f 'NtGdiSelectBrush', # 0x250 'NtGdiSelectClipPath', # 0x251 'NtGdiSelectPen', # 0x252 'NtGdiSetBitmapAttributes', # 0x253 'NtGdiSetBrushAttributes', # 0x254 'NtGdiSetColorAdjustment', # 0x255 'NtGdiSetColorSpace', # 0x256 'NtGdiSetDeviceGammaRamp', # 0x257 'NtGdiSetFontXform', # 0x258 'NtGdiSetIcmMode', # 0x259 'NtGdiSetLinkedUFIs', # 0x25a 'NtGdiSetMagicColors', # 0x25b 'NtGdiSetOPMSigningKeyAndSequenceNumbers', # 0x25c 'NtGdiSetPUMPDOBJ', # 0x25d 'NtGdiSetPixelFormat', # 0x25e 'NtGdiSetRectRgn', # 0x25f 'NtGdiSetSizeDevice', # 0x260 'NtGdiSetSystemPaletteUse', # 0x261 'NtGdiSetTextJustification', # 0x262 'NtGdiStartDoc', # 0x263 'NtGdiStartPage', # 0x264 'NtGdiStrokeAndFillPath', # 0x265 'NtGdiStrokePath', # 0x266 'NtGdiSwapBuffers', # 0x267 'NtGdiTransparentBlt', # 0x268 'NtGdiUMPDEngFreeUserMem', # 0x269 'NtGdiUnloadPrinterDriver', # 0x26a 'EngRestoreFloatingPointState', # 0x26b 'NtGdiUpdateColors', # 0x26c 'NtGdiUpdateTransform', # 0x26d 'NtGdiWidenPath', # 0x26e 'NtGdiXFORMOBJ_bApplyXform', # 0x26f 'NtGdiXFORMOBJ_iGetXform', # 0x270 'NtGdiXLATEOBJ_cGetPalette', # 0x271 'NtGdiXLATEOBJ_hGetColorTransform', # 0x272 'NtGdiXLATEOBJ_iXlate', # 0x273 'NtUserAddClipboardFormatListener', # 0x274 'NtUserAssociateInputContext', # 0x275 'NtUserBlockInput', # 0x276 'NtUserBuildHimcList', # 0x277 'NtUserBuildPropList', # 0x278 'NtUserCallHwndOpt', # 0x279 'NtUserChangeDisplaySettings', # 0x27a 'NtUserCheckAccessForIntegrityLevel', # 0x27b 'NtUserCheckDesktopByThreadId', # 0x27c 'NtUserCheckWindowThreadDesktop', # 0x27d 'NtUserChildWindowFromPointEx', # 0x27e 'NtUserClipCursor', # 0x27f 'NtUserCreateDesktopEx', # 0x280 'NtUserCreateInputContext', # 0x281 'NtUserCreateWindowStation', # 0x282 'NtUserCtxDisplayIOCtl', # 0x283 'NtUserDestroyInputContext', # 0x284 'NtUserDisableThreadIme', # 0x285 'NtUserDoSoundConnect', # 0x286 'NtUserDoSoundDisconnect', # 0x287 'NtUserDragDetect', # 0x288 'NtUserDragObject', # 
0x289 'NtUserDrawAnimatedRects', # 0x28a 'NtUserDrawCaption', # 0x28b 'NtUserDrawCaptionTemp', # 0x28c 'NtUserDrawMenuBarTemp', # 0x28d 'NtUserDwmGetDxRgn', # 0x28e 'NtUserDwmHintDxUpdate', # 0x28f 'NtUserDwmStartRedirection', # 0x290 'NtUserDwmStopRedirection', # 0x291 'NtUserEndMenu', # 0x292 'NtUserEvent', # 0x293 'NtUserFlashWindowEx', # 0x294 'NtUserFrostCrashedWindow', # 0x295 'NtUserGetAppImeLevel', # 0x296 'NtUserGetCaretPos', # 0x297 'NtUserGetClipCursor', # 0x298 'NtUserGetClipboardViewer', # 0x299 'NtUserGetComboBoxInfo', # 0x29a 'NtUserGetCursorInfo', # 0x29b 'NtUserGetGuiResources', # 0x29c 'NtUserGetImeHotKey', # 0x29d 'NtUserGetImeInfoEx', # 0x29e 'NtUserGetInternalWindowPos', # 0x29f 'NtUserGetKeyNameText', # 0x2a0 'NtUserGetKeyboardLayoutName', # 0x2a1 'NtUserGetLayeredWindowAttributes', # 0x2a2 'NtUserGetListBoxInfo', # 0x2a3 'NtUserGetMenuIndex', # 0x2a4 'NtUserGetMenuItemRect', # 0x2a5 'NtUserGetMouseMovePointsEx', # 0x2a6 'NtUserGetPriorityClipboardFormat', # 0x2a7 'NtUserGetRawInputBuffer', # 0x2a8 'NtUserGetRawInputData', # 0x2a9 'NtUserGetRawInputDeviceInfo', # 0x2aa 'NtUserGetRawInputDeviceList', # 0x2ab 'NtUserGetRegisteredRawInputDevices', # 0x2ac 'NtUserGetUpdatedClipboardFormats', # 0x2ad 'NtUserGetWOWClass', # 0x2ae 'NtUserGetWindowMinimizeRect', # 0x2af 'NtUserGetWindowRgnEx', # 0x2b0 'NtUserGhostWindowFromHungWindow', # 0x2b1 'NtUserHardErrorControl', # 0x2b2 'NtUserHiliteMenuItem', # 0x2b3 'NtUserHungWindowFromGhostWindow', # 0x2b4 'NtUserImpersonateDdeClientWindow', # 0x2b5 'NtUserInitTask', # 0x2b6 'NtUserInitialize', # 0x2b7 'NtUserInitializeClientPfnArrays', # 0x2b8 'NtUserInternalGetWindowIcon', # 0x2b9 'NtUserLoadKeyboardLayoutEx', # 0x2ba 'NtUserLockWindowStation', # 0x2bb 'NtUserLockWorkStation', # 0x2bc 'NtUserLogicalToPhysicalPoint', # 0x2bd 'NtUserMNDragLeave', # 0x2be 'NtUserMNDragOver', # 0x2bf 'NtUserMenuItemFromPoint', # 0x2c0 'NtUserMinMaximize', # 0x2c1 'NtUserNotifyIMEStatus', # 0x2c2 'NtUserOpenInputDesktop', # 
0x2c3 'NtUserOpenThreadDesktop', # 0x2c4 'NtUserPaintMonitor', # 0x2c5 'NtUserPhysicalToLogicalPoint', # 0x2c6 'NtUserPrintWindow', # 0x2c7 'NtUserQueryInformationThread', # 0x2c8 'NtUserQueryInputContext', # 0x2c9 'NtUserQuerySendMessage', # 0x2ca 'NtUserRealChildWindowFromPoint', # 0x2cb 'NtUserRealWaitMessageEx', # 0x2cc 'NtUserRegisterErrorReportingDialog', # 0x2cd 'NtUserRegisterHotKey', # 0x2ce 'NtUserRegisterRawInputDevices', # 0x2cf 'NtUserRegisterSessionPort', # 0x2d0 'NtUserRegisterTasklist', # 0x2d1 'NtUserRegisterUserApiHook', # 0x2d2 'NtUserRemoteConnect', # 0x2d3 'NtUserRemoteRedrawRectangle', # 0x2d4 'NtUserRemoteRedrawScreen', # 0x2d5 'NtUserRemoteStopScreenUpdates', # 0x2d6 'NtUserRemoveClipboardFormatListener', # 0x2d7 'NtUserResolveDesktopForWOW', # 0x2d8 'NtUserSetAppImeLevel', # 0x2d9 'NtUserSetClassWord', # 0x2da 'NtUserSetCursorContents', # 0x2db 'NtUserSetImeHotKey', # 0x2dc 'NtUserSetImeInfoEx', # 0x2dd 'NtUserSetImeOwnerWindow', # 0x2de 'NtUserSetInternalWindowPos', # 0x2df 'NtUserSetLayeredWindowAttributes', # 0x2e0 'NtUserSetMenu', # 0x2e1 'NtUserSetMenuContextHelpId', # 0x2e2 'NtUserSetMenuFlagRtoL', # 0x2e3 'NtUserSetMirrorRendering', # 0x2e4 'NtUserSetObjectInformation', # 0x2e5 'NtUserSetProcessDPIAware', # 0x2e6 'NtUserSetShellWindowEx', # 0x2e7 'NtUserSetSysColors', # 0x2e8 'NtUserSetSystemCursor', # 0x2e9 'NtUserSetSystemTimer', # 0x2ea 'NtUserSetThreadLayoutHandles', # 0x2eb 'NtUserSetWindowRgnEx', # 0x2ec 'NtUserSetWindowStationUser', # 0x2ed 'NtUserShowSystemCursor', # 0x2ee 'NtUserSoundSentry', # 0x2ef 'NtUserSwitchDesktop', # 0x2f0 'NtUserTestForInteractiveUser', # 0x2f1 'NtUserTrackPopupMenuEx', # 0x2f2 'NtUserUnloadKeyboardLayout', # 0x2f3 'NtUserUnlockWindowStation', # 0x2f4 'NtUserUnregisterHotKey', # 0x2f5 'NtUserUnregisterSessionPort', # 0x2f6 'NtUserUnregisterUserApiHook', # 0x2f7 'NtUserUpdateInputContext', # 0x2f8 'NtUserUpdateInstance', # 0x2f9 'NtUserUpdateLayeredWindow', # 0x2fa 
'NtUserUpdatePerUserSystemParameters', # 0x2fb 'NtUserUpdateWindowTransform', # 0x2fc 'NtUserUserHandleGrantAccess', # 0x2fd 'NtUserValidateHandleSecure', # 0x2fe 'NtUserWaitForInputIdle', # 0x2ff 'NtUserWaitForMsgAndEvent', # 0x300 'NtUserWin32PoolAllocationStats', # 0x301 'NtUserWindowFromPhysicalPoint', # 0x302 'NtUserYieldTask', # 0x303 'NtUserSetClassLongPtr', # 0x304 'NtUserSetWindowLongPtr', # 0x305 ], ]

volatility-2.3.1/volatility/plugins/overlays/windows/win7_sp0_x64_vtypes.py

ntkrnlmp_types = { '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, ['pointer64', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x28, ['unsigned char']], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 
'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x300, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x80, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x88, ['unsigned long']], 'LastCallbackId' : [ 0x8c, ['unsigned long']], 'PostCount' : [ 0x100, ['unsigned long']], 'ReturnCount' : [ 0x180, ['unsigned long']], 'LogSequenceNumber' : [ 0x200, ['unsigned long']], 'UserLock' : [ 0x280, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x288, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 
0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_DEVICE_MAP' : [ 0x40, { 'DosDevicesDirectory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x10, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'DriveMap' : [ 0x1c, ['unsigned long']], 'DriveType' : [ 0x20, ['array', 32, ['unsigned char']]], } ], '_HEAP_DEBUGGING_INFORMATION' : [ 0x30, { 'InterceptorFunction' : [ 0x0, ['pointer64', ['void']]], 'InterceptorValue' : [ 0x8, ['unsigned short']], 'ExtendedOptions' : [ 0xc, ['unsigned long']], 'StackTraceDepth' : [ 0x10, ['unsigned long']], 'MinTotalBlockSize' : [ 0x18, ['unsigned long long']], 'MaxTotalBlockSize' : [ 0x20, ['unsigned long long']], 'HeapLeakEnumerationRoutine' : [ 0x28, ['pointer64', ['void']]], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x38, { 'BasePhysicalPage' : [ 0x0, ['unsigned long long']], 'BasedPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'BankSize' : [ 0x10, ['unsigned long']], 'BankShift' : [ 0x14, ['unsigned long']], 'BankedRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'CurrentMappedPte' : [ 0x28, ['pointer64', ['_MMPTE']]], 'BankTemplate' : [ 0x30, ['array', 1, ['_MMPTE']]], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, 
['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['array', 7, ['unsigned long long']]], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x68, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'Context' : [ 0x18, ['pointer64', ['void']]], 'CompletionState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x24, ['unsigned long']], 'Status' : [ 0x28, ['long']], 'Information' : [ 0x30, ['pointer64', ['void']]], 'WorkItem' : [ 0x38, ['_WORK_QUEUE_ITEM']], 'FailingDriver' : [ 0x58, ['pointer64', ['_DRIVER_OBJECT']]], 'ReferenceCount' : [ 0x60, ['long']], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, 
['unsigned long long']], 'Rsp2' : [ 0x14, ['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]], 'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', ['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x30, { 'StartingVa' : [ 0x0, ['pointer64', ['void']]], 'EndingVa' : [ 0x8, ['pointer64', ['void']]], 'Parent' : [ 0x10, ['pointer64', ['void']]], 'LeftChild' : [ 0x18, ['pointer64', ['void']]], 'RightChild' : [ 0x20, ['pointer64', ['void']]], 'Segment' : [ 0x28, ['pointer64', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x60, { 
'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0x18, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x10, ['unsigned long long']], } ], '__unnamed_205d' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_PERF_STATES' : [ 0xb0, { 
'Count' : [ 0x0, ['unsigned long']], 'MaxFrequency' : [ 0x4, ['unsigned long']], 'PStateCap' : [ 0x8, ['unsigned long']], 'TStateCap' : [ 0xc, ['unsigned long']], 'MaxPerfState' : [ 0x10, ['unsigned long']], 'MinPerfState' : [ 0x14, ['unsigned long']], 'LowestPState' : [ 0x18, ['unsigned long']], 'IncreaseTime' : [ 0x1c, ['unsigned long']], 'DecreaseTime' : [ 0x20, ['unsigned long']], 'BusyAdjThreshold' : [ 0x24, ['unsigned char']], 'Reserved' : [ 0x25, ['unsigned char']], 'ThrottleStatesOnly' : [ 0x26, ['unsigned char']], 'PolicyType' : [ 0x27, ['unsigned char']], 'TimerInterval' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['__unnamed_205d']], 'TargetProcessors' : [ 0x30, ['_KAFFINITY_EX']], 'PStateHandler' : [ 0x58, ['pointer64', ['void']]], 'PStateContext' : [ 0x60, ['unsigned long long']], 'TStateHandler' : [ 0x68, ['pointer64', ['void']]], 'TStateContext' : [ 0x70, ['unsigned long long']], 'FeedbackHandler' : [ 0x78, ['pointer64', ['void']]], 'GetFFHThrottleState' : [ 0x80, ['pointer64', ['void']]], 'State' : [ 0x88, ['array', 1, ['_PPM_PERF_STATE']]], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, ['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_KTIMER' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x18, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, 
['_LIST_ENTRY']], 'Dpc' : [ 0x30, ['pointer64', ['_KDPC']]], 'Processor' : [ 0x38, ['unsigned long']], 'Period' : [ 0x3c, ['unsigned long']], } ], '_RTL_ATOM_TABLE' : [ 0x70, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x8, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x30, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x60, ['unsigned long']], 'Buckets' : [ 0x68, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POP_POWER_ACTION' : [ 0xc0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 
'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x38, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x40, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x48, ['unsigned long long']], 'SleepTime' : [ 0x50, ['unsigned long long']], 'ProgrammedRTCTime' : [ 0x58, ['unsigned long long']], 'WakeOnRTC' : [ 0x60, ['unsigned char']], 'WakeTimerInfo' : [ 0x68, ['pointer64', ['_DIAGNOSTIC_BUFFER']]], 'FilteredCapabilities' : [ 0x70, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], 
} ], '_PO_DEVICE_NOTIFY' : [ 0x68, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x10, ['_LIST_ENTRY']], 'PowerParents' : [ 0x20, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x38, ['unsigned char']], 'DeviceObject' : [ 0x40, ['pointer64', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x48, ['pointer64', ['unsigned short']]], 'DriverName' : [ 0x50, ['pointer64', ['unsigned short']]], 'ChildCount' : [ 0x58, ['unsigned long']], 'ActiveChild' : [ 0x5c, ['unsigned long']], 'ParentCount' : [ 0x60, ['unsigned long']], 'ActiveParent' : [ 0x64, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x228, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTransitions' : [ 0x8, ['unsigned long']], 'FailedTransitions' : [ 0xc, ['unsigned long']], 'InvalidBucketIndex' : [ 0x10, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x28, ['array', 16, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x8, { 'PageHashes' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 
'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_209f' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_20a1' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0x10, ['__unnamed_209f']], 'Button' : [ 0x10, ['__unnamed_20a1']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, 
['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_CM_CELL_REMAP_BLOCK' 
: [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_LOADER_PARAMETER_EXTENSION' : [ 0x148, { 'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 'EmInfFileImage' : [ 0x18, ['pointer64', ['void']]], 'EmInfFileSize' : [ 0x20, ['unsigned long']], 'TriageDumpBlock' : [ 0x28, ['pointer64', ['void']]], 'LoaderPagesSpanned' : [ 0x30, ['unsigned long long']], 'HeadlessLoaderBlock' : [ 0x38, ['pointer64', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x40, ['pointer64', ['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x48, ['pointer64', ['void']]], 'DrvDBSize' : [ 0x50, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x58, ['pointer64', ['_NETWORK_LOADER_BLOCK']]], 'FirmwareDescriptorListHead' : [ 0x60, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x70, ['pointer64', ['void']]], 'AcpiTableSize' : [ 0x78, ['unsigned long']], 'LastBootSucceeded' : [ 0x7c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LastBootShutdown' : [ 0x7c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPortAccessSupported' : [ 0x7c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x7c, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'LoaderPerformanceData' : [ 0x80, ['pointer64', ['_LOADER_PERFORMANCE_DATA']]], 'BootApplicationPersistentData' : [ 0x88, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0x98, ['pointer64', ['void']]], 'BootIdentifier' : [ 0xa0, ['_GUID']], 'ResumePages' : [ 0xb0, ['unsigned long']], 'DumpHeader' : [ 0xb8, ['pointer64', ['void']]], 'BgContext' : [ 0xc0, ['pointer64', ['void']]], 'NumaLocalityInfo' : [ 0xc8, ['pointer64', ['void']]], 'NumaGroupAssignment' : [ 0xd0, ['pointer64', 
['void']]], 'AttachedHives' : [ 0xd8, ['_LIST_ENTRY']], 'MemoryCachingRequirementsCount' : [ 0xe8, ['unsigned long']], 'MemoryCachingRequirements' : [ 0xf0, ['pointer64', ['void']]], 'TpmBootEntropyResult' : [ 0xf8, ['_TPM_BOOT_ENTROPY_LDR_RESULT']], 'ProcessorCounterFrequency' : [ 0x140, ['unsigned long long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x20, ['pointer64', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '_KUMS_CONTEXT_HEADER' : [ 0x70, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'StackTop' : [ 0x20, ['pointer64', ['void']]], 'StackSize' : [ 0x28, ['unsigned long long']], 'RspOffset' : [ 0x30, ['unsigned long long']], 'Rip' : [ 0x38, ['unsigned long long']], 'FltSave' : [ 0x40, ['pointer64', ['_XSAVE_FORMAT']]], 'Volatile' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x48, ['BitField', dict(start_bit = 1, end_bit = 64, native_type='unsigned long long')]], 'Flags' : [ 0x48, ['unsigned long long']], 'TrapFrame' : [ 0x50, ['pointer64', ['_KTRAP_FRAME']]], 'ExceptionFrame' : [ 0x58, ['pointer64', ['_KEXCEPTION_FRAME']]], 
'SourceThread' : [ 0x60, ['pointer64', ['_KTHREAD']]], 'Return' : [ 0x68, ['unsigned long long']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x400, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x3f0, ['unsigned long long']], 'EnvironmentVersion' : [ 0x3f8, ['unsigned long long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '_RTL_SRWLOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_ALPC_MESSAGE_ZONE' : [ 0x30, { 'Mdl' : [ 0x0, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x8, ['pointer64', ['void']]], 'UserLimit' : [ 0x10, ['pointer64', ['void']]], 'SystemVa' : [ 0x18, ['pointer64', ['void']]], 'SystemLimit' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x28, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x20, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_PROC_HISTORY_ENTRY' : [ 0x4, { 'Utility' : [ 0x0, ['unsigned short']], 'Frequency' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], } ], '_KSPECIAL_REGISTERS' : [ 0xd8, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long 
long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', 
dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'BlockSize' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'PoolType' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x18, { 'RefCount' : [ 0x0, ['long']], 
'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 0x8, ['pointer64', ['_ETW_REG_ENTRY']]], 'Caller' : [ 0x10, ['pointer64', ['void']]], } ], '_PEB64' : [ 0x380, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'IFEOKey' : [ 0x48, ['unsigned long long']], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 
0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'UserSharedInfoPtr' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'HotpatchInformation' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 
0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['unsigned long long']], 'WerShipAssertPtr' : [ 0x360, ['unsigned long long']], 'pContextData' : [ 0x368, ['unsigned long long']], 'pImageHeaderHash' : [ 0x370, ['unsigned long long']], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ],
'_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 'ImageFileName' : [ 0x0, ['pointer64', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x80, { 'Address' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '__unnamed_2146' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1f80, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_2146']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x20, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x28, ['unsigned long long']], 'NonPagablePages' : [ 0x30, ['unsigned long long']], 'CommittedPages' : [ 0x38, ['unsigned long long']], 'PagedPoolStart' : [ 0x40, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x48, ['pointer64', ['void']]], 'SessionObject' : [ 0x50, ['pointer64', ['void']]], 'SessionObjectHandle' : [ 0x58, ['pointer64', ['void']]], 'ResidentProcessCount' : [ 0x60, ['long']], 'SessionPoolAllocationFailures' : [ 0x64, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x78, ['_LIST_ENTRY']], 'LocaleId' : [ 0x88, ['unsigned long']], 'AttachCount' : [ 0x8c, ['unsigned long']], 'AttachGate' : [ 0x90, ['_KGATE']], 'WsListEntry' : [ 0xa8, ['_LIST_ENTRY']], 'Lookaside' : [ 0xc0, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb40, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xb98, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xc00, ['_MMSUPPORT']], 'Wsle' : [ 0xc88, ['pointer64', ['_MMWSLE']]],
'DriverUnload' : [ 0xc90, ['pointer64', ['void']]], 'PagedPool' : [ 0xcc0, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1e00, ['_MMPTE']], 'SessionVaLock' : [ 0x1e08, ['_KGUARDED_MUTEX']], 'DynamicVaBitMap' : [ 0x1e40, ['_RTL_BITMAP']], 'DynamicVaHint' : [ 0x1e50, ['unsigned long']], 'SpecialPool' : [ 0x1e58, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1ea0, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1ed8, ['long']], 'PagedPoolPdeCount' : [ 0x1edc, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1ee0, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1ee4, ['unsigned long']], 'SystemPteInfo' : [ 0x1ee8, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1f30, ['pointer64', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1f38, ['unsigned long long']], 'PoolTrackBigPages' : [ 0x1f40, ['pointer64', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1f48, ['unsigned long long']], 'IoState' : [ 0x1f50, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1f54, ['unsigned long']], 'IoNotificationEvent' : [ 0x1f58, ['_KEVENT']], 'CpuQuotaBlock' : [ 0x1f70, ['pointer64', ['_PS_CPU_QUOTA_BLOCK']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, 
['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 
'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, 
native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', ['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x68, { 'Mutex' : [ 0x0, ['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x38, ['_RTL_BITMAP']], 
'FirstPteForPagedPool' : [ 0x48, ['pointer64', ['_MMPTE']]], 'PagedPoolHint' : [ 0x50, ['unsigned long']], 'PagedPoolCommit' : [ 0x58, ['unsigned long long']], 'AllocatedPagedPool' : [ 0x60, ['unsigned long long']], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '_PROC_PERF_DOMAIN' : [ 0xb8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x10, ['pointer64', ['_KPRCB']]], 'Members' : [ 0x18, ['_KAFFINITY_EX']], 'FeedbackHandler' : [ 0x40, ['pointer64', ['void']]], 'GetFFHThrottleState' : [ 0x48, ['pointer64', ['void']]], 'BoostPolicyHandler' : [ 0x50, ['pointer64', ['void']]], 'PerfSelectionHandler' : [ 0x58, ['pointer64', ['void']]], 'PerfHandler' : [ 0x60, ['pointer64', ['void']]], 'Processors' : [ 0x68, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'PerfChangeTime' : [ 0x70, ['unsigned long long']], 'ProcessorCount' : [ 0x78, ['unsigned long']], 'PreviousFrequencyMhz' : [ 0x7c, ['unsigned long']], 'CurrentFrequencyMhz' : [ 0x80, ['unsigned long']], 'PreviousFrequency' : [ 0x84, ['unsigned long']], 'CurrentFrequency' : [ 0x88, ['unsigned long']], 
'CurrentPerfContext' : [ 0x8c, ['unsigned long']], 'DesiredFrequency' : [ 0x90, ['unsigned long']], 'MaxFrequency' : [ 0x94, ['unsigned long']], 'MinPerfPercent' : [ 0x98, ['unsigned long']], 'MinThrottlePercent' : [ 0x9c, ['unsigned long']], 'MaxPercent' : [ 0xa0, ['unsigned long']], 'MinPercent' : [ 0xa4, ['unsigned long']], 'ConstrainedMaxPercent' : [ 0xa8, ['unsigned long']], 'ConstrainedMinPercent' : [ 0xac, ['unsigned long']], 'Coordination' : [ 0xb0, ['unsigned char']], 'PerfChangeIntervalCount' : [ 0xb4, ['long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_TP_NBQ_GUARD' : [ 0x20, { 'GuardLinks' : [ 0x0, ['_LIST_ENTRY']], 'Guards' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], } ], '_DUMMY_FILE_OBJECT' : [ 0x110, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x38, ['array', 216, ['unsigned char']]], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_RELATION_LIST' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'TagCount' : [ 0x4, ['unsigned long']], 'FirstLevel' : [ 0x8, ['unsigned long']], 'MaxLevel' : [ 0xc, ['unsigned long']], 'Entries' : [ 0x10, ['array', 1, ['pointer64', ['_RELATION_LIST_ENTRY']]]], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 
} ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x48, { 'PteBase' : [ 0x0, ['pointer64', ['_MMPTE']]], 'Lock' : [ 0x8, ['unsigned long long']], 'Paged' : [ 0x10, ['_MI_SPECIAL_POOL_PTE_LIST']], 'NonPaged' : [ 0x20, ['_MI_SPECIAL_POOL_PTE_LIST']], 'PagesInUse' : [ 0x30, ['long long']], 'SpecialPoolPdes' : [ 0x38, ['_RTL_BITMAP']], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '__unnamed_21bf' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_21c3' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ],
'_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 0x4, ['__unnamed_21bf']], 'Bits' : [ 0x4, ['__unnamed_21c3']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_KGUARDED_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x20, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x10, ['_PO_IRP_QUEUE']], } ], '_PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [ 0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0,
['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_KDPC_DATA' : [ 0x20, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '__unnamed_21df' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_21e1' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_21df']], 'Merged' : [ 0x10, ['__unnamed_21e1']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x8, ['pointer64', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x10, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '__unnamed_21e9' : [ 0x2, { 
'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_21e9']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x68, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x10, ['pointer64', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_1f32']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], 'u1' : [ 0x38, ['__unnamed_1fd4']], 'LeftChild' : [ 0x40, ['pointer64', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x48, ['pointer64', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x50, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x60, ['unsigned long long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x70, { 'GetTime' : [ 0x0, ['unsigned long long']], 
'SetTime' : [ 0x8, ['unsigned long long']], 'GetWakeupTime' : [ 0x10, ['unsigned long long']], 'SetWakeupTime' : [ 0x18, ['unsigned long long']], 'SetVirtualAddressMap' : [ 0x20, ['unsigned long long']], 'ConvertPointer' : [ 0x28, ['unsigned long long']], 'GetVariable' : [ 0x30, ['unsigned long long']], 'GetNextVariableName' : [ 0x38, ['unsigned long long']], 'SetVariable' : [ 0x40, ['unsigned long long']], 'GetNextHighMonotonicCount' : [ 0x48, ['unsigned long long']], 'ResetSystem' : [ 0x50, ['unsigned long long']], 'UpdateCapsule' : [ 0x58, ['unsigned long long']], 'QueryCapsuleCapabilities' : [ 0x60, ['unsigned long long']], 'QueryVariableInfo' : [ 0x68, ['unsigned long long']], } ], '_MI_SPECIAL_POOL_PTE_LIST' : [ 0x10, { 'FreePteHead' : [ 0x0, ['_MMPTE']], 'FreePteTail' : [ 0x8, ['_MMPTE']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 0x12, ['array', 3, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 
'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_21ff' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_2203' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ],
'_SEGMENT' : [ 0x50, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u1' : [ 0x30, ['__unnamed_21ff']], 'u2' : [ 0x38, ['__unnamed_2203']], 'PrototypePte' : [ 0x40, ['pointer64', ['_MMPTE']]], 'ThePtes' : [ 0x48, ['array', 1, ['_MMPTE']]], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x20, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0x18, ['unsigned long long']], } ], '__unnamed_220c' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_220e' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_220c']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0x100, { 'SuspectDriverEntry' : [ 0x0, ['pointer64', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x8, ['pointer64', ['void']]], 'EtwHandlesListHead' : [ 0x10, ['_LIST_ENTRY']], 'u1' : [ 0x20, ['__unnamed_220e']], 'Signature' : [ 0x28, ['unsigned long long']], 'PoolPageHeaders' : [ 0x30, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x40, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x50, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x54, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x58, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x5c, ['unsigned long']], 'PagedBytes' : [ 0x60, ['unsigned long long']], 'NonPagedBytes' : [ 0x68, ['unsigned long long']], 'PeakPagedBytes' : [ 0x70, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x78, ['unsigned long long']], 'RaiseIrqls' :
[ 0x80, ['unsigned long']], 'AcquireSpinLocks' : [ 0x84, ['unsigned long']], 'SynchronizeExecutions' : [ 0x88, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x8c, ['unsigned long']], 'AllocationsFailed' : [ 0x90, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x94, ['unsigned long']], 'LockedBytes' : [ 0x98, ['unsigned long long']], 'PeakLockedBytes' : [ 0xa0, ['unsigned long long']], 'MappedLockedBytes' : [ 0xa8, ['unsigned long long']], 'PeakMappedLockedBytes' : [ 0xb0, ['unsigned long long']], 'MappedIoSpaceBytes' : [ 0xb8, ['unsigned long long']], 'PeakMappedIoSpaceBytes' : [ 0xc0, ['unsigned long long']], 'PagesForMdlBytes' : [ 0xc8, ['unsigned long long']], 'PeakPagesForMdlBytes' : [ 0xd0, ['unsigned long long']], 'ContiguousMemoryBytes' : [ 0xd8, ['unsigned long long']], 'PeakContiguousMemoryBytes' : [ 0xe0, ['unsigned long long']], 'ContiguousMemoryListHead' : [ 0xe8, ['_LIST_ENTRY']], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long long']], 'PrivateLinks' : [ 0x50, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x60, ['pointer64', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, 
['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_TPM_BOOT_ENTROPY_LDR_RESULT' : [ 0x48, { 'Policy' : [ 0x0, ['unsigned long long']], 'ResultCode' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'TpmBootEntropyStructureUninitialized', 1: 'TpmBootEntropyDisabledByPolicy', 2: 'TpmBootEntropyNoTpmFound', 3: 'TpmBootEntropyTpmError', 4: 'TpmBootEntropySuccess'})]], 'ResultStatus' : [ 0xc, ['long']], 'Time' : [ 0x10, ['unsigned long long']], 'EntropyLength' : [ 0x18, ['unsigned long']], 'EntropyData' : [ 0x1c, ['array', 40, ['unsigned char']]], } ], '_RTL_HANDLE_TABLE' : [ 0x30, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x18, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x20, ['pointer64', 
['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x28, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_PTE_TRACKER' : [ 0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x10, ['pointer64', ['_MDL']]], 'Count' : [ 0x18, ['unsigned long long']], 'SystemVa' : [ 0x20, ['pointer64', ['void']]], 'StartVa' : [ 0x28, ['pointer64', ['void']]], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'IoMapping' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x40, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x40, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x40, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'CallingAddress' : [ 0x48, ['pointer64', ['void']]], 'CallersCaller' : [ 0x50, ['pointer64', ['void']]], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer64', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0x10, ['unsigned long']], 'ContextSwitches' : [ 0x14, ['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0x18, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, 
['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x20, { 'BlockAddress' : [ 0x0, ['unsigned long long']], 'BinAddress' : [ 0x8, ['unsigned long long']], 'CmView' : [ 0x10, ['pointer64', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0x18, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x18, { 'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned char']], 'NameLength' : [ 0xf, ['unsigned char']], 'Name' : [ 0x10, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x8, ['pointer64', ['void']]], } ], '_LOADER_PERFORMANCE_DATA' : [ 0x10, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1'})]], 'ReorderingBarrier' : [ 0x1c, 
['unsigned char']], 'RequestArgument' : [ 0x20, ['unsigned long long']], 'CompletionEvent' : [ 0x28, ['pointer64', ['_KEVENT']]], 'CompletionStatus' : [ 0x30, ['pointer64', ['long']]], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_MMSESSION' : [ 0x58, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x38, ['pointer64', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewTable' : [ 0x40, ['pointer64', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x48, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x4c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x50, ['unsigned long']], 'BitmapFailures' : [ 0x54, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x50, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x10, ['pointer64', ['_ETW_GUID_ENTRY']]], 'Index' : [ 0x18, ['unsigned short']], 'Flags' : [ 0x1a, ['unsigned short']], 'EnableMask' : [ 0x1c, ['unsigned char']], 'SessionId' : [ 0x20, ['unsigned long']], 'ReplyQueue' : [ 0x20, ['pointer64', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x20, ['array', 4, ['pointer64', ['_ETW_REG_ENTRY']]]], 'Process' : [ 0x40, ['pointer64', ['_EPROCESS']]], 'Callback' : [ 0x40, ['pointer64', ['void']]], 'CallbackContext' : [ 0x48, ['pointer64', ['void']]], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]], 'ServerSectionBase' : [ 0x48, ['pointer64', ['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 
'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0xc8, ['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x10, ['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_POP_DEVICE_SYS_STATE' : [ 0x2f8, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' 
: [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'AbortEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'ReadySemaphore' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x28, ['pointer64', ['_KSEMAPHORE']]], 'GetNewDeviceList' : [ 0x30, ['unsigned char']], 'Order' : [ 0x38, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0x2d0, ['_LIST_ENTRY']], 'Status' : [ 0x2e0, ['long']], 'FailedDevice' : [ 0x2e8, ['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x2f0, ['unsigned char']], 'Cancelled' : [ 0x2f1, ['unsigned char']], 'IgnoreErrors' : [ 0x2f2, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x2f3, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x2f4, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 22, native_type='unsigned 
long')]], 'Binary32' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'ContainsDebug' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x40, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x28, { 'Size' : [ 0x0, ['unsigned long long']], 'CallerType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x10, ['unsigned long long']], 'ProcessId' : [ 0x18, ['unsigned long']], 'ServiceTag' : [ 0x1c, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x10, ['unsigned long long']], 'DevicePathOffset' : [ 0x18, ['unsigned long long']], 'ReasonOffset' : [ 0x20, ['unsigned long long']], } ], '_EX_WORK_QUEUE' : [ 0x58, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x40, ['unsigned long']], 'WorkItemsProcessed' : [ 0x44, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x48, ['unsigned long']], 'QueueDepthLastPass' : [ 0x4c, ['unsigned long']], 'Info' : [ 0x50, ['EX_QUEUE_WORKER_INFO']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_TEB32' : [ 0xfe4, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : 
[ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'EtwLocalData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned 
long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, 
native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], 'ThreadUsesEresources' : [ 0x30, ['unsigned char']], } ], '_PPM_IDLE_STATE' : [ 0x60, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'IdleCheck' : [ 0x28, ['pointer64', ['void']]], 'IdleHandler' : [ 0x30, ['pointer64', ['void']]], 
'HvConfig' : [ 0x38, ['unsigned long long']], 'Context' : [ 0x40, ['pointer64', ['void']]], 'Latency' : [ 0x48, ['unsigned long']], 'Power' : [ 0x4c, ['unsigned long']], 'TimeCheck' : [ 0x50, ['unsigned long']], 'StateFlags' : [ 0x54, ['unsigned long']], 'PromotePercent' : [ 0x58, ['unsigned char']], 'DemotePercent' : [ 0x59, ['unsigned char']], 'PromotePercentBase' : [ 0x5a, ['unsigned char']], 'DemotePercentBase' : [ 0x5b, ['unsigned char']], 'StateType' : [ 0x5c, ['unsigned char']], } ], '_KRESOURCEMANAGER' : [ 0x250, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x20, ['unsigned long']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x88, ['_GUID']], 'NotificationQueue' : [ 0x98, ['_KQUEUE']], 'NotificationMutex' : [ 0xd8, ['_KMUTANT']], 'EnlistmentHead' : [ 0x110, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x120, ['unsigned long']], 'NotificationRoutine' : [ 0x128, ['pointer64', ['void']]], 'Key' : [ 0x130, ['pointer64', ['void']]], 'ProtocolListHead' : [ 0x138, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0x148, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0x158, ['_LIST_ENTRY']], 'Tm' : [ 0x168, ['pointer64', ['_KTM']]], 'Description' : [ 0x170, ['_UNICODE_STRING']], 'Enlistments' : [ 0x180, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x228, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '__unnamed_2293' : [ 0x4, { 'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x40, { 'Lock' : [ 0x0, ['long']], 'NodeToFree' : [ 0x8, ['pointer64', ['void']]], 'NodeRangeSize' : [ 
0x10, ['unsigned long long']], 'NodeCount' : [ 0x18, ['unsigned long long']], 'Tables' : [ 0x20, ['pointer64', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0x28, ['unsigned long']], 'u1' : [ 0x2c, ['__unnamed_2293']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' 
: [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_RELATION_LIST_ENTRY' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'MaxCount' : [ 0x4, ['unsigned long']], 'Devices' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x8168, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x18, ['unsigned long long']], 'ResourceAddressRange' : [ 0x20, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x4010, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x4018, ['unsigned long long']], 'ThreadAddressRange' : [ 0x4020, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x8010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x8014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x8018, ['unsigned long']], 'NodesSearched' : [ 0x801c, ['unsigned long']], 'MaxNodesSearched' : [ 0x8020, ['unsigned long']], 'SequenceNumber' : [ 0x8024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x8028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x802c, ['unsigned long']], 'DepthLimitHits' : [ 0x8030, ['unsigned long']], 'SearchLimitHits' : [ 0x8034, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x8038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x803c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x8040, ['unsigned long']], 'TotalReleases' : [ 0x8044, ['unsigned long']], 'RootNodesDeleted' : [ 0x8048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x804c, 
['unsigned long']], 'Instigator' : [ 0x8050, ['pointer64', ['void']]], 'NumberOfParticipants' : [ 0x8058, ['unsigned long']], 'Participant' : [ 0x8060, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x8160, ['long']], } ], '_KTM' : [ 0x3c0, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x8, ['_KMUTANT']], 'State' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x48, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x70, ['_GUID']], 'Flags' : [ 0x80, ['unsigned long']], 'VolatileFlags' : [ 0x84, ['unsigned long']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0xa0, ['pointer64', ['void']]], 'LogManagementContext' : [ 0xa8, ['pointer64', ['void']]], 'Transactions' : [ 0xb0, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0x158, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x200, ['_KMUTANT']], 'LsnOrderedList' : [ 0x238, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x248, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x250, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x288, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x290, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x298, ['_CLS_LSN']], 'TmRmHandle' : [ 0x2a0, ['pointer64', ['void']]], 'TmRm' : [ 0x2a8, ['pointer64', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x2b0, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x2c8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x2e8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x2f0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x310, ['_ERESOURCE']], 'LogFlags' : [ 0x378, ['unsigned long']], 'LogFullStatus' : [ 0x37c, ['long']], 'RecoveryStatus' : [ 0x380, ['long']], 'LastCheckBaseLsn' : [ 0x388, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x390, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x3a0, 
['_WORK_QUEUE_ITEM']], } ], '_CONFIGURATION_COMPONENT' : [ 0x28, { 'Class' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 'MemoryClass', 7: 'MaximumClass'})]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 14: 'TapeController', 15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 'AudioController', 24: 'OtherController', 25: 'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29: 'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]], 'Flags' : [ 0x8, ['_DEVICE_FLAGS']], 'Version' : [ 0xc, ['unsigned short']], 'Revision' : [ 0xe, ['unsigned short']], 'Key' : [ 0x10, ['unsigned long']], 'AffinityMask' : [ 0x14, ['unsigned long']], 'Group' : [ 0x14, ['unsigned short']], 'GroupIndex' : [ 0x16, ['unsigned short']], 'ConfigurationDataLength' : [ 0x18, ['unsigned long']], 'IdentifierLength' : [ 0x1c, ['unsigned long']], 'Identifier' : [ 0x20, ['pointer64', ['unsigned char']]], } ], '_KTRANSACTION' : [ 0x2d8, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x20, ['_KMUTANT']], 'TreeTx' : [ 0x58, ['pointer64', ['_KTRANSACTION']]], 
'GlobalNamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x88, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0xb0, ['_GUID']], 'State' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0xc4, ['unsigned long']], 'EnlistmentHead' : [ 0xc8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xd8, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0xdc, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0xe0, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0xe4, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0xe8, ['unsigned long']], 'PendingResponses' : [ 0xec, ['unsigned long']], 'SuperiorEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'LastLsn' : [ 0xf8, ['_CLS_LSN']], 'PromotedEntry' : [ 0x100, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0x110, ['pointer64', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0x118, ['pointer64', ['void']]], 'IsolationLevel' : [ 0x120, ['unsigned long']], 'IsolationFlags' : [ 0x124, ['unsigned long']], 'Timeout' : [ 0x128, ['_LARGE_INTEGER']], 'Description' : [ 0x130, ['_UNICODE_STRING']], 'RollbackThread' : [ 0x140, ['pointer64', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0x148, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0x168, ['_KDPC']], 'RollbackTimer' : [ 0x1a8, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x1e8, ['_LIST_ENTRY']], 'Outcome' : [ 0x1f8, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x200, ['pointer64', ['_KTM']]], 'CommitReservation' : [ 0x208, ['long long']], 
'TransactionHistory' : [ 0x210, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x260, ['unsigned long']], 'DTCPrivateInformation' : [ 0x268, ['pointer64', ['void']]], 'DTCPrivateInformationLength' : [ 0x270, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x278, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x2b0, ['pointer64', ['void']]], 'PendingPromotionCount' : [ 0x2b8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x2c0, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x60, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x10, ['pointer64', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0x18, ['pointer64', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x38, ['pointer64', ['_CM_TRANS']]], 'UoWState' : [ 0x40, ['unsigned long']], 'ActionType' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 
'ChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x50, ['unsigned long']], 'OldValueCell' : [ 0x50, ['unsigned long']], 'NewValueCell' : [ 0x54, ['unsigned long']], 'UserFlags' : [ 0x50, ['unsigned long']], 'LastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x50, ['unsigned long']], 'OldChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x58, ['unsigned long']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_KREQUEST_PACKET' : [ 0x20, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], } ], '_VF_WATCHDOG_IRP' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x10, ['pointer64', ['_IRP']]], 'DueTickCount' : [ 0x18, ['unsigned long']], 
'Inserted' : [ 0x1c, ['unsigned char']], 'TrackedStackLocation' : [ 0x1d, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x1e, ['unsigned short']], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_22e0' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_22e2' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_22e0']], 'Value' : [ 0x0, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_22e2']], } ], '_PSP_CPU_SHARE_CAPTURED_WEIGHT_DATA' : [ 0x8, { 'CapturedCpuShareWeight' : [ 0x0, ['unsigned long']], 'CapturedTotalWeight' : [ 0x4, ['unsigned long']], 'CombinedData' : [ 0x0, ['long long']], } ], '_CM_NAME_HASH' : [ 0x18, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x10, ['unsigned short']], 'Name' : [ 0x12, ['array', 1, ['wchar']]], } ], '_PROC_IDLE_STATE_BUCKET' : [ 0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 12, native_type='unsigned long')]], } ], '_PO_IRP_QUEUE' : [ 0x10, { 'CurrentIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'PendingIrpList' : [ 0x8, ['pointer64', ['_IRP']]], } ], '__unnamed_22f5' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, ['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x48, ['__unnamed_22f5']], 'ChildrenCount' : [ 0x4c, ['long']], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0xa8, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x68, ['_KMUTANT']], 'LinksOffset' : [ 0xa0, ['unsigned short']], 'GuidOffset' : [ 0xa2, ['unsigned short']], 'Expired' : [ 0xa4, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, 
['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, ['pointer64', ['void']]], 'Detail' : [ 0x8, ['unsigned long']], } ], '_VF_ADDRESS_RANGE' : [ 0x10, { 'Start' : [ 0x0, ['pointer64', ['unsigned char']]], 'End' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 0x18, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x28, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x10, ['pointer64', ['void']]], 'Key' : [ 0x18, ['unsigned long long']], 'BindingProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x40, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, 
['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x30, ['array', 3, ['unsigned long']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]],
'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x48, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x40, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_HEAP_USERDATA_HEADER' : [ 0x20, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer64', ['_HEAP_SUBSEGMENT']]], 'Reserved' : [ 0x8, ['pointer64', ['void']]], 'SizeIndex' : [ 0x10, ['unsigned long long']], 'Signature' : [ 0x18, ['unsigned long long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_STACK_TABLE' : [ 0x8088, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x8, ['array', 16, ['pointer64', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x88, ['array', 16381, ['unsigned short']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_DEFERRED_WRITE' : [ 0x48, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, ['unsigned long']], 'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'PostRoutine' : [ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [
0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, ['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 'GpValue' : [ 0x28, ['unsigned long']], 'ImageCharacteristics' : [ 0x2c, ['unsigned short']], 'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'ImageFlags' : [ 0x33, ['unsigned char']], 'ComPlusNativeReady' : [ 0x33, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x33, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x33, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x33, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x33, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'CheckSum' : [ 0x3c, ['unsigned long']], } ], '_VF_AVL_TABLE' : [ 0x70, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x68, ['pointer64', ['_VF_AVL_TREE_NODE']]], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1b, { 'PerUserPolicy' : [ 0x0, ['array', 27, ['unsigned char']]], } ], '__unnamed_234b' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_234d' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_2351' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], 
'__unnamed_2355' : [ 0x10, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x8, ['unsigned char']], } ], '__unnamed_2357' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_234b']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_234d']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_2351']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_2355']], 'Others' : [ 0x0, ['__unnamed_2357']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, ['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_POP_HIBER_CONTEXT' : [ 0x110, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'Reset' : [ 0x3, ['unsigned char']], 'HiberFlags' : [ 0x4, ['unsigned char']], 'WroteHiberFile' : [ 0x5, ['unsigned char']], 'MapFrozen' : [ 0x6, ['unsigned char']], 'MemoryMap' : [ 0x8, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x18, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x28, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x38, 
['unsigned long']], 'NextCloneRange' : [ 0x40, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x48, ['unsigned long long']], 'LoaderMdl' : [ 0x50, ['pointer64', ['_MDL']]], 'AllocatedMdl' : [ 0x58, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x60, ['unsigned long long']], 'IoPages' : [ 0x68, ['pointer64', ['void']]], 'IoPagesCount' : [ 0x70, ['unsigned long']], 'CurrentMcb' : [ 0x78, ['pointer64', ['void']]], 'DumpStack' : [ 0x80, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x88, ['pointer64', ['_KPROCESSOR_STATE']]], 'PreferredIoWriteSize' : [ 0x90, ['unsigned long']], 'IoProgress' : [ 0x94, ['unsigned long']], 'HiberVa' : [ 0x98, ['unsigned long long']], 'HiberPte' : [ 0xa0, ['_LARGE_INTEGER']], 'Status' : [ 0xa8, ['long']], 'MemoryImage' : [ 0xb0, ['pointer64', ['PO_MEMORY_IMAGE']]], 'CompressionWorkspace' : [ 0xb8, ['pointer64', ['void']]], 'CompressedWriteBuffer' : [ 0xc0, ['pointer64', ['unsigned char']]], 'CompressedWriteBufferSize' : [ 0xc8, ['unsigned long']], 'MaxCompressedOutputSize' : [ 0xcc, ['unsigned long']], 'PerformanceStats' : [ 0xd0, ['pointer64', ['unsigned long']]], 'CompressionBlock' : [ 0xd8, ['pointer64', ['void']]], 'DmaIO' : [ 0xe0, ['pointer64', ['void']]], 'TemporaryHeap' : [ 0xe8, ['pointer64', ['void']]], 'BootLoaderLogMdl' : [ 0xf0, ['pointer64', ['_MDL']]], 'FirmwareRuntimeInformationMdl' : [ 0xf8, ['pointer64', ['_MDL']]], 'ResumeContext' : [ 0x100, ['pointer64', ['void']]], 'ResumeContextPages' : [ 0x108, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x80, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer64', ['void']]]], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], } ], 
'_DUMP_STACK_CONTEXT' : [ 0x110, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xa0, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0xa8, ['pointer64', ['void']]], 'PointersLength' : [ 0xb0, ['unsigned long']], 'ModulePrefix' : [ 0xb8, ['pointer64', ['unsigned short']]], 'DriverList' : [ 0xc0, ['_LIST_ENTRY']], 'InitMsg' : [ 0xd0, ['_STRING']], 'ProgMsg' : [ 0xe0, ['_STRING']], 'DoneMsg' : [ 0xf0, ['_STRING']], 'FileObject' : [ 0x100, ['pointer64', ['void']]], 'UsageType' : [ 0x108, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x40, { 'ThreadHandle' : [ 0x0, ['pointer64', ['void']]], 'ThreadId' : [ 0x8, ['pointer64', ['void']]], 'ProcessId' : [ 0x10, ['pointer64', ['void']]], 'Code' : [ 0x18, ['unsigned long']], 'Parameter1' : [ 0x20, ['unsigned long long']], 'Parameter2' : [ 0x28, ['unsigned long long']], 'Parameter3' : [ 0x30, ['unsigned long long']], 'Parameter4' : [ 0x38, ['unsigned long long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_PCW_MASK_INFORMATION' : [ 0x28, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'InstanceId' : [ 0x10, ['unsigned long']], 'CollectMultiple' : [ 0x14, ['unsigned char']], 'Buffer' : [ 0x18, ['pointer64', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x20, ['pointer64', ['_KEVENT']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], 
'__unnamed_237d' : [ 0x20, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_237d']], } ], '__unnamed_2381' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_2381']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0x128, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' 
: [ 0x30, ['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'HiberPte' : [ 0x48, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x50, ['unsigned long']], 'FreeMapCheck' : [ 0x54, ['unsigned long']], 'WakeCheck' : [ 0x58, ['unsigned long']], 'FirstTablePage' : [ 0x60, ['unsigned long long']], 'PerfInfo' : [ 0x68, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0xc0, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0xc8, ['array', 1, ['unsigned long long']]], 'NoBootLoaderLogPages' : [ 0xd0, ['unsigned long']], 'BootLoaderLogPages' : [ 0xd8, ['array', 8, ['unsigned long long']]], 'NotUsed' : [ 0x118, ['unsigned long']], 'ResumeContextCheck' : [ 0x11c, ['unsigned long']], 'ResumeContextPages' : [ 0x120, ['unsigned long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x58, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'ElapsedTicks' : [ 0x18, ['unsigned long long']], 'CompressTicks' : [ 0x20, ['unsigned long long']], 'ResumeAppTime' : [ 0x28, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x30, ['unsigned long long']],
'BytesCopied' : [ 0x38, ['unsigned long long']], 'PagesProcessed' : [ 0x40, ['unsigned long long']], 'PagesWritten' : [ 0x48, ['unsigned long']], 'DumpCount' : [ 0x4c, ['unsigned long']], 'FileRuns' : [ 0x50, ['unsigned long']], } ], '_DEVICE_FLAGS' : [ 0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ConsoleIn' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x20, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0x18, ['unsigned char']], 'Reserved' : [ 0x19, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' : [ 0x30, { 'Entry' : [ 0x0, ['unsigned long long']], 'Writable' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ControlArea' : [ 0x8, ['pointer64', ['_CONTROL_AREA']]], 'ViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'SessionViewVa' : [ 0x20, ['pointer64', ['void']]], 'SessionId' : [ 0x28, ['unsigned long']], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]],
'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x40, { 'UsedBiosSettings' : [ 0x0, ['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0x10, ['pointer64', ['unsigned char']]], 'PciDeviceId' : [ 0x18, ['unsigned short']], 'PciVendorId' : [ 0x1a, ['unsigned short']], 'PciBusNumber' : [ 0x1c, ['unsigned char']], 'PciBusSegment' : [ 0x1e, ['unsigned short']], 'PciSlotNumber' : [ 0x20, ['unsigned char']], 'PciFunctionNumber' : [ 0x21, ['unsigned char']], 'PciFlags' : [ 0x24, ['unsigned long']], 'SystemGUID' : [ 0x28, ['_GUID']], 'IsMMIODevice' : [ 0x38, ['unsigned char']], 'TerminalType' : [ 0x39, ['unsigned char']], } ], '__unnamed_23ab' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_23ad' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_23af' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_23ab']], 'Gpt' : [ 0x0, ['__unnamed_23ad']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xa0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', 
['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_23af']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x48, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'Flags' : [ 0x10, ['unsigned long']], 'Hint' : [ 0x14, ['unsigned long']], 'BasePte' : [ 0x18, ['pointer64', ['_MMPTE']]], 'FailureCount' : [ 0x20, ['pointer64', ['unsigned long']]], 'Vm' : [ 0x28, ['pointer64', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x30, ['long']], 'TotalFreeSystemPtes' : [ 0x34, ['long']], 'CachedPteCount' : [ 0x38, ['long']], 'PteFailures' : [ 0x3c, ['unsigned long']], 'SpinLock' : [ 0x40, ['unsigned long long']], 'GlobalMutex' : [ 0x40, ['pointer64', ['_KGUARDED_MUTEX']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x20, { 'DHCPServerACK' : [ 0x0, ['pointer64', ['unsigned char']]], 'DHCPServerACKLength' : [ 0x8, ['unsigned long']], 'BootServerReplyPacket' : [ 0x10, ['pointer64', ['unsigned char']]], 'BootServerReplyPacketLength' : [ 0x18, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x298, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', 
['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 9, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x28, ['_LIST_ENTRY']], 'WaitS0' : [ 0x38, ['_LIST_ENTRY']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_ETW_REPLY_QUEUE' : [ 0x48, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x40, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x68, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x20, ['pointer64', 
['void']]], 'WhichOrderedElement' : [ 0x28, ['unsigned long']], 'NumberGenericTableElements' : [ 0x2c, ['unsigned long']], 'DepthOfTree' : [ 0x30, ['unsigned long']], 'RestartKey' : [ 0x38, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x40, ['unsigned long']], 'CompareRoutine' : [ 0x48, ['pointer64', ['void']]], 'AllocateRoutine' : [ 0x50, ['pointer64', ['void']]], 'FreeRoutine' : [ 0x58, ['pointer64', ['void']]], 'TableContext' : [ 0x60, ['pointer64', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_KUSER_SHARED_DATA' : [ 0x5f0, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, 
['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'AltArchitecturePad' : [ 0x2c4, ['array', 1, ['unsigned long']]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'TscQpcData' : [ 0x2ed, ['unsigned char']], 'TscQpcEnabled' : [ 0x2ed, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TscQpcSpareFlag' : [ 0x2ed, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'TscQpcShift' : [ 0x2ed, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'TscQpcPad' : [ 0x2ee, ['array', 2, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgSystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgSEHValidationEnabled' : [ 0x2f0, 
['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved5' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'TscQpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned short']], 'Reserved4' : [ 0x3c6, ['unsigned short']], 'AitSamplingValue' : [ 0x3c8, ['unsigned long']], 'AppCompatFlag' : [ 0x3cc, ['unsigned long']], 'SystemDllNativeRelocation' : [ 0x3d0, ['unsigned long long']], 'SystemDllWowRelocation' : [ 0x3d8, ['unsigned long']], 'XStatePad' : [ 0x3dc, ['array', 1, ['unsigned long']]], 'XState' : [ 0x3e0, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_1043' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1043']], 'QuadPart' : [ 0x0, 
['unsigned long long']], } ], '__unnamed_1047' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1047']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_105f' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1061' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_105f']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x48, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x8, ['pointer64', ['_TP_POOL']]], 'CleanupGroup' : [ 0x10, ['pointer64', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0x18, ['pointer64', ['void']]], 'RaceDll' : [ 0x20, ['pointer64', ['void']]], 'ActivationContext' : [ 0x28, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x30, ['pointer64', ['void']]], 'u' : [ 0x38, ['__unnamed_1061']], 'CallbackPriority' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_INVALID'})]], 'Size' : [ 0x40, ['unsigned long']], } ], '_TP_TASK' : [ 0x38, { 'Callbacks' : [ 0x0, ['pointer64', ['_TP_TASK_CALLBACKS']]], 'NumaNode' : [ 0x8, ['unsigned long']], 'IdealProcessor' : [ 0xc, ['unsigned char']], 'PostGuard' : [ 0x10, ['_TP_NBQ_GUARD']], 'NBQNode' : [ 0x30, ['pointer64', ['void']]], } ], '_TP_TASK_CALLBACKS' : [ 0x10, { 'ExecuteCallback' : [ 0x0, ['pointer64', ['void']]], 'Unposted' : [ 0x8, ['pointer64', ['void']]], } ], '_TP_DIRECT' : [ 0x10, { 'Callback' : [ 0x0, ['pointer64', ['void']]], 'NumaNode' : [ 0x8, ['unsigned long']], 'IdealProcessor' : [ 0xc, 
['unsigned char']], } ], '_TEB' : [ 0x1818, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['pointer64', ['void']]]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', ['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, 
['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, ['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['pointer64', ['void']]]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['pointer64', ['void']]], 'EtwLocalData' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['pointer64', ['void']]], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['pointer64', ['void']]], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, 
['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'PreferredLanguages' : [ 0x17d0, ['pointer64', ['void']]], 'UserPrefLanguages' : [ 0x17d8, ['pointer64', ['void']]], 'MergedPrefLanguages' : [ 0x17e0, ['pointer64', ['void']]], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, 
['pointer64', ['void']]], 'TxnScopeExitCallback' : [ 0x17f8, ['pointer64', ['void']]], 'TxnScopeContext' : [ 0x1800, ['pointer64', ['void']]], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['pointer64', ['void']]], } ], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, { 'Next' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0x18, { 'ChainHead' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x28, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ChainHead' : [ 0x18, ['pointer64', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x20, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x28, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer64', ['void']]], } ], '_UNICODE_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, ['unsigned long']], 
'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_KPCR' : [ 0x4e80, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'UserRsp' : [ 0x10, ['unsigned long long']], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, ['unsigned long']], 
'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, ['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_KPRCB' : [ 0x4d00, { 'MxCsr' : [ 0x0, ['unsigned long']], 'LegacyNumber' : [ 0x4, ['unsigned char']], 'ReservedMustBeZero' : [ 0x5, ['unsigned char']], 'InterruptRequest' : [ 0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NestingLevel' : [ 0x20, ['unsigned char']], 'PrcbPad00' : [ 0x21, ['array', 3, ['unsigned char']]], 'Number' : [ 0x24, ['unsigned long']], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'PrcbPad01' : [ 0x38, ['unsigned long long']], 'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']], 'CpuType' : [ 0x5f0, ['unsigned char']], 'CpuID' : [ 0x5f1, ['unsigned char']], 'CpuStep' : [ 0x5f2, ['unsigned short']], 'CpuStepping' : [ 0x5f2, ['unsigned char']], 'CpuModel' : [ 0x5f3, ['unsigned char']], 'MHz' : [ 0x5f4, ['unsigned long']], 'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x638, ['unsigned short']], 'MajorVersion' : [ 0x63a, ['unsigned short']], 'BuildType' : [ 0x63c, ['unsigned char']], 'CpuVendor' : [ 0x63d, ['unsigned char']], 'CoresPerPhysicalProcessor' : [ 0x63e, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x63f, ['unsigned char']], 'ApicMask' : [ 0x640, ['unsigned long']], 'CFlushSize' : [ 0x644, ['unsigned long']], 'AcpiReserved' : [ 0x648, ['pointer64', ['void']]], 'InitialApicId' : [ 0x650, ['unsigned long']], 'Stride' : [ 0x654, ['unsigned long']], 'Group' : [ 0x658, ['unsigned short']], 'GroupSetMember' : [ 0x660, ['unsigned long long']], 'GroupIndex' : [ 0x668, ['unsigned char']], 
'LockQueue' : [ 0x670, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x780, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x880, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1480, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x2080, ['long']], 'DeferredReadyListHead' : [ 0x2088, ['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x2090, ['long']], 'MmCopyOnWriteCount' : [ 0x2094, ['long']], 'MmTransitionCount' : [ 0x2098, ['long']], 'MmDemandZeroCount' : [ 0x209c, ['long']], 'MmPageReadCount' : [ 0x20a0, ['long']], 'MmPageReadIoCount' : [ 0x20a4, ['long']], 'MmDirtyPagesWriteCount' : [ 0x20a8, ['long']], 'MmDirtyWriteIoCount' : [ 0x20ac, ['long']], 'MmMappedPagesWriteCount' : [ 0x20b0, ['long']], 'MmMappedWriteIoCount' : [ 0x20b4, ['long']], 'KeSystemCalls' : [ 0x20b8, ['unsigned long']], 'KeContextSwitches' : [ 0x20bc, ['unsigned long']], 'CcFastReadNoWait' : [ 0x20c0, ['unsigned long']], 'CcFastReadWait' : [ 0x20c4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x20c8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x20cc, ['unsigned long']], 'CcCopyReadWait' : [ 0x20d0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x20d4, ['unsigned long']], 'LookasideIrpFloat' : [ 0x20d8, ['long']], 'IoReadOperationCount' : [ 0x20dc, ['long']], 'IoWriteOperationCount' : [ 0x20e0, ['long']], 'IoOtherOperationCount' : [ 0x20e4, ['long']], 'IoReadTransferCount' : [ 0x20e8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x20f0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x20f8, ['_LARGE_INTEGER']], 'TargetCount' : [ 0x2100, ['long']], 'IpiFrozen' : [ 0x2104, ['unsigned long']], 'DpcData' : [ 0x2180, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x21c0, ['pointer64', ['void']]], 'MaximumDpcQueueDepth' : [ 0x21c8, ['long']], 'DpcRequestRate' : [ 0x21cc, ['unsigned long']], 'MinimumDpcRate' : [ 0x21d0, ['unsigned long']], 'DpcLastCount' : [ 0x21d4, ['unsigned long']], 'ThreadDpcEnable' : [ 0x21d8, 
['unsigned char']], 'QuantumEnd' : [ 0x21d9, ['unsigned char']], 'DpcRoutineActive' : [ 0x21da, ['unsigned char']], 'IdleSchedule' : [ 0x21db, ['unsigned char']], 'DpcRequestSummary' : [ 0x21dc, ['long']], 'DpcRequestSlot' : [ 0x21dc, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x21dc, ['short']], 'DpcThreadActive' : [ 0x21de, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'ThreadDpcState' : [ 0x21de, ['short']], 'TimerHand' : [ 0x21e0, ['unsigned long']], 'MasterOffset' : [ 0x21e4, ['long']], 'LastTick' : [ 0x21e8, ['unsigned long']], 'UnusedPad' : [ 0x21ec, ['unsigned long']], 'PrcbPad50' : [ 0x21f0, ['array', 2, ['unsigned long long']]], 'TimerTable' : [ 0x2200, ['_KTIMER_TABLE']], 'DpcGate' : [ 0x4400, ['_KGATE']], 'PrcbPad52' : [ 0x4418, ['pointer64', ['void']]], 'CallDpc' : [ 0x4420, ['_KDPC']], 'ClockKeepAlive' : [ 0x4460, ['long']], 'ClockCheckSlot' : [ 0x4464, ['unsigned char']], 'ClockPollCycle' : [ 0x4465, ['unsigned char']], 'NmiActive' : [ 0x4466, ['unsigned short']], 'DpcWatchdogPeriod' : [ 0x4468, ['long']], 'DpcWatchdogCount' : [ 0x446c, ['long']], 'TickOffset' : [ 0x4470, ['unsigned long long']], 'KeSpinLockOrdering' : [ 0x4478, ['long']], 'PrcbPad70' : [ 0x447c, ['unsigned long']], 'WaitListHead' : [ 0x4480, ['_LIST_ENTRY']], 'WaitLock' : [ 0x4490, ['unsigned long long']], 'ReadySummary' : [ 0x4498, ['unsigned long']], 'QueueIndex' : [ 0x449c, ['unsigned long']], 'TimerExpirationDpc' : [ 0x44a0, ['_KDPC']], 'PrcbPad72' : [ 0x44e0, ['array', 4, ['unsigned long long']]], 'DispatcherReadyListHead' : [ 0x4500, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x4700, ['unsigned long']], 'KernelTime' : [ 0x4704, ['unsigned long']], 'UserTime' : [ 0x4708, ['unsigned long']], 'DpcTime' : [ 0x470c, ['unsigned long']], 'InterruptTime' : [ 0x4710, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x4714, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x4718, ['unsigned char']], 'PrcbPad80' : [ 0x4719, ['array', 7,
['unsigned char']]], 'DpcTimeCount' : [ 0x4720, ['unsigned long']], 'DpcTimeLimit' : [ 0x4724, ['unsigned long']], 'PeriodicCount' : [ 0x4728, ['unsigned long']], 'PeriodicBias' : [ 0x472c, ['unsigned long']], 'AvailableTime' : [ 0x4730, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x4734, ['unsigned long']], 'ParentNode' : [ 0x4738, ['pointer64', ['_KNODE']]], 'StartCycles' : [ 0x4740, ['unsigned long long']], 'PrcbPad82' : [ 0x4748, ['array', 3, ['unsigned long long']]], 'MmSpinLockOrdering' : [ 0x4760, ['long']], 'PageColor' : [ 0x4764, ['unsigned long']], 'NodeColor' : [ 0x4768, ['unsigned long']], 'NodeShiftedColor' : [ 0x476c, ['unsigned long']], 'SecondaryColorMask' : [ 0x4770, ['unsigned long']], 'PrcbPad83' : [ 0x4774, ['unsigned long']], 'CycleTime' : [ 0x4778, ['unsigned long long']], 'CcFastMdlReadNoWait' : [ 0x4780, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x4784, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x4788, ['unsigned long']], 'CcMapDataNoWait' : [ 0x478c, ['unsigned long']], 'CcMapDataWait' : [ 0x4790, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x4794, ['unsigned long']], 'CcPinReadNoWait' : [ 0x4798, ['unsigned long']], 'CcPinReadWait' : [ 0x479c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x47a0, ['unsigned long']], 'CcMdlReadWait' : [ 0x47a4, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x47a8, ['unsigned long']], 'CcLazyWriteIos' : [ 0x47ac, ['unsigned long']], 'CcLazyWritePages' : [ 0x47b0, ['unsigned long']], 'CcDataFlushes' : [ 0x47b4, ['unsigned long']], 'CcDataPages' : [ 0x47b8, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x47bc, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x47c0, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x47c4, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x47c8, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x47cc, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x47d0, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x47d4, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x47d8, ['unsigned long']], 
'CcMdlReadNoWaitMiss' : [ 0x47dc, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x47e0, ['unsigned long']], 'CcReadAheadIos' : [ 0x47e4, ['unsigned long']], 'MmCacheTransitionCount' : [ 0x47e8, ['long']], 'MmCacheReadCount' : [ 0x47ec, ['long']], 'MmCacheIoCount' : [ 0x47f0, ['long']], 'PrcbPad91' : [ 0x47f4, ['array', 1, ['unsigned long']]], 'RuntimeAccumulation' : [ 0x47f8, ['unsigned long long']], 'PowerState' : [ 0x4800, ['_PROCESSOR_POWER_STATE']], 'PrcbPad92' : [ 0x4900, ['array', 16, ['unsigned char']]], 'KeAlignmentFixupCount' : [ 0x4910, ['unsigned long']], 'DpcWatchdogDpc' : [ 0x4918, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x4958, ['_KTIMER']], 'Cache' : [ 0x4998, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x49d4, ['unsigned long']], 'CachedCommit' : [ 0x49d8, ['unsigned long']], 'CachedResidentAvailable' : [ 0x49dc, ['unsigned long']], 'HyperPte' : [ 0x49e0, ['pointer64', ['void']]], 'WheaInfo' : [ 0x49e8, ['pointer64', ['void']]], 'EtwSupport' : [ 0x49f0, ['pointer64', ['void']]], 'InterruptObjectPool' : [ 0x4a00, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x4a10, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x4a20, ['pointer64', ['void']]], 'VirtualApicAssist' : [ 0x4a28, ['pointer64', ['void']]], 'StatisticsPage' : [ 0x4a30, ['pointer64', ['unsigned long long']]], 'RateControl' : [ 0x4a38, ['pointer64', ['void']]], 'CacheProcessorMask' : [ 0x4a40, ['array', 5, ['unsigned long long']]], 'PackageProcessorSet' : [ 0x4a68, ['_KAFFINITY_EX']], 'CoreProcessorSet' : [ 0x4a90, ['unsigned long long']], 'PebsIndexAddress' : [ 0x4a98, ['pointer64', ['void']]], 'PrcbPad93' : [ 0x4aa0, ['array', 12, ['unsigned long long']]], 'SpinLockAcquireCount' : [ 0x4b00, ['unsigned long']], 'SpinLockContentionCount' : [ 0x4b04, ['unsigned long']], 'SpinLockSpinCount' : [ 0x4b08, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0x4b0c, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x4b10, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x4b14, 
['unsigned long']], 'ExInitializeResourceCount' : [ 0x4b18, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x4b1c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x4b20, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x4b24, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x4b28, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x4b2c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x4b30, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x4b34, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x4b38, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x4b3c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x4b40, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x4b44, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x4b48, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x4b4c, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x4b50, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x4b54, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x4b58, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x4b5c, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x4b60, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x4b64, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x4b68, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x4b6c, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x4b70, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x4b74, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x4b78, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x4b7c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x4b80, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x4b84, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 
0x4b88, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x4b8c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x4b90, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x4b94, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x4b98, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x4b9c, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0x4ba0, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0x4ba4, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0x4ba8, ['unsigned long']], 'ExBoostSharedOwners' : [ 0x4bac, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0x4bb0, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0x4bb4, ['unsigned long']], 'VendorString' : [ 0x4bb8, ['array', 13, ['unsigned char']]], 'PrcbPad10' : [ 0x4bc5, ['array', 3, ['unsigned char']]], 'FeatureBits' : [ 0x4bc8, ['unsigned long']], 'UpdateSignature' : [ 0x4bd0, ['_LARGE_INTEGER']], 'Context' : [ 0x4bd8, ['pointer64', ['_CONTEXT']]], 'ContextFlags' : [ 0x4be0, ['unsigned long']], 'ExtendedState' : [ 0x4be8, ['pointer64', ['_XSAVE_AREA']]], 'Mailbox' : [ 0x4c00, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestMailbox' : [ 0x4c80, ['array', 1, ['_REQUEST_MAILBOX']]], } ], '_SINGLE_LIST_ENTRY32' : [ 0x4, { 'Next' : [ 0x0, ['unsigned long']], } ], '_KTHREAD' : [ 0x360, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'CycleTime' : [ 0x18, ['unsigned long long']], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'KernelStack' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 0x40, ['unsigned long long']], 'WaitRegister' : [ 0x48, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x49, ['unsigned char']], 'Alerted' : [ 0x4a, ['array', 2, ['unsigned char']]], 'KernelStackResident' : [ 0x4c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x4c, ['BitField', 
dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x4c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x4c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x4c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x4c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GdiFlushActive' : [ 0x4c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x4c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x4c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x4c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x4c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x4c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'TimerActive' : [ 0x4c, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Reserved' : [ 0x4c, ['BitField', dict(start_bit = 13, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x4c, ['long']], 'ApcState' : [ 0x50, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x50, ['array', 43, ['unsigned char']]], 'Priority' : [ 0x7b, ['unsigned char']], 'NextProcessor' : [ 0x7c, ['unsigned long']], 'DeferredProcessor' : [ 0x80, ['unsigned long']], 'ApcQueueLock' : [ 0x88, ['unsigned long long']], 'WaitStatus' : [ 0x90, ['long long']], 'WaitBlockList' : [ 0x98, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0xa0, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0xa0, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xb0, ['pointer64', ['_KQUEUE']]], 'Teb' : [ 0xb8, ['pointer64', ['void']]], 'Timer' : [ 0xc0, ['_KTIMER']], 'AutoAlignment' 
: [ 0x100, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0x100, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0x100, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EtwStackTraceApc2Inserted' : [ 0x100, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CalloutActive' : [ 0x100, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ApcQueueable' : [ 0x100, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'EnableStackSwap' : [ 0x100, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'GuiThread' : [ 0x100, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0x100, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedFlags' : [ 0x100, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0x100, ['long']], 'Spare0' : [ 0x104, ['unsigned long']], 'WaitBlock' : [ 0x108, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill4' : [ 0x108, ['array', 44, ['unsigned char']]], 'ContextSwitches' : [ 0x134, ['unsigned long']], 'WaitBlockFill5' : [ 0x108, ['array', 92, ['unsigned char']]], 'State' : [ 0x164, ['unsigned char']], 'NpxState' : [ 0x165, ['unsigned char']], 'WaitIrql' : [ 0x166, ['unsigned char']], 'WaitMode' : [ 0x167, ['unsigned char']], 'WaitBlockFill6' : [ 0x108, ['array', 140, ['unsigned char']]], 'WaitTime' : [ 0x194, ['unsigned long']], 'WaitBlockFill7' : [ 0x108, ['array', 168, ['unsigned char']]], 'TebMappedLowVa' : [ 0x1b0, ['pointer64', ['void']]], 'Ucb' : [ 0x1b8, ['pointer64', ['_UMS_CONTROL_BLOCK']]], 'WaitBlockFill8' : [ 0x108, ['array', 188, ['unsigned char']]], 'KernelApcDisable' : [ 0x1c4, ['short']], 'SpecialApcDisable' : [ 0x1c6, ['short']], 'CombinedApcDisable' : [ 0x1c4, 
['unsigned long']], 'QueueListEntry' : [ 0x1c8, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x1d8, ['pointer64', ['_KTRAP_FRAME']]], 'FirstArgument' : [ 0x1e0, ['pointer64', ['void']]], 'CallbackStack' : [ 0x1e8, ['pointer64', ['void']]], 'CallbackDepth' : [ 0x1e8, ['unsigned long long']], 'ApcStateIndex' : [ 0x1f0, ['unsigned char']], 'BasePriority' : [ 0x1f1, ['unsigned char']], 'PriorityDecrement' : [ 0x1f2, ['unsigned char']], 'ForegroundBoost' : [ 0x1f2, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x1f2, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x1f3, ['unsigned char']], 'AdjustReason' : [ 0x1f4, ['unsigned char']], 'AdjustIncrement' : [ 0x1f5, ['unsigned char']], 'PreviousMode' : [ 0x1f6, ['unsigned char']], 'Saturation' : [ 0x1f7, ['unsigned char']], 'SystemCallNumber' : [ 0x1f8, ['unsigned long']], 'FreezeCount' : [ 0x1fc, ['unsigned long']], 'UserAffinity' : [ 0x200, ['_GROUP_AFFINITY']], 'Process' : [ 0x210, ['pointer64', ['_KPROCESS']]], 'Affinity' : [ 0x218, ['_GROUP_AFFINITY']], 'IdealProcessor' : [ 0x228, ['unsigned long']], 'UserIdealProcessor' : [ 0x22c, ['unsigned long']], 'ApcStatePointer' : [ 0x230, ['array', 2, ['pointer64', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x240, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x240, ['array', 43, ['unsigned char']]], 'WaitReason' : [ 0x26b, ['unsigned char']], 'SuspendCount' : [ 0x26c, ['unsigned char']], 'Spare1' : [ 0x26d, ['unsigned char']], 'CodePatchInProgress' : [ 0x26e, ['unsigned char']], 'Win32Thread' : [ 0x270, ['pointer64', ['void']]], 'StackBase' : [ 0x278, ['pointer64', ['void']]], 'SuspendApc' : [ 0x280, ['_KAPC']], 'SuspendApcFill0' : [ 0x280, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x281, ['unsigned char']], 'SuspendApcFill1' : [ 0x280, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x283, ['unsigned char']], 'SuspendApcFill2' : [ 0x280, ['array', 4, ['unsigned char']]], 
'KernelTime' : [ 0x284, ['unsigned long']], 'SuspendApcFill3' : [ 0x280, ['array', 64, ['unsigned char']]], 'WaitPrcb' : [ 0x2c0, ['pointer64', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x280, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x2c8, ['pointer64', ['void']]], 'SuspendApcFill5' : [ 0x280, ['array', 83, ['unsigned char']]], 'LargeStack' : [ 0x2d3, ['unsigned char']], 'UserTime' : [ 0x2d4, ['unsigned long']], 'SuspendSemaphore' : [ 0x2d8, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x2d8, ['array', 28, ['unsigned char']]], 'SListFaultCount' : [ 0x2f4, ['unsigned long']], 'ThreadListEntry' : [ 0x2f8, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x308, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x318, ['pointer64', ['void']]], 'ReadOperationCount' : [ 0x320, ['long long']], 'WriteOperationCount' : [ 0x328, ['long long']], 'OtherOperationCount' : [ 0x330, ['long long']], 'ReadTransferCount' : [ 0x338, ['long long']], 'WriteTransferCount' : [ 0x340, ['long long']], 'OtherTransferCount' : [ 0x348, ['long long']], 'ThreadCounters' : [ 0x350, ['pointer64', ['_KTHREAD_COUNTERS']]], 'XStateSave' : [ 0x358, ['pointer64', ['_XSTATE_SAVE']]], } ], '_KSTACK_AREA' : [ 0x250, { 'StackControl' : [ 0x0, ['_KERNEL_STACK_CONTROL']], 'NpxFrame' : [ 0x50, ['_XSAVE_FORMAT']], } ], '_KERNEL_STACK_CONTROL' : [ 0x50, { 'Current' : [ 0x0, ['_KERNEL_STACK_SEGMENT']], 'Previous' : [ 0x28, ['_KERNEL_STACK_SEGMENT']], } ], '_UMS_CONTROL_BLOCK' : [ 0x98, { 'UmsContext' : [ 0x0, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'CompletionListEntry' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'CompletionListEvent' : [ 0x10, ['pointer64', ['_KEVENT']]], 'ServiceSequenceNumber' : [ 0x18, ['unsigned long']], 'UmsQueue' : [ 0x20, ['_KQUEUE']], 'QueueEntry' : [ 0x60, ['_LIST_ENTRY']], 'YieldingUmsContext' : [ 0x70, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'YieldingParam' : [ 0x78, ['pointer64', ['void']]], 'UmsTeb' : [ 0x80, ['pointer64', ['void']]], 'PrimaryFlags' : [ 0x88, ['unsigned long']], 
'UmsContextHeaderReady' : [ 0x88, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UmsAssociatedQueue' : [ 0x20, ['pointer64', ['_KQUEUE']]], 'UmsQueueListEntry' : [ 0x28, ['pointer64', ['_LIST_ENTRY']]], 'UmsContextHeader' : [ 0x30, ['pointer64', ['_KUMS_CONTEXT_HEADER']]], 'UmsWaitGate' : [ 0x38, ['_KGATE']], 'StagingArea' : [ 0x50, ['pointer64', ['void']]], 'Flags' : [ 0x58, ['long']], 'UmsForceQueueTermination' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UmsAssociatedQueueUsed' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UmsThreadParked' : [ 0x58, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'UmsPrimaryDeliveredContext' : [ 0x58, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'TebSelector' : [ 0x90, ['unsigned short']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Event' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '__unnamed_11ca' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 25, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 
'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 61, native_type='unsigned long long')]], 'Region' : [ 0x8, ['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_11cf' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_11d2' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long long']], 'Header8' : [ 0x0, ['__unnamed_11ca']], 'Header16' : [ 0x0, ['__unnamed_11cf']], 'HeaderX64' : [ 0x0, ['__unnamed_11d2']], } ], '_LOOKASIDE_LIST_EX' : [ 0x60, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, 
['double']], } ], '_IO_STATUS_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 'Information' : [ 0x8, ['unsigned long long']], } ], '_IO_STATUS_BLOCK32' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Information' : [ 0x4, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x100, { 'Locks' : [ 0x0, ['array', 32, ['pointer64', ['_EX_PUSH_LOCK']]]], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 
'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x40, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x18, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x20, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x28, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x30, ['long']], 'Flags' : [ 0x34, ['long']], } ], '_ETHREAD' : [ 0x498, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x360, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x368, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x368, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x378, ['long']], 'PostBlockList' : [ 0x380, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x380, ['pointer64', ['void']]], 'StartAddress' : [ 0x388, ['pointer64', ['void']]], 'TerminationPort' : [ 0x390, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x390, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x390, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x398, ['unsigned long long']], 
'ActiveTimerListHead' : [ 0x3a0, ['_LIST_ENTRY']], 'Cid' : [ 0x3b0, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x3c0, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x3c0, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x3e0, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x3e8, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x3f8, ['unsigned long long']], 'DeviceToVerify' : [ 0x400, ['pointer64', ['_DEVICE_OBJECT']]], 'CpuQuotaApc' : [ 0x408, ['pointer64', ['_PSP_CPU_QUOTA_APC']]], 'Win32StartAddress' : [ 0x410, ['pointer64', ['void']]], 'LegacyPowerObject' : [ 0x418, ['pointer64', ['void']]], 'ThreadListEntry' : [ 0x420, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x430, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x438, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x440, ['unsigned long']], 'MmLockOrdering' : [ 0x444, ['long']], 'CrossThreadFlags' : [ 0x448, ['unsigned long']], 'Terminated' : [ 0x448, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x448, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x448, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x448, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x448, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x448, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x448, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x448, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x448, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x448, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x448, ['BitField', dict(start_bit = 
10, end_bit = 13, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x448, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x448, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NeedsWorkingSetAging' : [ 0x448, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x44c, ['unsigned long']], 'ActiveExWorker' : [ 0x44c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x44c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x44c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ClonedThread' : [ 0x44c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x44c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x44c, ['BitField', dict(start_bit = 5, end_bit = 7, native_type='unsigned long')]], 'SelfTerminate' : [ 0x44c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x450, ['unsigned long']], 'Spare' : [ 0x450, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x450, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwPageFaultCalloutActive' : [ 0x450, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x450, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x450, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetExclusive' : [ 0x450, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetShared' : [ 0x450, ['BitField', dict(start_bit = 6, 
end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x450, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x451, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x451, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x451, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x451, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x451, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsDynamicMemoryShared' : [ 0x451, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x451, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x451, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetExclusive' : [ 0x452, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetShared' : [ 0x452, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetExclusive' : [ 0x452, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetShared' : [ 0x452, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimTrigger' : [ 0x452, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Spare1' : [ 0x452, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x453, ['unsigned char']], 'CacheManagerActive' : [ 0x454, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x455, ['unsigned char']], 
'ActiveFaultCount' : [ 0x456, ['unsigned char']], 'LockOrderState' : [ 0x457, ['unsigned char']], 'AlpcMessageId' : [ 0x458, ['unsigned long long']], 'AlpcMessage' : [ 0x460, ['pointer64', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x460, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x468, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x478, ['unsigned long']], 'IoBoostCount' : [ 0x47c, ['unsigned long']], 'IrpListLock' : [ 0x480, ['unsigned long long']], 'ReservedForSynchTracking' : [ 0x488, ['pointer64', ['void']]], 'CmCallbackListHead' : [ 0x490, ['_SINGLE_LIST_ENTRY']], } ], '_EPROCESS' : [ 0x4d0, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x160, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x168, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x170, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0x178, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x180, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0x188, ['_LIST_ENTRY']], 'ProcessQuotaUsage' : [ 0x198, ['array', 2, ['unsigned long long']]], 'ProcessQuotaPeak' : [ 0x1a8, ['array', 2, ['unsigned long long']]], 'CommitCharge' : [ 0x1b8, ['unsigned long long']], 'QuotaBlock' : [ 0x1c0, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'CpuQuotaBlock' : [ 0x1c8, ['pointer64', ['_PS_CPU_QUOTA_BLOCK']]], 'PeakVirtualSize' : [ 0x1d0, ['unsigned long long']], 'VirtualSize' : [ 0x1d8, ['unsigned long long']], 'SessionProcessLinks' : [ 0x1e0, ['_LIST_ENTRY']], 'DebugPort' : [ 0x1f0, ['pointer64', ['void']]], 'ExceptionPortData' : [ 0x1f8, ['pointer64', ['void']]], 'ExceptionPortValue' : [ 0x1f8, ['unsigned long long']], 'ExceptionPortState' : [ 0x1f8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'ObjectTable' : [ 0x200, ['pointer64', ['_HANDLE_TABLE']]], 'Token' : [ 0x208, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0x210, ['unsigned long long']], 'AddressCreationLock' : [ 0x218, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x220, ['pointer64', ['_ETHREAD']]], 'ForkInProgress' : [ 0x228, ['pointer64', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x230, 
['unsigned long long']], 'PhysicalVadRoot' : [ 0x238, ['pointer64', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x240, ['pointer64', ['void']]], 'NumberOfPrivatePages' : [ 0x248, ['unsigned long long']], 'NumberOfLockedPages' : [ 0x250, ['unsigned long long']], 'Win32Process' : [ 0x258, ['pointer64', ['void']]], 'Job' : [ 0x260, ['pointer64', ['_EJOB']]], 'SectionObject' : [ 0x268, ['pointer64', ['void']]], 'SectionBaseAddress' : [ 0x270, ['pointer64', ['void']]], 'Cookie' : [ 0x278, ['unsigned long']], 'UmsScheduledThreads' : [ 0x27c, ['unsigned long']], 'WorkingSetWatch' : [ 0x280, ['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x288, ['pointer64', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x290, ['pointer64', ['void']]], 'LdtInformation' : [ 0x298, ['pointer64', ['void']]], 'Spare' : [ 0x2a0, ['pointer64', ['void']]], 'ConsoleHostProcess' : [ 0x2a8, ['unsigned long long']], 'DeviceMap' : [ 0x2b0, ['pointer64', ['void']]], 'EtwDataSource' : [ 0x2b8, ['pointer64', ['void']]], 'FreeTebHint' : [ 0x2c0, ['pointer64', ['void']]], 'FreeUmsTebHint' : [ 0x2c8, ['pointer64', ['void']]], 'PageDirectoryPte' : [ 0x2d0, ['_HARDWARE_PTE']], 'Filler' : [ 0x2d0, ['unsigned long long']], 'Session' : [ 0x2d8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x2e0, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x2ef, ['unsigned char']], 'JobLinks' : [ 0x2f0, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x300, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x308, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x318, ['pointer64', ['void']]], 'Wow64Process' : [ 0x320, ['pointer64', ['void']]], 'ActiveThreads' : [ 0x328, ['unsigned long']], 'ImagePathHash' : [ 0x32c, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x330, ['unsigned long']], 'LastThreadExitStatus' : [ 0x334, ['long']], 'Peb' : [ 0x338, ['pointer64', ['_PEB']]], 'PrefetchTrace' : [ 0x340, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x348, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x350, 
['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x358, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x360, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x368, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x370, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x378, ['unsigned long long']], 'CommitChargePeak' : [ 0x380, ['unsigned long long']], 'AweInfo' : [ 0x388, ['pointer64', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x390, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x398, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x420, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x430, ['pointer64', ['void']]], 'ModifiedPageCount' : [ 0x438, ['unsigned long']], 'Flags2' : [ 0x43c, ['unsigned long']], 'JobNotReallyActive' : [ 0x43c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x43c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x43c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x43c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x43c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x43c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x43c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x43c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x43c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x43c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x43c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtectedProcess' : [ 0x43c, ['BitField', dict(start_bit = 11, end_bit = 12, 
native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x43c, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x43c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x43c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x43c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x43c, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x43c, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0x43c, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0x43c, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Flags' : [ 0x440, ['unsigned long']], 'CreateReported' : [ 0x440, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x440, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x440, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x440, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x440, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x440, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x440, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x440, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x440, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x440, ['BitField', dict(start_bit = 9, end_bit = 10, 
native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x440, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x440, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x440, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x440, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x440, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x440, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x440, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x440, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x440, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x440, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x440, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x440, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x440, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x440, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x440, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x440, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x440, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x440, ['BitField', dict(start_bit = 30, end_bit = 31, 
native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0x440, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x444, ['long']], 'VadRoot' : [ 0x448, ['_MM_AVL_TABLE']], 'AlpcContext' : [ 0x488, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x4a8, ['_LIST_ENTRY']], 'RequestedTimerResolution' : [ 0x4b8, ['unsigned long']], 'ActiveThreadsHighWatermark' : [ 0x4bc, ['unsigned long']], 'SmallestTimerResolution' : [ 0x4c0, ['unsigned long']], 'TimerResolutionStackRecord' : [ 0x4c8, ['pointer64', ['_PO_DIAG_STACK_RECORD']]], } ], '_KPROCESS' : [ 0x160, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x28, ['unsigned long long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x40, ['unsigned long long']], 'Affinity' : [ 0x48, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0x70, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x80, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x88, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0xb0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0xb0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0xb0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ActiveGroupsMask' : [ 0xb0, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'ReservedFlags' : [ 0xb0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0xb0, ['long']], 'BasePriority' : [ 0xb4, ['unsigned char']], 'QuantumReset' : [ 0xb5, ['unsigned char']], 'Visited' : [ 0xb6, ['unsigned char']], 'Unused3' : [ 0xb7, ['unsigned char']], 'ThreadSeed' : [ 0xb8, ['array', 4, ['unsigned long']]], 'IdealNode' : [ 0xc8, ['array', 4, ['unsigned short']]], 'IdealGlobalNode' : [ 0xd0, ['unsigned short']], 'Flags' : [ 0xd2, ['_KEXECUTE_OPTIONS']], 'Unused1' : [ 0xd3, ['unsigned char']], 'Unused2' : [ 0xd4, 
['unsigned long']], 'Unused4' : [ 0xd8, ['unsigned long']], 'StackCount' : [ 0xdc, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0xe0, ['_LIST_ENTRY']], 'CycleTime' : [ 0xf0, ['unsigned long long']], 'KernelTime' : [ 0xf8, ['unsigned long']], 'UserTime' : [ 0xfc, ['unsigned long']], 'InstrumentationCallback' : [ 0x100, ['pointer64', ['void']]], 'LdtSystemDescriptor' : [ 0x108, ['_KGDTENTRY64']], 'LdtBaseAddress' : [ 0x118, ['pointer64', ['void']]], 'LdtProcessLock' : [ 0x120, ['_KGUARDED_MUTEX']], 'LdtFreeSelectorHint' : [ 0x158, ['unsigned short']], 'LdtTableLength' : [ 0x15a, ['unsigned short']], } ], '__unnamed_12d7' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_12d7']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xd8, { 'PrivilegesUsed' : [ 0x0, ['pointer64', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x18, ['unsigned long']], 'MaximumAuditMask' : [ 0x1c, ['unsigned long']], 'TransactionId' : [ 0x20, ['_GUID']], 'NewSecurityDescriptor' : [ 0x30, ['pointer64', ['void']]], 'ExistingSecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'ParentSecurityDescriptor' : [ 
0x40, ['pointer64', ['void']]], 'DeRefSecurityDescriptor' : [ 0x48, ['pointer64', ['void']]], 'SDLock' : [ 0x50, ['pointer64', ['void']]], 'AccessReasons' : [ 0x58, ['_ACCESS_REASONS']], } ], '__unnamed_12e6' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_12eb' : [ 0x10, { 'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_12ed' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_12eb']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_12f8' : [ 0x50, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_12fa' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_12f8']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, ['__unnamed_12e6']], 'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : [ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : 
[ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_12ed']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 0x78, ['__unnamed_12fa']], } ], '__unnamed_1301' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'FileAttributes' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'EaLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1305' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_1309' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_130b' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_130f' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 
'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_1311' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_1313' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 
'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], } ], '__unnamed_1315' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 
'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0x18, ['unsigned char']], 'AdvanceOnly' : [ 0x19, ['unsigned char']], 'ClusterCount' : [ 0x18, ['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1317' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', ['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 
'EaIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_1319' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_131d' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'})]], } ], '__unnamed_131f' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1321' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1323' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'IoControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1325' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1327' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_132b' : [ 0x10, { 'Vpb' : [ 0x0, ['pointer64', ['_VPB']]], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_132f' : [ 0x8, { 'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1333' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x8, ['pointer64', ['void']]], 'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1337' : [ 0x4, 
{ 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_133d' : [ 0x20, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'Size' : [ 0x8, ['unsigned short']], 'Version' : [ 0xa, ['unsigned short']], 'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1341' : [ 0x8, { 'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1345' : [ 0x8, { 'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1347' : [ 0x20, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['void']]], 'Offset' : [ 0x10, ['unsigned long']], 'Length' : [ 0x18, ['unsigned long']], } ], '__unnamed_1349' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_134d' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_1351' : [ 0x10, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x8, ['unsigned long']], } ], '__unnamed_1355' : [ 0x10, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_1359' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 
'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_135d' : [ 0x8, { 'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]], } ], '__unnamed_1365' : [ 0x20, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x10, ['_POWER_STATE']], 'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_1369' : [ 0x10, { 'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_136b' : [ 0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_136d' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_136f' : [ 0x20, { 'Create' : [ 0x0, ['__unnamed_1301']], 'CreatePipe' : [ 0x0, ['__unnamed_1305']], 'CreateMailslot' : [ 0x0, ['__unnamed_1309']], 'Read' : [ 0x0, ['__unnamed_130b']], 'Write' : [ 0x0, ['__unnamed_130b']], 'QueryDirectory' : [ 0x0, ['__unnamed_130f']], 'NotifyDirectory' : [ 0x0, ['__unnamed_1311']], 'QueryFile' : [ 0x0, ['__unnamed_1313']], 'SetFile' : [ 0x0, ['__unnamed_1315']], 'QueryEa' : [ 0x0, ['__unnamed_1317']], 'SetEa' : [ 0x0, ['__unnamed_1319']], 'QueryVolume' : [ 0x0, ['__unnamed_131d']], 'SetVolume' : [ 0x0, 
['__unnamed_131d']], 'FileSystemControl' : [ 0x0, ['__unnamed_131f']], 'LockControl' : [ 0x0, ['__unnamed_1321']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1323']], 'QuerySecurity' : [ 0x0, ['__unnamed_1325']], 'SetSecurity' : [ 0x0, ['__unnamed_1327']], 'MountVolume' : [ 0x0, ['__unnamed_132b']], 'VerifyVolume' : [ 0x0, ['__unnamed_132b']], 'Scsi' : [ 0x0, ['__unnamed_132f']], 'QueryQuota' : [ 0x0, ['__unnamed_1333']], 'SetQuota' : [ 0x0, ['__unnamed_1319']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1337']], 'QueryInterface' : [ 0x0, ['__unnamed_133d']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_1341']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1345']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1347']], 'SetLock' : [ 0x0, ['__unnamed_1349']], 'QueryId' : [ 0x0, ['__unnamed_134d']], 'QueryDeviceText' : [ 0x0, ['__unnamed_1351']], 'UsageNotification' : [ 0x0, ['__unnamed_1355']], 'WaitWake' : [ 0x0, ['__unnamed_1359']], 'PowerSequence' : [ 0x0, ['__unnamed_135d']], 'Power' : [ 0x0, ['__unnamed_1365']], 'StartDevice' : [ 0x0, ['__unnamed_1369']], 'WMI' : [ 0x0, ['__unnamed_136b']], 'Others' : [ 0x0, ['__unnamed_136d']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_136f']], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } ], '__unnamed_1385' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : 
[ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_1385']], 'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '_KDPC' : [ 0x40, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x8, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', ['void']]], 'DpcData' : [ 0x38, ['pointer64', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x20, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x8, ['pointer64', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x10, ['pointer64', ['void']]], 'TxnParameters' : [ 0x18, ['pointer64', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 
'MaxIoPriorityTypes'})]], } ], '_OBJECT_ATTRIBUTES' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'Attributes' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0xd8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' : [ 0x18, ['pointer64', ['void']]], 'FsContext2' : [ 0x20, ['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 
0x58, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0xb8, ['unsigned long long']], 'IrpList' : [ 0xc0, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0xd0, ['pointer64', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x48, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0xc, ['unsigned long']], 'CurrentFileIndex' : [ 0xc, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], 'FirstFileEntry' : [ 0x30, ['pointer64', ['unsigned long long']]], 'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]], 'SessionId' : [ 0x40, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer64', ['unsigned long long']]], 'LastPageFrameEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 
'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices 
= {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer64', ['_ERESOURCE']]], 'PagingIoResource' : [ 0x10, ['pointer64', ['_ERESOURCE']]], 'AllocationSize' : [ 0x18, ['_LARGE_INTEGER']], 'FileSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x30, ['pointer64', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x38, ['_LIST_ENTRY']], 'PushLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x50, ['pointer64', ['pointer64', ['void']]]], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '__unnamed_14ed' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, 
['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_14ed']], } ], '__unnamed_14fe' : [ 0x10, { 'I386' : [ 0x0, ['_I386_LOADER_BLOCK']], 'Ia64' : [ 0x0, ['_IA64_LOADER_BLOCK']], } ], '_LOADER_PARAMETER_BLOCK' : [ 0xf0, { 'OsMajorVersion' : [ 0x0, ['unsigned long']], 'OsMinorVersion' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'LoadOrderListHead' : [ 0x10, ['_LIST_ENTRY']], 'MemoryDescriptorListHead' : [ 0x20, ['_LIST_ENTRY']], 'BootDriverListHead' : [ 0x30, ['_LIST_ENTRY']], 'KernelStack' : [ 0x40, ['unsigned long long']], 'Prcb' : [ 0x48, ['unsigned long long']], 'Process' : [ 0x50, ['unsigned long long']], 'Thread' : [ 0x58, ['unsigned long long']], 'RegistryLength' : [ 0x60, ['unsigned long']], 'RegistryBase' : [ 0x68, ['pointer64', ['void']]], 'ConfigurationRoot' : [ 0x70, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'ArcBootDeviceName' : [ 0x78, ['pointer64', ['unsigned char']]], 'ArcHalDeviceName' : [ 0x80, ['pointer64', ['unsigned char']]], 'NtBootPathName' : [ 0x88, ['pointer64', ['unsigned char']]], 'NtHalPathName' : [ 0x90, ['pointer64', ['unsigned char']]], 'LoadOptions' : [ 0x98, ['pointer64', ['unsigned char']]], 'NlsData' : [ 0xa0, ['pointer64', ['_NLS_DATA_BLOCK']]], 'ArcDiskInformation' : [ 0xa8, ['pointer64', ['_ARC_DISK_INFORMATION']]], 'OemFontFile' : [ 0xb0, ['pointer64', ['void']]], 'Extension' : [ 0xb8, ['pointer64', ['_LOADER_PARAMETER_EXTENSION']]], 'u' : [ 0xc0, ['__unnamed_14fe']], 'FirmwareInformation' : [ 0xd0, ['_FIRMWARE_INFORMATION_LOADER_BLOCK']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x28, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 
'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], 'Lock' : [ 0x20, ['unsigned long long']], } ], '__unnamed_152d' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer64', ['void']]], 'VolatileNext' : [ 0x0, ['pointer64', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_152f' : [ 0x8, { 'Blink' : [ 0x0, ['unsigned long long']], 'ImageProtoPte' : [ 0x0, ['pointer64', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1532' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_1534' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_1532']], } ], '__unnamed_153c' : [ 0x8, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 52, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 57, native_type='unsigned long long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 64, native_type='unsigned long long')]], } ], '_MMPFN' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_152d']], 'u2' : [ 0x8, ['__unnamed_152f']], 'PteAddress' : [ 0x10, ['pointer64', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x10, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['long']], 'PteLong' : [ 0x10, 
['unsigned long long']], 'u3' : [ 0x18, ['__unnamed_1534']], 'UsedPageTableEntries' : [ 0x1c, ['unsigned short']], 'VaType' : [ 0x1e, ['unsigned char']], 'ViewCount' : [ 0x1f, ['unsigned char']], 'OriginalPte' : [ 0x20, ['_MMPTE']], 'AweReferenceCount' : [ 0x20, ['long']], 'u4' : [ 0x28, ['__unnamed_153c']], } ], '_MI_COLOR_BASE' : [ 0x10, { 'ColorPointer' : [ 0x0, ['pointer64', ['unsigned short']]], 'ColorMask' : [ 0x8, ['unsigned short']], 'ColorNode' : [ 0xa, ['unsigned short']], } ], '_MMSUPPORT' : [ 0x88, { 'WorkingSetMutex' : [ 0x0, ['_EX_PUSH_LOCK']], 'ExitGate' : [ 0x8, ['pointer64', ['_KGATE']]], 'AccessLog' : [ 0x10, ['pointer64', ['void']]], 'WorkingSetExpansionLinks' : [ 0x18, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x28, ['array', 7, ['unsigned long']]], 'MinimumWorkingSetSize' : [ 0x44, ['unsigned long']], 'WorkingSetSize' : [ 0x48, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x4c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x50, ['unsigned long']], 'ChargedWslePages' : [ 0x54, ['unsigned long']], 'ActualWslePages' : [ 0x58, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x5c, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x60, ['unsigned long']], 'HardFaultCount' : [ 0x64, ['unsigned long']], 'VmWorkingSetList' : [ 0x68, ['pointer64', ['_MMWSL']]], 'NextPageColor' : [ 0x70, ['unsigned short']], 'LastTrimStamp' : [ 0x72, ['unsigned short']], 'PageFaultCount' : [ 0x74, ['unsigned long']], 'RepurposeCount' : [ 0x78, ['unsigned long']], 'Spare' : [ 0x7c, ['array', 2, ['unsigned long']]], 'Flags' : [ 0x84, ['_MMSUPPORT_FLAGS']], } ], '_MMWSL' : [ 0x488, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer64', ['_MMWSLE']]], 'LowestPagableAddress' : [ 0x18, ['pointer64', ['void']]], 'LastInitializedWsle' : [ 0x20, ['unsigned long']], 'NextAgingSlot' : [ 0x24, ['unsigned long']], 
'NumberOfCommittedPageTables' : [ 0x28, ['unsigned long']], 'VadBitMapHint' : [ 0x2c, ['unsigned long']], 'NonDirectCount' : [ 0x30, ['unsigned long']], 'LastVadBit' : [ 0x34, ['unsigned long']], 'MaximumLastVadBit' : [ 0x38, ['unsigned long']], 'LastAllocationSizeHint' : [ 0x3c, ['unsigned long']], 'LastAllocationSize' : [ 0x40, ['unsigned long']], 'NonDirectHash' : [ 0x48, ['pointer64', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x50, ['pointer64', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x58, ['pointer64', ['_MMWSLE_HASH']]], 'MaximumUserPageTablePages' : [ 0x60, ['unsigned long']], 'MaximumUserPageDirectoryPages' : [ 0x64, ['unsigned long']], 'CommittedPageTables' : [ 0x68, ['pointer64', ['unsigned long']]], 'NumberOfCommittedPageDirectories' : [ 0x70, ['unsigned long']], 'CommittedPageDirectories' : [ 0x78, ['array', 128, ['unsigned long long']]], 'NumberOfCommittedPageDirectoryParents' : [ 0x478, ['unsigned long']], 'CommittedPageDirectoryParents' : [ 0x480, ['array', 1, ['unsigned long long']]], } ], '__unnamed_156a' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_156a']], } ], '__unnamed_1579' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1583' : [ 0x10, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 30, native_type='unsigned long')]], 'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, 
native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer64', ['_MM_SUBSECTION_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer64', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1585' : [ 0x10, { 'e2' : [ 0x0, ['__unnamed_1583']], } ], '_CONTROL_AREA' : [ 0x80, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x20, ['unsigned long long']], 'NumberOfMappedViews' : [ 0x28, ['unsigned long long']], 'NumberOfUserReferences' : [ 0x30, ['unsigned long long']], 'u' : [ 0x38, ['__unnamed_1579']], 'FlushInProgressCount' : [ 0x3c, ['unsigned long']], 'FilePointer' : [ 0x40, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x48, ['long']], 'ModifiedWriteCount' : [ 0x4c, ['unsigned long']], 'StartingFrame' : [ 0x4c, ['unsigned long']], 'WaitingForDeletion' : [ 0x50, ['pointer64', ['_MI_SECTION_CREATION_GATE']]], 'u2' : [ 0x58, ['__unnamed_1585']], 'LockedPages' : [ 0x68, ['long long']], 'ViewList' : [ 0x70, ['_LIST_ENTRY']], } ], '_MM_STORE_KEY' : [ 0x8, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 60, native_type='unsigned long long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 64, native_type='unsigned long long')]], 'EntireKey' : [ 0x0, ['unsigned long long']], } ], '_MMPAGING_FILE' : [ 0x90, { 'Size' : [ 0x0, ['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long long']], 'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'PeakUsage' : [ 0x20, ['unsigned long long']], 'HighestPage' : [ 0x28, ['unsigned long long']], 'File' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'Entry' : [ 0x38, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x48, ['_UNICODE_STRING']], 'Bitmap' : [ 0x58, ['pointer64', ['_RTL_BITMAP']]], 'EvictStoreBitmap' : [ 0x60, ['pointer64', ['_RTL_BITMAP']]], 'BitmapHint' : [ 0x68, ['unsigned 
long']], 'LastAllocationSize' : [ 0x6c, ['unsigned long']], 'ToBeEvictedCount' : [ 0x70, ['unsigned long']], 'PageFileNumber' : [ 0x74, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x74, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Spare0' : [ 0x74, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x76, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare1' : [ 0x76, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'FileHandle' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['unsigned long long']], 'LockOwner' : [ 0x88, ['pointer64', ['_ETHREAD']]], } ], '_MM_AVL_TABLE' : [ 0x40, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], 'NodeFreeHint' : [ 0x38, ['pointer64', ['void']]], } ], '__unnamed_15be' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMVAD']]], } ], '__unnamed_15c1' : [ 0x8, { 'LongFlags' : [ 0x0, ['unsigned long long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_15c4' : [ 0x8, { 'LongFlags3' : [ 0x0, ['unsigned long long']], 'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']], } ], '_MMVAD_SHORT' : [ 0x40, { 'u1' : [ 0x0, ['__unnamed_15be']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_15c1']], 'PushLock' : [ 
0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_15c4']], } ], '__unnamed_15cc' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_15cc']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], } ], '__unnamed_15d1' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x78, { 'u1' : [ 0x0, ['__unnamed_15be']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_15c1']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_15c4']], 'u2' : [ 0x40, ['__unnamed_15d1']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x48, ['pointer64', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ViewLinks' : [ 0x60, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x70, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_15dc' : [ 0x38, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x30, ['array', 1, ['unsigned long long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x68, { 'Status' : [ 0x0, ['long']], 'Priority' : [ 0x4, ['unsigned char']], 'IrpPriority' : [ 0x5, ['unsigned char']], 'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x10, ['unsigned long long']], 'ModifiedPagesTotal' : [ 0x18, ['unsigned long long']], 'ModifiedPagefilePages' : [ 0x20, ['unsigned long long']], 'ModifiedNoWritePages' : [ 0x28, ['unsigned long long']], 'MdlHack' : [ 0x30, ['__unnamed_15dc']], } ], '__unnamed_15e2' : [ 0x10, { 'IoStatus' 
: [ 0x0, ['_IO_STATUS_BLOCK']], } ], '__unnamed_15e4' : [ 0x8, { 'KeepForever' : [ 0x0, ['unsigned long long']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x10, ['__unnamed_15e2']], 'Irp' : [ 0x20, ['pointer64', ['_IRP']]], 'u1' : [ 0x28, ['__unnamed_15e4']], 'PagingFile' : [ 0x30, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x38, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x40, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0x48, ['pointer64', ['_ERESOURCE']]], 'WriteOffset' : [ 0x50, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x58, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x60, ['pointer64', ['_MDL']]], 'Mdl' : [ 0x68, ['_MDL']], 'Page' : [ 0x98, ['array', 1, ['unsigned long long']]], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], '_HHIVE' : [ 0x598, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'ReleaseCellRoutine' : [ 0x10, ['pointer64', ['void']]], 'Allocate' : [ 0x18, ['pointer64', ['void']]], 'Free' : [ 0x20, ['pointer64', ['void']]], 'FileSetSize' : [ 0x28, ['pointer64', ['void']]], 'FileWrite' : [ 0x30, ['pointer64', ['void']]], 'FileRead' : [ 0x38, ['pointer64', ['void']]], 'FileFlush' : [ 0x40, ['pointer64', ['void']]], 'HiveLoadFailure' : [ 0x48, ['pointer64', ['void']]], 'BaseBlock' : [ 0x50, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x58, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x68, ['unsigned long']], 'DirtyAlloc' : [ 0x6c, ['unsigned long']], 'BaseBlockAlloc' : [ 0x70, ['unsigned long']], 'Cluster' : [ 0x74, ['unsigned long']], 'Flat' : [ 0x78, ['unsigned char']], 'ReadOnly' : [ 0x79, ['unsigned char']], 'DirtyFlag' : [ 0x7a, 
['unsigned char']], 'HvBinHeadersUse' : [ 0x7c, ['unsigned long']], 'HvFreeCellsUse' : [ 0x80, ['unsigned long']], 'HvUsedCellsUse' : [ 0x84, ['unsigned long']], 'CmUsedCellsUse' : [ 0x88, ['unsigned long']], 'HiveFlags' : [ 0x8c, ['unsigned long']], 'CurrentLog' : [ 0x90, ['unsigned long']], 'LogSize' : [ 0x94, ['array', 2, ['unsigned long']]], 'RefreshCount' : [ 0x9c, ['unsigned long']], 'StorageTypeCount' : [ 0xa0, ['unsigned long']], 'Version' : [ 0xa4, ['unsigned long']], 'Storage' : [ 0xa8, ['array', 2, ['_DUAL']]], } ], '_CM_VIEW_OF_FILE' : [ 0x58, { 'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'PinnedViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'FlushedViewLinks' : [ 0x20, ['_LIST_ENTRY']], 'CmHive' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'Bcb' : [ 0x38, ['pointer64', ['void']]], 'ViewAddress' : [ 0x40, ['pointer64', ['void']]], 'FileOffset' : [ 0x48, ['unsigned long']], 'Size' : [ 0x4c, ['unsigned long']], 'UseCount' : [ 0x50, ['unsigned long']], } ], '_CMHIVE' : [ 0xbe0, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x598, ['array', 6, ['pointer64', ['void']]]], 'NotifyList' : [ 0x5c8, ['_LIST_ENTRY']], 'HiveList' : [ 0x5d8, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0x5e8, ['_LIST_ENTRY']], 'HiveRundown' : [ 0x5f8, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0x600, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0x610, ['pointer64', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0x618, ['unsigned long']], 'Identity' : [ 0x61c, ['unsigned long']], 'HiveLock' : [ 0x620, ['pointer64', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x628, ['_EX_PUSH_LOCK']], 'ViewLockOwner' : [ 0x630, ['pointer64', ['_KTHREAD']]], 'ViewLockLast' : [ 0x638, ['unsigned long']], 'ViewUnLockLast' : [ 0x63c, ['unsigned long']], 'WriterLock' : [ 0x640, ['pointer64', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x648, ['pointer64', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0x650, ['_RTL_BITMAP']], 'FlushOffsetArray' : [ 0x660, ['pointer64', ['CMP_OFFSET_ARRAY']]], 'FlushOffsetArrayCount' : [ 0x668, 
['unsigned long']], 'FlushHiveTruncated' : [ 0x66c, ['unsigned long']], 'FlushLock2' : [ 0x670, ['pointer64', ['_FAST_MUTEX']]], 'SecurityLock' : [ 0x678, ['_EX_PUSH_LOCK']], 'MappedViewList' : [ 0x680, ['_LIST_ENTRY']], 'PinnedViewList' : [ 0x690, ['_LIST_ENTRY']], 'FlushedViewList' : [ 0x6a0, ['_LIST_ENTRY']], 'MappedViewCount' : [ 0x6b0, ['unsigned short']], 'PinnedViewCount' : [ 0x6b2, ['unsigned short']], 'UseCount' : [ 0x6b4, ['unsigned long']], 'ViewsPerHive' : [ 0x6b8, ['unsigned long']], 'FileObject' : [ 0x6c0, ['pointer64', ['_FILE_OBJECT']]], 'LastShrinkHiveSize' : [ 0x6c8, ['unsigned long']], 'ActualFileSize' : [ 0x6d0, ['_LARGE_INTEGER']], 'FileFullPath' : [ 0x6d8, ['_UNICODE_STRING']], 'FileUserName' : [ 0x6e8, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x6f8, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x708, ['unsigned long']], 'SecurityCacheSize' : [ 0x70c, ['unsigned long']], 'SecurityHitHint' : [ 0x710, ['long']], 'SecurityCache' : [ 0x718, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x720, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0xb20, ['unsigned long']], 'UnloadEventArray' : [ 0xb28, ['pointer64', ['pointer64', ['_KEVENT']]]], 'RootKcb' : [ 0xb30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0xb38, ['unsigned char']], 'UnloadWorkItem' : [ 0xb40, ['pointer64', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0xb48, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0xb70, ['unsigned char']], 'GrowOffset' : [ 0xb74, ['unsigned long']], 'KcbConvertListHead' : [ 0xb78, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0xb88, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xb98, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0xba0, ['unsigned long']], 'TrustClassEntry' : [ 0xba8, ['_LIST_ENTRY']], 'FlushCount' : [ 0xbb8, ['unsigned long']], 'CmRm' : [ 0xbc0, ['pointer64', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0xbc8, ['unsigned long']], 'CmRmInitFailStatus' : [ 0xbcc, ['long']], 'CreatorOwner' : [ 0xbd0, ['pointer64', 
['_KTHREAD']]], 'RundownThread' : [ 0xbd8, ['pointer64', ['_KTHREAD']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x128, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'DelayedDeref' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DelayedClose' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Parking' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyHash' : [ 0x10, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x10, ['unsigned long']], 'NextHash' : [ 0x18, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x20, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x28, ['unsigned long']], 'KcbPushlock' : [ 0x30, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x38, ['pointer64', ['_KTHREAD']]], 'SharedCount' : [ 0x38, ['long']], 'SlotHint' : [ 0x40, ['unsigned long']], 'ParentKcb' : [ 0x48, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x50, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x58, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x60, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x70, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x70, ['unsigned long']], 'SubKeyCount' : [ 0x70, ['unsigned long']], 'KeyBodyListHead' : [ 0x78, 
['_LIST_ENTRY']], 'FreeListEntry' : [ 0x78, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x88, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0xa8, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0xb0, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0xb2, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0xb4, ['unsigned long']], 'KcbUserFlags' : [ 0xb8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0xb8, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0xb8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0xb8, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'RealKeyName' : [ 0xc0, ['pointer64', ['unsigned char']]], 'KCBUoWListHead' : [ 0xc8, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Stolen' : [ 0xd8, ['pointer64', ['unsigned char']]], 'TransKCBOwner' : [ 0xe8, ['pointer64', ['_CM_TRANS']]], 'KCBLock' : [ 0xf0, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x100, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x110, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x118, ['pointer64', ['_CM_TRANS']]], 'FullKCBName' : [ 0x120, ['pointer64', ['_UNICODE_STRING']]], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Entry' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], } ], '__unnamed_1668' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapAndCopy', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpReadFileImageAndBuildMap', 8: '_HvpRecoverData', 9: '_HvpRecoverWholeHive', 10: '_HvpMapFileImageAndBuildMap', 11: '_CmpValidateHiveSecurityDescriptors', 12: '_HvpEnlistBinInMap', 13: '_CmCheckRegistry', 14: '_CmRegistryIO', 15: '_CmCheckRegistry2', 16: '_CmpCheckKey', 17: '_CmpCheckValueList', 18: 
'_HvCheckHive', 19: '_HvCheckBin'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_166b' : [ 0x18, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x8, ['pointer64', ['void']]], 'Status' : [ 0x10, ['long']], } ], '__unnamed_166d' : [ 0x8, { 'CheckStack' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_166f' : [ 0x20, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x8, ['pointer64', ['_CELL_DATA']]], 'RootPoint' : [ 0x10, ['pointer64', ['void']]], 'Index' : [ 0x18, ['unsigned long']], } ], '__unnamed_1671' : [ 0x18, { 'List' : [ 0x0, ['pointer64', ['_CELL_DATA']]], 'Index' : [ 0x8, ['unsigned long']], 'Cell' : [ 0xc, ['unsigned long']], 'CellPoint' : [ 0x10, ['pointer64', ['_CELL_DATA']]], } ], '__unnamed_1675' : [ 0x10, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer64', ['_HBIN']]], } ], '__unnamed_1679' : [ 0x10, { 'Bin' : [ 0x0, ['pointer64', ['_HBIN']]], 'CellPoint' : [ 0x8, ['pointer64', ['_HCELL']]], } ], '__unnamed_167b' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x160, { 'Hive' : [ 0x0, ['pointer64', ['_HHIVE']]], 'Index' : [ 0x8, ['unsigned long']], 'RecoverableIndex' : [ 0xc, ['unsigned long']], 'Locations' : [ 0x10, ['array', 8, ['__unnamed_1668']]], 'RecoverableLocations' : [ 0x70, ['array', 8, ['__unnamed_1668']]], 'RegistryIO' : [ 0xd0, ['__unnamed_166b']], 'CheckRegistry2' : [ 0xe8, ['__unnamed_166d']], 'CheckKey' : [ 0xf0, ['__unnamed_166f']], 'CheckValueList' : [ 0x110, ['__unnamed_1671']], 'CheckHive' : [ 0x128, ['__unnamed_1675']], 'CheckHive1' : [ 0x138, ['__unnamed_1675']], 'CheckBin' : [ 0x148, ['__unnamed_1679']], 'RecoverData' : [ 0x158, ['__unnamed_167b']], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 
0x30, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x10, ['unsigned long']], 'Counters' : [ 0x18, ['pointer64', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'CallbackContext' : [ 0x28, ['pointer64', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0x80, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'DpcCount' : [ 0x38, ['unsigned long']], 'DpcRate' : [ 0x3c, ['unsigned long']], 'C1Time' : [ 0x40, ['unsigned long long']], 'C2Time' : [ 0x48, ['unsigned long long']], 'C3Time' : [ 0x50, ['unsigned long long']], 'C1Transitions' : [ 0x58, ['unsigned long long']], 'C2Transitions' : [ 0x60, ['unsigned long long']], 'C3Transitions' : [ 0x68, ['unsigned long long']], 'ParkingStatus' : [ 0x70, ['unsigned long']], 'CurrentFrequency' : [ 0x74, ['unsigned long']], 'PercentMaxFrequency' : [ 0x78, ['unsigned long']], 'StateFlags' : [ 0x7c, ['unsigned long']], } ], '_PCW_DATA' : [ 0x10, { 'Data' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_CONTEXT32_UPDATE' : [ 0x4, { 'NumberEntries' : [ 0x0, ['unsigned long']], } ], 
'_KTIMER_TABLE' : [ 0x2200, { 'TimerExpiry' : [ 0x0, ['array', 64, ['pointer64', ['_KTIMER']]]], 'TimerEntries' : [ 0x200, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x20, { 'Lock' : [ 0x0, ['unsigned long long']], 'Entry' : [ 0x8, ['_LIST_ENTRY']], 'Time' : [ 0x18, ['_ULARGE_INTEGER']], } ], '_KAFFINITY_EX' : [ 0x28, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 4, ['unsigned long long']]], } ], '_KAFFINITY_ENUMERATION_CONTEXT' : [ 0x18, { 'Affinity' : [ 0x0, ['pointer64', ['_KAFFINITY_EX']]], 'CurrentMask' : [ 0x8, ['unsigned long long']], 'CurrentIndex' : [ 0x10, ['unsigned short']], } ], '_GROUP_AFFINITY' : [ 0x10, { 'Mask' : [ 0x0, ['unsigned long long']], 'Group' : [ 0x8, ['unsigned short']], 'Reserved' : [ 0xa, ['array', 3, ['unsigned short']]], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, 
['unsigned long long']], 'TimeStampCKCL' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 0x118, ['unsigned long long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'LastBranchControl' : [ 0x108, ['unsigned long long']], 'LastBranchMSR' : [ 0x110, ['unsigned long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'TimeStampKlog' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill0' : [ 0x172, ['unsigned char']], 'Logging' : [ 0x173, ['unsigned char']], 'Fill1' : [ 0x174, ['array', 2, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['unsigned short']], 'CodePatchCycle' : [ 0x18c, ['long']], } ], '_XSTATE_SAVE' : [ 0x38, { 'Prev' : [ 0x0, ['pointer64', ['_XSTATE_SAVE']]], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Level' : [ 0x10, ['unsigned char']], 'XStateContext' : [ 0x18, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, 
['_XSAVE_AREA_HEADER']], } ], '_KEXCEPTION_FRAME' : [ 0x140, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['unsigned long long']], 'Xmm6' : [ 0x30, ['_M128A']], 'Xmm7' : [ 0x40, ['_M128A']], 'Xmm8' : [ 0x50, ['_M128A']], 'Xmm9' : [ 0x60, ['_M128A']], 'Xmm10' : [ 0x70, ['_M128A']], 'Xmm11' : [ 0x80, ['_M128A']], 'Xmm12' : [ 0x90, ['_M128A']], 'Xmm13' : [ 0xa0, ['_M128A']], 'Xmm14' : [ 0xb0, ['_M128A']], 'Xmm15' : [ 0xc0, ['_M128A']], 'TrapFrame' : [ 0xd0, ['unsigned long long']], 'CallbackStack' : [ 0xd8, ['unsigned long long']], 'OutputBuffer' : [ 0xe0, ['unsigned long long']], 'OutputLength' : [ 0xe8, ['unsigned long long']], 'MxCsr' : [ 0xf0, ['unsigned long long']], 'Rbp' : [ 0xf8, ['unsigned long long']], 'Rbx' : [ 0x100, ['unsigned long long']], 'Rdi' : [ 0x108, ['unsigned long long']], 'Rsi' : [ 0x110, ['unsigned long long']], 'R12' : [ 0x118, ['unsigned long long']], 'R13' : [ 0x120, ['unsigned long long']], 'R14' : [ 0x128, ['unsigned long long']], 'R15' : [ 0x130, ['unsigned long long']], 'Return' : [ 0x138, ['unsigned long long']], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x50, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x10, ['unsigned long']], 'CompletedList' : [ 0x18, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x28, ['_KSEMAPHORE']], 'SpinLock' : [ 0x48, ['unsigned long long']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', 
['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], 'DependentList' : [ 0x50, ['_LIST_ENTRY']], 'ProviderList' : [ 0x60, ['_LIST_ENTRY']], } ], '__unnamed_1761' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1763' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_1767' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x268, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x28, ['_UNICODE_STRING']], 'ServiceName' : [ 0x38, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'Level' : [ 0x50, ['unsigned long']], 'Notify' : [ 0x58, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0xc0, ['_PO_IRP_MANAGER']], 'State' : [ 0xe0, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 
'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0xe4, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0xe8, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x138, ['unsigned long']], 
'CompletionStatus' : [ 0x13c, ['long']], 'Flags' : [ 0x140, ['unsigned long']], 'UserFlags' : [ 0x144, ['unsigned long']], 'Problem' : [ 0x148, ['unsigned long']], 'ResourceList' : [ 0x150, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x158, ['pointer64', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0x160, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x168, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x170, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x174, ['unsigned long']], 'ChildInterfaceType' : [ 0x178, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x17c, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x180, ['unsigned short']], 'RemovalPolicy' : [ 0x182, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x183, ['unsigned char']], 'TargetDeviceNotify' : [ 0x188, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x198, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x1a8, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x1b8, ['unsigned short']], 'QueryTranslatorMask' : [ 0x1ba, ['unsigned short']], 'NoArbiterMask' : [ 0x1bc, ['unsigned short']], 'QueryArbiterMask' : [ 0x1be, ['unsigned short']], 'OverUsed1' : [ 0x1c0, ['__unnamed_1761']], 'OverUsed2' : [ 0x1c8, ['__unnamed_1763']], 'BootResources' : [ 0x1d0, ['pointer64', 
['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x1d8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x1e0, ['unsigned long']], 'DockInfo' : [ 0x1e8, ['__unnamed_1767']], 'DisableableDepends' : [ 0x208, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x210, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x220, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x230, ['unsigned long']], 'PreviousParent' : [ 0x238, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x240, ['unsigned long']], 'NumaNodeIndex' : [ 0x244, ['unsigned long']], 'ContainerID' : [ 0x248, ['_GUID']], 'OverrideFlags' : [ 0x258, ['unsigned char']], 'RequiresUnloadedDriver' : [ 0x259, ['unsigned char']], 'PendingEjectRelations' : [ 0x260, ['pointer64', ['_PENDING_RELATIONS_LIST_ENTRY']]], } ], '_KNODE' : [ 0xc0, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x10, ['array', 3, ['_SLIST_HEADER']]], 'Affinity' : [ 0x40, ['_GROUP_AFFINITY']], 'ProximityId' : [ 0x50, ['unsigned long']], 'NodeNumber' : [ 0x54, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x56, ['unsigned short']], 'MaximumProcessors' : [ 0x58, ['unsigned char']], 'Color' : [ 0x59, ['unsigned char']], 'Flags' : [ 0x5a, ['_flags']], 'NodePad0' : [ 0x5b, ['unsigned char']], 'Seed' : [ 0x5c, ['unsigned long']], 'MmShiftedColor' : [ 0x60, ['unsigned long']], 'FreeCount' : [ 0x68, ['array', 2, ['unsigned long long']]], 'Right' : [ 0x78, ['unsigned long']], 'Left' : [ 0x7c, ['unsigned long']], 'CachedKernelStacks' : [ 0x80, ['_CACHED_KSTACK_LIST']], 'ParkLock' : [ 0xa0, ['long']], 'NodePad1' : [ 0xa4, ['unsigned long']], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0x10, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x40, { 'PhysicalDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'AllocationType' 
: [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0x10, ['unsigned long']], 'Position' : [ 0x14, ['unsigned long']], 'ResourceRequirements' : [ 0x18, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x20, ['pointer64', ['void']]], 'ResourceAssignment' : [ 0x28, ['pointer64', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x30, ['pointer64', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x38, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 
'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 
0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 
'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_180f' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_180f']], } ], '__unnamed_1816' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, 
['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_1816']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : 
[ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_VOLUME_CACHE_MAP' : [ 0x38, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x20, ['unsigned long']], 'DirtyPages' : [ 0x28, ['unsigned long long']], 'PagesQueuedToDisk' : [ 0x30, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x1f0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObjectFastRef' : [ 0x60, ['_EX_FAST_REF']], 'VacbLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x70, ['unsigned long']], 'LoggedStreamLinks' : [ 0x78, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x88, ['_LIST_ENTRY']], 'Flags' : [ 0x98, ['unsigned long']], 'Status' : [ 0x9c, ['long']], 'Mbcb' : [ 0xa0, ['pointer64', ['_MBCB']]], 'Section' : [ 0xa8, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb0, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc0, ['unsigned long']], 'BeyondLastFlush' : [ 0xc8, ['long long']], 'Callbacks' : [ 0xd0, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xd8, ['pointer64', ['void']]], 'PrivateList' : [ 0xe0, ['_LIST_ENTRY']], 'LogHandle' : [ 0xf0, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0xf8, ['pointer64', ['void']]], 
'DirtyPageThreshold' : [ 0x100, ['unsigned long']], 'LazyWritePassCount' : [ 0x104, ['unsigned long']], 'UninitializeEvent' : [ 0x108, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0x110, ['_KGUARDED_MUTEX']], 'LastUnmapBehindOffset' : [ 0x148, ['_LARGE_INTEGER']], 'Event' : [ 0x150, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0x168, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0x170, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x1d8, ['pointer64', ['void']]], 'VolumeCacheMap' : [ 0x1e0, ['pointer64', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x1e8, ['unsigned long']], 'WritesInProgress' : [ 0x1ec, ['unsigned long']], } ], '__unnamed_1888' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x30, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_1888']], 'Links' : [ 0x18, ['_LIST_ENTRY']], 'ArrayHead' : [ 0x28, ['pointer64', ['_VACB_ARRAY_HEADER']]], } ], '_KGUARDED_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KGATE']], 'KernelApcDisable' : [ 0x30, ['short']], 'SpecialApcDisable' : [ 0x32, ['short']], 'CombinedApcDisable' : [ 0x30, ['unsigned long']], } ], '__unnamed_18a6' : [ 0x8, { 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_18a8' : [ 0x8, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_18aa' : [ 0x8, { 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], } ], '__unnamed_18ac' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_18ae' : [ 0x8, { 'Read' : [ 0x0, ['__unnamed_18a6']], 'Write' : [ 0x0, ['__unnamed_18a8']], 'Event' : [ 0x0, ['__unnamed_18aa']], 'Notification' : [ 0x0, ['__unnamed_18ac']], } ], '_WORK_QUEUE_ENTRY' : [ 0x20, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 
0x10, ['__unnamed_18ae']], 'Function' : [ 0x18, ['unsigned char']], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x20, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x10, ['pointer64', ['void']]], 'VacbLevelsAllocated' : [ 0x18, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x38, { 'ExtendedLookup' : [ 0x0, ['pointer64', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x8, ['unsigned long']], 'ExtraItem' : [ 0xc, ['unsigned long']], 'ItemCount' : [ 0x10, ['unsigned long']], 'OutOfRangeItems' : [ 0x14, ['unsigned long']], 'BaseIndex' : [ 0x18, ['unsigned long']], 'ListHead' : [ 0x20, ['pointer64', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x28, ['pointer64', ['unsigned long']]], 'ListHints' : [ 0x30, ['pointer64', ['pointer64', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x208, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], 'Flags' : [ 0x70, ['unsigned long']], 'ForceFlags' : [ 0x74, ['unsigned long']], 'CompatibilityFlags' : [ 0x78, ['unsigned long']], 'EncodeFlagMask' : [ 0x7c, ['unsigned long']], 'Encoding' : [ 0x80, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x90, 
['unsigned long long']], 'Interceptor' : [ 0x98, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x9c, ['unsigned long']], 'Signature' : [ 0xa0, ['unsigned long']], 'SegmentReserve' : [ 0xa8, ['unsigned long long']], 'SegmentCommit' : [ 0xb0, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0xb8, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0xc0, ['unsigned long long']], 'TotalFreeSize' : [ 0xc8, ['unsigned long long']], 'MaximumAllocationSize' : [ 0xd0, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0xd8, ['unsigned short']], 'HeaderValidateLength' : [ 0xda, ['unsigned short']], 'HeaderValidateCopy' : [ 0xe0, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0xe8, ['unsigned short']], 'MaximumTagIndex' : [ 0xea, ['unsigned short']], 'TagEntries' : [ 0xf0, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0xf8, ['_LIST_ENTRY']], 'AlignRound' : [ 0x108, ['unsigned long long']], 'AlignMask' : [ 0x110, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x118, ['_LIST_ENTRY']], 'SegmentList' : [ 0x128, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0x138, ['unsigned short']], 'NonDedicatedListLength' : [ 0x13c, ['unsigned long']], 'BlocksIndex' : [ 0x140, ['pointer64', ['void']]], 'UCRIndex' : [ 0x148, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x150, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x158, ['_LIST_ENTRY']], 'LockVariable' : [ 0x168, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x170, ['pointer64', ['void']]], 'FrontEndHeap' : [ 0x178, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0x180, ['unsigned short']], 'FrontEndHeapType' : [ 0x182, ['unsigned char']], 'Counters' : [ 0x188, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x1f8, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_18ff' : [ 0x28, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ], '_HEAP_LOCK' : [ 0x28, { 'Lock' : [ 0x0, ['__unnamed_18ff']], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', 
['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : [ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '_HEAP_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x70, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, 
['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '_PEB' : [ 0x380, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['pointer64', 
['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['void']]], 'IFEOKey' : [ 0x48, ['pointer64', ['void']]], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'UserSharedInfoPtr' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['pointer64', ['void']]], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'HotpatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned 
long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, 
['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['pointer64', ['void']]], 'WerShipAssertPtr' : [ 0x360, ['pointer64', ['void']]], 'pContextData' : [ 0x368, ['pointer64', ['void']]], 'pImageHeaderHash' : [ 0x370, ['pointer64', ['void']]], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_PEB_LDR_DATA' : [ 0x58, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], 'ShutdownInProgress' : [ 0x48, ['unsigned char']], 'ShutdownThreadId' : [ 0x50, ['pointer64', ['void']]], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0xe0, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'Flags' : [ 0x68, ['unsigned long']], 
'LoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x70, ['pointer64', ['void']]], 'CheckSum' : [ 0x78, ['unsigned long']], 'TimeDateStamp' : [ 0x80, ['unsigned long']], 'LoadedImports' : [ 0x80, ['pointer64', ['void']]], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ForwarderLinks' : [ 0x98, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0xa8, ['_LIST_ENTRY']], 'StaticLinks' : [ 0xb8, ['_LIST_ENTRY']], 'ContextInformation' : [ 0xc8, ['pointer64', ['void']]], 'OriginalBase' : [ 0xd0, ['unsigned long long']], 'LoadTime' : [ 0xd8, ['_LARGE_INTEGER']], } ], '_HEAP_SUBSEGMENT' : [ 0x30, { 'LocalInfo' : [ 0x0, ['pointer64', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x8, ['pointer64', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x10, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x18, ['unsigned short']], 'Flags' : [ 0x1a, ['unsigned short']], 'BlockCount' : [ 0x1c, ['unsigned short']], 'SizeIndex' : [ 0x1e, ['unsigned char']], 'AffinityIndex' : [ 0x1f, ['unsigned char']], 'Alignment' : [ 0x18, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x28, ['unsigned long']], } ], '__unnamed_197d' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_197f' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_197d']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1981' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1983' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1981']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_197f']], 'u2' : [ 0x4, ['__unnamed_1983']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long 
long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], } ], '_BLOB_TYPE' : [ 0x38, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'CreatedObjects' : [ 0xc, ['unsigned long']], 'DeletedObjects' : [ 0x10, ['unsigned long']], 'DeleteProcedure' : [ 0x18, ['pointer64', ['void']]], 'DestroyProcedure' : [ 0x20, ['pointer64', ['void']]], 'UsualSize' : [ 0x28, ['unsigned long long']], 'LookasideIndex' : [ 0x30, ['unsigned long']], } ], '__unnamed_199c' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_199e' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_199c']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x20, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_199e']], 'ResourceId' : [ 0x11, ['unsigned char']], 'CachedReferences' : [ 0x12, ['short']], 'ReferenceCount' : [ 0x14, ['long']], 'Lock' : [ 0x18, ['_EX_PUSH_LOCK']], } ], '__unnamed_19b1' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_19b3' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19b1']], } ], '_KALPC_SECTION' : [ 0x48, { 'SectionObject' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'HandleTable' : [ 0x10, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0x18, ['pointer64', ['void']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x28, ['pointer64', ['_ALPC_PORT']]], 'u1' : [ 0x30, ['__unnamed_19b3']], 'NumberOfRegions' : [ 0x34, ['unsigned long']], 'RegionListHead' : [ 0x38, ['_LIST_ENTRY']], } ], '__unnamed_19b9' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_19bb' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19b9']], } ], '_KALPC_REGION' : [ 0x58, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x10, ['pointer64', ['_KALPC_SECTION']]], 'Offset' : [ 0x18, ['unsigned long long']], 'Size' : [ 0x20, ['unsigned long long']], 'ViewSize' : [ 0x28, ['unsigned long long']], 'u1' : [ 0x30, ['__unnamed_19bb']], 'NumberOfViews' : [ 0x34, ['unsigned long']], 'ViewListHead' : [ 0x38, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x48, ['pointer64', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x50, ['pointer64', ['_KALPC_VIEW']]], } ], '__unnamed_19c1' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_19c3' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19c1']], } ], '_KALPC_VIEW' : [ 0x60, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x10, ['pointer64', ['_KALPC_REGION']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x20, 
['pointer64', ['_EPROCESS']]], 'Address' : [ 0x28, ['pointer64', ['void']]], 'Size' : [ 0x30, ['unsigned long long']], 'SecureViewHandle' : [ 0x38, ['pointer64', ['void']]], 'WriteAccessHandle' : [ 0x40, ['pointer64', ['void']]], 'u1' : [ 0x48, ['__unnamed_19c3']], 'NumberOfOwnerMessages' : [ 0x4c, ['unsigned long']], 'ProcessViewListEntry' : [ 0x50, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x40, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x8, ['pointer64', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'CommunicationList' : [ 0x18, ['_LIST_ENTRY']], 'HandleTable' : [ 0x28, ['_ALPC_HANDLE_TABLE']], } ], '__unnamed_19df' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, 
['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_19e1' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19df']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x1a0, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'CompletionPort' : [ 0x20, ['pointer64', ['void']]], 'CompletionKey' : [ 0x28, ['pointer64', ['void']]], 'CompletionPacketLookaside' : [ 0x30, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x38, ['pointer64', ['void']]], 'StaticSecurity' : [ 0x40, ['_SECURITY_CLIENT_CONTEXT']], 'MainQueue' : [ 0x88, ['_LIST_ENTRY']], 'PendingQueue' : [ 0x98, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0xa8, ['_LIST_ENTRY']], 'WaitQueue' : [ 0xb8, ['_LIST_ENTRY']], 'Semaphore' : [ 0xc8, ['pointer64', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0xc8, ['pointer64', ['_KEVENT']]], 'PortAttributes' : [ 0xd0, ['_ALPC_PORT_ATTRIBUTES']], 'Lock' : [ 0x118, ['_EX_PUSH_LOCK']], 'ResourceListLock' : [ 0x120, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0x128, ['_LIST_ENTRY']], 'CompletionList' : [ 0x138, ['pointer64', ['_ALPC_COMPLETION_LIST']]], 'MessageZone' : [ 0x140, ['pointer64', ['_ALPC_MESSAGE_ZONE']]], 'CallbackObject' : [ 0x148, ['pointer64', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0x150, ['pointer64', ['void']]], 'CanceledQueue' : [ 0x158, ['_LIST_ENTRY']], 'SequenceNo' : [ 0x168, ['long']], 'u1' : [ 0x16c, ['__unnamed_19e1']], 'TargetQueuePort' : [ 0x170, ['pointer64', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0x178, ['pointer64', ['_ALPC_PORT']]], 
'CachedMessage' : [ 0x180, ['pointer64', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0x188, ['unsigned long']], 'PendingQueueLength' : [ 0x18c, ['unsigned long']], 'LargeMessageQueueLength' : [ 0x190, ['unsigned long']], 'CanceledQueueLength' : [ 0x194, ['unsigned long']], 'WaitQueueLength' : [ 0x198, ['unsigned long']], } ], '_OBJECT_TYPE' : [ 0xd0, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x20, ['pointer64', ['void']]], 'Index' : [ 0x28, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x2c, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x30, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x34, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x38, ['unsigned long']], 'TypeInfo' : [ 0x40, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'Key' : [ 0xb8, ['unsigned long']], 'CallbackList' : [ 0xc0, ['_LIST_ENTRY']], } ], '_PORT_MESSAGE32' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_197f']], 'u2' : [ 0x4, ['__unnamed_1983']], 'ClientId' : [ 0x8, ['_CLIENT_ID32']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '__unnamed_19fe' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 
0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_1a00' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19fe']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x100, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtensionBuffer' : [ 0x10, ['pointer64', ['void']]], 'ExtensionBufferSize' : [ 0x18, ['unsigned long long']], 'QuotaProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'QuotaBlock' : [ 0x20, ['pointer64', ['void']]], 'SequenceNo' : [ 0x28, ['long']], 'u1' : [ 0x2c, ['__unnamed_1a00']], 'CancelSequencePort' : [ 0x30, ['pointer64', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x38, ['pointer64', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x40, ['long']], 'CancelListEntry' : [ 0x48, ['_LIST_ENTRY']], 'WaitingThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'Reserve' : [ 0x60, ['pointer64', ['_KALPC_RESERVE']]], 'PortQueue' : [ 0x68, ['pointer64', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x70, ['pointer64', ['_ALPC_PORT']]], 'MessageAttributes' : [ 0x78, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0xb0, ['pointer64', ['void']]], 'DataSystemVa' : [ 0xb8, ['pointer64', ['void']]], 'CommunicationInfo' : [ 0xc0, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0xc8, ['pointer64', ['_ALPC_PORT']]], 'ServerThread' : [ 0xd0, ['pointer64', ['_ETHREAD']]], 'PortMessage' : [ 0xd8, ['_PORT_MESSAGE']], } ], '_REMOTE_PORT_VIEW' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x8, ['unsigned long long']], 'ViewBase' : [ 0x10, ['pointer64', ['void']]], } ], '_KALPC_RESERVE' : [ 
0x28, { 'OwnerPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'HandleTable' : [ 0x8, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Message' : [ 0x18, ['pointer64', ['_KALPC_MESSAGE']]], 'Active' : [ 0x20, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['pointer64', ['_OB_DUPLICATE_OBJECT_STATE']]], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x38, { 'ClientContext' : [ 0x0, ['pointer64', ['void']]], 'ServerContext' : [ 0x8, ['pointer64', ['void']]], 'PortContext' : [ 0x10, ['pointer64', ['void']]], 'CancelPortContext' : [ 0x18, ['pointer64', ['void']]], 'SecurityData' : [ 0x20, ['pointer64', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x28, ['pointer64', ['_KALPC_VIEW']]], 'HandleData' : [ 0x30, ['pointer64', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_1a3f' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1a41' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a3f']], } ], '_KALPC_SECURITY_DATA' : [ 0x70, { 'HandleTable' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x8, ['pointer64', ['void']]], 'OwningProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x68, ['__unnamed_1a41']], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x50, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x10, ['unsigned long']], 'KeyContext' : [ 0x18, ['pointer64', ['void']]], 'ApcContext' : [ 0x20, ['pointer64', ['void']]], 'IoStatus' : [ 0x28, ['long']], 'IoStatusInformation' : [ 0x30, ['unsigned long long']], 'MiniPacketCallback' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], 'Allocated' : [ 0x48, ['unsigned char']], } ],
'_ALPC_DISPATCH_CONTEXT' : [ 0x38, { 'PortObject' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'Message' : [ 0x8, ['pointer64', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'TargetPort' : [ 0x20, ['pointer64', ['_ALPC_PORT']]], 'Flags' : [ 0x28, ['unsigned long']], 'TotalLength' : [ 0x2c, ['unsigned short']], 'Type' : [ 0x2e, ['unsigned short']], 'DataInfoOffset' : [ 0x30, ['unsigned short']], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x20, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer64', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0x10, ['_UNICODE_STRING']], } ], '_ECP_LIST' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x48, { 'FoExtFlags' : [ 0x0,
['unsigned long']], 'FoExtPerTypeExtension' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], 'FoIoPriorityHint' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x10, ['long']], 'Information' : [ 0x18, ['unsigned long long']], 'ParseCheck' : [ 0x20, ['unsigned long']], 'RelatedFileObject' : [ 0x28, ['pointer64', ['_FILE_OBJECT']]], 'OriginalAttributes' : [ 0x30, ['pointer64', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x38, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x40, ['unsigned long']], 'FileAttributes' : [ 0x44, ['unsigned short']], 'ShareAccess' : [ 0x46, ['unsigned short']], 'EaBuffer' : [ 0x48, ['pointer64', ['void']]], 'EaLength' : [ 0x50, ['unsigned long']], 'Options' : [ 0x54, ['unsigned long']], 'Disposition' : [ 0x58, ['unsigned long']], 'BasicInformation' : [ 0x60, ['pointer64', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x68, ['pointer64', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x78, ['pointer64', ['void']]], 'Override' : [ 0x80, ['unsigned char']], 'QueryOnly' : [ 0x81, ['unsigned char']], 'DeleteOnly' : [ 0x82, ['unsigned char']], 'FullAttributes' : [ 0x83, ['unsigned char']], 'LocalFileObject' : [ 0x88, ['pointer64', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x90, ['unsigned long']], 'DriverCreateContext' : [ 0x98, ['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']],
'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x330, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'CollectionOn' : [ 0xc, ['long']], 'LoggerMode' : [ 0x10, ['unsigned long']], 'AcceptNewEvents' : [ 0x14, ['long']], 'GetCpuClock' : [ 0x18, ['pointer64', ['void']]], 'StartTime' : [ 0x20, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x28, ['pointer64', ['void']]], 'LoggerThread' : [ 0x30, ['pointer64', ['_ETHREAD']]], 'LoggerStatus' : [ 0x38, ['long']], 'NBQHead' : [ 0x40, ['pointer64', ['void']]], 'OverflowNBQHead' : [ 0x48, ['pointer64', ['void']]], 'QueueBlockFreeList' : [ 0x50, ['_SLIST_HEADER']], 'GlobalList' : [ 0x60, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x70, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x70, ['_EX_FAST_REF']], 'LoggerName' : [ 0x78, ['_UNICODE_STRING']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x98, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0xa8, ['_UNICODE_STRING']], 'ClockType' : [ 0xb8, ['unsigned long']], 'MaximumFileSize' : [ 0xbc, ['unsigned long']], 'LastFlushedBuffer' : [ 0xc0, ['unsigned long']], 'FlushTimer' : [ 0xc4, ['unsigned long']], 'FlushThreshold' : [ 0xc8, ['unsigned long']], 'ByteOffset' : [ 0xd0, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0xd8, ['unsigned long']], 'BuffersAvailable' : [ 0xdc, ['long']], 'NumberOfBuffers' : [ 0xe0, ['long']], 'MaximumBuffers' : [ 0xe4, ['unsigned long']], 'EventsLost' : [ 0xe8, ['unsigned long']],
'BuffersWritten' : [ 0xec, ['unsigned long']], 'LogBuffersLost' : [ 0xf0, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0xf4, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xf8, ['unsigned long']], 'SequencePtr' : [ 0x100, ['pointer64', ['long']]], 'LocalSequence' : [ 0x108, ['unsigned long']], 'InstanceGuid' : [ 0x10c, ['_GUID']], 'FileCounter' : [ 0x11c, ['long']], 'BufferCallback' : [ 0x120, ['pointer64', ['void']]], 'PoolType' : [ 0x128, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0x130, ['_ETW_REF_CLOCK']], 'Consumers' : [ 0x140, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x150, ['unsigned long']], 'TransitionConsumer' : [ 0x158, ['pointer64', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0x160, ['pointer64', ['void']]], 'RealtimeLogfileName' : [ 0x168, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x178, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x180, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x188, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x190, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x198, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x1a0, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x1a8, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x1b8, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x1c0, ['_KEVENT']], 'FlushEvent' : [ 0x1d8, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x1f0, ['_KTIMER']], 'FlushDpc' : [ 0x230, 
['_KDPC']], 'LoggerMutex' : [ 0x270, ['_KMUTANT']], 'LoggerLock' : [ 0x2a8, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x2b0, ['unsigned long long']], 'BufferListPushLock' : [ 0x2b0, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x2b8, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x300, ['_EX_FAST_REF']], 'BufferSequenceNumber' : [ 0x308, ['long long']], 'Flags' : [ 0x310, ['unsigned long']], 'Persistent' : [ 0x310, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x310, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x310, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x310, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x310, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x310, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x310, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x310, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x310, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x310, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'RequestFlag' : [ 0x314, ['unsigned long']], 'RequestNewFie' : [ 0x314, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RequestUpdateFile' : [ 0x314, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x314, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 0x314, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequestDisconnectConsumer' : [ 0x314, ['BitField', dict(start_bit = 4, end_bit 
= 5, native_type='unsigned long')]], 'RequestConnectConsumer' : [ 0x314, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'HookIdMap' : [ 0x318, ['_RTL_BITMAP']], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_ETW_BUFFER_HANDLE' : [ 0x10, { 'TraceBuffer' : [ 0x0, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'BufferFastRef' : [ 0x8, ['pointer64', ['_EX_FAST_REF']]], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, ['unsigned long long']], 'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_NBQUEUE_BLOCK' : [ 0x20, { 'SListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'Next' : [ 0x10, ['unsigned long long']], 'Data' : [ 0x18, ['unsigned long long']], } ], '_KMUTANT' : [ 0x38, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], } ], '_TRACE_ENABLE_CONTEXT_EX' : [ 0x10, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], 'EnableFlagsHigh' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_ETW_GUID_ENTRY' : [ 0x1b0, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x10, ['long']], 'Guid' : [ 0x14, ['_GUID']], 'RegListHead' : [ 0x28, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'LastEnable' : [ 0x40, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x40, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x50, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x70, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x170, ['array', 8, ['pointer64', ['_EVENT_FILTER_HEADER']]]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x310, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'ModifiedId' : [ 0x38, ['_LUID']], 'Privileges' : [ 
0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : [ 0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned long']], 'UserAndGroups' : [ 0x90, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x98, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0xa0, ['pointer64', ['void']]], 'DynamicPart' : [ 0xa8, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0xb0, ['pointer64', ['_ACL']]], 'TokenType' : [ 0xb8, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xbc, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xc0, ['unsigned long']], 'TokenInUse' : [ 0xc4, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xc8, ['unsigned long']], 'MandatoryPolicy' : [ 0xcc, ['unsigned long']], 'LogonSession' : [ 0xd0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xd8, ['_LUID']], 'SidHash' : [ 0xe0, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x1f0, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x300, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'VariablePart' : [ 0x308, ['unsigned long long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x50, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'BuddyLogonId' : [ 0x10, ['_LUID']], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], 'pDeviceMap' : [ 0x20, ['pointer64', ['_DEVICE_MAP']]], 'Token' : [ 0x28, ['pointer64', ['void']]], 'AccountName' : [ 0x30, 
['_UNICODE_STRING']], 'AuthorityName' : [ 0x40, ['_UNICODE_STRING']], } ], '_OBJECT_HEADER' : [ 0x38, { 'PointerCount' : [ 0x0, ['long long']], 'HandleCount' : [ 0x8, ['long long']], 'NextToFree' : [ 0x8, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0x18, ['unsigned char']], 'TraceFlags' : [ 0x19, ['unsigned char']], 'InfoMask' : [ 0x1a, ['unsigned char']], 'Flags' : [ 0x1b, ['unsigned char']], 'ObjectCreateInfo' : [ 0x20, ['pointer64', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'Body' : [ 0x30, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0x10, ['pointer64', ['void']]], 'Reserved' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x10, { 'ExclusiveProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, { 'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0x18, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']], 'Reserved' : [ 0x1a, ['unsigned short']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], 'HashIndex' : [ 0x14, ['unsigned short']], 'DirectoryLocked' : [ 0x16, ['unsigned char']], 
'LockedExclusive' : [ 0x17, ['unsigned char']], 'LockStateSignature' : [ 0x18, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0x150, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'SessionId' : [ 0x138, ['unsigned long']], 'NamespaceEntry' : [ 0x140, ['pointer64', ['void']]], 'Flags' : [ 0x148, ['unsigned long']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x8, { 'ImpersonationData' : [ 0x0, ['unsigned long long']], 'ImpersonationToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MMVAD_FLAGS3' : [ 0x8, { 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'SequentialAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long long')]], 'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long long')]], 'LargePageCreating' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'Spare3' : [ 0x0, 
['BitField', dict(start_bit = 33, end_bit = 64, native_type='unsigned long long')]], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'SharedWaiters' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 'OwnerEntry' : [ 0x30, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x40, ['unsigned long']], 'ContentionCount' : [ 0x44, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x48, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x4c, ['unsigned long']], 'Reserved2' : [ 0x50, ['pointer64', ['void']]], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ],
'_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 52,
native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, ['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x260, ['unsigned long']], 'FreeBins' : [ 0x268, ['_LIST_ENTRY']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x48, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long long']], 'MemoryBandwidth' : [ 0x18, ['unsigned long long']], 'MaxPoolUsage' : [ 0x20, ['unsigned long long']], 'MaxSectionSize' : [ 0x28, ['unsigned long long']], 'MaxViewSize' : [ 0x30, ['unsigned long long']], 'MaxTotalSectionSize' : [ 0x38, ['unsigned long long']], 'DupObjectTypes' : [ 0x40, ['unsigned long']], 'Reserved' : [ 0x44, ['unsigned long']], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_DISPATCHER_HEADER' : [ 0x18, { 'Type' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]],
'Coalescable' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KeepShifting' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'Abandoned' : [ 0x1, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CpuThrottled' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'ActiveDR7' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Instrumented' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved2' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned char')]], 'UmsScheduled' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'UmsPrimary' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x20, {
'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'PointerProtoPte' : [ 0x0, ['pointer64', ['void']]], } ], '_HEAP_COUNTERS' : [ 0x70, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long long']], 'TotalMemoryCommitted' : [ 0x8, ['unsigned long long']], 'TotalMemoryLargeUCR' : [ 0x10, ['unsigned long long']], 'TotalSizeInVirtualBlocks' : [ 0x18, ['unsigned long long']], 'TotalSegments' : [ 0x20, ['unsigned long']], 'TotalUCRs' : [ 0x24, ['unsigned long']], 'CommittOps' : [ 0x28, ['unsigned long']], 'DeCommitOps' : [ 0x2c, ['unsigned long']], 'LockAcquires' : [ 0x30, ['unsigned long']], 'LockCollisions' : [ 0x34, ['unsigned long']], 'CommitRate' : [ 0x38, ['unsigned long']], 'DecommittRate' : [ 0x3c, ['unsigned long']], 'CommitFailures' : [ 0x40, ['unsigned long']], 'InBlockCommitFailures' : [ 0x44, ['unsigned long']], 'CompactHeapCalls' : [ 0x48, ['unsigned long']], 'CompactedUCRs' : [ 0x4c, ['unsigned long']], 'AllocAndFreeOps' : [ 0x50, ['unsigned long']], 'InBlockDeccommits' : [ 0x54, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x58, ['unsigned long long']], 'HighWatermarkSize' : [ 0x60, ['unsigned long long']], 'LastPolledSize' : [ 0x68, ['unsigned long long']], } ], '_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '_SYSPTES_HEADER' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x10, ['unsigned long long']], 'NumberOfEntries' : [ 0x18, ['unsigned long long']], 'NumberOfEntriesPeak' : [ 0x20, ['unsigned long long']], } ], '_EXCEPTION_RECORD' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : 
[ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x68, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x10, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x30, ['pointer64', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x38, ['pointer64', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x40, ['pointer64', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'Lock' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x54, ['unsigned long']], 'ProfileChangingEject' : [ 0x58, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x59, ['unsigned char']], 'LightestSleepState' : [ 0x5c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x60, ['pointer64', ['DOCK_INTERFACE']]], } ], '_I386_LOADER_BLOCK' : [ 0x10, { 'CommonDataArea' : [ 0x0, ['pointer64', ['void']]], 'MachineType' : [ 0x8, ['unsigned long']], 'VirtualBias' : [ 0xc, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_ARC_DISK_INFORMATION' : [ 0x10, { 'DiskSignatures' : [ 0x0, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x10, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x8, ['unsigned long long']], } ], 
'_MMWSLE_NONDIRECT_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, ['pointer64', ['void']]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_HANDLE_TABLE' : [ 0x68, { 'TableCode' : [ 0x0, ['unsigned long long']], 'QuotaProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x10, ['pointer64', ['void']]], 'HandleLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'HandleTableList' : [ 0x20, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x30, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x38, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x40, ['long']], 'Flags' : [ 0x44, ['unsigned long']], 'StrictFIFO' : [ 0x44, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FirstFreeHandle' : [ 0x48, ['unsigned long']], 'LastFreeHandleEntry' : [ 0x50, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x58, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x5c, ['unsigned long']], 'HandleCountHighWatermark' : [ 0x60, ['unsigned long']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['unsigned long']], 'PoolType' : [ 0xc, ['unsigned long']], 
'NumberOfBytes' : [ 0x10, ['unsigned long long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_CM_KEY_BODY' : [ 0x58, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], 'Flags' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x30, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KtmTrans' : [ 0x38, ['pointer64', ['void']]], 'KtmUow' : [ 
0x40, ['pointer64', ['_GUID']]], 'ContextListHead' : [ 0x48, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x30, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'Object' : [ 0x18, ['pointer64', ['void']]], 'NextWaitBlock' : [ 0x20, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x28, ['unsigned short']], 'WaitType' : [ 0x2a, ['unsigned char']], 'BlockState' : [ 0x2b, ['unsigned char']], 'SpareLong' : [ 0x2c, ['long']], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 
'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x78, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['_KAFFINITY_EX']], 'SamplingPeriod' : [ 0x38, ['unsigned long']], 'CurrentTemperature' : [ 0x3c, ['unsigned long']], 'PassiveTripPoint' : [ 0x40, ['unsigned long']], 'CriticalTripPoint' : [ 0x44, ['unsigned long']], 'ActiveTripPointCount' : [ 0x48, ['unsigned char']], 'ActiveTripPoint' : [ 0x4c, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x74, ['unsigned long']], } ], '__unnamed_1c5a' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1c5c' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1c5a']], 'Private' : [ 0x0, ['__unnamed_1c5c']], } ], '_VI_VERIFIER_ISSUE' : [ 0x20, { 'IssueType' : [ 0x0, ['unsigned long long']], 'Address' : [ 0x8, ['pointer64', ['void']]], 'Parameters' : [ 0x10, ['array', 2, ['unsigned long long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, 
['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '_OBJECT_REF_INFO' : [ 0x28, { 'ObjectHeader' : [ 0x0, ['pointer64', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x10, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x20, ['unsigned short']], 'MaxStacks' : [ 0x22, ['unsigned short']], 'StackInfo' : [ 0x24, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x18, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x8, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x10, ['long']], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' : [ 0x14, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, 
['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '__unnamed_1c7d' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_1c83' : [ 0x8, { 'Banked' : [ 0x0, ['pointer64', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x90, { 'u1' : [ 0x0, ['__unnamed_15be']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_15c1']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_15c4']], 'u2' : [ 0x40, ['__unnamed_15d1']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ViewLinks' : [ 0x60, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x70, ['pointer64', ['_EPROCESS']]], 'u3' : [ 0x78, ['__unnamed_1c7d']], 'u4' : [ 0x88, ['__unnamed_1c83']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', ['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, 
['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_EJOB' : [ 0x1c8, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, ['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb0, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xb8, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0xc0, ['unsigned long']], 'TotalProcesses' : [ 0xc4, ['unsigned long']], 'ActiveProcesses' : [ 0xc8, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0xcc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xd0, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xd8, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0xe0, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xe8, ['unsigned long long']], 'LimitFlags' : [ 0xf0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xf4, ['unsigned long']], 'Affinity' : [ 0xf8, ['_KAFFINITY_EX']], 'PriorityClass' : [ 0x120, ['unsigned char']], 'AccessState' : [ 0x128, ['pointer64', ['_JOB_ACCESS_STATE']]], 'UIRestrictionsClass' : [ 0x130, ['unsigned long']], 'EndOfJobTimeAction' : [ 0x134, ['unsigned long']], 'CompletionPort' : [ 0x138, ['pointer64', ['void']]], 'CompletionKey' : [ 0x140, ['pointer64', ['void']]], 'SessionId' : [ 0x148, ['unsigned long']], 'SchedulingClass' : [ 0x14c, ['unsigned long']], 'ReadOperationCount' : [ 0x150, ['unsigned long long']], 'WriteOperationCount' : [ 0x158, ['unsigned long long']], 'OtherOperationCount' : [ 0x160, ['unsigned long long']], 'ReadTransferCount' : [ 0x168, ['unsigned long long']], 'WriteTransferCount' : [ 0x170, ['unsigned long long']], 'OtherTransferCount' : [ 0x178, ['unsigned long long']], 'ProcessMemoryLimit' : [ 0x180, ['unsigned long long']],
'JobMemoryLimit' : [ 0x188, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x190, ['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x198, ['unsigned long long']], 'CurrentJobMemoryUsed' : [ 0x1a0, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x1a8, ['_EX_PUSH_LOCK']], 'JobSetLinks' : [ 0x1b0, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x1c0, ['unsigned long']], 'JobFlags' : [ 0x1c4, ['unsigned long']], } ], '__unnamed_1c97' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HvMaxCState' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_IDLE_STATES' : [ 0xa0, { 'Count' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['__unnamed_1c97']], 'TargetState' : [ 0x8, ['unsigned long']], 'ActualState' : [ 0xc, ['unsigned long']], 'OldState' : [ 0x10, ['unsigned long']], 'NewlyUnparked' : [ 0x14, ['unsigned char']], 'TargetProcessors' : [ 0x18, ['_KAFFINITY_EX']], 'State' : [ 0x40, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '__unnamed_1ca0' : [ 0x18, { 'EfiInformation' : [ 0x0, ['_EFI_FIRMWARE_INFORMATION']], 'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']], } ], '_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x20, { 'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_1ca0']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x10, ['_LIST_ENTRY']], 'Address' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x88, { 'Links' : [ 0x0,
['_LIST_ENTRY']], 'ProcessHandle' : [ 0x10, ['pointer64', ['void']]], 'ProcessObject' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x20, ['pointer64', ['void']]], 'RealtimeConnectContext' : [ 0x28, ['pointer64', ['void']]], 'DisconnectEvent' : [ 0x30, ['pointer64', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x38, ['pointer64', ['_KEVENT']]], 'UserBufferCount' : [ 0x40, ['pointer64', ['unsigned long']]], 'UserBufferListHead' : [ 0x48, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x50, ['unsigned long']], 'EmptyBuffersCount' : [ 0x54, ['unsigned long']], 'LoggerId' : [ 0x58, ['unsigned long']], 'ShutDownRequested' : [ 0x5c, ['unsigned char']], 'NewBuffersLost' : [ 0x5d, ['unsigned char']], 'Disconnected' : [ 0x5e, ['unsigned char']], 'ReservedBufferSpaceBitMap' : [ 0x60, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x70, ['pointer64', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x78, ['unsigned long']], 'UserPagesAllocated' : [ 0x7c, ['unsigned long']], 'UserPagesReused' : [ 0x80, ['unsigned long']], 'Wow' : [ 0x84, ['unsigned char']], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x8, ['_KGUARDED_MUTEX']], 'NonPagedLock' : [ 0x8, ['unsigned long long']], 'RunningAllocs' : [ 0x40, ['long']], 'RunningDeAllocs' : [ 0x44, ['long']], 'TotalBigPages' : [ 0x48, ['long']], 'ThreadsProcessingDeferrals' : [ 0x4c, ['long']], 'TotalBytes' : [ 0x50, ['unsigned long long']], 'PoolIndex' : [ 0x80, ['unsigned long']], 'TotalPages' : [ 
0xc0, ['long']], 'PendingFrees' : [ 0x100, ['pointer64', ['pointer64', ['void']]]], 'PendingFreeDepth' : [ 0x108, ['long']], 'ListHeads' : [ 0x140, ['array', 256, ['_LIST_ENTRY']]], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x20, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x8, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0x18, ['unsigned long long']], } ], '_DRIVER_EXTENSION' : [ 0x38, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 
'KeyControlBlock' : [ 0x20, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0xa0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'MessageServiceRoutine' : [ 0x20, ['pointer64', ['void']]], 'MessageIndex' : [ 0x28, ['unsigned long']], 'ServiceContext' : [ 0x30, ['pointer64', ['void']]], 'SpinLock' : [ 0x38, ['unsigned long long']], 'TickCount' : [ 0x40, ['unsigned long']], 'ActualLock' : [ 0x48, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x50, ['pointer64', ['void']]], 'Vector' : [ 0x58, ['unsigned long']], 'Irql' : [ 0x5c, ['unsigned char']], 'SynchronizeIrql' : [ 0x5d, ['unsigned char']], 'FloatingSave' : [ 0x5e, ['unsigned char']], 'Connected' : [ 0x5f, ['unsigned char']], 'Number' : [ 0x60, ['unsigned long']], 'ShareVector' : [ 0x64, ['unsigned char']], 'Pad' : [ 0x65, ['array', 3, ['unsigned char']]], 'Mode' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x70, ['unsigned long']], 'DispatchCount' : [ 0x74, ['unsigned long']], 'Rsvd1' : [ 0x78, ['unsigned long long']], 'TrapFrame' : [ 0x80, ['pointer64', ['_KTRAP_FRAME']]], 'Reserved' : [ 0x88, ['pointer64', ['void']]], 'DispatchCode' : [ 0x90, ['array', 4, ['unsigned long']]], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'Object' : [ 0x0, 
['pointer64', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long long']], 'GrantedAccess' : [ 0x8, ['unsigned long']], 'GrantedAccessIndex' : [ 0x8, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xa, ['unsigned short']], 'NextFreeTableEntry' : [ 0x8, ['unsigned long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x30, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x8, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0x18, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x20, ['_LIST_ENTRY']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x88, { 'FileName' : [ 0x0, ['pointer64', ['unsigned short']]], 'BaseName' : [ 0x8, ['pointer64', ['unsigned short']]], 'RegRootName' : [ 0x10, ['pointer64', ['unsigned short']]], 'CmHive' : [ 0x18, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x20, ['unsigned long']], 'CmHiveFlags' : [ 0x24, ['unsigned long']], 'CmKcbCacheSize' : [ 0x28, ['unsigned long']], 'CmHive2' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'HiveMounted' : [ 0x38, ['unsigned char']], 'ThreadFinished' : [ 0x39, ['unsigned char']], 'ThreadStarted' : [ 0x3a, ['unsigned char']], 'Allocate' : [ 
0x3b, ['unsigned char']], 'WinPERequired' : [ 0x3c, ['unsigned char']], 'StartEvent' : [ 0x40, ['_KEVENT']], 'FinishedEvent' : [ 0x58, ['_KEVENT']], 'MountLock' : [ 0x70, ['_KEVENT']], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned long long']], 'R12' : [ 0xd8, ['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XSAVE_FORMAT']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, 
['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, ['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_ALPC_HANDLE_TABLE' : [ 0x18, { 'Handles' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 
0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x200, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'Thread' : [ 0x8, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x10, ['array', 62, ['pointer64', ['void']]]], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x98, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Mdl' : [ 0x18, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x20, ['pointer64', ['void']]], 'UserLimit' : [ 0x28, ['pointer64', ['void']]], 'DataUserVa' : [ 0x30, ['pointer64', ['void']]], 'SystemVa' : [ 0x38, ['pointer64', ['void']]], 'TotalSize' : [ 0x40, ['unsigned long long']], 'Header' : [ 0x48, ['pointer64', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x50, ['pointer64', ['void']]], 'ListSize' : [ 0x58, ['unsigned long long']], 'Bitmap' : [ 0x60, ['pointer64', ['void']]], 'BitmapSize' : 
[ 0x68, ['unsigned long long']], 'Data' : [ 0x70, ['pointer64', ['void']]], 'DataSize' : [ 0x78, ['unsigned long long']], 'BitmapLimit' : [ 0x80, ['unsigned long']], 'BitmapNextHint' : [ 0x84, ['unsigned long']], 'ConcurrencyCount' : [ 0x88, ['unsigned long']], 'AttributeFlags' : [ 0x8c, ['unsigned long']], 'AttributeSize' : [ 0x90, ['unsigned long']], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x88, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x40, ['_KTIMER']], 'ScanActive' : [ 0x80, ['unsigned char']], 'OtherWork' : [ 0x81, ['unsigned char']], 'PendingTeardownScan' : [ 0x82, ['unsigned char']], 'PendingPeriodicScan' : [ 0x83, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x84, ['unsigned char']], 'PendingPowerScan' : [ 0x85, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', ['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', 
['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_IO_WORKITEM' : [ 0x40, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x20, ['pointer64', ['void']]], 'IoObject' : [ 0x28, ['pointer64', ['void']]], 'Context' : [ 0x30, ['pointer64', ['void']]], 'Type' : [ 0x38, ['unsigned long']], } ], '_CM_RM' : [ 0x88, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x10, ['_LIST_ENTRY']], 'TmHandle' : [ 0x20, ['pointer64', ['void']]], 'Tm' : [ 0x28, ['pointer64', ['void']]], 'RmHandle' : [ 0x30, ['pointer64', ['void']]], 'KtmRm' : [ 0x38, ['pointer64', ['void']]], 'RefCount' : [ 0x40, ['unsigned long']], 'ContainerNum' : [ 0x44, ['unsigned long']], 'ContainerSize' : [ 0x48, ['unsigned long long']], 'CmHive' : [ 0x50, ['pointer64', ['_CMHIVE']]], 'LogFileObject' : [ 0x58, ['pointer64', ['void']]], 'MarshallingContext' : [ 0x60, ['pointer64', ['void']]], 'RmFlags' : [ 0x68, ['unsigned long']], 'LogStartStatus1' : [ 0x6c, ['long']], 'LogStartStatus2' : [ 0x70, ['long']], 'BaseLsn' : [ 0x78, ['unsigned long long']], 'RmLock' : [ 0x80, ['pointer64', ['_ERESOURCE']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_MMVAD_FLAGS' : [ 0x8, { 'CommitCharge' : [ 
0x0, ['BitField', dict(start_bit = 0, end_bit = 51, native_type='unsigned long long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 61, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 61, end_bit = 63, native_type='unsigned long long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_UNEXPECTED_INTERRUPT' : [ 0x10, { 'PushImmOp' : [ 0x0, ['unsigned char']], 'PushImm' : [ 0x1, ['unsigned long']], 'PushRbp' : [ 0x5, ['unsigned char']], 'JmpOp' : [ 0x6, ['unsigned char']], 'JmpOffset' : [ 0x7, ['long']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x10, { 'Thread' : [ 0x0, ['pointer64', 
['void']]], 'Flags' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x9, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0xa, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'OldIrql' : [ 0x8, ['unsigned char']], 'NewIrql' : [ 0x9, ['unsigned char']], 'Processor' : [ 0xa, ['unsigned short']], 'TickCount' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 5, ['pointer64', ['void']]]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x90, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'Data' : [ 0x40, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0x18, { 'AnsiCodePageData' : [ 0x0, ['pointer64', ['void']]], 
'OemCodePageData' : [ 0x8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0x10, ['pointer64', ['void']]], } ], '_ALIGNED_AFFINITY_SUMMARY' : [ 0x80, { 'CpuSet' : [ 0x0, ['_KAFFINITY_EX']], 'SMTSet' : [ 0x28, ['_KAFFINITY_EX']], } ], '_XSTATE_CONFIGURATION' : [ 0x210, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'OptimizedSave' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Features' : [ 0x10, ['array', 64, ['_XSTATE_FEATURE']]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x38, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x18, ['unsigned long']], 'RealRefCount' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 22, native_type='unsigned long long')]], 'InStore' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_RTL_UMS_CONTEXT' : [ 0x540, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Context' : [ 0x10, ['_CONTEXT']], 'Teb' : [ 0x4e0, ['pointer64', ['void']]], 'UserContext' : [ 
0x4e8, ['pointer64', ['void']]], 'ScheduledThread' : [ 0x4f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'HasQuantumReq' : [ 0x4f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HasAffinityReq' : [ 0x4f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'HasPriorityReq' : [ 0x4f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Suspended' : [ 0x4f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VolatileContext' : [ 0x4f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Terminated' : [ 0x4f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DebugActive' : [ 0x4f0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DenyRunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReservedFlags' : [ 0x4f0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], 'Flags' : [ 0x4f0, ['long']], 'KernelUpdateLock' : [ 0x4f8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x4f8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PrimaryClientID' : [ 0x4f8, ['BitField', dict(start_bit = 2, end_bit = 64, native_type='unsigned long long')]], 'ContextLock' : [ 0x4f8, ['unsigned long long']], 'QuantumValue' : [ 0x500, ['unsigned long long']], 'AffinityMask' : [ 0x508, ['_GROUP_AFFINITY']], 'Priority' : [ 0x518, ['long']], 'PrimaryUmsContext' : [ 0x520, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'SwitchCount' : [ 0x528, ['unsigned long']], 'KernelYieldCount' : [ 0x52c, ['unsigned long']], 'MixedYieldCount' : [ 0x530, ['unsigned long']], 'YieldCount' : [ 0x534, ['unsigned 
long']], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, 
end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'Padding0' : [ 0x20, ['array', 2, ['unsigned long']]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer64', ['void']]], 'Pointer1' : [ 0x40, ['pointer64', ['void']]], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x100, { 'IdleStates' : [ 0x0, ['pointer64', ['_PPM_IDLE_STATES']]], 'IdleTimeLast' : [ 0x8, ['unsigned long long']], 'IdleTimeTotal' : [ 0x10, ['unsigned long long']], 'IdleTimeEntry' : [ 0x18, ['unsigned long long']], 'IdleAccounting' : [ 0x20, ['pointer64', ['_PROC_IDLE_ACCOUNTING']]], 'Hypervisor' : [ 0x28, 
['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower'})]], 'PerfHistoryTotal' : [ 0x2c, ['unsigned long']], 'ThermalConstraint' : [ 0x30, ['unsigned char']], 'PerfHistoryCount' : [ 0x31, ['unsigned char']], 'PerfHistorySlot' : [ 0x32, ['unsigned char']], 'Reserved' : [ 0x33, ['unsigned char']], 'LastSysTime' : [ 0x34, ['unsigned long']], 'WmiDispatchPtr' : [ 0x38, ['unsigned long long']], 'WmiInterfaceEnabled' : [ 0x40, ['long']], 'FFHThrottleStateInfo' : [ 0x48, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0x68, ['_KDPC']], 'PerfActionMask' : [ 0xa8, ['long']], 'IdleCheck' : [ 0xb0, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0xc0, ['_PROC_IDLE_SNAP']], 'Domain' : [ 0xd0, ['pointer64', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0xd8, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'Load' : [ 0xe0, ['pointer64', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0xe8, ['pointer64', ['_PROC_HISTORY_ENTRY']]], 'Utility' : [ 0xf0, ['unsigned long']], 'OverUtilizedHistory' : [ 0xf4, ['unsigned long']], 'AffinityCount' : [ 0xf8, ['unsigned long']], 'AffinityHistory' : [ 0xfc, ['unsigned long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 
'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x40, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x18, ['unsigned long']], 'ImageCommitment' : [ 0x1c, ['unsigned long']], 'ControlArea' : [ 0x20, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x30, ['pointer64', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x38, ['pointer64', ['_MMSUBSECTION_FLAGS']]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x28, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], 'DOCK_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 
'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ProfileDepartureSetMode' : [ 0x20, ['pointer64', ['void']]], 'ProfileDepartureUpdate' : [ 0x28, ['pointer64', ['void']]], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], } ], 
'_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x50, { 'Lock' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'ActiveCount' : [ 0xc, ['unsigned long']], 'PendingNullCount' : [ 0x10, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x14, ['unsigned long']], 'PendingDelete' : [ 0x18, ['unsigned long']], 'FreeListHead' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x28, ['pointer64', ['void']]], 
'CompletionKey' : [ 0x30, ['pointer64', ['void']]], 'Entry' : [ 0x38, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0x18, ['unsigned long long']], 'PageCount' : [ 0x20, ['unsigned long long']], } ], '_CM_INTENT_LOCK' : [ 0x10, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x8, ['pointer64', ['pointer64', ['_CM_KCB_UOW']]]], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x2c0, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'BucketLimits' : [ 0x18, ['array', 16, ['unsigned long long']]], 'State' : [ 0x98, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned 
long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ], '_MAPPED_FILE_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], } ], '_TEB64' : [ 0x1818, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 
'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'EtwLocalData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 
0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, 
['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0xa0, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 
'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'OptionChanges' : [ 0x78, ['unsigned long']], 'VerifyMode' : [ 0x7c, ['unsigned long']], 'PreviousBucketName' : [ 0x80, ['_UNICODE_STRING']], 'ActivityCounter' : [ 0x90, ['unsigned long']], 'PreviousActivityCounter' : [ 0x94, ['unsigned long']], 'WorkerTrimRequests' : [ 0x98, ['unsigned long']], } ], '_VI_FAULT_TRACE' : [ 0x48, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 8, ['pointer64', ['void']]]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned long long']], 'IoPriorityBoosted' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OwnerCount' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_MI_SECTION_CREATION_GATE' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_MI_SECTION_CREATION_GATE']]], 'Gate' : [ 0x8, ['_KGATE']], } ], '_ETIMER' : [ 0x110, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x40, ['_KAPC']], 'TimerDpc' : 
[ 0x98, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Lock' : [ 0xe8, ['unsigned long long']], 'Period' : [ 0xf0, ['long']], 'ApcAssociated' : [ 0xf4, ['unsigned char']], 'WakeReason' : [ 0xf8, ['pointer64', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x100, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '_POOL_BLOCK_HEAD' : [ 0x20, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x10, ['_LIST_ENTRY']], } ], '__unnamed_1e02' : [ 0x8, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer64', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x10, { 'u1' : [ 0x0, ['__unnamed_1e02']], 'EndVa' : [ 0x8, ['pointer64', ['void']]], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_ARBITER_INSTANCE' : [ 0x698, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['unsigned short']]], 'OrderingName' : [ 0x18, ['pointer64', ['unsigned short']]], 'ResourceType' : [ 0x20, ['long']], 'Allocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x30, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x38, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x48, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x58, ['long']], 'Interface' : [ 0x60, ['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x68, ['unsigned long']], 'AllocationStack' : [ 0x70, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x78, ['pointer64', ['void']]], 'PackResource' : [ 0x80, ['pointer64', ['void']]], 'UnpackResource' : [ 0x88, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x90, ['pointer64', ['void']]], 'TestAllocation' : [ 0x98, ['pointer64', ['void']]], 'RetestAllocation' : [ 0xa0, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa8, ['pointer64', ['void']]], 
'RollbackAllocation' : [ 0xb0, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb8, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xc0, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc8, ['pointer64', ['void']]], 'AddReserved' : [ 0xd0, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd8, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xe0, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe8, ['pointer64', ['void']]], 'GetNextAllocationRange' : [ 0xf0, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf8, ['pointer64', ['void']]], 'AddAllocation' : [ 0x100, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x108, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x110, ['pointer64', ['void']]], 'InitializeRangeList' : [ 0x118, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x120, ['unsigned char']], 'TransactionEvent' : [ 0x128, ['pointer64', ['_KEVENT']]], 'Extension' : [ 0x130, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x140, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x148, ['pointer64', ['void']]], 'PdoDescriptionString' : [ 0x150, ['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x3f0, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x690, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '__unnamed_1e5b' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_1e5d' : [ 0x8, { 'Last' : [ 0x0, ['unsigned long']], 'u' : [ 0x4, ['__unnamed_1e5b']], } ], '__unnamed_1e5f' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_1e5b']], } ], '__unnamed_1e61' : [ 0x8, { 'OldCell' : [ 0x0, ['__unnamed_1e5d']], 'NewCell' : [ 0x0, ['__unnamed_1e5f']], } ], '_HCELL' : [ 0xc, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1e61']], } ], '_HMAP_TABLE' : [ 0x4000, { 'Table' : [ 0x0, 
['array', 512, ['_HMAP_ENTRY']]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x30, { 'Prcb' : [ 0x0, ['pointer64', ['_KPRCB']]], 'PerfContext' : [ 0x8, ['unsigned long long']], 'PercentageCap' : [ 0x10, ['unsigned long']], 'ThermalCap' : [ 0x14, ['unsigned long']], 'TargetFrequency' : [ 0x18, ['unsigned long']], 'AcumulatedFullFrequency' : [ 0x1c, ['unsigned long']], 'AcumulatedZeroFrequency' : [ 0x20, ['unsigned long']], 'FrequencyHistoryTotal' : [ 0x24, ['unsigned long']], 'AverageFrequency' : [ 0x28, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, 
['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_CACHED_KSTACK_LIST' : [ 0x20, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x10, ['long']], 'Misses' : [ 0x14, ['unsigned long']], 'MissesLast' : [ 0x18, ['unsigned long']], 'Pad0' : [ 0x1c, ['unsigned long']], } ], '__unnamed_1e74' : [ 
0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e78' : [ 0x18, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long long']], } ], '__unnamed_1e7a' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1e7c' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1e7e' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1e80' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1e82' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e84' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e86' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e88' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1e74']], 'Memory' : [ 0x0, ['__unnamed_1e74']], 'Interrupt' : [ 0x0, ['__unnamed_1e78']], 'Dma' : [ 0x0, 
['__unnamed_1e7a']], 'Generic' : [ 0x0, ['__unnamed_1e74']], 'DevicePrivate' : [ 0x0, ['__unnamed_1e7c']], 'BusNumber' : [ 0x0, ['__unnamed_1e7e']], 'ConfigData' : [ 0x0, ['__unnamed_1e80']], 'Memory40' : [ 0x0, ['__unnamed_1e82']], 'Memory48' : [ 0x0, ['__unnamed_1e84']], 'Memory64' : [ 0x0, ['__unnamed_1e86']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1e88']], } ], '_POP_THERMAL_ZONE' : [ 0x1e8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x10, ['unsigned char']], 'Flags' : [ 0x11, ['unsigned char']], 'Mode' : [ 0x12, ['unsigned char']], 'PendingMode' : [ 0x13, ['unsigned char']], 'ActivePoint' : [ 0x14, ['unsigned char']], 'PendingActivePoint' : [ 0x15, ['unsigned char']], 'Throttle' : [ 0x18, ['long']], 'LastTime' : [ 0x20, ['unsigned long long']], 'SampleRate' : [ 0x28, ['unsigned long']], 'LastTemp' : [ 0x2c, ['unsigned long']], 'PassiveTimer' : [ 0x30, ['_KTIMER']], 'PassiveDpc' : [ 0x70, ['_KDPC']], 'OverThrottled' : [ 0xb0, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0xc8, ['pointer64', ['_IRP']]], 'Info' : [ 0xd0, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0x148, ['_LARGE_INTEGER']], 'Metrics' : [ 0x150, ['_POP_THERMAL_ZONE_METRICS']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 
0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_CM_WORKITEM' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x10, ['unsigned long']], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Parameter' : [ 0x20, ['pointer64', ['void']]], } ], '_POP_THERMAL_ZONE_METRICS' : [ 0x98, { 'MetricsResource' : [ 0x0, ['_ERESOURCE']], 'ActiveCount' : [ 0x68, ['unsigned long']], 'PassiveCount' : [ 0x6c, ['unsigned long']], 'LastActiveStartTick' : [ 0x70, ['_LARGE_INTEGER']], 'AverageActiveTime' : [ 0x78, ['_LARGE_INTEGER']], 'LastPassiveStartTick' : [ 0x80, ['_LARGE_INTEGER']], 'AveragePassiveTime' : [ 0x88, ['_LARGE_INTEGER']], 'StartTickSinceLastReset' : [ 0x90, ['_LARGE_INTEGER']], } ], '_CM_TRANS' : [ 0xa8, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x10, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x30, ['pointer64', ['void']]], 'CmRm' : [ 0x38, ['pointer64', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x40, ['pointer64', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x48, ['pointer64', ['void']]], 'KtmUow' : [ 0x50, ['_GUID']], 'StartLsn' : [ 0x60, ['unsigned long long']], 'TransState' : [ 0x68, ['unsigned long']], 'HiveCount' : [ 
0x6c, ['unsigned long']], 'HiveArray' : [ 0x70, ['array', 7, ['pointer64', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x40, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ProbeMode' : [ 0x10, ['unsigned char']], 'PagedPoolCharge' : [ 0x14, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x1c, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQos' : [ 0x28, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Flags' : [ 0x28, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x2c, ['unsigned short']], 
'SpareUSHORT' : [ 0x2e, ['unsigned short']], } ], '_POOL_HACKER' : [ 0x30, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x10, ['array', 8, ['unsigned long']]], } ], '_PO_DIAG_STACK_RECORD' : [ 0x10, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x8, ['array', 1, ['pointer64', ['void']]]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x1c, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1b, ['unsigned char']], } ], '__unnamed_1ec3' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1ec5' : [ 0x18, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_1ec3']], } ], '_VF_TARGET_DRIVER' : [ 0x30, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'u1' : [ 0x10, ['__unnamed_1ec5']], 'VerifiedData' : [ 0x28, ['pointer64', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '__unnamed_1ecd' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_1ecf' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1ed1' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1ed3' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceIds' : [ 0x8, ['array', 1, ['wchar']]], } ], '__unnamed_1ed5' : [ 0x8, { 'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1ed7' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1ed9' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 
1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1edb' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_1edd' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1edf' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_1ee1' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_1ecd']], 'TargetDevice' : [ 0x0, ['__unnamed_1ecf']], 'InstallDevice' : [ 0x0, ['__unnamed_1ed1']], 'CustomNotification' : [ 0x0, ['__unnamed_1ed3']], 'ProfileNotification' : [ 0x0, ['__unnamed_1ed5']], 'PowerNotification' : [ 0x0, ['__unnamed_1ed7']], 'VetoNotification' : [ 0x0, ['__unnamed_1ed9']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_1edb']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_1edd']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_1edf']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_1ed1']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x50, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, 
['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_1ee1']], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x28, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x110, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x10, ['array', 32, ['unsigned long long']]], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer64', ['_XSAVE_AREA']]], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned 
short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]], } ], '_MBCB' : [ 0xc0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x28, ['long long']], 'BitmapRange1' : [ 0x30, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x60, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x90, ['_BITMAP_RANGE']], } ], '_PS_CPU_QUOTA_BLOCK' : [ 0x4080, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x10, ['unsigned long']], 'CpuShareWeight' : [ 0x14, ['unsigned long']], 'CapturedWeightData' : [ 0x18, ['_PSP_CPU_SHARE_CAPTURED_WEIGHT_DATA']], 'DuplicateInputMarker' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x20, ['long']], 'BlockCurrentGenerationLock' : [ 0x0, ['unsigned long long']], 'CyclesAccumulated' : [ 0x8, ['unsigned long long']], 'CycleCredit' : [ 0x40, ['unsigned long long']], 'BlockCurrentGeneration' : [ 0x48, ['unsigned long']], 'CpuCyclePercent' : [ 0x4c, ['unsigned long']], 'CyclesFinishedForCurrentGeneration' : [ 0x50, ['unsigned char']], 'Cpu' : [ 0x80, ['array', 256, ['_PS_PER_CPU_QUOTA_CACHE_AWARE']]], } ], '__unnamed_1efd' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, 
['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1efd']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, 
native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x70, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 
'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', ['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], } ], '__unnamed_1f32' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_1f32']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x5b0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_PS_PER_CPU_QUOTA_CACHE_AWARE' : [ 0x40, { 'SortedListEntry' : [ 0x0, ['_LIST_ENTRY']], 'IdleOnlyListHead' : [ 0x10, ['_LIST_ENTRY']], 'CycleBaseAllowance' : [ 0x20, ['unsigned long long']], 'CyclesRemaining' : [ 0x28, ['long long']], 'CurrentGeneration' : [ 0x30, ['unsigned long']], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } 
], '_KERNEL_STACK_SEGMENT' : [ 0x28, { 'StackBase' : [ 0x0, ['unsigned long long']], 'StackLimit' : [ 0x8, ['unsigned long long']], 'KernelStack' : [ 0x10, ['unsigned long long']], 'InitialStack' : [ 0x18, ['unsigned long long']], 'ActualLimit' : [ 0x20, ['unsigned long long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 
0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'Next' : [ 0x0, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestSummary' : [ 0x8, ['long long']], 'RequestPacket' : [ 0x10, ['_KREQUEST_PACKET']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, 
['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_PEB32' : [ 0x248, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 
0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, ['unsigned long']], 'IFEOKey' : [ 0x24, ['unsigned long']], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['unsigned long']], 'UserSharedInfoPtr' : [ 0x2c, ['unsigned long']], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'ApiSetMap' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'HotpatchInformation' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned 
long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['unsigned long']], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']], 'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 
'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['unsigned long']], 'WerShipAssertPtr' : [ 0x234, ['unsigned long']], 'pContextData' : [ 0x238, ['unsigned long']], 'pImageHeaderHash' : [ 0x23c, ['unsigned long']], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], 
'_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_KBUGCHECK_ACTIVE_STATE' : [ 0x4, { 'BugCheckState' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'RecursionCount' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'BugCheckOwner' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['long']], } ], '_PF_KERNEL_GLOBALS' : [ 0x60, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0x10, ['_KEVENT']], 'AccessBufferMax' : [ 0x28, ['unsigned long']], 'AccessBufferList' : [ 0x40, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x50, ['long']], 'Flags' : [ 0x54, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x58, ['long']], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_POP_SYSTEM_IDLE' : [ 0x38, { 'AverageIdleness' : [ 0x0, ['long']], 'LowestIdleness' : [ 0x4, ['long']], 'Time' : [ 0x8, ['unsigned long']], 'Timeout' : [ 0xc, ['unsigned long']], 'LastUserInput' : [ 0x10, ['unsigned long']], 'Action' : [ 0x14, ['POWER_ACTION_POLICY']], 'MinState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 
'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SystemRequired' : [ 0x24, ['unsigned char']], 'IdleWorker' : [ 0x25, ['unsigned char']], 'Sampling' : [ 0x26, ['unsigned char']], 'LastTick' : [ 0x28, ['unsigned long long']], 'LastSystemRequiredTime' : [ 0x30, ['unsigned long']], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0x18, { 'SharedExportThunks' : [ 0x0, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x8, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x10, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x28, { 'SourceProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'SourceHandle' : [ 0x8, ['pointer64', ['void']]], 'Object' : [ 0x10, ['pointer64', ['void']]], 'TargetAccess' : [ 0x18, ['unsigned long']], 'ObjectInfo' : [ 0x1c, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x20, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 
'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_EFI_FIRMWARE_INFORMATION' : [ 0x18, { 'FirmwareVersion' : [ 0x0, ['unsigned long']], 'VirtualEfiRuntimeServices' : [ 0x8, ['pointer64', ['_VIRTUAL_EFI_RUNTIME_SERVICES']]], 'SetVirtualAddressMapStatus' : [ 0x10, ['long']], 'MissedMappingsCount' : [ 0x14, ['unsigned long']], } ], '__unnamed_1fa7' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fa9' : [ 0x10, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1fab' : [ 0x10, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1fad' : [ 0x10, { 'Raw' : [ 0x0, ['__unnamed_1fab']], 'Translated' : [ 0x0, ['__unnamed_1fa9']], } ], '__unnamed_1faf' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fb1' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fb3' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fb5' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fb7' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fb9' : [ 0xc, { 'Start' : [ 0x0, 
['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_1fbb' : [ 0x10, { 'Generic' : [ 0x0, ['__unnamed_1fa7']], 'Port' : [ 0x0, ['__unnamed_1fa7']], 'Interrupt' : [ 0x0, ['__unnamed_1fa9']], 'MessageInterrupt' : [ 0x0, ['__unnamed_1fad']], 'Memory' : [ 0x0, ['__unnamed_1fa7']], 'Dma' : [ 0x0, ['__unnamed_1faf']], 'DevicePrivate' : [ 0x0, ['__unnamed_1e7c']], 'BusNumber' : [ 0x0, ['__unnamed_1fb1']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1fb3']], 'Memory40' : [ 0x0, ['__unnamed_1fb5']], 'Memory48' : [ 0x0, ['__unnamed_1fb7']], 'Memory64' : [ 0x0, ['__unnamed_1fb9']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1fbb']], } ], '__unnamed_1fc0' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1fc0']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_1fca' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x58, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_1fca']], } ], '_CONFIGURATION_COMPONENT_DATA' : [ 0x48, { 'Parent' : [ 0x0, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'Child' : [ 0x8, ['pointer64', 
['_CONFIGURATION_COMPONENT_DATA']]], 'Sibling' : [ 0x10, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'ComponentEntry' : [ 0x18, ['_CONFIGURATION_COMPONENT']], 'ConfigurationData' : [ 0x40, ['pointer64', ['void']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '__unnamed_1fd4' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMSUBSECTION_NODE']]], } ], '_MMSUBSECTION_NODE' : [ 0x28, { 'u' : [ 0x0, ['__unnamed_1f32']], 'StartingSector' : [ 0x4, ['unsigned long']], 'NumberOfFullSectors' : [ 0x8, ['unsigned long']], 'u1' : [ 0x10, ['__unnamed_1fd4']], 'LeftChild' : [ 0x18, ['pointer64', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x20, ['pointer64', ['_MMSUBSECTION_NODE']]], } ], '_VF_AVL_TREE_NODE' : [ 0x10, { 'p' : [ 0x0, ['pointer64', ['void']]], 'RangeSize' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1fdc' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_1fde' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_1fdc']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x58, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, ['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x20, ['_LIST_ENTRY']], 'IdleType' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 
1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'Volume' : [ 0x40, ['_LIST_ENTRY']], 'Specific' : [ 0x50, ['__unnamed_1fde']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x68, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]], 'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], } ], '_KENLISTMENT' : [ 0x1e0, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x8, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x30, ['_GUID']], 'Mutex' : [ 0x40, ['_KMUTANT']], 'NextSameTx' : [ 0x78, 
['_LIST_ENTRY']], 'NextSameRm' : [ 0x88, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x98, ['pointer64', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0xa0, ['pointer64', ['_KTRANSACTION']]], 'State' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0xac, ['unsigned long']], 'NotificationMask' : [ 0xb0, ['unsigned long']], 'Key' : [ 0xb8, ['pointer64', ['void']]], 'KeyRefCount' : [ 0xc0, ['unsigned long']], 'RecoveryInformation' : [ 0xc8, ['pointer64', ['void']]], 'RecoveryInformationLength' : [ 0xd0, ['unsigned long']], 'DynamicNameInformation' : [ 0xd8, ['pointer64', ['void']]], 'DynamicNameInformationLength' : [ 0xe0, ['unsigned long']], 'FinalNotification' : [ 0xe8, ['pointer64', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0xf8, ['pointer64', ['void']]], 'SubordinateTxHandle' : [ 0x100, ['pointer64', ['void']]], 'CrmEnlistmentEnId' : [ 0x108, ['_GUID']], 'CrmEnlistmentTmId' : [ 0x118, ['_GUID']], 'CrmEnlistmentRmId' : [ 0x128, ['_GUID']], 'NextHistory' : [ 0x138, ['unsigned long']], 'History' : [ 0x13c, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], }

# volatility-2.3.1/volatility/plugins/overlays/windows/win2003_sp1_x86_vtypes.py
ntkrnlmp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, 
['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '__unnamed_100d' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_100d']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '__unnamed_101e' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_101e']], 'QuadPart' : [ 0x0, ['long long']], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_KPRCB' : [ 0xec0, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'Number' : [ 0x10, ['unsigned char']], 'Reserved' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'SetMember' : [ 0x14, ['unsigned long']], 'CpuType' : [ 0x18, ['unsigned char']], 'CpuID' : [ 0x19, ['unsigned char']], 'CpuStep' : [ 0x1a, ['unsigned short']], 'ProcessorState' : [ 0x1c, ['_KPROCESSOR_STATE']], 'KernelReserved' : [ 0x33c, ['array', 16, ['unsigned long']]], 'HalReserved' : [ 0x37c, ['array', 16, ['unsigned long']]], 'PrcbPad0' : [ 0x3bc, ['array', 92, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 33, ['_KSPIN_LOCK_QUEUE']]], 
'NpxThread' : [ 0x520, ['pointer', ['_KTHREAD']]], 'InterruptCount' : [ 0x524, ['unsigned long']], 'KernelTime' : [ 0x528, ['unsigned long']], 'UserTime' : [ 0x52c, ['unsigned long']], 'DpcTime' : [ 0x530, ['unsigned long']], 'DebugDpcTime' : [ 0x534, ['unsigned long']], 'InterruptTime' : [ 0x538, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x53c, ['unsigned long']], 'PageColor' : [ 0x540, ['unsigned long']], 'SkipTick' : [ 0x544, ['unsigned char']], 'DebuggerSavedIRQL' : [ 0x545, ['unsigned char']], 'NodeColor' : [ 0x546, ['unsigned char']], 'Spare1' : [ 0x547, ['unsigned char']], 'NodeShiftedColor' : [ 0x548, ['unsigned long']], 'ParentNode' : [ 0x54c, ['pointer', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x550, ['unsigned long']], 'MultiThreadSetMaster' : [ 0x554, ['pointer', ['_KPRCB']]], 'SecondaryColorMask' : [ 0x558, ['unsigned long']], 'Sleeping' : [ 0x55c, ['long']], 'CcFastReadNoWait' : [ 0x560, ['unsigned long']], 'CcFastReadWait' : [ 0x564, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x568, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x56c, ['unsigned long']], 'CcCopyReadWait' : [ 0x570, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x574, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x578, ['unsigned long']], 'SpareCounter0' : [ 0x57c, ['unsigned long']], 'KeDcacheFlushCount' : [ 0x580, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x584, ['unsigned long']], 'KeFirstLevelTbFills' : [ 0x588, ['unsigned long']], 'KeFloatingEmulationCount' : [ 0x58c, ['unsigned long']], 'KeIcacheFlushCount' : [ 0x590, ['unsigned long']], 'KeSecondLevelTbFills' : [ 0x594, ['unsigned long']], 'KeSystemCalls' : [ 0x598, ['unsigned long']], 'IoReadOperationCount' : [ 0x59c, ['long']], 'IoWriteOperationCount' : [ 0x5a0, ['long']], 'IoOtherOperationCount' : [ 0x5a4, ['long']], 'IoReadTransferCount' : [ 0x5a8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x5b0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x5b8, ['_LARGE_INTEGER']], 'SpareCounter1' : [ 
0x5c0, ['array', 8, ['unsigned long']]], 'PPLookasideList' : [ 0x5e0, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x660, ['array', 32, ['_PP_LOOKASIDE_LIST']]], 'PPPagedLookasideList' : [ 0x760, ['array', 32, ['_PP_LOOKASIDE_LIST']]], 'PacketBarrier' : [ 0x860, ['unsigned long']], 'ReverseStall' : [ 0x864, ['unsigned long']], 'IpiFrame' : [ 0x868, ['pointer', ['void']]], 'PrcbPad2' : [ 0x86c, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x8a0, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x8ac, ['unsigned long']], 'WorkerRoutine' : [ 0x8b0, ['pointer', ['void']]], 'IpiFrozen' : [ 0x8b4, ['unsigned long']], 'PrcbPad3' : [ 0x8b8, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x8e0, ['unsigned long']], 'SignalDone' : [ 0x8e4, ['pointer', ['_KPRCB']]], 'PrcbPad4' : [ 0x8e8, ['array', 56, ['unsigned char']]], 'DpcData' : [ 0x920, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x948, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x94c, ['unsigned long']], 'DpcRequestRate' : [ 0x950, ['unsigned long']], 'MinimumDpcRate' : [ 0x954, ['unsigned long']], 'DpcInterruptRequested' : [ 0x958, ['unsigned char']], 'DpcThreadRequested' : [ 0x959, ['unsigned char']], 'DpcRoutineActive' : [ 0x95a, ['unsigned char']], 'DpcThreadActive' : [ 0x95b, ['unsigned char']], 'PrcbLock' : [ 0x95c, ['unsigned long']], 'DpcLastCount' : [ 0x960, ['unsigned long']], 'TimerHand' : [ 0x964, ['unsigned long']], 'TimerRequest' : [ 0x968, ['unsigned long']], 'DpcThread' : [ 0x96c, ['pointer', ['void']]], 'DpcEvent' : [ 0x970, ['_KEVENT']], 'ThreadDpcEnable' : [ 0x980, ['unsigned char']], 'QuantumEnd' : [ 0x981, ['unsigned char']], 'PrcbPad50' : [ 0x982, ['unsigned char']], 'IdleSchedule' : [ 0x983, ['unsigned char']], 'DpcSetEventRequest' : [ 0x984, ['long']], 'PrcbPad5' : [ 0x988, ['array', 18, ['unsigned char']]], 'TickOffset' : [ 0x99c, ['long']], 'CallDpc' : [ 0x9a0, ['_KDPC']], 'PrcbPad7' : [ 0x9c0, ['array', 8, ['unsigned long']]], 
'WaitListHead' : [ 0x9e0, ['_LIST_ENTRY']], 'ReadySummary' : [ 0x9e8, ['unsigned long']], 'QueueIndex' : [ 0x9ec, ['unsigned long']], 'DispatcherReadyListHead' : [ 0x9f0, ['array', 32, ['_LIST_ENTRY']]], 'DeferredReadyListHead' : [ 0xaf0, ['_SINGLE_LIST_ENTRY']], 'PrcbPad72' : [ 0xaf4, ['array', 11, ['unsigned long']]], 'ChainedInterruptList' : [ 0xb20, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0xb24, ['long']], 'MmPageFaultCount' : [ 0xb28, ['long']], 'MmCopyOnWriteCount' : [ 0xb2c, ['long']], 'MmTransitionCount' : [ 0xb30, ['long']], 'MmCacheTransitionCount' : [ 0xb34, ['long']], 'MmDemandZeroCount' : [ 0xb38, ['long']], 'MmPageReadCount' : [ 0xb3c, ['long']], 'MmPageReadIoCount' : [ 0xb40, ['long']], 'MmCacheReadCount' : [ 0xb44, ['long']], 'MmCacheIoCount' : [ 0xb48, ['long']], 'MmDirtyPagesWriteCount' : [ 0xb4c, ['long']], 'MmDirtyWriteIoCount' : [ 0xb50, ['long']], 'MmMappedPagesWriteCount' : [ 0xb54, ['long']], 'MmMappedWriteIoCount' : [ 0xb58, ['long']], 'SpareFields0' : [ 0xb5c, ['array', 1, ['unsigned long']]], 'VendorString' : [ 0xb60, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0xb6d, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0xb6e, ['unsigned char']], 'MHz' : [ 0xb70, ['unsigned long']], 'FeatureBits' : [ 0xb74, ['unsigned long']], 'UpdateSignature' : [ 0xb78, ['_LARGE_INTEGER']], 'IsrTime' : [ 0xb80, ['unsigned long long']], 'SpareField1' : [ 0xb88, ['unsigned long long']], 'NpxSaveArea' : [ 0xb90, ['_FX_SAVE_AREA']], 'PowerState' : [ 0xda0, ['_PROCESSOR_POWER_STATE']], } ], '_KPCR' : [ 0xfe0, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'PerfGlobalGroupMask' : [ 0x8, ['pointer', ['void']]], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, 
['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', 
['_SINGLE_LIST_ENTRY']]], } ], '_KDPC' : [ 0x20, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned char']], 'Expedite' : [ 0x3, ['unsigned char']], 'DpcListEntry' : [ 0x4, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', ['void']]], } ], '_KTHREAD' : [ 0x1b8, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListHead' : [ 0x10, ['_LIST_ENTRY']], 'InitialStack' : [ 0x18, ['pointer', ['void']]], 'StackLimit' : [ 0x1c, ['pointer', ['void']]], 'KernelStack' : [ 0x20, ['pointer', ['void']]], 'ThreadLock' : [ 0x24, ['unsigned long']], 'ApcState' : [ 0x28, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x28, ['array', 23, ['unsigned char']]], 'ApcQueueable' : [ 0x3f, ['unsigned char']], 'NextProcessor' : [ 0x40, ['unsigned char']], 'DeferredProcessor' : [ 0x41, ['unsigned char']], 'AdjustReason' : [ 0x42, ['unsigned char']], 'AdjustIncrement' : [ 0x43, ['unsigned char']], 'ApcQueueLock' : [ 0x44, ['unsigned long']], 'ContextSwitches' : [ 0x48, ['unsigned long']], 'State' : [ 0x4c, ['unsigned char']], 'NpxState' : [ 0x4d, ['unsigned char']], 'WaitIrql' : [ 0x4e, ['unsigned char']], 'WaitMode' : [ 0x4f, ['unsigned char']], 'WaitStatus' : [ 0x50, ['long']], 'WaitBlockList' : [ 0x54, ['pointer', ['_KWAIT_BLOCK']]], 'GateObject' : [ 0x54, ['pointer', ['_KGATE']]], 'Alertable' : [ 0x58, ['unsigned char']], 'WaitNext' : [ 0x59, ['unsigned char']], 'WaitReason' : [ 0x5a, ['unsigned char']], 'Priority' : [ 0x5b, ['unsigned char']], 'EnableStackSwap' : [ 0x5c, ['unsigned char']], 'SwapBusy' : [ 0x5d, ['unsigned char']], 'Alerted' : [ 0x5e, ['array', 2, ['unsigned char']]], 'WaitListEntry' : [ 0x60, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x60, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0x68, ['pointer', ['_KQUEUE']]], 'WaitTime' : [ 
0x6c, ['unsigned long']], 'KernelApcDisable' : [ 0x70, ['short']], 'SpecialApcDisable' : [ 0x72, ['short']], 'CombinedApcDisable' : [ 0x70, ['unsigned long']], 'Teb' : [ 0x74, ['pointer', ['void']]], 'Timer' : [ 0x78, ['_KTIMER']], 'TimerFill' : [ 0x78, ['array', 40, ['unsigned char']]], 'AutoAlignment' : [ 0xa0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0xa0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'ReservedFlags' : [ 0xa0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='long')]], 'ThreadFlags' : [ 0xa0, ['long']], 'WaitBlock' : [ 0xa8, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill0' : [ 0xa8, ['array', 23, ['unsigned char']]], 'SystemAffinityActive' : [ 0xbf, ['unsigned char']], 'WaitBlockFill1' : [ 0xa8, ['array', 47, ['unsigned char']]], 'PreviousMode' : [ 0xd7, ['unsigned char']], 'WaitBlockFill2' : [ 0xa8, ['array', 71, ['unsigned char']]], 'ResourceIndex' : [ 0xef, ['unsigned char']], 'WaitBlockFill3' : [ 0xa8, ['array', 95, ['unsigned char']]], 'LargeStack' : [ 0x107, ['unsigned char']], 'QueueListEntry' : [ 0x108, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x110, ['pointer', ['_KTRAP_FRAME']]], 'CallbackStack' : [ 0x114, ['pointer', ['void']]], 'ServiceTable' : [ 0x118, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x11c, ['unsigned char']], 'IdealProcessor' : [ 0x11d, ['unsigned char']], 'Preempted' : [ 0x11e, ['unsigned char']], 'ProcessReadyQueue' : [ 0x11f, ['unsigned char']], 'KernelStackResident' : [ 0x120, ['unsigned char']], 'BasePriority' : [ 0x121, ['unsigned char']], 'PriorityDecrement' : [ 0x122, ['unsigned char']], 'Saturation' : [ 0x123, ['unsigned char']], 'UserAffinity' : [ 0x124, ['unsigned long']], 'Process' : [ 0x128, ['pointer', ['_KPROCESS']]], 'Affinity' : [ 0x12c, ['unsigned long']], 'ApcStatePointer' : [ 0x130, ['array', 2, ['pointer', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x138, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x138, ['array', 23, ['unsigned 
char']]], 'FreezeCount' : [ 0x14f, ['unsigned char']], 'SuspendCount' : [ 0x150, ['unsigned char']], 'UserIdealProcessor' : [ 0x151, ['unsigned char']], 'CalloutActive' : [ 0x152, ['unsigned char']], 'Iopl' : [ 0x153, ['unsigned char']], 'Win32Thread' : [ 0x154, ['pointer', ['void']]], 'StackBase' : [ 0x158, ['pointer', ['void']]], 'SuspendApc' : [ 0x15c, ['_KAPC']], 'SuspendApcFill0' : [ 0x15c, ['array', 1, ['unsigned char']]], 'Quantum' : [ 0x15d, ['unsigned char']], 'SuspendApcFill1' : [ 0x15c, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x15f, ['unsigned char']], 'SuspendApcFill2' : [ 0x15c, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x160, ['unsigned long']], 'SuspendApcFill3' : [ 0x15c, ['array', 36, ['unsigned char']]], 'TlsArray' : [ 0x180, ['pointer', ['void']]], 'SuspendApcFill4' : [ 0x15c, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x184, ['pointer', ['void']]], 'SuspendApcFill5' : [ 0x15c, ['array', 47, ['unsigned char']]], 'PowerState' : [ 0x18b, ['unsigned char']], 'UserTime' : [ 0x18c, ['unsigned long']], 'SuspendSemaphore' : [ 0x190, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x190, ['array', 20, ['unsigned char']]], 'SListFaultCount' : [ 0x1a4, ['unsigned long']], 'ThreadListEntry' : [ 0x1a8, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x1b0, ['pointer', ['void']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'Sequence' : [ 0x6, ['unsigned short']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 
0x80, ['_FAST_MUTEX']], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 
'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x30, { 'WakeGate' : [ 0x0, ['_KGATE']], 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x10, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x14, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x18, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x1c, ['long']], 'Flags' : [ 0x20, ['long']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, { 'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]], } ], '_ETHREAD' : [ 0x250, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x1b8, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x1c0, ['_LARGE_INTEGER']], 'LpcReplyChain' : [ 0x1c0, ['_LIST_ENTRY']], 'KeyedWaitChain' : [ 0x1c0, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x1c8, ['long']], 'OfsChain' : [ 0x1c8, ['pointer', ['void']]], 'PostBlockList' : [ 0x1cc, ['_LIST_ENTRY']], 'TerminationPort' : [ 0x1d4, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x1d4, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x1d4, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x1d8, ['unsigned long']], 'ActiveTimerListHead' : [ 0x1dc, ['_LIST_ENTRY']], 'Cid' : [ 0x1e4, ['_CLIENT_ID']], 'LpcReplySemaphore' : [ 0x1ec, ['_KSEMAPHORE']], 'KeyedWaitSemaphore' : [ 0x1ec, ['_KSEMAPHORE']], 'LpcReplyMessage' : [ 0x200, ['pointer', ['void']]], 'LpcWaitingOnPort' : [ 0x200, ['pointer', ['void']]], 'ImpersonationInfo' : [ 0x204, ['pointer', ['_PS_IMPERSONATION_INFORMATION']]], 'IrpList' : [ 0x208, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x210, ['unsigned long']], 'DeviceToVerify' : [ 0x214, ['pointer', ['_DEVICE_OBJECT']]], 'ThreadsProcess' : [ 0x218, ['pointer', ['_EPROCESS']]], 'StartAddress' : [ 0x21c, ['pointer', ['void']]], 'Win32StartAddress' : [ 0x220, 
['pointer', ['void']]], 'LpcReceivedMessageId' : [ 0x220, ['unsigned long']], 'ThreadListEntry' : [ 0x224, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x22c, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x230, ['_EX_PUSH_LOCK']], 'LpcReplyMessageId' : [ 0x234, ['unsigned long']], 'ReadClusterSize' : [ 0x238, ['unsigned long']], 'GrantedAccess' : [ 0x23c, ['unsigned long']], 'CrossThreadFlags' : [ 0x240, ['unsigned long']], 'Terminated' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeadThread' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x240, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x240, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x240, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x240, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x240, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x240, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x244, ['unsigned long']], 'ActiveExWorker' : [ 0x244, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x244, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x244, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x244, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x248, ['unsigned long']], 'LpcReceivedMsgIdValid' : [ 0x248, ['BitField', dict(start_bit = 0, end_bit = 
1, native_type='unsigned char')]], 'LpcExitThreadCalled' : [ 0x248, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'AddressSpaceOwner' : [ 0x248, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x248, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x248, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemWorkingSetExclusive' : [ 0x248, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemWorkingSetShared' : [ 0x248, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x248, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x249, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ApcNeeded' : [ 0x249, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ForwardClusterOnly' : [ 0x24c, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x24d, ['unsigned char']], 'ActiveFaultCount' : [ 0x24e, ['unsigned char']], } ], '_EPROCESS' : [ 0x278, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x78, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x80, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x88, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0x90, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x94, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0x98, ['_LIST_ENTRY']], 'QuotaUsage' : [ 0xa0, ['array', 3, ['unsigned long']]], 'QuotaPeak' : [ 0xac, ['array', 3, ['unsigned long']]], 'CommitCharge' : [ 0xb8, ['unsigned long']], 'PeakVirtualSize' : [ 0xbc, ['unsigned long']], 'VirtualSize' : [ 0xc0, ['unsigned long']], 'SessionProcessLinks' : [ 0xc4, ['_LIST_ENTRY']], 'DebugPort' : [ 0xcc, ['pointer', ['void']]], 'ExceptionPort' : [ 0xd0, ['pointer', ['void']]], 'ObjectTable' : [ 0xd4, 
['pointer', ['_HANDLE_TABLE']]], 'Token' : [ 0xd8, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0xdc, ['unsigned long']], 'AddressCreationLock' : [ 0xe0, ['_KGUARDED_MUTEX']], 'HyperSpaceLock' : [ 0x100, ['unsigned long']], 'ForkInProgress' : [ 0x104, ['pointer', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x108, ['unsigned long']], 'PhysicalVadRoot' : [ 0x10c, ['pointer', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x110, ['pointer', ['void']]], 'NumberOfPrivatePages' : [ 0x114, ['unsigned long']], 'NumberOfLockedPages' : [ 0x118, ['unsigned long']], 'Win32Process' : [ 0x11c, ['pointer', ['void']]], 'Job' : [ 0x120, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x124, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x128, ['pointer', ['void']]], 'QuotaBlock' : [ 0x12c, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'WorkingSetWatch' : [ 0x130, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x134, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x138, ['pointer', ['void']]], 'LdtInformation' : [ 0x13c, ['pointer', ['void']]], 'VadFreeHint' : [ 0x140, ['pointer', ['void']]], 'VdmObjects' : [ 0x144, ['pointer', ['void']]], 'DeviceMap' : [ 0x148, ['pointer', ['void']]], 'Spare0' : [ 0x14c, ['array', 3, ['pointer', ['void']]]], 'PageDirectoryPte' : [ 0x158, ['_HARDWARE_PTE']], 'Filler' : [ 0x158, ['unsigned long long']], 'Session' : [ 0x160, ['pointer', ['void']]], 'ImageFileName' : [ 0x164, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x174, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x17c, ['pointer', ['void']]], 'ThreadListHead' : [ 0x180, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x188, ['pointer', ['void']]], 'PaeTop' : [ 0x18c, ['pointer', ['void']]], 'ActiveThreads' : [ 0x190, ['unsigned long']], 'GrantedAccess' : [ 0x194, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x198, ['unsigned long']], 'LastThreadExitStatus' : [ 0x19c, ['long']], 'Peb' : [ 0x1a0, ['pointer', ['_PEB']]], 'PrefetchTrace' : [ 0x1a4, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x1a8, 
['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x1b0, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1c0, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1c8, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1d0, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1d8, ['unsigned long']], 'CommitChargePeak' : [ 0x1dc, ['unsigned long']], 'AweInfo' : [ 0x1e0, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x1e4, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x1e8, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x230, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x238, ['unsigned long']], 'JobStatus' : [ 0x23c, ['unsigned long']], 'Flags' : [ 0x240, ['unsigned long']], 'CreateReported' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x240, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x240, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x240, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x240, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x240, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x240, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x240, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x240, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x240, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned 
long')]], 'BreakOnTermination' : [ 0x240, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'SessionCreationUnderway' : [ 0x240, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x240, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x240, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x240, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x240, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x240, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x240, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x240, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x240, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x240, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x240, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SmapAllowed' : [ 0x240, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'CreateFailed' : [ 0x240, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x240, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'Spare1' : [ 0x240, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Spare2' : [ 0x240, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x244, ['long']], 'NextPageColor' : [ 0x248, ['unsigned short']], 'SubSystemMinorVersion' : [ 0x24a, ['unsigned char']], 
'SubSystemMajorVersion' : [ 0x24b, ['unsigned char']], 'SubSystemVersion' : [ 0x24a, ['unsigned short']], 'PriorityClass' : [ 0x24c, ['unsigned char']], 'VadRoot' : [ 0x250, ['_MM_AVL_TABLE']], 'Cookie' : [ 0x270, ['unsigned long']], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Type' : [ 0x8, ['pointer', ['_OBJECT_TYPE']]], 'NameInfoOffset' : [ 0xc, ['unsigned char']], 'HandleInfoOffset' : [ 0xd, ['unsigned char']], 'QuotaInfoOffset' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'ExclusiveProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, { 'HandleCountDataBase' : [ 0x0, ['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'QueryReferences' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, 
['pointer', ['void']]], } ], '_OBJECT_TYPE' : [ 0x190, { 'Mutex' : [ 0x0, ['_ERESOURCE']], 'TypeList' : [ 0x38, ['_LIST_ENTRY']], 'Name' : [ 0x40, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x48, ['pointer', ['void']]], 'Index' : [ 0x4c, ['unsigned long']], 'TotalNumberOfObjects' : [ 0x50, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x54, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x58, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x5c, ['unsigned long']], 'TypeInfo' : [ 0x60, ['_OBJECT_TYPE_INITIALIZER']], 'Key' : [ 0xac, ['unsigned long']], 'ObjectLocks' : [ 0xb0, ['array', 4, ['_ERESOURCE']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_KGUARDED_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], 'KernelApcDisable' : [ 0x1c, ['short']], 'SpecialApcDisable' : [ 0x1e, ['short']], 'CombinedApcDisable' : [ 0x1c, ['unsigned long']], } ], '__unnamed_1154' : [ 0x4, { 'Long' : [ 0x0, ['unsigned long']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_1154']], } ], '__unnamed_1161' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'ReadStatus' : [ 0x0, ['long']], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_1163' : [ 0x4, { 'Blink' : [ 0x0, ['unsigned long']], 'ShareCount' : [ 0x0, ['unsigned long']], } ], '__unnamed_1166' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ShortFlags' 
: [ 0x2, ['unsigned short']], } ], '__unnamed_1168' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_1166']], } ], '__unnamed_116d' : [ 0x4, { 'EntireFrame' : [ 0x0, ['unsigned long']], 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'InPageError' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'VerifierAllocation' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 31, native_type='unsigned long')]], 'MustBeCached' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MMPFN' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1161']], 'PteAddress' : [ 0x4, ['pointer', ['_MMPTE']]], 'u2' : [ 0x8, ['__unnamed_1163']], 'u3' : [ 0xc, ['__unnamed_1168']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'AweReferenceCount' : [ 0x10, ['long']], 'u4' : [ 0x14, ['__unnamed_116d']], } ], '__unnamed_1174' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMVAD']]], } ], '__unnamed_1177' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_117c' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_1174']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1177']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x1c, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x20, ['pointer', 
['_MMPTE']]], 'u2' : [ 0x24, ['__unnamed_117c']], } ], '_MM_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x14, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x14, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x18, ['pointer', ['void']]], 'NodeFreeHint' : [ 0x1c, ['pointer', ['void']]], } ], '_MMPTE_FLUSH_LIST' : [ 0x88, { 'Count' : [ 0x0, ['unsigned long']], 'FlushVa' : [ 0x4, ['array', 33, ['pointer', ['void']]]], } ], '__unnamed_118e' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'u' : [ 0x4, ['__unnamed_118e']], 'StartingSector' : [ 0x8, ['unsigned long']], 'NumberOfFullSectors' : [ 0xc, ['unsigned long']], 'SubsectionBase' : [ 0x10, ['pointer', ['_MMPTE']]], 'UnusedPtes' : [ 0x14, ['unsigned long']], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'NextSubsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], } ], '_MMPAGING_FILE' : [ 0x3c, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'CurrentUsage' : [ 0x10, ['unsigned long']], 'PeakUsage' : [ 0x14, ['unsigned long']], 'HighestPage' : [ 0x18, ['unsigned long']], 'File' : [ 0x1c, ['pointer', ['_FILE_OBJECT']]], 'Entry' : [ 0x20, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x28, ['_UNICODE_STRING']], 'Bitmap' : [ 0x30, ['pointer', ['_RTL_BITMAP']]], 'PageFileNumber' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'ReferenceCount' : [ 0x34, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'BootPartition' : [ 
0x34, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Reserved' : [ 0x34, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'FileHandle' : [ 0x38, ['pointer', ['void']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' 
: [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } 
], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_120a' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 
'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_120a']], } ], '__unnamed_1211' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_1211']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } 
], '_SHARED_CACHE_MAP' : [ 0x130, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObject' : [ 0x44, ['pointer', ['_FILE_OBJECT']]], 'ActiveVacb' : [ 0x48, ['pointer', ['_VACB']]], 'NeedToZero' : [ 0x4c, ['pointer', ['void']]], 'ActivePage' : [ 0x50, ['unsigned long']], 'NeedToZeroPage' : [ 0x54, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x58, ['unsigned long']], 'VacbActiveCount' : [ 0x5c, ['unsigned long']], 'DirtyPages' : [ 0x60, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x64, ['_LIST_ENTRY']], 'Flags' : [ 0x6c, ['unsigned long']], 'Status' : [ 0x70, ['long']], 'Mbcb' : [ 0x74, ['pointer', ['_MBCB']]], 'Section' : [ 0x78, ['pointer', ['void']]], 'CreateEvent' : [ 0x7c, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x80, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x84, ['unsigned long']], 'BeyondLastFlush' : [ 0x88, ['long long']], 'Callbacks' : [ 0x90, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x94, ['pointer', ['void']]], 'PrivateList' : [ 0x98, ['_LIST_ENTRY']], 'LogHandle' : [ 0xa0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0xa4, ['pointer', ['void']]], 'DirtyPageThreshold' : [ 0xa8, ['unsigned long']], 'LazyWritePassCount' : [ 0xac, ['unsigned long']], 'UninitializeEvent' : [ 0xb0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0xb4, ['pointer', ['_VACB']]], 'BcbSpinLock' : [ 0xb8, ['unsigned long']], 'Reserved' : [ 0xbc, ['pointer', ['void']]], 'Event' : [ 0xc0, ['_KEVENT']], 'VacbPushLock' : [ 0xd0, ['_EX_PUSH_LOCK']], 'PrivateCacheMap' : [ 0xd8, ['_PRIVATE_CACHE_MAP']], } ], 
'_FILE_OBJECT' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], } ], '__unnamed_123a' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x18, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_123a']], 'LruList' : [ 0x10, ['_LIST_ENTRY']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '__unnamed_124f' : [ 0x10, { 'FreeListsInUseUlong' : [ 0x0, ['array', 4, ['unsigned long']]], 'FreeListsInUseBytes' : [ 0x0, ['array', 16, ['unsigned char']]], } ], '__unnamed_1251' : [ 0x2, { 'FreeListsInUseTerminate' : [ 0x0, ['unsigned short']], 'DecommitCount' : [ 0x0, ['unsigned short']], } ], '_HEAP' 
: [ 0x588, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'ForceFlags' : [ 0x10, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x14, ['unsigned long']], 'SegmentReserve' : [ 0x18, ['unsigned long']], 'SegmentCommit' : [ 0x1c, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x20, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x24, ['unsigned long']], 'TotalFreeSize' : [ 0x28, ['unsigned long']], 'MaximumAllocationSize' : [ 0x2c, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x30, ['unsigned short']], 'HeaderValidateLength' : [ 0x32, ['unsigned short']], 'HeaderValidateCopy' : [ 0x34, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x38, ['unsigned short']], 'MaximumTagIndex' : [ 0x3a, ['unsigned short']], 'TagEntries' : [ 0x3c, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRSegments' : [ 0x40, ['pointer', ['_HEAP_UCR_SEGMENT']]], 'UnusedUnCommittedRanges' : [ 0x44, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'AlignRound' : [ 0x48, ['unsigned long']], 'AlignMask' : [ 0x4c, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0x50, ['_LIST_ENTRY']], 'Segments' : [ 0x58, ['array', 64, ['pointer', ['_HEAP_SEGMENT']]]], 'u' : [ 0x158, ['__unnamed_124f']], 'u2' : [ 0x168, ['__unnamed_1251']], 'AllocatorBackTraceIndex' : [ 0x16a, ['unsigned short']], 'NonDedicatedListLength' : [ 0x16c, ['unsigned long']], 'LargeBlocksIndex' : [ 0x170, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0x174, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x178, ['array', 128, ['_LIST_ENTRY']]], 'LockVariable' : [ 0x578, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x57c, ['pointer', ['void']]], 'FrontEndHeap' : [ 0x580, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0x584, ['unsigned short']], 'FrontEndHeapType' : [ 0x586, ['unsigned char']], 'LastSegmentIndex' : [ 0x587, ['unsigned char']], } ], '_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'PreviousSize' : [ 0x2, ['unsigned short']], 
'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'SmallTagIndex' : [ 0x4, ['unsigned char']], 'Flags' : [ 0x5, ['unsigned char']], 'UnusedBytes' : [ 0x6, ['unsigned char']], 'SegmentIndex' : [ 0x7, ['unsigned char']], } ], '_HEAP_SEGMENT' : [ 0x3c, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Heap' : [ 0x10, ['pointer', ['_HEAP']]], 'LargestUnCommittedRange' : [ 0x14, ['unsigned long']], 'BaseAddress' : [ 0x18, ['pointer', ['void']]], 'NumberOfPages' : [ 0x1c, ['unsigned long']], 'FirstEntry' : [ 0x20, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x28, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x2c, ['unsigned long']], 'UnCommittedRanges' : [ 0x30, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'AllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'LastEntryInSegment' : [ 0x38, ['pointer', ['_HEAP_ENTRY']]], } ], '_HEAP_SUBSEGMENT' : [ 0x20, { 'Bucket' : [ 0x0, ['pointer', ['void']]], 'UserBlocks' : [ 0x4, ['pointer', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x8, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x10, ['unsigned short']], 'FreeThreshold' : [ 0x12, ['unsigned short']], 'BlockCount' : [ 0x14, ['unsigned short']], 'SizeIndex' : [ 0x16, ['unsigned char']], 'AffinityIndex' : [ 0x17, ['unsigned char']], 'Alignment' : [ 0x10, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x1c, ['unsigned long']], } ], '_TOKEN' : [ 0xa8, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'AuditPolicy' : [ 0x38, ['_SEP_AUDIT_POLICY']], 'ModifiedId' : [ 0x40, ['_LUID']], 'SessionId' : [ 0x48, ['unsigned long']], 'UserAndGroupCount' : 
[ 0x4c, ['unsigned long']], 'RestrictedSidCount' : [ 0x50, ['unsigned long']], 'PrivilegeCount' : [ 0x54, ['unsigned long']], 'VariableLength' : [ 0x58, ['unsigned long']], 'DynamicCharged' : [ 0x5c, ['unsigned long']], 'DynamicAvailable' : [ 0x60, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x64, ['unsigned long']], 'UserAndGroups' : [ 0x68, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x6c, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x70, ['pointer', ['void']]], 'Privileges' : [ 0x74, ['pointer', ['_LUID_AND_ATTRIBUTES']]], 'DynamicPart' : [ 0x78, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0x7c, ['pointer', ['_ACL']]], 'TokenType' : [ 0x80, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x84, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0x88, ['unsigned char']], 'TokenInUse' : [ 0x89, ['unsigned char']], 'ProxyData' : [ 0x8c, ['pointer', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0x90, ['pointer', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'LogonSession' : [ 0x94, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0x98, ['_LUID']], 'VariablePart' : [ 0xa0, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x18, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned long']], 'pDeviceMap' : [ 0x14, ['pointer', ['_DEVICE_MAP']]], } ], '_HEAP_UCR_SEGMENT' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_HEAP_UCR_SEGMENT']]], 'ReservedSize' : [ 0x4, ['unsigned long']], 'CommittedSize' : [ 0x8, ['unsigned long']], 'filler' : [ 0xc, ['unsigned long']], } ], '_HMAP_TABLE' : [ 0x2000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_ERESOURCE' : [ 0x38, { 
'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerThreads' : [ 0x18, ['array', 2, ['_OWNER_ENTRY']]], 'ContentionCount' : [ 0x28, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x2c, ['unsigned short']], 'NumberOfExclusiveWaiters' : [ 0x2e, ['unsigned short']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x10, ['_UNICODE_STRING']], 'LinkTargetObject' : [ 0x18, ['pointer', ['void']]], 'DosDeviceDriveIndex' : [ 0x1c, ['unsigned long']], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'NpxIrql' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Hand' : [ 0x2, ['unsigned char']], 'Inserted' : [ 0x3, ['unsigned char']], 'DebugActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x50, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 
'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'LoadedImports' : [ 0x44, ['pointer', ['void']]], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x4c, ['pointer', ['void']]], } ], '_HEAP_UNCOMMMTTED_RANGE' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'Address' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'filler' : [ 0xc, ['unsigned long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x128, { 'Nodes' : [ 0x0, ['array', 2, ['unsigned long']]], 'Resources' : [ 0x8, ['array', 2, ['unsigned long']]], 'Threads' : [ 0x10, ['array', 2, ['unsigned long']]], 'TimeAcquire' : [ 0x18, ['long long']], 'TimeRelease' : [ 0x20, ['long long']], 'BytesAllocated' : [ 0x28, ['unsigned long']], 'ResourceDatabase' : [ 0x2c, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabase' : [ 0x30, ['pointer', ['_LIST_ENTRY']]], 'AllocationFailures' : [ 0x34, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x38, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x3c, ['unsigned long']], 'NodesSearched' : [ 0x40, ['unsigned long']], 'MaxNodesSearched' : [ 0x44, ['unsigned long']], 'SequenceNumber' : [ 0x48, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4c, ['unsigned long']], 'SearchedNodesLimit' : [ 0x50, ['unsigned long']], 'DepthLimitHits' : [ 0x54, ['unsigned long']], 'SearchLimitHits' : [ 0x58, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x5c, ['unsigned long']], 'OutOfOrderReleases' : [ 0x60, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x64, ['unsigned long']], 'TotalReleases' : [ 0x68, ['unsigned long']], 'RootNodesDeleted' : [ 0x6c, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x70, ['unsigned long']], 'PoolTrimCounter' : [ 0x74, ['unsigned long']], 
'FreeResourceList' : [ 0x78, ['_LIST_ENTRY']], 'FreeThreadList' : [ 0x80, ['_LIST_ENTRY']], 'FreeNodeList' : [ 0x88, ['_LIST_ENTRY']], 'FreeResourceCount' : [ 0x90, ['unsigned long']], 'FreeThreadCount' : [ 0x94, ['unsigned long']], 'FreeNodeCount' : [ 0x98, ['unsigned long']], 'Instigator' : [ 0x9c, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0xa0, ['unsigned long']], 'Participant' : [ 0xa4, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'CacheReductionInProgress' : [ 0x124, ['unsigned long']], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_SECTION_OBJECT' : [ 0x18, { 'StartingVa' : [ 0x0, ['pointer', ['void']]], 'EndingVa' : [ 0x4, ['pointer', ['void']]], 'Parent' : [ 0x8, ['pointer', ['void']]], 'LeftChild' : [ 0xc, ['pointer', ['void']]], 'RightChild' : [ 0x10, ['pointer', ['void']]], 'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 
'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_SEGMENT_OBJECT' : [ 0x30, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'LargeControlArea' : [ 0x20, ['pointer', ['_LARGE_CONTROL_AREA']]], 'MmSectionFlags' : [ 0x24, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x28, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], '__unnamed_1337' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '_CONTROL_AREA' : [ 0x38, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfSystemCacheViews' : [ 0x18, ['unsigned long']], 'NumberOfUserReferences' : [ 0x1c, ['unsigned long']], 'u' : [ 0x20, ['__unnamed_1337']], 'FilePointer' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x28, ['pointer', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x2c, ['unsigned short']], 'FlushInProgressCount' : [ 0x2e, ['unsigned short']], 'WritableUserReferences' : [ 0x30, ['unsigned long']], 'QuadwordPad' : [ 0x34, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x44, { 'TableCode' : [ 0x0, ['unsigned long']], 'QuotaProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x8, ['pointer', ['void']]], 'HandleTableLock' : [ 0xc, ['array', 4, ['_EX_PUSH_LOCK']]], 'HandleTableList' : [ 0x1c, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x24, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x28, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], 
'ExtraInfoPages' : [ 0x2c, ['long']], 'FirstFree' : [ 0x30, ['unsigned long']], 'LastFree' : [ 0x34, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x38, ['unsigned long']], 'HandleCount' : [ 0x3c, ['long']], 'Flags' : [ 0x40, ['unsigned long']], 'StrictFIFO' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : 
[ 0x8, ['pointer', ['_KTHREAD']]], 'Object' : [ 0xc, ['pointer', ['void']]], 'NextWaitBlock' : [ 0x10, ['pointer', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x14, ['unsigned short']], 'WaitType' : [ 0x16, ['unsigned char']], 'SpareByte' : [ 0x17, ['unsigned char']], } ], '_MMPTE_PROTOTYPE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProtoAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'WhichPool' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtoAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_MMSUPPORT' : [ 0x48, { 'WorkingSetExpansionLinks' : [ 0x0, ['_LIST_ENTRY']], 'LastTrimTime' : [ 0x8, ['_LARGE_INTEGER']], 'Flags' : [ 0x10, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0x14, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x18, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x1c, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x20, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x24, ['unsigned long']], 'VmWorkingSetList' : [ 0x28, ['pointer', ['_MMWSL']]], 'Claim' : [ 0x2c, ['unsigned long']], 'NextEstimationSlot' : [ 0x30, ['unsigned long']], 'NextAgingSlot' : [ 0x34, ['unsigned long']], 'EstimatedAvailable' : [ 0x38, ['unsigned long']], 'WorkingSetSize' : [ 0x3c, ['unsigned long']], 'WorkingSetMutex' : [ 0x40, ['_EX_PUSH_LOCK']], } ], '_EX_WORK_QUEUE' : [ 0x3c, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x28, ['unsigned long']], 'WorkItemsProcessed' : [ 0x2c, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x30, ['unsigned long']], 'QueueDepthLastPass' : [ 0x34, ['unsigned long']], 'Info' : [ 0x38, ['EX_QUEUE_WORKER_INFO']], } 
], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SubsectionStatic' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 20, native_type='unsigned long')]], 'SectorEndOffset' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['unsigned short']]], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_EPROCESS_QUOTA_BLOCK' : [ 0x40, { 'QuotaEntry' : [ 0x0, ['array', 3, ['_EPROCESS_QUOTA_ENTRY']]], 'QuotaList' : [ 0x30, ['_LIST_ENTRY']], 'ReferenceCount' : [ 0x38, ['unsigned long']], 'ProcessCount' : [ 0x3c, ['unsigned long']], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, 
['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '_EVENT_COUNTER' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'RefCount' : [ 0x4, ['unsigned long']], 'Event' : [ 0x8, ['_KEVENT']], } ], '_EJOB' : [ 0x180, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x70, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0x78, ['unsigned long']], 'TotalProcesses' : [ 0x7c, ['unsigned long']], 'ActiveProcesses' : [ 0x80, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x84, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x88, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0x90, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0x98, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x9c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0xa0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xa4, ['unsigned long']], 'Affinity' : [ 0xa8, ['unsigned long']], 'PriorityClass' : [ 0xac, ['unsigned char']], 'UIRestrictionsClass' : [ 0xb0, ['unsigned long']], 'SecurityLimitFlags' : [ 0xb4, ['unsigned long']], 'Token' : [ 0xb8, ['pointer', ['void']]], 'Filter' : [ 0xbc, ['pointer', ['_PS_JOB_TOKEN_FILTER']]], 'EndOfJobTimeAction' : [ 0xc0, ['unsigned long']], 'CompletionPort' : [ 0xc4, ['pointer', ['void']]], 'CompletionKey' : [ 0xc8, ['pointer', ['void']]], 'SessionId' : [ 0xcc, ['unsigned long']], 'SchedulingClass' : [ 0xd0, ['unsigned long']], 'ReadOperationCount' : [ 0xd8, ['unsigned long long']], 'WriteOperationCount' : [ 0xe0, ['unsigned long long']], 'OtherOperationCount' : [ 0xe8, ['unsigned long long']], 'ReadTransferCount' : [ 0xf0, ['unsigned long long']], 'WriteTransferCount' : [ 0xf8, ['unsigned long long']], 'OtherTransferCount' : [ 0x100, ['unsigned long long']], 
'IoInfo' : [ 0x108, ['_IO_COUNTERS']], 'ProcessMemoryLimit' : [ 0x138, ['unsigned long']], 'JobMemoryLimit' : [ 0x13c, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x140, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x144, ['unsigned long']], 'CurrentJobMemoryUsed' : [ 0x148, ['unsigned long']], 'MemoryLimitsLock' : [ 0x14c, ['_KGUARDED_MUTEX']], 'JobSetLinks' : [ 0x16c, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x174, ['unsigned long']], 'JobFlags' : [ 0x178, ['unsigned long']], } ], '_LARGE_CONTROL_AREA' : [ 0x48, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfSystemCacheViews' : [ 0x18, ['unsigned long']], 'NumberOfUserReferences' : [ 0x1c, ['unsigned long']], 'u' : [ 0x20, ['__unnamed_1337']], 'FilePointer' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x28, ['pointer', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x2c, ['unsigned short']], 'FlushInProgressCount' : [ 0x2e, ['unsigned short']], 'WritableUserReferences' : [ 0x30, ['unsigned long']], 'QuadwordPad' : [ 0x34, ['unsigned long']], 'StartingFrame' : [ 0x38, ['unsigned long']], 'UserGlobalList' : [ 0x3c, ['_LIST_ENTRY']], 'SessionId' : [ 0x44, ['unsigned long']], } ], '_KGATE' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_PS_JOB_TOKEN_FILTER' : [ 0x24, { 'CapturedSidCount' : [ 0x0, ['unsigned long']], 'CapturedSids' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapturedSidsLength' : [ 0x8, ['unsigned long']], 'CapturedGroupCount' : [ 0xc, ['unsigned long']], 'CapturedGroups' : [ 0x10, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapturedGroupsLength' : [ 0x14, ['unsigned long']], 'CapturedPrivilegeCount' : [ 0x18, ['unsigned long']], 'CapturedPrivileges' : [ 0x1c, ['pointer', ['_LUID_AND_ATTRIBUTES']]], 'CapturedPrivilegesLength' : [ 0x20, ['unsigned long']], } ],
'_MM_DRIVER_VERIFIER_DATA' : [ 0x70, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'Reserved' : [ 0x68, ['array', 2, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMPTE_HARDWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Writable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x10, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'CmView' : [ 0x8, ['pointer', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0xc, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 
'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, 
end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ImageMappedInSystemSpace' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'filler' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_DEFERRED_WRITE' : [ 0x28, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], 'LimitModifiedPages' : [ 0x24, ['unsigned char']], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x1c, { 'Name' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'CmHive' : [ 0x8, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0xc, ['unsigned long']], 'CmHiveFlags' : [ 0x10, ['unsigned long']], 'CmHive2' : [ 0x14, ['pointer', 
['_CMHIVE']]], 'ThreadFinished' : [ 0x18, ['unsigned char']], 'ThreadStarted' : [ 0x19, ['unsigned char']], 'Allocate' : [ 0x1a, ['unsigned char']], } ], '_MMVAD_FLAGS' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 19, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 23, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_PS_IMPERSONATION_INFORMATION' : [ 0xc, { 'Token' : [ 0x0, ['pointer', ['void']]], 'CopyOnOpen' : [ 0x4, ['unsigned char']], 'EffectiveOnly' : [ 0x5, ['unsigned char']], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], } ], '__unnamed_13db' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], } ], '__unnamed_13dd' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_13e1' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 
0x120, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'Level' : [ 0x10, ['unsigned long']], 'Notify' : [ 0x14, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'State' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x20, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 
'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x70, ['unsigned long']], 'CompletionStatus' : [ 0x74, ['long']], 'PendingIrp' : [ 0x78, ['pointer', ['_IRP']]], 'Flags' : [ 0x7c, ['unsigned long']], 'UserFlags' : [ 0x80, ['unsigned long']], 'Problem' : [ 0x84, ['unsigned long']], 'PhysicalDeviceObject' : [ 0x88, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0x8c, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x90, ['pointer', ['_CM_RESOURCE_LIST']]], 'InstancePath' : [ 0x94, ['_UNICODE_STRING']], 'ServiceName' : [ 0x9c, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0xa4, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xa8, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xac, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xb0, ['unsigned long']], 'ChildInterfaceType' : [ 0xb4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 
'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0xb8, ['unsigned long']], 'ChildBusTypeIndex' : [ 0xbc, ['unsigned short']], 'RemovalPolicy' : [ 0xbe, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0xbf, ['unsigned char']], 'TargetDeviceNotify' : [ 0xc0, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0xc8, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0xd0, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0xd8, ['unsigned short']], 'QueryTranslatorMask' : [ 0xda, ['unsigned short']], 'NoArbiterMask' : [ 0xdc, ['unsigned short']], 'QueryArbiterMask' : [ 0xde, ['unsigned short']], 'OverUsed1' : [ 0xe0, ['__unnamed_13db']], 'OverUsed2' : [ 0xe4, ['__unnamed_13dd']], 'BootResources' : [ 0xe8, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0xec, ['unsigned long']], 'DockInfo' : [ 0xf0, ['__unnamed_13e1']], 'DisableableDepends' : [ 0x100, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x104, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x10c, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x114, ['unsigned long']], 'PreviousParent' : [ 0x118, ['pointer', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x11c, ['unsigned long']], } ], '__unnamed_13e6' : [ 0x38, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x38, { 'Lock' : [ 0x0, ['__unnamed_13e6']], } ], '_MMCOLOR_TABLES' : [ 0xc, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 
0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_KPROCESS' : [ 0x78, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['array', 2, ['unsigned long']]], 'LdtDescriptor' : [ 0x20, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x28, ['_KIDTENTRY']], 'IopmOffset' : [ 0x30, ['unsigned short']], 'Iopl' : [ 0x32, ['unsigned char']], 'Unused' : [ 0x33, ['unsigned char']], 'ActiveProcessors' : [ 0x34, ['unsigned long']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ReadyListHead' : [ 0x40, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x48, ['_SINGLE_LIST_ENTRY']], 'VdmTrapcHandler' : [ 0x4c, ['pointer', ['void']]], 'ThreadListHead' : [ 0x50, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x58, ['unsigned long']], 'Affinity' : [ 0x5c, ['unsigned long']], 'AutoAlignment' : [ 0x60, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x60, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x60, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ReservedFlags' : [ 0x60, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x60, ['long']], 'BasePriority' : [ 0x64, ['unsigned char']], 'QuantumReset' : [ 0x65, ['unsigned char']], 'State' : [ 0x66, ['unsigned char']], 'ThreadSeed' : [ 0x67, ['unsigned char']], 'PowerState' : [ 0x68, ['unsigned char']], 'IdealNode' : [ 0x69, ['unsigned char']], 'Visited' : [ 0x6a, ['unsigned char']], 'Flags' : [ 0x6b, ['_KEXECUTE_OPTIONS']], 'ExecuteOptions' : [ 0x6b, ['unsigned char']], 'StackCount' : [ 0x6c, ['unsigned long']], 'ProcessListEntry' : [ 0x70, ['_LIST_ENTRY']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, 
['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '__unnamed_1400' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1ec0, { 'GlobalVirtualAddress' : [ 0x0, ['pointer', ['_MM_SESSION_SPACE']]], 'ReferenceCount' : [ 0x4, ['long']], 'u' : [ 0x8, ['__unnamed_1400']], 'SessionId' : [ 0xc, ['unsigned long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x18, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long']], 'NonPagablePages' : [ 0x24, ['unsigned long']], 'CommittedPages' : [ 0x28, ['unsigned long']], 'PagedPoolStart' : [ 0x2c, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x30, ['pointer', ['void']]], 'PagedPoolBasePde' : [ 0x34, ['pointer', ['_MMPTE']]], 'Color' : [ 0x38, ['unsigned long']], 'ResidentProcessCount' : [ 0x3c, ['long']], 'SessionPoolAllocationFailures' : [ 0x40, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x50, ['_LIST_ENTRY']], 'LocaleId' : [ 0x58, ['unsigned long']], 'AttachCount' : [ 0x5c, ['unsigned long']], 'AttachEvent' : [ 0x60, ['_KEVENT']], 'LastProcess' : [ 0x70, ['pointer', ['_EPROCESS']]], 'ProcessReferenceToSession' : [ 0x74, ['long']], 'WsListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 26, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xd80, ['_MMSESSION']], 'PagedPoolMutex' : [ 0xdc0, ['_KGUARDED_MUTEX']], 'PagedPoolInfo' : [ 0xde0, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xe00, ['_MMSUPPORT']], 'Wsle' : [ 0xe48, ['pointer', ['_MMWSLE']]], 'Win32KDriverUnload' : [ 0xe4c, ['pointer', ['void']]], 'PagedPool' : [ 0xe50, ['_POOL_DESCRIPTOR']], 'PageTables' : [ 0x1e80, ['pointer', ['_MMPTE']]], 'ImageLoadingCount' : [ 0x1e84, ['long']], } ], '_PEB' : [ 0x230, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 
0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x20, ['pointer', ['void']]], 'SparePtr2' : [ 0x24, ['pointer', ['void']]], 'EnvironmentUpdateCount' : [ 0x28, ['unsigned long']], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x34, ['unsigned long']], 'FreeList' : [ 0x38, ['pointer', ['_PEB_FREE_BLOCK']]], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'ReadOnlySharedMemoryHeap' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 
'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['pointer', ['void']]]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'PreviousSize' : [ 0x2, ['unsigned short']], 'SubSegmentCode' 
: [ 0x0, ['pointer', ['void']]], 'SmallTagIndex' : [ 0x4, ['unsigned char']], 'Flags' : [ 0x5, ['unsigned char']], 'UnusedBytes' : [ 0x6, ['unsigned char']], 'SegmentIndex' : [ 0x7, ['unsigned char']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_MMPTE_SOFTWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '__unnamed_142f' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], 'LastByte' : [ 0x0, ['_LARGE_INTEGER']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x60, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'WriteOffset' : [ 0x8, ['_LARGE_INTEGER']], 'u' : [ 0x10, ['__unnamed_142f']], 'Irp' : [ 0x18, ['pointer', ['_IRP']]], 
'LastPageToWrite' : [ 0x1c, ['unsigned long']], 'PagingListHead' : [ 0x20, ['pointer', ['_MMMOD_WRITER_LISTHEAD']]], 'CurrentList' : [ 0x24, ['pointer', ['_LIST_ENTRY']]], 'PagingFile' : [ 0x28, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x2c, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x30, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x34, ['pointer', ['_ERESOURCE']]], 'IssueTime' : [ 0x38, ['_LARGE_INTEGER']], 'Mdl' : [ 0x40, ['_MDL']], 'Page' : [ 0x5c, ['array', 1, ['unsigned long']]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_EPROCESS_QUOTA_ENTRY' : [ 0x10, { 'Usage' : [ 0x0, ['unsigned long']], 'Limit' : [ 0x4, ['unsigned long']], 'Peak' : [ 0x8, ['unsigned long']], 'Return' : [ 0xc, ['unsigned long']], } ], '__unnamed_1445' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_1445']], } ], '__unnamed_144b' : [ 0x208, { 'FnArea' : [ 0x0, ['_FNSAVE_FORMAT']], 'FxArea' 
: [ 0x0, ['_FXSAVE_FORMAT']], } ], '_FX_SAVE_AREA' : [ 0x210, { 'U' : [ 0x0, ['__unnamed_144b']], 'NpxSavedCpu' : [ 0x208, ['unsigned long']], 'Cr0NpxState' : [ 0x20c, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x120, { 'IdleFunction' : [ 0x0, ['pointer', ['void']]], 'Idle0KernelTimeLimit' : [ 0x4, ['unsigned long']], 'Idle0LastTime' : [ 0x8, ['unsigned long']], 'IdleHandlers' : [ 0xc, ['pointer', ['void']]], 'IdleState' : [ 0x10, ['pointer', ['void']]], 'IdleHandlersCount' : [ 0x14, ['unsigned long']], 'LastCheck' : [ 0x18, ['unsigned long long']], 'IdleTimes' : [ 0x20, ['PROCESSOR_IDLE_TIMES']], 'IdleTime1' : [ 0x40, ['unsigned long']], 'PromotionCheck' : [ 0x44, ['unsigned long']], 'IdleTime2' : [ 0x48, ['unsigned long']], 'CurrentThrottle' : [ 0x4c, ['unsigned char']], 'ThermalThrottleLimit' : [ 0x4d, ['unsigned char']], 'CurrentThrottleIndex' : [ 0x4e, ['unsigned char']], 'ThermalThrottleIndex' : [ 0x4f, ['unsigned char']], 'LastKernelUserTime' : [ 0x50, ['unsigned long']], 'PerfIdleTime' : [ 0x54, ['unsigned long']], 'DebugDelta' : [ 0x58, ['unsigned long long']], 'DebugCount' : [ 0x60, ['unsigned long']], 'LastSysTime' : [ 0x64, ['unsigned long']], 'TotalIdleStateTime' : [ 0x68, ['array', 3, ['unsigned long long']]], 'TotalIdleTransitions' : [ 0x80, ['array', 3, ['unsigned long']]], 'PreviousC3StateTime' : [ 0x90, ['unsigned long long']], 'KneeThrottleIndex' : [ 0x98, ['unsigned char']], 'ThrottleLimitIndex' : [ 0x99, ['unsigned char']], 'PerfStatesCount' : [ 0x9a, ['unsigned char']], 'ProcessorMinThrottle' : [ 0x9b, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x9c, ['unsigned char']], 'LastBusyPercentage' : [ 0x9d, ['unsigned char']], 'LastC3Percentage' : [ 0x9e, ['unsigned char']], 'LastAdjustedBusyPercentage' : [ 0x9f, ['unsigned char']], 'PromotionCount' : [ 0xa0, ['unsigned long']], 'DemotionCount' : [ 0xa4, ['unsigned long']], 
'ErrorCount' : [ 0xa8, ['unsigned long']], 'RetryCount' : [ 0xac, ['unsigned long']], 'Flags' : [ 0xb0, ['unsigned long']], 'PerfCounterFrequency' : [ 0xb8, ['_LARGE_INTEGER']], 'PerfTickCount' : [ 0xc0, ['unsigned long']], 'PerfTimer' : [ 0xc8, ['_KTIMER']], 'PerfDpc' : [ 0xf0, ['_KDPC']], 'PerfStates' : [ 0x110, ['pointer', ['PROCESSOR_PERF_STATE']]], 'PerfSetThrottle' : [ 0x114, ['pointer', ['void']]], 'LastC3KernelUserTime' : [ 0x118, ['unsigned long']], 'Spare1' : [ 0x11c, ['array', 1, ['unsigned long']]], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'Modified' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned short')]], 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 11, native_type='unsigned short')]], 'RemovalRequested' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 14, native_type='unsigned short')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'ParityError' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], } ], '_IO_COUNTERS' : [ 0x30, { 'ReadOperationCount' : [ 0x0, ['unsigned long long']], 'WriteOperationCount' : [ 0x8, ['unsigned long long']], 'OtherOperationCount' : [ 0x10, ['unsigned long long']], 'ReadTransferCount' : [ 0x18, ['unsigned long long']], 
'WriteTransferCount' : [ 0x20, ['unsigned long long']], 'OtherTransferCount' : [ 0x28, ['unsigned long long']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 
'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x4c, { 'IdleCount' : [ 0x0, ['long']], 'ConservationIdleTime' : [ 0x4, ['unsigned long']], 'PerformanceIdleTime' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x10, ['_LIST_ENTRY']], 'DeviceType' : [ 0x18, ['unsigned char']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x20, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x28, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x30, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x44, ['_LIST_ENTRY']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'BeingTrimmed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'SessionLeader' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Available0' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'GrowWsleHash' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'AcquiredUnsafe' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Available' : [ 
0x2, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_MMMOD_WRITER_LISTHEAD' : [ 0x18, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Event' : [ 0x8, ['_KEVENT']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 
'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POP_THERMAL_ZONE' : [ 0xd0, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x8, ['unsigned char']], 'Flags' : [ 0x9, ['unsigned char']], 'Mode' : [ 0xa, ['unsigned char']], 'PendingMode' : [ 0xb, ['unsigned char']], 'ActivePoint' : [ 0xc, ['unsigned char']], 'PendingActivePoint' : [ 0xd, ['unsigned char']], 'Throttle' : [ 0x10, ['long']], 'LastTime' : [ 0x18, ['unsigned long long']], 'SampleRate' : [ 0x20, ['unsigned long']], 'LastTemp' : [ 0x24, ['unsigned long']], 'PassiveTimer' : [ 0x28, ['_KTIMER']], 'PassiveDpc' : [ 0x50, ['_KDPC']], 'OverThrottled' : [ 0x70, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0x7c, ['pointer', ['_IRP']]], 'Info' : [ 0x80, ['_THERMAL_INFORMATION']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, 
['_UNICODE_STRING']], 'ContainerMask' : [ 0x10, ['unsigned long']], 'ObjectMask' : [ 0x14, ['unsigned long']], } ], '_PROCESSOR_POWER_POLICY' : [ 0x4c, { 'Revision' : [ 0x0, ['unsigned long']], 'DynamicThrottle' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'DisableCStates' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'PolicyCount' : [ 0xc, ['unsigned long']], 'Policy' : [ 0x10, ['array', 3, ['_PROCESSOR_POWER_POLICY_INFO']]], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'OwnerCount' : [ 0x4, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], 
'_RTL_ATOM_TABLE' : [ 0x44, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x4, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x1c, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x3c, ['unsigned long']], 'Buckets' : [ 0x40, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_FNSAVE_FORMAT' : [ 0x6c, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 
'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PROCESSOR_PERF_STATE' : [ 0x20, { 'PercentFrequency' : [ 0x0, ['unsigned char']], 'MinCapacity' : [ 0x1, ['unsigned char']], 'Power' : [ 0x2, ['unsigned short']], 'IncreaseLevel' : [ 0x4, ['unsigned char']], 'DecreaseLevel' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'IncreaseTime' : [ 0x8, ['unsigned long']], 'DecreaseTime' : [ 0xc, ['unsigned long']], 'IncreaseCount' : [ 0x10, ['unsigned long']], 'DecreaseCount' : [ 0x14, ['unsigned long']], 'PerformanceTime' : [ 0x18, ['unsigned long long']], } ], 'PROCESSOR_IDLE_TIMES' : [ 0x20, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], 'IdleHandlerReserved' : [ 0x10, ['array', 4, ['unsigned long']]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_iobuf' : [ 0x20, { '_ptr' : [ 0x0, ['pointer', ['unsigned char']]], '_cnt' : [ 0x4, ['long']], '_base' : [ 0x8, ['pointer', ['unsigned char']]], '_flag' : [ 0xc, ['long']], '_file' : [ 0x10, ['long']], '_charbuf' : [ 0x14, ['long']], '_bufsiz' : [ 0x18, ['long']], '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]], } ], '_MMPTE_LIST' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_CMHIVE' : [ 0x57c, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x2d0, ['array', 3, ['pointer', ['void']]]], 'NotifyList' : [ 0x2dc, ['_LIST_ENTRY']], 'HiveList' : [ 0x2e4, ['_LIST_ENTRY']], 'HiveLock' : [ 0x2ec, ['_EX_PUSH_LOCK']], 'ViewLock' : [ 0x2f0, ['pointer', ['_KGUARDED_MUTEX']]], 'WriterLock' : [ 0x2f4, ['_EX_PUSH_LOCK']], 'FlusherLock' : [ 0x2f8, ['_EX_PUSH_LOCK']], 'SecurityLock' : [ 0x2fc, ['_EX_PUSH_LOCK']], 'LRUViewListHead' : [ 0x300, ['_LIST_ENTRY']], 'PinViewListHead' : [ 0x308, ['_LIST_ENTRY']], 'FileObject' : [ 0x310, ['pointer', ['_FILE_OBJECT']]], 'FileFullPath' : [ 0x314, ['_UNICODE_STRING']], 'FileUserName' : [ 0x31c, ['_UNICODE_STRING']], 'MappedViews' : [ 0x324, ['unsigned short']], 'PinnedViews' : [ 0x326, ['unsigned short']], 'UseCount' : [ 0x328, ['unsigned long']], 'SecurityCount' : [ 0x32c, ['unsigned long']], 'SecurityCacheSize' : [ 0x330, ['unsigned long']], 'SecurityHitHint' : [ 0x334, ['long']], 'SecurityCache' : [ 0x338, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x33c, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEvent' : [ 0x53c, ['pointer', ['_KEVENT']]], 'RootKcb' : [ 0x540, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x544, ['unsigned char']], 'UnloadWorkItem' : [ 0x548, ['pointer', ['_WORK_QUEUE_ITEM']]], 'GrowOnlyMode' : [ 0x54c, ['unsigned char']], 'GrowOffset' : [ 0x550, ['unsigned long']], 'KcbConvertListHead' : [ 0x554, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0x55c, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x564, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 
'Flags' : [ 0x568, ['unsigned long']], 'TrustClassEntry' : [ 0x56c, ['_LIST_ENTRY']], 'FlushCount' : [ 0x574, ['unsigned long']], 'CreatorOwner' : [ 0x578, ['pointer', ['_KTHREAD']]], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_HHIVE' : [ 0x2d0, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]], 'Allocate' : [ 0xc, ['pointer', ['void']]], 'Free' : [ 0x10, ['pointer', ['void']]], 'FileSetSize' : [ 0x14, ['pointer', ['void']]], 'FileWrite' : [ 0x18, ['pointer', ['void']]], 'FileRead' : [ 0x1c, ['pointer', ['void']]], 'FileFlush' : [ 0x20, ['pointer', ['void']]], 'BaseBlock' : [ 0x24, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x28, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x30, ['unsigned long']], 'DirtyAlloc' : [ 0x34, ['unsigned long']], 'BaseBlockAlloc' : [ 0x38, ['unsigned long']], 'Cluster' : [ 0x3c, ['unsigned long']], 'Flat' : [ 0x40, ['unsigned char']], 'ReadOnly' : [ 0x41, ['unsigned char']], 'Log' : [ 0x42, ['unsigned char']], 'DirtyFlag' : [ 0x43, ['unsigned char']], 'HiveFlags' : [ 0x44, ['unsigned long']], 'LogSize' : [ 0x48, ['unsigned long']], 'RefreshCount' : [ 0x4c, ['unsigned long']], 'StorageTypeCount' : [ 0x50, ['unsigned long']], 'Version' : [ 0x54, ['unsigned long']], 'Storage' : [ 0x58, ['array', 2, ['_DUAL']]], } ], 
'_PAGEFAULT_HISTORY' : [ 0x18, { 'CurrentIndex' : [ 0x0, ['unsigned long']], 'MaxIndex' : [ 0x4, ['unsigned long']], 'SpinLock' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['pointer', ['void']]], 'WatchInfo' : [ 0x10, ['array', 1, ['_PROCESS_WS_WATCH_INFORMATION']]], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x10, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'ReferenceCount' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'NameLength' : [ 0xb, ['unsigned char']], 'Name' : [ 0xc, ['array', 1, ['unsigned short']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x30, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ParseContext' : [ 0x8, ['pointer', ['void']]], 'ProbeMode' : [ 0xc, ['unsigned char']], 'PagedPoolCharge' : [ 0x10, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x1c, ['pointer', ['void']]], 'SecurityQos' : [ 0x20, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x24, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '__unnamed_151b' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, 
['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_151b']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x8, { 'PolicyElements' : [ 0x0, ['_SEP_AUDIT_POLICY_CATEGORIES']], 'PolicyOverlay' : [ 0x0, ['_SEP_AUDIT_POLICY_OVERLAY']], 'Overlay' : [ 0x0, ['unsigned long long']], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_MBCB' : [ 0x80, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'BitmapRange1' : [ 0x20, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x40, 
['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x60, ['_BITMAP_RANGE']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0xc, ['_LIST_ENTRY']], } ], '_CM_VIEW_OF_FILE' : [ 0x24, { 'LRUViewList' : [ 0x0, ['_LIST_ENTRY']], 'PinViewList' : [ 0x8, ['_LIST_ENTRY']], 'FileOffset' : [ 0x10, ['unsigned long']], 'Size' : [ 0x14, ['unsigned long']], 'ViewAddress' : [ 0x18, ['pointer', ['unsigned long']]], 'Bcb' : [ 0x1c, ['pointer', ['void']]], 'UseCount' : [ 0x20, ['unsigned long']], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_KUSER_SHARED_DATA' : [ 0x378, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['unsigned short']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 
'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'TraceLogging' : [ 0x2f0, ['unsigned long']], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], 'Wow64SharedInformation' : [ 0x334, ['array', 16, ['unsigned long']]], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x4c, { 'Length' : [ 0x0, ['unsigned short']], 'UseDefaultObject' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x3, ['unsigned char']], 'InvalidAttributes' : [ 0x4, ['unsigned long']], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x18, ['unsigned long']], 'SecurityRequired' : [ 0x1c, ['unsigned char']], 'MaintainHandleCount' : [ 0x1d, ['unsigned char']], 'MaintainTypeList' : [ 0x1e, ['unsigned char']], 'PoolType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 
33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x24, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DumpProcedure' : [ 0x2c, ['pointer', ['void']]], 'OpenProcedure' : [ 0x30, ['pointer', ['void']]], 'CloseProcedure' : [ 0x34, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x38, ['pointer', ['void']]], 'ParseProcedure' : [ 0x3c, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x40, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x44, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x48, ['pointer', ['void']]], } ], '__unnamed_1565' : [ 0x8, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_156b' : [ 0x4, { 'Banked' : [ 0x0, ['pointer', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x34, { 'u1' : [ 0x0, ['__unnamed_1174']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1177']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x1c, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x20, ['pointer', ['_MMPTE']]], 'u2' : [ 0x24, ['__unnamed_117c']], 'u3' : [ 0x28, ['__unnamed_1565']], 'u4' : [ 0x30, ['__unnamed_156b']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_POOL_DESCRIPTOR' : [ 0x1030, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['unsigned long']], 'RunningDeAllocs' : [ 0xc, ['unsigned long']], 'TotalPages' : [ 0x10, ['unsigned long']], 'TotalBigPages' : [ 0x14, ['unsigned long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x1c, ['pointer', ['void']]], 'PendingFrees' : [ 0x20, ['pointer', ['void']]], 'PendingFreeDepth' : [ 0x24, ['long']], 'TotalBytes' : [ 0x28, ['unsigned long']], 'Spare0' : [ 0x2c, ['unsigned long']], 'ListHeads' : [ 0x30, ['array', 512, ['_LIST_ENTRY']]], } ], '_HARDWARE_PTE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, 
end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'reserved' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_PEB_LDR_DATA' : [ 0x28, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_MM_PAGED_POOL_INFO' : [ 0x20, { 'PagedPoolAllocationMap' : [ 0x0, ['pointer', ['_RTL_BITMAP']]], 'EndOfPagedPoolBitmap' : [ 0x4, ['pointer', ['_RTL_BITMAP']]], 'FirstPteForPagedPool' : 
[ 0x8, ['pointer', ['_MMPTE']]], 'LastPteForPagedPool' : [ 0xc, ['pointer', ['_MMPTE']]], 'NextPdeForPagedPoolExpansion' : [ 0x10, ['pointer', ['_MMPTE']]], 'PagedPoolHint' : [ 0x14, ['unsigned long']], 'PagedPoolCommit' : [ 0x18, ['unsigned long']], 'AllocatedPagedPool' : [ 0x1c, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['unsigned short']]], } ], '_MMSESSION' : [ 0x40, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewStart' : [ 0x24, ['pointer', ['unsigned char']]], 'SystemSpaceViewTable' : [ 0x28, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x30, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x34, ['unsigned long']], 'BitmapFailures' : [ 0x38, ['unsigned long']], 'SystemSpaceBitMap' : [ 0x3c, ['pointer', ['_RTL_BITMAP']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], 
'_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_SEP_AUDIT_POLICY_OVERLAY' : [ 0x8, { 'PolicyBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'SetBit' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long']], 'QuotaObject' : [ 0xc, ['pointer', ['void']]], } ], '_PROCESS_WS_WATCH_INFORMATION' : [ 0x8, { 'FaultingPc' : [ 0x0, ['pointer', ['void']]], 'FaultingVa' : [ 0x4, ['pointer', ['void']]], } ], '_MMPTE_SUBSECTION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SubsectionAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SubsectionAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 31, native_type='unsigned long')]], 'WhichPool' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_VI_DEADLOCK_NODE' : [ 0x68, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'Active' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned 
long')]], 'ReleasedOutOfOrder' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x24, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x28, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x48, ['array', 8, ['pointer', ['void']]]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 
'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_PCI_PDO_EXTENSION' : [ 0xc8, { 'Next' : [ 0x0, ['pointer', ['_PCI_PDO_EXTENSION']]], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 
1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtLock' : [ 0x10, ['_KEVENT']], 'Slot' : [ 0x20, ['_PCI_SLOT_NUMBER']], 'PhysicalDeviceObject' : [ 0x24, ['pointer', ['_DEVICE_OBJECT']]], 'ParentFdoExtension' : [ 0x28, ['pointer', ['_PCI_FDO_EXTENSION']]], 'SecondaryExtension' : [ 0x2c, ['_SINGLE_LIST_ENTRY']], 'BusInterfaceReferenceCount' : [ 0x30, ['unsigned long']], 'AgpInterfaceReferenceCount' : [ 0x34, ['unsigned long']], 'VendorId' : [ 0x38, ['unsigned short']], 'DeviceId' : [ 0x3a, ['unsigned short']], 'SubsystemVendorId' : [ 0x3c, ['unsigned short']], 'SubsystemId' : [ 0x3e, ['unsigned short']], 'RevisionId' : [ 0x40, ['unsigned char']], 'ProgIf' : [ 0x41, ['unsigned char']], 'SubClass' : [ 0x42, ['unsigned char']], 'BaseClass' : [ 0x43, ['unsigned char']], 'AdditionalResourceCount' : [ 0x44, ['unsigned char']], 'AdjustedInterruptLine' : [ 0x45, ['unsigned char']], 'InterruptPin' : [ 0x46, ['unsigned char']], 'RawInterruptLine' : [ 0x47, ['unsigned char']], 'CapabilitiesPtr' : [ 0x48, ['unsigned char']], 'SavedLatencyTimer' : [ 0x49, ['unsigned char']], 'SavedCacheLineSize' : [ 0x4a, ['unsigned char']], 'HeaderType' : [ 0x4b, ['unsigned char']], 'NotPresent' : [ 0x4c, ['unsigned char']], 'ReportedMissing' : [ 0x4d, ['unsigned char']], 'ExpectedWritebackFailure' : [ 0x4e, ['unsigned char']], 'NoTouchPmeEnable' : [ 0x4f, ['unsigned char']], 'LegacyDriver' : [ 0x50, ['unsigned char']], 'UpdateHardware' : [ 0x51, ['unsigned char']], 'MovedDevice' : [ 0x52, ['unsigned char']], 'DisablePowerDown' : [ 0x53, ['unsigned char']],
'NeedsHotPlugConfiguration' : [ 0x54, ['unsigned char']], 'IDEInNativeMode' : [ 0x55, ['unsigned char']], 'BIOSAllowsIDESwitchToNativeMode' : [ 0x56, ['unsigned char']], 'IoSpaceUnderNativeIdeControl' : [ 0x57, ['unsigned char']], 'OnDebugPath' : [ 0x58, ['unsigned char']], 'IoSpaceNotRequired' : [ 0x59, ['unsigned char']], 'PowerState' : [ 0x5c, ['PCI_POWER_STATE']], 'Dependent' : [ 0x9c, ['PCI_HEADER_TYPE_DEPENDENT']], 'HackFlags' : [ 0xa0, ['unsigned long long']], 'Resources' : [ 0xa8, ['pointer', ['PCI_FUNCTION_RESOURCES']]], 'BridgeFdoExtension' : [ 0xac, ['pointer', ['_PCI_FDO_EXTENSION']]], 'NextBridge' : [ 0xb0, ['pointer', ['_PCI_PDO_EXTENSION']]], 'NextHashEntry' : [ 0xb4, ['pointer', ['_PCI_PDO_EXTENSION']]], 'Lock' : [ 0xb8, ['_PCI_LOCK']], 'PowerCapabilities' : [ 0xc0, ['_PCI_PMC']], 'TargetAgpCapabilityId' : [ 0xc2, ['unsigned char']], 'CommandEnables' : [ 0xc4, ['unsigned short']], 'InitialCommand' : [ 0xc6, ['unsigned short']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '__unnamed_15da' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_15dc' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_15da']], 'Merged' : [ 0x10, ['__unnamed_15dc']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 
'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x14, ['unsigned char']], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_DEVICE_MAP' : [ 0x30, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'ReferenceCount' : [ 0x8, ['unsigned long']], 'DriveMap' : [ 0xc, ['unsigned long']], 'DriveType' : [ 0x10, ['array', 32, ['unsigned char']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x20, { 'BasePhysicalPage' : [ 0x0, ['unsigned long']], 'BasedPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'BankSize' : [ 0x8, ['unsigned long']], 'BankShift' : [ 0xc, ['unsigned long']], 'BankedRoutine' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'CurrentMappedPte' : [ 0x18, ['pointer', ['_MMPTE']]], 'BankTemplate' : [ 0x1c, ['array', 1, ['_MMPTE']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', 
['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned long']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '__unnamed_1600' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_1607' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, 
['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1609' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_1600']], 'Bits' : [ 0x0, ['__unnamed_1607']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_1609']], } ], '__unnamed_1613' : [ 0x5, { 'Acquired' : [ 0x0, ['unsigned char']], 'CacheLineSize' : [ 0x1, ['unsigned char']], 'LatencyTimer' : [ 0x2, ['unsigned char']], 'EnablePERR' : [ 0x3, ['unsigned char']], 'EnableSERR' : [ 0x4, ['unsigned char']], } ], '_PCI_FDO_EXTENSION' : [ 0xc0, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 
1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtLock' : [ 0x10, ['_KEVENT']], 'PhysicalDeviceObject' : [ 0x20, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalDeviceObject' : [ 0x24, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDeviceObject' : [ 0x28, ['pointer', ['_DEVICE_OBJECT']]], 'ChildListLock' : [ 0x2c, ['_KEVENT']], 'ChildPdoList' : [ 0x3c, ['pointer', ['_PCI_PDO_EXTENSION']]], 'BusRootFdoExtension' : [ 0x40, ['pointer', ['_PCI_FDO_EXTENSION']]], 'ParentFdoExtension' : [ 0x44, ['pointer', ['_PCI_FDO_EXTENSION']]], 'ChildBridgePdoList' : [ 0x48, ['pointer', ['_PCI_PDO_EXTENSION']]], 'PciBusInterface' : [ 0x4c, ['pointer', ['_PCI_BUS_INTERFACE_STANDARD']]], 'MaxSubordinateBus' : [ 0x50, ['unsigned char']], 'BusHandler' : [ 0x54, ['pointer', ['_BUS_HANDLER']]], 'BaseBus' : [ 0x58, ['unsigned char']], 'Fake' : [ 0x59, ['unsigned char']], 'ChildDelete' : [ 0x5a, ['unsigned char']], 'Scanned' : [ 0x5b, ['unsigned char']], 'ArbitersInitialized' : [ 0x5c, ['unsigned char']], 'BrokenVideoHackApplied' : [ 0x5d, ['unsigned char']], 'Hibernated' : [ 0x5e, ['unsigned char']], 'PowerState' : [ 0x60, ['PCI_POWER_STATE']], 'SecondaryExtension' : [ 0xa0, ['_SINGLE_LIST_ENTRY']], 'ChildWaitWakeCount' : [ 0xa4, ['unsigned long']], 'PreservedConfig' : [ 0xa8, ['pointer', ['_PCI_COMMON_CONFIG']]], 'Lock' : [ 0xac, ['_PCI_LOCK']], 'HotPlugParameters' : [ 0xb4, ['__unnamed_1613']], 'BusHackFlags' : [ 0xbc, ['unsigned long']], } ], '__unnamed_1617' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1619' : [ 0xc, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_161b' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']],
'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_161d' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_161f' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1621' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1623' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_1617']], 'Port' : [ 0x0, ['__unnamed_1617']], 'Interrupt' : [ 0x0, ['__unnamed_1619']], 'Memory' : [ 0x0, ['__unnamed_1617']], 'Dma' : [ 0x0, ['__unnamed_161b']], 'DevicePrivate' : [ 0x0, ['__unnamed_161d']], 'BusNumber' : [ 0x0, ['__unnamed_161f']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1621']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1623']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x60, { 'RefCount' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, 
['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0xc, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x14, ['unsigned long']], 'ParentKcb' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x1c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x20, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x24, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x2c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x2c, ['unsigned long']], 'SubKeyCount' : [ 0x2c, ['unsigned long']], 'KeyBodyListHead' : [ 0x30, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x30, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x38, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'DelayCloseEntry' : [ 0x48, ['pointer', ['void']]], 'KcbLastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x58, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x5a, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x5c, ['unsigned long']], } ], '_PCI_BUS_INTERFACE_STANDARD' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ReadConfig' : [ 0x10, ['pointer', ['void']]], 'WriteConfig' : [ 0x14, ['pointer', ['void']]], 'PinToLine' : [ 0x18, ['pointer', ['void']]], 'LineToPin' : [ 0x1c, ['pointer', ['void']]], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'Level' : [ 0x10, ['unsigned long']], 'ResourceList' : [ 0x14, 
['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['long']], } ], '_SEP_AUDIT_POLICY_CATEGORIES' : [ 0x8, { 'System' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'Logon' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'ObjectAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'PrivilegeUse' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'DetailedTracking' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'PolicyChange' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'AccountManagement' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 28, native_type='unsigned long')]], 'DirectoryServiceAccess' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'AccountLogon' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '__unnamed_165d' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1663' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1665' : [ 0x8, { 
'AsynchronousParameters' : [ 0x0, ['__unnamed_1663']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_166d' : [ 0x28, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_166f' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_166d']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_165d']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_1665']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_166f']], } ], '_PCI_LOCK' : [ 0x8, { 'Atom' : [ 0x0, ['unsigned long']], 'OldIrql' : [ 0x4, ['unsigned char']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '__unnamed_167b' : [ 0x4, { 'PhysicalAddress' : [ 0x0, 
['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_167b']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '__unnamed_1681' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0xc, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyInitiatePowerActionAPI', 4: 'PolicySetPowerStateAPI', 5: 'PolicyImmediateDozeS4', 6: 'PolicySystemIdle'})]], 'Flags' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'Battery' : [ 0x8, ['__unnamed_1681']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], } ], '_ETIMER' : [ 0x98, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x28, ['_KAPC']], 'TimerDpc' : [ 0x58, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lock' : [ 0x80, ['unsigned long']], 'Period' : [ 0x84, ['long']], 'ApcAssociated' : [ 0x88, ['unsigned char']], 'WakeTimer' : [ 0x89, ['unsigned char']], 'WakeTimerListEntry' : [ 0x8c, ['_LIST_ENTRY']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PCI_PMC' : [ 0x2, { 'Version' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PMEClock' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 
'Rsvd1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DeviceSpecificInitialization' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Support' : [ 0x1, ['_PM_SUPPORT']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '__unnamed_1697' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_1697']], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '__unnamed_16a1' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x14, { 'u1' : [ 0x0, ['__unnamed_16a1']], 'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x8, ['pointer', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x290, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, 
['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockQueuedSpinLock', 7: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 
'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, ['pointer', ['_EPROCESS']]], 'HandleCount' : [ 0x4, ['unsigned long']], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_PEB_FREE_BLOCK' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_PEB_FREE_BLOCK']]], 'Size' : [ 0x4, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x28, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'WakeNeeded' : [ 0xc, ['unsigned char']], 'OrderLevel' : [ 0xd, ['unsigned char']], 'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'Node' : [ 0x14, ['pointer', ['void']]], 'DeviceName' : [ 0x18, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x1c, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x20, ['unsigned long']], 'ActiveChild' : [ 0x24, ['unsigned long']], } ], '_MMPFNLIST' : [ 0x10, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], } ], '__unnamed_16c7' : [ 0x4, { 'Spare' : [ 0x0, ['array', 4, ['unsigned char']]], } ], '__unnamed_16c9' : [ 0x4, { 'PrimaryBus' : [ 0x0, ['unsigned char']], 'SecondaryBus' : [ 0x1, ['unsigned char']], 'SubordinateBus' : [ 0x2, ['unsigned char']], 'SubtractiveDecode' : [ 
0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsaBitSet' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'VgaBitSet' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'WeChangedBusNumbers' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsaBitRequired' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], } ], 'PCI_HEADER_TYPE_DEPENDENT' : [ 0x4, { 'type0' : [ 0x0, ['__unnamed_16c7']], 'type1' : [ 0x0, ['__unnamed_16c9']], 'type2' : [ 0x0, ['__unnamed_16c9']], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_KINTERRUPT' : [ 0x1e4, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'ServiceContext' : [ 0x10, ['pointer', ['void']]], 'SpinLock' : [ 0x14, ['unsigned long']], 'TickCount' : [ 0x18, ['unsigned long']], 'ActualLock' : [ 0x1c, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x20, ['pointer', ['void']]], 'Vector' : [ 0x24, ['unsigned long']], 'Irql' : [ 0x28, ['unsigned char']], 'SynchronizeIrql' : [ 0x29, ['unsigned char']], 'FloatingSave' : [ 0x2a, ['unsigned char']], 'Connected' : [ 0x2b, ['unsigned char']], 'Number' : [ 0x2c, ['unsigned char']], 'ShareVector' : [ 0x2d, ['unsigned char']], 'Mode' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'ServiceCount' : [ 0x34, ['unsigned long']], 'DispatchCount' : [ 0x38, ['unsigned long']], 'DispatchCode' : [ 0x3c, ['array', 106, ['unsigned long']]], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : 
[ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_PCI_ARBITER_INSTANCE' : [ 0xe0, { 'Header' : [ 0x0, ['PCI_SECONDARY_EXTENSION']], 'Interface' : [ 0xc, ['pointer', ['_PCI_INTERFACE']]], 'BusFdoExtension' : [ 0x10, ['pointer', ['_PCI_FDO_EXTENSION']]], 'InstanceName' : [ 0x14, ['array', 24, ['unsigned short']]], 'CommonInstance' : [ 0x44, ['_ARBITER_INSTANCE']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_PCI_MJ_DISPATCH_TABLE' : [ 0x20, { 'PnpIrpMaximumMinorFunction' : [ 0x0, ['unsigned long']], 'PnpIrpDispatchTable' : [ 0x4, ['pointer', ['_PCI_MN_DISPATCH_TABLE']]], 'PowerIrpMaximumMinorFunction' : [ 0x8, ['unsigned long']], 'PowerIrpDispatchTable' : [ 0xc, ['pointer', ['_PCI_MN_DISPATCH_TABLE']]], 'SystemControlIrpDispatchStyle' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'SystemControlIrpDispatchFunction' : [ 0x14, ['pointer', ['void']]], 'OtherIrpDispatchStyle' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'OtherIrpDispatchFunction' : [ 0x1c, ['pointer', ['void']]], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 
0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_FXSAVE_FORMAT' : [ 0x208, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned short']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned long']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned long']], 'MXCsr' : [ 0x18, ['unsigned long']], 'MXCsrMask' : [ 0x1c, ['unsigned long']], 'RegisterArea' : [ 0x20, ['array', 128, ['unsigned char']]], 'Reserved3' : [ 0xa0, ['array', 128, ['unsigned char']]], 'Reserved4' : [ 0x120, ['array', 224, ['unsigned char']]], 'Align16Byte' : [ 0x200, ['array', 8, ['unsigned char']]], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_OBJECT_DIRECTORY' : [ 0xa0, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'SessionId' : [ 0x9c, ['unsigned long']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 
0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_KDPC_DATA' : [ 0x14, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['unsigned long']], 'DpcCount' : [ 0x10, ['unsigned long']], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_MMWSL' : [ 0x698, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer', ['_MMWSLE']]], 'LastInitializedWsle' : [ 0x14, ['unsigned long']], 'NonDirectCount' : [ 0x18, ['unsigned long']], 'HashTable' : [ 0x1c, ['pointer', ['_MMWSLE_HASH']]], 'HashTableSize' : [ 0x20, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x24, ['unsigned long']], 'HashTableStart' : [ 0x28, ['pointer', ['void']]], 'HighestPermittedHashAddress' : [ 0x2c, ['pointer', ['void']]], 'NumberOfImageWaiters' : [ 0x30, ['unsigned long']], 'VadBitMapHint' : [ 0x34, ['unsigned long']], 'UsedPageTableEntries' : [ 0x38, ['array', 768, ['unsigned short']]], 'CommittedPageTables' : [ 0x638, ['array', 24, ['unsigned long']]], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, 
['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], 'PCI_FUNCTION_RESOURCES' : [ 0x150, { 'Limit' : [ 0x0, ['array', 7, ['_IO_RESOURCE_DESCRIPTOR']]], 'Current' : [ 0xe0, ['array', 7, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '__unnamed_1733' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_1737' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x40, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'NonExtendedPtes' : [ 0x8, ['unsigned long']], 'Spare0' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'SegmentPteTemplate' : [ 0x18, ['_MMPTE']], 'NumberOfCommittedPages' : [ 0x1c, ['unsigned long']], 'ExtendInfo' : [ 0x20, ['pointer', ['_MMEXTEND_INFO']]], 'SegmentFlags' : [ 0x24, ['_SEGMENT_FLAGS']], 'BasedAddress' : [ 0x28, ['pointer', ['void']]], 'u1' : [ 0x2c, ['__unnamed_1733']], 'u2' : [ 0x30, ['__unnamed_1737']], 'PrototypePte' : [ 0x34, ['pointer', ['_MMPTE']]], 'ThePtes' : [ 0x38, ['array', 1, ['_MMPTE']]], } ], '_PCI_COMMON_EXTENSION' : [ 0x20, { 'Next' : [ 0x0, ['pointer', ['void']]], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 
'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtLock' : [ 0x10, ['_KEVENT']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0x58, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], 'StartAddress' : [ 0x18, ['pointer', ['void']]], 'EndAddress' : [ 0x1c, ['pointer', ['void']]], 'Flags' : [ 0x20, ['unsigned long']], 'Signature' : [ 0x24, ['unsigned long']], 'PoolPageHeaders' : [ 0x28, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x30, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x38, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x3c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PagedBytes' : [ 0x48, ['unsigned long']], 'NonPagedBytes' : [ 0x4c, ['unsigned long']], 'PeakPagedBytes' : [ 0x50, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x54, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, 
['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long']], 'PrivateLinks' : [ 0x4c, ['_LIST_ENTRY']], } ], '_RTL_HANDLE_TABLE' : [ 0x20, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x14, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x18, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x1c, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_POP_IDLE_HANDLER' : [ 0x20, { 'Latency' : [ 0x0, ['unsigned long']], 'TimeCheck' : [ 0x4, ['unsigned long']], 'DemoteLimit' : [ 0x8, ['unsigned long']], 'PromoteLimit' : [ 0xc, ['unsigned long']], 'PromoteCount' : [ 0x10, ['unsigned long']], 'Demote' : [ 0x14, ['unsigned char']], 'Promote' : [ 0x15, ['unsigned char']], 'PromotePercent' : [ 0x16, ['unsigned char']], 'DemotePercent' : [ 0x17, ['unsigned char']], 'State' : [ 0x18, ['unsigned char']], 'Spare' : [ 0x19, ['array', 3, ['unsigned char']]], 'IdleFunction' : [ 0x1c, ['pointer', ['void']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 
'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'spare2' : [ 0x11, ['array', 4, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 
'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_DEVOBJ_EXTENSION' : [ 0x2c, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Cr0NpxState' : [ 0x6c, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_MMVIEW' : [ 0x8, { 'Entry' : [ 0x0, ['unsigned long']], 'ControlArea' : [ 0x4, ['pointer', ['_CONTROL_AREA']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' 
: [ 0x8, ['long']], } ], '_TEB' : [ 0xfbc, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes1' : [ 0x1ac, ['array', 40, ['unsigned char']]], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, 
['array', 261, ['unsigned short']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 14, ['pointer', ['void']]]], 'SubProcessTag' : [ 0xf64, ['pointer', ['void']]], 'EtwTraceData' : [ 0xf68, ['pointer', ['void']]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'InDbgPrint' : [ 0xf74, ['unsigned char']], 'FreeStackOnTermination' : [ 0xf75, ['unsigned char']], 'HasFiberData' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SparePointer1' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'SoftPatchPtr2' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], 'SafeThunkCall' : [ 0xfb8, ['unsigned char']], 'BooleanSpare' : [ 0xfb9, ['array', 3, ['unsigned char']]], } ], 'PCI_SECONDARY_EXTENSION' : [ 0xc, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 
1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'Destructor' : [ 0x8, ['pointer', ['void']]], } ], '__unnamed_1776' : [ 0x30, { 'type0' : [ 0x0, ['_PCI_HEADER_TYPE_0']], 'type1' : [ 0x0, ['_PCI_HEADER_TYPE_1']], 'type2' : [ 0x0, ['_PCI_HEADER_TYPE_2']], } ], '_PCI_COMMON_CONFIG' : [ 0x100, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'Command' : [ 0x4, ['unsigned short']], 'Status' : [ 0x6, ['unsigned short']], 'RevisionID' : [ 0x8, ['unsigned char']], 'ProgIf' : [ 0x9, ['unsigned char']], 'SubClass' : [ 0xa, ['unsigned char']], 'BaseClass' : [ 0xb, ['unsigned char']], 'CacheLineSize' : [ 0xc, ['unsigned char']], 'LatencyTimer' : [ 0xd, ['unsigned char']], 'HeaderType' : [ 0xe, ['unsigned char']], 'BIST' : [ 0xf, ['unsigned char']], 'u' : [ 0x10, ['__unnamed_1776']], 'DeviceSpecific' : [ 0x40, ['array', 192, ['unsigned char']]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, 
['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'Spare1' : [ 0x23, ['unsigned char']], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'Reserved' : [ 0x2c, ['array', 1, ['unsigned long']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['unsigned long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_KNODE' : [ 0x40, { 'DeadStackList' : [ 0x0, ['_SLIST_HEADER']], 'PfnDereferenceSListHead' : [ 0x8, ['_SLIST_HEADER']], 'ProcessorMask' : [ 0x10, ['unsigned long']], 'Color' : [ 0x14, ['unsigned char']], 'Seed' : [ 0x15, ['unsigned char']], 'NodeNumber' : [ 0x16, ['unsigned char']], 'Flags' : [ 0x17, ['_flags']], 'MmShiftedColor' : [ 0x18, ['unsigned long']], 'FreeCount' : [ 0x1c, ['array', 2, ['unsigned long']]], 'PfnDeferredList' : [ 0x24, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Spare' : [ 
0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_VI_DEADLOCK_THREAD' : [ 0x1c, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 
'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_PCI_INTERFACE' : [ 0x1c, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'MinSize' : [ 0x4, ['unsigned short']], 'MinVersion' : [ 0x6, ['unsigned short']], 'MaxVersion' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 0xc, ['long']], 'Signature' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'Constructor' : [ 0x14, ['pointer', ['void']]], 'Initializer' : [ 0x18, ['pointer', ['void']]], } ], '_POP_POWER_ACTION' : [ 0x40, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 
'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'IrpMinor' : [ 0x14, ['unsigned char']], 'SystemState' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x20, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x24, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x28, ['pointer', ['_POP_HIBER_CONTEXT']]], 'LastWakeState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WakeTime' : [ 0x30, ['unsigned long long']], 'SleepTime' : [ 0x38, ['unsigned long long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_MMVAD_SHORT' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1174']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1177']], } ], '__unnamed_17bd' 
: [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_17bd']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'Data' : [ 0x20, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 
'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_KGUARDED_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x28, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 
'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PROCESSOR_POWER_POLICY_INFO' : [ 0x14, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemoteLimit' : [ 0x4, ['unsigned long']], 'PromoteLimit' : [ 0x8, ['unsigned long']], 'DemotePercent' : [ 0xc, ['unsigned char']], 'PromotePercent' : [ 0xd, ['unsigned char']], 'Spare' : [ 0xe, ['array', 2, ['unsigned char']]], 'AllowDemotion' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AllowPromotion' : [ 0x10, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x10, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_ARBITER_INSTANCE' : [ 0x9c, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0xc, ['long']], 'Allocation' : [ 0x10, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x18, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x20, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x28, ['long']], 'Interface' : [ 0x2c, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x30, ['unsigned long']], 'AllocationStack' : [ 0x34, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x38, ['pointer', ['void']]], 'PackResource' : [ 0x3c, ['pointer', ['void']]], 'UnpackResource' : [ 0x40, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x44, ['pointer', ['void']]], 'TestAllocation' : [ 0x48, ['pointer', ['void']]], 'RetestAllocation' : [ 0x4c, ['pointer', ['void']]], 'CommitAllocation' : [ 0x50, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x54, 
['pointer', ['void']]], 'BootAllocation' : [ 0x58, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x5c, ['pointer', ['void']]], 'QueryConflict' : [ 0x60, ['pointer', ['void']]], 'AddReserved' : [ 0x64, ['pointer', ['void']]], 'StartArbiter' : [ 0x68, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x6c, ['pointer', ['void']]], 'AllocateEntry' : [ 0x70, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x74, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x78, ['pointer', ['void']]], 'AddAllocation' : [ 0x7c, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x80, ['pointer', ['void']]], 'OverrideConflict' : [ 0x84, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x88, ['unsigned char']], 'Extension' : [ 0x8c, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x90, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x94, ['pointer', ['void']]], 'ConflictCallback' : [ 0x98, ['pointer', ['void']]], } ], '_BUS_HANDLER' : [ 0x6c, { 'Version' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ConfigurationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'Cmos', 1: 'EisaConfiguration', 2: 'Pos', 3: 'CbusConfiguration', 4: 'PCIConfiguration', 5: 'VMEConfiguration', 6: 'NuBusConfiguration', 7: 'PCMCIAConfiguration', 8: 'MPIConfiguration', 9: 'MPSAConfiguration', 10: 'PNPISAConfiguration', 11: 'SgiInternalConfiguration', 12: 'MaximumBusDataType', -1: 'ConfigurationSpaceUndefined'})]], 'BusNumber' : [ 0xc, ['unsigned long']], 'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'ParentHandler' : [ 0x14, ['pointer', ['_BUS_HANDLER']]], 'BusData' : [ 0x18, ['pointer', ['void']]], 
'DeviceControlExtensionSize' : [ 0x1c, ['unsigned long']], 'BusAddresses' : [ 0x20, ['pointer', ['_SUPPORTED_RANGES']]], 'Reserved' : [ 0x24, ['array', 4, ['unsigned long']]], 'GetBusData' : [ 0x34, ['pointer', ['void']]], 'SetBusData' : [ 0x38, ['pointer', ['void']]], 'AdjustResourceList' : [ 0x3c, ['pointer', ['void']]], 'AssignSlotResources' : [ 0x40, ['pointer', ['void']]], 'GetInterruptVector' : [ 0x44, ['pointer', ['void']]], 'TranslateBusAddress' : [ 0x48, ['pointer', ['void']]], 'Spare1' : [ 0x4c, ['pointer', ['void']]], 'Spare2' : [ 0x50, ['pointer', ['void']]], 'Spare3' : [ 0x54, ['pointer', ['void']]], 'Spare4' : [ 0x58, ['pointer', ['void']]], 'Spare5' : [ 0x5c, ['pointer', ['void']]], 'Spare6' : [ 0x60, ['pointer', ['void']]], 'Spare7' : [ 0x64, ['pointer', ['void']]], 'Spare8' : [ 0x68, ['pointer', ['void']]], } ], '_PCI_MN_DISPATCH_TABLE' : [ 0x8, { 'DispatchStyle' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'DispatchFunction' : [ 0x4, ['pointer', ['void']]], } ], '_POP_DEVICE_SYS_STATE' : [ 0x620, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Event' : [ 0x8, ['_KEVENT']], 'SpinLock' : [ 0x18, ['unsigned long']], 'Thread' : [ 0x1c, ['pointer', ['_KTHREAD']]], 'GetNewDeviceList' : [ 0x20, ['unsigned char']], 'Order' : [ 0x24, ['_PO_DEVICE_NOTIFY_ORDER']], 'Status' : [ 0x26c, ['long']], 'FailedDevice' : [ 0x270, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x274, ['unsigned char']], 'Cancelled' : [ 0x275, ['unsigned char']], 'IgnoreErrors' : [ 0x276, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x277, ['unsigned char']], 'WaitAny' : [ 0x278, ['unsigned char']], 'WaitAll' : [ 
0x279, ['unsigned char']], 'PresentIrpQueue' : [ 0x27c, ['_LIST_ENTRY']], 'Head' : [ 0x284, ['_POP_DEVICE_POWER_IRP']], 'PowerIrpState' : [ 0x2b0, ['array', 20, ['_POP_DEVICE_POWER_IRP']]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_MMWSLE_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['unsigned short']]], } ], '_CM_KEY_BODY' : [ 0x44, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'Callers' : [ 0x10, ['unsigned long']], 'CallerAddress' : [ 0x14, ['array', 10, ['pointer', ['void']]]], 'KeyBodyList' : [ 0x3c, ['_LIST_ENTRY']], 
} ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], 'GrantedAccessIndex' : [ 0x4, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x6, ['unsigned short']], 'NextFreeTableEntry' : [ 0x4, ['long']], } ], '_HEAP_USERDATA_HEADER' : [ 0x10, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer', ['_HEAP_SUBSEGMENT']]], 'HeapHandle' : [ 0x4, ['pointer', ['void']]], 'SizeIndex' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], 'PCI_POWER_STATE' : [ 0x40, { 'CurrentSystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 
'CurrentDeviceState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemWakeLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWakeLevel' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemStateMapping' : [ 0x10, ['array', 7, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'WaitWakeIrp' : [ 0x2c, ['pointer', ['_IRP']]], 'SavedCancelRoutine' : [ 0x30, ['pointer', ['void']]], 'Paging' : [ 0x34, ['long']], 'Hibernate' : [ 0x38, ['long']], 'CrashDump' : [ 0x3c, ['long']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '__unnamed_185f' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1863' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_1867' : 
[ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_1869' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_186d' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_186f' : [ 0x8, { 
'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_1871' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], } ], '__unnamed_1873' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 
'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1875' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_1877' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_187b' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsMaximumInformation'})]], } ], '__unnamed_187d' : [ 0x10, { 
'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_187f' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_1881' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1883' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_1885' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1887' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_188b' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_188f' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1893' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_1895' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1899' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_189b' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', 
['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_189d' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_189f' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_18a3' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_18a7' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_18ab' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_18ad' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_18b1' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_18b5' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 
'PowerActionWarmEject'})]], } ], '__unnamed_18b7' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_18b9' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_18bb' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_18bd' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_185f']], 'CreatePipe' : [ 0x0, ['__unnamed_1863']], 'CreateMailslot' : [ 0x0, ['__unnamed_1867']], 'Read' : [ 0x0, ['__unnamed_1869']], 'Write' : [ 0x0, ['__unnamed_1869']], 'QueryDirectory' : [ 0x0, ['__unnamed_186d']], 'NotifyDirectory' : [ 0x0, ['__unnamed_186f']], 'QueryFile' : [ 0x0, ['__unnamed_1871']], 'SetFile' : [ 0x0, ['__unnamed_1873']], 'QueryEa' : [ 0x0, ['__unnamed_1875']], 'SetEa' : [ 0x0, ['__unnamed_1877']], 'QueryVolume' : [ 0x0, ['__unnamed_187b']], 'SetVolume' : [ 0x0, ['__unnamed_187b']], 'FileSystemControl' : [ 0x0, ['__unnamed_187d']], 'LockControl' : [ 0x0, ['__unnamed_187f']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1881']], 'QuerySecurity' : [ 0x0, ['__unnamed_1883']], 'SetSecurity' : [ 0x0, ['__unnamed_1885']], 'MountVolume' : [ 0x0, ['__unnamed_1887']], 'VerifyVolume' : [ 0x0, ['__unnamed_1887']], 'Scsi' : [ 0x0, ['__unnamed_188b']], 'QueryQuota' : [ 0x0, ['__unnamed_188f']], 'SetQuota' : [ 0x0, ['__unnamed_1877']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1893']], 'QueryInterface' : [ 0x0, ['__unnamed_1895']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_1899']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_189b']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_189d']], 'SetLock' : [ 0x0, ['__unnamed_189f']], 'QueryId' : [ 0x0, ['__unnamed_18a3']], 'QueryDeviceText' 
: [ 0x0, ['__unnamed_18a7']], 'UsageNotification' : [ 0x0, ['__unnamed_18ab']], 'WaitWake' : [ 0x0, ['__unnamed_18ad']], 'PowerSequence' : [ 0x0, ['__unnamed_18b1']], 'Power' : [ 0x0, ['__unnamed_18b5']], 'StartDevice' : [ 0x0, ['__unnamed_18b7']], 'WMI' : [ 0x0, ['__unnamed_18b9']], 'Others' : [ 0x0, ['__unnamed_18bb']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_18bd']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_18c4' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_18c6' : [ 0x8, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], } ], '__unnamed_18c8' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_18ca' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_18cc' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_18ce' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_18c4']], 'Memory' : [ 0x0, ['__unnamed_18c4']], 'Interrupt' : [ 0x0, ['__unnamed_18c6']], 'Dma' : [ 0x0, ['__unnamed_18c8']], 'Generic' : [ 0x0, ['__unnamed_18c4']], 'DevicePrivate' : [ 0x0, ['__unnamed_161d']], 'BusNumber' : [ 0x0, ['__unnamed_18ca']], 'ConfigData' : [ 0x0, ['__unnamed_18cc']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 
'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_18ce']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]], } ], '__unnamed_18d7' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_18d9' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_18d7']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_18db' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_18dd' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_18db']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_18d9']], 'u2' : [ 0x4, ['__unnamed_18dd']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, 
['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x70, ['array', 99, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 894, ['unsigned long']]], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_DUAL' : [ 0x13c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x130, ['unsigned long']], 'FreeBins' : [ 0x134, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_POP_HIBER_CONTEXT' : [ 0xe0, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'LinkFile' : [ 0x6, ['unsigned char']], 'LinkFileHandle' : [ 0x8, ['pointer', ['void']]], 'Lock' : [ 0xc, ['unsigned long']], 'MapFrozen' : [ 0x10, ['unsigned char']], 'MemoryMap' : [ 0x14, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x1c, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x24, ['unsigned long']], 'NextCloneRange' : [ 0x28, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x2c, ['unsigned long']], 'LoaderMdl' : [ 0x30, ['pointer', ['_MDL']]], 
'Clones' : [ 0x34, ['pointer', ['_MDL']]], 'NextClone' : [ 0x38, ['pointer', ['unsigned char']]], 'NoClones' : [ 0x3c, ['unsigned long']], 'Spares' : [ 0x40, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x48, ['unsigned long long']], 'IoPage' : [ 0x50, ['pointer', ['void']]], 'CurrentMcb' : [ 0x54, ['pointer', ['void']]], 'DumpStack' : [ 0x58, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x5c, ['pointer', ['_KPROCESSOR_STATE']]], 'NoRanges' : [ 0x60, ['unsigned long']], 'HiberVa' : [ 0x64, ['unsigned long']], 'HiberPte' : [ 0x68, ['_LARGE_INTEGER']], 'Status' : [ 0x70, ['long']], 'MemoryImage' : [ 0x74, ['pointer', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0x78, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'CompressionWorkspace' : [ 0x7c, ['pointer', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0x80, ['pointer', ['unsigned char']]], 'PerformanceStats' : [ 0x84, ['pointer', ['unsigned long']]], 'CompressionBlock' : [ 0x88, ['pointer', ['void']]], 'DmaIO' : [ 0x8c, ['pointer', ['void']]], 'TemporaryHeap' : [ 0x90, ['pointer', ['void']]], 'PerfInfo' : [ 0x98, ['_PO_HIBER_PERF']], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_MMADDRESS_LIST' : [ 0x8, { 'StartVpn' : [ 0x0, ['unsigned long']], 'EndVpn' : [ 0x4, ['unsigned long']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_DUMP_STACK_CONTEXT' : [ 0xb0, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x70, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x78, ['pointer', ['void']]], 'PointersLength' : [ 0x7c, ['unsigned long']], 'ModulePrefix' : [ 0x80, ['pointer', ['unsigned short']]], 'DriverList' : [ 0x84, ['_LIST_ENTRY']], 'InitMsg' : [ 0x8c, 
['_STRING']], 'ProgMsg' : [ 0x94, ['_STRING']], 'DoneMsg' : [ 0x9c, ['_STRING']], 'FileObject' : [ 0xa4, ['pointer', ['void']]], 'UsageType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x14, { 'Code' : [ 0x0, ['unsigned long']], 'Parameter1' : [ 0x4, ['unsigned long']], 'Parameter2' : [ 0x8, ['unsigned long']], 'Parameter3' : [ 0xc, ['unsigned long']], 'Parameter4' : [ 0x10, ['unsigned long']], } ], '__unnamed_1918' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_191a' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_1918']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_191a']], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 
'NextFree' : [ 0x0, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_SUPPORTED_RANGES' : [ 0xa0, { 'Version' : [ 0x0, ['unsigned short']], 'Sorted' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'NoIO' : [ 0x4, ['unsigned long']], 'IO' : [ 0x8, ['_SUPPORTED_RANGE']], 'NoMemory' : [ 0x28, ['unsigned long']], 'Memory' : [ 0x30, ['_SUPPORTED_RANGE']], 'NoPrefetchMemory' : [ 0x50, ['unsigned long']], 'PrefetchMemory' : [ 0x58, ['_SUPPORTED_RANGE']], 'NoDma' : [ 0x78, ['unsigned long']], 'Dma' : [ 0x80, ['_SUPPORTED_RANGE']], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 
0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_DRIVER_EXTENSION' : [ 0x1c, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], } ], '_PM_SUPPORT' : [ 0x1, { 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'D1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'D2' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'PMED0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PMED1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PMED2' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'PMED3Hot' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'PMED3Cold' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '__unnamed_194b' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '__unnamed_194d' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '__unnamed_1951' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '__unnamed_1953' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, 
['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '__unnamed_1955' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_1957' : [ 0x10, { 'TestAllocation' : [ 0x0, ['__unnamed_194b']], 'RetestAllocation' : [ 0x0, ['__unnamed_194b']], 'BootAllocation' : [ 0x0, ['__unnamed_194d']], 'QueryAllocatedResources' : [ 0x0, ['__unnamed_1951']], 'QueryConflict' : [ 0x0, ['__unnamed_1953']], 'QueryArbitrate' : [ 0x0, ['__unnamed_194d']], 'AddReserved' : [ 0x0, ['__unnamed_1955']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_1957']], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x48, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 
310, ['unsigned long']]], } ], '_FREE_DISPLAY' : [ 0xc, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x4, ['_RTL_BITMAP']], } ], 'PO_MEMORY_IMAGE' : [ 0xa8, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'ImageType' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x3c, ['unsigned long']], 'HiberPte' : [ 0x40, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x48, ['unsigned long']], 'FreeMapCheck' : [ 0x4c, ['unsigned long']], 'WakeCheck' : [ 0x50, ['unsigned long']], 'TotalPages' : [ 0x54, ['unsigned long']], 'FirstTablePage' : [ 0x58, ['unsigned long']], 'LastFilePage' : [ 0x5c, ['unsigned long']], 'PerfInfo' : [ 0x60, ['_PO_HIBER_PERF']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, 
end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 
'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, { 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Spare' : [ 0x18, ['array', 2, ['unsigned long']]], } ], '__unnamed_197a' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['unsigned short']]], } ], '__unnamed_197c' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_197e' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_1980' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceIds' : [ 0x4, ['array', 1, ['unsigned short']]], } ], '__unnamed_1982' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1984' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1986' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 
'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['unsigned short']]], } ], '__unnamed_1988' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_198a' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_198c' : [ 0x14, { 'DeviceClass' : [ 0x0, ['__unnamed_197a']], 'TargetDevice' : [ 0x0, ['__unnamed_197c']], 'InstallDevice' : [ 0x0, ['__unnamed_197e']], 'CustomNotification' : [ 0x0, ['__unnamed_1980']], 'ProfileNotification' : [ 0x0, ['__unnamed_1982']], 'PowerNotification' : [ 0x0, ['__unnamed_1984']], 'VetoNotification' : [ 0x0, ['__unnamed_1986']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_1988']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_198a']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x38, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'InvalidIDEvent', 10: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_198c']], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_PO_MEMORY_RANGE_ARRAY' : [ 0x10, { 'Range' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_RANGE']], 'Link' 
: [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], } ], '__unnamed_19a3' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_19a5' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_19a7' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_19a3']], 'Gpt' : [ 0x0, ['__unnamed_19a5']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x70, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_19a7']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', 
['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_PCI_HEADER_TYPE_0' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 6, ['unsigned long']]], 'CIS' : [ 0x18, ['unsigned long']], 'SubVendorID' : [ 0x1c, ['unsigned short']], 'SubSystemID' : [ 0x1e, ['unsigned short']], 'ROMBaseAddress' : [ 0x20, ['unsigned long']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'Reserved2' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'MinimumGrant' : [ 0x2e, ['unsigned char']], 'MaximumLatency' : [ 0x2f, ['unsigned char']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x248, { 'DevNodeSequence' : [ 0x0, ['unsigned long']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, 
['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x10, { 'PageNo' : [ 0x0, ['unsigned long']], 'StartPage' : [ 0x4, ['unsigned long']], 'EndPage' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'LevelReady' : [ 0x0, ['_KEVENT']], 'DeviceCount' : [ 0x10, ['unsigned long']], 'ActiveCount' : [ 0x14, ['unsigned long']], 'WaitSleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x20, ['_LIST_ENTRY']], 'Pending' : [ 0x28, ['_LIST_ENTRY']], 'Complete' : [ 0x30, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x38, ['_LIST_ENTRY']], 'WaitS0' : [ 0x40, ['_LIST_ENTRY']], } ], '__unnamed_19d7' : [ 0x8, { 'Base' : [ 0x0, ['unsigned long']], 'Limit' : [ 0x4, ['unsigned long']], } ], '_PCI_HEADER_TYPE_2' : [ 0x30, { 'SocketRegistersBaseAddress' : [ 0x0, ['unsigned long']], 'CapabilitiesPtr' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'SecondaryStatus' : [ 0x6, ['unsigned short']], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'Range' 
: [ 0xc, ['array', 4, ['__unnamed_19d7']]], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['unsigned short']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'NextTable' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'EntryCount' : [ 0xc, ['unsigned long']], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 
'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_POP_DEVICE_POWER_IRP' : [ 0x2c, { 'Free' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Irp' : [ 0x4, ['pointer', ['_IRP']]], 'Notify' : [ 0x8, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'Pending' : [ 0xc, ['_LIST_ENTRY']], 'Complete' : [ 0x14, ['_LIST_ENTRY']], 'Abort' : [ 0x1c, ['_LIST_ENTRY']], 'Failed' : [ 0x24, ['_LIST_ENTRY']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : 
[ 0x19, ['unsigned char']], } ], '_PCI_HEADER_TYPE_1' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 2, ['unsigned long']]], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'IOBase' : [ 0xc, ['unsigned char']], 'IOLimit' : [ 0xd, ['unsigned char']], 'SecondaryStatus' : [ 0xe, ['unsigned short']], 'MemoryBase' : [ 0x10, ['unsigned short']], 'MemoryLimit' : [ 0x12, ['unsigned short']], 'PrefetchBase' : [ 0x14, ['unsigned short']], 'PrefetchLimit' : [ 0x16, ['unsigned short']], 'PrefetchBaseUpper32' : [ 0x18, ['unsigned long']], 'PrefetchLimitUpper32' : [ 0x1c, ['unsigned long']], 'IOBaseUpper16' : [ 0x20, ['unsigned short']], 'IOLimitUpper16' : [ 0x22, ['unsigned short']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'ROMBaseAddress' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, 
['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Reserved' : [ 0x3c, ['array', 6, ['unsigned long']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_SUPPORTED_RANGE' : [ 0x20, { 'Next' : [ 0x0, ['pointer', ['_SUPPORTED_RANGE']]], 'SystemAddressSpace' : [ 0x4, ['unsigned long']], 'SystemBase' : [ 0x8, ['long long']], 'Base' : [ 0x10, ['long long']], 'Limit' : [ 0x18, ['long long']], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, 
['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['unsigned long']], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 
'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x30, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long']], 'Alignment' : [ 0x14, ['unsigned long']], 'Priority' : [ 0x18, ['long']], 'Flags' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x24, ['array', 3, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '__unnamed_1a65' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_1a67' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_1a6b' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', 
choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_1a6d' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_1a65']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_1a67']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_1a6b']], 'Others' : [ 0x0, ['__unnamed_1a6d']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], } 
volatility-2.3.1/volatility/plugins/overlays/windows/pe_vtypes.py0000644000175000017500000004207612232063457025435 0ustar mikemike00000000000000
# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.exceptions as exceptions
import volatility.obj as obj

pe_vtypes = {
    '_IMAGE_EXPORT_DIRECTORY': [ 0x28, {
        'Base': [ 0x10, ['unsigned int']],
        'NumberOfFunctions': [ 0x14, ['unsigned int']],
        'NumberOfNames': [ 0x18, ['unsigned int']],
        'AddressOfFunctions': [ 0x1C, ['unsigned int']],
        'AddressOfNames': [ 0x20, ['unsigned int']],
        'AddressOfNameOrdinals': [ 0x24, ['unsigned int']],
    }],
    '_IMAGE_IMPORT_DESCRIPTOR': [ 0x14, {
        # 0 for terminating null import descriptor
        'OriginalFirstThunk': [ 0x0, ['unsigned int']],
        'TimeDateStamp': [ 0x4, ['unsigned int']],
        'ForwarderChain': [ 0x8, ['unsigned int']],
        'Name': [ 0xC, ['unsigned int']],
        # If bound this has actual addresses
        'FirstThunk': [ 0x10, ['unsigned int']],
    }],
    '_IMAGE_THUNK_DATA' : [ 0x4, {
        # Fake member for testing if the highest bit is set
        'OrdinalBit' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32)]],
        'Function' : [ 0x0, ['pointer', ['void']]],
        'Ordinal' : [ 0x0, ['unsigned long']],
        'AddressOfData' : [ 0x0, ['unsigned int']],
        'ForwarderString' : [ 0x0, ['unsigned int']],
    }],
    '_IMAGE_IMPORT_BY_NAME' : [ None, {
        'Hint' : [ 0x0, ['unsigned short']],
        'Name' : [ 0x2, ['String', dict(length = 128)]],
    }],
}

pe_vtypes_64 = {
    '_IMAGE_THUNK_DATA' : [ 0x8, {
        # Fake member for testing if the highest bit is set
        'OrdinalBit' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64)]],
        'Function' : [ 0x0, ['pointer64', ['void']]],
        'Ordinal' : [ 0x0, ['unsigned long long']],
        'AddressOfData' : [ 0x0, ['unsigned long long']],
        'ForwarderString' : [ 0x0, ['unsigned long long']],
    }],
}

class _IMAGE_EXPORT_DIRECTORY(obj.CType):
    """Class for PE export directory"""

    def valid(self, nt_header):
        """
        Check the sanity of export table fields.

        The RVAs cannot be larger than the module size. The function
        and name counts cannot be larger than 32K.
        """
        try:
            return (self.AddressOfFunctions < nt_header.OptionalHeader.SizeOfImage and
                    self.AddressOfNameOrdinals < nt_header.OptionalHeader.SizeOfImage and
                    self.AddressOfNames < nt_header.OptionalHeader.SizeOfImage and
                    self.NumberOfFunctions < 0x7FFF and
                    self.NumberOfNames < 0x7FFF)
        except obj.InvalidOffsetError:
            return False

    def _name(self, name_rva):
        """
        Return a String object for the function name.

        Names are truncated at 128 characters although it's possible
        they may be longer. Thus, infrequently a function name will
        be missing some data. However, that's better than hard-coding
        a larger value which frequently causes us to cross page
        boundaries and return a NoneObject anyway.
        """
        return obj.Object("String",
                          offset = self.obj_parent.DllBase + name_rva,
                          vm = self.obj_native_vm, length = 128)

    def _exported_functions(self):
        """
        Generator for exported functions.

        @return: tuple (Ordinal, FunctionRVA, Name)

        Ordinal is an integer and should never be None. If the function
        is forwarded, FunctionRVA is None. Otherwise, FunctionRVA is an
        RVA to the function's code (relative to module base). Name is a
        String containing the exported function's name. If the Name is
        paged, it will be None. If the function is forwarded, Name is the
        forwarded function name including the DLL (ntdll.EtwLogTraceEvent).
        """

        mod_base = self.obj_parent.DllBase
        exp_dir = self.obj_parent.export_dir()

        # PE files with a large number of functions will have arrays
        # that span multiple pages. Thus the first entries may be valid,
        # last entries may be valid, but middle entries may be invalid
        # (paged). In the various checks below, we test for None (paged)
        # and zero (non-paged but invalid RVA).

        # Array of RVAs to function code
        address_of_functions = obj.Object('Array',
                                          offset = mod_base + self.AddressOfFunctions,
                                          targetType = 'unsigned int',
                                          count = self.NumberOfFunctions,
                                          vm = self.obj_native_vm)
        # Array of RVAs to function names
        address_of_names = obj.Object('Array',
                                      offset = mod_base + self.AddressOfNames,
                                      targetType = 'unsigned int',
                                      count = self.NumberOfNames,
                                      vm = self.obj_native_vm)
        # Array of RVAs to function ordinals
        address_of_name_ordinals = obj.Object('Array',
                                              offset = mod_base + self.AddressOfNameOrdinals,
                                              targetType = 'unsigned short',
                                              count = self.NumberOfNames,
                                              vm = self.obj_native_vm)

        # When functions are exported by Name, it will increase
        # NumberOfNames by 1 and NumberOfFunctions by 1. When
        # functions are exported by Ordinal, only the NumberOfFunctions
        # will increase. First we enum functions exported by Name
        # and track their corresponding Ordinals, so that when we enum
        # functions exported by Ordinal only, we don't duplicate.

        seen_ordinals = []

        # Handle functions exported by name *and* ordinal
        for i in range(self.NumberOfNames):

            name_rva = address_of_names[i]
            ordinal = address_of_name_ordinals[i]

            if name_rva in (0, None):
                continue

            # Check the sanity of ordinal values before using it as an index
            if ordinal == None or ordinal >= self.NumberOfFunctions:
                continue

            func_rva = address_of_functions[ordinal]

            if func_rva in (0, None):
                continue

            # Handle forwarded exports. If the function's RVA is inside the exports
            # section (as given by the VirtualAddress and Size fields in the
            # DataDirectory), the symbol is forwarded. Return the name of the
            # forwarded function and None as the function address.

            if (func_rva >= exp_dir.VirtualAddress and
                    func_rva < exp_dir.VirtualAddress + exp_dir.Size):
                n = self._name(func_rva)
                f = obj.NoneObject("Ordinal function {0} in module {1} forwards to {2}".format(
                                   ordinal, self.obj_parent.BaseDllName, n))
            else:
                n = self._name(name_rva)
                f = func_rva

            # Add the ordinal base and save it
            ordinal += self.Base
            seen_ordinals.append(ordinal)

            yield ordinal, f, n

        # Handle functions exported by ordinal only
        for i in range(self.NumberOfFunctions):

            ordinal = self.Base + i

            # Skip functions already enumerated above
            if ordinal not in seen_ordinals:

                func_rva = address_of_functions[i]

                if func_rva in (0, None):
                    continue

                seen_ordinals.append(ordinal)

                # There is no name RVA
                yield ordinal, func_rva, obj.NoneObject("Name RVA not accessible")

class _IMAGE_IMPORT_DESCRIPTOR(obj.CType):
    """Handles IID entries for imported functions"""

    def valid(self, nt_header):
        """Check the validity of some fields"""
        try:
            return (self.OriginalFirstThunk != 0 and
                    self.OriginalFirstThunk < nt_header.OptionalHeader.SizeOfImage and
                    self.FirstThunk != 0 and
                    self.FirstThunk < nt_header.OptionalHeader.SizeOfImage and
                    self.Name < nt_header.OptionalHeader.SizeOfImage)
        except obj.InvalidOffsetError:
            return False

    def _name(self, name_rva):
        """Return a String object for the name at the given RVA"""

        return obj.Object("String",
                          offset = self.obj_parent.DllBase + name_rva,
                          vm = self.obj_native_vm, length = 128)

    def dll_name(self):
        """Returns the name of the DLL for this IID"""
        return self._name(self.Name)

    def _imported_functions(self):
        """
        Generator for imported functions.

        @return: tuple (Ordinal, FunctionVA, Name)

        If the function is imported by ordinal, then Ordinal is the
        ordinal value and Name is None.
If the function is imported by name, then Ordinal is the hint and Name is the imported function name (or None if its paged). FunctionVA is the virtual address of the imported function, as applied to the IAT by the Windows loader. If the FirstThunk is paged, then FunctionVA will be None. """ i = 0 while 1: thunk = obj.Object('_IMAGE_THUNK_DATA', offset = self.obj_parent.DllBase + self.OriginalFirstThunk + i * self.obj_vm.profile.get_obj_size('_IMAGE_THUNK_DATA'), vm = self.obj_native_vm) # We've reached the end when the element is zero if thunk == None or thunk.AddressOfData == 0: break o = obj.NoneObject("Ordinal not accessible?") n = obj.NoneObject("Imported by ordinal?") f = obj.NoneObject("FirstThunk not accessible") # If the highest bit (32 for x86 and 64 for x64) is set, the function is # imported by ordinal and the lowest 16-bits contain the ordinal value. # Otherwise, the lowest bits (0-31 for x86 and 0-63 for x64) contain an # RVA to an _IMAGE_IMPORT_BY_NAME struct. if thunk.OrdinalBit == 1: o = thunk.Ordinal & 0xFFFF else: iibn = obj.Object("_IMAGE_IMPORT_BY_NAME", offset = self.obj_parent.DllBase + thunk.AddressOfData, vm = self.obj_native_vm) o = iibn.Hint n = iibn.Name # See if the import is bound (i.e. resolved) first_thunk = obj.Object('_IMAGE_THUNK_DATA', offset = self.obj_parent.DllBase + self.FirstThunk + i * self.obj_vm.profile.get_obj_size('_IMAGE_THUNK_DATA'), vm = self.obj_native_vm) if first_thunk: f = first_thunk.Function.v() yield o, f, n i += 1 def is_list_end(self): """Returns True if we've reached the list end""" data = self.obj_vm.zread( self.obj_offset, self.obj_vm.profile.get_obj_size('_IMAGE_IMPORT_DESCRIPTOR') ) return data.count(chr(0)) == len(data) class _LDR_DATA_TABLE_ENTRY(obj.CType): """ Class for PE file / modules If these classes are instantiated by _EPROCESS.list_*_modules() then its guaranteed to be in the process address space. 
FIXME: If these classes are found by modscan, ensure we can dereference properly with obj_native_vm. """ def _nt_header(self): """Return the _IMAGE_NT_HEADERS object""" try: dos_header = obj.Object("_IMAGE_DOS_HEADER", offset = self.DllBase, vm = self.obj_native_vm) return dos_header.get_nt_header() except ValueError: return obj.NoneObject("Failed initial sanity checks") except exceptions.SanityCheckException: return obj.NoneObject("Failed initial sanity checks. Try -u or --unsafe") def _directory(self, dir_index): """Return the requested IMAGE_DATA_DIRECTORY""" nt_header = self._nt_header() if nt_header == None: raise ValueError('No directory index {0}'.format(dir_index)) data_dir = nt_header.OptionalHeader.DataDirectory[dir_index] if data_dir == None: raise ValueError('No directory index {0}'.format(dir_index)) # Make sure the directory exists if data_dir.VirtualAddress == 0 or data_dir.Size == 0: raise ValueError('No directory index {0}'.format(dir_index)) # Make sure the directory VA and Size are sane if data_dir.VirtualAddress + data_dir.Size > nt_header.OptionalHeader.SizeOfImage: raise ValueError('Invalid directory for index {0}'.format(dir_index)) return data_dir def export_dir(self): """Return the IMAGE_DATA_DIRECTORY for exports""" return self._directory(0) # DIRECTORY_ENTRY_EXPORT def import_dir(self): """Return the IMAGE_DATA_DIRECTORY for imports""" return self._directory(1) # DIRECTORY_ENTRY_IMPORT def debug_dir(self): """Return the IMAGE_DEBUG_DIRECTORY for debug info""" return self._directory(6) # IMAGE_DEBUG_DIRECTORY def get_debug_directory(self): """Return the debug directory object for this PE""" try: data_dir = self.debug_dir() except ValueError, why: return obj.NoneObject(str(why)) return obj.Object("_IMAGE_DEBUG_DIRECTORY", offset = self.DllBase + data_dir.VirtualAddress, vm = self.obj_native_vm) def getprocaddress(self, func): """Return the RVA of func""" for _, f, n in self.exports(): if str(n or '') == func: return f return None def 
imports(self): """ Generator for the PE's imported functions. The _DIRECTORY_ENTRY_IMPORT.VirtualAddress points to an array of _IMAGE_IMPORT_DESCRIPTOR structures. The end is reached when the IID structure is all zeros. """ try: data_dir = self.import_dir() except ValueError, why: raise StopIteration(why) i = 0 desc_size = self.obj_vm.profile.get_obj_size('_IMAGE_IMPORT_DESCRIPTOR') while 1: desc = obj.Object('_IMAGE_IMPORT_DESCRIPTOR', vm = self.obj_native_vm, offset = self.DllBase + data_dir.VirtualAddress + (i * desc_size), parent = self) # Stop if the IID is paged or all zeros if desc == None or desc.is_list_end(): break # Stop if the IID contains invalid fields if not desc.valid(self._nt_header()): break dll_name = desc.dll_name() for o, f, n in desc._imported_functions(): yield dll_name, o, f, n i += 1 def exports(self): """Generator for the PE's exported functions""" try: data_dir = self.export_dir() except ValueError, why: raise StopIteration(why) expdir = obj.Object('_IMAGE_EXPORT_DIRECTORY', offset = self.DllBase + data_dir.VirtualAddress, vm = self.obj_native_vm, parent = self) if expdir.valid(self._nt_header()): # Ordinal, Function RVA, and Name Object for o, f, n in expdir._exported_functions(): yield o, f, n class WinPEVTypes(obj.ProfileModification): before = ['WindowsOverlay'] conditions = {'os': lambda x : x == 'windows'} def modification(self, profile): profile.vtypes.update(pe_vtypes) class WinPEx64VTypes(obj.ProfileModification): before = ['WinPEVTypes'] conditions = {'os': lambda x : x == 'windows', 'memory_model': lambda x: x == '64bit'} def modification(self, profile): profile.vtypes.update(pe_vtypes_64) class WinPEObjectClasses(obj.ProfileModification): before = ['WindowsOverlay'] conditions = {'os': lambda x : x == 'windows'} def modification(self, profile): profile.object_classes.update({ '_IMAGE_EXPORT_DIRECTORY': _IMAGE_EXPORT_DIRECTORY, '_IMAGE_IMPORT_DESCRIPTOR': _IMAGE_IMPORT_DESCRIPTOR, '_LDR_DATA_TABLE_ENTRY': _LDR_DATA_TABLE_ENTRY, 
        })

volatility-2.3.1/volatility/plugins/overlays/windows/vista_sp2_x64_vtypes.py

ntkrnlmp_types = {
'_PNP_DEVICE_EVENT_ENTRY' : [ 0x90, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'Data' : [ 0x40, ['_PLUGPLAY_EVENT_BLOCK']], } ],
'_CONFIGURATION_COMPONENT' : [ 0x28, { 'Class' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 'MemoryClass', 7: 'MaximumClass'})]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 14: 'TapeController', 15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 'AudioController', 24: 'OtherController', 25: 'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29:
'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]], 'Flags' : [ 0x8, ['_DEVICE_FLAGS']], 'Version' : [ 0xc, ['unsigned short']], 'Revision' : [ 0xe, ['unsigned short']], 'Key' : [ 0x10, ['unsigned long']], 'AffinityMask' : [ 0x14, ['unsigned long']], 'ConfigurationDataLength' : [ 0x18, ['unsigned long']], 'IdentifierLength' : [ 0x1c, ['unsigned long']], 'Identifier' : [ 0x20, ['pointer64', ['unsigned char']]], } ], '_KTRANSACTION' : [ 0x2d8, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x20, ['_KMUTANT']], 'TreeTx' : [ 0x58, ['pointer64', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x88, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0xb0, ['_GUID']], 'State' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0xc4, ['unsigned long']], 'EnlistmentHead' : [ 0xc8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xd8, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0xdc, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0xe0, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0xe4, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0xe8, ['unsigned long']], 'PendingResponses' : [ 0xec, ['unsigned long']], 'SuperiorEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'LastLsn' : [ 0xf8, ['_CLS_LSN']], 'PromotedEntry' : [ 
0x100, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0x110, ['pointer64', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0x118, ['pointer64', ['void']]], 'IsolationLevel' : [ 0x120, ['unsigned long']], 'IsolationFlags' : [ 0x124, ['unsigned long']], 'Timeout' : [ 0x128, ['_LARGE_INTEGER']], 'Description' : [ 0x130, ['_UNICODE_STRING']], 'RollbackThread' : [ 0x140, ['pointer64', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0x148, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0x168, ['_KDPC']], 'RollbackTimer' : [ 0x1a8, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x1e8, ['_LIST_ENTRY']], 'Outcome' : [ 0x1f8, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x200, ['pointer64', ['_KTM']]], 'CommitReservation' : [ 0x208, ['long long']], 'TransactionHistory' : [ 0x210, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x260, ['unsigned long']], 'DTCPrivateInformation' : [ 0x268, ['pointer64', ['void']]], 'DTCPrivateInformationLength' : [ 0x270, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x278, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x2b0, ['pointer64', ['void']]], 'PendingPromotionCount' : [ 0x2b8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x2c0, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x60, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' 
: [ 0x10, ['pointer64', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0x18, ['pointer64', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x38, ['pointer64', ['_CM_TRANS']]], 'UoWState' : [ 0x40, ['unsigned long']], 'ActionType' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x50, ['unsigned long']], 'OldValueCell' : [ 0x50, ['unsigned long']], 'NewValueCell' : [ 0x54, ['unsigned long']], 'UserFlags' : [ 0x50, ['unsigned long']], 'LastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x50, ['unsigned long']], 'OldChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x58, ['unsigned long']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long 
long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_KREQUEST_PACKET' : [ 0x20, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_202c' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_202e' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_202c']], 'Value' : [ 0x0, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_202e']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x38, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x18, ['unsigned long']], 'RealRefCount' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0x18, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x10, ['unsigned short']], 'Name' : [ 0x12, ['array', 1, ['wchar']]], } ], '_MMSECURE_FLAGS' : [ 
0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 12, native_type='unsigned long')]], } ], '_PO_IRP_QUEUE' : [ 0x10, { 'CurrentIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'PendingIrpList' : [ 0x8, ['pointer64', ['_IRP']]], } ], '__unnamed_2040' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, ['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x48, ['__unnamed_2040']], 'ChildrenCount' : [ 0x4c, ['long']], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0xa8, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x68, ['_KMUTANT']], 'LinksOffset' : [ 0xa0, ['unsigned short']], 'GuidOffset' : [ 0xa2, ['unsigned short']], 'Expired' : [ 0xa4, ['unsigned char']], } ], 
'_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, ['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, ['pointer64', ['void']]], 'Detail' : [ 0x8, ['unsigned long']], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x18, ['_UNICODE_STRING']], 'LinkTargetObject' : [ 0x28, ['pointer64', ['void']]], 'DosDeviceDriveIndex' : [ 0x30, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x28, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x10, ['pointer64', ['void']]], 'Key' : [ 0x18, ['unsigned long long']], 'BindingProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_EX_RUNDOWN_REF' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_CALL_PERFORMANCE_DATA' : 
[ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x40, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x30, ['array', 3, ['unsigned long']]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x50, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x40, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_HEAP_USERDATA_HEADER' : [ 0x20, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer64', ['_HEAP_SUBSEGMENT']]], 'Reserved' : [ 0x8, ['pointer64', ['void']]], 'SizeIndex' : [ 0x10, ['unsigned long long']], 'Signature' : [ 0x18, ['unsigned long long']], } ], '_PPM_DIA_STATS' : [ 0xc, { 'PerfLevel' : [ 0x0, ['unsigned long']], 'IdleTime' : [ 0x4, ['unsigned long']], 'TimeInterval' : [ 0x8, ['unsigned long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 
'Buffer' : [ 0x8, ['unsigned long long']], } ], '_STACK_TABLE' : [ 0x8088, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x8, ['array', 16, ['pointer64', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x88, ['array', 16381, ['unsigned short']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_DEFERRED_WRITE' : [ 0x50, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, ['unsigned long']], 'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'PostRoutine' : [ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], 'LimitModifiedPages' : [ 0x48, ['unsigned char']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [ 0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, 
['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 'GpValue' : [ 0x28, ['unsigned long']], 'ImageCharacteristics' : [ 0x2c, ['unsigned short']], 'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'ImageFlags' : [ 0x33, ['unsigned char']], 'ComPlusNativeReady' : [ 0x33, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x33, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x33, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x33, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x33, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'CheckSum' : [ 0x3c, ['unsigned long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1b, { 'PerUserPolicy' : [ 0x0, ['array', 27, ['unsigned char']]], } ], '__unnamed_2097' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_2099' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_209d' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_20a1' : [ 0x10, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x8, ['unsigned char']], } ], '__unnamed_20a3' : [ 0x28, { 
'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_2097']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_2099']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_209d']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_20a1']], 'Others' : [ 0x0, ['__unnamed_20a3']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, ['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_POP_HIBER_CONTEXT' : [ 0x178, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'WroteHiberFile' : [ 0x6, ['unsigned char']], 'Lock' : [ 0x8, ['unsigned long long']], 'MapFrozen' : [ 0x10, ['unsigned char']], 'MemoryMap' : [ 0x18, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x28, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x38, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x48, ['unsigned long']], 'NextCloneRange' : [ 0x50, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x58, ['unsigned long long']], 'LoaderMdl' : [ 0x60, 
['pointer64', ['_MDL']]], 'AllocatedMdl' : [ 0x68, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x70, ['unsigned long long']], 'IoPages' : [ 0x78, ['pointer64', ['void']]], 'IoPagesCount' : [ 0x80, ['unsigned long']], 'CurrentMcb' : [ 0x88, ['pointer64', ['void']]], 'DumpStack' : [ 0x90, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x98, ['pointer64', ['_KPROCESSOR_STATE']]], 'HiberVa' : [ 0xa0, ['unsigned long long']], 'HiberPte' : [ 0xa8, ['_LARGE_INTEGER']], 'Status' : [ 0xb0, ['long']], 'MemoryImage' : [ 0xb8, ['pointer64', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0xc0, ['pointer64', ['_PO_MEMORY_RANGE_TABLE']]], 'CompressionWorkspace' : [ 0xc8, ['pointer64', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0xd0, ['pointer64', ['unsigned char']]], 'PerformanceStats' : [ 0xd8, ['pointer64', ['unsigned long']]], 'CompressionBlock' : [ 0xe0, ['pointer64', ['void']]], 'DmaIO' : [ 0xe8, ['pointer64', ['void']]], 'TemporaryHeap' : [ 0xf0, ['pointer64', ['void']]], 'PerfInfo' : [ 0xf8, ['_PO_HIBER_PERF']], 'BootLoaderLogMdl' : [ 0x158, ['pointer64', ['_MDL']]], 'FirmwareRuntimeInformationMdl' : [ 0x160, ['pointer64', ['_MDL']]], 'ResumeContext' : [ 0x168, ['pointer64', ['void']]], 'ResumeContextPages' : [ 0x170, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x80, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer64', ['void']]]], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x110, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xa0, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0xa8, ['pointer64', ['void']]], 'PointersLength' : [ 0xb0, ['unsigned long']], 'ModulePrefix' : [ 0xb8, ['pointer64', ['unsigned short']]], 'DriverList' : [ 0xc0, ['_LIST_ENTRY']], 'InitMsg' : [ 0xd0, ['_STRING']], 'ProgMsg' : [ 0xe0, 
['_STRING']], 'DoneMsg' : [ 0xf0, ['_STRING']], 'FileObject' : [ 0x100, ['pointer64', ['void']]], 'UsageType' : [ 0x108, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x40, { 'ThreadHandle' : [ 0x0, ['pointer64', ['void']]], 'ThreadId' : [ 0x8, ['pointer64', ['void']]], 'ProcessId' : [ 0x10, ['pointer64', ['void']]], 'Code' : [ 0x18, ['unsigned long']], 'Parameter1' : [ 0x20, ['unsigned long long']], 'Parameter2' : [ 0x28, ['unsigned long long']], 'Parameter3' : [ 0x30, ['unsigned long long']], 'Parameter4' : [ 0x38, ['unsigned long long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x10, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'ImageMerge' : [ 0x8, ['pointer64', ['void']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_WHEA_GENERIC_PROCESSOR_ERROR_VALIDBITS' : [ 0x8, { 'ProcessorType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'InstructionSet' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Operation' : [ 0x0, ['BitField', 
dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Flags' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Level' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'CPUVersion' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'CPUBrandString' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'ProcessorId' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'TargetAddress' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'InstructionPointer' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '__unnamed_20cd' : [ 0x20, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_20cd']], } ], '__unnamed_20d1' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_20d1']], 'ullOffset' : [ 0x0, 
['unsigned long long']], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0x138, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'HiberPte' : [ 0x48, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x50, ['unsigned long']], 'FreeMapCheck' : [ 0x54, ['unsigned long']], 'WakeCheck' : [ 0x58, ['unsigned long']], 'TotalPages' : [ 0x60, ['unsigned long long']], 'FirstTablePage' : [ 0x68, ['unsigned long long']], 'PerfInfo' : [ 0x70, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0xd0, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0xd8, ['array', 1, ['unsigned long long']]], 'NoBootLoaderLogPages' : [ 0xe0, ['unsigned long']], 'BootLoaderLogPages' : [ 0xe8, ['array', 8, ['unsigned long long']]], 'NotUsed' : 
[ 0x128, ['unsigned long']], 'ResumeContextCheck' : [ 0x12c, ['unsigned long']], 'ResumeContextPages' : [ 0x130, ['unsigned long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x60, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], 'ResumeAppStartTime' : [ 0x48, ['unsigned long long']], 'ResumeAppEndTime' : [ 0x50, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x58, ['unsigned long long']], } ], '_DEVICE_FLAGS' : [ 0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ConsoleIn' : [ 0x0, ['BitField', 
dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x20, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0x18, ['unsigned char']], 'Reserved' : [ 0x19, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' : [ 0x10, { 'Entry' : [ 0x0, ['unsigned long long']], 'Writable' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ControlArea' : [ 0x8, ['pointer64', ['_CONTROL_AREA']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 
'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Flags' : [ 0x28, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x2c, ['unsigned short']], 'SpareUSHORT' : [ 0x2e, ['unsigned short']], } ], '__unnamed_20f0' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_20f2' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_20f4' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_20f6' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceIds' : [ 0x8, ['array', 1, ['wchar']]], } ], '__unnamed_20f8' : [ 0x8, { 'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_20fa' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_20fc' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_20fe' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_2100' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2102' : [ 0x1c, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'PowerSettingChanged' : [ 0x10, ['unsigned char']], 'DataLength' : [ 0x14, ['unsigned long']], 'Data' : [ 0x18, ['array', 1, ['unsigned char']]], } ], '__unnamed_2104' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_20f0']], 'TargetDevice' : [ 0x0, ['__unnamed_20f2']], 'InstallDevice' : [ 0x0, ['__unnamed_20f4']], 
'CustomNotification' : [ 0x0, ['__unnamed_20f6']], 'ProfileNotification' : [ 0x0, ['__unnamed_20f8']], 'PowerNotification' : [ 0x0, ['__unnamed_20fa']], 'VetoNotification' : [ 0x0, ['__unnamed_20fc']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_20fe']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_2100']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_2102']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x50, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'InvalidIDEvent', 10: 'PowerSettingChange', 11: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_2104']], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x40, { 'UsedBiosSettings' : [ 0x0, ['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0x10, ['pointer64', ['unsigned char']]], 'PciDeviceId' : [ 0x18, ['unsigned short']], 'PciVendorId' : [ 0x1a, ['unsigned short']], 'PciBusNumber' : [ 0x1c, ['unsigned char']], 'PciBusSegment' : [ 0x1e, ['unsigned short']], 'PciSlotNumber' : [ 0x20, ['unsigned char']], 'PciFunctionNumber' : [ 0x21, ['unsigned char']], 'PciFlags' : [ 0x24, ['unsigned long']], 'SystemGUID' : [ 0x28, ['_GUID']], 'IsMMIODevice' : [ 0x38, ['unsigned char']], 'TerminalType' : [ 0x39, ['unsigned char']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 
'NotifyList' : [ 0x10, ['_LIST_ENTRY']], } ], '__unnamed_2117' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_2119' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_211b' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_2117']], 'Gpt' : [ 0x0, ['__unnamed_2119']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xa0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_211b']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x48, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'Hint' : [ 0x10, ['unsigned long']], 'BasePte' : [ 0x18, ['pointer64', ['_MMPTE']]], 'FailureCount' : [ 0x20, ['pointer64', ['unsigned long']]], 'Vm' : [ 0x28, ['pointer64', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x30, ['long']], 'TotalFreeSystemPtes' : [ 0x34, ['long']], 'CachedPteCount' : [ 0x38, ['long']], 'PteFailures' : [ 0x3c, ['unsigned long']], 'GlobalMutex' : [ 0x40, ['pointer64', ['_KGUARDED_MUTEX']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x20, { 'DHCPServerACK' : [ 0x0, ['pointer64', ['unsigned char']]], 'DHCPServerACKLength' : [ 0x8, ['unsigned long']], 
'BootServerReplyPacket' : [ 0x10, ['pointer64', ['unsigned char']]], 'BootServerReplyPacketLength' : [ 0x18, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x250, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, ['unsigned long long']], 'Rsp2' : [ 0x14, ['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x28, ['_LIST_ENTRY']], 'WaitS0' : [ 0x38, ['_LIST_ENTRY']], } ], '_VI_DEADLOCK_ADDRESS_RANGE' : [ 0x10, { 'Start' : [ 0x0, ['pointer64', ['unsigned char']]], 'End' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 
'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_ETW_REPLY_QUEUE' : [ 0x48, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x40, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_PO_MEMORY_RANGE_TABLE' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_PO_MEMORY_RANGE_TABLE']]], 'NextTable' : [ 0x8, ['unsigned long long']], 'EntryCount' : [ 0x10, ['unsigned long']], 'Range' : [ 0x18, ['array', 1, ['_PO_MEMORY_RANGE']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '__unnamed_214b' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], 
'__unnamed_214f' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 0x4, ['__unnamed_214b']], 'Bits' : [ 0x4, ['__unnamed_214f']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x68, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x20, ['pointer64', ['void']]], 'WhichOrderedElement' : [ 0x28, ['unsigned long']], 'NumberGenericTableElements' : [ 0x2c, ['unsigned long']], 'DepthOfTree' : [ 0x30, ['unsigned long']], 'RestartKey' : [ 0x38, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x40, ['unsigned long']], 'CompareRoutine' : [ 0x48, ['pointer64', ['void']]], 'AllocateRoutine' : [ 0x50, ['pointer64', ['void']]], 'FreeRoutine' : [ 0x58, 
['pointer64', ['void']]], 'TableContext' : [ 0x60, ['pointer64', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_PO_MEMORY_RANGE' : [ 0x10, { 'StartPage' : [ 0x0, ['unsigned long long']], 'EndPage' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '__unnamed_101f' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_101f']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1024' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1024']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_103d' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_103f' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_103d']], } ], '_TP_CALLBACK_ENVIRON' : [ 0x40, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x8, ['pointer64', ['_TP_POOL']]], 'CleanupGroup' : [ 0x10, ['pointer64', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0x18, ['pointer64', ['void']]], 'RaceDll' : [ 0x20, ['pointer64', ['void']]], 'ActivationContext' : [ 0x28, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x30, ['pointer64', 
['void']]], 'u' : [ 0x38, ['__unnamed_103f']], } ], '_TP_TASK_CALLBACKS' : [ 0x10, { 'ExecuteCallback' : [ 0x0, ['pointer64', ['void']]], 'Unposted' : [ 0x8, ['pointer64', ['void']]], } ], '_TP_TASK' : [ 0x8, { 'Callbacks' : [ 0x0, ['pointer64', ['_TP_TASK_CALLBACKS']]], } ], '_TP_DIRECT' : [ 0x8, { 'Callback' : [ 0x0, ['pointer64', ['void']]], } ], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, { 'Next' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_UNICODE_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], '_KPRCB' : [ 0x3b20, { 'MxCsr' : [ 0x0, ['unsigned long']], 'Number' : [ 0x4, ['unsigned short']], 'InterruptRequest' : [ 0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NestingLevel' : [ 0x20, ['unsigned char']], 'Group' : [ 0x21, ['unsigned char']], 'PrcbPad00' : [ 0x22, ['array', 6, ['unsigned char']]], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'SetMember' : [ 0x38, ['unsigned long long']], 'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']], 
'CpuType' : [ 0x5f0, ['unsigned char']], 'CpuID' : [ 0x5f1, ['unsigned char']], 'CpuStep' : [ 0x5f2, ['unsigned short']], 'CpuStepping' : [ 0x5f2, ['unsigned char']], 'CpuModel' : [ 0x5f3, ['unsigned char']], 'MHz' : [ 0x5f4, ['unsigned long']], 'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x638, ['unsigned short']], 'MajorVersion' : [ 0x63a, ['unsigned short']], 'BuildType' : [ 0x63c, ['unsigned char']], 'CpuVendor' : [ 0x63d, ['unsigned char']], 'CoresPerPhysicalProcessor' : [ 0x63e, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x63f, ['unsigned char']], 'ApicMask' : [ 0x640, ['unsigned long']], 'CFlushSize' : [ 0x644, ['unsigned long']], 'AcpiReserved' : [ 0x648, ['pointer64', ['void']]], 'InitialApicId' : [ 0x650, ['unsigned long']], 'Stride' : [ 0x654, ['unsigned long']], 'PrcbPad01' : [ 0x658, ['array', 3, ['unsigned long long']]], 'LockQueue' : [ 0x670, ['array', 49, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x980, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0xa80, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1680, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x2280, ['unsigned long long']], 'DeferredReadyListHead' : [ 0x2288, ['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x2290, ['long']], 'MmCopyOnWriteCount' : [ 0x2294, ['long']], 'MmTransitionCount' : [ 0x2298, ['long']], 'MmDemandZeroCount' : [ 0x229c, ['long']], 'MmPageReadCount' : [ 0x22a0, ['long']], 'MmPageReadIoCount' : [ 0x22a4, ['long']], 'MmDirtyPagesWriteCount' : [ 0x22a8, ['long']], 'MmDirtyWriteIoCount' : [ 0x22ac, ['long']], 'MmMappedPagesWriteCount' : [ 0x22b0, ['long']], 'MmMappedWriteIoCount' : [ 0x22b4, ['long']], 'KeSystemCalls' : [ 0x22b8, ['unsigned long']], 'KeContextSwitches' : [ 0x22bc, ['unsigned long']], 'CcFastReadNoWait' : [ 0x22c0, ['unsigned long']], 'CcFastReadWait' : [ 0x22c4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x22c8, ['unsigned long']], 
'CcCopyReadNoWait' : [ 0x22cc, ['unsigned long']], 'CcCopyReadWait' : [ 0x22d0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x22d4, ['unsigned long']], 'LookasideIrpFloat' : [ 0x22d8, ['long']], 'IoReadOperationCount' : [ 0x22dc, ['long']], 'IoWriteOperationCount' : [ 0x22e0, ['long']], 'IoOtherOperationCount' : [ 0x22e4, ['long']], 'IoReadTransferCount' : [ 0x22e8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x22f0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x22f8, ['_LARGE_INTEGER']], 'TargetSet' : [ 0x2300, ['unsigned long long']], 'IpiFrozen' : [ 0x2308, ['unsigned long']], 'PrcbPad3' : [ 0x230c, ['array', 116, ['unsigned char']]], 'RequestMailbox' : [ 0x2380, ['array', 64, ['_REQUEST_MAILBOX']]], 'SenderSummary' : [ 0x3380, ['unsigned long long']], 'PrcbPad4' : [ 0x3388, ['array', 120, ['unsigned char']]], 'DpcData' : [ 0x3400, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x3440, ['pointer64', ['void']]], 'SparePtr0' : [ 0x3448, ['pointer64', ['void']]], 'MaximumDpcQueueDepth' : [ 0x3450, ['long']], 'DpcRequestRate' : [ 0x3454, ['unsigned long']], 'MinimumDpcRate' : [ 0x3458, ['unsigned long']], 'DpcInterruptRequested' : [ 0x345c, ['unsigned char']], 'DpcThreadRequested' : [ 0x345d, ['unsigned char']], 'DpcRoutineActive' : [ 0x345e, ['unsigned char']], 'DpcThreadActive' : [ 0x345f, ['unsigned char']], 'TimerHand' : [ 0x3460, ['unsigned long long']], 'TimerRequest' : [ 0x3460, ['unsigned long long']], 'TickOffset' : [ 0x3468, ['long']], 'MasterOffset' : [ 0x346c, ['long']], 'DpcLastCount' : [ 0x3470, ['unsigned long']], 'ThreadDpcEnable' : [ 0x3474, ['unsigned char']], 'QuantumEnd' : [ 0x3475, ['unsigned char']], 'PrcbPad50' : [ 0x3476, ['unsigned char']], 'IdleSchedule' : [ 0x3477, ['unsigned char']], 'DpcSetEventRequest' : [ 0x3478, ['long']], 'KeExceptionDispatchCount' : [ 0x347c, ['unsigned long']], 'DpcEvent' : [ 0x3480, ['_KEVENT']], 'PrcbPad51' : [ 0x3498, ['pointer64', ['void']]], 'CallDpc' : [ 0x34a0, ['_KDPC']], 'ClockKeepAlive' : [ 
0x34e0, ['long']], 'ClockCheckSlot' : [ 0x34e4, ['unsigned char']], 'ClockPollCycle' : [ 0x34e5, ['unsigned char']], 'PrcbPad6' : [ 0x34e6, ['array', 2, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x34e8, ['long']], 'DpcWatchdogCount' : [ 0x34ec, ['long']], 'PrcbPad70' : [ 0x34f0, ['array', 2, ['unsigned long long']]], 'WaitListHead' : [ 0x3500, ['_LIST_ENTRY']], 'WaitLock' : [ 0x3510, ['unsigned long long']], 'ReadySummary' : [ 0x3518, ['unsigned long']], 'QueueIndex' : [ 0x351c, ['unsigned long']], 'PrcbPad71' : [ 0x3520, ['array', 12, ['unsigned long long']]], 'DispatcherReadyListHead' : [ 0x3580, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x3780, ['unsigned long']], 'KernelTime' : [ 0x3784, ['unsigned long']], 'UserTime' : [ 0x3788, ['unsigned long']], 'DpcTime' : [ 0x378c, ['unsigned long']], 'InterruptTime' : [ 0x3790, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x3794, ['unsigned long']], 'SkipTick' : [ 0x3798, ['unsigned char']], 'DebuggerSavedIRQL' : [ 0x3799, ['unsigned char']], 'PollSlot' : [ 0x379a, ['unsigned char']], 'PrcbPad80' : [ 0x379b, ['array', 5, ['unsigned char']]], 'DpcTimeCount' : [ 0x37a0, ['unsigned long']], 'DpcTimeLimit' : [ 0x37a4, ['unsigned long']], 'PeriodicCount' : [ 0x37a8, ['unsigned long']], 'PeriodicBias' : [ 0x37ac, ['unsigned long']], 'PrcbPad81' : [ 0x37b0, ['array', 2, ['unsigned long long']]], 'ParentNode' : [ 0x37c0, ['pointer64', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x37c8, ['unsigned long long']], 'MultiThreadSetMaster' : [ 0x37d0, ['pointer64', ['_KPRCB']]], 'StartCycles' : [ 0x37d8, ['unsigned long long']], 'MmSpinLockOrdering' : [ 0x37e0, ['long']], 'PageColor' : [ 0x37e4, ['unsigned long']], 'NodeColor' : [ 0x37e8, ['unsigned long']], 'NodeShiftedColor' : [ 0x37ec, ['unsigned long']], 'SecondaryColorMask' : [ 0x37f0, ['unsigned long']], 'Sleeping' : [ 0x37f4, ['long']], 'CycleTime' : [ 0x37f8, ['unsigned long long']], 'CcFastMdlReadNoWait' : [ 0x3800, ['unsigned long']], 'CcFastMdlReadWait' : [ 
0x3804, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x3808, ['unsigned long']], 'CcMapDataNoWait' : [ 0x380c, ['unsigned long']], 'CcMapDataWait' : [ 0x3810, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x3814, ['unsigned long']], 'CcPinReadNoWait' : [ 0x3818, ['unsigned long']], 'CcPinReadWait' : [ 0x381c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x3820, ['unsigned long']], 'CcMdlReadWait' : [ 0x3824, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x3828, ['unsigned long']], 'CcLazyWriteIos' : [ 0x382c, ['unsigned long']], 'CcLazyWritePages' : [ 0x3830, ['unsigned long']], 'CcDataFlushes' : [ 0x3834, ['unsigned long']], 'CcDataPages' : [ 0x3838, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x383c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x3840, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x3844, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x3848, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x384c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x3850, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x3854, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x3858, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x385c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x3860, ['unsigned long']], 'CcReadAheadIos' : [ 0x3864, ['unsigned long']], 'MmCacheTransitionCount' : [ 0x3868, ['long']], 'MmCacheReadCount' : [ 0x386c, ['long']], 'MmCacheIoCount' : [ 0x3870, ['long']], 'PrcbPad91' : [ 0x3874, ['array', 3, ['unsigned long']]], 'PowerState' : [ 0x3880, ['_PROCESSOR_POWER_STATE']], 'KeAlignmentFixupCount' : [ 0x3998, ['unsigned long']], 'VendorString' : [ 0x399c, ['array', 13, ['unsigned char']]], 'PrcbPad10' : [ 0x39a9, ['array', 3, ['unsigned char']]], 'FeatureBits' : [ 0x39ac, ['unsigned long']], 'UpdateSignature' : [ 0x39b0, ['_LARGE_INTEGER']], 'DpcWatchdogDpc' : [ 0x39b8, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x39f8, ['_KTIMER']], 'Cache' : [ 0x3a38, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x3a74, ['unsigned long']], 'CachedCommit' : [ 
0x3a78, ['unsigned long']], 'CachedResidentAvailable' : [ 0x3a7c, ['unsigned long']], 'HyperPte' : [ 0x3a80, ['pointer64', ['void']]], 'WheaInfo' : [ 0x3a88, ['pointer64', ['void']]], 'EtwSupport' : [ 0x3a90, ['pointer64', ['void']]], 'InterruptObjectPool' : [ 0x3aa0, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x3ab0, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x3ac0, ['pointer64', ['void']]], 'VirtualApicAssist' : [ 0x3ac8, ['pointer64', ['void']]], 'StatisticsPage' : [ 0x3ad0, ['pointer64', ['unsigned long long']]], 'RateControl' : [ 0x3ad8, ['pointer64', ['void']]], 'CacheProcessorMask' : [ 0x3ae0, ['array', 5, ['unsigned long long']]], 'PackageProcessorSet' : [ 0x3b08, ['unsigned long long']], 'CoreProcessorSet' : [ 0x3b10, ['unsigned long long']], } ], '_KTHREAD' : [ 0x330, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'CycleTime' : [ 0x18, ['unsigned long long']], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'KernelStack' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 0x40, ['unsigned long long']], 'ApcState' : [ 0x48, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x48, ['array', 43, ['unsigned char']]], 'Priority' : [ 0x73, ['unsigned char']], 'NextProcessor' : [ 0x74, ['unsigned short']], 'DeferredProcessor' : [ 0x76, ['unsigned short']], 'ApcQueueLock' : [ 0x78, ['unsigned long long']], 'WaitStatus' : [ 0x80, ['long long']], 'WaitBlockList' : [ 0x88, ['pointer64', ['_KWAIT_BLOCK']]], 'GateObject' : [ 0x88, ['pointer64', ['_KGATE']]], 'KernelStackResident' : [ 0x90, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x90, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x90, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x90, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 
'SystemAffinityActive' : [ 0x90, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x90, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GdiFlushActive' : [ 0x90, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x90, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x90, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x90, ['long']], 'WaitReason' : [ 0x94, ['unsigned char']], 'SwapBusy' : [ 0x95, ['unsigned char']], 'Alerted' : [ 0x96, ['array', 2, ['unsigned char']]], 'WaitListEntry' : [ 0x98, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x98, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xa8, ['pointer64', ['_KQUEUE']]], 'Teb' : [ 0xb0, ['pointer64', ['void']]], 'Timer' : [ 0xb8, ['_KTIMER']], 'TimerFill' : [ 0xb8, ['array', 60, ['unsigned char']]], 'AutoAlignment' : [ 0xf4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0xf4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0xf4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EtwStackTraceApc2Inserted' : [ 0xf4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CycleChargePending' : [ 0xf4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CalloutActive' : [ 0xf4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ApcQueueable' : [ 0xf4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'EnableStackSwap' : [ 0xf4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'GuiThread' : [ 0xf4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedFlags' : [ 0xf4, ['BitField', dict(start_bit = 9, end_bit = 
32, native_type='unsigned long')]], 'ThreadFlags' : [ 0xf4, ['long']], 'WaitBlock' : [ 0xf8, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill0' : [ 0xf8, ['array', 43, ['unsigned char']]], 'IdealProcessor' : [ 0x123, ['unsigned char']], 'WaitBlockFill1' : [ 0xf8, ['array', 91, ['unsigned char']]], 'PreviousMode' : [ 0x153, ['unsigned char']], 'WaitBlockFill2' : [ 0xf8, ['array', 139, ['unsigned char']]], 'ResourceIndex' : [ 0x183, ['unsigned char']], 'WaitBlockFill3' : [ 0xf8, ['array', 187, ['unsigned char']]], 'LargeStack' : [ 0x1b3, ['unsigned char']], 'WaitBlockFill4' : [ 0xf8, ['array', 44, ['unsigned char']]], 'ContextSwitches' : [ 0x124, ['unsigned long']], 'WaitBlockFill5' : [ 0xf8, ['array', 92, ['unsigned char']]], 'State' : [ 0x154, ['unsigned char']], 'NpxState' : [ 0x155, ['unsigned char']], 'WaitIrql' : [ 0x156, ['unsigned char']], 'WaitMode' : [ 0x157, ['unsigned char']], 'WaitBlockFill6' : [ 0xf8, ['array', 140, ['unsigned char']]], 'WaitTime' : [ 0x184, ['unsigned long']], 'WaitBlockFill7' : [ 0xf8, ['array', 188, ['unsigned char']]], 'KernelApcDisable' : [ 0x1b4, ['short']], 'SpecialApcDisable' : [ 0x1b6, ['short']], 'CombinedApcDisable' : [ 0x1b4, ['unsigned long']], 'QueueListEntry' : [ 0x1b8, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x1c8, ['pointer64', ['_KTRAP_FRAME']]], 'FirstArgument' : [ 0x1d0, ['pointer64', ['void']]], 'CallbackStack' : [ 0x1d8, ['pointer64', ['void']]], 'CallbackDepth' : [ 0x1d8, ['unsigned long long']], 'ApcStateIndex' : [ 0x1e0, ['unsigned char']], 'BasePriority' : [ 0x1e1, ['unsigned char']], 'PriorityDecrement' : [ 0x1e2, ['unsigned char']], 'Preempted' : [ 0x1e3, ['unsigned char']], 'AdjustReason' : [ 0x1e4, ['unsigned char']], 'AdjustIncrement' : [ 0x1e5, ['unsigned char']], 'Spare01' : [ 0x1e6, ['unsigned char']], 'Saturation' : [ 0x1e7, ['unsigned char']], 'SystemCallNumber' : [ 0x1e8, ['unsigned long']], 'FreezeCount' : [ 0x1ec, ['unsigned long']], 'UserAffinity' : [ 0x1f0, ['unsigned long long']], 'Process' : [ 0x1f8, 
['pointer64', ['_KPROCESS']]], 'Affinity' : [ 0x200, ['unsigned long long']], 'ApcStatePointer' : [ 0x208, ['array', 2, ['pointer64', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x218, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x218, ['array', 43, ['unsigned char']]], 'Spare02' : [ 0x243, ['unsigned char']], 'SuspendCount' : [ 0x244, ['unsigned char']], 'UserIdealProcessor' : [ 0x245, ['unsigned char']], 'Spare03' : [ 0x246, ['unsigned char']], 'CodePatchInProgress' : [ 0x247, ['unsigned char']], 'Win32Thread' : [ 0x248, ['pointer64', ['void']]], 'StackBase' : [ 0x250, ['pointer64', ['void']]], 'SuspendApc' : [ 0x258, ['_KAPC']], 'SuspendApcFill0' : [ 0x258, ['array', 1, ['unsigned char']]], 'Spare04' : [ 0x259, ['unsigned char']], 'SuspendApcFill1' : [ 0x258, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x25b, ['unsigned char']], 'SuspendApcFill2' : [ 0x258, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x25c, ['unsigned long']], 'SuspendApcFill3' : [ 0x258, ['array', 64, ['unsigned char']]], 'WaitPrcb' : [ 0x298, ['pointer64', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x258, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x2a0, ['pointer64', ['void']]], 'SuspendApcFill5' : [ 0x258, ['array', 83, ['unsigned char']]], 'PowerState' : [ 0x2ab, ['unsigned char']], 'UserTime' : [ 0x2ac, ['unsigned long']], 'SuspendSemaphore' : [ 0x2b0, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x2b0, ['array', 28, ['unsigned char']]], 'SListFaultCount' : [ 0x2cc, ['unsigned long']], 'ThreadListEntry' : [ 0x2d0, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x2e0, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x2f0, ['pointer64', ['void']]], 'ReadOperationCount' : [ 0x2f8, ['long long']], 'WriteOperationCount' : [ 0x300, ['long long']], 'OtherOperationCount' : [ 0x308, ['long long']], 'ReadTransferCount' : [ 0x310, ['long long']], 'WriteTransferCount' : [ 0x318, ['long long']], 'OtherTransferCount' : [ 0x320, ['long long']], 'MdlForLockedTeb' : [ 0x328, ['pointer64', ['void']]], } ], 
'_KERNEL_STACK_CONTROL' : [ 0x250, { 'XmmSaveArea' : [ 0x0, ['_XMM_SAVE_AREA32']], 'Current' : [ 0x200, ['_KERNEL_STACK_SEGMENT']], 'Previous' : [ 0x228, ['_KERNEL_STACK_SEGMENT']], } ], '_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '__unnamed_1119' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 25, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 61, native_type='unsigned long long')]], 'Region' : [ 0x8, ['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_111e' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_1121' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, 
end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long long']], 'Header8' : [ 0x0, ['__unnamed_1119']], 'Header16' : [ 0x0, ['__unnamed_111e']], 'HeaderX64' : [ 0x0, ['__unnamed_1121']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_LOOKASIDE_LIST_EX' : [ 0x60, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_IO_STATUS_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 'Information' : [ 0x8, ['unsigned long long']], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x100, { 'Locks' : [ 0x0, ['array', 32, ['pointer64', ['_EX_PUSH_LOCK']]]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 
0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x40, { 'WakeGate' : [ 0x0, ['_KGATE']], 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x18, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x20, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x28, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x30, ['long']], 
'Flags' : [ 0x34, ['long']], } ], '_ETHREAD' : [ 0x450, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x330, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x338, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x338, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x348, ['long']], 'OfsChain' : [ 0x348, ['pointer64', ['void']]], 'PostBlockList' : [ 0x350, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x350, ['pointer64', ['void']]], 'StartAddress' : [ 0x358, ['pointer64', ['void']]], 'TerminationPort' : [ 0x360, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x360, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x360, ['pointer64', ['void']]], 'Win32StartParameter' : [ 0x360, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x368, ['unsigned long long']], 'ActiveTimerListHead' : [ 0x370, ['_LIST_ENTRY']], 'Cid' : [ 0x380, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x390, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x390, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x3b0, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x3b8, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x3c8, ['unsigned long long']], 'DeviceToVerify' : [ 0x3d0, ['pointer64', ['_DEVICE_OBJECT']]], 'RateControlApc' : [ 0x3d8, ['pointer64', ['_PSP_RATE_APC']]], 'Win32StartAddress' : [ 0x3e0, ['pointer64', ['void']]], 'SparePtr0' : [ 0x3e8, ['pointer64', ['void']]], 'ThreadListEntry' : [ 0x3f0, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x400, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x408, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x410, ['unsigned long']], 'MmLockOrdering' : [ 0x414, ['long']], 'CrossThreadFlags' : [ 0x418, ['unsigned long']], 'Terminated' : [ 0x418, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x418, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x418, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x418, ['BitField', dict(start_bit = 3, end_bit = 4, 
native_type='unsigned long')]], 'SystemThread' : [ 0x418, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x418, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x418, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x418, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x418, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x418, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x418, ['BitField', dict(start_bit = 10, end_bit = 13, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x418, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x418, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x41c, ['unsigned long']], 'ActiveExWorker' : [ 0x41c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x41c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x41c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ClonedThread' : [ 0x41c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x41c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x41c, ['BitField', dict(start_bit = 5, end_bit = 7, native_type='unsigned long')]], 'SelfTerminate' : [ 0x41c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x420, ['unsigned long']], 'Spare' : [ 0x420, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x420, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwPageFaultCalloutActive' : [ 0x420, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x420, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x420, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemWorkingSetExclusive' : [ 0x420, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemWorkingSetShared' : [ 0x420, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x420, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x421, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x421, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x421, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x421, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x421, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsDynamicMemoryShared' : [ 0x421, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x421, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x421, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare1' : [ 0x422, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x423, ['unsigned char']], 'CacheManagerActive' : [ 0x424, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x425, ['unsigned char']], 
'ActiveFaultCount' : [ 0x426, ['unsigned char']], 'AlpcMessageId' : [ 0x428, ['unsigned long long']], 'AlpcMessage' : [ 0x430, ['pointer64', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x430, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x438, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x448, ['unsigned long']], } ], '_EPROCESS' : [ 0x3e8, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0xc0, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0xc8, ['_LARGE_INTEGER']], 'ExitTime' : [ 0xd0, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0xd8, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0xe0, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0xe8, ['_LIST_ENTRY']], 'QuotaUsage' : [ 0xf8, ['array', 3, ['unsigned long long']]], 'QuotaPeak' : [ 0x110, ['array', 3, ['unsigned long long']]], 'CommitCharge' : [ 0x128, ['unsigned long long']], 'PeakVirtualSize' : [ 0x130, ['unsigned long long']], 'VirtualSize' : [ 0x138, ['unsigned long long']], 'SessionProcessLinks' : [ 0x140, ['_LIST_ENTRY']], 'DebugPort' : [ 0x150, ['pointer64', ['void']]], 'ExceptionPortData' : [ 0x158, ['pointer64', ['void']]], 'ExceptionPortValue' : [ 0x158, ['unsigned long long']], 'ExceptionPortState' : [ 0x158, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'ObjectTable' : [ 0x160, ['pointer64', ['_HANDLE_TABLE']]], 'Token' : [ 0x168, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0x170, ['unsigned long long']], 'AddressCreationLock' : [ 0x178, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x180, ['pointer64', ['_ETHREAD']]], 'ForkInProgress' : [ 0x188, ['pointer64', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x190, ['unsigned long long']], 'PhysicalVadRoot' : [ 0x198, ['pointer64', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x1a0, ['pointer64', ['void']]], 'NumberOfPrivatePages' : [ 0x1a8, ['unsigned long long']], 'NumberOfLockedPages' : [ 0x1b0, ['unsigned long long']], 'Win32Process' : [ 0x1b8, ['pointer64', ['void']]], 'Job' : [ 0x1c0, ['pointer64', ['_EJOB']]], 'SectionObject' : [ 0x1c8, 
['pointer64', ['void']]], 'SectionBaseAddress' : [ 0x1d0, ['pointer64', ['void']]], 'QuotaBlock' : [ 0x1d8, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'WorkingSetWatch' : [ 0x1e0, ['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x1e8, ['pointer64', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x1f0, ['pointer64', ['void']]], 'LdtInformation' : [ 0x1f8, ['pointer64', ['void']]], 'Spare' : [ 0x200, ['pointer64', ['void']]], 'VdmObjects' : [ 0x208, ['pointer64', ['void']]], 'DeviceMap' : [ 0x210, ['pointer64', ['void']]], 'EtwDataSource' : [ 0x218, ['pointer64', ['void']]], 'FreeTebHint' : [ 0x220, ['pointer64', ['void']]], 'PageDirectoryPte' : [ 0x228, ['_HARDWARE_PTE']], 'Filler' : [ 0x228, ['unsigned long long']], 'Session' : [ 0x230, ['pointer64', ['void']]], 'ImageFileName' : [ 0x238, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x248, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x258, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x260, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x270, ['pointer64', ['void']]], 'Wow64Process' : [ 0x278, ['pointer64', ['void']]], 'ActiveThreads' : [ 0x280, ['unsigned long']], 'ImagePathHash' : [ 0x284, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x288, ['unsigned long']], 'LastThreadExitStatus' : [ 0x28c, ['long']], 'Peb' : [ 0x290, ['pointer64', ['_PEB']]], 'PrefetchTrace' : [ 0x298, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x2a0, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x2a8, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x2b0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x2b8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x2c0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x2c8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x2d0, ['unsigned long long']], 'CommitChargePeak' : [ 0x2d8, ['unsigned long long']], 'AweInfo' : [ 0x2e0, ['pointer64', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x2e8, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x2f0, ['_MMSUPPORT']], 'MmProcessLinks' : [ 
0x358, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x368, ['unsigned long']], 'Flags2' : [ 0x36c, ['unsigned long']], 'JobNotReallyActive' : [ 0x36c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x36c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x36c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x36c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x36c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x36c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x36c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x36c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x36c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x36c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x36c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtectedProcess' : [ 0x36c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x36c, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x36c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x36c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x36c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x36c, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned 
long')]], 'AffinityUpdateEnable' : [ 0x36c, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x36c, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Flags' : [ 0x370, ['unsigned long']], 'CreateReported' : [ 0x370, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x370, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x370, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x370, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x370, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x370, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x370, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x370, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x370, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x370, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x370, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x370, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x370, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x370, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x370, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x370, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 
'OverrideAddressSpace' : [ 0x370, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x370, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x370, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x370, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x370, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x370, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x370, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x370, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SmapAllowed' : [ 0x370, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x370, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x370, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x370, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SpareProcessFlags' : [ 0x370, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x374, ['long']], 'Spare7' : [ 0x378, ['unsigned short']], 'SubSystemMinorVersion' : [ 0x37a, ['unsigned char']], 'SubSystemMajorVersion' : [ 0x37b, ['unsigned char']], 'SubSystemVersion' : [ 0x37a, ['unsigned short']], 'PriorityClass' : [ 0x37c, ['unsigned char']], 'VadRoot' : [ 0x380, ['_MM_AVL_TABLE']], 'Cookie' : [ 0x3c0, ['unsigned long']], 'AlpcContext' : [ 0x3c8, ['_ALPC_PROCESS_CONTEXT']], } ], '__unnamed_11eb' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 
0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_11eb']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], '__unnamed_11f9' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_11fe' : [ 0x10, { 'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1200' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_11fe']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_120b' : [ 0x50, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_120d' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_120b']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned 
short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, ['__unnamed_11f9']], 'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : [ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : [ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_1200']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 0x78, ['__unnamed_120d']], } ], '__unnamed_1213' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'FileAttributes' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'EaLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1217' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_121b' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_121d' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1221' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' 
: [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_1223' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_1225' : [ 
0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]], } ], '__unnamed_1227' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 
'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0x18, ['unsigned char']], 'AdvanceOnly' : [ 0x19, ['unsigned char']], 'ClusterCount' : [ 0x18, ['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1229' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', 
['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 'EaIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_122b' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_122f' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'})]], } ], '__unnamed_1231' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1233' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1235' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'IoControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1237' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1239' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_123d' : [ 0x10, { 'Vpb' : [ 0x0, ['pointer64', ['_VPB']]], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_1241' : [ 0x8, { 'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1245' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x8, ['pointer64', ['void']]], 'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 
0x18, ['unsigned long']], } ], '__unnamed_1249' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_1250' : [ 0x20, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'Size' : [ 0x8, ['unsigned short']], 'Version' : [ 0xa, ['unsigned short']], 'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1254' : [ 0x8, { 'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1258' : [ 0x8, { 'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_125a' : [ 0x20, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['void']]], 'Offset' : [ 0x10, ['unsigned long']], 'Length' : [ 0x18, ['unsigned long']], } ], '__unnamed_125c' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_1260' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_1264' : [ 0x10, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x8, ['unsigned long']], } ], '__unnamed_1268' : [ 0x10, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_126c' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 
'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_1270' : [ 0x8, { 'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]], } ], '__unnamed_1278' : [ 0x20, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x10, ['_POWER_STATE']], 'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_127c' : [ 0x10, { 'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_127e' : [ 0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1280' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1282' : [ 0x20, { 'Create' : [ 0x0, ['__unnamed_1213']], 'CreatePipe' : [ 0x0, ['__unnamed_1217']], 'CreateMailslot' : [ 0x0, ['__unnamed_121b']], 'Read' : [ 0x0, ['__unnamed_121d']], 'Write' : [ 0x0, ['__unnamed_121d']], 'QueryDirectory' : [ 0x0, ['__unnamed_1221']], 'NotifyDirectory' : [ 0x0, ['__unnamed_1223']], 'QueryFile' : [ 0x0, ['__unnamed_1225']], 'SetFile' : [ 0x0, ['__unnamed_1227']], 'QueryEa' : [ 0x0, ['__unnamed_1229']], 'SetEa' : [ 0x0, ['__unnamed_122b']], 'QueryVolume' : [ 0x0, ['__unnamed_122f']], 'SetVolume' : [ 0x0, 
['__unnamed_122f']], 'FileSystemControl' : [ 0x0, ['__unnamed_1231']], 'LockControl' : [ 0x0, ['__unnamed_1233']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1235']], 'QuerySecurity' : [ 0x0, ['__unnamed_1237']], 'SetSecurity' : [ 0x0, ['__unnamed_1239']], 'MountVolume' : [ 0x0, ['__unnamed_123d']], 'VerifyVolume' : [ 0x0, ['__unnamed_123d']], 'Scsi' : [ 0x0, ['__unnamed_1241']], 'QueryQuota' : [ 0x0, ['__unnamed_1245']], 'SetQuota' : [ 0x0, ['__unnamed_122b']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1249']], 'QueryInterface' : [ 0x0, ['__unnamed_1250']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_1254']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1258']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_125a']], 'SetLock' : [ 0x0, ['__unnamed_125c']], 'QueryId' : [ 0x0, ['__unnamed_1260']], 'QueryDeviceText' : [ 0x0, ['__unnamed_1264']], 'UsageNotification' : [ 0x0, ['__unnamed_1268']], 'WaitWake' : [ 0x0, ['__unnamed_126c']], 'PowerSequence' : [ 0x0, ['__unnamed_1270']], 'Power' : [ 0x0, ['__unnamed_1278']], 'StartDevice' : [ 0x0, ['__unnamed_127c']], 'WMI' : [ 0x0, ['__unnamed_127e']], 'Others' : [ 0x0, ['__unnamed_1280']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_1282']], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x20, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x8, ['pointer64', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x10, ['pointer64', ['void']]], 'TxnParameters' : [ 0x18, ['pointer64', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 
'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_ATTRIBUTES' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'Attributes' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER' : [ 0x38, { 'PointerCount' : [ 0x0, ['long long']], 'HandleCount' : [ 0x8, ['long long']], 'NextToFree' : [ 0x8, ['pointer64', ['void']]], 'Type' : [ 0x10, ['pointer64', ['_OBJECT_TYPE']]], 'NameInfoOffset' : [ 0x18, ['unsigned char']], 'HandleInfoOffset' : [ 0x19, ['unsigned char']], 'QuotaInfoOffset' : [ 0x1a, ['unsigned char']], 'Flags' : [ 0x1b, ['unsigned char']], 'ObjectCreateInfo' : [ 0x20, ['pointer64', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'Body' : [ 0x30, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'ExclusiveProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Reserved' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, { 'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x8, ['_UNICODE_STRING']], 
'QueryReferences' : [ 0x18, ['unsigned long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']], 'Reserved' : [ 0x1a, ['unsigned short']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0xd8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' : [ 0x18, ['pointer64', ['void']]], 'FsContext2' : [ 0x20, ['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 0x58, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, 
['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0xb8, ['unsigned long long']], 'IrpList' : [ 0xc0, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0xd0, ['pointer64', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x48, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0xc, ['unsigned long']], 'CurrentFileIndex' : [ 0xc, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], 'FirstFileEntry' : [ 0x30, ['pointer64', ['unsigned long long']]], 'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]], 'SessionId' : [ 0x40, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer64', ['unsigned long long']]], 'LastPageFrameEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], } ], '_PF_HARD_FAULT_INFO' : [ 0x38, { 'KernelTimeStamp' : [ 0x0, ['_ETW_KERNEL_TRACE_TIMESTAMP']], 'HardFaultEvent' : [ 0x10, ['_PERFINFO_HARDPAGEFAULT_INFORMATION']], 'IoTimeInTicks' : [ 0x30, ['_LARGE_INTEGER']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '__unnamed_132c' : [ 0xd0, { 'ProcessorError' : [ 0x0, ['_WHEA_GENERIC_PROCESSOR_ERROR']], 'MemoryError' : [ 0x0, ['_WHEA_MEMORY_ERROR']], 'NmiError' : [ 0x0, ['_WHEA_NMI_ERROR']], 'PciExpressError' : [ 0x0, 
['_WHEA_PCIEXPRESS_ERROR']], 'PciXBusError' : [ 0x0, ['_WHEA_PCIXBUS_ERROR']], 'PciXDeviceError' : [ 0x0, ['_WHEA_PCIXDEVICE_ERROR']], } ], '_WHEA_ERROR_PACKET' : [ 0x119, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['_WHEA_ERROR_PACKET_FLAGS']], 'Size' : [ 0x8, ['unsigned long']], 'RawDataLength' : [ 0xc, ['unsigned long']], 'Reserved1' : [ 0x10, ['unsigned long long']], 'Context' : [ 0x18, ['unsigned long long']], 'ErrorType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ErrorSourceId' : [ 0x28, ['unsigned long']], 'ErrorSourceType' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'Reserved2' : [ 0x30, ['unsigned long']], 'Version' : [ 0x34, ['unsigned long']], 'Cpu' : [ 0x38, ['unsigned long long']], 'u' : [ 0x40, ['__unnamed_132c']], 'RawDataFormat' : [ 0x110, ['Enumeration', dict(target = 'long', choices = {0: 'WheaRawDataFormatIPFSalRecord', 1: 'WheaRawDataFormatIA32MCA', 2: 'WheaRawDataFormatIntel64MCA', 3: 'WheaRawDataFormatAMD64MCA', 4: 'WheaRawDataFormatMemory', 5: 'WheaRawDataFormatPCIExpress', 6: 'WheaRawDataFormatNMIPort', 7: 'WheaRawDataFormatPCIXBus', 8: 'WheaRawDataFormatPCIXDevice', 9: 'WheaRawDataFormatGeneric', 10: 'WheaRawDataFormatMax'})]], 'RawDataOffset' : [ 0x114, ['unsigned long']], 'RawData' : [ 0x118, ['array', 
1, ['unsigned char']]], } ], '_KPROCESS' : [ 0xc0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x28, ['unsigned long long']], 'Unused0' : [ 0x30, ['unsigned long long']], 'IopmOffset' : [ 0x38, ['unsigned short']], 'ActiveProcessors' : [ 0x40, ['unsigned long long']], 'KernelTime' : [ 0x48, ['unsigned long']], 'UserTime' : [ 0x4c, ['unsigned long']], 'ReadyListHead' : [ 0x50, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x60, ['_SINGLE_LIST_ENTRY']], 'InstrumentationCallback' : [ 0x68, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x70, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x80, ['unsigned long long']], 'Affinity' : [ 0x88, ['unsigned long long']], 'AutoAlignment' : [ 0x90, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x90, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x90, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ReservedFlags' : [ 0x90, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x90, ['long']], 'BasePriority' : [ 0x94, ['unsigned char']], 'QuantumReset' : [ 0x95, ['unsigned char']], 'State' : [ 0x96, ['unsigned char']], 'ThreadSeed' : [ 0x97, ['unsigned char']], 'PowerState' : [ 0x98, ['unsigned char']], 'IdealNode' : [ 0x99, ['unsigned char']], 'Visited' : [ 0x9a, ['unsigned char']], 'Flags' : [ 0x9b, ['_KEXECUTE_OPTIONS']], 'ExecuteOptions' : [ 0x9b, ['unsigned char']], 'StackCount' : [ 0xa0, ['unsigned long long']], 'ProcessListEntry' : [ 0xa8, ['_LIST_ENTRY']], 'CycleTime' : [ 0xb8, ['unsigned long long']], } ], '__unnamed_13ec' : [ 0x10, { 'I386' : [ 0x0, ['_I386_LOADER_BLOCK']], 'Alpha' : [ 0x0, ['_ALPHA_LOADER_BLOCK']], 'Ia64' : [ 0x0, ['_IA64_LOADER_BLOCK']], } ], '_LOADER_PARAMETER_BLOCK' : [ 0xe8, { 'LoadOrderListHead' : [ 0x0, ['_LIST_ENTRY']], 'MemoryDescriptorListHead' : [ 0x10, ['_LIST_ENTRY']], 'BootDriverListHead' : [ 
0x20, ['_LIST_ENTRY']], 'KernelStack' : [ 0x30, ['unsigned long long']], 'Prcb' : [ 0x38, ['unsigned long long']], 'Process' : [ 0x40, ['unsigned long long']], 'Thread' : [ 0x48, ['unsigned long long']], 'RegistryLength' : [ 0x50, ['unsigned long']], 'RegistryBase' : [ 0x58, ['pointer64', ['void']]], 'ConfigurationRoot' : [ 0x60, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'ArcBootDeviceName' : [ 0x68, ['pointer64', ['unsigned char']]], 'ArcHalDeviceName' : [ 0x70, ['pointer64', ['unsigned char']]], 'NtBootPathName' : [ 0x78, ['pointer64', ['unsigned char']]], 'NtHalPathName' : [ 0x80, ['pointer64', ['unsigned char']]], 'LoadOptions' : [ 0x88, ['pointer64', ['unsigned char']]], 'NlsData' : [ 0x90, ['pointer64', ['_NLS_DATA_BLOCK']]], 'ArcDiskInformation' : [ 0x98, ['pointer64', ['_ARC_DISK_INFORMATION']]], 'OemFontFile' : [ 0xa0, ['pointer64', ['void']]], 'SetupLoaderBlock' : [ 0xa8, ['pointer64', ['_SETUP_LOADER_BLOCK']]], 'Extension' : [ 0xb0, ['pointer64', ['_LOADER_PARAMETER_EXTENSION']]], 'u' : [ 0xb8, ['__unnamed_13ec']], 'FirmwareInformation' : [ 0xc8, ['_FIRMWARE_INFORMATION_LOADER_BLOCK']], } ], '__unnamed_1409' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'HardLarge' : [ 0x0, ['_MMPTE_HARDWARE_LARGEPAGE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_1409']], } ], '__unnamed_1418' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer64', ['void']]], 'VolatileNext' : [ 0x0, ['pointer64', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'NextStackPfn' 
: [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_141a' : [ 0x8, { 'Blink' : [ 0x0, ['unsigned long long']], 'ImageProtoPte' : [ 0x0, ['pointer64', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long long']], } ], '__unnamed_141e' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_1420' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ByteFlags' : [ 0x2, ['unsigned char']], 'InterlockedByteFlags' : [ 0x3, ['unsigned char']], } ], '__unnamed_1422' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_141e']], 'e3' : [ 0x0, ['__unnamed_1420']], } ], '__unnamed_142a' : [ 0x8, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 52, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 57, native_type='unsigned long long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 64, native_type='unsigned long long')]], } ], '_MMPFN' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_1418']], 'u2' : [ 0x8, ['__unnamed_141a']], 'PteAddress' : [ 0x10, ['pointer64', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x10, ['pointer64', ['void']]], 'u3' : [ 0x18, ['__unnamed_1422']], 'UsedPageTableEntries' : [ 0x1c, ['unsigned short']], 'VaType' : [ 0x1e, ['unsigned char']], 'ViewCount' : [ 0x1f, ['unsigned char']], 'OriginalPte' : [ 0x20, ['_MMPTE']], 'AweReferenceCount' : [ 0x20, ['long']], 'u4' : [ 0x28, ['__unnamed_142a']], } ], '_MMPTE_FLUSH_LIST' : [ 0xa8, { 'Count' : [ 0x0, ['unsigned long']], 'MaximumCount' : [ 0x4, 
['unsigned long']], 'FlushVa' : [ 0x8, ['array', 20, ['pointer64', ['void']]]], } ], '_MI_COLOR_BASE' : [ 0x10, { 'ColorPointer' : [ 0x0, ['pointer64', ['unsigned short']]], 'ColorMask' : [ 0x8, ['unsigned short']], 'ColorNode' : [ 0xa, ['unsigned short']], } ], '_MMSUPPORT' : [ 0x68, { 'WorkingSetExpansionLinks' : [ 0x0, ['_LIST_ENTRY']], 'LastTrimStamp' : [ 0x10, ['unsigned short']], 'NextPageColor' : [ 0x12, ['unsigned short']], 'Flags' : [ 0x14, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0x18, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x1c, ['unsigned long']], 'ChargedWslePages' : [ 0x20, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x24, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x28, ['unsigned long']], 'VmWorkingSetList' : [ 0x30, ['pointer64', ['_MMWSL']]], 'Claim' : [ 0x38, ['unsigned long']], 'ActualWslePages' : [ 0x3c, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x40, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x44, ['unsigned long']], 'WorkingSetSize' : [ 0x48, ['unsigned long']], 'ExitGate' : [ 0x50, ['pointer64', ['_KGATE']]], 'WorkingSetMutex' : [ 0x58, ['_EX_PUSH_LOCK']], 'AccessLog' : [ 0x60, ['pointer64', ['void']]], } ], '__unnamed_144e' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_144e']], } ], '_MMWSL' : [ 0x498, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer64', ['_MMWSLE']]], 'LowestPagableAddress' : [ 0x18, ['pointer64', ['void']]], 'LastInitializedWsle' : [ 0x20, ['unsigned long']], 'NextEstimationSlot' : [ 0x24, ['unsigned long']], 'NextAgingSlot' : [ 0x28, ['unsigned long']], 'EstimatedAvailable' : [ 0x2c, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x30, ['unsigned long']], 
'NumberOfCommittedPageTables' : [ 0x34, ['unsigned long']], 'VadBitMapHint' : [ 0x38, ['unsigned long']], 'NonDirectCount' : [ 0x3c, ['unsigned long']], 'LastVadBit' : [ 0x40, ['unsigned long']], 'MaximumLastVadBit' : [ 0x44, ['unsigned long']], 'LastAllocationSizeHint' : [ 0x48, ['unsigned long']], 'LastAllocationSize' : [ 0x4c, ['unsigned long']], 'NonDirectHash' : [ 0x50, ['pointer64', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x58, ['pointer64', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x60, ['pointer64', ['_MMWSLE_HASH']]], 'HighestUserAddress' : [ 0x68, ['pointer64', ['void']]], 'MaximumUserPageTablePages' : [ 0x70, ['unsigned long']], 'MaximumUserPageDirectoryPages' : [ 0x74, ['unsigned long']], 'CommittedPageTables' : [ 0x78, ['pointer64', ['unsigned long']]], 'NumberOfCommittedPageDirectories' : [ 0x80, ['unsigned long']], 'CommittedPageDirectories' : [ 0x88, ['array', 128, ['unsigned long long']]], 'NumberOfCommittedPageDirectoryParents' : [ 0x488, ['unsigned long']], 'CommittedPageDirectoryParents' : [ 0x490, ['array', 1, ['unsigned long long']]], } ], '__unnamed_1468' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_146a' : [ 0x4, { 'ModifiedWriteCount' : [ 0x0, ['unsigned short']], 'FlushInProgressCount' : [ 0x2, ['unsigned short']], } ], '__unnamed_146c' : [ 0x4, { 'e2' : [ 0x0, ['__unnamed_146a']], } ], '__unnamed_1476' : [ 0x10, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 30, native_type='unsigned long')]], 'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, 
native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer64', ['_MM_SUBSECTION_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer64', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1478' : [ 0x10, { 'e2' : [ 0x0, ['__unnamed_1476']], } ], '_CONTROL_AREA' : [ 0x70, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x20, ['unsigned long long']], 'NumberOfMappedViews' : [ 0x28, ['unsigned long long']], 'NumberOfUserReferences' : [ 0x30, ['unsigned long long']], 'u' : [ 0x38, ['__unnamed_1468']], 'u1' : [ 0x3c, ['__unnamed_146c']], 'FilePointer' : [ 0x40, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x48, ['long']], 'StartingFrame' : [ 0x4c, ['unsigned long']], 'WaitingForDeletion' : [ 0x50, ['pointer64', ['_MI_SECTION_CREATION_GATE']]], 'u2' : [ 0x58, ['__unnamed_1478']], 'LockedPages' : [ 0x68, ['long long']], } ], '_MMPAGING_FILE' : [ 0xa0, { 'Size' : [ 0x0, ['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long long']], 'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'PeakUsage' : [ 0x20, ['unsigned long long']], 'HighestPage' : [ 0x28, ['unsigned long long']], 'File' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'Entry' : [ 0x38, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x48, ['_UNICODE_STRING']], 'Bitmap' : [ 0x58, ['pointer64', ['_RTL_BITMAP']]], 'BitmapHint' : [ 0x60, ['unsigned long']], 'LastAllocationSize' : [ 0x64, ['unsigned long']], 'PageFileNumber' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Spare0' : [ 0x68, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x6a, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned short')]], 'Spare1' : [ 0x6a, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'FileHandle' : [ 0x70, ['pointer64', ['void']]], 'AvailableList' : [ 0x80, ['_SLIST_HEADER']], 'NeedProcessingList' : [ 0x90, ['_SLIST_HEADER']], } ], '_MMPAGING_FILE_FREE_ENTRY' : [ 0x10, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'FreeBit' : [ 0x8, ['unsigned long']], } ], '__unnamed_14ab' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMVAD']]], } ], '__unnamed_14ae' : [ 0x8, { 'LongFlags' : [ 0x0, ['unsigned long long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_14b1' : [ 0x8, { 'LongFlags3' : [ 0x0, ['unsigned long long']], 'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']], } ], '_MMVAD_SHORT' : [ 0x40, { 'u1' : [ 0x0, ['__unnamed_14ab']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_14ae']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_14b1']], } ], '_MM_AVL_TABLE' : [ 0x40, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], 'NodeFreeHint' : [ 0x38, ['pointer64', ['void']]], } ], '__unnamed_14bb' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x60, { 'u1' : [ 0x0, ['__unnamed_14ab']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 
0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_14ae']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_14b1']], 'u2' : [ 0x40, ['__unnamed_14bb']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x48, ['pointer64', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], } ], '__unnamed_14cd' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMADDRESS_NODE']]], 'NextToFree' : [ 0x0, ['pointer64', ['_MI_PER_SESSION_PROTOS']]], } ], '__unnamed_14cf' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'NumberOfPtesToFree' : [ 0x0, ['unsigned long']], } ], '_MI_PER_SESSION_PROTOS' : [ 0x38, { 'u1' : [ 0x0, ['__unnamed_14cd']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMADDRESS_NODE']]], 'SessionId' : [ 0x18, ['unsigned long']], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'Subsection' : [ 0x18, ['pointer64', ['_SUBSECTION']]], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'SubsectionBase' : [ 0x28, ['pointer64', ['_MMPTE']]], 'u2' : [ 0x30, ['__unnamed_14cf']], } ], '__unnamed_14d4' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_14d4']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], } ], '__unnamed_14dd' : [ 0x10, { 'IoStatus' : [ 0x0, 
['_IO_STATUS_BLOCK']], } ], '__unnamed_14df' : [ 0x8, { 'KeepForever' : [ 0x0, ['unsigned long long']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x10, ['__unnamed_14dd']], 'Irp' : [ 0x20, ['pointer64', ['_IRP']]], 'u1' : [ 0x28, ['__unnamed_14df']], 'PagingFile' : [ 0x30, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x38, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x40, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0x48, ['pointer64', ['_ERESOURCE']]], 'WriteOffset' : [ 0x50, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x58, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x60, ['pointer64', ['_MDL']]], 'Mdl' : [ 0x68, ['_MDL']], 'Page' : [ 0x98, ['array', 1, ['unsigned long long']]], } ], '__unnamed_14e7' : [ 0x38, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x30, ['array', 1, ['unsigned long long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x68, { 'Status' : [ 0x0, ['long']], 'Priority' : [ 0x4, ['unsigned char']], 'IrpPriority' : [ 0x5, ['unsigned char']], 'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x10, ['unsigned long long']], 'ModifiedPagesTotal' : [ 0x18, ['unsigned long long']], 'ModifiedPagefilePages' : [ 0x20, ['unsigned long long']], 'ModifiedNoWritePages' : [ 0x28, ['unsigned long long']], 'MdlHack' : [ 0x30, ['__unnamed_14e7']], } ], '_HHIVE' : [ 0x590, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'ReleaseCellRoutine' : [ 0x10, ['pointer64', ['void']]], 'Allocate' : [ 0x18, ['pointer64', ['void']]], 'Free' : [ 0x20, ['pointer64', ['void']]], 'FileSetSize' : [ 0x28, ['pointer64', ['void']]], 'FileWrite' : [ 0x30, ['pointer64', ['void']]], 'FileRead' : [ 0x38, ['pointer64', ['void']]], 'FileFlush' : [ 0x40, ['pointer64', ['void']]], 'BaseBlock' : [ 0x48, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x50, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x60, ['unsigned long']], 'DirtyAlloc' : [ 0x64, ['unsigned long']], 'BaseBlockAlloc' : [ 0x68, ['unsigned long']],
'Cluster' : [ 0x6c, ['unsigned long']], 'Flat' : [ 0x70, ['unsigned char']], 'ReadOnly' : [ 0x71, ['unsigned char']], 'DirtyFlag' : [ 0x72, ['unsigned char']], 'HvBinHeadersUse' : [ 0x74, ['unsigned long']], 'HvFreeCellsUse' : [ 0x78, ['unsigned long']], 'HvUsedCellsUse' : [ 0x7c, ['unsigned long']], 'CmUsedCellsUse' : [ 0x80, ['unsigned long']], 'HiveFlags' : [ 0x84, ['unsigned long']], 'CurrentLog' : [ 0x88, ['unsigned long']], 'LogSize' : [ 0x8c, ['array', 2, ['unsigned long']]], 'RefreshCount' : [ 0x94, ['unsigned long']], 'StorageTypeCount' : [ 0x98, ['unsigned long']], 'Version' : [ 0x9c, ['unsigned long']], 'Storage' : [ 0xa0, ['array', 2, ['_DUAL']]], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '_CM_VIEW_OF_FILE' : [ 0x58, { 'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'PinnedViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'FlushedViewLinks' : [ 0x20, ['_LIST_ENTRY']], 'CmHive' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'Bcb' : [ 0x38, ['pointer64', ['void']]], 'ViewAddress' : [ 0x40, ['pointer64', ['void']]], 'FileOffset' : [ 0x48, ['unsigned long']], 'Size' : [ 0x4c, ['unsigned long']], 'UseCount' : [ 0x50, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 
'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_TEB' : [ 0x1828, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['pointer64', ['void']]]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes1' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', ['void']]], 'glSection' : [ 0x1230, 
['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, ['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['pointer64', ['void']]]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['pointer64', ['void']]], 'EtwLocalData' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'SpareBool0' : [ 0x1744, ['unsigned char']], 'SpareBool1' : [ 0x1745, ['unsigned char']], 'SpareBool2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['pointer64', ['void']]], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['pointer64', ['void']]], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'ImpersonationLocale' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 
'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'PreferredLanguages' : [ 0x17d0, ['pointer64', ['void']]], 'UserPrefLanguages' : [ 0x17d8, ['pointer64', ['void']]], 'MergedPrefLanguages' : [ 0x17e0, ['pointer64', ['void']]], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'DbgSafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RtlDisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, 
['pointer64', ['void']]], 'TxnScopeExitCallback' : [ 0x17f8, ['pointer64', ['void']]], 'TxnScopeContext' : [ 0x1800, ['pointer64', ['void']]], 'LockCount' : [ 0x1808, ['unsigned long']], 'ProcessRundown' : [ 0x180c, ['unsigned long']], 'LastSwitchTime' : [ 0x1810, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0x1818, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x1820, ['_LARGE_INTEGER']], } ], '_CONTEXT32_UPDATE' : [ 0x4, { 'NumberEntries' : [ 0x0, ['unsigned long']], } ], '_KTIMER' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x18, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Dpc' : [ 0x30, ['pointer64', ['_KDPC']]], 'Period' : [ 0x38, ['long']], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x30, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'Object' : [ 0x18, ['pointer64', ['void']]], 'NextWaitBlock' : [ 0x20, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x28, ['unsigned short']], 'WaitType' : [ 0x2a, ['unsigned char']], 'SpareByte' : [ 0x2b, ['unsigned char']], 'SpareLong' : [ 0x2c, ['long']], } ], '_KTIMER_TABLE_ENTRY' : [ 0x18, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'Time' : [ 0x10, ['_ULARGE_INTEGER']], } ], '__unnamed_15b8' : [ 0x8, { 'IdleTransitionTime' : [ 0x0, ['unsigned long long']], } ], '__unnamed_15ba' : [ 0x8, { 'LastIdleCheck' : [ 0x0, ['unsigned long long']], } ], '__unnamed_15c1' : [ 
0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'PStateDomain' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PStateDomainIdleAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], '_PROCESSOR_POWER_STATE' : [ 0x118, { 'IdleStates' : [ 0x0, ['pointer64', ['_PPM_IDLE_STATES']]], 'LastTimeCheck' : [ 0x8, ['unsigned long long']], 'IdleTimeAccumulated' : [ 0x10, ['unsigned long long']], 'Native' : [ 0x18, ['__unnamed_15b8']], 'Hv' : [ 0x18, ['__unnamed_15ba']], 'IdleAccounting' : [ 0x20, ['pointer64', ['PPM_IDLE_ACCOUNTING']]], 'PerfStates' : [ 0x28, ['pointer64', ['_PPM_PERF_STATES']]], 'LastKernelUserTime' : [ 0x30, ['unsigned long']], 'LastIdleThreadKTime' : [ 0x34, ['unsigned long']], 'LastGlobalTimeHv' : [ 0x38, ['unsigned long long']], 'LastProcessorTimeHv' : [ 0x40, ['unsigned long long']], 'ThermalConstraint' : [ 0x48, ['unsigned char']], 'LastBusyPercentage' : [ 0x49, ['unsigned char']], 'Flags' : [ 0x4a, ['__unnamed_15c1']], 'PerfTimer' : [ 0x50, ['_KTIMER']], 'PerfDpc' : [ 0x90, ['_KDPC']], 'LastSysTime' : [ 0xd0, ['unsigned long']], 'PStateMaster' : [ 0xd8, ['pointer64', ['_KPRCB']]], 'PStateSet' : [ 0xe0, ['unsigned long long']], 'CurrentPState' : [ 0xe8, ['unsigned long']], 'DesiredPState' : [ 0xec, ['unsigned long']], 'PStateIdleStartTime' : [ 0xf0, ['unsigned long']], 'PStateIdleTime' : [ 0xf4, ['unsigned long']], 'LastPStateIdleTime' : [ 0xf8, ['unsigned long']], 'PStateStartTime' : [ 0xfc, ['unsigned long']], 'DiaIndex' : [ 0x100, ['unsigned long']], 'Reserved0' : [ 0x104, ['unsigned long']], 'WmiDispatchPtr' : [ 0x108, ['unsigned long long']], 'WmiInterfaceEnabled' : [ 0x110, ['long']], } ], '_KEXCEPTION_FRAME' : [ 0x140, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : 
[ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['unsigned long long']], 'Xmm6' : [ 0x30, ['_M128A']], 'Xmm7' : [ 0x40, ['_M128A']], 'Xmm8' : [ 0x50, ['_M128A']], 'Xmm9' : [ 0x60, ['_M128A']], 'Xmm10' : [ 0x70, ['_M128A']], 'Xmm11' : [ 0x80, ['_M128A']], 'Xmm12' : [ 0x90, ['_M128A']], 'Xmm13' : [ 0xa0, ['_M128A']], 'Xmm14' : [ 0xb0, ['_M128A']], 'Xmm15' : [ 0xc0, ['_M128A']], 'TrapFrame' : [ 0xd0, ['unsigned long long']], 'CallbackStack' : [ 0xd8, ['unsigned long long']], 'OutputBuffer' : [ 0xe0, ['unsigned long long']], 'OutputLength' : [ 0xe8, ['unsigned long long']], 'MxCsr' : [ 0xf0, ['unsigned long long']], 'Rbp' : [ 0xf8, ['unsigned long long']], 'Rbx' : [ 0x100, ['unsigned long long']], 'Rdi' : [ 0x108, ['unsigned long long']], 'Rsi' : [ 0x110, ['unsigned long long']], 'R12' : [ 0x118, ['unsigned long long']], 'R13' : [ 0x120, ['unsigned long long']], 'R14' : [ 0x128, ['unsigned long long']], 'R15' : [ 0x130, ['unsigned long long']], 'Return' : [ 0x138, ['unsigned long long']], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, 
['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, ['unsigned long long']], 'TimeStampCKCL' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 0x118, ['unsigned long long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'LastBranchControl' : [ 0x108, ['unsigned long long']], 'LastBranchMSR' : [ 0x110, ['unsigned long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'TimeStampKlog' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill0' : [ 0x172, ['unsigned char']], 'Logging' : [ 0x173, ['unsigned char']], 'Fill1' : [ 0x174, ['array', 2, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['unsigned short']], 'CodePatchCycle' : [ 0x18c, ['long']], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x50, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'DispatchedCount' : [ 0x8, ['unsigned long']], 'DispatchedList' : [ 
0x10, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x20, ['_KSEMAPHORE']], 'CompletedList' : [ 0x40, ['_LIST_ENTRY']], } ], '__unnamed_15f2' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_15f2']], 'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '__unnamed_1604' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1606' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_160a' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, 
['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x220, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'Level' : [ 0x20, ['unsigned long']], 'Notify' : [ 0x28, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x68, ['_PO_IRP_MANAGER']], 'State' : [ 0x88, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x8c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 
'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x90, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0xe0, ['unsigned long']], 'CompletionStatus' : [ 0xe4, ['long']], 'PendingIrp' : [ 0xe8, ['pointer64', ['_IRP']]], 'Flags' : [ 0xf0, ['unsigned long']], 'UserFlags' : [ 0xf4, ['unsigned long']], 'Problem' : [ 0xf8, ['unsigned long']], 'PhysicalDeviceObject' : [ 0x100, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0x108, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x110, ['pointer64', ['_CM_RESOURCE_LIST']]], 'InstancePath' : [ 0x118, ['_UNICODE_STRING']], 'ServiceName' : [ 0x128, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x140, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x148, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x14c, 
['unsigned long']], 'ChildInterfaceType' : [ 0x150, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x154, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x158, ['unsigned short']], 'RemovalPolicy' : [ 0x15a, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x15b, ['unsigned char']], 'TargetDeviceNotify' : [ 0x160, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x170, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x180, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x190, ['unsigned short']], 'QueryTranslatorMask' : [ 0x192, ['unsigned short']], 'NoArbiterMask' : [ 0x194, ['unsigned short']], 'QueryArbiterMask' : [ 0x196, ['unsigned short']], 'OverUsed1' : [ 0x198, ['__unnamed_1604']], 'OverUsed2' : [ 0x1a0, ['__unnamed_1606']], 'BootResources' : [ 0x1a8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x1b0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x1b8, ['unsigned long']], 'DockInfo' : [ 0x1c0, ['__unnamed_160a']], 'DisableableDepends' : [ 0x1e0, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x1e8, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x1f8, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x208, ['unsigned long']], 'PreviousParent' : [ 0x210, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x218, ['unsigned long']], 'NumaNodeIndex' : [ 0x21c, ['unsigned long']], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0x10, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x40, { 'PhysicalDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' 
: [ 0x8, ['unsigned long']], 'AllocationType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0x10, ['unsigned long']], 'Position' : [ 0x14, ['unsigned long']], 'ResourceRequirements' : [ 0x18, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x20, ['pointer64', ['void']]], 'ResourceAssignment' : [ 0x28, ['pointer64', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x30, ['pointer64', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x38, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 
'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, 
['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_16aa' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, 
['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_16aa']], } ], '__unnamed_16b1' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' 
: [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_16b1']], } ], '_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_VOLUME_CACHE_MAP' : [ 0x28, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x20, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x1d0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObjectFastRef' : [ 0x60, ['_EX_FAST_REF']], 'ActiveVacb' : [ 0x68, ['pointer64', ['_VACB']]], 'NeedToZero' : [ 0x70, ['pointer64', ['void']]], 'ActivePage' : [ 0x78, ['unsigned long']], 'NeedToZeroPage' : [ 0x7c, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x80, ['unsigned long long']], 'VacbActiveCount' : [ 0x88, ['unsigned long']], 
'DirtyPages' : [ 0x8c, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x90, ['_LIST_ENTRY']], 'Flags' : [ 0xa0, ['unsigned long']], 'Status' : [ 0xa4, ['long']], 'Mbcb' : [ 0xa8, ['pointer64', ['_MBCB']]], 'Section' : [ 0xb0, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xc0, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc8, ['unsigned long']], 'BeyondLastFlush' : [ 0xd0, ['long long']], 'Callbacks' : [ 0xd8, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xe0, ['pointer64', ['void']]], 'PrivateList' : [ 0xe8, ['_LIST_ENTRY']], 'LogHandle' : [ 0xf8, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x100, ['pointer64', ['void']]], 'DirtyPageThreshold' : [ 0x108, ['unsigned long']], 'LazyWritePassCount' : [ 0x10c, ['unsigned long']], 'UninitializeEvent' : [ 0x110, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0x118, ['pointer64', ['_VACB']]], 'BcbSpinLock' : [ 0x120, ['unsigned long long']], 'Reserved' : [ 0x128, ['pointer64', ['void']]], 'Event' : [ 0x130, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0x148, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0x150, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x1b8, ['pointer64', ['void']]], 'VolumeCacheMap' : [ 0x1c0, ['pointer64', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x1c8, ['unsigned long']], 'MappedWritesInProgress' : [ 0x1cc, ['unsigned long']], } ], '__unnamed_16f3' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x30, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_16f3']], 'LruList' : [ 0x18, ['_LIST_ENTRY']], 'ArrayHead' : [ 0x28, ['pointer64', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_1701' : [ 0x8, { 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_1703' : [ 0x8, { 'SharedCacheMap' : [ 0x0, 
['pointer64', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1705' : [ 0x8, { 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], } ], '__unnamed_1707' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_1709' : [ 0x8, { 'Read' : [ 0x0, ['__unnamed_1701']], 'Write' : [ 0x0, ['__unnamed_1703']], 'Event' : [ 0x0, ['__unnamed_1705']], 'Notification' : [ 0x0, ['__unnamed_1707']], } ], '_WORK_QUEUE_ENTRY' : [ 0x30, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'CoalescedWorkQueueLinks' : [ 0x10, ['_LIST_ENTRY']], 'Parameters' : [ 0x20, ['__unnamed_1709']], 'Function' : [ 0x28, ['unsigned char']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_HEAP_LIST_LOOKUP' : [ 0x38, { 'ExtendedLookup' : [ 0x0, ['pointer64', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x8, ['unsigned long']], 'ExtraItem' : [ 0xc, ['unsigned long']], 'ItemCount' : [ 0x10, ['unsigned long']], 'OutOfRangeItems' : [ 0x14, ['unsigned long']], 'BaseIndex' : [ 0x18, ['unsigned long']], 'ListHead' : [ 0x20, ['pointer64', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x28, ['pointer64', ['unsigned long']]], 'ListHints' : [ 0x30, ['pointer64', ['pointer64', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x1f8, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], 'Flags' : [ 0x70, ['unsigned long']], 'ForceFlags' : [ 0x74, 
['unsigned long']], 'CompatibilityFlags' : [ 0x78, ['unsigned long']], 'EncodeFlagMask' : [ 0x7c, ['unsigned long']], 'Encoding' : [ 0x80, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x90, ['unsigned long long']], 'Interceptor' : [ 0x98, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x9c, ['unsigned long']], 'Signature' : [ 0xa0, ['unsigned long']], 'SegmentReserve' : [ 0xa8, ['unsigned long long']], 'SegmentCommit' : [ 0xb0, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0xb8, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0xc0, ['unsigned long long']], 'TotalFreeSize' : [ 0xc8, ['unsigned long long']], 'MaximumAllocationSize' : [ 0xd0, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0xd8, ['unsigned short']], 'HeaderValidateLength' : [ 0xda, ['unsigned short']], 'HeaderValidateCopy' : [ 0xe0, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0xe8, ['unsigned short']], 'MaximumTagIndex' : [ 0xea, ['unsigned short']], 'TagEntries' : [ 0xf0, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0xf8, ['_LIST_ENTRY']], 'AlignRound' : [ 0x108, ['unsigned long long']], 'AlignMask' : [ 0x110, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x118, ['_LIST_ENTRY']], 'SegmentList' : [ 0x128, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0x138, ['unsigned short']], 'NonDedicatedListLength' : [ 0x13c, ['unsigned long']], 'BlocksIndex' : [ 0x140, ['pointer64', ['void']]], 'UCRIndex' : [ 0x148, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x150, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x158, ['_LIST_ENTRY']], 'LockVariable' : [ 0x168, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x170, ['pointer64', ['void']]], 'FrontEndHeap' : [ 0x178, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0x180, ['unsigned short']], 'FrontEndHeapType' : [ 0x182, ['unsigned char']], 'Counters' : [ 0x188, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x1e8, ['_HEAP_TUNING_PARAMETERS']], } ], '_HEAP_ENTRY' : [ 0x10, { 
'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x70, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 
'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0xc8, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'Flags' : [ 0x68, ['unsigned long']], 'LoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x70, ['pointer64', ['void']]], 'CheckSum' : [ 0x78, ['unsigned long']], 'TimeDateStamp' : [ 0x80, ['unsigned long']], 'LoadedImports' : [ 0x80, ['pointer64', ['void']]], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ForwarderLinks' : [ 0x98, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0xa8, ['_LIST_ENTRY']], 'StaticLinks' : [ 0xb8, ['_LIST_ENTRY']], } ], '_HEAP_SUBSEGMENT' : [ 0x30, { 'LocalInfo' : [ 0x0, ['pointer64', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x8, ['pointer64', 
['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x10, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x18, ['unsigned short']], 'Flags' : [ 0x1a, ['unsigned short']], 'BlockCount' : [ 0x1c, ['unsigned short']], 'SizeIndex' : [ 0x1e, ['unsigned char']], 'AffinityIndex' : [ 0x1f, ['unsigned char']], 'Alignment' : [ 0x18, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x28, ['unsigned long']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x370, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x8, ['pointer64', ['void']]], 'LoggerThread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'LoggerStatus' : [ 0x18, ['long']], 'LoggerId' : [ 0x1c, ['unsigned long']], 'NBQHead' : [ 0x20, ['pointer64', ['void']]], 'OverflowNBQHead' : [ 0x28, ['pointer64', ['void']]], 'QueueBlockFreeList' : [ 0x30, ['_SLIST_HEADER']], 'GlobalList' : [ 0x40, ['_SLIST_HEADER']], 'BatchedBufferList' : [ 0x50, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'LoggerName' : [ 0x58, ['_UNICODE_STRING']], 'LogFileName' : [ 0x68, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x78, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x88, ['_UNICODE_STRING']], 'ClockType' : [ 0x98, ['unsigned long']], 'CollectionOn' : [ 0x9c, ['long']], 'MaximumFileSize' : [ 0xa0, ['unsigned long']], 'LoggerMode' : [ 0xa4, ['unsigned long']], 'LastFlushedBuffer' : [ 0xa8, ['unsigned long']], 
'FlushTimer' : [ 0xac, ['unsigned long']], 'FlushThreshold' : [ 0xb0, ['unsigned long']], 'ByteOffset' : [ 0xb8, ['_LARGE_INTEGER']], 'FlushTimeStamp' : [ 0xc0, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0xc8, ['unsigned long']], 'BuffersAvailable' : [ 0xcc, ['long']], 'NumberOfBuffers' : [ 0xd0, ['long']], 'MaximumBuffers' : [ 0xd4, ['unsigned long']], 'EventsLost' : [ 0xd8, ['unsigned long']], 'BuffersWritten' : [ 0xdc, ['unsigned long']], 'LogBuffersLost' : [ 0xe0, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0xe4, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xe8, ['unsigned long']], 'BufferSize' : [ 0xec, ['unsigned long']], 'MaximumEventSize' : [ 0xf0, ['unsigned long']], 'SequencePtr' : [ 0xf8, ['pointer64', ['long']]], 'LocalSequence' : [ 0x100, ['unsigned long']], 'InstanceGuid' : [ 0x104, ['_GUID']], 'GetCpuClock' : [ 0x118, ['pointer64', ['void']]], 'FileCounter' : [ 0x120, ['long']], 'BufferCallback' : [ 0x128, ['pointer64', ['void']]], 'PoolType' : [ 0x130, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0x138, ['_ETW_REF_CLOCK']], 'RealtimeLoggerContextFreed' : [ 0x148, ['unsigned char']], 'Consumers' : [ 0x150, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x160, ['unsigned long']], 'Connecting' : [ 0x168, ['_LIST_ENTRY']], 'NewConsumer' : [ 0x178, ['unsigned char']], 'RealtimeLogfileHandle' : [ 0x180, ['pointer64', ['void']]], 'RealtimeLogfileName' : [ 0x188, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x198, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x1a0, ['_LARGE_INTEGER']], 
'RealtimeLogfileSize' : [ 0x1a8, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x1b0, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x1b8, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x1c0, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x1c8, ['_ETW_REF_CLOCK']], 'RealtimeDisconnectProcessId' : [ 0x1d8, ['unsigned long']], 'RealtimeDisconnectConsumerId' : [ 0x1dc, ['unsigned long']], 'NewRTEventsLost' : [ 0x1e0, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x1e8, ['_KEVENT']], 'FlushEvent' : [ 0x200, ['_KEVENT']], 'FlushDpc' : [ 0x218, ['_KDPC']], 'LoggerMutex' : [ 0x258, ['_KMUTANT']], 'LoggerLock' : [ 0x290, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x298, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x2e0, ['_EX_FAST_REF']], 'DummyBufferForMarker' : [ 0x2e8, ['_WMI_BUFFER_HEADER']], 'BufferSequenceNumber' : [ 0x330, ['long long']], 'AcceptNewEvents' : [ 0x338, ['long']], 'Flags' : [ 0x33c, ['unsigned long']], 'Persistent' : [ 0x33c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x33c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x33c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x33c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x33c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x33c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x33c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'RequestFlag' : [ 0x340, ['unsigned long']], 'RequestNewFie' : [ 0x340, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RequestUpdateFile' : [ 0x340, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x340, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 0x340, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequestDisconnectConsumer' : [ 0x340, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'StackTraceFilterHookCount' : [ 0x344, ['unsigned short']], 'StackTraceFilter' : [ 0x346, ['array', 16, ['unsigned short']]], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'Wnode' : [ 0x0, ['_WNODE_HEADER']], 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'Padding0' : [ 0x20, ['array', 2, ['unsigned long']]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'StartTime' : [ 0x38, ['_LARGE_INTEGER']], 'Entry' : [ 0x38, ['_LIST_ENTRY']], 'Padding2' : [ 0x38, ['pointer64', ['void']]], 'GlobalEntry' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer64', ['void']]], 'Pointer1' : [ 0x40, ['pointer64', ['void']]], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 
'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, ['unsigned long long']], 'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], } ], '_TRACE_ENABLE_CONTEXT_EX' : [ 0x10, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], 'EnableFlagsHigh' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_ETW_GUID_ENTRY' : [ 0x170, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x10, ['long']], 'Guid' : [ 0x14, ['_GUID']], 'RegListHead' : [ 0x28, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'LastEnable' : [ 0x40, ['_ETW_LAST_ENABLE_INFO']], 'ProviderEnableInfo' : [ 0x50, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x70, ['array', 8, 
['_TRACE_ENABLE_INFO']]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '__unnamed_17f7' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_17f9' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_17f7']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_17fb' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_17fd' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_17fb']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_17f9']], 'u2' : [ 0x4, ['__unnamed_17fd']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_BLOB_TYPE' : [ 0x38, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'CreatedObjects' : [ 0xc, ['unsigned long']], 'DeletedObjects' : [ 0x10, ['unsigned long']], 'DeleteProcedure' : [ 0x18, ['pointer64', ['void']]], 'DestroyProcedure' : [ 0x20, ['pointer64', ['void']]], 'UsualSize' : [ 0x28, ['unsigned long long']], 'LookasideIndex' : [ 0x30, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], } 
], '__unnamed_1814' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1816' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1814']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x20, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_1816']], 'ResourceId' : [ 0x11, ['unsigned char']], 'CachedReferences' : [ 0x12, ['short']], 'ReferenceCount' : [ 0x14, ['long']], 'Lock' : [ 0x18, ['_EX_PUSH_LOCK']], } ], '__unnamed_1821' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1823' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1821']], } ], '_KALPC_SECTION' : [ 0x50, { 'u1' : [ 0x0, ['__unnamed_1823']], 'SectionObject' : [ 0x8, ['pointer64', ['void']]], 'Size' : [ 0x10, ['unsigned long long']], 'HandleTable' : [ 0x18, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0x20, ['pointer64', ['void']]], 'OwnerProcess' : [ 0x28, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x30, ['pointer64', ['_ALPC_PORT']]], 'NumberOfRegions' : [ 0x38, ['unsigned long']], 'RegionListHead' : [ 0x40, ['_LIST_ENTRY']], } ], '__unnamed_1830' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_1832' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1830']], } ], '_KALPC_REGION' : [ 0x60, { 'u1' : [ 0x0, ['__unnamed_1832']], 'RegionListEntry' : [ 0x8, ['_LIST_ENTRY']], 'Section' : [ 0x18, ['pointer64', ['_KALPC_SECTION']]], 'Offset' : [ 
0x20, ['unsigned long long']], 'Size' : [ 0x28, ['unsigned long long']], 'ViewSize' : [ 0x30, ['unsigned long long']], 'ReadOnlyView' : [ 0x38, ['pointer64', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x40, ['pointer64', ['_KALPC_VIEW']]], 'NumberOfViews' : [ 0x48, ['unsigned long']], 'ViewListHead' : [ 0x50, ['_LIST_ENTRY']], } ], '__unnamed_1838' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_183a' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1838']], } ], '_KALPC_VIEW' : [ 0x68, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_183a']], 'Region' : [ 0x18, ['pointer64', ['_KALPC_REGION']]], 'OwnerPort' : [ 0x20, ['pointer64', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x28, ['pointer64', ['_EPROCESS']]], 'Address' : [ 0x30, ['pointer64', ['void']]], 'Size' : [ 0x38, ['unsigned long long']], 'SecureViewHandle' : [ 0x40, ['pointer64', ['void']]], 'WriteAccessHandle' : [ 0x48, ['pointer64', ['void']]], 'NumberOfOwnerMessages' : [ 0x50, ['unsigned long']], 'ProcessViewListEntry' : [ 0x58, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x48, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x8, ['pointer64', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'CommunicationList' : [ 0x18, ['_LIST_ENTRY']], 'HandleTable' : [ 0x28, ['_ALPC_HANDLE_TABLE']], } ], '__unnamed_1852' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 
0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_1854' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1852']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x198, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'SequenceNo' : [ 0x20, ['unsigned long']], 'CompletionPort' : [ 0x28, ['pointer64', ['void']]], 'CompletionKey' : [ 0x30, ['pointer64', ['void']]], 'CompletionPacketLookaside' : [ 0x38, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x40, ['pointer64', ['void']]], 'StaticSecurity' : [ 0x48, ['_SECURITY_CLIENT_CONTEXT']], 'MainQueue' : [ 0x90, ['_LIST_ENTRY']], 'PendingQueue' : [ 0xa0, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0xb0, 
['_LIST_ENTRY']], 'WaitQueue' : [ 0xc0, ['_LIST_ENTRY']], 'Semaphore' : [ 0xd0, ['pointer64', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0xd0, ['pointer64', ['_KEVENT']]], 'Lock' : [ 0xd8, ['_EX_PUSH_LOCK']], 'PortAttributes' : [ 0xe0, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0x128, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0x130, ['_LIST_ENTRY']], 'CompletionList' : [ 0x140, ['pointer64', ['_ALPC_COMPLETION_LIST']]], 'MessageZone' : [ 0x148, ['pointer64', ['_ALPC_MESSAGE_ZONE']]], 'CanceledQueue' : [ 0x150, ['_LIST_ENTRY']], 'u1' : [ 0x160, ['__unnamed_1854']], 'TargetQueuePort' : [ 0x168, ['pointer64', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0x170, ['pointer64', ['_ALPC_PORT']]], 'Message' : [ 0x178, ['pointer64', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0x180, ['unsigned long']], 'PendingQueueLength' : [ 0x184, ['unsigned long']], 'LargeMessageQueueLength' : [ 0x188, ['unsigned long']], 'CanceledQueueLength' : [ 0x18c, ['unsigned long']], 'WaitQueueLength' : [ 0x190, ['unsigned long']], } ], '_PORT_MESSAGE32' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_17f9']], 'u2' : [ 0x4, ['__unnamed_17fd']], 'ClientId' : [ 0x8, ['_CLIENT_ID32']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '__unnamed_1870' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, 
['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], } ], '__unnamed_1872' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1870']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x108, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtensionBuffer' : [ 0x10, ['pointer64', ['void']]], 'ExtensionBufferSize' : [ 0x18, ['unsigned long long']], 'QuotaProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'QuotaBlock' : [ 0x20, ['pointer64', ['void']]], 'SequenceNo' : [ 0x28, ['long']], 'u1' : [ 0x2c, ['__unnamed_1872']], 'CancelSequencePort' : [ 0x30, ['pointer64', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x38, ['pointer64', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x40, ['long']], 'CancelListEntry' : [ 0x48, ['_LIST_ENTRY']], 'WaitingThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'Reserve' : [ 0x60, ['pointer64', ['_KALPC_RESERVE']]], 'PortQueue' : [ 0x68, ['pointer64', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x70, ['pointer64', ['_ALPC_PORT']]], 'UniqueTableEntry' : [ 0x78, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'MessageAttributes' : [ 0x80, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0xb8, ['pointer64', ['void']]], 'DataSystemVa' : [ 0xc0, ['pointer64', ['void']]], 'CommunicationInfo' : [ 0xc8, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0xd0, ['pointer64', ['_ALPC_PORT']]], 'ServerThread' : [ 0xd8, ['pointer64', ['_ETHREAD']]], 'PortMessage' : [ 0xe0, ['_PORT_MESSAGE']], } ], '_REMOTE_PORT_VIEW' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x8, ['unsigned long long']], 'ViewBase' : [ 0x10, ['pointer64', ['void']]], } ], '_KALPC_HANDLE_DATA' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned 
long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['pointer64', ['_OB_DUPLICATE_OBJECT_STATE']]], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x38, { 'ClientContext' : [ 0x0, ['pointer64', ['void']]], 'ServerContext' : [ 0x8, ['pointer64', ['void']]], 'PortContext' : [ 0x10, ['pointer64', ['void']]], 'CancelPortContext' : [ 0x18, ['pointer64', ['void']]], 'SecurityData' : [ 0x20, ['pointer64', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x28, ['pointer64', ['_KALPC_VIEW']]], 'HandleData' : [ 0x30, ['pointer64', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_18b1' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_18b3' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_18b1']], } ], '_KALPC_SECURITY_DATA' : [ 0x70, { 'HandleTable' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x8, ['pointer64', ['void']]], 'OwningProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x68, ['__unnamed_18b3']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x38, { 'PortObject' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'Message' : [ 0x8, ['pointer64', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'Flags' : [ 0x18, ['unsigned long']], 'TargetThread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'TargetPort' : [ 0x28, ['pointer64', ['_ALPC_PORT']]], 'TotalLength' : [ 0x30, ['unsigned short']], 'Type' : [ 0x32, ['unsigned short']], 'DataInfoOffset' : [ 0x34, ['unsigned short']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x48, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, 
['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long long']], 'MemoryBandwidth' : [ 0x18, ['unsigned long long']], 'MaxPoolUsage' : [ 0x20, ['unsigned long long']], 'MaxSectionSize' : [ 0x28, ['unsigned long long']], 'MaxViewSize' : [ 0x30, ['unsigned long long']], 'MaxTotalSectionSize' : [ 0x38, ['unsigned long long']], 'DupObjectTypes' : [ 0x40, ['unsigned long']], 'Reserved' : [ 0x44, ['unsigned long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x318, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'ModifiedId' : [ 0x38, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : [ 0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned long']], 'UserAndGroups' : [ 0x90, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x98, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0xa0, ['pointer64', ['void']]], 'DynamicPart' : [ 0xa8, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0xb0, ['pointer64', ['_ACL']]], 'TokenType' : [ 0xb8, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xbc, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xc0, ['unsigned long']], 'TokenInUse' : [ 0xc4, ['unsigned char']], 
'IntegrityLevelIndex' : [ 0xc8, ['unsigned long']], 'MandatoryPolicy' : [ 0xcc, ['unsigned long']], 'ProxyData' : [ 0xd0, ['pointer64', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0xd8, ['pointer64', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'LogonSession' : [ 0xe0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xe8, ['_LUID']], 'SidHash' : [ 0xf0, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x200, ['_SID_AND_ATTRIBUTES_HASH']], 'VariablePart' : [ 0x310, ['unsigned long long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x50, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'BuddyLogonId' : [ 0x10, ['_LUID']], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], 'pDeviceMap' : [ 0x20, ['pointer64', ['_DEVICE_MAP']]], 'Token' : [ 0x28, ['pointer64', ['void']]], 'AccountName' : [ 0x30, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x40, ['_UNICODE_STRING']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], 'HashIndex' : [ 0x14, ['unsigned short']], 'DirectoryLocked' : [ 0x16, ['unsigned char']], 'LockStateSignature' : [ 0x18, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0x150, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'SessionId' : [ 0x138, ['unsigned long']], 'NamespaceEntry' : [ 0x140, ['pointer64', ['void']]], 'Flags' : [ 0x148, ['unsigned long']], } ], '_OBJECT_TYPE' : [ 0x238, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x20, ['pointer64', ['void']]], 'Index' : [ 0x28, ['unsigned long']], 'TotalNumberOfObjects' : [ 0x2c, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x30, ['unsigned long']], 
'HighWaterNumberOfObjects' : [ 0x34, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x38, ['unsigned long']], 'TypeInfo' : [ 0x40, ['_OBJECT_TYPE_INITIALIZER']], 'Mutex' : [ 0xb0, ['_ERESOURCE']], 'TypeLock' : [ 0x118, ['_EX_PUSH_LOCK']], 'Key' : [ 0x120, ['unsigned long']], 'ObjectLocks' : [ 0x128, ['array', 32, ['_EX_PUSH_LOCK']]], 'CallbackList' : [ 0x228, ['_LIST_ENTRY']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x8, { 'ImpersonationData' : [ 0x0, ['unsigned long long']], 'ImpersonationToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], } ], '_MMVAD_FLAGS3' : [ 0x8, { 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'SequentialAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long long')]], 'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long long')]], 'LargePageCreating' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'Spare3' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 64, native_type='unsigned long long')]], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : 
[ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'SharedWaiters' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 'OwnerEntry' : [ 0x30, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x40, ['unsigned long']], 'ContentionCount' : [ 0x44, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x48, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x4c, ['unsigned long']], 'Reserved2' : [ 0x50, ['pointer64', ['void']]], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ], '_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', 
dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, ['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x260, ['unsigned long']], 'FreeBins' : [ 0x268, ['_LIST_ENTRY']], 
} ], '_DISPATCHER_HEADER' : [ 0x18, { 'Type' : [ 0x0, ['unsigned char']], 'Abandoned' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'NpxIrql' : [ 0x1, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Hand' : [ 0x2, ['unsigned char']], 'Inserted' : [ 0x3, ['unsigned char']], 'DebugActive' : [ 0x3, ['unsigned char']], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x20, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'PointerProtoPte' : [ 0x0, ['pointer64', ['void']]], } ], '_HEAP_COUNTERS' : [ 0x60, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long long']], 'TotalMemoryCommitted' : [ 0x8, ['unsigned long long']], 'TotalMemoryLargeUCR' : [ 0x10, ['unsigned long long']], 'TotalSizeInVirtualBlocks' : [ 0x18, ['unsigned long long']], 'TotalSegments' : [ 0x20, ['unsigned long']], 'TotalUCRs' : [ 0x24, ['unsigned long']], 'CommittOps' : [ 0x28, ['unsigned long']], 'DeCommitOps' : [ 0x2c, ['unsigned long']], 'LockAcquires' : [ 0x30, ['unsigned long']], 'LockCollisions' : [ 0x34, ['unsigned long']], 'CommitRate' : [ 0x38, ['unsigned long']], 'DecommittRate' : [ 0x3c, ['unsigned long']], 'CommitFailures' : [ 0x40, ['unsigned long']], 'InBlockCommitFailures' : [ 0x44, ['unsigned long']], 'CompactHeapCalls' : [ 0x48, ['unsigned long']], 'CompactedUCRs' : [ 0x4c, ['unsigned long']], 'InBlockDeccommits' : [ 0x50, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x58, ['unsigned long long']], } ], '_SYSPTES_HEADER' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x10, ['unsigned long long']], 
'NumberOfEntries' : [ 0x18, ['unsigned long long']], 'NumberOfEntriesPeak' : [ 0x20, ['unsigned long long']], } ], '_PERFINFO_HARDPAGEFAULT_INFORMATION' : [ 0x20, { 'ReadOffset' : [ 0x0, ['_LARGE_INTEGER']], 'VirtualAddress' : [ 0x8, ['pointer64', ['void']]], 'FileObject' : [ 0x10, ['pointer64', ['void']]], 'ThreadId' : [ 0x18, ['unsigned long']], 'ByteCount' : [ 0x1c, ['unsigned long']], } ], '_I386_LOADER_BLOCK' : [ 0x10, { 'CommonDataArea' : [ 0x0, ['pointer64', ['void']]], 'MachineType' : [ 0x8, ['unsigned long']], 'VirtualBias' : [ 0xc, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_ARC_DISK_INFORMATION' : [ 0x10, { 'DiskSignatures' : [ 0x0, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x10, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x8, ['unsigned long long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '_DEVPROPKEY' : [ 0x14, { 'fmtid' : [ 0x0, ['_GUID']], 'pid' : [ 0x10, ['unsigned long']], } ], '_WHEA_NMI_ERROR' : [ 0xc, { 'Data' : [ 0x0, ['array', 8, ['unsigned char']]], 'Flags' : [ 0x8, ['_WHEA_NMI_ERROR_FLAGS']], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', 
['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, ['pointer64', ['void']]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_HANDLE_TABLE' : [ 0x60, { 'TableCode' : [ 0x0, ['unsigned long long']], 'QuotaProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x10, ['pointer64', ['void']]], 'HandleLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'HandleTableList' : [ 0x20, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x30, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x38, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x40, ['long']], 'Flags' : [ 0x44, ['unsigned long']], 'StrictFIFO' : [ 0x44, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FirstFreeHandle' : [ 0x48, ['long']], 'LastFreeHandleEntry' : [ 0x50, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x58, ['long']], 'NextHandleNeedingPool' : [ 0x5c, ['unsigned long']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['unsigned long']], 'PoolType' : [ 0xc, ['unsigned long']], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, 
native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_VI_CANCEL_GLOBALS' : [ 0x78, { 'CancelLock' : [ 0x0, ['unsigned long long']], 'IssueLock' : [ 0x8, ['unsigned long long']], 'Counters' : [ 0x10, ['array', 25, ['long']]], } ], '_KALPC_RESERVE' : [ 0x28, { 'OwnerPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'HandleTable' : [ 0x8, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Message' : [ 0x18, ['pointer64', ['_KALPC_MESSAGE']]], 'Active' : [ 0x20, ['long']], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_CM_KEY_BODY' : [ 0x58, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], 'Flags' : [ 0x30, ['unsigned long']], 'KtmTrans' : [ 0x38, ['pointer64', ['void']]], 'KtmUow' : [ 0x40, ['pointer64', ['_GUID']]], 'ContextListHead' : [ 0x48, ['_LIST_ENTRY']], } ], '_XMM_SAVE_AREA32' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, 
['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CpuValid' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, 
['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x54, ['unsigned long']], } ], '__unnamed_19b9' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_19bb' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_19b9']], 'Private' : [ 0x0, ['__unnamed_19bb']], } ], '_VI_VERIFIER_ISSUE' : [ 0x20, { 'IssueType' : [ 0x0, ['unsigned long long']], 'Address' : [ 0x8, ['pointer64', ['void']]], 'Parameters' : [ 0x10, ['array', 2, ['unsigned long long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' 
: [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x38, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '_OBJECT_REF_INFO' : [ 0x28, { 'ObjectHeader' : [ 0x0, ['pointer64', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x10, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x20, ['unsigned short']], 'MaxStacks' : [ 0x22, ['unsigned short']], 'StackInfo' : [ 0x24, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_CMHIVE' : [ 0xb48, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x590, ['array', 6, ['pointer64', ['void']]]], 'NotifyList' : [ 0x5c0, ['_LIST_ENTRY']], 'HiveList' : [ 0x5d0, ['_LIST_ENTRY']], 'HiveLock' : [ 0x5e0, ['pointer64', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x5e8, ['_EX_PUSH_LOCK']], 'ViewLockOwner' : [ 0x5f0, ['pointer64', ['_KTHREAD']]], 'ViewLockLast' : [ 0x5f8, ['unsigned long']], 'ViewUnLockLast' : [ 0x5fc, ['unsigned long']], 'WriterLock' : [ 0x600, ['pointer64', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x608, ['_EX_PUSH_LOCK']], 'SecurityLock' : [ 0x610, ['_EX_PUSH_LOCK']], 'MappedViewList' : [ 0x618, ['_LIST_ENTRY']], 'PinnedViewList' : [ 0x628, ['_LIST_ENTRY']], 'FlushedViewList' : [ 0x638, ['_LIST_ENTRY']], 'MappedViewCount' : [ 0x648, ['unsigned short']], 'PinnedViewCount' : [ 0x64a, ['unsigned short']], 
'UseCount' : [ 0x64c, ['unsigned long']], 'ViewsPerHive' : [ 0x650, ['unsigned long']], 'FileObject' : [ 0x658, ['pointer64', ['_FILE_OBJECT']]], 'LastShrinkHiveSize' : [ 0x660, ['unsigned long']], 'ActualFileSize' : [ 0x668, ['_LARGE_INTEGER']], 'FileFullPath' : [ 0x670, ['_UNICODE_STRING']], 'FileUserName' : [ 0x680, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x690, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x6a0, ['unsigned long']], 'SecurityCacheSize' : [ 0x6a4, ['unsigned long']], 'SecurityHitHint' : [ 0x6a8, ['long']], 'SecurityCache' : [ 0x6b0, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x6b8, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0xab8, ['unsigned long']], 'UnloadEventArray' : [ 0xac0, ['pointer64', ['pointer64', ['_KEVENT']]]], 'RootKcb' : [ 0xac8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0xad0, ['unsigned char']], 'UnloadWorkItem' : [ 0xad8, ['pointer64', ['_CM_WORKITEM']]], 'GrowOnlyMode' : [ 0xae0, ['unsigned char']], 'GrowOffset' : [ 0xae4, ['unsigned long']], 'KcbConvertListHead' : [ 0xae8, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0xaf8, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xb08, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0xb10, ['unsigned long']], 'TrustClassEntry' : [ 0xb18, ['_LIST_ENTRY']], 'FlushCount' : [ 0xb28, ['unsigned long']], 'CmRm' : [ 0xb30, ['pointer64', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0xb38, ['unsigned long']], 'CmRmInitFailStatus' : [ 0xb3c, ['long']], 'CreatorOwner' : [ 0xb40, ['pointer64', ['_KTHREAD']]], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x18, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x8, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x10, ['long']], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' 
: [ 0x14, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '__unnamed_19ea' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_19f0' : [ 0x8, { 'Banked' : [ 0x0, ['pointer64', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x78, { 'u1' : [ 0x0, ['__unnamed_14ab']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_14ae']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_14b1']], 'u2' : [ 0x40, ['__unnamed_14bb']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'u3' : [ 0x60, ['__unnamed_19ea']], 'u4' : [ 0x70, ['__unnamed_19f0']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', ['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, 
['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_EJOB' : [ 0x1b0, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, ['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb0, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xb8, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0xc0, ['unsigned long']], 'TotalProcesses' : [ 0xc4, ['unsigned long']], 'ActiveProcesses' : [ 0xc8, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0xcc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xd0, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xd8, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0xe0, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0xe8, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xf0, ['unsigned long long']], 'ActiveProcessLimit' : [ 0xf8, ['unsigned long']], 'Affinity' : [ 0x100, ['unsigned long long']], 'PriorityClass' : [ 0x108, ['unsigned char']], 'AccessState' : [ 0x110, ['pointer64', ['_JOB_ACCESS_STATE']]], 'UIRestrictionsClass' : [ 0x118, ['unsigned long']], 'EndOfJobTimeAction' : [ 0x11c, ['unsigned long']], 'CompletionPort' : [ 0x120, ['pointer64', ['void']]], 'CompletionKey' : [ 0x128, ['pointer64', ['void']]], 'SessionId' : [ 0x130, ['unsigned long']], 'SchedulingClass' : [ 0x134, ['unsigned long']], 'ReadOperationCount' : [ 0x138, ['unsigned long long']], 'WriteOperationCount' : [ 0x140, ['unsigned long long']], 'OtherOperationCount' : [ 0x148, ['unsigned long long']], 'ReadTransferCount' : [ 0x150, ['unsigned long long']], 'WriteTransferCount' : [ 0x158, ['unsigned long long']], 'OtherTransferCount' : [ 0x160, ['unsigned long long']], 'ProcessMemoryLimit' : [ 0x168, ['unsigned long long']], 'JobMemoryLimit' : [ 0x170, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x178, 
['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x180, ['unsigned long long']], 'CurrentJobMemoryUsed' : [ 0x188, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x190, ['_EX_PUSH_LOCK']], 'JobSetLinks' : [ 0x198, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x1a8, ['unsigned long']], 'JobFlags' : [ 0x1ac, ['unsigned long']], } ], '__unnamed_1a03' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Hypervisor' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'HvMaxCState' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_IDLE_STATES' : [ 0x48, { 'Type' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['__unnamed_1a03']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'TargetProcessors' : [ 0x18, ['unsigned long long']], 'State' : [ 0x20, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '_PEB' : [ 0x368, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', 
dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['pointer64', ['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['void']]], 'IFEOKey' : [ 0x48, ['pointer64', ['void']]], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'UserSharedInfoPtr' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x64, ['unsigned long']], 'SparePebPtr0' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'HotpatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 
'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, 
['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['pointer64', ['void']]], 'WerShipAssertPtr' : [ 0x360, ['pointer64', ['void']]], } ], '__unnamed_1a1c' : [ 0x18, { 'EfiInformation' : [ 0x0, ['_EFI_FIRMWARE_INFORMATION']], 'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']], } ], '_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x20, { 'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_1a1c']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x10, ['_LIST_ENTRY']], 'Address' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_POOL_DESCRIPTOR' : [ 0x1048, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['long']], 'RunningDeAllocs' : [ 0xc, ['long']], 'TotalPages' : [ 0x10, 
['long']], 'TotalBigPages' : [ 0x14, ['long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x20, ['pointer64', ['void']]], 'PendingFrees' : [ 0x28, ['pointer64', ['pointer64', ['void']]]], 'ThreadsProcessingDeferrals' : [ 0x30, ['long']], 'PendingFreeDepth' : [ 0x34, ['long']], 'TotalBytes' : [ 0x38, ['unsigned long long']], 'Spare0' : [ 0x40, ['unsigned long long']], 'ListHeads' : [ 0x48, ['array', 256, ['_LIST_ENTRY']]], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x20, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x8, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0x18, ['unsigned long long']], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, 
native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0xa0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'MessageServiceRoutine' : [ 0x20, ['pointer64', ['void']]], 'MessageIndex' : [ 0x28, ['unsigned long']], 'ServiceContext' : [ 0x30, ['pointer64', ['void']]], 'SpinLock' : [ 0x38, ['unsigned long long']], 'TickCount' : [ 0x40, ['unsigned long']], 'ActualLock' : [ 0x48, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x50, ['pointer64', ['void']]], 'Vector' : [ 0x58, ['unsigned long']], 'Irql' : [ 0x5c, ['unsigned char']], 'SynchronizeIrql' : [ 0x5d, ['unsigned char']], 'FloatingSave' : [ 0x5e, ['unsigned char']], 'Connected' : [ 0x5f, ['unsigned char']], 'Number' : [ 0x60, ['unsigned char']], 'ShareVector' : [ 0x61, ['unsigned char']], 'Mode' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x6c, ['unsigned long']], 'DispatchCount' : [ 0x70, ['unsigned long']], 'Rsvd1' : [ 0x78, ['unsigned long long']], 'TrapFrame' : [ 0x80, ['pointer64', ['_KTRAP_FRAME']]], 'Reserved' : [ 0x88, ['pointer64', ['void']]], 'DispatchCode' : [ 0x90, ['array', 4, ['unsigned long']]], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long long']], 'GrantedAccess' : [ 0x8, ['unsigned long']], 'GrantedAccessIndex' : [ 0x8, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xa, ['unsigned short']], 
'NextFreeTableEntry' : [ 0x8, ['long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x38, { 'FileName' : [ 0x0, ['pointer64', ['unsigned short']]], 'BaseName' : [ 0x8, ['pointer64', ['unsigned short']]], 'RegRootName' : [ 0x10, ['pointer64', ['unsigned short']]], 'CmHive' : [ 0x18, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x20, ['unsigned long']], 'CmHiveFlags' : [ 0x24, ['unsigned long']], 'CmHive2' : [ 0x28, ['pointer64', ['_CMHIVE']]], 'ThreadFinished' : [ 0x30, ['unsigned char']], 'ThreadStarted' : [ 0x31, ['unsigned char']], 'Allocate' : [ 0x32, ['unsigned char']], 'WinPERequired' : [ 0x33, ['unsigned char']], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 
'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned long long']], 'R12' : [ 0xd8, ['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XMM_SAVE_AREA32']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, ['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_ALPC_HANDLE_TABLE' : [ 
0x20, { 'Flags' : [ 0x0, ['unsigned long']], 'Handles' : [ 0x8, ['pointer64', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x10, ['unsigned long']], 'Lock' : [ 0x18, ['_EX_PUSH_LOCK']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, 
['pointer64', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x200, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'StackTrace' : [ 0x8, ['array', 63, ['pointer64', ['void']]]], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x98, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Mdl' : [ 0x18, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x20, ['pointer64', ['void']]], 'UserLimit' : [ 0x28, ['pointer64', ['void']]], 'DataUserVa' : [ 0x30, ['pointer64', ['void']]], 'SystemVa' : [ 0x38, ['pointer64', ['void']]], 'TotalSize' : [ 0x40, ['unsigned long long']], 'Header' : [ 0x48, ['pointer64', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x50, ['pointer64', ['void']]], 'ListSize' : [ 0x58, ['unsigned long long']], 'Bitmap' : [ 0x60, ['pointer64', ['void']]], 'BitmapSize' : [ 0x68, ['unsigned long long']], 'Data' : [ 0x70, ['pointer64', ['void']]], 'DataSize' : [ 0x78, ['unsigned long long']], 'BitmapLimit' : [ 0x80, ['unsigned long']], 'BitmapNextHint' : [ 0x84, ['unsigned long']], 'ConcurrencyCount' : [ 0x88, ['unsigned long']], 'AttributeFlags' : [ 0x8c, ['unsigned long']], 'AttributeSize' : [ 0x90, ['unsigned long']], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x98, { 
'WorkQueue' : [ 0x0, ['_LIST_ENTRY']], 'ScanDpc' : [ 0x10, ['_KDPC']], 'ScanTimer' : [ 0x50, ['_KTIMER']], 'ScanActive' : [ 0x90, ['unsigned char']], 'OtherWork' : [ 0x91, ['unsigned char']], 'PendingTeardown' : [ 0x92, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', ['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, 
['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_CM_RM' : [ 0x88, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x10, ['_LIST_ENTRY']], 'TmHandle' : [ 0x20, ['pointer64', ['void']]], 'Tm' : [ 0x28, ['pointer64', ['void']]], 'RmHandle' : [ 0x30, ['pointer64', ['void']]], 'KtmRm' : [ 0x38, ['pointer64', ['void']]], 'RefCount' : [ 0x40, ['unsigned long']], 'ContainerNum' : [ 0x44, ['unsigned long']], 'ContainerSize' : [ 0x48, ['unsigned long long']], 'CmHive' : [ 0x50, ['pointer64', ['_CMHIVE']]], 'LogFileObject' : [ 0x58, ['pointer64', ['void']]], 'MarshallingContext' : [ 0x60, ['pointer64', ['void']]], 'RmFlags' : [ 0x68, ['unsigned long']], 'LogStartStatus1' : [ 0x6c, ['long']], 'LogStartStatus2' : [ 0x70, ['long']], 'BaseLsn' : [ 0x78, ['unsigned long long']], 'RmLock' : [ 0x80, ['pointer64', ['_ERESOURCE']]], } ], '_MMVAD_FLAGS' : [ 0x8, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 51, native_type='unsigned long long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 61, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit 
= 61, end_bit = 63, native_type='unsigned long long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PCIXDEVICE_ERROR' : [ 0x68, { 'ValidBits' : [ 0x0, ['_WHEA_PCIXDEVICE_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'IdInfo' : [ 0x10, ['_WHEA_PCIXDEVICE_ID']], 'MemoryNumber' : [ 0x20, ['unsigned long']], 'IoNumber' : [ 0x24, ['unsigned long']], 'RegisterDataPairs' : [ 0x28, ['array', 4, ['WHEA_PCIXDEVICE_REGISTER_PAIR']]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_UNEXPECTED_INTERRUPT' : [ 0x10, { 'PushImmOp' : [ 0x0, ['unsigned char']], 'PushImm' : [ 0x1, ['unsigned long']], 'PushRbp' : [ 0x5, ['unsigned char']], 'JmpOp' : [ 0x6, ['unsigned char']], 'JmpOffset' : [ 0x7, ['long']], } ], '__unnamed_1aa4' : [ 0x28, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ], '_HEAP_LOCK' : [ 0x28, { 'Lock' : [ 0x0, ['__unnamed_1aa4']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_DRIVER_EXTENSION' : [ 0x38, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, 
['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x10, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'Flags' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x9, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0xa, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'OldIrql' : [ 0x8, ['unsigned char']], 'NewIrql' : [ 0x9, ['unsigned char']], 'Processor' : [ 0xa, ['unsigned char']], 'TickCount' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 5, ['pointer64', ['void']]]], } ], '_PEB_LDR_DATA' : [ 0x58, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], 'ShutdownInProgress' : [ 0x48, ['unsigned char']], 'ShutdownThreadId' : [ 0x50, ['pointer64', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned 
long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0x18, { 'AnsiCodePageData' : [ 0x0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0x8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0x10, ['pointer64', ['void']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x100, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x18, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x20, ['unsigned long']], 'ParentKcb' : [ 0x28, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x30, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x38, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x40, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x50, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x50, ['unsigned long']], 'SubKeyCount' : [ 0x50, ['unsigned long']], 'KeyBodyListHead' : [ 0x58, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x58, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x68, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'DelayCloseEntry' : [ 0x88, ['pointer64', ['void']]], 'KcbLastWriteTime' : [ 0x90, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x98, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x9a, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x9c, ['unsigned long']], 'KcbUserFlags' : [ 0xa0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 
'KcbVirtControlFlags' : [ 0xa0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0xa0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0xa0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'RealKeyName' : [ 0xa8, ['pointer64', ['unsigned char']]], 'KCBUoWListHead' : [ 0xb0, ['_LIST_ENTRY']], 'TransKCBOwner' : [ 0xc0, ['pointer64', ['_CM_TRANS']]], 'KCBLock' : [ 0xc8, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0xd8, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0xe8, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0xf0, ['pointer64', ['_CM_TRANS']]], 'FullKCBName' : [ 0xf8, ['pointer64', ['_UNICODE_STRING']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 22, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : 
[ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0x8, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : 
[ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x40, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x18, ['unsigned long']], 'ImageCommitment' : [ 0x1c, ['unsigned long']], 'ControlArea' : [ 0x20, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x30, ['pointer64', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x38, ['pointer64', ['_MMSUBSECTION_FLAGS']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, 
['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SessionMaster' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'TrimmerAttached' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'TrimmerDetaching' : [ 0x1, ['BitField', dict(start_bit = 
0, end_bit = 1, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], } ], 'PPM_IDLE_ACCOUNTING' : [ 0x48, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['PPM_IDLE_STATE_ACCOUNTING']]], } ], 'PPM_IDLE_STATE_ACCOUNTING' : [ 0x30, { 'IdleTransitions' : [ 0x0, ['unsigned long']], 'FailedTransitions' : [ 0x4, ['unsigned long']], 'InvalidBucketIndex' : [ 0x8, ['unsigned long']], 'TotalTime' : [ 0x10, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x18, ['array', 6, ['unsigned long']]], } ], '_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : 
[ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x38, { 'Lock' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'ActiveCount' : [ 0xc, ['unsigned long']], 'PendingNullCount' : [ 0x10, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x14, ['unsigned long']], 'PendingDelete' : [ 0x18, ['unsigned long']], 'FreeListHead' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x28, ['pointer64', ['void']]], 'CompletionKey' : [ 0x30, ['pointer64', ['void']]], 'Entry' : [ 0x38, ['array', 0, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 
'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0x18, ['unsigned long long']], 'PageCount' : [ 0x20, ['unsigned long long']], } ], '_CM_INTENT_LOCK' : [ 0x10, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x8, ['pointer64', ['pointer64', ['_CM_KCB_UOW']]]], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ], '_MAPPED_FILE_SEGMENT' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'LastSubsectionHint' : [ 0x30, ['pointer64', ['_MSUBSECTION']]], } ], '_TEB64' : [ 0x1828, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, 
['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes1' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 
'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'EtwLocalData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'SpareBool0' : [ 0x1744, ['unsigned char']], 'SpareBool1' : [ 0x1745, ['unsigned char']], 'SpareBool2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'ImpersonationLocale' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long 
long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'DbgSafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RtlDisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'ProcessRundown' : [ 0x180c, ['unsigned long']], 'LastSwitchTime' : [ 0x1810, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0x1818, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x1820, ['_LARGE_INTEGER']], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned 
long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_VI_FAULT_TRACE' : [ 0x48, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 8, ['pointer64', ['void']]]], } ], '_WHEA_PCIXBUS_ERROR' : [ 0x48, { 'ValidBits' : [ 0x0, ['_WHEA_PCIXBUS_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'ErrorType' : [ 0x10, ['unsigned short']], 'BusId' : [ 0x12, ['_WHEA_PCIXBUS_ID']], 'Reserved' : [ 0x14, ['unsigned long']], 'BusAddress' : [ 0x18, ['unsigned long long']], 'BusData' : [ 0x20, ['unsigned long long']], 'BusCommand' : [ 0x28, ['_WHEA_PCIXBUS_COMMAND']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'CompleterId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x18, ['unsigned long']], 'ObjectMask' : [ 0x1c, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', 
dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned long long']], 'OwnerCount' : [ 0x8, ['long']], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_MI_SECTION_CREATION_GATE' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_MI_SECTION_CREATION_GATE']]], 'Gate' : [ 0x8, ['_KGATE']], } ], '_ETIMER' : [ 0x108, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x40, ['_KAPC']], 'TimerDpc' : [ 0x98, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Lock' : [ 0xe8, ['unsigned long long']], 'Period' : [ 0xf0, ['long']], 'ApcAssociated' : [ 0xf4, ['unsigned char']], 'WakeTimer' : [ 0xf5, ['unsigned char']], 'WakeTimerListEntry' : [ 0xf8, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '_POOL_BLOCK_HEAD' : [ 0x20, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x10, ['_LIST_ENTRY']], } ], '_WHEA_PCIXBUS_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'BusId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'BusAddress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'BusData' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'BusCommand' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'CompleterId' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'TargetId' : [ 0x0, 
['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1b85' : [ 0x8, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer64', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x10, { 'u1' : [ 0x0, ['__unnamed_1b85']], 'EndVa' : [ 0x8, ['pointer64', ['void']]], } ], '_ARBITER_INSTANCE' : [ 0x698, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['unsigned short']]], 'OrderingName' : [ 0x18, ['pointer64', ['unsigned short']]], 'ResourceType' : [ 0x20, ['long']], 'Allocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x30, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x38, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x48, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x58, ['long']], 'Interface' : [ 0x60, ['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x68, ['unsigned long']], 'AllocationStack' : [ 0x70, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x78, ['pointer64', ['void']]], 'PackResource' : [ 0x80, ['pointer64', ['void']]], 'UnpackResource' : [ 0x88, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x90, ['pointer64', ['void']]], 'TestAllocation' : [ 0x98, ['pointer64', ['void']]], 'RetestAllocation' : [ 0xa0, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa8, ['pointer64', ['void']]], 'RollbackAllocation' : [ 0xb0, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb8, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xc0, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc8, ['pointer64', ['void']]], 'AddReserved' : [ 0xd0, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd8, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xe0, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe8, ['pointer64', 
['void']]], 'GetNextAllocationRange' : [ 0xf0, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf8, ['pointer64', ['void']]], 'AddAllocation' : [ 0x100, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x108, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x110, ['pointer64', ['void']]], 'InitializeRangeList' : [ 0x118, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x120, ['unsigned char']], 'TransactionEvent' : [ 0x128, ['pointer64', ['_KEVENT']]], 'Extension' : [ 0x130, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x140, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x148, ['pointer64', ['void']]], 'PdoDescriptionString' : [ 0x150, ['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x3f0, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x690, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '_HMAP_TABLE' : [ 0x4000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_WHEA_MEMORY_ERROR' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, 
['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 
0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']],
# DeviceState spans 0x10-0x2c (up to SystemWake): 7 four-byte 'long' enumeration entries, so the array count is 7.
'DeviceState' : [ 0x10, ['array', 7, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_KGUARDED_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KGATE']], 'KernelApcDisable' : [ 0x30, ['short']], 'SpecialApcDisable' : [ 0x32, ['short']], 'CombinedApcDisable' : [ 0x30, ['unsigned long']], } ], '_ALPHA_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '__unnamed_1bef' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1bf5' : [ 0x18, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPolicyMachineDefault', 1: 'IrqPolicyAllCloseProcessors', 2: 'IrqPolicyOneCloseProcessor', 3: 'IrqPolicyAllProcessorsInMachine', 4: 'IrqPolicySpecifiedProcessors', 5:
'IrqPolicySpreadMessagesAcrossAllProcessors'})]], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long long']], } ], '__unnamed_1bf7' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1bf9' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1bfb' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1bfd' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1bff' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1c01' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1c03' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1c05' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1bef']], 'Memory' : [ 0x0, ['__unnamed_1bef']], 'Interrupt' : [ 0x0, ['__unnamed_1bf5']], 'Dma' : [ 0x0, ['__unnamed_1bf7']], 'Generic' : [ 0x0, ['__unnamed_1bef']], 'DevicePrivate' : [ 0x0, ['__unnamed_1bf9']], 'BusNumber' : [ 0x0, ['__unnamed_1bfb']], 'ConfigData' : [ 0x0, ['__unnamed_1bfd']], 'Memory40' : [ 0x0, ['__unnamed_1bff']], 'Memory48' : [ 0x0, ['__unnamed_1c01']], 'Memory64' : [ 0x0, ['__unnamed_1c03']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 
0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1c05']], } ], '_POP_THERMAL_ZONE' : [ 0x128, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x10, ['unsigned char']], 'Flags' : [ 0x11, ['unsigned char']], 'Mode' : [ 0x12, ['unsigned char']], 'PendingMode' : [ 0x13, ['unsigned char']], 'ActivePoint' : [ 0x14, ['unsigned char']], 'PendingActivePoint' : [ 0x15, ['unsigned char']], 'Throttle' : [ 0x18, ['long']], 'LastTime' : [ 0x20, ['unsigned long long']], 'SampleRate' : [ 0x28, ['unsigned long']], 'LastTemp' : [ 0x2c, ['unsigned long']], 'PassiveTimer' : [ 0x30, ['_KTIMER']], 'PassiveDpc' : [ 0x70, ['_KDPC']], 'OverThrottled' : [ 0xb0, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0xc8, ['pointer64', ['_IRP']]], 'Info' : [ 0xd0, ['_THERMAL_INFORMATION_EX']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 
'Signature' : [ 0x10, ['unsigned long long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], '_WHEA_PCIXBUS_COMMAND' : [ 0x8, { 'Command' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 56, native_type='unsigned long long')]], 'PCIXCommand' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 57, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_CM_TRANS' : [ 0xb0, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x10, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x30, ['pointer64', ['void']]], 'CmRm' : [ 0x38, ['pointer64', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x40, ['pointer64', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x48, ['pointer64', ['void']]], 'KtmUow' : [ 0x50, ['_GUID']], 'StartLsn' : [ 0x60, ['unsigned long long']], 'TransState' : [ 0x68, ['unsigned long']], 'HiveCount' : [ 0x6c, ['unsigned long']], 'HiveArray' : [ 0x70, ['array', 8, ['pointer64', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x48, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ParseContext' : [ 0x10, ['pointer64', ['void']]], 'ProbeMode' : [ 0x18, ['unsigned char']], 'PagedPoolCharge' : [ 0x1c, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x20, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x24, ['unsigned long']], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'SecurityQos' : [ 0x30, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x38, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_POOL_HACKER' : [ 0x30, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x10, ['array', 8, ['unsigned long']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x1c, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1b, ['unsigned char']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection'
: [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x110, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x10, ['array', 32, ['unsigned long long']]], } ], '_MBCB' : [ 0xb8, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x58, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x88, ['_BITMAP_RANGE']], } ], '__unnamed_1c48' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1c48']], 'TimeCheck' : [ 0x8, ['unsigned long']], 
'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x70, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 
'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', ['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], } ], '_KPROCESSOR_STATE' : [ 0x5b0, { 
'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_KDPC' : [ 0x40, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x8, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', ['void']]], 'DpcData' : [ 0x38, ['pointer64', ['void']]], } ], '_KERNEL_STACK_SEGMENT' : [ 0x28, { 'StackBase' : [ 0x0, ['unsigned long long']], 'StackLimit' : [ 0x8, ['unsigned long long']], 'KernelStack' : [ 0x10, ['unsigned long long']], 'InitialStack' : [ 0x18, ['unsigned long long']], 'ActualLimit' : [ 0x20, ['unsigned long long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit 
= 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WHEA_PCIXDEVICE_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'IdInfo' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'MemoryNumber' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'IoNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'RegisterDataPairs' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], 'WHEA_PCIXDEVICE_REGISTER_PAIR' : [ 0x10, { 'Register' : [ 0x0, ['unsigned long long']], 'Data' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_VACB_ARRAY_HEADER' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'MappingCount' : [ 0x10, ['unsigned long']], 'Reserved' : [ 0x14, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', 
dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', 
dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_PEB32' : [ 0x238, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, ['unsigned long']], 'IFEOKey' : [ 0x24, ['unsigned long']],
'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['unsigned long']], 'UserSharedInfoPtr' : [ 0x2c, ['unsigned long']], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x34, ['unsigned long']], 'SparePebPtr0' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'HotpatchInformation' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 
'LoaderLock' : [ 0xa0, ['unsigned long']], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']], 'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['unsigned long']], 'WerShipAssertPtr' : [ 0x234, ['unsigned long']], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' 
: [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_KBUGCHECK_ACTIVE_STATE' : [ 0x4, { 'BugCheckState' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'RecursionCount' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'BugCheckOwner' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['long']], } ], '_PF_KERNEL_GLOBALS' : [ 0x60, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0x10, ['_KEVENT']], 'AccessBufferMax' : [ 0x28, ['unsigned long']], 'AccessBufferList' : [ 0x40, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x50, ['long']], 'Flags' : [ 0x54, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x58, ['long']], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : 
[ 0x0, ['unsigned long']], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_WHEA_PCIXBUS_ID' : [ 0x2, { 'BusNumber' : [ 0x0, ['unsigned char']], 'BusSegment' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x30, { 'SourceProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'SourceHandle' : [ 0x8, ['pointer64', ['void']]], 'Object' : [ 0x10, ['pointer64', ['void']]], 'ObjectType' : [ 0x18, ['pointer64', ['_OBJECT_TYPE']]], 'TargetAccess' : [ 0x20, ['unsigned long']], 'ObjectInfo' : [ 0x24, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x28, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, 
['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_EFI_FIRMWARE_INFORMATION' : [ 0x18, { 'FirmwareVersion' : [ 0x0, ['unsigned long']], 'VirtualEfiRuntimeServices' : [ 0x8, ['pointer64', ['_VIRTUAL_EFI_RUNTIME_SERVICES']]], 'SetVirtualAddressMapStatus' : [ 0x10, ['long']], 'MissedMappingsCount' : [ 0x14, ['unsigned long']], } ], '__unnamed_1ce7' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1ce9' : [ 0x10, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1ceb' : [ 0x10, { 'Reserved' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1ced' : [ 0x10, { 'Raw' : [ 0x0, ['__unnamed_1ceb']], 'Translated' : [ 0x0, ['__unnamed_1ce9']], } ], '__unnamed_1cef' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cf1' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cf3' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cf5' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cf7' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cf9' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cfb' : [ 0x10, { 'Generic' : [ 0x0, ['__unnamed_1ce7']], 'Port' : [ 0x0, ['__unnamed_1ce7']], 'Interrupt' : [ 0x0, ['__unnamed_1ce9']], 
'MessageInterrupt' : [ 0x0, ['__unnamed_1ced']], 'Memory' : [ 0x0, ['__unnamed_1ce7']], 'Dma' : [ 0x0, ['__unnamed_1cef']], 'DevicePrivate' : [ 0x0, ['__unnamed_1bf9']], 'BusNumber' : [ 0x0, ['__unnamed_1cf1']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1cf3']], 'Memory40' : [ 0x0, ['__unnamed_1cf5']], 'Memory48' : [ 0x0, ['__unnamed_1cf7']], 'Memory64' : [ 0x0, ['__unnamed_1cf9']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1cfb']], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '__unnamed_1d02' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1d02']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_MMPTE_HARDWARE_LARGEPAGE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, 
['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PAT' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 21, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 48, native_type='unsigned long long')]], 'reserved2' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_KUSER_SHARED_DATA' : [ 0x3b8, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 
'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgSystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgSEHValidationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 
'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 8, ['unsigned short']]], 'HeapTracingPid' : [ 0x390, ['array', 2, ['unsigned long']]], 'CritSecTracingPid' : [ 0x398, ['array', 2, ['unsigned long']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'AffinityPad' : [ 0x3a8, ['unsigned long long']], 'ActiveProcessorAffinity' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], } ], '__unnamed_1d1f' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x58, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_1d1f']], } ], '_CONFIGURATION_COMPONENT_DATA' : [ 0x48, { 'Parent' : [ 0x0, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'Child' : [ 0x8, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'Sibling' : [ 0x10, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'ComponentEntry' : [ 0x18, ['_CONFIGURATION_COMPONENT']], 'ConfigurationData' : [ 0x40, ['pointer64', ['void']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '__unnamed_1d29' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMSUBSECTION_NODE']]], } ], '_MMSUBSECTION_NODE' : [ 0x28, { 'u' : [ 0x0, ['__unnamed_14d4']], 'StartingSector' : [ 0x4, ['unsigned long']], 'NumberOfFullSectors' 
: [ 0x8, ['unsigned long']], 'u1' : [ 0x10, ['__unnamed_1d29']], 'LeftChild' : [ 0x18, ['pointer64', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x20, ['pointer64', ['_MMSUBSECTION_NODE']]], } ], '__unnamed_1d2f' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_1d31' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_1d2f']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x98, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'TotalBusyCount' : [ 0x8, ['unsigned long']], 'ConservationIdleTime' : [ 0xc, ['unsigned long']], 'PerformanceIdleTime' : [ 0x10, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x20, ['_LIST_ENTRY']], 'DeviceType' : [ 0x30, ['unsigned char']], 'IdleState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x40, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x50, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x60, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x80, ['_LIST_ENTRY']], 'Specific' : [ 0x90, ['__unnamed_1d31']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 
'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x68, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]], 'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 
'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], } ], '_KENLISTMENT' : [ 0x1e0, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x8, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x30, ['_GUID']], 'Mutex' : [ 0x40, ['_KMUTANT']], 'NextSameTx' : [ 0x78, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x88, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x98, ['pointer64', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0xa0, ['pointer64', ['_KTRANSACTION']]], 'State' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0xac, ['unsigned long']], 'NotificationMask' : [ 0xb0, ['unsigned long']], 'Key' : [ 0xb8, ['pointer64', ['void']]], 'KeyRefCount' : [ 0xc0, ['unsigned long']], 'RecoveryInformation' : [ 0xc8, ['pointer64', ['void']]], 'RecoveryInformationLength' : [ 0xd0, ['unsigned long']], 'DynamicNameInformation' : [ 0xd8, ['pointer64', ['void']]], 'DynamicNameInformationLength' : [ 0xe0, ['unsigned long']], 'FinalNotification' : [ 0xe8, ['pointer64', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0xf8, ['pointer64', ['void']]], 'SubordinateTxHandle' : [ 0x100, ['pointer64', ['void']]], 'CrmEnlistmentEnId' : [ 0x108, 
['_GUID']], 'CrmEnlistmentTmId' : [ 0x118, ['_GUID']], 'CrmEnlistmentRmId' : [ 0x128, ['_GUID']], 'NextHistory' : [ 0x138, ['unsigned long']], 'History' : [ 0x13c, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, ['pointer64', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x28, ['unsigned char']], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x300, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 
'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x80, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x88, ['unsigned long']], 'LastCallbackId' : [ 0x8c, ['unsigned long']], 'PostCount' : [ 0x100, ['unsigned long']], 'ReturnCount' : [ 0x180, ['unsigned long']], 'LogSequenceNumber' : [ 0x200, ['unsigned long']], 'UserLock' : [ 0x280, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x288, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_DEVICE_MAP' : [ 0x40, { 'DosDevicesDirectory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x10, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'DriveMap' : [ 0x1c, ['unsigned long']], 'DriveType' : [ 0x20, ['array', 32, ['unsigned char']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_ETW_KERNEL_TRACE_TIMESTAMP' : [ 0x10, { 'KernelTraceTimeStamp' : [ 0x0, ['array', 2, ['_LARGE_INTEGER']]], } ], '_HEAP_DEBUGGING_INFORMATION' : [ 0x30, { 'InterceptorFunction' : [ 0x0, ['pointer64', ['void']]], 'InterceptorValue' : [ 0x8, ['unsigned short']], 'ExtendedOptions' : [ 0xc, ['unsigned long']], 'StackTraceDepth' : [ 0x10, ['unsigned long']], 'MinTotalBlockSize' : [ 0x18, ['unsigned long long']], 'MaxTotalBlockSize' : [ 0x20, ['unsigned long long']], 'HeapLeakEnumerationRoutine' : [ 0x28, 
['pointer64', ['void']]], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x38, { 'BasePhysicalPage' : [ 0x0, ['unsigned long long']], 'BasedPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'BankSize' : [ 0x10, ['unsigned long']], 'BankShift' : [ 0x14, ['unsigned long']], 'BankedRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'CurrentMappedPte' : [ 0x28, ['pointer64', ['_MMPTE']]], 'BankTemplate' : [ 0x30, ['array', 1, ['_MMPTE']]], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCIEXPRESS_ERROR' : [ 0xd0, { 'ValidBits' : [ 0x0, ['_WHEA_PCIEXPRESS_ERROR_VALIDBITS']], 'PortType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaPciExpressEndpoint', 1: 'WheaPciExpressLegacyEndpoint', 4: 'WheaPciExpressRootPort', 5: 'WheaPciExpressUpstreamSwitchPort', 6: 'WheaPciExpressDownstreamSwitchPort', 7: 'WheaPciExpressToPciXBridge', 8: 'WheaPciXToExpressBridge', 9: 'WheaPciExpressRootComplexIntegratedEndpoint', 10: 'WheaPciExpressRootComplexEventCollector'})]], 'Version' : [ 0xc, ['_WHEA_PCIEXPRESS_VERSION']], 'CommandStatus' : [ 0x10, ['_WHEA_PCIEXPRESS_COMMAND_STATUS']], 'Reserved' : [ 0x14, ['unsigned long']], 'DeviceId' : [ 0x18, ['_WHEA_PCIEXPRESS_DEVICE_ID']], 'DeviceSerialNumber' : [ 0x28, ['unsigned long long']], 'BridgeControlStatus' : [ 0x30, 
['_WHEA_PCIEXPRESS_BRIDGE_CONTROL_STATUS']], 'ExpressCapability' : [ 0x34, ['array', 60, ['unsigned char']]], 'AerInfo' : [ 0x70, ['array', 96, ['unsigned char']]], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : [ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '__unnamed_1da3' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'UsingHypervisor' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_PERF_STATES' : [ 0x98, { 'Count' : [ 0x0, ['unsigned long']], 'MaxFrequency' : [ 0x4, ['unsigned long']], 'PStateCap' : [ 0x8, ['unsigned long']], 'TStateCap' : [ 0xc, ['unsigned long']], 'MaxPerfState' : [ 0x10, ['unsigned long']], 'MinPerfState' : [ 0x14, ['unsigned long']], 'LowestPState' : [ 0x18, ['unsigned long']], 'IncreaseTime' : [ 0x1c, ['unsigned long']], 'DecreaseTime' : [ 0x20, ['unsigned long']], 'BusyAdjThreshold' : [ 0x24, ['unsigned char']], 'Reserved' : [ 0x25, ['unsigned char']], 'ThrottleStatesOnly' : [ 0x26, ['unsigned char']], 'PolicyType' : [ 0x27, ['unsigned char']], 'TimerInterval' : [ 0x28, ['unsigned long']],
'Flags' : [ 0x2c, ['__unnamed_1da3']], 'TargetProcessors' : [ 0x30, ['unsigned long long']], 'PStateHandler' : [ 0x38, ['pointer64', ['void']]], 'PStateContext' : [ 0x40, ['unsigned long long']], 'TStateHandler' : [ 0x48, ['pointer64', ['void']]], 'TStateContext' : [ 0x50, ['unsigned long long']], 'FeedbackHandler' : [ 0x58, ['pointer64', ['void']]], 'DiaStats' : [ 0x60, ['pointer64', ['_PPM_DIA_STATS']]], 'DiaStatsCount' : [ 0x68, ['unsigned long']], 'State' : [ 0x70, ['array', 1, ['_PPM_PERF_STATE']]], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', ['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x30, { 'StartingVa' : [ 0x0, ['pointer64', ['void']]], 'EndingVa' : [ 0x8, ['pointer64', ['void']]], 'Parent' : [ 0x10, ['pointer64', ['void']]], 'LeftChild' : [ 0x18, ['pointer64', ['void']]], 'RightChild' : [ 0x20, ['pointer64', ['void']]], 'Segment' : [ 0x28, ['pointer64', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [
0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'RequestSummary' : [ 0x0, ['long long']], 'RequestPacket' : [ 0x8, ['_KREQUEST_PACKET']], 'Virtual' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x60, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 
0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_WHEA_NMI_ERROR_FLAGS' : [ 0x4, { 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, ['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_RTL_ATOM_TABLE' : [ 0x70, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x8, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x30, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x60, ['unsigned long']], 'Buckets' : [ 0x68, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POP_POWER_ACTION' : [ 0xb0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 
'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x38, ['pointer64', 
['_POP_DEVICE_SYS_STATE']]], 'DisplayResumeContext' : [ 0x40, ['pointer64', ['_POP_DISPLAY_RESUME_CONTEXT']]], 'HiberContext' : [ 0x48, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x50, ['unsigned long long']], 'SleepTime' : [ 0x58, ['unsigned long long']], 'FilteredCapabilities' : [ 0x60, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x40, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x18, ['unsigned char']], 'DeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x28, ['pointer64', ['unsigned short']]], 'DriverName' : [ 0x30, ['pointer64', ['unsigned short']]], 'ChildCount' : [ 0x38, ['unsigned long']], 'ActiveChild' : [ 0x3c, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x8, { 'PageHashes' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], 
'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_1dff' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_1e01' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0x10, ['__unnamed_1dff']], 'Button' : [ 0x10, ['__unnamed_1e01']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, 
['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, ['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_LOADER_PARAMETER_EXTENSION' : [ 0xc8, { 
'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 'MajorVersion' : [ 0x14, ['unsigned long']], 'MinorVersion' : [ 0x18, ['unsigned long']], 'EmInfFileImage' : [ 0x20, ['pointer64', ['void']]], 'EmInfFileSize' : [ 0x28, ['unsigned long']], 'TriageDumpBlock' : [ 0x30, ['pointer64', ['void']]], 'LoaderPagesSpanned' : [ 0x38, ['unsigned long long']], 'HeadlessLoaderBlock' : [ 0x40, ['pointer64', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x48, ['pointer64', ['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x50, ['pointer64', ['void']]], 'DrvDBSize' : [ 0x58, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x60, ['pointer64', ['_NETWORK_LOADER_BLOCK']]], 'FirmwareDescriptorListHead' : [ 0x68, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x78, ['pointer64', ['void']]], 'AcpiTableSize' : [ 0x80, ['unsigned long']], 'BootViaWinload' : [ 0x84, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x84, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'LoaderPerformanceData' : [ 0x88, ['pointer64', ['_LOADER_PERFORMANCE_DATA']]], 'BootApplicationPersistentData' : [ 0x90, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0xa0, ['pointer64', ['void']]], 'BootIdentifier' : [ 0xa8, ['_GUID']], 'ResumePages' : [ 0xb8, ['unsigned long']], 'DumpHeader' : [ 0xc0, ['pointer64', ['void']]], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x20, ['pointer64', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], 
'_WHEA_PCIEXPRESS_VERSION' : [ 0x4, { 'MinorVersion' : [ 0x0, ['unsigned char']], 'MajorVersion' : [ 0x1, ['unsigned char']], 'Reserved' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '__unnamed_1e6d' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_1e6d']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x3f8, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 
'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x3f0, ['unsigned long long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], 'StartAddress' : [ 0x28, ['pointer64', ['void']]], 'EndAddress' : [ 0x30, ['pointer64', ['void']]], 'Flags' : [ 0x38, ['unsigned long']], 'Signature' : [ 0x40, ['unsigned long long']], 'PoolPageHeaders' : [ 0x50, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x60, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x70, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x74, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x78, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x7c, ['unsigned long']], 'PagedBytes' : [ 0x80, ['unsigned long long']], 'NonPagedBytes' : [ 0x88, ['unsigned long long']], 'PeakPagedBytes' : [ 0x90, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x98, ['unsigned long long']], } ], '_RTL_SRWLOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]],
'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_ALPC_MESSAGE_ZONE' : [ 0x30, { 'Mdl' : [ 0x0, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x8, ['pointer64', ['void']]], 'UserLimit' : [ 0x10, ['pointer64', ['void']]], 'SystemVa' : [ 0x18, ['pointer64', ['void']]], 'SystemLimit' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x28, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x20, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], } ], '_KSPECIAL_REGISTERS' : [ 0xd8, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned short']],
'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 
'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'BlockSize' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'PoolType' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x18, { 'RefCount' : [ 0x0, ['long']], 'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 0x8, ['pointer64', 
['_ETW_REG_ENTRY']]], 'Caller' : [ 0x10, ['pointer64', ['void']]], } ], '_PEB64' : [ 0x368, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'IFEOKey' : [ 0x48, ['unsigned long long']], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, 
['unsigned long long']], 'UserSharedInfoPtr' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x64, ['unsigned long']], 'SparePebPtr0' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'HotpatchInformation' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 
0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['unsigned long long']], 'WerShipAssertPtr' : [ 0x360, ['unsigned long long']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 'ImageFileName' : [ 0x0, ['pointer64', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x80, { 'Address' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '__unnamed_1eab' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1e00, { 'ReferenceCount' : 
[ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1eab']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x20, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x28, ['unsigned long long']], 'NonPagablePages' : [ 0x30, ['unsigned long long']], 'CommittedPages' : [ 0x38, ['unsigned long long']], 'PagedPoolStart' : [ 0x40, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x48, ['pointer64', ['void']]], 'SessionObject' : [ 0x50, ['pointer64', ['void']]], 'SessionObjectHandle' : [ 0x58, ['pointer64', ['void']]], 'ResidentProcessCount' : [ 0x60, ['long']], 'ImageLoadingCount' : [ 0x64, ['long']], 'SessionPoolAllocationFailures' : [ 0x68, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x78, ['_LIST_ENTRY']], 'LocaleId' : [ 0x88, ['unsigned long']], 'AttachCount' : [ 0x8c, ['unsigned long']], 'AttachGate' : [ 0x90, ['_KGATE']], 'WsListEntry' : [ 0xa8, ['_LIST_ENTRY']], 'Lookaside' : [ 0xc0, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb40, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xb98, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xc00, ['_MMSUPPORT']], 'Wsle' : [ 0xc68, ['pointer64', ['_MMWSLE']]], 'DriverUnload' : [ 0xc70, ['pointer64', ['void']]], 'PagedPool' : [ 0xc78, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1cc0, ['_MMPTE']], 'SessionVaLock' : [ 0x1cc8, ['_KGUARDED_MUTEX']], 'DynamicVaBitMap' : [ 0x1d00, ['_RTL_BITMAP']], 'DynamicVaHint' : [ 0x1d10, ['unsigned long']], 'SpecialPool' : [ 0x1d18, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1d48, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1d80, ['long']], 'PagedPoolPdeCount' : [ 0x1d84, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1d88, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1d8c, ['unsigned long']], 'SystemPteInfo' : [ 0x1d90, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1dd8, ['pointer64', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1de0, ['unsigned long long']], 
'PoolTrackBigPages' : [ 0x1de8, ['pointer64', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1df0, ['unsigned long long']], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 
'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, 
end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', ['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x68, { 'Mutex' : [ 0x0, ['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x38, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x48, ['pointer64', ['_MMPTE']]], 'PagedPoolHint' : [ 0x50, ['unsigned long']], 'PagedPoolCommit' : [ 0x58, ['unsigned long long']], 'AllocatedPagedPool' : [ 0x60, ['unsigned long long']], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, 
['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '_WHEA_GENERIC_PROCESSOR_ERROR' : [ 0xc0, { 'ValidBits' : [ 0x0, ['_WHEA_GENERIC_PROCESSOR_ERROR_VALIDBITS']], 'ProcessorType' : [ 0x8, ['unsigned char']], 'InstructionSet' : [ 0x9, ['unsigned char']], 'ErrorType' : [ 0xa, ['unsigned char']], 'Operation' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned char']], 'Level' : [ 0xd, ['unsigned char']], 'Reserved' : [ 0xe, ['unsigned short']], 'CPUVersion' : [ 0x10, ['unsigned long long']], 'CPUBrandString' : [ 0x18, ['array', 128, ['unsigned char']]], 'ProcessorId' : [ 0x98, ['unsigned long long']], 'TargetAddress' : [ 0xa0, ['unsigned long long']], 'RequesterId' : [ 0xa8, ['unsigned long long']], 'ResponderId' : [ 0xb0, ['unsigned long long']], 'InstructionPointer' : [ 0xb8, ['unsigned long long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 
'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x30, { 'PteBase' : [ 0x0, ['pointer64', ['_MMPTE']]], 'FreePteHead' : [ 0x8, ['_MMPTE']], 'FreePteTail' : [ 0x10, ['_MMPTE']], 'PagesInUse' : [ 0x18, ['long long']], 'SpecialPoolPdes' : [ 0x20, ['_RTL_BITMAP']], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_KGUARDED_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x20, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x10, ['_PO_IRP_QUEUE']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_WHEA_PCIEXPRESS_BRIDGE_CONTROL_STATUS' : [ 0x4, { 'BridgeSecondaryStatus' : [ 0x0, ['unsigned short']], 'BridgeControl' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_KDPC_DATA' : [ 0x20, { 
'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_WORKITEM' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1f25' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1f27' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_1f25']], 'Merged' : [ 0x10, ['__unnamed_1f27']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x8, ['pointer64', ['void']]], 'Lookaside' : [ 0x10, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '__unnamed_1f30' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']],
'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_1f30']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x68, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x10, ['pointer64', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_14d4']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], 'u1' : [ 0x38, ['__unnamed_1d29']], 'LeftChild' : [ 0x40, ['pointer64', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x48, ['pointer64', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x50, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x60, ['unsigned long long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x70, { 'GetTime' : [ 0x0, ['unsigned long long']], 'SetTime' : [ 0x8, ['unsigned long long']],
'GetWakeupTime' : [ 0x10, ['unsigned long long']], 'SetWakeupTime' : [ 0x18, ['unsigned long long']], 'SetVirtualAddressMap' : [ 0x20, ['unsigned long long']], 'ConvertPointer' : [ 0x28, ['unsigned long long']], 'GetVariable' : [ 0x30, ['unsigned long long']], 'GetNextVariableName' : [ 0x38, ['unsigned long long']], 'SetVariable' : [ 0x40, ['unsigned long long']], 'GetNextHighMonotonicCount' : [ 0x48, ['unsigned long long']], 'ResetSystem' : [ 0x50, ['unsigned long long']], 'UpdateCapsule' : [ 0x58, ['unsigned long long']], 'QueryCapsuleCapabilities' : [ 0x60, ['unsigned long long']], 'QueryVariableInfo' : [ 0x68, ['unsigned long long']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 0x12, ['array', 3, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3:
'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_WHEA_MEMORY_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, 
['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_WHEA_PCIEXPRESS_DEVICE_ID' : [ 0x10, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'ClassCode' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'FunctionNumber' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'DeviceNumber' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Segment' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 24, native_type='unsigned long')]], 'PrimaryBusNumber' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'SecondaryBusNumber' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 10, native_type='unsigned long')]], 'SlotNumber' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 24, 
native_type='unsigned long')]], 'Reserved2' : [ 0xc, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_WNODE_HEADER' : [ 0x30, { 'BufferSize' : [ 0x0, ['unsigned long']], 'ProviderId' : [ 0x4, ['unsigned long']], 'HistoricalContext' : [ 0x8, ['unsigned long long']], 'Version' : [ 0x8, ['unsigned long']], 'Linkage' : [ 0xc, ['unsigned long']], 'CountLost' : [ 0x10, ['unsigned long']], 'KernelHandle' : [ 0x10, ['pointer64', ['void']]], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], } ], '__unnamed_1f50' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_1f54' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x50, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u1' : [ 0x30, ['__unnamed_1f50']], 'u2' : [ 0x38, ['__unnamed_1f54']], 'PrototypePte' : [ 0x40, ['pointer64', ['_MMPTE']]], 'ThePtes' : [ 0x48, ['array', 1, ['_MMPTE']]], } ], '_WHEA_PCIXDEVICE_ID' : [ 0x10, { 'VendorId' : [ 0x0, ['unsigned short']], 'DeviceId' : [ 0x2, ['unsigned short']], 'ClassCode' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'FunctionNumber' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'DeviceNumber' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'BusNumber' : [ 
0x8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'SegmentNumber' : [ 0x8, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'Reserved1' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Reserved2' : [ 0xc, ['unsigned long']], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long long']], 'PrivateLinks' : [ 0x50, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x60, ['pointer64', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : 
[ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_RTL_HANDLE_TABLE' : [ 0x30, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x18, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x20, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x28, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_PTE_TRACKER' : [ 0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x10, ['pointer64', ['_MDL']]], 'Count' : [ 0x18, ['unsigned long long']], 'SystemVa' : [ 0x20, ['pointer64', ['void']]], 'StartVa' : [ 0x28, ['pointer64', ['void']]], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : [ 0x38, ['unsigned long long']], 'IoMapping' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x40, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x40, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x40, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'CallingAddress' : [ 0x48, ['pointer64', ['void']]], 'CallersCaller' : [ 0x50, ['pointer64', ['void']]], } ], '_MMPFNLIST' : [ 0x20, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 
'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], } ], '_DEVOBJ_EXTENSION' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', ['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], 'DependentList' : [ 0x50, ['_LIST_ENTRY']], 'ProviderList' : [ 0x60, ['_LIST_ENTRY']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_WHEA_PCIEXPRESS_COMMAND_STATUS' : [ 0x4, { 'Command' : [ 0x0, ['unsigned short']], 'Status' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], 
} ], '_HMAP_ENTRY' : [ 0x20, { 'BlockAddress' : [ 0x0, ['unsigned long long']], 'BinAddress' : [ 0x8, ['unsigned long long']], 'CmView' : [ 0x10, ['pointer64', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0x18, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x18, { 'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned char']], 'NameLength' : [ 0xf, ['unsigned char']], 'Name' : [ 0x10, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x8, ['pointer64', ['void']]], } ], '_LOADER_PERFORMANCE_DATA' : [ 0x10, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], } ], '_MMSESSION' : [ 0x58, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x38, ['pointer64', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewTable' : [ 0x40, ['pointer64', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x48, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x4c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x50, ['unsigned long']], 'BitmapFailures' : [ 0x54, ['unsigned long']], } ], '_WHEA_PCIEXPRESS_ERROR_VALIDBITS' : [ 0x8, { 'PortType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Version' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'CommandStatus' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'DeviceId' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'DeviceSerialNumber' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'BridgeControlStatus' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned 
long long')]], 'ExpressCapability' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'AerInfo' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_ETW_REG_ENTRY' : [ 0x50, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x10, ['pointer64', ['_ETW_GUID_ENTRY']]], 'Index' : [ 0x18, ['unsigned short']], 'Flags' : [ 0x1a, ['unsigned short']], 'EnableMask' : [ 0x1c, ['unsigned char']], 'ReplyQueue' : [ 0x20, ['pointer64', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x20, ['array', 4, ['pointer64', ['_ETW_REG_ENTRY']]]], 'Process' : [ 0x40, ['pointer64', ['_EPROCESS']]], 'Callback' : [ 0x40, ['pointer64', ['void']]], 'CallbackContext' : [ 0x48, ['pointer64', ['void']]], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]], 'ServerSectionBase' : [ 0x48, ['pointer64', ['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0xc8, ['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x10, 
['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_KNODE' : [ 0xc0, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x10, ['array', 3, ['_SLIST_HEADER']]], 'PfnDereferenceSListHead' : [ 0x40, ['_SLIST_HEADER']], 'ProcessorMask' : [ 0x50, ['unsigned long long']], 'Color' : [ 0x58, ['unsigned char']], 'Seed' : [ 0x59, ['unsigned char']], 'NodeNumber' : [ 0x5a, ['unsigned char']], 'Flags' : [ 0x5b, ['_flags']], 'MmShiftedColor' : [ 0x5c, ['unsigned long']], 'FreeCount' : [ 0x60, ['array', 2, ['unsigned long long']]], 'PfnDeferredList' : [ 0x70, ['pointer64', ['_SLIST_ENTRY']]], 'Right' : [ 0x78, ['unsigned long']], 'Left' : [ 0x7c, ['unsigned long']], 
'CachedKernelStacks' : [ 0x80, ['_CACHED_KSTACK_LIST']], } ], '_CACHED_KSTACK_LIST' : [ 0x20, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x10, ['long']], 'Misses' : [ 0x14, ['unsigned long']], 'MissesLast' : [ 0x18, ['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x2b8, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'AbortEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'ReadySemaphore' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x28, ['pointer64', ['_KSEMAPHORE']]], 'GetNewDeviceList' : [ 0x30, ['unsigned char']], 'Order' : [ 0x38, ['_PO_DEVICE_NOTIFY_ORDER']], 'NotifyGdiLevelForPowerOn' : [ 0x288, ['long']], 'NotifyGdiLevelForResumeUI' : [ 0x28c, ['long']], 'Pending' : [ 0x290, ['_LIST_ENTRY']], 'Status' : [ 0x2a0, ['long']], 'FailedDevice' : [ 0x2a8, ['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x2b0, ['unsigned char']], 'Cancelled' : [ 0x2b1, ['unsigned char']], 'IgnoreErrors' : [ 0x2b2, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x2b3, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x2b4, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit 
= 14, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 22, native_type='unsigned long')]], 'ContainsPxeSubsection' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Binary32' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_EX_WORK_QUEUE' : [ 0x58, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x40, ['unsigned long']], 'WorkItemsProcessed' : [ 0x44, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x48, ['unsigned long']], 'QueueDepthLastPass' : [ 0x4c, ['unsigned long']], 'Info' : [ 0x50, ['EX_QUEUE_WORKER_INFO']], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0x18, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_TEB32' : [ 0xff8, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 
'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes1' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'EtwLocalData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 
'SpareBool0' : [ 0xf74, ['unsigned char']], 'SpareBool1' : [ 0xf75, ['unsigned char']], 'SpareBool2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'DbgSafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, 
end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RtlDisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'ProcessRundown' : [ 0xfdc, ['unsigned long']], 'LastSwitchTime' : [ 0xfe0, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0xfe8, ['unsigned long long']], 'WaitReasonBitMap' : [ 0xff0, ['_LARGE_INTEGER']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x30, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], } ], '_PPM_IDLE_STATE' : [ 0x28, { 'IdleHandler' : [ 0x0, ['pointer64', ['void']]], 'Context' : [ 0x8, ['pointer64', ['void']]], 'Latency' : [ 0x10, ['unsigned long']], 'Power' : [ 0x14, ['unsigned long']], 'TimeCheck' : [ 0x18, ['unsigned long']], 'StateFlags' : [ 0x1c, ['unsigned long']], 'PromotePercent' : [ 0x20, ['unsigned char']], 'DemotePercent' : [ 0x21, ['unsigned char']], 'PromotePercentBase' : [ 0x22, ['unsigned 
char']], 'DemotePercentBase' : [ 0x23, ['unsigned char']], 'StateType' : [ 0x24, ['unsigned char']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_KRESOURCEMANAGER' : [ 0x250, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x20, ['unsigned long']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x88, ['_GUID']], 'NotificationQueue' : [ 0x98, ['_KQUEUE']], 'NotificationMutex' : [ 0xd8, ['_KMUTANT']], 'EnlistmentHead' : [ 0x110, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x120, ['unsigned long']], 'NotificationRoutine' : [ 0x128, ['pointer64', ['void']]], 'Key' : [ 0x130, ['pointer64', ['void']]], 'ProtocolListHead' : [ 0x138, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0x148, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0x158, ['_LIST_ENTRY']], 'Tm' : [ 0x168, ['pointer64', ['_KTM']]], 'Description' : [ 0x170, ['_UNICODE_STRING']], 'Enlistments' : [ 0x180, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x228, 
['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x90, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'OptionChanges' : [ 0x78, ['unsigned long']], 
'VerifyMode' : [ 0x7c, ['unsigned long']], 'PreviousBucketName' : [ 0x80, ['_UNICODE_STRING']], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x8168, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x18, ['unsigned long long']], 'ResourceAddressRange' : [ 0x20, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x4010, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x4018, ['unsigned long long']], 'ThreadAddressRange' : [ 0x4020, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x8010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x8014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x8018, ['unsigned long']], 'NodesSearched' : [ 0x801c, ['unsigned long']], 'MaxNodesSearched' : [ 0x8020, ['unsigned long']], 'SequenceNumber' : [ 0x8024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x8028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x802c, ['unsigned long']], 'DepthLimitHits' : [ 0x8030, ['unsigned long']], 'SearchLimitHits' : [ 0x8034, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x8038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x803c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x8040, ['unsigned long']], 'TotalReleases' : [ 0x8044, ['unsigned long']], 'RootNodesDeleted' : [ 0x8048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x804c, ['unsigned long']], 'Instigator' : [ 0x8050, ['pointer64', ['void']]], 'NumberOfParticipants' : [ 0x8058, ['unsigned long']], 'Participant' : [ 0x8060, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x8160, ['long']], } ], '_POP_DISPLAY_RESUME_CONTEXT' : [ 0x80, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkerThread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'PrepareUIEvent' : [ 
0x28, ['_KEVENT']], 'PowerOnEvent' : [ 0x40, ['_KEVENT']], 'DoneEvent' : [ 0x58, ['_KEVENT']], 'WorkerQueued' : [ 0x70, ['unsigned long']], 'WorkerAbort' : [ 0x74, ['unsigned long']], 'NoResumeUI' : [ 0x78, ['unsigned long']], } ], '_KPCR' : [ 0x3ca0, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'UserRsp' : [ 0x10, ['unsigned long long']], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, ['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, ['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_KTM' : [ 0x3a0, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x8, ['_KMUTANT']], 'State' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x48, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x70, ['_GUID']], 'Flags' : [ 0x80, 
['unsigned long']], 'VolatileFlags' : [ 0x84, ['unsigned long']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0xa0, ['pointer64', ['void']]], 'LogManagementContext' : [ 0xa8, ['pointer64', ['void']]], 'Transactions' : [ 0xb0, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0x158, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x200, ['_KMUTANT']], 'LsnOrderedList' : [ 0x238, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x248, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x250, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x288, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x290, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x298, ['_CLS_LSN']], 'TmRmHandle' : [ 0x2a0, ['pointer64', ['void']]], 'TmRm' : [ 0x2a8, ['pointer64', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x2b0, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x2c8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x2e8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x2f0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x310, ['_ERESOURCE']], 'LogFlags' : [ 0x378, ['unsigned long']], 'LogFullStatus' : [ 0x37c, ['long']], 'RecoveryStatus' : [ 0x380, ['long']], 'LastCheckBaseLsn' : [ 0x388, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x390, ['_LIST_ENTRY']], } ], }

volatility-2.3.1/volatility/plugins/overlays/windows/win7_sp01_x86_syscalls.py

# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
# Copyright (c) 2011 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

syscalls = [
    [
    'NtAcceptConnectPort', # 0x0
    'NtAccessCheck', # 0x1
    'NtAccessCheckAndAuditAlarm', # 0x2
    'NtAccessCheckByType', # 0x3
    'NtAccessCheckByTypeAndAuditAlarm', # 0x4
    'NtAccessCheckByTypeResultList', # 0x5
    'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x6
    'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x7
    'NtAddAtom', # 0x8
    'NtAddBootEntry', # 0x9
    'NtAddDriverEntry', # 0xa
    'NtAdjustGroupsToken', # 0xb
    'NtAdjustPrivilegesToken', # 0xc
    'NtAlertResumeThread', # 0xd
    'NtAlertThread', # 0xe
    'NtAllocateLocallyUniqueId', # 0xf
    'NtAllocateReserveObject', # 0x10
    'NtAllocateUserPhysicalPages', # 0x11
    'NtAllocateUuids', # 0x12
    'NtAllocateVirtualMemory', # 0x13
    'NtAlpcAcceptConnectPort', # 0x14
    'NtAlpcCancelMessage', # 0x15
    'NtAlpcConnectPort', # 0x16
    'NtAlpcCreatePort', # 0x17
    'NtAlpcCreatePortSection', # 0x18
    'NtAlpcCreateResourceReserve', # 0x19
    'NtAlpcCreateSectionView', # 0x1a
    'NtAlpcCreateSecurityContext', # 0x1b
    'NtAlpcDeletePortSection', # 0x1c
    'NtAlpcDeleteResourceReserve', # 0x1d
    'NtAlpcDeleteSectionView', # 0x1e
    'NtAlpcDeleteSecurityContext', # 0x1f
    'NtAlpcDisconnectPort', # 0x20
    'NtAlpcImpersonateClientOfPort', # 0x21
    'NtAlpcOpenSenderProcess', # 0x22
    'NtAlpcOpenSenderThread', # 0x23
    'NtAlpcQueryInformation', # 0x24
    'NtAlpcQueryInformationMessage', # 0x25
    'NtAlpcRevokeSecurityContext', # 0x26
    'NtAlpcSendWaitReceivePort', # 0x27
    'NtAlpcSetInformation', # 0x28
    'NtApphelpCacheControl', # 0x29
    'NtAreMappedFilesTheSame', # 0x2a
    'NtAssignProcessToJobObject', # 0x2b
    'NtCallbackReturn', # 0x2c
    'NtCancelIoFile', # 0x2d
    'NtCancelIoFileEx', # 0x2e
    'NtCancelSynchronousIoFile', # 0x2f
    'NtCancelTimer', # 0x30
'NtClearEvent', # 0x31 'NtClose', # 0x32 'NtCloseObjectAuditAlarm', # 0x33 'NtCommitComplete', # 0x34 'NtCommitEnlistment', # 0x35 'NtCommitTransaction', # 0x36 'NtCompactKeys', # 0x37 'NtCompareTokens', # 0x38 'NtCompleteConnectPort', # 0x39 'NtCompressKey', # 0x3a 'NtConnectPort', # 0x3b 'NtContinue', # 0x3c 'NtCreateDebugObject', # 0x3d 'NtCreateDirectoryObject', # 0x3e 'NtCreateEnlistment', # 0x3f 'NtCreateEvent', # 0x40 'NtCreateEventPair', # 0x41 'NtCreateFile', # 0x42 'NtCreateIoCompletion', # 0x43 'NtCreateJobObject', # 0x44 'NtCreateJobSet', # 0x45 'NtCreateKey', # 0x46 'NtCreateKeyedEvent', # 0x47 'NtCreateKeyTransacted', # 0x48 'NtCreateMailslotFile', # 0x49 'NtCreateMutant', # 0x4a 'NtCreateNamedPipeFile', # 0x4b 'NtCreatePagingFile', # 0x4c 'NtCreatePort', # 0x4d 'NtCreatePrivateNamespace', # 0x4e 'NtCreateProcess', # 0x4f 'NtCreateProcessEx', # 0x50 'NtCreateProfile', # 0x51 'NtCreateProfileEx', # 0x52 'NtCreateResourceManager', # 0x53 'NtCreateSection', # 0x54 'NtCreateSemaphore', # 0x55 'NtCreateSymbolicLinkObject', # 0x56 'NtCreateThread', # 0x57 'NtCreateThreadEx', # 0x58 'NtCreateTimer', # 0x59 'NtCreateToken', # 0x5a 'NtCreateTransaction', # 0x5b 'NtCreateTransactionManager', # 0x5c 'NtCreateUserProcess', # 0x5d 'NtCreateWaitablePort', # 0x5e 'NtCreateWorkerFactory', # 0x5f 'NtDebugActiveProcess', # 0x60 'NtDebugContinue', # 0x61 'NtDelayExecution', # 0x62 'NtDeleteAtom', # 0x63 'NtDeleteBootEntry', # 0x64 'NtDeleteDriverEntry', # 0x65 'NtDeleteFile', # 0x66 'NtDeleteKey', # 0x67 'NtDeleteObjectAuditAlarm', # 0x68 'NtDeletePrivateNamespace', # 0x69 'NtDeleteValueKey', # 0x6a 'NtDeviceIoControlFile', # 0x6b 'NtDisableLastKnownGood', # 0x6c 'NtDisplayString', # 0x6d 'NtDrawText', # 0x6e 'NtDuplicateObject', # 0x6f 'NtDuplicateToken', # 0x70 'NtEnableLastKnownGood', # 0x71 'NtEnumerateBootEntries', # 0x72 'NtEnumerateDriverEntries', # 0x73 'NtEnumerateKey', # 0x74 'NtEnumerateSystemEnvironmentValuesEx', # 0x75 'NtEnumerateTransactionObject', # 0x76 
'NtEnumerateValueKey', # 0x77 'NtExtendSection', # 0x78 'NtFilterToken', # 0x79 'NtFindAtom', # 0x7a 'NtFlushBuffersFile', # 0x7b 'NtFlushInstallUILanguage', # 0x7c 'NtFlushInstructionCache', # 0x7d 'NtFlushKey', # 0x7e 'NtFlushProcessWriteBuffers', # 0x7f 'NtFlushVirtualMemory', # 0x80 'NtFlushWriteBuffer', # 0x81 'NtFreeUserPhysicalPages', # 0x82 'NtFreeVirtualMemory', # 0x83 'NtFreezeRegistry', # 0x84 'NtFreezeTransactions', # 0x85 'NtFsControlFile', # 0x86 'NtGetContextThread', # 0x87 'NtGetCurrentProcessorNumber', # 0x88 'NtGetDevicePowerState', # 0x89 'NtGetMUIRegistryInfo', # 0x8a 'NtGetNextProcess', # 0x8b 'NtGetNextThread', # 0x8c 'NtGetNlsSectionPtr', # 0x8d 'NtGetNotificationResourceManager', # 0x8e 'NtGetPlugPlayEvent', # 0x8f 'NtGetWriteWatch', # 0x90 'NtImpersonateAnonymousToken', # 0x91 'NtImpersonateClientOfPort', # 0x92 'NtImpersonateThread', # 0x93 'NtInitializeNlsFiles', # 0x94 'NtInitializeRegistry', # 0x95 'NtInitiatePowerAction', # 0x96 'NtIsProcessInJob', # 0x97 'NtIsSystemResumeAutomatic', # 0x98 'NtIsUILanguageComitted', # 0x99 'NtListenPort', # 0x9a 'NtLoadDriver', # 0x9b 'NtLoadKey', # 0x9c 'NtLoadKey2', # 0x9d 'NtLoadKeyEx', # 0x9e 'NtLockFile', # 0x9f 'NtLockProductActivationKeys', # 0xa0 'NtLockRegistryKey', # 0xa1 'NtLockVirtualMemory', # 0xa2 'NtMakePermanentObject', # 0xa3 'NtMakeTemporaryObject', # 0xa4 'NtMapCMFModule', # 0xa5 'NtMapUserPhysicalPages', # 0xa6 'NtMapUserPhysicalPagesScatter', # 0xa7 'NtMapViewOfSection', # 0xa8 'NtModifyBootEntry', # 0xa9 'NtModifyDriverEntry', # 0xaa 'NtNotifyChangeDirectoryFile', # 0xab 'NtNotifyChangeKey', # 0xac 'NtNotifyChangeMultipleKeys', # 0xad 'NtNotifyChangeSession', # 0xae 'NtOpenDirectoryObject', # 0xaf 'NtOpenEnlistment', # 0xb0 'NtOpenEvent', # 0xb1 'NtOpenEventPair', # 0xb2 'NtOpenFile', # 0xb3 'NtOpenIoCompletion', # 0xb4 'NtOpenJobObject', # 0xb5 'NtOpenKey', # 0xb6 'NtOpenKeyEx', # 0xb7 'NtOpenKeyedEvent', # 0xb8 'NtOpenKeyTransacted', # 0xb9 'NtOpenKeyTransactedEx', # 0xba 
'NtOpenMutant', # 0xbb 'NtOpenObjectAuditAlarm', # 0xbc 'NtOpenPrivateNamespace', # 0xbd 'NtOpenProcess', # 0xbe 'NtOpenProcessToken', # 0xbf 'NtOpenProcessTokenEx', # 0xc0 'NtOpenResourceManager', # 0xc1 'NtOpenSection', # 0xc2 'NtOpenSemaphore', # 0xc3 'NtOpenSession', # 0xc4 'NtOpenSymbolicLinkObject', # 0xc5 'NtOpenThread', # 0xc6 'NtOpenThreadToken', # 0xc7 'NtOpenThreadTokenEx', # 0xc8 'NtOpenTimer', # 0xc9 'NtOpenTransaction', # 0xca 'NtOpenTransactionManager', # 0xcb 'NtPlugPlayControl', # 0xcc 'NtPowerInformation', # 0xcd 'NtPrepareComplete', # 0xce 'NtPrepareEnlistment', # 0xcf 'NtPrePrepareComplete', # 0xd0 'NtPrePrepareEnlistment', # 0xd1 'NtPrivilegeCheck', # 0xd2 'NtPrivilegedServiceAuditAlarm', # 0xd3 'NtPrivilegeObjectAuditAlarm', # 0xd4 'NtPropagationComplete', # 0xd5 'NtPropagationFailed', # 0xd6 'NtProtectVirtualMemory', # 0xd7 'NtPulseEvent', # 0xd8 'NtQueryAttributesFile', # 0xd9 'NtQueryBootEntryOrder', # 0xda 'NtQueryBootOptions', # 0xdb 'NtQueryDebugFilterState', # 0xdc 'NtQueryDefaultLocale', # 0xdd 'NtQueryDefaultUILanguage', # 0xde 'NtQueryDirectoryFile', # 0xdf 'NtQueryDirectoryObject', # 0xe0 'NtQueryDriverEntryOrder', # 0xe1 'NtQueryEaFile', # 0xe2 'NtQueryEvent', # 0xe3 'NtQueryFullAttributesFile', # 0xe4 'NtQueryInformationAtom', # 0xe5 'NtQueryInformationEnlistment', # 0xe6 'NtQueryInformationFile', # 0xe7 'NtQueryInformationJobObject', # 0xe8 'NtQueryInformationPort', # 0xe9 'NtQueryInformationProcess', # 0xea 'NtQueryInformationResourceManager', # 0xeb 'NtQueryInformationThread', # 0xec 'NtQueryInformationToken', # 0xed 'NtQueryInformationTransaction', # 0xee 'NtQueryInformationTransactionManager', # 0xef 'NtQueryInformationWorkerFactory', # 0xf0 'NtQueryInstallUILanguage', # 0xf1 'NtQueryIntervalProfile', # 0xf2 'NtQueryIoCompletion', # 0xf3 'NtQueryKey', # 0xf4 'NtQueryLicenseValue', # 0xf5 'NtQueryMultipleValueKey', # 0xf6 'NtQueryMutant', # 0xf7 'NtQueryObject', # 0xf8 'NtQueryOpenSubKeys', # 0xf9 'NtQueryOpenSubKeysEx', # 
0xfa 'NtQueryPerformanceCounter', # 0xfb 'NtQueryPortInformationProcess', # 0xfc 'NtQueryQuotaInformationFile', # 0xfd 'NtQuerySection', # 0xfe 'NtQuerySecurityAttributesToken', # 0xff 'NtQuerySecurityObject', # 0x100 'NtQuerySemaphore', # 0x101 'NtQuerySymbolicLinkObject', # 0x102 'NtQuerySystemEnvironmentValue', # 0x103 'NtQuerySystemEnvironmentValueEx', # 0x104 'NtQuerySystemInformation', # 0x105 'NtQuerySystemInformationEx', # 0x106 'NtQuerySystemTime', # 0x107 'NtQueryTimer', # 0x108 'NtQueryTimerResolution', # 0x109 'NtQueryValueKey', # 0x10a 'NtQueryVirtualMemory', # 0x10b 'NtQueryVolumeInformationFile', # 0x10c 'NtQueueApcThread', # 0x10d 'NtQueueApcThreadEx', # 0x10e 'NtRaiseException', # 0x10f 'NtRaiseHardError', # 0x110 'NtReadFile', # 0x111 'NtReadFileScatter', # 0x112 'NtReadOnlyEnlistment', # 0x113 'NtReadRequestData', # 0x114 'NtReadVirtualMemory', # 0x115 'NtRecoverEnlistment', # 0x116 'NtRecoverResourceManager', # 0x117 'NtRecoverTransactionManager', # 0x118 'NtRegisterProtocolAddressInformation', # 0x119 'NtRegisterThreadTerminatePort', # 0x11a 'NtReleaseKeyedEvent', # 0x11b 'NtReleaseMutant', # 0x11c 'NtReleaseSemaphore', # 0x11d 'NtReleaseWorkerFactoryWorker', # 0x11e 'NtRemoveIoCompletion', # 0x11f 'NtRemoveIoCompletionEx', # 0x120 'NtRemoveProcessDebug', # 0x121 'NtRenameKey', # 0x122 'NtRenameTransactionManager', # 0x123 'NtReplaceKey', # 0x124 'NtReplacePartitionUnit', # 0x125 'NtReplyPort', # 0x126 'NtReplyWaitReceivePort', # 0x127 'NtReplyWaitReceivePortEx', # 0x128 'NtReplyWaitReplyPort', # 0x129 'NtRequestPort', # 0x12a 'NtRequestWaitReplyPort', # 0x12b 'NtResetEvent', # 0x12c 'NtResetWriteWatch', # 0x12d 'NtRestoreKey', # 0x12e 'NtResumeProcess', # 0x12f 'NtResumeThread', # 0x130 'NtRollbackComplete', # 0x131 'NtRollbackEnlistment', # 0x132 'NtRollbackTransaction', # 0x133 'NtRollforwardTransactionManager', # 0x134 'NtSaveKey', # 0x135 'NtSaveKeyEx', # 0x136 'NtSaveMergedKeys', # 0x137 'NtSecureConnectPort', # 0x138 'NtSerializeBoot', # 
0x139 'NtSetBootEntryOrder', # 0x13a 'NtSetBootOptions', # 0x13b 'NtSetContextThread', # 0x13c 'NtSetDebugFilterState', # 0x13d 'NtSetDefaultHardErrorPort', # 0x13e 'NtSetDefaultLocale', # 0x13f 'NtSetDefaultUILanguage', # 0x140 'NtSetDriverEntryOrder', # 0x141 'NtSetEaFile', # 0x142 'NtSetEvent', # 0x143 'NtSetEventBoostPriority', # 0x144 'NtSetHighEventPair', # 0x145 'NtSetHighWaitLowEventPair', # 0x146 'NtSetInformationDebugObject', # 0x147 'NtSetInformationEnlistment', # 0x148 'NtSetInformationFile', # 0x149 'NtSetInformationJobObject', # 0x14a 'NtSetInformationKey', # 0x14b 'NtSetInformationObject', # 0x14c 'NtSetInformationProcess', # 0x14d 'NtSetInformationResourceManager', # 0x14e 'NtSetInformationThread', # 0x14f 'NtSetInformationToken', # 0x150 'NtSetInformationTransaction', # 0x151 'NtSetInformationTransactionManager', # 0x152 'NtSetInformationWorkerFactory', # 0x153 'NtSetIntervalProfile', # 0x154 'NtSetIoCompletion', # 0x155 'NtSetIoCompletionEx', # 0x156 'NtSetLdtEntries', # 0x157 'NtSetLowEventPair', # 0x158 'NtSetLowWaitHighEventPair', # 0x159 'NtSetQuotaInformationFile', # 0x15a 'NtSetSecurityObject', # 0x15b 'NtSetSystemEnvironmentValue', # 0x15c 'NtSetSystemEnvironmentValueEx', # 0x15d 'NtSetSystemInformation', # 0x15e 'NtSetSystemPowerState', # 0x15f 'NtSetSystemTime', # 0x160 'NtSetThreadExecutionState', # 0x161 'NtSetTimer', # 0x162 'NtSetTimerEx', # 0x163 'NtSetTimerResolution', # 0x164 'NtSetUuidSeed', # 0x165 'NtSetValueKey', # 0x166 'NtSetVolumeInformationFile', # 0x167 'NtShutdownSystem', # 0x168 'NtShutdownWorkerFactory', # 0x169 'NtSignalAndWaitForSingleObject', # 0x16a 'NtSinglePhaseReject', # 0x16b 'NtStartProfile', # 0x16c 'NtStopProfile', # 0x16d 'NtSuspendProcess', # 0x16e 'NtSuspendThread', # 0x16f 'NtSystemDebugControl', # 0x170 'NtTerminateJobObject', # 0x171 'NtTerminateProcess', # 0x172 'NtTerminateThread', # 0x173 'NtTestAlert', # 0x174 'NtThawRegistry', # 0x175 'NtThawTransactions', # 0x176 'NtTraceControl', # 0x177 
'NtTraceEvent', # 0x178 'NtTranslateFilePath', # 0x179 'NtUmsThreadYield', # 0x17a 'NtUnloadDriver', # 0x17b 'NtUnloadKey', # 0x17c 'NtUnloadKey2', # 0x17d 'NtUnloadKeyEx', # 0x17e 'NtUnlockFile', # 0x17f 'NtUnlockVirtualMemory', # 0x180 'NtUnmapViewOfSection', # 0x181 'NtVdmControl', # 0x182 'NtWaitForDebugEvent', # 0x183 'NtWaitForKeyedEvent', # 0x184 'NtWaitForMultipleObjects', # 0x185 'NtWaitForMultipleObjects32', # 0x186 'NtWaitForSingleObject', # 0x187 'NtWaitForWorkViaWorkerFactory', # 0x188 'NtWaitHighEventPair', # 0x189 'NtWaitLowEventPair', # 0x18a 'NtWorkerFactoryWorkerReady', # 0x18b 'NtWriteFile', # 0x18c 'NtWriteFileGather', # 0x18d 'NtWriteRequestData', # 0x18e 'NtWriteVirtualMemory', # 0x18f 'NtYieldExecution', # 0x190 ], [ 'NtGdiAbortDoc', # 0x0 'NtGdiAbortPath', # 0x1 'NtGdiAddFontResourceW', # 0x2 'NtGdiAddRemoteFontToDC', # 0x3 'NtGdiAddFontMemResourceEx', # 0x4 'NtGdiRemoveMergeFont', # 0x5 'NtGdiAddRemoteMMInstanceToDC', # 0x6 'NtGdiAlphaBlend', # 0x7 'NtGdiAngleArc', # 0x8 'NtGdiAnyLinkedFonts', # 0x9 'NtGdiFontIsLinked', # 0xa 'NtGdiArcInternal', # 0xb 'NtGdiBeginGdiRendering', # 0xc 'NtGdiBeginPath', # 0xd 'NtGdiBitBlt', # 0xe 'NtGdiCancelDC', # 0xf 'NtGdiCheckBitmapBits', # 0x10 'NtGdiCloseFigure', # 0x11 'NtGdiClearBitmapAttributes', # 0x12 'NtGdiClearBrushAttributes', # 0x13 'NtGdiColorCorrectPalette', # 0x14 'NtGdiCombineRgn', # 0x15 'NtGdiCombineTransform', # 0x16 'NtGdiComputeXformCoefficients', # 0x17 'NtGdiConfigureOPMProtectedOutput', # 0x18 'NtGdiConvertMetafileRect', # 0x19 'NtGdiCreateBitmap', # 0x1a 'NtGdiCreateBitmapFromDxSurface', # 0x1b 'NtGdiCreateClientObj', # 0x1c 'NtGdiCreateColorSpace', # 0x1d 'NtGdiCreateColorTransform', # 0x1e 'NtGdiCreateCompatibleBitmap', # 0x1f 'NtGdiCreateCompatibleDC', # 0x20 'NtGdiCreateDIBBrush', # 0x21 'NtGdiCreateDIBitmapInternal', # 0x22 'NtGdiCreateDIBSection', # 0x23 'NtGdiCreateEllipticRgn', # 0x24 'NtGdiCreateHalftonePalette', # 0x25 'NtGdiCreateHatchBrushInternal', # 0x26 
'NtGdiCreateMetafileDC', # 0x27 'NtGdiCreateOPMProtectedOutputs', # 0x28 'NtGdiCreatePaletteInternal', # 0x29 'NtGdiCreatePatternBrushInternal', # 0x2a 'NtGdiCreatePen', # 0x2b 'NtGdiCreateRectRgn', # 0x2c 'NtGdiCreateRoundRectRgn', # 0x2d 'NtGdiCreateServerMetaFile', # 0x2e 'NtGdiCreateSolidBrush', # 0x2f 'NtGdiD3dContextCreate', # 0x30 'NtGdiD3dContextDestroy', # 0x31 'NtGdiD3dContextDestroyAll', # 0x32 'NtGdiD3dValidateTextureStageState', # 0x33 'NtGdiD3dDrawPrimitives2', # 0x34 'NtGdiDdGetDriverState', # 0x35 'NtGdiDdAddAttachedSurface', # 0x36 'NtGdiDdAlphaBlt', # 0x37 'NtGdiDdAttachSurface', # 0x38 'NtGdiDdBeginMoCompFrame', # 0x39 'NtGdiDdBlt', # 0x3a 'NtGdiDdCanCreateSurface', # 0x3b 'NtGdiDdCanCreateD3DBuffer', # 0x3c 'NtGdiDdColorControl', # 0x3d 'NtGdiDdCreateDirectDrawObject', # 0x3e 'NtGdiDdCreateSurface', # 0x3f 'NtGdiDdCreateD3DBuffer', # 0x40 'NtGdiDdCreateMoComp', # 0x41 'NtGdiDdCreateSurfaceObject', # 0x42 'NtGdiDdDeleteDirectDrawObject', # 0x43 'NtGdiDdDeleteSurfaceObject', # 0x44 'NtGdiDdDestroyMoComp', # 0x45 'NtGdiDdDestroySurface', # 0x46 'NtGdiDdDestroyD3DBuffer', # 0x47 'NtGdiDdEndMoCompFrame', # 0x48 'NtGdiDdFlip', # 0x49 'NtGdiDdFlipToGDISurface', # 0x4a 'NtGdiDdGetAvailDriverMemory', # 0x4b 'NtGdiDdGetBltStatus', # 0x4c 'NtGdiDdGetDC', # 0x4d 'NtGdiDdGetDriverInfo', # 0x4e 'NtGdiDdGetDxHandle', # 0x4f 'NtGdiDdGetFlipStatus', # 0x50 'NtGdiDdGetInternalMoCompInfo', # 0x51 'NtGdiDdGetMoCompBuffInfo', # 0x52 'NtGdiDdGetMoCompGuids', # 0x53 'NtGdiDdGetMoCompFormats', # 0x54 'NtGdiDdGetScanLine', # 0x55 'NtGdiDdLock', # 0x56 'NtGdiDdLockD3D', # 0x57 'NtGdiDdQueryDirectDrawObject', # 0x58 'NtGdiDdQueryMoCompStatus', # 0x59 'NtGdiDdReenableDirectDrawObject', # 0x5a 'NtGdiDdReleaseDC', # 0x5b 'NtGdiDdRenderMoComp', # 0x5c 'NtGdiDdResetVisrgn', # 0x5d 'NtGdiDdSetColorKey', # 0x5e 'NtGdiDdSetExclusiveMode', # 0x5f 'NtGdiDdSetGammaRamp', # 0x60 'NtGdiDdCreateSurfaceEx', # 0x61 'NtGdiDdSetOverlayPosition', # 0x62 'NtGdiDdUnattachSurface', # 0x63 
'NtGdiDdUnlock', # 0x64 'NtGdiDdUnlockD3D', # 0x65 'NtGdiDdUpdateOverlay', # 0x66 'NtGdiDdWaitForVerticalBlank', # 0x67 'NtGdiDvpCanCreateVideoPort', # 0x68 'NtGdiDvpColorControl', # 0x69 'NtGdiDvpCreateVideoPort', # 0x6a 'NtGdiDvpDestroyVideoPort', # 0x6b 'NtGdiDvpFlipVideoPort', # 0x6c 'NtGdiDvpGetVideoPortBandwidth', # 0x6d 'NtGdiDvpGetVideoPortField', # 0x6e 'NtGdiDvpGetVideoPortFlipStatus', # 0x6f 'NtGdiDvpGetVideoPortInputFormats', # 0x70 'NtGdiDvpGetVideoPortLine', # 0x71 'NtGdiDvpGetVideoPortOutputFormats', # 0x72 'NtGdiDvpGetVideoPortConnectInfo', # 0x73 'NtGdiDvpGetVideoSignalStatus', # 0x74 'NtGdiDvpUpdateVideoPort', # 0x75 'NtGdiDvpWaitForVideoPortSync', # 0x76 'NtGdiDvpAcquireNotification', # 0x77 'NtGdiDvpReleaseNotification', # 0x78 'NtGdiDxgGenericThunk', # 0x79 'NtGdiDeleteClientObj', # 0x7a 'NtGdiDeleteColorSpace', # 0x7b 'NtGdiDeleteColorTransform', # 0x7c 'NtGdiDeleteObjectApp', # 0x7d 'NtGdiDescribePixelFormat', # 0x7e 'NtGdiDestroyOPMProtectedOutput', # 0x7f 'NtGdiGetPerBandInfo', # 0x80 'NtGdiDoBanding', # 0x81 'NtGdiDoPalette', # 0x82 'NtGdiDrawEscape', # 0x83 'NtGdiEllipse', # 0x84 'NtGdiEnableEudc', # 0x85 'NtGdiEndDoc', # 0x86 'NtGdiEndGdiRendering', # 0x87 'NtGdiEndPage', # 0x88 'NtGdiEndPath', # 0x89 'NtGdiEnumFonts', # 0x8a 'NtGdiEnumObjects', # 0x8b 'NtGdiEqualRgn', # 0x8c 'NtGdiEudcLoadUnloadLink', # 0x8d 'NtGdiExcludeClipRect', # 0x8e 'NtGdiExtCreatePen', # 0x8f 'NtGdiExtCreateRegion', # 0x90 'NtGdiExtEscape', # 0x91 'NtGdiExtFloodFill', # 0x92 'NtGdiExtGetObjectW', # 0x93 'NtGdiExtSelectClipRgn', # 0x94 'NtGdiExtTextOutW', # 0x95 'NtGdiFillPath', # 0x96 'NtGdiFillRgn', # 0x97 'NtGdiFlattenPath', # 0x98 'NtGdiFlush', # 0x99 'NtGdiForceUFIMapping', # 0x9a 'NtGdiFrameRgn', # 0x9b 'NtGdiFullscreenControl', # 0x9c 'NtGdiGetAndSetDCDword', # 0x9d 'NtGdiGetAppClipBox', # 0x9e 'NtGdiGetBitmapBits', # 0x9f 'NtGdiGetBitmapDimension', # 0xa0 'NtGdiGetBoundsRect', # 0xa1 'NtGdiGetCertificate', # 0xa2 'NtGdiGetCertificateSize', # 0xa3 
'NtGdiGetCharABCWidthsW', # 0xa4 'NtGdiGetCharacterPlacementW', # 0xa5 'NtGdiGetCharSet', # 0xa6 'NtGdiGetCharWidthW', # 0xa7 'NtGdiGetCharWidthInfo', # 0xa8 'NtGdiGetColorAdjustment', # 0xa9 'NtGdiGetColorSpaceforBitmap', # 0xaa 'NtGdiGetCOPPCompatibleOPMInformation', # 0xab 'NtGdiGetDCDword', # 0xac 'NtGdiGetDCforBitmap', # 0xad 'NtGdiGetDCObject', # 0xae 'NtGdiGetDCPoint', # 0xaf 'NtGdiGetDeviceCaps', # 0xb0 'NtGdiGetDeviceGammaRamp', # 0xb1 'NtGdiGetDeviceCapsAll', # 0xb2 'NtGdiGetDIBitsInternal', # 0xb3 'NtGdiGetETM', # 0xb4 'NtGdiGetEudcTimeStampEx', # 0xb5 'NtGdiGetFontData', # 0xb6 'NtGdiGetFontFileData', # 0xb7 'NtGdiGetFontFileInfo', # 0xb8 'NtGdiGetFontResourceInfoInternalW', # 0xb9 'NtGdiGetGlyphIndicesW', # 0xba 'NtGdiGetGlyphIndicesWInternal', # 0xbb 'NtGdiGetGlyphOutline', # 0xbc 'NtGdiGetOPMInformation', # 0xbd 'NtGdiGetKerningPairs', # 0xbe 'NtGdiGetLinkedUFIs', # 0xbf 'NtGdiGetMiterLimit', # 0xc0 'NtGdiGetMonitorID', # 0xc1 'NtGdiGetNearestColor', # 0xc2 'NtGdiGetNearestPaletteIndex', # 0xc3 'NtGdiGetObjectBitmapHandle', # 0xc4 'NtGdiGetOPMRandomNumber', # 0xc5 'NtGdiGetOutlineTextMetricsInternalW', # 0xc6 'NtGdiGetPath', # 0xc7 'NtGdiGetPixel', # 0xc8 'NtGdiGetRandomRgn', # 0xc9 'NtGdiGetRasterizerCaps', # 0xca 'NtGdiGetRealizationInfo', # 0xcb 'NtGdiGetRegionData', # 0xcc 'NtGdiGetRgnBox', # 0xcd 'NtGdiGetServerMetaFileBits', # 0xce 'NtGdiGetSpoolMessage', # 0xcf 'NtGdiGetStats', # 0xd0 'NtGdiGetStockObject', # 0xd1 'NtGdiGetStringBitmapW', # 0xd2 'NtGdiGetSuggestedOPMProtectedOutputArraySize', # 0xd3 'NtGdiGetSystemPaletteUse', # 0xd4 'NtGdiGetTextCharsetInfo', # 0xd5 'NtGdiGetTextExtent', # 0xd6 'NtGdiGetTextExtentExW', # 0xd7 'NtGdiGetTextFaceW', # 0xd8 'NtGdiGetTextMetricsW', # 0xd9 'NtGdiGetTransform', # 0xda 'NtGdiGetUFI', # 0xdb 'NtGdiGetEmbUFI', # 0xdc 'NtGdiGetUFIPathname', # 0xdd 'NtGdiGetEmbedFonts', # 0xde 'NtGdiChangeGhostFont', # 0xdf 'NtGdiAddEmbFontToDC', # 0xe0 'NtGdiGetFontUnicodeRanges', # 0xe1 'NtGdiGetWidthTable', # 0xe2 
'NtGdiGradientFill', # 0xe3 'NtGdiHfontCreate', # 0xe4 'NtGdiIcmBrushInfo', # 0xe5 'NtGdiInit', # 0xe6 'NtGdiInitSpool', # 0xe7 'NtGdiIntersectClipRect', # 0xe8 'NtGdiInvertRgn', # 0xe9 'NtGdiLineTo', # 0xea 'NtGdiMakeFontDir', # 0xeb 'NtGdiMakeInfoDC', # 0xec 'NtGdiMaskBlt', # 0xed 'NtGdiModifyWorldTransform', # 0xee 'NtGdiMonoBitmap', # 0xef 'NtGdiMoveTo', # 0xf0 'NtGdiOffsetClipRgn', # 0xf1 'NtGdiOffsetRgn', # 0xf2 'NtGdiOpenDCW', # 0xf3 'NtGdiPatBlt', # 0xf4 'NtGdiPolyPatBlt', # 0xf5 'NtGdiPathToRegion', # 0xf6 'NtGdiPlgBlt', # 0xf7 'NtGdiPolyDraw', # 0xf8 'NtGdiPolyPolyDraw', # 0xf9 'NtGdiPolyTextOutW', # 0xfa 'NtGdiPtInRegion', # 0xfb 'NtGdiPtVisible', # 0xfc 'NtGdiQueryFonts', # 0xfd 'NtGdiQueryFontAssocInfo', # 0xfe 'NtGdiRectangle', # 0xff 'NtGdiRectInRegion', # 0x100 'NtGdiRectVisible', # 0x101 'NtGdiRemoveFontResourceW', # 0x102 'NtGdiRemoveFontMemResourceEx', # 0x103 'NtGdiResetDC', # 0x104 'NtGdiResizePalette', # 0x105 'NtGdiRestoreDC', # 0x106 'NtGdiRoundRect', # 0x107 'NtGdiSaveDC', # 0x108 'NtGdiScaleViewportExtEx', # 0x109 'NtGdiScaleWindowExtEx', # 0x10a 'NtGdiSelectBitmap', # 0x10b 'NtGdiSelectBrush', # 0x10c 'NtGdiSelectClipPath', # 0x10d 'NtGdiSelectFont', # 0x10e 'NtGdiSelectPen', # 0x10f 'NtGdiSetBitmapAttributes', # 0x110 'NtGdiSetBitmapBits', # 0x111 'NtGdiSetBitmapDimension', # 0x112 'NtGdiSetBoundsRect', # 0x113 'NtGdiSetBrushAttributes', # 0x114 'NtGdiSetBrushOrg', # 0x115 'NtGdiSetColorAdjustment', # 0x116 'NtGdiSetColorSpace', # 0x117 'NtGdiSetDeviceGammaRamp', # 0x118 'NtGdiSetDIBitsToDeviceInternal', # 0x119 'NtGdiSetFontEnumeration', # 0x11a 'NtGdiSetFontXform', # 0x11b 'NtGdiSetIcmMode', # 0x11c 'NtGdiSetLinkedUFIs', # 0x11d 'NtGdiSetMagicColors', # 0x11e 'NtGdiSetMetaRgn', # 0x11f 'NtGdiSetMiterLimit', # 0x120 'NtGdiGetDeviceWidth', # 0x121 'NtGdiMirrorWindowOrg', # 0x122 'NtGdiSetLayout', # 0x123 'NtGdiSetOPMSigningKeyAndSequenceNumbers', # 0x124 'NtGdiSetPixel', # 0x125 'NtGdiSetPixelFormat', # 0x126 'NtGdiSetRectRgn', # 0x127 
'NtGdiSetSystemPaletteUse', # 0x128 'NtGdiSetTextJustification', # 0x129 'NtGdiSetVirtualResolution', # 0x12a 'NtGdiSetSizeDevice', # 0x12b 'NtGdiStartDoc', # 0x12c 'NtGdiStartPage', # 0x12d 'NtGdiStretchBlt', # 0x12e 'NtGdiStretchDIBitsInternal', # 0x12f 'NtGdiStrokeAndFillPath', # 0x130 'NtGdiStrokePath', # 0x131 'NtGdiSwapBuffers', # 0x132 'NtGdiTransformPoints', # 0x133 'NtGdiTransparentBlt', # 0x134 'NtGdiUnloadPrinterDriver', # 0x135 'NtGdiUnmapMemFont', # 0x136 'NtGdiUnrealizeObject', # 0x137 'NtGdiUpdateColors', # 0x138 'NtGdiWidenPath', # 0x139 'NtUserActivateKeyboardLayout', # 0x13a 'NtUserAddClipboardFormatListener', # 0x13b 'NtUserAlterWindowStyle', # 0x13c 'NtUserAssociateInputContext', # 0x13d 'NtUserAttachThreadInput', # 0x13e 'NtUserBeginPaint', # 0x13f 'NtUserBitBltSysBmp', # 0x140 'NtUserBlockInput', # 0x141 'NtUserBuildHimcList', # 0x142 'NtUserBuildHwndList', # 0x143 'NtUserBuildNameList', # 0x144 'NtUserBuildPropList', # 0x145 'NtUserCallHwnd', # 0x146 'NtUserCallHwndLock', # 0x147 'NtUserCallHwndOpt', # 0x148 'NtUserCallHwndParam', # 0x149 'NtUserCallHwndParamLock', # 0x14a 'NtUserCallMsgFilter', # 0x14b 'NtUserCallNextHookEx', # 0x14c 'NtUserCallNoParam', # 0x14d 'NtUserCallOneParam', # 0x14e 'NtUserCallTwoParam', # 0x14f 'NtUserChangeClipboardChain', # 0x150 'NtUserChangeDisplaySettings', # 0x151 'NtUserGetDisplayConfigBufferSizes', # 0x152 'NtUserSetDisplayConfig', # 0x153 'NtUserQueryDisplayConfig', # 0x154 'NtUserDisplayConfigGetDeviceInfo', # 0x155 'NtUserDisplayConfigSetDeviceInfo', # 0x156 'NtUserCheckAccessForIntegrityLevel', # 0x157 'NtUserCheckDesktopByThreadId', # 0x158 'NtUserCheckWindowThreadDesktop', # 0x159 'NtUserCheckMenuItem', # 0x15a 'NtUserChildWindowFromPointEx', # 0x15b 'NtUserClipCursor', # 0x15c 'NtUserCloseClipboard', # 0x15d 'NtUserCloseDesktop', # 0x15e 'NtUserCloseWindowStation', # 0x15f 'NtUserConsoleControl', # 0x160 'NtUserConvertMemHandle', # 0x161 'NtUserCopyAcceleratorTable', # 0x162 
'NtUserCountClipboardFormats', # 0x163 'NtUserCreateAcceleratorTable', # 0x164 'NtUserCreateCaret', # 0x165 'NtUserCreateDesktopEx', # 0x166 'NtUserCreateInputContext', # 0x167 'NtUserCreateLocalMemHandle', # 0x168 'NtUserCreateWindowEx', # 0x169 'NtUserCreateWindowStation', # 0x16a 'NtUserDdeInitialize', # 0x16b 'NtUserDeferWindowPos', # 0x16c 'NtUserDefSetText', # 0x16d 'NtUserDeleteMenu', # 0x16e 'NtUserDestroyAcceleratorTable', # 0x16f 'NtUserDestroyCursor', # 0x170 'NtUserDestroyInputContext', # 0x171 'NtUserDestroyMenu', # 0x172 'NtUserDestroyWindow', # 0x173 'NtUserDisableThreadIme', # 0x174 'NtUserDispatchMessage', # 0x175 'NtUserDoSoundConnect', # 0x176 'NtUserDoSoundDisconnect', # 0x177 'NtUserDragDetect', # 0x178 'NtUserDragObject', # 0x179 'NtUserDrawAnimatedRects', # 0x17a 'NtUserDrawCaption', # 0x17b 'NtUserDrawCaptionTemp', # 0x17c 'NtUserDrawIconEx', # 0x17d 'NtUserDrawMenuBarTemp', # 0x17e 'NtUserEmptyClipboard', # 0x17f 'NtUserEnableMenuItem', # 0x180 'NtUserEnableScrollBar', # 0x181 'NtUserEndDeferWindowPosEx', # 0x182 'NtUserEndMenu', # 0x183 'NtUserEndPaint', # 0x184 'NtUserEnumDisplayDevices', # 0x185 'NtUserEnumDisplayMonitors', # 0x186 'NtUserEnumDisplaySettings', # 0x187 'NtUserEvent', # 0x188 'NtUserExcludeUpdateRgn', # 0x189 'NtUserFillWindow', # 0x18a 'NtUserFindExistingCursorIcon', # 0x18b 'NtUserFindWindowEx', # 0x18c 'NtUserFlashWindowEx', # 0x18d 'NtUserFrostCrashedWindow', # 0x18e 'NtUserGetAltTabInfo', # 0x18f 'NtUserGetAncestor', # 0x190 'NtUserGetAppImeLevel', # 0x191 'NtUserGetAsyncKeyState', # 0x192 'NtUserGetAtomName', # 0x193 'NtUserGetCaretBlinkTime', # 0x194 'NtUserGetCaretPos', # 0x195 'NtUserGetClassInfoEx', # 0x196 'NtUserGetClassName', # 0x197 'NtUserGetClipboardData', # 0x198 'NtUserGetClipboardFormatName', # 0x199 'NtUserGetClipboardOwner', # 0x19a 'NtUserGetClipboardSequenceNumber', # 0x19b 'NtUserGetClipboardViewer', # 0x19c 'NtUserGetClipCursor', # 0x19d 'NtUserGetComboBoxInfo', # 0x19e 'NtUserGetControlBrush', # 
0x19f 'NtUserGetControlColor', # 0x1a0 'NtUserGetCPD', # 0x1a1 'NtUserGetCursorFrameInfo', # 0x1a2 'NtUserGetCursorInfo', # 0x1a3 'NtUserGetDC', # 0x1a4 'NtUserGetDCEx', # 0x1a5 'NtUserGetDoubleClickTime', # 0x1a6 'NtUserGetForegroundWindow', # 0x1a7 'NtUserGetGuiResources', # 0x1a8 'NtUserGetGUIThreadInfo', # 0x1a9 'NtUserGetIconInfo', # 0x1aa 'NtUserGetIconSize', # 0x1ab 'NtUserGetImeHotKey', # 0x1ac 'NtUserGetImeInfoEx', # 0x1ad 'NtUserGetInputLocaleInfo', # 0x1ae 'NtUserGetInternalWindowPos', # 0x1af 'NtUserGetKeyboardLayoutList', # 0x1b0 'NtUserGetKeyboardLayoutName', # 0x1b1 'NtUserGetKeyboardState', # 0x1b2 'NtUserGetKeyNameText', # 0x1b3 'NtUserGetKeyState', # 0x1b4 'NtUserGetListBoxInfo', # 0x1b5 'NtUserGetMenuBarInfo', # 0x1b6 'NtUserGetMenuIndex', # 0x1b7 'NtUserGetMenuItemRect', # 0x1b8 'NtUserGetMessage', # 0x1b9 'NtUserGetMouseMovePointsEx', # 0x1ba 'NtUserGetObjectInformation', # 0x1bb 'NtUserGetOpenClipboardWindow', # 0x1bc 'NtUserGetPriorityClipboardFormat', # 0x1bd 'NtUserGetProcessWindowStation', # 0x1be 'NtUserGetRawInputBuffer', # 0x1bf 'NtUserGetRawInputData', # 0x1c0 'NtUserGetRawInputDeviceInfo', # 0x1c1 'NtUserGetRawInputDeviceList', # 0x1c2 'NtUserGetRegisteredRawInputDevices', # 0x1c3 'NtUserGetScrollBarInfo', # 0x1c4 'NtUserGetSystemMenu', # 0x1c5 'NtUserGetThreadDesktop', # 0x1c6 'NtUserGetThreadState', # 0x1c7 'NtUserGetTitleBarInfo', # 0x1c8 'NtUserGetTopLevelWindow', # 0x1c9 'NtUserGetUpdatedClipboardFormats', # 0x1ca 'NtUserGetUpdateRect', # 0x1cb 'NtUserGetUpdateRgn', # 0x1cc 'NtUserGetWindowCompositionInfo', # 0x1cd 'NtUserGetWindowCompositionAttribute', # 0x1ce 'NtUserGetWindowDC', # 0x1cf 'NtUserGetWindowDisplayAffinity', # 0x1d0 'NtUserGetWindowPlacement', # 0x1d1 'NtUserGetWOWClass', # 0x1d2 'NtUserGhostWindowFromHungWindow', # 0x1d3 'NtUserHardErrorControl', # 0x1d4 'NtUserHideCaret', # 0x1d5 'NtUserHiliteMenuItem', # 0x1d6 'NtUserHungWindowFromGhostWindow', # 0x1d7 'NtUserImpersonateDdeClientWindow', # 0x1d8 
'NtUserInitialize', # 0x1d9 'NtUserInitializeClientPfnArrays', # 0x1da 'NtUserInitTask', # 0x1db 'NtUserInternalGetWindowText', # 0x1dc 'NtUserInternalGetWindowIcon', # 0x1dd 'NtUserInvalidateRect', # 0x1de 'NtUserInvalidateRgn', # 0x1df 'NtUserIsClipboardFormatAvailable', # 0x1e0 'NtUserIsTopLevelWindow', # 0x1e1 'NtUserKillTimer', # 0x1e2 'NtUserLoadKeyboardLayoutEx', # 0x1e3 'NtUserLockWindowStation', # 0x1e4 'NtUserLockWindowUpdate', # 0x1e5 'NtUserLockWorkStation', # 0x1e6 'NtUserLogicalToPhysicalPoint', # 0x1e7 'NtUserMapVirtualKeyEx', # 0x1e8 'NtUserMenuItemFromPoint', # 0x1e9 'NtUserMessageCall', # 0x1ea 'NtUserMinMaximize', # 0x1eb 'NtUserMNDragLeave', # 0x1ec 'NtUserMNDragOver', # 0x1ed 'NtUserModifyUserStartupInfoFlags', # 0x1ee 'NtUserMoveWindow', # 0x1ef 'NtUserNotifyIMEStatus', # 0x1f0 'NtUserNotifyProcessCreate', # 0x1f1 'NtUserNotifyWinEvent', # 0x1f2 'NtUserOpenClipboard', # 0x1f3 'NtUserOpenDesktop', # 0x1f4 'NtUserOpenInputDesktop', # 0x1f5 'NtUserOpenThreadDesktop', # 0x1f6 'NtUserOpenWindowStation', # 0x1f7 'NtUserPaintDesktop', # 0x1f8 'NtUserPaintMonitor', # 0x1f9 'NtUserPeekMessage', # 0x1fa 'NtUserPhysicalToLogicalPoint', # 0x1fb 'NtUserPostMessage', # 0x1fc 'NtUserPostThreadMessage', # 0x1fd 'NtUserPrintWindow', # 0x1fe 'NtUserProcessConnect', # 0x1ff 'NtUserQueryInformationThread', # 0x200 'NtUserQueryInputContext', # 0x201 'NtUserQuerySendMessage', # 0x202 'NtUserQueryWindow', # 0x203 'NtUserRealChildWindowFromPoint', # 0x204 'NtUserRealInternalGetMessage', # 0x205 'NtUserRealWaitMessageEx', # 0x206 'NtUserRedrawWindow', # 0x207 'NtUserRegisterClassExWOW', # 0x208 'NtUserRegisterErrorReportingDialog', # 0x209 'NtUserRegisterUserApiHook', # 0x20a 'NtUserRegisterHotKey', # 0x20b 'NtUserRegisterRawInputDevices', # 0x20c 'NtUserRegisterServicesProcess', # 0x20d 'NtUserRegisterTasklist', # 0x20e 'NtUserRegisterWindowMessage', # 0x20f 'NtUserRemoveClipboardFormatListener', # 0x210 'NtUserRemoveMenu', # 0x211 'NtUserRemoveProp', # 0x212 
'NtUserResolveDesktopForWOW', # 0x213 'NtUserSBGetParms', # 0x214 'NtUserScrollDC', # 0x215 'NtUserScrollWindowEx', # 0x216 'NtUserSelectPalette', # 0x217 'NtUserSendInput', # 0x218 'NtUserSetActiveWindow', # 0x219 'NtUserSetAppImeLevel', # 0x21a 'NtUserSetCapture', # 0x21b 'NtUserSetChildWindowNoActivate', # 0x21c 'NtUserSetClassLong', # 0x21d 'NtUserSetClassWord', # 0x21e 'NtUserSetClipboardData', # 0x21f 'NtUserSetClipboardViewer', # 0x220 'NtUserSetCursor', # 0x221 'NtUserSetCursorContents', # 0x222 'NtUserSetCursorIconData', # 0x223 'NtUserSetFocus', # 0x224 'NtUserSetImeHotKey', # 0x225 'NtUserSetImeInfoEx', # 0x226 'NtUserSetImeOwnerWindow', # 0x227 'NtUserSetInformationThread', # 0x228 'NtUserSetInternalWindowPos', # 0x229 'NtUserSetKeyboardState', # 0x22a 'NtUserSetMenu', # 0x22b 'NtUserSetMenuContextHelpId', # 0x22c 'NtUserSetMenuDefaultItem', # 0x22d 'NtUserSetMenuFlagRtoL', # 0x22e 'NtUserSetObjectInformation', # 0x22f 'NtUserSetParent', # 0x230 'NtUserSetProcessWindowStation', # 0x231 'NtUserGetProp', # 0x232 'NtUserSetProp', # 0x233 'NtUserSetScrollInfo', # 0x234 'NtUserSetShellWindowEx', # 0x235 'NtUserSetSysColors', # 0x236 'NtUserSetSystemCursor', # 0x237 'NtUserSetSystemMenu', # 0x238 'NtUserSetSystemTimer', # 0x239 'NtUserSetThreadDesktop', # 0x23a 'NtUserSetThreadLayoutHandles', # 0x23b 'NtUserSetThreadState', # 0x23c 'NtUserSetTimer', # 0x23d 'NtUserSetProcessDPIAware', # 0x23e 'NtUserSetWindowCompositionAttribute', # 0x23f 'NtUserSetWindowDisplayAffinity', # 0x240 'NtUserSetWindowFNID', # 0x241 'NtUserSetWindowLong', # 0x242 'NtUserSetWindowPlacement', # 0x243 'NtUserSetWindowPos', # 0x244 'NtUserSetWindowRgn', # 0x245 'NtUserGetWindowRgnEx', # 0x246 'NtUserSetWindowRgnEx', # 0x247 'NtUserSetWindowsHookAW', # 0x248 'NtUserSetWindowsHookEx', # 0x249 'NtUserSetWindowStationUser', # 0x24a 'NtUserSetWindowWord', # 0x24b 'NtUserSetWinEventHook', # 0x24c 'NtUserShowCaret', # 0x24d 'NtUserShowScrollBar', # 0x24e 'NtUserShowWindow', # 0x24f 
    'NtUserShowWindowAsync', # 0x250
    'NtUserSoundSentry', # 0x251
    'NtUserSwitchDesktop', # 0x252
    'NtUserSystemParametersInfo', # 0x253
    'NtUserTestForInteractiveUser', # 0x254
    'NtUserThunkedMenuInfo', # 0x255
    'NtUserThunkedMenuItemInfo', # 0x256
    'NtUserToUnicodeEx', # 0x257
    'NtUserTrackMouseEvent', # 0x258
    'NtUserTrackPopupMenuEx', # 0x259
    'NtUserCalculatePopupWindowPosition', # 0x25a
    'NtUserCalcMenuBar', # 0x25b
    'NtUserPaintMenuBar', # 0x25c
    'NtUserTranslateAccelerator', # 0x25d
    'NtUserTranslateMessage', # 0x25e
    'NtUserUnhookWindowsHookEx', # 0x25f
    'NtUserUnhookWinEvent', # 0x260
    'NtUserUnloadKeyboardLayout', # 0x261
    'NtUserUnlockWindowStation', # 0x262
    'NtUserUnregisterClass', # 0x263
    'NtUserUnregisterUserApiHook', # 0x264
    'NtUserUnregisterHotKey', # 0x265
    'NtUserUpdateInputContext', # 0x266
    'NtUserUpdateInstance', # 0x267
    'NtUserUpdateLayeredWindow', # 0x268
    'NtUserGetLayeredWindowAttributes', # 0x269
    'NtUserSetLayeredWindowAttributes', # 0x26a
    'NtUserUpdatePerUserSystemParameters', # 0x26b
    'NtUserUserHandleGrantAccess', # 0x26c
    'NtUserValidateHandleSecure', # 0x26d
    'NtUserValidateRect', # 0x26e
    'NtUserValidateTimerCallback', # 0x26f
    'NtUserVkKeyScanEx', # 0x270
    'NtUserWaitForInputIdle', # 0x271
    'NtUserWaitForMsgAndEvent', # 0x272
    'NtUserWaitMessage', # 0x273
    'NtUserWindowFromPhysicalPoint', # 0x274
    'NtUserWindowFromPoint', # 0x275
    'NtUserYieldTask', # 0x276
    'NtUserRemoteConnect', # 0x277
    'NtUserRemoteRedrawRectangle', # 0x278
    'NtUserRemoteRedrawScreen', # 0x279
    'NtUserRemoteStopScreenUpdates', # 0x27a
    'NtUserCtxDisplayIOCtl', # 0x27b
    'NtUserRegisterSessionPort', # 0x27c
    'NtUserUnregisterSessionPort', # 0x27d
    'NtUserUpdateWindowTransform', # 0x27e
    'NtUserDwmStartRedirection', # 0x27f
    'NtUserDwmStopRedirection', # 0x280
    'NtUserGetWindowMinimizeRect', # 0x281
    'NtUserSfmDxBindSwapChain', # 0x282
    'NtUserSfmDxOpenSwapChain', # 0x283
    'NtUserSfmDxReleaseSwapChain', # 0x284
    'NtUserSfmDxSetSwapChainBindingStatus', # 0x285
    'NtUserSfmDxQuerySwapChainBindingStatus', # 0x286
    'NtUserSfmDxReportPendingBindingsToDwm', # 0x287
    'NtUserSfmDxGetSwapChainStats', # 0x288
    'NtUserSfmDxSetSwapChainStats', # 0x289
    'NtUserSfmGetLogicalSurfaceBinding', # 0x28a
    'NtUserSfmDestroyLogicalSurfaceBinding', # 0x28b
    'NtUserModifyWindowTouchCapability', # 0x28c
    'NtUserIsTouchWindow', # 0x28d
    'NtUserSendTouchInput', # 0x28e
    'NtUserEndTouchOperation', # 0x28f
    'NtUserGetTouchInputInfo', # 0x290
    'NtUserChangeWindowMessageFilterEx', # 0x291
    'NtUserInjectGesture', # 0x292
    'NtUserGetGestureInfo', # 0x293
    'NtUserGetGestureExtArgs', # 0x294
    'NtUserManageGestureHandlerWindow', # 0x295
    'NtUserSetGestureConfig', # 0x296
    'NtUserGetGestureConfig', # 0x297
    'NtGdiEngAssociateSurface', # 0x298
    'NtGdiEngCreateBitmap', # 0x299
    'NtGdiEngCreateDeviceSurface', # 0x29a
    'NtGdiEngCreateDeviceBitmap', # 0x29b
    'NtGdiEngCreatePalette', # 0x29c
    'NtGdiEngComputeGlyphSet', # 0x29d
    'NtGdiEngCopyBits', # 0x29e
    'NtGdiEngDeletePalette', # 0x29f
    'NtGdiEngDeleteSurface', # 0x2a0
    'NtGdiEngEraseSurface', # 0x2a1
    'NtGdiEngUnlockSurface', # 0x2a2
    'NtGdiEngLockSurface', # 0x2a3
    'NtGdiEngBitBlt', # 0x2a4
    'NtGdiEngStretchBlt', # 0x2a5
    'NtGdiEngPlgBlt', # 0x2a6
    'NtGdiEngMarkBandingSurface', # 0x2a7
    'NtGdiEngStrokePath', # 0x2a8
    'NtGdiEngFillPath', # 0x2a9
    'NtGdiEngStrokeAndFillPath', # 0x2aa
    'NtGdiEngPaint', # 0x2ab
    'NtGdiEngLineTo', # 0x2ac
    'NtGdiEngAlphaBlend', # 0x2ad
    'NtGdiEngGradientFill', # 0x2ae
    'NtGdiEngTransparentBlt', # 0x2af
    'NtGdiEngTextOut', # 0x2b0
    'NtGdiEngStretchBltROP', # 0x2b1
    'NtGdiXLATEOBJ_cGetPalette', # 0x2b2
    'NtGdiXLATEOBJ_iXlate', # 0x2b3
    'NtGdiXLATEOBJ_hGetColorTransform', # 0x2b4
    'NtGdiCLIPOBJ_bEnum', # 0x2b5
    'NtGdiCLIPOBJ_cEnumStart', # 0x2b6
    'NtGdiCLIPOBJ_ppoGetPath', # 0x2b7
    'NtGdiEngDeletePath', # 0x2b8
    'NtGdiEngCreateClip', # 0x2b9
    'NtGdiEngDeleteClip', # 0x2ba
    'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x2bb
    'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x2bc
    'NtGdiBRUSHOBJ_pvGetRbrush', # 0x2bd
    'NtGdiBRUSHOBJ_hGetColorTransform', # 0x2be
    'NtGdiXFORMOBJ_bApplyXform', # 0x2bf
    'NtGdiXFORMOBJ_iGetXform', # 0x2c0
    'NtGdiFONTOBJ_vGetInfo', # 0x2c1
    'NtGdiFONTOBJ_pxoGetXform', # 0x2c2
    'NtGdiFONTOBJ_cGetGlyphs', # 0x2c3
    'NtGdiFONTOBJ_pifi', # 0x2c4
    'NtGdiFONTOBJ_pfdg', # 0x2c5
    'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x2c6
    'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x2c7
    'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x2c8
    'NtGdiSTROBJ_bEnum', # 0x2c9
    'NtGdiSTROBJ_bEnumPositionsOnly', # 0x2ca
    'NtGdiSTROBJ_bGetAdvanceWidths', # 0x2cb
    'NtGdiSTROBJ_vEnumStart', # 0x2cc
    'NtGdiSTROBJ_dwGetCodePage', # 0x2cd
    'NtGdiPATHOBJ_vGetBounds', # 0x2ce
    'NtGdiPATHOBJ_bEnum', # 0x2cf
    'NtGdiPATHOBJ_vEnumStart', # 0x2d0
    'NtGdiPATHOBJ_vEnumStartClipLines', # 0x2d1
    'NtGdiPATHOBJ_bEnumClipLines', # 0x2d2
    'NtGdiGetDhpdev', # 0x2d3
    'NtGdiEngCheckAbort', # 0x2d4
    'NtGdiHT_Get8BPPFormatPalette', # 0x2d5
    'NtGdiHT_Get8BPPMaskPalette', # 0x2d6
    'NtGdiUpdateTransform', # 0x2d7
    'NtGdiSetPUMPDOBJ', # 0x2d8
    'NtGdiBRUSHOBJ_DeleteRbrush', # 0x2d9
    'NtGdiUMPDEngFreeUserMem', # 0x2da
    'NtGdiDrawStream', # 0x2db
    'NtGdiSfmGetNotificationTokens', # 0x2dc
    'NtGdiHLSurfGetInformation', # 0x2dd
    'NtGdiHLSurfSetInformation', # 0x2de
    'NtGdiDdDDICreateAllocation', # 0x2df
    'NtGdiDdDDIQueryResourceInfo', # 0x2e0
    'NtGdiDdDDIOpenResource', # 0x2e1
    'NtGdiDdDDIDestroyAllocation', # 0x2e2
    'NtGdiDdDDISetAllocationPriority', # 0x2e3
    'NtGdiDdDDIQueryAllocationResidency', # 0x2e4
    'NtGdiDdDDICreateDevice', # 0x2e5
    'NtGdiDdDDIDestroyDevice', # 0x2e6
    'NtGdiDdDDICreateContext', # 0x2e7
    'NtGdiDdDDIDestroyContext', # 0x2e8
    'NtGdiDdDDICreateSynchronizationObject', # 0x2e9
    'NtGdiDdDDIOpenSynchronizationObject', # 0x2ea
    'NtGdiDdDDIDestroySynchronizationObject', # 0x2eb
    'NtGdiDdDDIWaitForSynchronizationObject', # 0x2ec
    'NtGdiDdDDISignalSynchronizationObject', # 0x2ed
    'NtGdiDdDDIGetRuntimeData', # 0x2ee
    'NtGdiDdDDIQueryAdapterInfo', # 0x2ef
    'NtGdiDdDDILock', # 0x2f0
    'NtGdiDdDDIUnlock', # 0x2f1
    'NtGdiDdDDIGetDisplayModeList', # 0x2f2
    'NtGdiDdDDISetDisplayMode', # 0x2f3
    'NtGdiDdDDIGetMultisampleMethodList', # 0x2f4
    'NtGdiDdDDIPresent', # 0x2f5
    'NtGdiDdDDIRender', # 0x2f6
    'NtGdiDdDDIOpenAdapterFromDeviceName', # 0x2f7
    'NtGdiDdDDIOpenAdapterFromHdc', # 0x2f8
    'NtGdiDdDDICloseAdapter', # 0x2f9
    'NtGdiDdDDIGetSharedPrimaryHandle', # 0x2fa
    'NtGdiDdDDIEscape', # 0x2fb
    'NtGdiDdDDIQueryStatistics', # 0x2fc
    'NtGdiDdDDISetVidPnSourceOwner', # 0x2fd
    'NtGdiDdDDIGetPresentHistory', # 0x2fe
    'NtGdiDdDDIGetPresentQueueEvent', # 0x2ff
    'NtGdiDdDDICreateOverlay', # 0x300
    'NtGdiDdDDIUpdateOverlay', # 0x301
    'NtGdiDdDDIFlipOverlay', # 0x302
    'NtGdiDdDDIDestroyOverlay', # 0x303
    'NtGdiDdDDIWaitForVerticalBlankEvent', # 0x304
    'NtGdiDdDDISetGammaRamp', # 0x305
    'NtGdiDdDDIGetDeviceState', # 0x306
    'NtGdiDdDDICreateDCFromMemory', # 0x307
    'NtGdiDdDDIDestroyDCFromMemory', # 0x308
    'NtGdiDdDDISetContextSchedulingPriority', # 0x309
    'NtGdiDdDDIGetContextSchedulingPriority', # 0x30a
    'NtGdiDdDDISetProcessSchedulingPriorityClass', # 0x30b
    'NtGdiDdDDIGetProcessSchedulingPriorityClass', # 0x30c
    'NtGdiDdDDIReleaseProcessVidPnSourceOwners', # 0x30d
    'NtGdiDdDDIGetScanLine', # 0x30e
    'NtGdiDdDDISetQueuedLimit', # 0x30f
    'NtGdiDdDDIPollDisplayChildren', # 0x310
    'NtGdiDdDDIInvalidateActiveVidPn', # 0x311
    'NtGdiDdDDICheckOcclusion', # 0x312
    'NtGdiDdDDIWaitForIdle', # 0x313
    'NtGdiDdDDICheckMonitorPowerState', # 0x314
    'NtGdiDdDDICheckExclusiveOwnership', # 0x315
    'NtGdiDdDDISetDisplayPrivateDriverFormat', # 0x316
    'NtGdiDdDDISharedPrimaryLockNotification', # 0x317
    'NtGdiDdDDISharedPrimaryUnLockNotification', # 0x318
    'NtGdiDdDDICreateKeyedMutex', # 0x319
    'NtGdiDdDDIOpenKeyedMutex', # 0x31a
    'NtGdiDdDDIDestroyKeyedMutex', # 0x31b
    'NtGdiDdDDIAcquireKeyedMutex', # 0x31c
    'NtGdiDdDDIReleaseKeyedMutex', # 0x31d
    'NtGdiDdDDIConfigureSharedResource', # 0x31e
    'NtGdiDdDDIGetOverlayState', # 0x31f
    'NtGdiDdDDICheckVidPnExclusiveOwnership', # 0x320
    'NtGdiDdDDICheckSharedResourceAccess', # 0x321
    'DxgStubEnableDirectDrawRedirection', # 0x322
    'DxgStubDeleteDirectDrawObject', # 0x323
    'NtGdiGetNumberOfPhysicalMonitors', # 0x324
    'NtGdiGetPhysicalMonitors', # 0x325
    'NtGdiGetPhysicalMonitorDescription', # 0x326
    'NtGdiDestroyPhysicalMonitor', # 0x327
    'NtGdiDDCCIGetVCPFeature', # 0x328
    'NtGdiDDCCISetVCPFeature', # 0x329
    'NtGdiDDCCISaveCurrentSettings', # 0x32a
    'NtGdiDDCCIGetCapabilitiesStringLength', # 0x32b
    'NtGdiDDCCIGetCapabilitiesString', # 0x32c
    'NtGdiDDCCIGetTimingReport', # 0x32d
    'NtGdiDdCreateFullscreenSprite', # 0x32e
    'NtGdiDdNotifyFullscreenSpriteUpdate', # 0x32f
    'NtGdiDdDestroyFullscreenSprite', # 0x330
    'NtGdiDdQueryVisRgnUniqueness', # 0x331
    'NtUserSetMirrorRendering', # 0x332
    'NtUserShowSystemCursor', # 0x333
    'NtUserMagControl', # 0x334
    'NtUserMagSetContextInformation', # 0x335
    'NtUserMagGetContextInformation', # 0x336
    'NtUserHwndQueryRedirectionInfo', # 0x337
    'NtUserHwndSetRedirectionInfo', # 0x338
    ],
]

volatility-2.3.1/volatility/plugins/overlays/windows/xp_sp3_x86_vtypes.py

ntkrnlmp_types = {
  'LIST_ENTRY64' : [ 0x10, {
    'Flink' : [ 0x0, ['unsigned long long']],
    'Blink' : [ 0x8, ['unsigned long long']],
} ],
  'LIST_ENTRY32' : [ 0x8, {
    'Flink' : [ 0x0, ['unsigned long']],
    'Blink' : [ 0x4, ['unsigned long']],
} ],
  '_LIST_ENTRY' : [ 0x8, {
    'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]],
    'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]],
} ],
  '_IMAGE_NT_HEADERS' : [ 0xf8, {
    'Signature' : [ 0x0, ['unsigned long']],
    'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']],
    'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']],
} ],
  '__unnamed_1016' : [ 0x8, {
    'LowPart' : [ 0x0, ['unsigned long']],
    'HighPart' : [ 0x4, ['long']],
} ],
  '_LARGE_INTEGER' : [ 0x8, {
    'LowPart' : [ 0x0, ['unsigned long']],
    'HighPart' : [ 0x4, ['long']],
    'u' : [ 0x0, ['__unnamed_1016']],
    'QuadPart' : [ 0x0, ['long long']],
} ],
  '__unnamed_101b' : [ 0x8, {
    'LowPart' : [ 0x0, ['unsigned long']],
    'HighPart' : [ 0x4, ['unsigned long']],
} ],
  '_ULARGE_INTEGER' : [ 0x8, {
    'LowPart' : [ 0x0, ['unsigned long']],
    'HighPart' : [ 0x4, ['unsigned long']],
    'u' : [ 0x0, ['__unnamed_101b']],
    'QuadPart' : [ 0x0, ['unsigned long long']],
} ],
  '_LUID' : [ 0x8, {
    'LowPart' : [ 0x0, ['unsigned long']],
    'HighPart' : [ 0x4, ['long']],
} ],
  '_KAPC' : [ 0x30, {
    'Type' : [ 0x0, ['short']],
    'Size' : [ 0x2, ['short']],
    'Spare0' : [ 0x4, ['unsigned long']],
    'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]],
    'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']],
    'KernelRoutine' : [ 0x14, ['pointer', ['void']]],
    'RundownRoutine' : [ 0x18, ['pointer', ['void']]],
    'NormalRoutine' : [ 0x1c, ['pointer', ['void']]],
    'NormalContext' : [ 0x20, ['pointer', ['void']]],
    'SystemArgument1' : [ 0x24, ['pointer', ['void']]],
    'SystemArgument2' : [ 0x28, ['pointer', ['void']]],
    'ApcStateIndex' : [ 0x2c, ['unsigned char']],
    'ApcMode' : [ 0x2d, ['unsigned char']],
    'Inserted' : [ 0x2e, ['unsigned char']],
} ],
  '_SINGLE_LIST_ENTRY' : [ 0x4, {
    'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]],
} ],
  '_KPRCB' : [ 0xc50, {
    'MinorVersion' : [ 0x0, ['unsigned short']],
    'MajorVersion' : [ 0x2, ['unsigned short']],
    'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]],
    'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]],
    'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]],
    'Number' : [ 0x10, ['unsigned char']],
    'Reserved' : [ 0x11, ['unsigned char']],
    'BuildType' : [ 0x12, ['unsigned short']],
    'SetMember' : [ 0x14, ['unsigned long']],
    'CpuType' : [ 0x18, ['unsigned char']],
    'CpuID' : [ 0x19, ['unsigned char']],
    'CpuStep' : [ 0x1a, ['unsigned short']],
    'ProcessorState' : [ 0x1c, ['_KPROCESSOR_STATE']],
    'KernelReserved' : [ 0x33c, ['array', 16, ['unsigned long']]],
    'HalReserved' : [ 0x37c, ['array', 16, ['unsigned long']]],
    'PrcbPad0' : [ 0x3bc, ['array', 92, ['unsigned char']]],
    'LockQueue' : [ 0x418, ['array', 16, ['_KSPIN_LOCK_QUEUE']]],
    'PrcbPad1' : [ 0x498, ['array', 8, ['unsigned char']]],
    'NpxThread' : [ 0x4a0, ['pointer', ['_KTHREAD']]],
    'InterruptCount' : [ 0x4a4, ['unsigned long']],
    'KernelTime' : [ 0x4a8, ['unsigned long']],
    'UserTime' : [ 0x4ac, ['unsigned long']],
    'DpcTime' : [ 0x4b0, ['unsigned long']],
    'DebugDpcTime' : [ 0x4b4, ['unsigned long']],
    'InterruptTime' : [ 0x4b8, ['unsigned long']],
    'AdjustDpcThreshold' : [ 0x4bc, ['unsigned long']],
    'PageColor' : [ 0x4c0, ['unsigned long']],
    'SkipTick' : [ 0x4c4, ['unsigned long']],
    'MultiThreadSetBusy' : [ 0x4c8, ['unsigned char']],
    'Spare2' : [ 0x4c9, ['array', 3, ['unsigned char']]],
    'ParentNode' : [ 0x4cc, ['pointer', ['_KNODE']]],
    'MultiThreadProcessorSet' : [ 0x4d0, ['unsigned long']],
    'MultiThreadSetMaster' : [ 0x4d4, ['pointer', ['_KPRCB']]],
    'ThreadStartCount' : [ 0x4d8, ['array', 2, ['unsigned long']]],
    'CcFastReadNoWait' : [ 0x4e0, ['unsigned long']],
    'CcFastReadWait' : [ 0x4e4, ['unsigned long']],
    'CcFastReadNotPossible' : [ 0x4e8, ['unsigned long']],
    'CcCopyReadNoWait' : [ 0x4ec, ['unsigned long']],
    'CcCopyReadWait' : [ 0x4f0, ['unsigned long']],
    'CcCopyReadNoWaitMiss' : [ 0x4f4, ['unsigned long']],
    'KeAlignmentFixupCount' : [ 0x4f8, ['unsigned long']],
    'KeContextSwitches' : [ 0x4fc, ['unsigned long']],
    'KeDcacheFlushCount' : [ 0x500, ['unsigned long']],
    'KeExceptionDispatchCount' : [ 0x504, ['unsigned long']],
    'KeFirstLevelTbFills' : [ 0x508, ['unsigned long']],
    'KeFloatingEmulationCount' : [ 0x50c, ['unsigned long']],
    'KeIcacheFlushCount' : [ 0x510, ['unsigned long']],
    'KeSecondLevelTbFills' : [ 0x514, ['unsigned long']],
    'KeSystemCalls' : [ 0x518, ['unsigned long']],
    'SpareCounter0' : [ 0x51c, ['array', 1, ['unsigned long']]],
    'PPLookasideList' : [ 0x520, ['array', 16, ['_PP_LOOKASIDE_LIST']]],
    'PPNPagedLookasideList' : [ 0x5a0, ['array', 32, ['_PP_LOOKASIDE_LIST']]],
    'PPPagedLookasideList' : [ 0x6a0, ['array', 32, ['_PP_LOOKASIDE_LIST']]],
    'PacketBarrier' : [ 0x7a0, ['unsigned long']],
    'ReverseStall' : [ 0x7a4, ['unsigned long']],
    'IpiFrame' : [ 0x7a8, ['pointer', ['void']]],
    'PrcbPad2' : [ 0x7ac, ['array', 52, ['unsigned char']]],
    'CurrentPacket' : [ 0x7e0, ['array', 3, ['pointer', ['void']]]],
    'TargetSet' : [ 0x7ec, ['unsigned long']],
    'WorkerRoutine' : [ 0x7f0, ['pointer', ['void']]],
    'IpiFrozen' : [ 0x7f4, ['unsigned long']],
    'PrcbPad3' : [ 0x7f8, ['array', 40, ['unsigned char']]],
    'RequestSummary' : [ 0x820, ['unsigned long']],
    'SignalDone' : [ 0x824, ['pointer', ['_KPRCB']]],
    'PrcbPad4' : [ 0x828, ['array', 56, ['unsigned char']]],
    'DpcListHead' : [ 0x860, ['_LIST_ENTRY']],
    'DpcStack' : [ 0x868, ['pointer', ['void']]],
    'DpcCount' : [ 0x86c, ['unsigned long']],
    'DpcQueueDepth' : [ 0x870, ['unsigned long']],
    'DpcRoutineActive' : [ 0x874, ['unsigned long']],
    'DpcInterruptRequested' : [ 0x878, ['unsigned long']],
    'DpcLastCount' : [ 0x87c, ['unsigned long']],
    'DpcRequestRate' : [ 0x880, ['unsigned long']],
    'MaximumDpcQueueDepth' : [ 0x884, ['unsigned long']],
    'MinimumDpcRate' : [ 0x888, ['unsigned long']],
    'QuantumEnd' : [ 0x88c, ['unsigned long']],
    'PrcbPad5' : [ 0x890, ['array', 16, ['unsigned char']]],
    'DpcLock' : [ 0x8a0, ['unsigned long']],
    'PrcbPad6' : [ 0x8a4, ['array', 28, ['unsigned char']]],
    'CallDpc' : [ 0x8c0, ['_KDPC']],
    'ChainedInterruptList' : [ 0x8e0, ['pointer', ['void']]],
    'LookasideIrpFloat' : [ 0x8e4, ['long']],
    'SpareFields0' : [ 0x8e8, ['array', 6, ['unsigned long']]],
    'VendorString' : [ 0x900, ['array', 13, ['unsigned char']]],
    'InitialApicId' : [ 0x90d, ['unsigned char']],
    'LogicalProcessorsPerPhysicalProcessor' : [ 0x90e, ['unsigned char']],
    'MHz' : [ 0x910, ['unsigned long']],
    'FeatureBits' : [ 0x914, ['unsigned long']],
    'UpdateSignature' : [ 0x918, ['_LARGE_INTEGER']],
    'NpxSaveArea' : [ 0x920, ['_FX_SAVE_AREA']],
    'PowerState' : [ 0xb30, ['_PROCESSOR_POWER_STATE']],
} ],
  '_SLIST_HEADER' : [ 0x8, {
    'Alignment' : [ 0x0, ['unsigned long long']],
    'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']],
    'Depth' : [ 0x4, ['unsigned short']],
    'Sequence' : [ 0x6, ['unsigned short']],
} ],
  '_NPAGED_LOOKASIDE_LIST' : [ 0x100, {
    'L' : [ 0x0, ['_GENERAL_LOOKASIDE']],
    'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']],
} ],
  '_PAGED_LOOKASIDE_LIST' : [ 0x100, {
    'L' : [ 0x0, ['_GENERAL_LOOKASIDE']],
    'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']],
} ],
  '_GENERAL_LOOKASIDE' : [ 0x80, {
    'ListHead' : [ 0x0, ['_SLIST_HEADER']],
    'Depth' : [ 0x8, ['unsigned short']],
    'MaximumDepth' : [ 0xa, ['unsigned short']],
    'TotalAllocates' : [ 0xc, ['unsigned long']],
    'AllocateMisses' : [ 0x10, ['unsigned long']],
    'AllocateHits' : [ 0x10, ['unsigned long']],
    'TotalFrees' : [ 0x14, ['unsigned long']],
    'FreeMisses' : [ 0x18, ['unsigned long']],
    'FreeHits' : [ 0x18, ['unsigned long']],
    'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]],
    'Tag' : [ 0x20, ['unsigned long']],
    'Size' : [ 0x24, ['unsigned long']],
    'Allocate' : [ 0x28, ['pointer', ['void']]],
    'Free' : [ 0x2c, ['pointer', ['void']]],
    'ListEntry' : [ 0x30, ['_LIST_ENTRY']],
    'LastTotalAllocates' : [ 0x38, ['unsigned long']],
    'LastAllocateMisses' : [ 0x3c, ['unsigned long']],
    'LastAllocateHits' : [ 0x3c, ['unsigned long']],
    'Future' : [ 0x40, ['array', 2, ['unsigned long']]],
} ],
  '_EX_RUNDOWN_REF' : [ 0x4, {
    'Count' : [ 0x0, ['unsigned long']],
    'Ptr' : [ 0x0, ['pointer', ['void']]],
} ],
  '_EX_FAST_REF' : [ 0x4, {
    'Object' : [ 0x0, ['pointer', ['void']]],
    'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]],
    'Value' : [ 0x0, ['unsigned long']],
} ],
  '_EX_PUSH_LOCK' : [ 0x4, {
    'Waiting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'Exclusive' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'Shared' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]],
    'Value' : [ 0x0, ['unsigned long']],
    'Ptr' : [ 0x0, ['pointer', ['void']]],
} ],
  '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x1c, {
    'WakeEvent' : [ 0x0, ['_KEVENT']],
    'Next' : [ 0x10, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]],
    'ShareCount' : [ 0x14, ['unsigned long']],
    'Exclusive' : [ 0x18, ['unsigned char']],
} ],
  '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, {
    'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]],
} ],
  '_ETHREAD' : [ 0x258, {
    'Tcb' : [ 0x0, ['_KTHREAD']],
    'CreateTime' : [ 0x1c0, ['_LARGE_INTEGER']],
    'NestedFaultCount' : [ 0x1c0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]],
    'ApcNeeded' : [ 0x1c0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]],
    'ExitTime' : [ 0x1c8, ['_LARGE_INTEGER']],
    'LpcReplyChain' : [ 0x1c8, ['_LIST_ENTRY']],
    'KeyedWaitChain' : [ 0x1c8, ['_LIST_ENTRY']],
    'ExitStatus' : [ 0x1d0, ['long']],
    'OfsChain' : [ 0x1d0, ['pointer', ['void']]],
    'PostBlockList' : [ 0x1d4, ['_LIST_ENTRY']],
    'TerminationPort' : [ 0x1dc, ['pointer', ['_TERMINATION_PORT']]],
    'ReaperLink' : [ 0x1dc, ['pointer', ['_ETHREAD']]],
    'KeyedWaitValue' : [ 0x1dc, ['pointer', ['void']]],
    'ActiveTimerListLock' : [ 0x1e0, ['unsigned long']],
    'ActiveTimerListHead' : [ 0x1e4, ['_LIST_ENTRY']],
    'Cid' : [ 0x1ec, ['_CLIENT_ID']],
    'LpcReplySemaphore' : [ 0x1f4, ['_KSEMAPHORE']],
    'KeyedWaitSemaphore' : [ 0x1f4, ['_KSEMAPHORE']],
    'LpcReplyMessage' : [ 0x208, ['pointer', ['void']]],
    'LpcWaitingOnPort' : [ 0x208, ['pointer', ['void']]],
    'ImpersonationInfo' : [ 0x20c, ['pointer', ['_PS_IMPERSONATION_INFORMATION']]],
    'IrpList' : [ 0x210, ['_LIST_ENTRY']],
    'TopLevelIrp' : [ 0x218, ['unsigned long']],
    'DeviceToVerify' : [ 0x21c, ['pointer', ['_DEVICE_OBJECT']]],
    'ThreadsProcess' : [ 0x220, ['pointer', ['_EPROCESS']]],
    'StartAddress' : [ 0x224, ['pointer', ['void']]],
    'Win32StartAddress' : [ 0x228, ['pointer', ['void']]],
    'LpcReceivedMessageId' : [ 0x228, ['unsigned long']],
    'ThreadListEntry' : [ 0x22c, ['_LIST_ENTRY']],
    'RundownProtect' : [ 0x234, ['_EX_RUNDOWN_REF']],
    'ThreadLock' : [ 0x238, ['_EX_PUSH_LOCK']],
    'LpcReplyMessageId' : [ 0x23c, ['unsigned long']],
    'ReadClusterSize' : [ 0x240, ['unsigned long']],
    'GrantedAccess' : [ 0x244, ['unsigned long']],
    'CrossThreadFlags' : [ 0x248, ['unsigned long']],
    'Terminated' : [ 0x248, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'DeadThread' : [ 0x248, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'HideFromDebugger' : [ 0x248, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]],
    'ActiveImpersonationInfo' : [ 0x248, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]],
    'SystemThread' : [ 0x248, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]],
    'HardErrorsAreDisabled' : [ 0x248, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]],
    'BreakOnTermination' : [ 0x248, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]],
    'SkipCreationMsg' : [ 0x248, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]],
    'SkipTerminationMsg' : [ 0x248, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]],
    'SameThreadPassiveFlags' : [ 0x24c, ['unsigned long']],
    'ActiveExWorker' : [ 0x24c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'ExWorkerCanWaitUser' : [ 0x24c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'MemoryMaker' : [ 0x24c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]],
    'SameThreadApcFlags' : [ 0x250, ['unsigned long']],
    'LpcReceivedMsgIdValid' : [ 0x250, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]],
    'LpcExitThreadCalled' : [ 0x250, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]],
    'AddressSpaceOwner' : [ 0x250, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]],
    'ForwardClusterOnly' : [ 0x254, ['unsigned char']],
    'DisablePageFaultClustering' : [ 0x255, ['unsigned char']],
} ],
  '_EPROCESS' : [ 0x260, {
    'Pcb' : [ 0x0, ['_KPROCESS']],
    'ProcessLock' : [ 0x6c, ['_EX_PUSH_LOCK']],
    'CreateTime' : [ 0x70, ['_LARGE_INTEGER']],
    'ExitTime' : [ 0x78, ['_LARGE_INTEGER']],
    'RundownProtect' : [ 0x80, ['_EX_RUNDOWN_REF']],
    'UniqueProcessId' : [ 0x84, ['pointer', ['void']]],
    'ActiveProcessLinks' : [ 0x88, ['_LIST_ENTRY']],
    'QuotaUsage' : [ 0x90, ['array', 3, ['unsigned long']]],
    'QuotaPeak' : [ 0x9c, ['array', 3, ['unsigned long']]],
    'CommitCharge' : [ 0xa8, ['unsigned long']],
    'PeakVirtualSize' : [ 0xac, ['unsigned long']],
    'VirtualSize' : [ 0xb0, ['unsigned long']],
    'SessionProcessLinks' : [ 0xb4, ['_LIST_ENTRY']],
    'DebugPort' : [ 0xbc, ['pointer', ['void']]],
    'ExceptionPort' : [ 0xc0, ['pointer', ['void']]],
    'ObjectTable' : [ 0xc4, ['pointer', ['_HANDLE_TABLE']]],
    'Token' : [ 0xc8, ['_EX_FAST_REF']],
    'WorkingSetLock' : [ 0xcc, ['_FAST_MUTEX']],
    'WorkingSetPage' : [ 0xec, ['unsigned long']],
    'AddressCreationLock' : [ 0xf0, ['_FAST_MUTEX']],
    'HyperSpaceLock' : [ 0x110, ['unsigned long']],
    'ForkInProgress' : [ 0x114, ['pointer', ['_ETHREAD']]],
    'HardwareTrigger' : [ 0x118, ['unsigned long']],
    'VadRoot' : [ 0x11c, ['pointer', ['void']]],
    'VadHint' : [ 0x120, ['pointer', ['void']]],
    'CloneRoot' : [ 0x124, ['pointer', ['void']]],
    'NumberOfPrivatePages' : [ 0x128, ['unsigned long']],
    'NumberOfLockedPages' : [ 0x12c, ['unsigned long']],
    'Win32Process' : [ 0x130, ['pointer', ['void']]],
    'Job' : [ 0x134, ['pointer', ['_EJOB']]],
    'SectionObject' : [ 0x138, ['pointer', ['void']]],
    'SectionBaseAddress' : [ 0x13c, ['pointer', ['void']]],
    'QuotaBlock' : [ 0x140, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]],
    'WorkingSetWatch' : [ 0x144, ['pointer', ['_PAGEFAULT_HISTORY']]],
    'Win32WindowStation' : [ 0x148, ['pointer', ['void']]],
    'InheritedFromUniqueProcessId' : [ 0x14c, ['pointer', ['void']]],
    'LdtInformation' : [ 0x150, ['pointer', ['void']]],
    'VadFreeHint' : [ 0x154, ['pointer', ['void']]],
    'VdmObjects' : [ 0x158, ['pointer', ['void']]],
    'DeviceMap' : [ 0x15c, ['pointer', ['void']]],
    'PhysicalVadList' : [ 0x160, ['_LIST_ENTRY']],
    'PageDirectoryPte' : [ 0x168, ['_HARDWARE_PTE']],
    'Filler' : [ 0x168, ['unsigned long long']],
    'Session' : [ 0x170, ['pointer', ['void']]],
    'ImageFileName' : [ 0x174, ['array', 16, ['unsigned char']]],
    'JobLinks' : [ 0x184, ['_LIST_ENTRY']],
    'LockedPagesList' : [ 0x18c, ['pointer', ['void']]],
    'ThreadListHead' : [ 0x190, ['_LIST_ENTRY']],
    'SecurityPort' : [ 0x198, ['pointer', ['void']]],
    'PaeTop' : [ 0x19c, ['pointer', ['void']]],
    'ActiveThreads' : [ 0x1a0, ['unsigned long']],
    'GrantedAccess' : [ 0x1a4, ['unsigned long']],
    'DefaultHardErrorProcessing' : [ 0x1a8, ['unsigned long']],
    'LastThreadExitStatus' : [ 0x1ac, ['long']],
    'Peb' : [ 0x1b0, ['pointer', ['_PEB']]],
    'PrefetchTrace' : [ 0x1b4, ['_EX_FAST_REF']],
    'ReadOperationCount' : [ 0x1b8, ['_LARGE_INTEGER']],
    'WriteOperationCount' : [ 0x1c0, ['_LARGE_INTEGER']],
    'OtherOperationCount' : [ 0x1c8, ['_LARGE_INTEGER']],
    'ReadTransferCount' : [ 0x1d0, ['_LARGE_INTEGER']],
    'WriteTransferCount' : [ 0x1d8, ['_LARGE_INTEGER']],
    'OtherTransferCount' : [ 0x1e0, ['_LARGE_INTEGER']],
    'CommitChargeLimit' : [ 0x1e8, ['unsigned long']],
    'CommitChargePeak' : [ 0x1ec, ['unsigned long']],
    'AweInfo' : [ 0x1f0, ['pointer', ['void']]],
    'SeAuditProcessCreationInfo' : [ 0x1f4, ['_SE_AUDIT_PROCESS_CREATION_INFO']],
    'Vm' : [ 0x1f8, ['_MMSUPPORT']],
    'LastFaultCount' : [ 0x238, ['unsigned long']],
    'ModifiedPageCount' : [ 0x23c, ['unsigned long']],
    'NumberOfVads' : [ 0x240, ['unsigned long']],
    'JobStatus' : [ 0x244, ['unsigned long']],
    'Flags' : [ 0x248, ['unsigned long']],
    'CreateReported' : [ 0x248, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'NoDebugInherit' : [ 0x248, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'ProcessExiting' : [ 0x248, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]],
    'ProcessDelete' : [ 0x248, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]],
    'Wow64SplitPages' : [ 0x248, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]],
    'VmDeleted' : [ 0x248, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]],
    'OutswapEnabled' : [ 0x248, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]],
    'Outswapped' : [ 0x248, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]],
    'ForkFailed' : [ 0x248, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]],
    'HasPhysicalVad' : [ 0x248, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]],
    'AddressSpaceInitialized' : [ 0x248, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]],
    'SetTimerResolution' : [ 0x248, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]],
    'BreakOnTermination' : [ 0x248, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]],
    'SessionCreationUnderway' : [ 0x248, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]],
    'WriteWatch' : [ 0x248, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]],
    'ProcessInSession' : [ 0x248, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]],
    'OverrideAddressSpace' : [ 0x248, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]],
    'HasAddressSpace' : [ 0x248, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]],
    'LaunchPrefetched' : [ 0x248, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]],
    'InjectInpageErrors' : [ 0x248, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]],
    'VmTopDown' : [ 0x248, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]],
    'Unused3' : [ 0x248, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]],
    'Unused4' : [ 0x248, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]],
    'VdmAllowed' : [ 0x248, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]],
    'Unused' : [ 0x248, ['BitField', dict(start_bit = 25, end_bit = 30, native_type='unsigned long')]],
    'Unused1' : [ 0x248, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]],
    'Unused2' : [ 0x248, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]],
    'ExitStatus' : [ 0x24c, ['long']],
    'NextPageColor' : [ 0x250, ['unsigned short']],
    'SubSystemMinorVersion' : [ 0x252, ['unsigned char']],
    'SubSystemMajorVersion' : [ 0x253, ['unsigned char']],
    'SubSystemVersion' : [ 0x252, ['unsigned short']],
    'PriorityClass' : [ 0x254, ['unsigned char']],
    'WorkingSetAcquiredUnsafe' : [ 0x255, ['unsigned char']],
    'Cookie' : [ 0x258, ['unsigned long']],
} ],
  '_OBJECT_ATTRIBUTES' : [ 0x18, {
    'Length' : [ 0x0, ['unsigned long']],
    'RootDirectory' : [ 0x4, ['pointer', ['void']]],
    'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]],
    'Attributes' : [ 0xc, ['unsigned long']],
    'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]],
    'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]],
} ],
  '_OBJECT_TYPE' : [ 0x190, {
    'Mutex' : [ 0x0, ['_ERESOURCE']],
    'TypeList' : [ 0x38, ['_LIST_ENTRY']],
    'Name' : [ 0x40, ['_UNICODE_STRING']],
    'DefaultObject' : [ 0x48, ['pointer', ['void']]],
    'Index' : [ 0x4c, ['unsigned long']],
    'TotalNumberOfObjects' : [ 0x50, ['unsigned long']],
    'TotalNumberOfHandles' : [ 0x54, ['unsigned long']],
    'HighWaterNumberOfObjects' : [ 0x58, ['unsigned long']],
    'HighWaterNumberOfHandles' : [ 0x5c, ['unsigned long']],
    'TypeInfo' : [ 0x60, ['_OBJECT_TYPE_INITIALIZER']],
    'Key' : [ 0xac, ['unsigned long']],
    'ObjectLocks' : [ 0xb0, ['array', 4, ['_ERESOURCE']]],
} ],
  '_OBJECT_HANDLE_INFORMATION' : [ 0x8, {
    'HandleAttributes' : [ 0x0, ['unsigned long']],
    'GrantedAccess' : [ 0x4, ['unsigned long']],
} ],
  '_KTHREAD' : [ 0x1c0, {
    'Header' : [ 0x0, ['_DISPATCHER_HEADER']],
    'MutantListHead' : [ 0x10, ['_LIST_ENTRY']],
    'InitialStack' : [ 0x18, ['pointer', ['void']]],
    'StackLimit' : [ 0x1c, ['pointer', ['void']]],
    'Teb' : [ 0x20, ['pointer', ['void']]],
    'TlsArray' : [ 0x24, ['pointer', ['void']]],
    'KernelStack' : [ 0x28, ['pointer', ['void']]],
    'DebugActive' : [ 0x2c, ['unsigned char']],
    'State' : [ 0x2d, ['unsigned char']],
    'Alerted' : [ 0x2e, ['array', 2, ['unsigned char']]],
    'Iopl' : [ 0x30, ['unsigned char']],
    'NpxState' : [ 0x31, ['unsigned char']],
    'Saturation' : [ 0x32, ['unsigned char']],
    'Priority' : [ 0x33, ['unsigned char']],
    'ApcState' : [ 0x34, ['_KAPC_STATE']],
    'ContextSwitches' : [ 0x4c, ['unsigned long']],
    'IdleSwapBlock' : [ 0x50, ['unsigned char']],
    'Spare0' : [ 0x51, ['array', 3, ['unsigned char']]],
    'WaitStatus' : [ 0x54, ['long']],
    'WaitIrql' : [ 0x58, ['unsigned char']],
    'WaitMode' : [ 0x59, ['unsigned char']],
    'WaitNext' : [ 0x5a, ['unsigned char']],
    'WaitReason' : [ 0x5b, ['unsigned char']],
    'WaitBlockList' : [ 0x5c, ['pointer', ['_KWAIT_BLOCK']]],
    'WaitListEntry' : [ 0x60, ['_LIST_ENTRY']],
    'SwapListEntry' : [ 0x60, ['_SINGLE_LIST_ENTRY']],
    'WaitTime' : [ 0x68, ['unsigned long']],
    'BasePriority' : [ 0x6c, ['unsigned char']],
    'DecrementCount' : [ 0x6d, ['unsigned char']],
    'PriorityDecrement' : [ 0x6e, ['unsigned char']],
    'Quantum' : [ 0x6f, ['unsigned char']],
    'WaitBlock' : [ 0x70, ['array', 4, ['_KWAIT_BLOCK']]],
    'LegoData' : [ 0xd0, ['pointer', ['void']]],
    'KernelApcDisable' : [ 0xd4, ['unsigned long']],
    'UserAffinity' : [ 0xd8, ['unsigned long']],
    'SystemAffinityActive' : [ 0xdc, ['unsigned char']],
    'PowerState' : [ 0xdd, ['unsigned char']],
    'NpxIrql' : [ 0xde, ['unsigned char']],
    'InitialNode' : [ 0xdf, ['unsigned char']],
    'ServiceTable' : [ 0xe0, ['pointer', ['void']]],
    'Queue' : [ 0xe4, ['pointer', ['_KQUEUE']]],
    'ApcQueueLock' : [ 0xe8, ['unsigned long']],
    'Timer' : [ 0xf0, ['_KTIMER']],
    'QueueListEntry' : [ 0x118, ['_LIST_ENTRY']],
    'SoftAffinity' : [ 0x120, ['unsigned long']],
    'Affinity' : [ 0x124, ['unsigned long']],
    'Preempted' : [ 0x128, ['unsigned char']],
    'ProcessReadyQueue' : [ 0x129, ['unsigned char']],
    'KernelStackResident' : [ 0x12a, ['unsigned char']],
    'NextProcessor' : [ 0x12b, ['unsigned char']],
    'CallbackStack' : [ 0x12c, ['pointer', ['void']]],
    'Win32Thread' : [ 0x130, ['pointer', ['void']]],
    'TrapFrame' : [ 0x134, ['pointer', ['_KTRAP_FRAME']]],
    'ApcStatePointer' : [ 0x138, ['array', 2, ['pointer', ['_KAPC_STATE']]]],
    'PreviousMode' : [ 0x140, ['unsigned char']],
    'EnableStackSwap' : [ 0x141, ['unsigned char']],
    'LargeStack' : [ 0x142, ['unsigned char']],
    'ResourceIndex' : [ 0x143, ['unsigned char']],
    'KernelTime' : [ 0x144, ['unsigned long']],
    'UserTime' : [ 0x148, ['unsigned long']],
    'SavedApcState' : [ 0x14c, ['_KAPC_STATE']],
    'Alertable' : [ 0x164, ['unsigned char']],
    'ApcStateIndex' : [ 0x165, ['unsigned char']],
    'ApcQueueable' : [ 0x166, ['unsigned char']],
    'AutoAlignment' : [ 0x167, ['unsigned char']],
    'StackBase' : [ 0x168, ['pointer', ['void']]],
    'SuspendApc' : [ 0x16c, ['_KAPC']],
    'SuspendSemaphore' : [ 0x19c, ['_KSEMAPHORE']],
    'ThreadListEntry' : [ 0x1b0, ['_LIST_ENTRY']],
    'FreezeCount' : [ 0x1b8, ['unsigned char']],
    'SuspendCount' : [ 0x1b9, ['unsigned char']],
    'IdealProcessor' : [ 0x1ba, ['unsigned char']],
    'DisableBoost' : [ 0x1bb, ['unsigned char']],
} ],
  '__unnamed_10f2' : [ 0x208, {
    'FnArea' : [ 0x0, ['_FNSAVE_FORMAT']],
    'FxArea' : [ 0x0, ['_FXSAVE_FORMAT']],
} ],
  '_FX_SAVE_AREA' : [ 0x210, {
    'U' : [ 0x0, ['__unnamed_10f2']],
    'NpxSavedCpu' : [ 0x208, ['unsigned long']],
    'Cr0NpxState' : [ 0x20c, ['unsigned long']],
} ],
  '__unnamed_10fe' : [ 0x4, {
    'Long' : [ 0x0, ['unsigned long']],
    'Hard' : [ 0x0, ['_MMPTE_HARDWARE']],
    'Flush' : [ 0x0, ['_HARDWARE_PTE']],
    'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']],
    'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']],
    'Trans' : [ 0x0, ['_MMPTE_TRANSITION']],
    'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']],
    'List' : [ 0x0, ['_MMPTE_LIST']],
} ],
  '_MMPTE' : [ 0x4, {
    'u' : [ 0x0, ['__unnamed_10fe']],
} ],
  '_EXCEPTION_RECORD64' : [ 0x98, {
    'ExceptionCode' : [ 0x0, ['long']],
    'ExceptionFlags' : [ 0x4, ['unsigned long']],
    'ExceptionRecord' : [ 0x8, ['unsigned long long']],
    'ExceptionAddress' : [ 0x10, ['unsigned long long']],
    'NumberParameters' : [ 0x18, ['unsigned long']],
    '__unusedAlignment' : [ 0x1c, ['unsigned long']],
    'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]],
} ],
  '_EXCEPTION_RECORD32' : [ 0x50, {
    'ExceptionCode' : [ 0x0, ['long']],
    'ExceptionFlags' : [ 0x4, ['unsigned long']],
    'ExceptionRecord' : [ 0x8, ['unsigned long']],
    'ExceptionAddress' : [ 0xc, ['unsigned long']],
    'NumberParameters' : [ 0x10, ['unsigned long']],
    'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]],
} ],
  '_DBGKM_EXCEPTION64' : [ 0xa0, {
    'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']],
    'FirstChance' : [ 0x98, ['unsigned long']],
} ],
  '_DBGKM_EXCEPTION32' : [ 0x54, {
    'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']],
    'FirstChance' : [ 0x50, ['unsigned long']],
} ],
  '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, {
    'PathNameLength' : [ 0x0, ['unsigned long']],
    'BaseOfDll' : [ 0x8, ['unsigned long long']],
    'ProcessId' : [ 0x10, ['unsigned long long']],
    'CheckSum' : [ 0x18, ['unsigned long']],
    'SizeOfImage' : [ 0x1c, ['unsigned long']],
    'UnloadSymbols' : [ 0x20, ['unsigned char']],
} ],
  '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, {
    'PathNameLength' : [ 0x0, ['unsigned long']],
    'BaseOfDll' : [ 0x4, ['unsigned long']],
    'ProcessId' : [ 0x8, ['unsigned long']],
    'CheckSum' : [ 0xc, ['unsigned long']],
    'SizeOfImage' : [ 0x10, ['unsigned long']],
    'UnloadSymbols' : [ 0x14, ['unsigned char']],
} ],
  '_DBGKD_READ_MEMORY64' : [ 0x10, {
    'TargetBaseAddress' : [ 0x0, ['unsigned long long']],
    'TransferCount' : [ 0x8, ['unsigned long']],
    'ActualBytesRead' : [ 0xc, ['unsigned long']],
} ],
  '_DBGKD_READ_MEMORY32' : [ 0xc, {
    'TargetBaseAddress' : [ 0x0, ['unsigned long']],
    'TransferCount' : [ 0x4, ['unsigned long']],
    'ActualBytesRead' : [ 0x8, ['unsigned long']],
} ],
  '_DBGKD_WRITE_MEMORY64' : [ 0x10, {
    'TargetBaseAddress' : [ 0x0, ['unsigned long long']],
    'TransferCount' : [ 0x8, ['unsigned long']],
    'ActualBytesWritten' : [ 0xc, ['unsigned long']],
} ],
  '_DBGKD_WRITE_MEMORY32' : [ 0xc, {
    'TargetBaseAddress' : [ 0x0, ['unsigned long']],
    'TransferCount' : [ 0x4, ['unsigned long']],
    'ActualBytesWritten' : [ 0x8, ['unsigned long']],
} ],
  '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, {
    'BreakPointAddress' : [ 0x0, ['unsigned long long']],
    'BreakPointHandle' : [ 0x8, ['unsigned long']],
} ],
  '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, {
    'BreakPointAddress' : [ 0x0, ['unsigned long']],
    'BreakPointHandle' : [ 0x4, ['unsigned long']],
} ],
  '_DBGKD_READ_WRITE_IO64' : [ 0x10, {
    'IoAddress' : [ 0x0, ['unsigned long long']],
    'DataSize' : [ 0x8, ['unsigned long']],
    'DataValue' : [ 0xc, ['unsigned long']],
} ],
  '_DBGKD_READ_WRITE_IO32' : [ 0xc, {
    'DataSize' : [ 0x0, ['unsigned long']],
    'IoAddress' : [ 0x4, ['unsigned long']],
    'DataValue' : [ 0x8, ['unsigned long']],
} ],
  '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, {
    'DataSize' : [ 0x0, ['unsigned long']],
    'InterfaceType' : [ 0x4, ['unsigned long']],
    'BusNumber' : [ 0x8, ['unsigned long']],
    'AddressSpace' : [ 0xc, ['unsigned long']],
    'IoAddress' : [ 0x10, ['unsigned long long']],
    'DataValue' : [ 0x18, ['unsigned long']],
} ],
  '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, {
    'DataSize' : [ 0x0, ['unsigned long']],
    'InterfaceType' : [ 0x4, ['unsigned long']],
    'BusNumber' : [ 0x8, ['unsigned long']],
    'AddressSpace' : [ 0xc, ['unsigned long']],
    'IoAddress' : [ 0x10, ['unsigned long']],
    'DataValue' : [ 0x14, ['unsigned long']],
} ],
  '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, {
    'SpecialCall' : [ 0x0, ['unsigned long']],
} ],
  '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, {
    'SpecialCall' : [ 0x0, ['unsigned long long']],
} ],
  '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, {
    'BreakpointAddress' : [ 0x0, ['unsigned long']],
    'Flags' :
[ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_116f' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 
'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_116f']], } ], '__unnamed_1176' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_1176']], } ], '__unnamed_117f' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x18, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, 
['__unnamed_117f']], 'LruList' : [ 0x10, ['_LIST_ENTRY']], } ], '_SHARED_CACHE_MAP' : [ 0x130, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObject' : [ 0x44, ['pointer', ['_FILE_OBJECT']]], 'ActiveVacb' : [ 0x48, ['pointer', ['_VACB']]], 'NeedToZero' : [ 0x4c, ['pointer', ['void']]], 'ActivePage' : [ 0x50, ['unsigned long']], 'NeedToZeroPage' : [ 0x54, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x58, ['unsigned long']], 'VacbActiveCount' : [ 0x5c, ['unsigned long']], 'DirtyPages' : [ 0x60, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x64, ['_LIST_ENTRY']], 'Flags' : [ 0x6c, ['unsigned long']], 'Status' : [ 0x70, ['long']], 'Mbcb' : [ 0x74, ['pointer', ['_MBCB']]], 'Section' : [ 0x78, ['pointer', ['void']]], 'CreateEvent' : [ 0x7c, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x80, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x84, ['unsigned long']], 'BeyondLastFlush' : [ 0x88, ['long long']], 'Callbacks' : [ 0x90, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x94, ['pointer', ['void']]], 'PrivateList' : [ 0x98, ['_LIST_ENTRY']], 'LogHandle' : [ 0xa0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0xa4, ['pointer', ['void']]], 'DirtyPageThreshold' : [ 0xa8, ['unsigned long']], 'LazyWritePassCount' : [ 0xac, ['unsigned long']], 'UninitializeEvent' : [ 0xb0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0xb4, ['pointer', ['_VACB']]], 'BcbSpinLock' : [ 0xb8, ['unsigned long']], 'Reserved' : [ 0xbc, ['pointer', ['void']]], 'Event' : [ 0xc0, ['_KEVENT']], 'VacbPushLock' : [ 0xd0, ['_EX_PUSH_LOCK']], 
'PrivateCacheMap' : [ 0xd8, ['_PRIVATE_CACHE_MAP']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'PreviousSize' : [ 0x2, ['unsigned short']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'SmallTagIndex' : [ 0x4, ['unsigned char']], 'Flags' : [ 0x5, ['unsigned char']], 'UnusedBytes' : [ 0x6, ['unsigned char']], 'SegmentIndex' : [ 0x7, ['unsigned char']], } ], '__unnamed_11a9' : [ 0x10, { 'FreeListsInUseUlong' : [ 0x0, ['array', 4, ['unsigned long']]], 'FreeListsInUseBytes' : [ 0x0, ['array', 16, ['unsigned char']]], } ], '__unnamed_11ab' : [ 0x2, { 'FreeListsInUseTerminate' : [ 0x0, ['unsigned short']], 'DecommitCount' : [ 0x0, ['unsigned short']], } ], '_HEAP' : [ 0x588, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'ForceFlags' : [ 0x10, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x14, ['unsigned long']], 'SegmentReserve' : [ 0x18, ['unsigned long']], 'SegmentCommit' : [ 0x1c, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x20, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x24, ['unsigned long']], 'TotalFreeSize' : [ 0x28, ['unsigned long']], 'MaximumAllocationSize' : [ 0x2c, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x30, ['unsigned short']], 'HeaderValidateLength' : [ 0x32, ['unsigned short']], 'HeaderValidateCopy' : [ 0x34, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x38, ['unsigned short']], 'MaximumTagIndex' : [ 0x3a, ['unsigned short']], 'TagEntries' : [ 0x3c, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRSegments' : [ 0x40, ['pointer', ['_HEAP_UCR_SEGMENT']]], 'UnusedUnCommittedRanges' : [ 0x44, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'AlignRound' : [ 0x48, ['unsigned long']], 'AlignMask' : [ 0x4c, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0x50, ['_LIST_ENTRY']], 'Segments' : [ 0x58, ['array', 64, ['pointer', 
['_HEAP_SEGMENT']]]], 'u' : [ 0x158, ['__unnamed_11a9']], 'u2' : [ 0x168, ['__unnamed_11ab']], 'AllocatorBackTraceIndex' : [ 0x16a, ['unsigned short']], 'NonDedicatedListLength' : [ 0x16c, ['unsigned long']], 'LargeBlocksIndex' : [ 0x170, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0x174, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x178, ['array', 128, ['_LIST_ENTRY']]], 'LockVariable' : [ 0x578, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x57c, ['pointer', ['void']]], 'FrontEndHeap' : [ 0x580, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0x584, ['unsigned short']], 'FrontEndHeapType' : [ 0x586, ['unsigned char']], 'LastSegmentIndex' : [ 0x587, ['unsigned char']], } ], '_HEAP_SEGMENT' : [ 0x3c, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Heap' : [ 0x10, ['pointer', ['_HEAP']]], 'LargestUnCommittedRange' : [ 0x14, ['unsigned long']], 'BaseAddress' : [ 0x18, ['pointer', ['void']]], 'NumberOfPages' : [ 0x1c, ['unsigned long']], 'FirstEntry' : [ 0x20, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x28, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x2c, ['unsigned long']], 'UnCommittedRanges' : [ 0x30, ['pointer', ['_HEAP_UNCOMMMTTED_RANGE']]], 'AllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'LastEntryInSegment' : [ 0x38, ['pointer', ['_HEAP_ENTRY']]], } ], '_HEAP_SUBSEGMENT' : [ 0x20, { 'Bucket' : [ 0x0, ['pointer', ['void']]], 'UserBlocks' : [ 0x4, ['pointer', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x8, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x10, ['unsigned short']], 'FreeThreshold' : [ 0x12, ['unsigned short']], 'BlockCount' : [ 0x14, ['unsigned short']], 'SizeIndex' : [ 0x16, ['unsigned char']], 'AffinityIndex' : [ 0x17, ['unsigned char']], 'Alignment' : [ 0x10, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x18, 
['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x1c, ['unsigned long']], } ], '_HEAP_UCR_SEGMENT' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_HEAP_UCR_SEGMENT']]], 'ReservedSize' : [ 0x4, ['unsigned long']], 'CommittedSize' : [ 0x8, ['unsigned long']], 'filler' : [ 0xc, ['unsigned long']], } ], '_HMAP_TABLE' : [ 0x2000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x10, ['_UNICODE_STRING']], 'LinkTargetObject' : [ 0x18, ['pointer', ['void']]], 'DosDeviceDriveIndex' : [ 0x1c, ['unsigned long']], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Inserted' : [ 0x3, ['unsigned char']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x50, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'LoadedImports' : [ 0x44, ['pointer', ['void']]], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['void']]], 'PatchInformation' : [ 0x4c, ['pointer', ['void']]], } ], '_HEAP_UNCOMMMTTED_RANGE' : [ 0x10, { 'Next' : [ 0x0, ['pointer', 
['_HEAP_UNCOMMMTTED_RANGE']]], 'Address' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'filler' : [ 0xc, ['unsigned long']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x110, { 'Nodes' : [ 0x0, ['array', 2, ['unsigned long']]], 'Resources' : [ 0x8, ['array', 2, ['unsigned long']]], 'Threads' : [ 0x10, ['array', 2, ['unsigned long']]], 'TimeAcquire' : [ 0x18, ['long long']], 'TimeRelease' : [ 0x20, ['long long']], 'BytesAllocated' : [ 0x28, ['unsigned long']], 'ResourceDatabase' : [ 0x2c, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabase' : [ 0x30, ['pointer', ['_LIST_ENTRY']]], 'AllocationFailures' : [ 0x34, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x38, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x3c, ['unsigned long']], 'NodesSearched' : [ 0x40, ['unsigned long']], 'MaxNodesSearched' : [ 0x44, ['unsigned long']], 'SequenceNumber' : [ 0x48, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4c, ['unsigned long']], 'SearchedNodesLimit' : [ 0x50, ['unsigned long']], 'DepthLimitHits' : [ 0x54, ['unsigned long']], 'SearchLimitHits' : [ 0x58, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x5c, ['unsigned long']], 'FreeResourceList' : [ 0x60, ['_LIST_ENTRY']], 'FreeThreadList' : [ 0x68, ['_LIST_ENTRY']], 'FreeNodeList' : [ 0x70, ['_LIST_ENTRY']], 'FreeResourceCount' : [ 0x78, ['unsigned long']], 'FreeThreadCount' : [ 0x7c, ['unsigned long']], 'FreeNodeCount' : [ 0x80, ['unsigned long']], 'Instigator' : [ 0x84, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0x88, ['unsigned long']], 'Participant' : [ 0x8c, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'CacheReductionInProgress' : [ 0x10c, ['unsigned long']], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 
0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_SECTION_OBJECT' : [ 0x18, { 'StartingVa' : [ 0x0, ['pointer', ['void']]], 'EndingVa' : [ 0x4, ['pointer', ['void']]], 'Parent' : [ 0x8, ['pointer', ['void']]], 'LeftChild' : [ 0xc, ['pointer', ['void']]], 'RightChild' : [ 0x10, ['pointer', ['void']]], 'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_WMI_LOGGER_CONTEXT' : [ 0x1c8, { 'BufferSpinLock' : [ 0x0, ['unsigned long']], 'StartTime' : [ 0x8, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x10, ['pointer', ['void']]], 'LoggerSemaphore' : [ 0x14, ['_KSEMAPHORE']], 'LoggerThread' : [ 0x28, ['pointer', ['_ETHREAD']]], 'LoggerEvent' : [ 0x2c, ['_KEVENT']], 'FlushEvent' : [ 0x3c, ['_KEVENT']], 'LoggerStatus' : [ 0x4c, ['long']], 'LoggerId' : [ 0x50, ['unsigned long']], 'BuffersAvailable' : [ 0x54, ['long']], 'UsePerfClock' : [ 0x58, ['unsigned long']], 'WriteFailureLimit' : [ 0x5c, ['unsigned long']], 'BuffersDirty' : [ 0x60, ['unsigned long']], 'BuffersInUse' : [ 0x64, ['unsigned long']], 'SwitchingInProgress' : [ 0x68, ['unsigned long']], 'FreeList' : [ 0x70, 
['_SLIST_HEADER']], 'FlushList' : [ 0x78, ['_SLIST_HEADER']], 'GlobalList' : [ 0x80, ['_SLIST_HEADER']], 'ProcessorBuffers' : [ 0x88, ['pointer', ['_SLIST_HEADER']]], 'LoggerName' : [ 0x8c, ['_UNICODE_STRING']], 'LogFileName' : [ 0x94, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x9c, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0xa4, ['_UNICODE_STRING']], 'EndPageMarker' : [ 0xac, ['pointer', ['unsigned char']]], 'CollectionOn' : [ 0xb0, ['long']], 'KernelTraceOn' : [ 0xb4, ['unsigned long']], 'PerfLogInTransition' : [ 0xb8, ['long']], 'RequestFlag' : [ 0xbc, ['unsigned long']], 'EnableFlags' : [ 0xc0, ['unsigned long']], 'MaximumFileSize' : [ 0xc4, ['unsigned long']], 'LoggerMode' : [ 0xc8, ['unsigned long']], 'LoggerModeFlags' : [ 0xc8, ['_WMI_LOGGER_MODE']], 'LastFlushedBuffer' : [ 0xcc, ['unsigned long']], 'RefCount' : [ 0xd0, ['unsigned long']], 'FlushTimer' : [ 0xd4, ['unsigned long']], 'FirstBufferOffset' : [ 0xd8, ['_LARGE_INTEGER']], 'ByteOffset' : [ 0xe0, ['_LARGE_INTEGER']], 'BufferAgeLimit' : [ 0xe8, ['_LARGE_INTEGER']], 'MaximumBuffers' : [ 0xf0, ['unsigned long']], 'MinimumBuffers' : [ 0xf4, ['unsigned long']], 'EventsLost' : [ 0xf8, ['unsigned long']], 'BuffersWritten' : [ 0xfc, ['unsigned long']], 'LogBuffersLost' : [ 0x100, ['unsigned long']], 'RealTimeBuffersLost' : [ 0x104, ['unsigned long']], 'BufferSize' : [ 0x108, ['unsigned long']], 'NumberOfBuffers' : [ 0x10c, ['long']], 'SequencePtr' : [ 0x110, ['pointer', ['long']]], 'InstanceGuid' : [ 0x114, ['_GUID']], 'LoggerHeader' : [ 0x124, ['pointer', ['void']]], 'GetCpuClock' : [ 0x128, ['pointer', ['void']]], 'ClientSecurityContext' : [ 0x12c, ['_SECURITY_CLIENT_CONTEXT']], 'LoggerExtension' : [ 0x168, ['pointer', ['void']]], 'ReleaseQueue' : [ 0x16c, ['long']], 'EnableFlagExtension' : [ 0x170, ['_TRACE_ENABLE_FLAG_EXTENSION']], 'LocalSequence' : [ 0x174, ['unsigned long']], 'MaximumIrql' : [ 0x178, ['unsigned long']], 'EnableFlagArray' : [ 0x17c, ['pointer', ['unsigned long']]], 'LoggerMutex' : [ 
0x180, ['_KMUTANT']], 'MutexCount' : [ 0x1a0, ['long']], 'FileCounter' : [ 0x1a4, ['unsigned long']], 'BufferCallback' : [ 0x1a8, ['pointer', ['void']]], 'CallbackContext' : [ 0x1ac, ['pointer', ['void']]], 'PoolType' : [ 0x1b0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceSystemTime' : [ 0x1b8, ['_LARGE_INTEGER']], 'ReferenceTimeStamp' : [ 0x1c0, ['_LARGE_INTEGER']], } ], '_SEGMENT_OBJECT' : [ 0x30, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'LargeControlArea' : [ 0x20, ['pointer', ['_LARGE_CONTROL_AREA']]], 'MmSectionFlags' : [ 0x24, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x28, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], '__unnamed_123f' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '_CONTROL_AREA' : [ 0x30, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfSubsections' : [ 0x18, ['unsigned short']], 'FlushInProgressCount' : [ 0x1a, ['unsigned short']], 'NumberOfUserReferences' : [ 0x1c, ['unsigned long']], 'u' : [ 0x20, 
['__unnamed_123f']], 'FilePointer' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x28, ['pointer', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x2c, ['unsigned short']], 'NumberOfSystemCacheViews' : [ 0x2e, ['unsigned short']], } ], '_HANDLE_TABLE' : [ 0x44, { 'TableCode' : [ 0x0, ['unsigned long']], 'QuotaProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x8, ['pointer', ['void']]], 'HandleTableLock' : [ 0xc, ['array', 4, ['_EX_PUSH_LOCK']]], 'HandleTableList' : [ 0x1c, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x24, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x28, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x2c, ['long']], 'FirstFree' : [ 0x30, ['unsigned long']], 'LastFree' : [ 0x34, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x38, ['unsigned long']], 'HandleCount' : [ 0x3c, ['long']], 'Flags' : [ 0x40, ['unsigned long']], 'StrictFIFO' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'ProcessBilled' : [ 0x4, ['pointer', ['_EPROCESS']]], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'Object' : [ 0xc, ['pointer', ['void']]], 'NextWaitBlock' : [ 0x10, ['pointer', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x14, ['unsigned short']], 'WaitType' : [ 0x16, ['unsigned short']], } ], '_MMPTE_PROTOTYPE' 
: [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProtoAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'WhichPool' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtoAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_MMSUPPORT' : [ 0x40, { 'LastTrimTime' : [ 0x0, ['_LARGE_INTEGER']], 'Flags' : [ 0x8, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0xc, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x10, ['unsigned long']], 'WorkingSetSize' : [ 0x14, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x18, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x1c, ['unsigned long']], 'VmWorkingSetList' : [ 0x20, ['pointer', ['_MMWSL']]], 'WorkingSetExpansionLinks' : [ 0x24, ['_LIST_ENTRY']], 'Claim' : [ 0x2c, ['unsigned long']], 'NextEstimationSlot' : [ 0x30, ['unsigned long']], 'NextAgingSlot' : [ 0x34, ['unsigned long']], 'EstimatedAvailable' : [ 0x38, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x3c, ['unsigned long']], } ], '_EX_WORK_QUEUE' : [ 0x3c, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x28, ['unsigned long']], 'WorkItemsProcessed' : [ 0x2c, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x30, ['unsigned long']], 'QueueDepthLastPass' : [ 0x34, ['unsigned long']], 'Info' : [ 0x38, ['EX_QUEUE_WORKER_INFO']], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SubsectionStatic' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned 
long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 20, native_type='unsigned long')]], 'SectorEndOffset' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['unsigned short']]], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_EPROCESS_QUOTA_BLOCK' : [ 0x40, { 'QuotaEntry' : [ 0x0, ['array', 3, ['_EPROCESS_QUOTA_ENTRY']]], 'QuotaList' : [ 0x30, ['_LIST_ENTRY']], 'ReferenceCount' : [ 0x38, ['unsigned long']], 'ProcessCount' : [ 0x3c, ['unsigned long']], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_EVENT_COUNTER' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'RefCount' : [ 0x4, ['unsigned long']], 'Event' : [ 0x8, ['_KEVENT']], } ], '_EJOB' : [ 0x180, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 
'ThisPeriodTotalUserTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x70, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0x78, ['unsigned long']], 'TotalProcesses' : [ 0x7c, ['unsigned long']], 'ActiveProcesses' : [ 0x80, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x84, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x88, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0x90, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0x98, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x9c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0xa0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xa4, ['unsigned long']], 'Affinity' : [ 0xa8, ['unsigned long']], 'PriorityClass' : [ 0xac, ['unsigned char']], 'UIRestrictionsClass' : [ 0xb0, ['unsigned long']], 'SecurityLimitFlags' : [ 0xb4, ['unsigned long']], 'Token' : [ 0xb8, ['pointer', ['void']]], 'Filter' : [ 0xbc, ['pointer', ['_PS_JOB_TOKEN_FILTER']]], 'EndOfJobTimeAction' : [ 0xc0, ['unsigned long']], 'CompletionPort' : [ 0xc4, ['pointer', ['void']]], 'CompletionKey' : [ 0xc8, ['pointer', ['void']]], 'SessionId' : [ 0xcc, ['unsigned long']], 'SchedulingClass' : [ 0xd0, ['unsigned long']], 'ReadOperationCount' : [ 0xd8, ['unsigned long long']], 'WriteOperationCount' : [ 0xe0, ['unsigned long long']], 'OtherOperationCount' : [ 0xe8, ['unsigned long long']], 'ReadTransferCount' : [ 0xf0, ['unsigned long long']], 'WriteTransferCount' : [ 0xf8, ['unsigned long long']], 'OtherTransferCount' : [ 0x100, ['unsigned long long']], 'IoInfo' : [ 0x108, ['_IO_COUNTERS']], 'ProcessMemoryLimit' : [ 0x138, ['unsigned long']], 'JobMemoryLimit' : [ 0x13c, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x140, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x144, ['unsigned long']], 'CurrentJobMemoryUsed' : [ 0x148, ['unsigned long']], 'MemoryLimitsLock' : [ 0x14c, ['_FAST_MUTEX']], 'JobSetLinks' : [ 0x16c, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x174, ['unsigned long']], 'JobFlags' : [ 0x178, ['unsigned long']], } ], 
'_LARGE_CONTROL_AREA' : [ 0x40, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfSubsections' : [ 0x18, ['unsigned short']], 'FlushInProgressCount' : [ 0x1a, ['unsigned short']], 'NumberOfUserReferences' : [ 0x1c, ['unsigned long']], 'u' : [ 0x20, ['__unnamed_123f']], 'FilePointer' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x28, ['pointer', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x2c, ['unsigned short']], 'NumberOfSystemCacheViews' : [ 0x2e, ['unsigned short']], 'StartingFrame' : [ 0x30, ['unsigned long']], 'UserGlobalList' : [ 0x34, ['_LIST_ENTRY']], 'SessionId' : [ 0x3c, ['unsigned long']], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_PS_JOB_TOKEN_FILTER' : [ 0x24, { 'CapturedSidCount' : [ 0x0, ['unsigned long']], 'CapturedSids' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapturedSidsLength' : [ 0x8, ['unsigned long']], 'CapturedGroupCount' : [ 0xc, ['unsigned long']], 'CapturedGroups' : [ 0x10, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'CapturedGroupsLength' : [ 0x14, ['unsigned long']], 'CapturedPrivilegeCount' : [ 0x18, ['unsigned long']], 'CapturedPrivileges' : [ 0x1c, ['pointer', ['_LUID_AND_ATTRIBUTES']]], 'CapturedPrivilegesLength' : [ 0x20, ['unsigned long']], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Event' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x70, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 
'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'Reserved' : [ 0x68, ['array', 2, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_FILE_OBJECT' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', 
['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], } ], '_MMPTE_HARDWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Writable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Write' : [ 0x0, 
['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x10, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'CmView' : [ 0x8, ['pointer', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0xc, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, 
['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'HadUserReference' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ImageMappedInSystemSpace' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Rom' : [ 0x0, 
['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'filler' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 32, native_type='unsigned long')]], } ], '_DEFERRED_WRITE' : [ 0x28, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], 'LimitModifiedPages' : [ 0x24, ['unsigned char']], } ], '_TRACE_ENABLE_FLAG_EXTENSION' : [ 0x4, { 'Offset' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned char']], 'Flag' : [ 0x3, ['unsigned char']], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x18, { 'Name' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'CmHive' : [ 0x8, ['pointer', ['_CMHIVE']]], 'Flags' : [ 0xc, ['unsigned long']], 'CmHive2' : [ 0x10, ['pointer', ['_CMHIVE']]], 'ThreadFinished' : [ 0x14, ['unsigned char']], 'ThreadStarted' : [ 0x15, ['unsigned char']], 'Allocate' : [ 0x16, ['unsigned char']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_PS_IMPERSONATION_INFORMATION' : [ 0xc, { 'Token' : [ 0x0, ['pointer', ['void']]], 'CopyOnOpen' : [ 0x4, ['unsigned char']], 'EffectiveOnly' : [ 0x5, ['unsigned char']], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], } ], '__unnamed_12ed' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', 
['_DEVICE_RELATIONS']]], } ], '__unnamed_12ef' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_12f3' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x118, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'Level' : [ 0x10, ['unsigned long']], 'Notify' : [ 0x14, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'State' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted'})]], 'PreviousState' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 
'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted'})]], 'StateHistory' : [ 0x20, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted'})]]], 'StateHistoryEntry' : [ 0x70, ['unsigned long']], 'CompletionStatus' : [ 0x74, ['long']], 'PendingIrp' : [ 0x78, ['pointer', ['_IRP']]], 'Flags' : [ 0x7c, ['unsigned long']], 'UserFlags' : [ 0x80, ['unsigned long']], 'Problem' : [ 0x84, ['unsigned long']], 'PhysicalDeviceObject' : [ 0x88, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0x8c, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x90, ['pointer', ['_CM_RESOURCE_LIST']]], 'InstancePath' : [ 0x94, ['_UNICODE_STRING']], 'ServiceName' : [ 0x9c, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0xa4, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xa8, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xac, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 
'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xb0, ['unsigned long']], 'ChildInterfaceType' : [ 0xb4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0xb8, ['unsigned long']], 'ChildBusTypeIndex' : [ 0xbc, ['unsigned short']], 'RemovalPolicy' : [ 0xbe, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0xbf, ['unsigned char']], 'TargetDeviceNotify' : [ 0xc0, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0xc8, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0xd0, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0xd8, ['unsigned short']], 'QueryTranslatorMask' : [ 0xda, ['unsigned short']], 'NoArbiterMask' : [ 0xdc, ['unsigned short']], 'QueryArbiterMask' : [ 0xde, ['unsigned short']], 'OverUsed1' : [ 0xe0, ['__unnamed_12ed']], 'OverUsed2' : [ 0xe4, ['__unnamed_12ef']], 'BootResources' : [ 0xe8, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0xec, ['unsigned long']], 'DockInfo' : [ 0xf0, ['__unnamed_12f3']], 'DisableableDepends' : [ 0x100, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x104, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x10c, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x114, ['unsigned long']], } ], '__unnamed_12f8' : [ 0x38, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x38, { 'Lock' : [ 0x0, ['__unnamed_12f8']], } ], '_KPCR' : [ 0xd70, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, 
['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'DebugActive' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_MMCOLOR_TABLES' : [ 0xc, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '__unnamed_1317' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'ReadStatus' : [ 0x0, ['long']], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_1319' : [ 0x4, { 'Blink' : [ 0x0, ['unsigned long']], 'ShareCount' : [ 0x0, ['unsigned 
long']], } ], '__unnamed_131c' : [ 0x4, { 'ShortFlags' : [ 0x0, ['unsigned short']], 'ReferenceCount' : [ 0x2, ['unsigned short']], } ], '__unnamed_131e' : [ 0x4, { 'e1' : [ 0x0, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_131c']], } ], '__unnamed_1325' : [ 0x4, { 'EntireFrame' : [ 0x0, ['unsigned long']], 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 26, native_type='unsigned long')]], 'InPageError' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'VerifierAllocation' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'LockCharged' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'KernelStack' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MMPFN' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1317']], 'PteAddress' : [ 0x4, ['pointer', ['_MMPTE']]], 'u2' : [ 0x8, ['__unnamed_1319']], 'u3' : [ 0xc, ['__unnamed_131e']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'u4' : [ 0x14, ['__unnamed_1325']], } ], '__unnamed_132b' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1278, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'u' : [ 0x4, ['__unnamed_132b']], 'SessionId' : [ 0x8, ['unsigned long']], 'SessionPageDirectoryIndex' : [ 0xc, ['unsigned long']], 'GlobalVirtualAddress' : [ 0x10, ['pointer', ['_MM_SESSION_SPACE']]], 'ProcessList' : [ 0x14, ['_LIST_ENTRY']], 'NonPagedPoolBytes' : [ 0x1c, ['unsigned long']], 'PagedPoolBytes' : [ 0x20, ['unsigned long']], 'NonPagedPoolAllocations' : [ 0x24, ['unsigned long']], 'PagedPoolAllocations' : [ 0x28, ['unsigned long']], 'NonPagablePages' : [ 0x2c, ['unsigned long']], 
'CommittedPages' : [ 0x30, ['unsigned long']], 'LastProcessSwappedOutTime' : [ 0x38, ['_LARGE_INTEGER']], 'PageTables' : [ 0x40, ['pointer', ['_MMPTE']]], 'PagedPoolMutex' : [ 0x44, ['_FAST_MUTEX']], 'PagedPoolStart' : [ 0x64, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x68, ['pointer', ['void']]], 'PagedPoolBasePde' : [ 0x6c, ['pointer', ['_MMPTE']]], 'PagedPoolInfo' : [ 0x70, ['_MM_PAGED_POOL_INFO']], 'Color' : [ 0x94, ['unsigned long']], 'ProcessOutSwapCount' : [ 0x98, ['unsigned long']], 'ImageList' : [ 0x9c, ['_LIST_ENTRY']], 'GlobalPteEntry' : [ 0xa4, ['pointer', ['_MMPTE']]], 'CopyOnWriteCount' : [ 0xa8, ['unsigned long']], 'SessionPoolAllocationFailures' : [ 0xac, ['array', 4, ['unsigned long']]], 'AttachCount' : [ 0xbc, ['unsigned long']], 'AttachEvent' : [ 0xc0, ['_KEVENT']], 'LastProcess' : [ 0xd0, ['pointer', ['_EPROCESS']]], 'Vm' : [ 0xd8, ['_MMSUPPORT']], 'Wsle' : [ 0x118, ['pointer', ['_MMWSLE']]], 'WsLock' : [ 0x11c, ['_ERESOURCE']], 'WsListEntry' : [ 0x154, ['_LIST_ENTRY']], 'Session' : [ 0x15c, ['_MMSESSION']], 'Win32KDriverObject' : [ 0x198, ['_DRIVER_OBJECT']], 'WorkingSetLockOwner' : [ 0x240, ['pointer', ['_ETHREAD']]], 'PagedPool' : [ 0x244, ['_POOL_DESCRIPTOR']], 'ProcessReferenceToSession' : [ 0x126c, ['long']], 'LocaleId' : [ 0x1270, ['unsigned long']], } ], '_PEB' : [ 0x210, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'SpareBool' : [ 0x3, ['unsigned char']], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'FastPebLockRoutine' : [ 0x20, ['pointer', ['void']]], 'FastPebUnlockRoutine' : [ 0x24, 
['pointer', ['void']]], 'EnvironmentUpdateCount' : [ 0x28, ['unsigned long']], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'FreeList' : [ 0x38, ['pointer', ['_PEB_FREE_BLOCK']]], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'ReadOnlySharedMemoryHeap' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['void']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ImageProcessAffinityMask' : [ 
0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['void']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['void']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['void']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['void']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'PreviousSize' : [ 0x2, ['unsigned short']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'SmallTagIndex' : [ 0x4, ['unsigned char']], 'Flags' : [ 0x5, ['unsigned char']], 'UnusedBytes' : [ 0x6, ['unsigned char']], 'SegmentIndex' : [ 0x7, ['unsigned char']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerThreads' : [ 0x18, ['array', 2, ['_OWNER_ENTRY']]], 'ContentionCount' : [ 0x28, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x2c, ['unsigned short']], 'NumberOfExclusiveWaiters' : [ 0x2e, ['unsigned short']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned 
long']], } ], '_MMPTE_SOFTWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 
'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_EPROCESS_QUOTA_ENTRY' : [ 0x10, { 'Usage' : [ 0x0, ['unsigned long']], 'Limit' : [ 0x4, ['unsigned long']], 'Peak' : [ 0x8, ['unsigned long']], 'Return' : [ 0xc, ['unsigned long']], } ], '__unnamed_1362' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_1362']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'Wnode' : [ 0x0, ['_WNODE_HEADER']], 'Reserved1' : [ 0x0, ['unsigned long long']], 'Reserved2' : [ 0x8, ['unsigned long long']], 'Reserved3' : [ 0x10, ['_LARGE_INTEGER']], 'Alignment' : [ 0x18, ['pointer', ['void']]], 'SlistEntry' : [ 0x1c, ['_SINGLE_LIST_ENTRY']], 'Entry' : [ 0x18, ['_LIST_ENTRY']], 'ReferenceCount' : [ 0x0, ['long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'UsePerfClock' : [ 0xc, ['unsigned long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['_WMI_CLIENT_CONTEXT']], 'State' : [ 0x2c, ['_WMI_BUFFER_STATE']], 'Flags' : [ 0x2c, ['unsigned long']], 'Offset' : [ 0x30, ['unsigned long']], 'EventsLost' : [ 0x34, ['unsigned long']], 'InstanceGuid' : [ 0x38, ['_GUID']], 'LoggerContext' : [ 0x38, ['pointer', ['void']]], 'GlobalEntry' : [ 0x3c, ['_SINGLE_LIST_ENTRY']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x120, { 'IdleFunction' : [ 0x0, ['pointer', ['void']]], 'Idle0KernelTimeLimit' : [ 0x4, ['unsigned long']], 'Idle0LastTime' : [ 0x8, ['unsigned long']], 'IdleHandlers' : [ 0xc, ['pointer', ['void']]], 'IdleState' : [ 0x10, ['pointer', ['void']]], 'IdleHandlersCount' : [ 0x14, ['unsigned long']], 'LastCheck' : [ 0x18, 
['unsigned long long']], 'IdleTimes' : [ 0x20, ['PROCESSOR_IDLE_TIMES']], 'IdleTime1' : [ 0x40, ['unsigned long']], 'PromotionCheck' : [ 0x44, ['unsigned long']], 'IdleTime2' : [ 0x48, ['unsigned long']], 'CurrentThrottle' : [ 0x4c, ['unsigned char']], 'ThermalThrottleLimit' : [ 0x4d, ['unsigned char']], 'CurrentThrottleIndex' : [ 0x4e, ['unsigned char']], 'ThermalThrottleIndex' : [ 0x4f, ['unsigned char']], 'LastKernelUserTime' : [ 0x50, ['unsigned long']], 'LastIdleThreadKernelTime' : [ 0x54, ['unsigned long']], 'PackageIdleStartTime' : [ 0x58, ['unsigned long']], 'PackageIdleTime' : [ 0x5c, ['unsigned long']], 'DebugCount' : [ 0x60, ['unsigned long']], 'LastSysTime' : [ 0x64, ['unsigned long']], 'TotalIdleStateTime' : [ 0x68, ['array', 3, ['unsigned long long']]], 'TotalIdleTransitions' : [ 0x80, ['array', 3, ['unsigned long']]], 'PreviousC3StateTime' : [ 0x90, ['unsigned long long']], 'KneeThrottleIndex' : [ 0x98, ['unsigned char']], 'ThrottleLimitIndex' : [ 0x99, ['unsigned char']], 'PerfStatesCount' : [ 0x9a, ['unsigned char']], 'ProcessorMinThrottle' : [ 0x9b, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x9c, ['unsigned char']], 'EnableIdleAccounting' : [ 0x9d, ['unsigned char']], 'LastC3Percentage' : [ 0x9e, ['unsigned char']], 'LastAdjustedBusyPercentage' : [ 0x9f, ['unsigned char']], 'PromotionCount' : [ 0xa0, ['unsigned long']], 'DemotionCount' : [ 0xa4, ['unsigned long']], 'ErrorCount' : [ 0xa8, ['unsigned long']], 'RetryCount' : [ 0xac, ['unsigned long']], 'Flags' : [ 0xb0, ['unsigned long']], 'PerfCounterFrequency' : [ 0xb8, ['_LARGE_INTEGER']], 'PerfTickCount' : [ 0xc0, ['unsigned long']], 'PerfTimer' : [ 0xc8, ['_KTIMER']], 'PerfDpc' : [ 0xf0, ['_KDPC']], 'PerfStates' : [ 0x110, ['pointer', ['PROCESSOR_PERF_STATE']]], 'PerfSetThrottle' : [ 0x114, ['pointer', ['void']]], 'LastC3KernelUserTime' : [ 0x118, ['unsigned long']], 'LastPackageIdleTime' : [ 0x11c, ['unsigned long']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned 
long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x4, { 'Modified' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 7, native_type='unsigned long')]], 'ParityError' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 11, native_type='unsigned long')]], 'RemovalRequested' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 14, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'LockCharged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], } ], '_IO_COUNTERS' : [ 0x30, { 'ReadOperationCount' : [ 0x0, ['unsigned long long']], 'WriteOperationCount' : [ 0x8, ['unsigned long long']], 'OtherOperationCount' : [ 0x10, ['unsigned long long']], 'ReadTransferCount' : [ 0x18, ['unsigned long long']], 'WriteTransferCount' : [ 0x20, ['unsigned long long']], 'OtherTransferCount' : [ 0x28, ['unsigned long long']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 
'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x4c, { 'IdleCount' : [ 0x0, ['unsigned long']], 'ConservationIdleTime' : [ 0x4, ['unsigned long']], 'PerformanceIdleTime' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x10, ['_LIST_ENTRY']], 'DeviceType' : [ 0x18, ['unsigned char']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 
'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x20, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x28, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x30, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x44, ['_LIST_ENTRY']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingTrimmed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SessionLeader' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'AddressSpaceBeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned long')]], 'AllowWorkingSetAdjustment' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'MemoryPriority' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, 
['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POP_THERMAL_ZONE' : [ 0xd0, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x8, ['unsigned char']], 'Flags' : [ 0x9, ['unsigned char']], 'Mode' : [ 0xa, ['unsigned char']], 'PendingMode' : [ 0xb, 
['unsigned char']], 'ActivePoint' : [ 0xc, ['unsigned char']], 'PendingActivePoint' : [ 0xd, ['unsigned char']], 'Throttle' : [ 0x10, ['long']], 'LastTime' : [ 0x18, ['unsigned long long']], 'SampleRate' : [ 0x20, ['unsigned long']], 'LastTemp' : [ 0x24, ['unsigned long']], 'PassiveTimer' : [ 0x28, ['_KTIMER']], 'PassiveDpc' : [ 0x50, ['_KDPC']], 'OverThrottled' : [ 0x70, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0x7c, ['pointer', ['_IRP']]], 'Info' : [ 0x80, ['_THERMAL_INFORMATION']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_PROCESSOR_POWER_POLICY' : [ 0x4c, { 'Revision' : [ 0x0, ['unsigned long']], 'DynamicThrottle' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'DisableCStates' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'PolicyCount' : [ 0xc, ['unsigned long']], 'Policy' : [ 0x10, ['array', 3, ['_PROCESSOR_POWER_POLICY_INFO']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_OWNER_ENTRY' : [ 
0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'OwnerCount' : [ 0x4, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], '_RTL_ATOM_TABLE' : [ 0x44, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x4, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x1c, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x3c, ['unsigned long']], 'Buckets' : [ 0x40, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_FNSAVE_FORMAT' : [ 0x6c, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 
5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PROCESSOR_PERF_STATE' : [ 0x20, { 'PercentFrequency' : [ 0x0, ['unsigned char']], 'MinCapacity' : [ 0x1, ['unsigned char']], 'Power' : [ 0x2, ['unsigned short']], 'IncreaseLevel' : [ 0x4, ['unsigned char']], 'DecreaseLevel' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'IncreaseTime' : [ 0x8, ['unsigned long']], 'DecreaseTime' : [ 0xc, ['unsigned long']], 'IncreaseCount' : [ 0x10, ['unsigned long']], 'DecreaseCount' : [ 0x14, ['unsigned long']], 'PerformanceTime' : [ 0x18, ['unsigned long long']], } ], 'PROCESSOR_IDLE_TIMES' : [ 0x20, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], 'IdleHandlerReserved' : [ 0x10, ['array', 4, ['unsigned long']]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_MMPTE_LIST' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OneEntry' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_CMHIVE' : [ 0x49c, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x210, ['array', 3, ['pointer', ['void']]]], 'NotifyList' : [ 0x21c, ['_LIST_ENTRY']], 'HiveList' : [ 0x224, ['_LIST_ENTRY']], 'HiveLock' : [ 0x22c, ['pointer', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x230, ['pointer', ['_FAST_MUTEX']]], 'LRUViewListHead' : [ 0x234, ['_LIST_ENTRY']], 'PinViewListHead' : [ 0x23c, ['_LIST_ENTRY']], 'FileObject' : [ 0x244, ['pointer', ['_FILE_OBJECT']]], 'FileFullPath' : [ 0x248, ['_UNICODE_STRING']], 'FileUserName' : [ 0x250, ['_UNICODE_STRING']], 'MappedViews' : [ 0x258, ['unsigned short']], 'PinnedViews' : [ 0x25a, ['unsigned short']], 'UseCount' : [ 0x25c, ['unsigned long']], 'SecurityCount' : [ 0x260, ['unsigned long']], 'SecurityCacheSize' : [ 0x264, ['unsigned long']], 'SecurityHitHint' : [ 0x268, ['long']], 'SecurityCache' : [ 0x26c, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x270, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEvent' : [ 0x470, ['pointer', ['_KEVENT']]], 'RootKcb' : [ 0x474, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x478, ['unsigned char']], 'UnloadWorkItem' : [ 0x47c, ['pointer', ['_WORK_QUEUE_ITEM']]], 'GrowOnlyMode' : [ 0x480, ['unsigned char']], 'GrowOffset' : [ 0x484, ['unsigned long']], 'KcbConvertListHead' : [ 0x488, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0x490, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x498, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x50004, { 'CurrentStackIndex' : [ 0x0, 
['unsigned long']], 'TraceDb' : [ 0x4, ['array', 4096, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_HHIVE' : [ 0x210, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]], 'Allocate' : [ 0xc, ['pointer', ['void']]], 'Free' : [ 0x10, ['pointer', ['void']]], 'FileSetSize' : [ 0x14, ['pointer', ['void']]], 'FileWrite' : [ 0x18, ['pointer', ['void']]], 'FileRead' : [ 0x1c, ['pointer', ['void']]], 'FileFlush' : [ 0x20, ['pointer', ['void']]], 'BaseBlock' : [ 0x24, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x28, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x30, ['unsigned long']], 'DirtyAlloc' : [ 0x34, ['unsigned long']], 'RealWrites' : [ 0x38, ['unsigned char']], 'Cluster' : [ 0x3c, ['unsigned long']], 'Flat' : [ 0x40, ['unsigned char']], 'ReadOnly' : [ 0x41, ['unsigned char']], 'Log' : [ 0x42, ['unsigned char']], 'HiveFlags' : [ 0x44, ['unsigned long']], 'LogSize' : [ 0x48, ['unsigned long']], 'RefreshCount' : [ 0x4c, ['unsigned long']], 'StorageTypeCount' : [ 0x50, ['unsigned long']], 'Version' : [ 0x54, ['unsigned long']], 'Storage' : [ 0x58, ['array', 2, ['_DUAL']]], } ], '_PAGEFAULT_HISTORY' : [ 0x18, { 'CurrentIndex' : [ 0x0, ['unsigned long']], 'MaxIndex' : [ 0x4, ['unsigned long']], 'SpinLock' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['pointer', ['void']]], 'WatchInfo' : [ 0x10, ['array', 1, ['_PROCESS_WS_WATCH_INFORMATION']]], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x10, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'ReferenceCount' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'NameLength' : [ 0xb, ['unsigned char']], 'Name' : [ 0xc, ['array', 1, ['unsigned short']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Filler0' : [ 0x0, ['BitField', dict(start_bit = 
1, end_bit = 4, native_type='unsigned long')]], 'HasWsLock' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_WMI_BUFFER_STATE' : [ 0x4, { 'Free' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'InUse' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Flush' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_MMFREE_POOL_ENTRY' : [ 0x14, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Size' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], 'Owner' : [ 0x10, ['pointer', ['_MMFREE_POOL_ENTRY']]], } ], 
'__unnamed_143b' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_143b']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_MBCB' : [ 0x80, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'BitmapRange1' : [ 0x20, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x40, 
['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x60, ['_BITMAP_RANGE']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0xc, ['_LIST_ENTRY']], } ], '_CM_VIEW_OF_FILE' : [ 0x24, { 'LRUViewList' : [ 0x0, ['_LIST_ENTRY']], 'PinViewList' : [ 0x8, ['_LIST_ENTRY']], 'FileOffset' : [ 0x10, ['unsigned long']], 'Size' : [ 0x14, ['unsigned long']], 'ViewAddress' : [ 0x18, ['pointer', ['unsigned long']]], 'Bcb' : [ 0x1c, ['pointer', ['void']]], 'UseCount' : [ 0x20, ['unsigned long']], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_KUSER_SHARED_DATA' : [ 0x338, { 'TickCountLow' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['unsigned short']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'Reserved2' : [ 0x244, ['array', 8, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 
'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'TraceLogging' : [ 0x2f0, ['unsigned long']], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x4c, { 'Length' : [ 0x0, ['unsigned short']], 'UseDefaultObject' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x3, ['unsigned char']], 'InvalidAttributes' : [ 0x4, ['unsigned long']], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x18, ['unsigned long']], 'SecurityRequired' : [ 0x1c, ['unsigned char']], 'MaintainHandleCount' : [ 0x1d, ['unsigned char']], 'MaintainTypeList' : [ 0x1e, ['unsigned char']], 'PoolType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 
0x24, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DumpProcedure' : [ 0x2c, ['pointer', ['void']]], 'OpenProcedure' : [ 0x30, ['pointer', ['void']]], 'CloseProcedure' : [ 0x34, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x38, ['pointer', ['void']]], 'ParseProcedure' : [ 0x3c, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x40, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x44, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x48, ['pointer', ['void']]], } ], '__unnamed_1481' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'u' : [ 0x4, ['__unnamed_1481']], 'StartingSector' : [ 0x8, ['unsigned long']], 'NumberOfFullSectors' : [ 0xc, ['unsigned long']], 'SubsectionBase' : [ 0x10, ['pointer', ['_MMPTE']]], 'UnusedPtes' : [ 0x14, ['unsigned long']], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'NextSubsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], } ], '_WMI_LOGGER_MODE' : [ 0x4, { 'SequentialFile' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CircularFile' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'AppendFile' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'RealTime' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DelayOpenFile' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'BufferOnly' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'PrivateLogger' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'AddHeader' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 
'UseExisting' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'UseGlobalSequence' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'UseLocalSequence' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'Unused2' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '__unnamed_1492' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_1495' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '__unnamed_1498' : [ 0x8, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_149e' : [ 0x4, { 'Banked' : [ 0x0, ['pointer', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x34, { 'StartingVpn' : [ 0x0, ['unsigned long']], 'EndingVpn' : [ 0x4, ['unsigned long']], 'Parent' : [ 0x8, ['pointer', ['_MMVAD']]], 'LeftChild' : [ 0xc, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer', ['_MMVAD']]], 'u' : [ 0x14, ['__unnamed_1492']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x1c, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x20, ['pointer', ['_MMPTE']]], 'u2' : [ 0x24, ['__unnamed_1495']], 'u3' : [ 0x28, ['__unnamed_1498']], 'u4' : [ 0x30, ['__unnamed_149e']], } ], '_MMVAD_FLAGS' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 19, 
native_type='unsigned long')]], 'PhysicalMapping' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'ImageMap' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'UserPhysicalPages' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'WriteWatch' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 29, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_POOL_DESCRIPTOR' : [ 0x1028, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['unsigned long']], 'RunningDeAllocs' : [ 0xc, ['unsigned long']], 'TotalPages' : [ 0x10, ['unsigned long']], 'TotalBigPages' : [ 0x14, ['unsigned long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x1c, ['pointer', ['void']]], 'PendingFrees' : [ 0x20, ['pointer', ['void']]], 'PendingFreeDepth' : [ 0x24, ['long']], 'ListHeads' : [ 0x28, ['array', 512, ['_LIST_ENTRY']]], } ], '_HARDWARE_PTE' : [ 0x4, { 
'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'reserved' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_PEB_LDR_DATA' : [ 0x28, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, 
['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_MM_PAGED_POOL_INFO' : [ 0x24, { 'PagedPoolAllocationMap' : [ 0x0, ['pointer', ['_RTL_BITMAP']]], 'EndOfPagedPoolBitmap' : [ 0x4, ['pointer', ['_RTL_BITMAP']]], 'PagedPoolLargeSessionAllocationMap' : [ 0x8, ['pointer', ['_RTL_BITMAP']]], 'FirstPteForPagedPool' : [ 0xc, ['pointer', ['_MMPTE']]], 'LastPteForPagedPool' : [ 0x10, ['pointer', ['_MMPTE']]], 'NextPdeForPagedPoolExpansion' : [ 0x14, ['pointer', ['_MMPTE']]], 'PagedPoolHint' : [ 0x18, ['unsigned long']], 'PagedPoolCommit' : [ 0x1c, ['unsigned long']], 'AllocatedPagedPool' : [ 0x20, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['unsigned short']]], } ], '_MMSESSION' : [ 0x3c, { 'SystemSpaceViewLock' : [ 0x0, ['_FAST_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', ['_FAST_MUTEX']]], 'SystemSpaceViewStart' : [ 0x24, ['pointer', ['unsigned char']]], 'SystemSpaceViewTable' : [ 0x28, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x30, ['unsigned long']], 
'SystemSpaceHashKey' : [ 0x34, ['unsigned long']], 'SystemSpaceBitMap' : [ 0x38, ['pointer', ['_RTL_BITMAP']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0xc, { 'Va' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long']], } ], '_PROCESS_WS_WATCH_INFORMATION' : [ 0x8, { 'FaultingPc' : [ 0x0, ['pointer', ['void']]], 'FaultingVa' : [ 0x4, ['pointer', ['void']]], } ], '_MMPTE_SUBSECTION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SubsectionAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SubsectionAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 31, native_type='unsigned long')]], 'WhichPool' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_VI_DEADLOCK_NODE' : [ 0x68, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', 
['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'Active' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SequenceNumber' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x28, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x48, ['array', 8, ['pointer', ['void']]]], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 
'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_PCI_PDO_EXTENSION' : [ 0xc8, { 'Next' : [ 0x0, ['pointer', ['_PCI_PDO_EXTENSION']]], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 
'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtLock' : [ 0x10, ['_KEVENT']], 'Slot' : [ 0x20, ['_PCI_SLOT_NUMBER']], 'PhysicalDeviceObject' : [ 0x24, ['pointer', ['_DEVICE_OBJECT']]], 'ParentFdoExtension' : [ 0x28, ['pointer', ['_PCI_FDO_EXTENSION']]], 'SecondaryExtension' : [ 0x2c, ['_SINGLE_LIST_ENTRY']], 'BusInterfaceReferenceCount' : [ 0x30, ['unsigned long']], 'AgpInterfaceReferenceCount' : [ 0x34, ['unsigned long']], 'VendorId' : [ 0x38, ['unsigned short']], 'DeviceId' : [ 0x3a, ['unsigned short']], 'SubsystemVendorId' : [ 0x3c, ['unsigned short']], 'SubsystemId' : [ 0x3e, ['unsigned short']], 'RevisionId' : [ 0x40, ['unsigned char']], 'ProgIf' : [ 0x41, ['unsigned char']], 'SubClass' : [ 0x42, ['unsigned char']], 'BaseClass' : [ 0x43, ['unsigned char']], 'AdditionalResourceCount' : [ 0x44, ['unsigned char']], 'AdjustedInterruptLine' : [ 0x45, ['unsigned char']], 'InterruptPin' : [ 0x46, ['unsigned char']], 'RawInterruptLine' : [ 0x47, ['unsigned char']], 'CapabilitiesPtr' : [ 0x48, ['unsigned char']], 'SavedLatencyTimer' : [ 0x49, ['unsigned char']], 'SavedCacheLineSize' : [ 0x4a, ['unsigned char']], 'HeaderType' : [ 0x4b, ['unsigned char']], 'NotPresent' : [ 0x4c, ['unsigned char']], 'ReportedMissing' : [ 0x4d, ['unsigned char']], 'ExpectedWritebackFailure' : [ 0x4e, ['unsigned char']], 'NoTouchPmeEnable' : [ 0x4f, ['unsigned char']], 'LegacyDriver' : [ 0x50, ['unsigned char']], 'UpdateHardware' : [ 0x51, ['unsigned char']], 'MovedDevice' : [ 0x52, ['unsigned char']], 'DisablePowerDown' : [ 0x53, ['unsigned char']], 'NeedsHotPlugConfiguration' : [ 0x54, ['unsigned char']], 'SwitchedIDEToNativeMode' : [ 0x55, ['unsigned char']], 'BIOSAllowsIDESwitchToNativeMode' : [ 0x56, ['unsigned char']], 'IoSpaceUnderNativeIdeControl' : 
[ 0x57, ['unsigned char']], 'OnDebugPath' : [ 0x58, ['unsigned char']], 'PowerState' : [ 0x5c, ['PCI_POWER_STATE']], 'Dependent' : [ 0x9c, ['PCI_HEADER_TYPE_DEPENDENT']], 'HackFlags' : [ 0xa0, ['unsigned long long']], 'Resources' : [ 0xa8, ['pointer', ['PCI_FUNCTION_RESOURCES']]], 'BridgeFdoExtension' : [ 0xac, ['pointer', ['_PCI_FDO_EXTENSION']]], 'NextBridge' : [ 0xb0, ['pointer', ['_PCI_PDO_EXTENSION']]], 'NextHashEntry' : [ 0xb4, ['pointer', ['_PCI_PDO_EXTENSION']]], 'Lock' : [ 0xb8, ['_PCI_LOCK']], 'PowerCapabilities' : [ 0xc0, ['_PCI_PMC']], 'TargetAgpCapabilityId' : [ 0xc2, ['unsigned char']], 'CommandEnables' : [ 0xc4, ['unsigned short']], 'InitialCommand' : [ 0xc6, ['unsigned short']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Type' : [ 0x8, ['pointer', ['_OBJECT_TYPE']]], 'NameInfoOffset' : [ 0xc, ['unsigned char']], 'HandleInfoOffset' : [ 0xd, ['unsigned char']], 'QuotaInfoOffset' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_QUAD' : [ 0x8, { 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '__unnamed_150f' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1511' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], 
'_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_150f']], 'Merged' : [ 0x10, ['__unnamed_1511']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x14, ['unsigned char']], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_KPROCESS' : [ 0x6c, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['array', 2, ['unsigned long']]], 'LdtDescriptor' : [ 0x20, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x28, ['_KIDTENTRY']], 'IopmOffset' : [ 0x30, ['unsigned short']], 'Iopl' : [ 0x32, ['unsigned char']], 'Unused' : [ 0x33, ['unsigned char']], 'ActiveProcessors' : [ 0x34, ['unsigned long']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ReadyListHead' : [ 0x40, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x48, ['_SINGLE_LIST_ENTRY']], 'VdmTrapcHandler' : [ 0x4c, 
['pointer', ['void']]], 'ThreadListHead' : [ 0x50, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x58, ['unsigned long']], 'Affinity' : [ 0x5c, ['unsigned long']], 'StackCount' : [ 0x60, ['unsigned short']], 'BasePriority' : [ 0x62, ['unsigned char']], 'ThreadQuantum' : [ 0x63, ['unsigned char']], 'AutoAlignment' : [ 0x64, ['unsigned char']], 'State' : [ 0x65, ['unsigned char']], 'ThreadSeed' : [ 0x66, ['unsigned char']], 'DisableBoost' : [ 0x67, ['unsigned char']], 'PowerState' : [ 0x68, ['unsigned char']], 'DisableQuantum' : [ 0x69, ['unsigned char']], 'IdealNode' : [ 0x6a, ['unsigned char']], 'Flags' : [ 0x6b, ['_KEXECUTE_OPTIONS']], 'ExecuteOptions' : [ 0x6b, ['unsigned char']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x20, { 'BasePhysicalPage' : [ 0x0, ['unsigned long']], 'BasedPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'BankSize' : [ 0x8, ['unsigned long']], 'BankShift' : [ 0xc, ['unsigned long']], 'BankedRoutine' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'CurrentMappedPte' : [ 0x18, ['pointer', ['_MMPTE']]], 'BankTemplate' : [ 0x1c, ['array', 1, ['_MMPTE']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 
0x10, ['unsigned long']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '__unnamed_153a' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_1541' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]],
'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1543' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_153a']], 'Bits' : [ 0x0, ['__unnamed_1541']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_1543']], } ], '__unnamed_154d' : [ 0x5, { 'Acquired' : [ 0x0, ['unsigned char']], 'CacheLineSize' : [ 0x1, ['unsigned char']], 'LatencyTimer' : [ 0x2, ['unsigned char']], 'EnablePERR' : [ 0x3, ['unsigned char']], 'EnableSERR' : [ 0x4, ['unsigned char']], } ], '_PCI_FDO_EXTENSION' : [ 0xc0, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtLock' : [ 0x10, ['_KEVENT']], 'PhysicalDeviceObject' : [ 0x20, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalDeviceObject' : [ 0x24, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDeviceObject' : [ 0x28,
['pointer', ['_DEVICE_OBJECT']]], 'ChildListLock' : [ 0x2c, ['_KEVENT']], 'ChildPdoList' : [ 0x3c, ['pointer', ['_PCI_PDO_EXTENSION']]], 'BusRootFdoExtension' : [ 0x40, ['pointer', ['_PCI_FDO_EXTENSION']]], 'ParentFdoExtension' : [ 0x44, ['pointer', ['_PCI_FDO_EXTENSION']]], 'ChildBridgePdoList' : [ 0x48, ['pointer', ['_PCI_PDO_EXTENSION']]], 'PciBusInterface' : [ 0x4c, ['pointer', ['_PCI_BUS_INTERFACE_STANDARD']]], 'MaxSubordinateBus' : [ 0x50, ['unsigned char']], 'BusHandler' : [ 0x54, ['pointer', ['_BUS_HANDLER']]], 'BaseBus' : [ 0x58, ['unsigned char']], 'Fake' : [ 0x59, ['unsigned char']], 'ChildDelete' : [ 0x5a, ['unsigned char']], 'Scanned' : [ 0x5b, ['unsigned char']], 'ArbitersInitialized' : [ 0x5c, ['unsigned char']], 'BrokenVideoHackApplied' : [ 0x5d, ['unsigned char']], 'Hibernated' : [ 0x5e, ['unsigned char']], 'PowerState' : [ 0x60, ['PCI_POWER_STATE']], 'SecondaryExtension' : [ 0xa0, ['_SINGLE_LIST_ENTRY']], 'ChildWaitWakeCount' : [ 0xa4, ['unsigned long']], 'PreservedConfig' : [ 0xa8, ['pointer', ['_PCI_COMMON_CONFIG']]], 'Lock' : [ 0xac, ['_PCI_LOCK']], 'HotPlugParameters' : [ 0xb4, ['__unnamed_154d']], 'BusHackFlags' : [ 0xbc, ['unsigned long']], } ], '__unnamed_1551' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1553' : [ 0xc, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1555' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1557' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1559' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_155b' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_155d' : 
[ 0xc, { 'Generic' : [ 0x0, ['__unnamed_1551']], 'Port' : [ 0x0, ['__unnamed_1551']], 'Interrupt' : [ 0x0, ['__unnamed_1553']], 'Memory' : [ 0x0, ['__unnamed_1551']], 'Dma' : [ 0x0, ['__unnamed_1555']], 'DevicePrivate' : [ 0x0, ['__unnamed_1557']], 'BusNumber' : [ 0x0, ['__unnamed_1559']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_155b']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_155d']], } ], '_SYSPTES_HEADER' : [ 0xc, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x8, ['unsigned long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x50, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0xc, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x14, ['unsigned long']], 'ParentKcb' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x1c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 
'CachedSecurity' : [ 0x20, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x24, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x2c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x2c, ['unsigned long']], 'SubKeyCount' : [ 0x2c, ['unsigned long']], 'KeyBodyListHead' : [ 0x30, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x30, ['_LIST_ENTRY']], 'KcbLastWriteTime' : [ 0x38, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x40, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x42, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x44, ['unsigned long']], 'KcbUserFlags' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x48, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x48, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x48, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], } ], '_KDPC' : [ 0x20, { 'Type' : [ 0x0, ['short']], 'Number' : [ 0x2, ['unsigned char']], 'Importance' : [ 0x3, ['unsigned char']], 'DpcListEntry' : [ 0x4, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'Lock' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_PCI_BUS_INTERFACE_STANDARD' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ReadConfig' : [ 0x10, ['pointer', ['void']]], 'WriteConfig' : [ 0x14, ['pointer', ['void']]], 'PinToLine' : [ 0x18, ['pointer', ['void']]], 'LineToPin' : [ 0x1c, ['pointer', ['void']]], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, 
['pointer', ['void']]], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'Level' : [ 0x10, ['unsigned long']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['long']], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '__unnamed_159b' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_15a2' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_15a4' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_15a2']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_15a9' : [ 0x28, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_15ab' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_15a9']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, 
['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_159b']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_15a4']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_15ab']], } ], '_PCI_LOCK' : [ 0x8, { 'Atom' : [ 0x0, ['unsigned long']], 'OldIrql' : [ 0x4, ['unsigned char']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '__unnamed_15b4' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_15b4']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '__unnamed_15ba' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0xc, { 'Type' : 
[ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyInitiatePowerActionAPI', 4: 'PolicySetPowerStateAPI', 5: 'PolicyImmediateDozeS4', 6: 'PolicySystemIdle'})]], 'Flags' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'Battery' : [ 0x8, ['__unnamed_15ba']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 
0x6c, ['pointer', ['void']]], } ], '_ETIMER' : [ 0x98, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x28, ['_KAPC']], 'TimerDpc' : [ 0x58, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lock' : [ 0x80, ['unsigned long']], 'Period' : [ 0x84, ['long']], 'ApcAssociated' : [ 0x88, ['unsigned char']], 'WakeTimer' : [ 0x89, ['unsigned char']], 'WakeTimerListEntry' : [ 0x8c, ['_LIST_ENTRY']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PCI_PMC' : [ 0x2, { 'Version' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PMEClock' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Rsvd1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DeviceSpecificInitialization' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Support' : [ 0x1, ['_PM_SUPPORT']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '__unnamed_161d' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_161d']], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x290, { 'MaximumLength' : [ 0x0, ['unsigned long']], 
'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 
'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockFastMutex', 3: 'VfDeadlockFastMutexUnsafe', 4: 'VfDeadlockSpinLock', 5: 'VfDeadlockQueuedSpinLock', 6: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_PEB_FREE_BLOCK' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_PEB_FREE_BLOCK']]], 'Size' : [ 0x4, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x28, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'WakeNeeded' : [ 0xc, ['unsigned char']], 'OrderLevel' : [ 0xd, ['unsigned char']], 'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'Node' : [ 0x14, ['pointer', ['void']]], 'DeviceName' : [ 0x18, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x1c, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x20, ['unsigned long']], 'ActiveChild' : [ 0x24, ['unsigned long']], } ], '_MMPFNLIST' : [ 0x10, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', 
dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], } ], '__unnamed_1649' : [ 0x4, { 'Spare' : [ 0x0, ['array', 4, ['unsigned char']]], } ], '__unnamed_164b' : [ 0x4, { 'PrimaryBus' : [ 0x0, ['unsigned char']], 'SecondaryBus' : [ 0x1, ['unsigned char']], 'SubordinateBus' : [ 0x2, ['unsigned char']], 'SubtractiveDecode' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsaBitSet' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'VgaBitSet' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'WeChangedBusNumbers' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsaBitRequired' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], } ], 'PCI_HEADER_TYPE_DEPENDENT' : [ 0x4, { 'type0' : [ 0x0, ['__unnamed_1649']], 'type1' : [ 0x0, ['__unnamed_164b']], 'type2' : [ 0x0, ['__unnamed_164b']], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'QueryReferences' : [ 0xc, ['unsigned long']], } ], '_KINTERRUPT' : [ 0x1e4, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'ServiceContext' : [ 0x10, ['pointer', ['void']]], 'SpinLock' : [ 0x14, ['unsigned long']], 'TickCount' : [ 0x18, ['unsigned long']], 'ActualLock' : [ 0x1c, ['pointer', 
['unsigned long']]], 'DispatchAddress' : [ 0x20, ['pointer', ['void']]], 'Vector' : [ 0x24, ['unsigned long']], 'Irql' : [ 0x28, ['unsigned char']], 'SynchronizeIrql' : [ 0x29, ['unsigned char']], 'FloatingSave' : [ 0x2a, ['unsigned char']], 'Connected' : [ 0x2b, ['unsigned char']], 'Number' : [ 0x2c, ['unsigned char']], 'ShareVector' : [ 0x2d, ['unsigned char']], 'Mode' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'ServiceCount' : [ 0x34, ['unsigned long']], 'DispatchCount' : [ 0x38, ['unsigned long']], 'DispatchCode' : [ 0x3c, ['array', 106, ['unsigned long']]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_PCI_ARBITER_INSTANCE' : [ 0xe0, { 'Header' : [ 0x0, ['PCI_SECONDARY_EXTENSION']], 'Interface' : [ 0xc, ['pointer', ['_PCI_INTERFACE']]], 'BusFdoExtension' : [ 0x10, ['pointer', ['_PCI_FDO_EXTENSION']]], 'InstanceName' : [ 0x14, ['array', 24, ['unsigned short']]], 'CommonInstance' : [ 0x44, ['_ARBITER_INSTANCE']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_MMPAGING_FILE' : [ 0x44, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, 
['unsigned long']], 'CurrentUsage' : [ 0x10, ['unsigned long']], 'PeakUsage' : [ 0x14, ['unsigned long']], 'Hint' : [ 0x18, ['unsigned long']], 'HighestPage' : [ 0x1c, ['unsigned long']], 'Entry' : [ 0x20, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'Bitmap' : [ 0x28, ['pointer', ['_RTL_BITMAP']]], 'File' : [ 0x2c, ['pointer', ['_FILE_OBJECT']]], 'PageFileName' : [ 0x30, ['_UNICODE_STRING']], 'PageFileNumber' : [ 0x38, ['unsigned long']], 'Extended' : [ 0x3c, ['unsigned char']], 'HintSetToZero' : [ 0x3d, ['unsigned char']], 'BootPartition' : [ 0x3e, ['unsigned char']], 'FileHandle' : [ 0x40, ['pointer', ['void']]], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_PCI_MJ_DISPATCH_TABLE' : [ 0x20, { 'PnpIrpMaximumMinorFunction' : [ 0x0, ['unsigned long']], 'PnpIrpDispatchTable' : [ 0x4, ['pointer', ['_PCI_MN_DISPATCH_TABLE']]], 'PowerIrpMaximumMinorFunction' : [ 0x8, ['unsigned long']], 'PowerIrpDispatchTable' : [ 0xc, ['pointer', ['_PCI_MN_DISPATCH_TABLE']]], 'SystemControlIrpDispatchStyle' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'SystemControlIrpDispatchFunction' : [ 0x14, ['pointer', ['void']]], 'OtherIrpDispatchStyle' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'OtherIrpDispatchFunction' : [ 0x1c, ['pointer', ['void']]], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', 
['_DEVICE_OBJECT']]], } ], '_FXSAVE_FORMAT' : [ 0x208, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned short']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned long']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned long']], 'MXCsr' : [ 0x18, ['unsigned long']], 'MXCsrMask' : [ 0x1c, ['unsigned long']], 'RegisterArea' : [ 0x20, ['array', 128, ['unsigned char']]], 'Reserved3' : [ 0xa0, ['array', 128, ['unsigned char']]], 'Reserved4' : [ 0x120, ['array', 224, ['unsigned char']]], 'Align16Byte' : [ 0x200, ['array', 8, ['unsigned char']]], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_OBJECT_DIRECTORY' : [ 0xa4, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'SessionId' : [ 0x9c, ['unsigned long']], 'Reserved' : [ 0xa0, ['unsigned short']], 'SymbolicLinkUsageCount' : [ 0xa2, ['unsigned short']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x30, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' 
: [ 0x4, ['pointer', ['void']]], 'ParseContext' : [ 0x8, ['pointer', ['void']]], 'ProbeMode' : [ 0xc, ['unsigned char']], 'PagedPoolCharge' : [ 0x10, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x1c, ['pointer', ['void']]], 'SecurityQos' : [ 0x20, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x24, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_WMI_CLIENT_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_MMWSL' : [ 0x69c, { 'Quota' : [ 0x0, ['unsigned long']], 'FirstFree' : [ 0x4, ['unsigned long']], 'FirstDynamic' : [ 0x8, ['unsigned 
long']], 'LastEntry' : [ 0xc, ['unsigned long']], 'NextSlot' : [ 0x10, ['unsigned long']], 'Wsle' : [ 0x14, ['pointer', ['_MMWSLE']]], 'LastInitializedWsle' : [ 0x18, ['unsigned long']], 'NonDirectCount' : [ 0x1c, ['unsigned long']], 'HashTable' : [ 0x20, ['pointer', ['_MMWSLE_HASH']]], 'HashTableSize' : [ 0x24, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x28, ['unsigned long']], 'HashTableStart' : [ 0x2c, ['pointer', ['void']]], 'HighestPermittedHashAddress' : [ 0x30, ['pointer', ['void']]], 'NumberOfImageWaiters' : [ 0x34, ['unsigned long']], 'VadBitMapHint' : [ 0x38, ['unsigned long']], 'UsedPageTableEntries' : [ 0x3c, ['array', 768, ['unsigned short']]], 'CommittedPageTables' : [ 0x63c, ['array', 24, ['unsigned long']]], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], 'PCI_FUNCTION_RESOURCES' : [ 0x150, { 'Limit' : [ 0x0, ['array', 7, ['_IO_RESOURCE_DESCRIPTOR']]], 'Current' : [ 0xe0, ['array', 7, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WNODE_HEADER' : [ 0x30, { 'BufferSize' : [ 0x0, ['unsigned long']], 'ProviderId' : [ 0x4, ['unsigned long']], 'HistoricalContext' : [ 0x8, ['unsigned long long']], 'Version' : [ 0x8, ['unsigned long']], 'Linkage' : [ 0xc, ['unsigned long']], 'CountLost' : [ 0x10, ['unsigned long']], 'KernelHandle' : [ 0x10, ['pointer', ['void']]], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '__unnamed_16c4' : [ 0x4, { 
'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_16c8' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x40, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'NonExtendedPtes' : [ 0x8, ['unsigned long']], 'WritableUserReferences' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'SegmentPteTemplate' : [ 0x18, ['_MMPTE']], 'NumberOfCommittedPages' : [ 0x1c, ['unsigned long']], 'ExtendInfo' : [ 0x20, ['pointer', ['_MMEXTEND_INFO']]], 'SystemImageBase' : [ 0x24, ['pointer', ['void']]], 'BasedAddress' : [ 0x28, ['pointer', ['void']]], 'u1' : [ 0x2c, ['__unnamed_16c4']], 'u2' : [ 0x30, ['__unnamed_16c8']], 'PrototypePte' : [ 0x34, ['pointer', ['_MMPTE']]], 'ThePtes' : [ 0x38, ['array', 1, ['_MMPTE']]], } ], '_PCI_COMMON_EXTENSION' : [ 0x20, { 'Next' : [ 0x0, ['pointer', ['void']]], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x8, ['pointer', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0xc, ['unsigned char']], 'TentativeNextState' : [ 0xd, ['unsigned char']], 'SecondaryExtLock' : [ 0x10, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, 
['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long']], 'PrivateLinks' : [ 0x4c, ['_LIST_ENTRY']], } ], '_RTL_HANDLE_TABLE' : [ 0x20, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x14, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x18, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x1c, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_POP_IDLE_HANDLER' : [ 0x20, { 'Latency' : [ 0x0, ['unsigned long']], 'TimeCheck' : [ 0x4, ['unsigned long']], 'DemoteLimit' : [ 0x8, ['unsigned long']], 'PromoteLimit' : [ 0xc, ['unsigned long']], 'PromoteCount' : [ 0x10, ['unsigned long']], 'Demote' : [ 0x14, ['unsigned char']], 'Promote' : [ 0x15, ['unsigned char']], 'PromotePercent' : [ 0x16, ['unsigned char']], 'DemotePercent' : [ 0x17, ['unsigned char']], 'State' : [ 0x18, ['unsigned char']], 'Spare' : [ 0x19, ['array', 3, ['unsigned char']]], 'IdleFunction' : [ 0x1c, ['pointer', ['void']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, 
['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'spare2' : [ 0x11, ['array', 4, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 
'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_DEVOBJ_EXTENSION' : [ 0x2c, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Cr0NpxState' : [ 0x6c, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_MMVIEW' : [ 0x8, { 'Entry' : [ 0x0, ['unsigned long']], 'ControlArea' : [ 0x4, ['pointer', 
['_CONTROL_AREA']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_TOKEN' : [ 0xa8, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'AuditPolicy' : [ 0x38, ['_SEP_AUDIT_POLICY']], 'ModifiedId' : [ 0x40, ['_LUID']], 'SessionId' : [ 0x48, ['unsigned long']], 'UserAndGroupCount' : [ 0x4c, ['unsigned long']], 'RestrictedSidCount' : [ 0x50, ['unsigned long']], 'PrivilegeCount' : [ 0x54, ['unsigned long']], 'VariableLength' : [ 0x58, ['unsigned long']], 'DynamicCharged' : [ 0x5c, ['unsigned long']], 'DynamicAvailable' : [ 0x60, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x64, ['unsigned long']], 'UserAndGroups' : [ 0x68, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x6c, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x70, ['pointer', ['void']]], 'Privileges' : [ 0x74, ['pointer', ['_LUID_AND_ATTRIBUTES']]], 'DynamicPart' : [ 0x78, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0x7c, ['pointer', ['_ACL']]], 'TokenType' : [ 0x80, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x84, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0x88, ['unsigned long']], 'TokenInUse' : [ 0x8c, ['unsigned char']], 'ProxyData' : [ 0x90, ['pointer', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0x94, ['pointer', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'OriginatingLogonSession' : [ 0x98, ['_LUID']], 'VariablePart' : [ 0xa0, ['unsigned long']], } ], '_TEB' : [ 0xfb8, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 
0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStack' : [ 0x1a8, ['_ACTIVATION_CONTEXT_STACK']], 'SpareBytes1' : [ 0x1bc, ['array', 24, ['unsigned char']]], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['unsigned short']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 
0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorsAreDisabled' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 16, ['pointer', ['void']]]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'InDbgPrint' : [ 0xf74, ['unsigned char']], 'FreeStackOnTermination' : [ 0xf75, ['unsigned char']], 'HasFiberData' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'Spare3' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'Wx86Thread' : [ 0xf88, ['_Wx86ThreadState']], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'SafeThunkCall' : [ 0xfb4, ['unsigned char']], 'BooleanSpare' : [ 0xfb5, ['array', 3, ['unsigned char']]], } ], 'PCI_SECONDARY_EXTENSION' : [ 0xc, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 
'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_AgpTarget'})]], 'Destructor' : [ 0x8, ['pointer', ['void']]], } ], '__unnamed_170f' : [ 0x30, { 'type0' : [ 0x0, ['_PCI_HEADER_TYPE_0']], 'type1' : [ 0x0, ['_PCI_HEADER_TYPE_1']], 'type2' : [ 0x0, ['_PCI_HEADER_TYPE_2']], } ], '_PCI_COMMON_CONFIG' : [ 0x100, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'Command' : [ 0x4, ['unsigned short']], 'Status' : [ 0x6, ['unsigned short']], 'RevisionID' : [ 0x8, ['unsigned char']], 'ProgIf' : [ 0x9, ['unsigned char']], 'SubClass' : [ 0xa, ['unsigned char']], 'BaseClass' : [ 0xb, ['unsigned char']], 'CacheLineSize' : [ 0xc, ['unsigned char']], 'LatencyTimer' : [ 0xd, ['unsigned char']], 'HeaderType' : [ 0xe, ['unsigned char']], 'BIST' : [ 0xf, ['unsigned char']], 'u' : [ 0x10, ['__unnamed_170f']], 'DeviceSpecific' : [ 0x40, ['array', 192, ['unsigned char']]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'Spare1' : [ 0x23, ['unsigned 
char']], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'Reserved' : [ 0x2c, ['array', 1, ['unsigned long']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['unsigned long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_KNODE' : [ 0x30, { 'ProcessorMask' : [ 0x0, ['unsigned long']], 'Color' : [ 0x4, ['unsigned long']], 'MmShiftedColor' : [ 0x8, ['unsigned long']], 'FreeCount' : [ 0xc, ['array', 2, ['unsigned long']]], 'DeadStackList' : [ 0x18, ['_SLIST_HEADER']], 'PfnDereferenceSListHead' : [ 0x20, ['_SLIST_HEADER']], 'PfnDeferredList' : [ 0x28, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'Seed' : [ 0x2c, ['unsigned char']], 'Flags' : [ 0x2d, ['_flags']], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned long']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, 
['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_VI_DEADLOCK_THREAD' : [ 0x1c, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_PCI_INTERFACE' : [ 0x1c, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'MinSize' : [ 0x4, ['unsigned short']], 'MinVersion' : [ 0x6, ['unsigned short']], 'MaxVersion' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 
0xc, ['long']], 'Signature' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_AgpTarget'})]], 'Constructor' : [ 0x14, ['pointer', ['void']]], 'Initializer' : [ 0x18, ['pointer', ['void']]], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_MMVAD' : [ 0x28, { 'StartingVpn' : [ 0x0, ['unsigned long']], 'EndingVpn' : [ 0x4, ['unsigned long']], 'Parent' : [ 0x8, ['pointer', ['_MMVAD']]], 'LeftChild' : [ 0xc, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer', ['_MMVAD']]], 'u' : [ 0x14, ['__unnamed_1492']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x1c, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x20, ['pointer', ['_MMPTE']]], 'u2' : [ 0x24, ['__unnamed_1495']], } ], '__unnamed_1743' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], 'LastByte' : [ 0x0, ['_LARGE_INTEGER']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x58, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'WriteOffset' : [ 0x8, ['_LARGE_INTEGER']], 'u' : [ 0x10, ['__unnamed_1743']], 'Irp' : [ 0x18, ['pointer', ['_IRP']]], 'LastPageToWrite' : [ 0x1c, ['unsigned long']], 'PagingListHead' : [ 0x20, ['pointer', 
['_MMMOD_WRITER_LISTHEAD']]], 'CurrentList' : [ 0x24, ['pointer', ['_LIST_ENTRY']]], 'PagingFile' : [ 0x28, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x2c, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x30, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x34, ['pointer', ['_ERESOURCE']]], 'Mdl' : [ 0x38, ['_MDL']], 'Page' : [ 0x54, ['array', 1, ['unsigned long']]], } ], '_POP_POWER_ACTION' : [ 0x40, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'IrpMinor' : [ 0x14, ['unsigned char']], 'SystemState' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x20, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x24, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x28, ['pointer', ['_POP_HIBER_CONTEXT']]], 
'LastWakeState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WakeTime' : [ 0x30, ['unsigned long long']], 'SleepTime' : [ 0x38, ['unsigned long long']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_MMVAD_SHORT' : [ 0x18, { 'StartingVpn' : [ 0x0, ['unsigned long']], 'EndingVpn' : [ 0x4, ['unsigned long']], 'Parent' : [ 0x8, ['pointer', ['_MMVAD']]], 'LeftChild' : [ 0xc, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer', ['_MMVAD']]], 'u' : [ 0x14, ['__unnamed_1492']], } ], '__unnamed_175f' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_175f']], 'AuditPrivileges' 
: [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'Data' : [ 0x20, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_FAST_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['unsigned char']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x28, { 
'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PROCESSOR_POWER_POLICY_INFO' : [ 0x14, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemoteLimit' : [ 0x4, ['unsigned long']], 'PromoteLimit' : [ 0x8, ['unsigned long']], 'DemotePercent' : [ 0xc, ['unsigned char']], 'PromotePercent' : [ 0xd, ['unsigned char']], 'Spare' : [ 0xe, ['array', 2, ['unsigned char']]], 'AllowDemotion' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AllowPromotion' : [ 0x10, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x10, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_ARBITER_INSTANCE' : [ 0x9c, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0xc, ['long']], 'Allocation' : [ 0x10, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x18, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x20, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x28, ['long']], 'Interface' : [ 0x2c, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x30, ['unsigned long']], 'AllocationStack' : [ 0x34, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x38, ['pointer', ['void']]], 'PackResource' : [ 0x3c, ['pointer', ['void']]], 'UnpackResource' : [ 0x40, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x44, ['pointer', ['void']]], 'TestAllocation' : [ 0x48, ['pointer', ['void']]], 'RetestAllocation' : [ 0x4c, ['pointer', ['void']]], 'CommitAllocation' : [ 0x50, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x54, ['pointer', ['void']]], 'BootAllocation' : [ 0x58, ['pointer', ['void']]], 
'QueryArbitrate' : [ 0x5c, ['pointer', ['void']]], 'QueryConflict' : [ 0x60, ['pointer', ['void']]], 'AddReserved' : [ 0x64, ['pointer', ['void']]], 'StartArbiter' : [ 0x68, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x6c, ['pointer', ['void']]], 'AllocateEntry' : [ 0x70, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x74, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x78, ['pointer', ['void']]], 'AddAllocation' : [ 0x7c, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x80, ['pointer', ['void']]], 'OverrideConflict' : [ 0x84, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x88, ['unsigned char']], 'Extension' : [ 0x8c, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x90, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x94, ['pointer', ['void']]], 'ConflictCallback' : [ 0x98, ['pointer', ['void']]], } ], '_BUS_HANDLER' : [ 0x6c, { 'Version' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ConfigurationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'Cmos', 1: 'EisaConfiguration', 2: 'Pos', 3: 'CbusConfiguration', 4: 'PCIConfiguration', 5: 'VMEConfiguration', 6: 'NuBusConfiguration', 7: 'PCMCIAConfiguration', 8: 'MPIConfiguration', 9: 'MPSAConfiguration', 10: 'PNPISAConfiguration', 11: 'SgiInternalConfiguration', 12: 'MaximumBusDataType', -1: 'ConfigurationSpaceUndefined'})]], 'BusNumber' : [ 0xc, ['unsigned long']], 'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'ParentHandler' : [ 0x14, ['pointer', ['_BUS_HANDLER']]], 'BusData' : [ 0x18, ['pointer', ['void']]], 'DeviceControlExtensionSize' : [ 0x1c, ['unsigned long']], 'BusAddresses' : [ 
0x20, ['pointer', ['_SUPPORTED_RANGES']]], 'Reserved' : [ 0x24, ['array', 4, ['unsigned long']]], 'GetBusData' : [ 0x34, ['pointer', ['void']]], 'SetBusData' : [ 0x38, ['pointer', ['void']]], 'AdjustResourceList' : [ 0x3c, ['pointer', ['void']]], 'AssignSlotResources' : [ 0x40, ['pointer', ['void']]], 'GetInterruptVector' : [ 0x44, ['pointer', ['void']]], 'TranslateBusAddress' : [ 0x48, ['pointer', ['void']]], 'Spare1' : [ 0x4c, ['pointer', ['void']]], 'Spare2' : [ 0x50, ['pointer', ['void']]], 'Spare3' : [ 0x54, ['pointer', ['void']]], 'Spare4' : [ 0x58, ['pointer', ['void']]], 'Spare5' : [ 0x5c, ['pointer', ['void']]], 'Spare6' : [ 0x60, ['pointer', ['void']]], 'Spare7' : [ 0x64, ['pointer', ['void']]], 'Spare8' : [ 0x68, ['pointer', ['void']]], } ], '_PCI_MN_DISPATCH_TABLE' : [ 0x8, { 'DispatchStyle' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'DispatchFunction' : [ 0x4, ['pointer', ['void']]], } ], '_POP_DEVICE_SYS_STATE' : [ 0x620, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Event' : [ 0x8, ['_KEVENT']], 'SpinLock' : [ 0x18, ['unsigned long']], 'Thread' : [ 0x1c, ['pointer', ['_KTHREAD']]], 'GetNewDeviceList' : [ 0x20, ['unsigned char']], 'Order' : [ 0x24, ['_PO_DEVICE_NOTIFY_ORDER']], 'Status' : [ 0x26c, ['long']], 'FailedDevice' : [ 0x270, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x274, ['unsigned char']], 'Cancelled' : [ 0x275, ['unsigned char']], 'IgnoreErrors' : [ 0x276, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x277, ['unsigned char']], 'WaitAny' : [ 0x278, ['unsigned char']], 'WaitAll' : [ 0x279, ['unsigned char']], 'PresentIrpQueue' : [ 0x27c, ['_LIST_ENTRY']], 'Head' 
: [ 0x284, ['_POP_DEVICE_POWER_IRP']], 'PowerIrpState' : [ 0x2b0, ['array', 20, ['_POP_DEVICE_POWER_IRP']]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x14, { 'Flags' : [ 0x0, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x4, ['unsigned long']], 'ActiveFrame' : [ 0x8, ['pointer', ['void']]], 'FrameListCache' : [ 0xc, ['_LIST_ENTRY']], } ], '_MMWSLE_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['unsigned short']]], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x10, ['unsigned long']], 'ObjectMask' : [ 0x14, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer', 
['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], 'GrantedAccessIndex' : [ 0x4, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x6, ['unsigned short']], 'NextFreeTableEntry' : [ 0x4, ['long']], } ], '_HEAP_USERDATA_HEADER' : [ 0x10, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer', ['_HEAP_SUBSEGMENT']]], 'HeapHandle' : [ 0x4, ['pointer', ['void']]], 'SizeIndex' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], 'PCI_POWER_STATE' : [ 0x40, { 'CurrentSystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentDeviceState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 
'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemWakeLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWakeLevel' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemStateMapping' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'WaitWakeIrp' : [ 0x2c, ['pointer', ['_IRP']]], 'SavedCancelRoutine' : [ 0x30, ['pointer', ['void']]], 'Paging' : [ 0x34, ['long']], 'Hibernate' : [ 0x38, ['long']], 'CrashDump' : [ 0x3c, ['long']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '__unnamed_1803' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1807' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], 
'__unnamed_180b' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_180d' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_1812' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_1814' : 
[ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_1816' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], } ], '__unnamed_1818' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 
'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_181a' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_181c' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1820' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsMaximumInformation'})]], } ], '__unnamed_1822' : [ 0x10, { 
'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1824' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_1826' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1828' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_182a' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_182c' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_1830' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1834' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1838' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_183a' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_183e' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1840' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', 
['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1842' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_1844' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_1848' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_184c' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_1850' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_1852' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_1856' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_185a' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 
'PowerActionWarmEject'})]], } ], '__unnamed_185c' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_185e' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1860' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1862' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_1803']], 'CreatePipe' : [ 0x0, ['__unnamed_1807']], 'CreateMailslot' : [ 0x0, ['__unnamed_180b']], 'Read' : [ 0x0, ['__unnamed_180d']], 'Write' : [ 0x0, ['__unnamed_180d']], 'QueryDirectory' : [ 0x0, ['__unnamed_1812']], 'NotifyDirectory' : [ 0x0, ['__unnamed_1814']], 'QueryFile' : [ 0x0, ['__unnamed_1816']], 'SetFile' : [ 0x0, ['__unnamed_1818']], 'QueryEa' : [ 0x0, ['__unnamed_181a']], 'SetEa' : [ 0x0, ['__unnamed_181c']], 'QueryVolume' : [ 0x0, ['__unnamed_1820']], 'SetVolume' : [ 0x0, ['__unnamed_1820']], 'FileSystemControl' : [ 0x0, ['__unnamed_1822']], 'LockControl' : [ 0x0, ['__unnamed_1824']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1826']], 'QuerySecurity' : [ 0x0, ['__unnamed_1828']], 'SetSecurity' : [ 0x0, ['__unnamed_182a']], 'MountVolume' : [ 0x0, ['__unnamed_182c']], 'VerifyVolume' : [ 0x0, ['__unnamed_182c']], 'Scsi' : [ 0x0, ['__unnamed_1830']], 'QueryQuota' : [ 0x0, ['__unnamed_1834']], 'SetQuota' : [ 0x0, ['__unnamed_181c']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1838']], 'QueryInterface' : [ 0x0, ['__unnamed_183a']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_183e']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1840']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1842']], 'SetLock' : [ 0x0, ['__unnamed_1844']], 'QueryId' : [ 0x0, ['__unnamed_1848']], 'QueryDeviceText' 
: [ 0x0, ['__unnamed_184c']], 'UsageNotification' : [ 0x0, ['__unnamed_1850']], 'WaitWake' : [ 0x0, ['__unnamed_1852']], 'PowerSequence' : [ 0x0, ['__unnamed_1856']], 'Power' : [ 0x0, ['__unnamed_185a']], 'StartDevice' : [ 0x0, ['__unnamed_185c']], 'WMI' : [ 0x0, ['__unnamed_185e']], 'Others' : [ 0x0, ['__unnamed_1860']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_1862']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_1869' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_186b' : [ 0x8, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], } ], '__unnamed_186d' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_186f' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1871' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1873' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1869']], 'Memory' : [ 0x0, ['__unnamed_1869']], 'Interrupt' : [ 0x0, ['__unnamed_186b']], 'Dma' : [ 0x0, ['__unnamed_186d']], 'Generic' : [ 0x0, ['__unnamed_1869']], 'DevicePrivate' : [ 0x0, ['__unnamed_1557']], 'BusNumber' : [ 0x0, ['__unnamed_186f']], 'ConfigData' : [ 0x0, ['__unnamed_1871']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 
'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1873']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'ListIndex' : [ 0x0, ['unsigned long']], 'Verifier' : [ 0x4, ['pointer', ['_MI_VERIFIER_DRIVER_ENTRY']]], } ], '_CM_KEY_BODY' : [ 0x44, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'Callers' : [ 0x10, ['unsigned long']], 'CallerAddress' : [ 0x14, ['array', 10, ['pointer', ['void']]]], 'KeyBodyList' : [ 0x3c, ['_LIST_ENTRY']], } ], '__unnamed_1884' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1886' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1884']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1888' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_188a' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1888']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1886']], 'u2' : [ 0x4, ['__unnamed_188a']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, 
['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x70, ['array', 99, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 894, ['unsigned long']]], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_DUAL' : [ 0xdc, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_RTL_BITMAP']]], 'FreeSummary' : [ 0xd0, ['unsigned long']], 'FreeBins' : [ 0xd4, ['_LIST_ENTRY']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_POP_HIBER_CONTEXT' 
: [ 0xe0, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'LinkFile' : [ 0x6, ['unsigned char']], 'LinkFileHandle' : [ 0x8, ['pointer', ['void']]], 'Lock' : [ 0xc, ['unsigned long']], 'MapFrozen' : [ 0x10, ['unsigned char']], 'MemoryMap' : [ 0x14, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x1c, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x24, ['unsigned long']], 'NextCloneRange' : [ 0x28, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x2c, ['unsigned long']], 'LoaderMdl' : [ 0x30, ['pointer', ['_MDL']]], 'Clones' : [ 0x34, ['pointer', ['_MDL']]], 'NextClone' : [ 0x38, ['pointer', ['unsigned char']]], 'NoClones' : [ 0x3c, ['unsigned long']], 'Spares' : [ 0x40, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x48, ['unsigned long long']], 'IoPage' : [ 0x50, ['pointer', ['void']]], 'CurrentMcb' : [ 0x54, ['pointer', ['void']]], 'DumpStack' : [ 0x58, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x5c, ['pointer', ['_KPROCESSOR_STATE']]], 'NoRanges' : [ 0x60, ['unsigned long']], 'HiberVa' : [ 0x64, ['unsigned long']], 'HiberPte' : [ 0x68, ['_LARGE_INTEGER']], 'Status' : [ 0x70, ['long']], 'MemoryImage' : [ 0x74, ['pointer', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0x78, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'CompressionWorkspace' : [ 0x7c, ['pointer', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0x80, ['pointer', ['unsigned char']]], 'PerformanceStats' : [ 0x84, ['pointer', ['unsigned long']]], 'CompressionBlock' : [ 0x88, ['pointer', ['void']]], 'DmaIO' : [ 0x8c, ['pointer', ['void']]], 'TemporaryHeap' : [ 0x90, ['pointer', ['void']]], 'PerfInfo' : [ 0x98, ['_PO_HIBER_PERF']], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', 
['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_MMADDRESS_LIST' : [ 0x8, { 'StartVpn' : [ 0x0, ['unsigned long']], 'EndVpn' : [ 0x4, ['unsigned long']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_DUMP_STACK_CONTEXT' : [ 0xb0, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x70, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x78, ['pointer', ['void']]], 'PointersLength' : [ 0x7c, ['unsigned long']], 'ModulePrefix' : [ 0x80, ['pointer', ['unsigned short']]], 'DriverList' : [ 0x84, ['_LIST_ENTRY']], 'InitMsg' : [ 0x8c, ['_STRING']], 'ProgMsg' : [ 0x94, ['_STRING']], 'DoneMsg' : [ 0x9c, ['_STRING']], 'FileObject' : [ 0xa4, ['pointer', ['void']]], 'UsageType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x14, { 'Code' : [ 0x0, ['unsigned long']], 'Parameter1' : [ 0x4, ['unsigned long']], 'Parameter2' : [ 0x8, ['unsigned long']], 'Parameter3' : [ 0xc, ['unsigned long']], 'Parameter4' : [ 0x10, ['unsigned long']], } ], '__unnamed_18c9' : [ 0x4, { 
'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_18cb' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_18c9']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_18cb']], } ], '_Wx86ThreadState' : [ 0xc, { 'CallBx86Eip' : [ 0x0, ['pointer', ['unsigned long']]], 'DeallocationCpu' : [ 0x4, ['pointer', ['void']]], 'UseKnownWx86Dll' : [ 0x8, ['unsigned char']], 'OleStubInvoked' : [ 0x9, ['unsigned char']], } ], '_DRIVER_EXTENSION' : [ 0x1c, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 
'NextFree' : [ 0x0, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_SUPPORTED_RANGES' : [ 0xa0, { 'Version' : [ 0x0, ['unsigned short']], 'Sorted' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'NoIO' : [ 0x4, ['unsigned long']], 'IO' : [ 0x8, ['_SUPPORTED_RANGE']], 'NoMemory' : [ 0x28, ['unsigned long']], 'Memory' : [ 0x30, ['_SUPPORTED_RANGE']], 'NoPrefetchMemory' : [ 0x50, ['unsigned long']], 'PrefetchMemory' : [ 0x58, ['_SUPPORTED_RANGE']], 'NoDma' : [ 0x78, ['unsigned long']], 'Dma' : [ 0x80, ['_SUPPORTED_RANGE']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_PM_SUPPORT' : [ 0x1, { 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'D1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'D2' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'PMED0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PMED1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PMED2' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'PMED3Hot' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'PMED3Cold' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, 
native_type='unsigned char')]], } ], '__unnamed_18f1' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '__unnamed_18f3' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '__unnamed_18f7' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '__unnamed_18f9' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '__unnamed_18fb' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_18fd' : [ 0x10, { 'TestAllocation' : [ 0x0, ['__unnamed_18f1']], 'RetestAllocation' : [ 0x0, ['__unnamed_18f1']], 'BootAllocation' : [ 0x0, ['__unnamed_18f3']], 'QueryAllocatedResources' : [ 0x0, ['__unnamed_18f7']], 'QueryConflict' : [ 0x0, ['__unnamed_18f9']], 'QueryArbitrate' : [ 0x0, ['__unnamed_18f3']], 'AddReserved' : [ 0x0, ['__unnamed_18fb']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_18fd']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0x60, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, 
['_UNICODE_STRING']], 'StartAddress' : [ 0x18, ['pointer', ['void']]], 'EndAddress' : [ 0x1c, ['pointer', ['void']]], 'Flags' : [ 0x20, ['unsigned long']], 'Signature' : [ 0x24, ['unsigned long']], 'Reserved' : [ 0x28, ['unsigned long']], 'VerifierPoolLock' : [ 0x2c, ['unsigned long']], 'PoolHash' : [ 0x30, ['pointer', ['_VI_POOL_ENTRY']]], 'PoolHashSize' : [ 0x34, ['unsigned long']], 'PoolHashFree' : [ 0x38, ['unsigned long']], 'PoolHashReserved' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_MMMOD_WRITER_LISTHEAD' : [ 0x18, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Event' : [ 0x8, ['_KEVENT']], } ], '_PO_HIBER_PERF' : [ 0x48, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], 'PO_MEMORY_IMAGE' : [ 0xa8, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, 
['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'ImageType' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x3c, ['unsigned long']], 'HiberPte' : [ 0x40, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x48, ['unsigned long']], 'FreeMapCheck' : [ 0x4c, ['unsigned long']], 'WakeCheck' : [ 0x50, ['unsigned long']], 'TotalPages' : [ 0x54, ['unsigned long']], 'FirstTablePage' : [ 0x58, ['unsigned long']], 'LastFilePage' : [ 0x5c, ['unsigned long']], 'PerfInfo' : [ 0x60, ['_PO_HIBER_PERF']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 
'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', 7, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 
'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Spare' : [ 0x18, ['array', 2, ['unsigned long']]], } ], '_SEP_AUDIT_POLICY' : [ 0x8, { 'PolicyElements' : [ 0x0, ['_SEP_AUDIT_POLICY_CATEGORIES']], 'PolicyOverlay' : [ 0x0, ['_SEP_AUDIT_POLICY_OVERLAY']], 'Overlay' : [ 0x0, ['unsigned long long']], } ], '__unnamed_192c' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['unsigned short']]], } ], '__unnamed_192e' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_1930' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_1932' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceIds' : [ 0x4, ['array', 1, ['unsigned short']]], } ], '__unnamed_1934' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1936' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1938' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 
'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['unsigned short']]], } ], '__unnamed_193a' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_193c' : [ 0x14, { 'DeviceClass' : [ 0x0, ['__unnamed_192c']], 'TargetDevice' : [ 0x0, ['__unnamed_192e']], 'InstallDevice' : [ 0x0, ['__unnamed_1930']], 'CustomNotification' : [ 0x0, ['__unnamed_1932']], 'ProfileNotification' : [ 0x0, ['__unnamed_1934']], 'PowerNotification' : [ 0x0, ['__unnamed_1936']], 'VetoNotification' : [ 0x0, ['__unnamed_1938']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_193a']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x38, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_193c']], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '__unnamed_1942' : [ 0x10, { 'PageNo' : [ 0x0, ['unsigned long']], 'StartPage' : [ 0x4, ['unsigned long']], 'EndPage' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], } ], '__unnamed_1944' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'NextTable' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 
'EntryCount' : [ 0xc, ['unsigned long']], } ], '_PO_MEMORY_RANGE_ARRAY' : [ 0x10, { 'Range' : [ 0x0, ['__unnamed_1942']], 'Link' : [ 0x0, ['__unnamed_1944']], } ], '__unnamed_1956' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_1958' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_195a' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_1956']], 'Gpt' : [ 0x0, ['__unnamed_1958']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x70, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_195a']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', 
dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_SEP_AUDIT_POLICY_OVERLAY' : [ 0x8, { 'PolicyBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'SetBit' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], } ], '_PCI_HEADER_TYPE_0' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 6, ['unsigned long']]], 'CIS' : [ 0x18, ['unsigned long']], 'SubVendorID' : [ 0x1c, ['unsigned short']], 'SubSystemID' : [ 0x1e, ['unsigned short']], 'ROMBaseAddress' : [ 0x20, ['unsigned long']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'Reserved2' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, 
['unsigned char']], 'MinimumGrant' : [ 0x2e, ['unsigned char']], 'MaximumLatency' : [ 0x2f, ['unsigned char']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x248, { 'DevNodeSequence' : [ 0x0, ['unsigned long']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_MAP' : [ 0x30, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'ReferenceCount' : [ 0x8, ['unsigned long']], 'DriveMap' : [ 0xc, ['unsigned long']], 'DriveType' : [ 0x10, ['array', 32, ['unsigned char']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, 
['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'LevelReady' : [ 0x0, ['_KEVENT']], 'DeviceCount' : [ 0x10, ['unsigned long']], 'ActiveCount' : [ 0x14, ['unsigned long']], 'WaitSleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x20, ['_LIST_ENTRY']], 'Pending' : [ 0x28, ['_LIST_ENTRY']], 'Complete' : [ 0x30, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x38, ['_LIST_ENTRY']], 'WaitS0' : [ 0x40, ['_LIST_ENTRY']], } ], '__unnamed_198f' : [ 0x8, { 'Base' : [ 0x0, ['unsigned long']], 'Limit' : [ 0x4, ['unsigned long']], } ], '_PCI_HEADER_TYPE_2' : [ 0x30, { 'SocketRegistersBaseAddress' : [ 0x0, ['unsigned long']], 'CapabilitiesPtr' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'SecondaryStatus' : [ 0x6, ['unsigned short']], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'Range' : [ 0xc, ['array', 4, ['__unnamed_198f']]], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_SEP_AUDIT_POLICY_CATEGORIES' : [ 0x8, { 'System' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'Logon' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'ObjectAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'PrivilegeUse' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'DetailedTracking' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'PolicyChange' : [ 0x0, 
['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'AccountManagement' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 28, native_type='unsigned long')]], 'DirectoryServiceAccess' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'AccountLogon' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['unsigned short']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x8, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'FreeListNext' : [ 0x0, ['unsigned long']], } ], '_POP_DEVICE_POWER_IRP' : [ 0x2c, { 'Free' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Irp' : [ 0x4, ['pointer', ['_IRP']]], 'Notify' : [ 0x8, ['pointer', ['_PO_DEVICE_NOTIFY']]], 'Pending' : [ 0xc, ['_LIST_ENTRY']], 'Complete' : [ 0x14, ['_LIST_ENTRY']], 'Abort' : [ 0x1c, ['_LIST_ENTRY']], 'Failed' : [ 0x24, ['_LIST_ENTRY']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned 
long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_PCI_HEADER_TYPE_1' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 2, ['unsigned long']]], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'IOBase' : [ 0xc, ['unsigned char']], 'IOLimit' : [ 0xd, ['unsigned char']], 'SecondaryStatus' : [ 0xe, ['unsigned short']], 'MemoryBase' : [ 0x10, ['unsigned short']], 'MemoryLimit' : [ 0x12, ['unsigned short']], 'PrefetchBase' : [ 0x14, ['unsigned short']], 'PrefetchLimit' : [ 0x16, ['unsigned short']], 'PrefetchBaseUpper32' : [ 0x18, ['unsigned long']], 'PrefetchLimitUpper32' : [ 0x1c, ['unsigned long']], 'IOBaseUpper16' : [ 0x20, ['unsigned short']], 'IOLimitUpper16' : [ 0x22, ['unsigned short']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'ROMBaseAddress' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 
'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Reserved' : [ 0x3c, ['array', 6, ['unsigned long']]], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_SUPPORTED_RANGE' : [ 0x20, { 'Next' : [ 0x0, ['pointer', ['_SUPPORTED_RANGE']]], 'SystemAddressSpace' : [ 0x4, ['unsigned long']], 'SystemBase' : [ 0x8, ['long long']], 'Base' : [ 0x10, ['long long']], 'Limit' : [ 0x18, ['long long']], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 
16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', 
['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x30, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long']], 'Alignment' : [ 0x14, ['unsigned long']], 'Priority' : [ 0x18, ['long']], 'Flags' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x24, ['array', 3, ['unsigned long']]], } ], '__unnamed_19d2' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_19d4' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_19d8' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_19da' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_19d2']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_19d4']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_19d8']], 
    'Others' : [ 0x0, ['__unnamed_19da']],
} ],
  '_DESCRIPTOR' : [ 0x8, {
    'Pad' : [ 0x0, ['unsigned short']],
    'Limit' : [ 0x2, ['unsigned short']],
    'Base' : [ 0x4, ['unsigned long']],
} ],
  '_VI_POOL_ENTRY_INUSE' : [ 0x10, {
    'VirtualAddress' : [ 0x0, ['pointer', ['void']]],
    'CallingAddress' : [ 0x4, ['pointer', ['void']]],
    'NumberOfBytes' : [ 0x8, ['unsigned long']],
    'Tag' : [ 0xc, ['unsigned long']],
} ],
  '_CHILD_LIST' : [ 0x8, {
    'Count' : [ 0x0, ['unsigned long']],
    'List' : [ 0x4, ['unsigned long']],
} ],
  '_CM_KEY_SECURITY' : [ 0x28, {
    'Signature' : [ 0x0, ['unsigned short']],
    'Reserved' : [ 0x2, ['unsigned short']],
    'Flink' : [ 0x4, ['unsigned long']],
    'Blink' : [ 0x8, ['unsigned long']],
    'ReferenceCount' : [ 0xc, ['unsigned long']],
    'DescriptorLength' : [ 0x10, ['unsigned long']],
    'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']],
} ],
}

volatility-2.3.1/volatility/plugins/overlays/windows/win2003.py

# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author:       Jamie Levy (Gleeda)
@license:      GNU General Public License 2.0
@contact:      jamie.levy@gmail.com

This file provides support for Windows 2003.
"""

#pylint: disable-msg=C0111

import windows
import volatility.debug as debug #pylint: disable-msg=W0611
import volatility.obj as obj

class _MM_AVL_TABLE(obj.CType):
    def traverse(self):
        """
        This is a hack to get around the fact that _MM_AVL_TABLE.BalancedRoot (an _MMADDRESS_NODE) doesn't
        work the same way as the other _MMADDRESS_NODEs. In particular, we want _MMADDRESS_NODE to behave
        like _MMVAD, and all other _MMADDRESS_NODEs have a Vad, VadS, Vadl tag etc, but _MM_AVL_TABLE.BalancedRoot
        does not. So we can't reference self.BalancedRoot.RightChild here because self.BalancedRoot will be None
        due to the fact that there is not a valid VAD tag at self.BalancedRoot.obj_offset - 4 (as _MMVAD expects).

        We want to start traversing from self.BalancedRoot.RightChild. The self.BalancedRoot.LeftChild member
        will always be 0. However, we can't call get_obj_offset("_MMADDRESS_NODE", "RightChild") or it will
        result in a TypeError: __new__() takes exactly 5 non-keyword arguments (4 given). Therefore, we hard-code
        the offset to the RightChild and treat it as a pointer to the first real _MMADDRESS_NODE.

        Update: hard-coding the offset to RightChild breaks x64 (since the offset is 8 on x86 and 16 on x64).
        Thus to fix the vad plugins for x64 we assume that the offset of RightChild in _MMVAD_SHORT is the
        same as the offset of RightChild in _MMADDRESS_NODE. We can call get_obj_offset on _MMVAD_SHORT since
        it isn't in the _MMVAD factory like _MMADDRESS_NODE; and we won't get the above TypeError.
        """
        right_child_offset = self.obj_vm.profile.get_obj_offset("_MMVAD_SHORT", "RightChild")

        rc = obj.Object("Pointer", vm = self.obj_vm, offset = self.obj_offset + right_child_offset)

        node = obj.Object('_MMADDRESS_NODE', vm = self.obj_vm, offset = rc.v(), parent = self.obj_parent)

        for c in node.traverse():
            yield c

class _MMVAD_SHORT(windows._MMVAD_SHORT):
    @property
    def Parent(self):
        """
        Return the Vad's parent node, being sure to chop off the
        lower 2 bits (mask 0x3), because _MMADDRESS_NODE.u1.Parent
        is a packed union with _MMADDRESS_NODE.u1.Balanced. We do
        not want the Balanced part of the value.

        Not chopping off these bits is the reason why our
        vadtree plugin didn't work since introduction of
        profiles other than Windows XP.
        """
        return obj.Object("_MMADDRESS_NODE", vm = self.obj_vm, offset = self.u1.Parent.v() & ~0x3, parent = self.obj_parent)

class _MMVAD_LONG(_MMVAD_SHORT):
    pass

class Win2003MMVad(obj.ProfileModification):
    before = ['WindowsOverlay', 'WindowsObjectClasses']

    def check(self, profile):
        m = profile.metadata
        return (m.get('os', None) == 'windows' and
                (m.get('major') > 5 or
                (m.get('major') == 5 and m.get('minor') >= 2)))

    def modification(self, profile):
        profile.object_classes.update({'_MM_AVL_TABLE': _MM_AVL_TABLE,
                                       '_MMADDRESS_NODE': windows._MMVAD,
                                       '_MMVAD_SHORT': _MMVAD_SHORT,
                                       '_MMVAD_LONG': _MMVAD_LONG})

class Win2003x86Hiber(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 2}

    def modification(self, profile):
        overlay = {'VOLATILITY_MAGIC': [ None, {
                        'HibrProcPage' : [ None, ['VolatilityMagic', dict(value = 0x2)]],
                        'HibrEntryCount' : [ None, ['VolatilityMagic', dict(value = 0xff)]],
                                        }]}
        profile.merge_overlay(overlay)

class Win2003x64Hiber(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 2}

    def modification(self, profile):
        overlay = {'VOLATILITY_MAGIC': [ None, {
                        'HibrProcPage' : [ None, ['VolatilityMagic', dict(value = 0x2)]],
                        'HibrEntryCount' : [ None, ['VolatilityMagic', dict(value = 0x7f)]],
                                        }]}
        profile.merge_overlay(overlay)

class Win2003KDBG(windows.AbstractKDBGMod):
    before = ['WindowsOverlay']
    conditions = {'os': lambda x : x == 'windows',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x >= 2}
    kdbgsize = 0x318

class Win2003SP0x86DTB(obj.ProfileModification):
    # Make sure we apply after the normal Win2003 DTB
    before = ['WindowsOverlay', 'Win2003x86DTB']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 2,
                  'build': lambda x: x == 3789}

    def modification(self, profile):
        overlay = {'VOLATILITY_MAGIC': [ None, {
                        'DTBSignature': [ None, ['VolatilityMagic', dict(value = "\x03\x00\x1b\x00")]]}
                                        ]}
        profile.merge_overlay(overlay)

class Win2003x86DTB(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {'os': lambda x : x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 2}

    def modification(self, profile):
        overlay = {'VOLATILITY_MAGIC': [ None, {
                        'DTBSignature': [ None, ['VolatilityMagic', dict(value = "\x03\x00\x1e\x00")]]}
                                        ]}
        profile.merge_overlay(overlay)

class Win2003x64DTB(obj.ProfileModification):
    before = ['WindowsOverlay', 'Windows64Overlay']
    conditions = {'os': lambda x : x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 2}

    def modification(self, profile):
        overlay = {'VOLATILITY_MAGIC': [ None, {
                        'DTBSignature': [ None, ['VolatilityMagic', dict(value = "\x03\x00\x2e\x00")]]}
                                        ]}
        profile.merge_overlay(overlay)

class EThreadCreateTime(obj.ProfileModification):
    before = ['WindowsOverlay']

    def check(self, profile):
        m = profile.metadata
        return (m.get('os', None) == 'windows' and
                ((m.get('major', 0) == 5 and m.get('minor', 0) >= 2) or
                 m.get('major', 0) >= 6) and
                profile.__class__.__name__ != 'Win2003SP0x86')

    def modification(self, profile):
        overlay = {'_ETHREAD': [ None, {
                        'CreateTime' : [ None, ['WinTimeStamp', {}]]}
                                ]}
        profile.merge_overlay(overlay)

class Win2003SP0x86(obj.Profile):
    """ A Profile for Windows 2003 SP0 x86 """
    _md_os = 'windows'
    _md_major = 5
    _md_minor = 2
    # FIXME: 2003's build numbers didn't differentiate between SP0 and SP1/2
    # despite there being a large change. As such we fake a special build number
    # for 2003 SP0 to help us differentiate it
    _md_build = 3789
    _md_memory_model = '32bit'
    _md_vtype_module = 'volatility.plugins.overlays.windows.win2003_sp0_x86_vtypes'

class Win2003SP1x86(obj.Profile):
    """ A Profile for Windows 2003 SP1 x86 """
    _md_os = 'windows'
    _md_major = 5
    _md_minor = 2
    _md_build = 3790
    _md_memory_model = '32bit'
    _md_vtype_module = 'volatility.plugins.overlays.windows.win2003_sp1_x86_vtypes'

class Win2003SP2x86(obj.Profile):
    """ A Profile for Windows 2003 SP2 x86 """
    _md_os = 'windows'
    _md_major = 5
    _md_minor = 2
    # This is a fake build number. See the comment in Win2003SP0x86
    _md_build = 3791
    _md_memory_model = '32bit'
    _md_vtype_module = 'volatility.plugins.overlays.windows.win2003_sp2_x86_vtypes'

class Win2003SP1x64(obj.Profile):
    """ A Profile for Windows 2003 SP1 x64 """
    _md_memory_model = '64bit'
    _md_os = 'windows'
    _md_major = 5
    _md_minor = 2
    _md_build = 3790
    _md_vtype_module = 'volatility.plugins.overlays.windows.win2003_sp1_x64_vtypes'

class Win2003SP2x64(obj.Profile):
    """ A Profile for Windows 2003 SP2 x64 """
    _md_memory_model = '64bit'
    _md_os = 'windows'
    _md_major = 5
    _md_minor = 2
    # This is a fake build number. See the comment in Win2003SP0x86
    _md_build = 3791
    _md_vtype_module = 'volatility.plugins.overlays.windows.win2003_sp2_x64_vtypes'

class WinXPSP1x64(Win2003SP1x64):
    """ A Profile for Windows XP SP1 x64 """

class WinXPSP2x64(Win2003SP2x64):
    """ A Profile for Windows XP SP2 x64 """

volatility-2.3.1/volatility/plugins/overlays/windows/vista_sp12_x86_syscalls.py

# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

syscalls = [
    [
    'NtAcceptConnectPort', # 0x0
    'NtAccessCheck', # 0x1
    'NtAccessCheckAndAuditAlarm', # 0x2
    'NtAccessCheckByType', # 0x3
    'NtAccessCheckByTypeAndAuditAlarm', # 0x4
    'NtAccessCheckByTypeResultList', # 0x5
    'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x6
    'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x7
    'NtAddAtom', # 0x8
    'NtAddBootEntry', # 0x9
    'NtAddDriverEntry', # 0xa
    'NtAdjustGroupsToken', # 0xb
    'NtAdjustPrivilegesToken', # 0xc
    'NtAlertResumeThread', # 0xd
    'NtAlertThread', # 0xe
    'NtAllocateLocallyUniqueId', # 0xf
    'NtAllocateUserPhysicalPages', # 0x10
    'NtAllocateUuids', # 0x11
    'NtAllocateVirtualMemory', # 0x12
    'NtAlpcAcceptConnectPort', # 0x13
    'NtAlpcCancelMessage', # 0x14
    'NtAlpcConnectPort', # 0x15
    'NtAlpcCreatePort', # 0x16
    'NtAlpcCreatePortSection', # 0x17
    'NtAlpcCreateResourceReserve', # 0x18
    'NtAlpcCreateSectionView', # 0x19
    'NtAlpcCreateSecurityContext', # 0x1a
    'NtAlpcDeletePortSection', # 0x1b
    'NtAlpcDeleteResourceReserve', # 0x1c
    'NtAlpcDeleteSectionView', # 0x1d
    'NtAlpcDeleteSecurityContext', # 0x1e
    'NtAlpcDisconnectPort', # 0x1f
    'NtAlpcImpersonateClientOfPort', # 0x20
    'NtAlpcOpenSenderProcess', # 0x21
    'NtAlpcOpenSenderThread', # 0x22
    'NtAlpcQueryInformation', # 0x23
    'NtAlpcQueryInformationMessage', # 0x24
    'NtAlpcRevokeSecurityContext', # 0x25
    'NtAlpcSendWaitReceivePort', # 0x26
    'NtAlpcSetInformation', # 0x27
    'NtApphelpCacheControl', # 0x28
    'NtAreMappedFilesTheSame', # 0x29
    'NtAssignProcessToJobObject', # 0x2a
    'NtCallbackReturn', # 0x2b
    'NtCancelDeviceWakeupRequest', # 0x2c
    'NtCancelIoFile', # 0x2d
    'NtCancelTimer', # 0x2e
    'NtClearEvent', # 0x2f
    'NtClose', # 0x30
    'NtCloseObjectAuditAlarm', # 0x31
    'NtCompactKeys', # 0x32
    'NtCompareTokens', # 0x33
    'NtCompleteConnectPort', # 0x34
    'NtCompressKey', # 0x35
    'NtConnectPort', # 0x36
    'NtContinue', # 0x37
    'NtCreateDebugObject', # 0x38
    'NtCreateDirectoryObject', # 0x39
    'NtCreateEvent', # 0x3a
    'NtCreateEventPair', # 0x3b
    'NtCreateFile', # 0x3c
    'NtCreateIoCompletion', # 0x3d
    'NtCreateJobObject', # 0x3e
    'NtCreateJobSet', # 0x3f
    'NtCreateKey', # 0x40
    'NtCreateKeyTransacted', # 0x41
    'NtCreateMailslotFile', # 0x42
    'NtCreateMutant', # 0x43
    'NtCreateNamedPipeFile', # 0x44
    'NtCreatePrivateNamespace', # 0x45
    'NtCreatePagingFile', # 0x46
    'NtCreatePort', # 0x47
    'NtCreateProcess', # 0x48
    'NtCreateProcessEx', # 0x49
    'NtCreateProfile', # 0x4a
    'NtCreateSection', # 0x4b
    'NtCreateSemaphore', # 0x4c
    'NtCreateSymbolicLinkObject', # 0x4d
    'NtCreateThread', # 0x4e
    'NtCreateTimer', # 0x4f
    'NtCreateToken', # 0x50
    'NtCreateTransaction', # 0x51
    'NtOpenTransaction', # 0x52
    'NtQueryInformationTransaction', # 0x53
    'NtQueryInformationTransactionManager', # 0x54
    'NtPrePrepareEnlistment', # 0x55
    'NtPrepareEnlistment', # 0x56
    'NtCommitEnlistment', # 0x57
    'NtReadOnlyEnlistment', # 0x58
    'NtRollbackComplete', # 0x59
    'NtRollbackEnlistment', # 0x5a
    'NtCommitTransaction', # 0x5b
    'NtRollbackTransaction', # 0x5c
    'NtPrePrepareComplete', # 0x5d
    'NtPrepareComplete', # 0x5e
    'NtCommitComplete', # 0x5f
    'NtSinglePhaseReject', # 0x60
    'NtSetInformationTransaction', # 0x61
    'NtSetInformationTransactionManager', # 0x62
    'NtSetInformationResourceManager', # 0x63
    'NtCreateTransactionManager', # 0x64
    'NtOpenTransactionManager', # 0x65
    'NtRenameTransactionManager', # 0x66
    'NtRollforwardTransactionManager', # 0x67
    'NtRecoverEnlistment', # 0x68
    'NtRecoverResourceManager', # 0x69
    'NtRecoverTransactionManager', # 0x6a
    'NtCreateResourceManager', # 0x6b
    'NtOpenResourceManager', # 0x6c
    'NtGetNotificationResourceManager', # 0x6d
    'NtQueryInformationResourceManager', # 0x6e
    'NtCreateEnlistment', # 0x6f
    'NtOpenEnlistment', # 0x70
    'NtSetInformationEnlistment', # 0x71
    'NtQueryInformationEnlistment', # 0x72
    'NtCreateWaitablePort', # 0x73
    'NtDebugActiveProcess', # 0x74
    'NtDebugContinue', # 0x75
    'NtDelayExecution', # 0x76
    'NtDeleteAtom', # 0x77
    'NtDeleteBootEntry', # 0x78
    'NtDeleteDriverEntry', # 0x79
    'NtDeleteFile', # 0x7a
    'NtDeleteKey', # 0x7b
    'NtDeletePrivateNamespace', # 0x7c
    'NtDeleteObjectAuditAlarm', # 0x7d
    'NtDeleteValueKey', # 0x7e
    'NtDeviceIoControlFile', # 0x7f
    'NtDisplayString', # 0x80
    'NtDuplicateObject', # 0x81
    'NtDuplicateToken', # 0x82
    'NtEnumerateBootEntries', # 0x83
    'NtEnumerateDriverEntries', # 0x84
    'NtEnumerateKey', # 0x85
    'NtEnumerateSystemEnvironmentValuesEx', # 0x86
    'NtEnumerateTransactionObject', # 0x87
    'NtEnumerateValueKey', # 0x88
    'NtExtendSection', # 0x89
    'NtFilterToken', # 0x8a
    'NtFindAtom', # 0x8b
    'NtFlushBuffersFile', # 0x8c
    'NtFlushInstructionCache', # 0x8d
    'NtFlushKey', # 0x8e
    'NtFlushProcessWriteBuffers', # 0x8f
    'NtFlushVirtualMemory', # 0x90
    'NtFlushWriteBuffer', # 0x91
    'NtFreeUserPhysicalPages', # 0x92
    'NtFreeVirtualMemory', # 0x93
    'NtFreezeRegistry', # 0x94
    'NtFreezeTransactions', # 0x95
    'NtFsControlFile', # 0x96
    'NtGetContextThread', # 0x97
    'NtGetDevicePowerState', # 0x98
    'NtGetNlsSectionPtr', # 0x99
    'NtGetPlugPlayEvent', # 0x9a
    'NtGetWriteWatch', # 0x9b
    'NtImpersonateAnonymousToken', # 0x9c
    'NtImpersonateClientOfPort', # 0x9d
    'NtImpersonateThread', # 0x9e
    'NtInitializeNlsFiles', # 0x9f
    'NtInitializeRegistry', # 0xa0
    'NtInitiatePowerAction', # 0xa1
    'NtIsProcessInJob', # 0xa2
    'NtIsSystemResumeAutomatic', # 0xa3
    'NtListenPort', # 0xa4
    'NtLoadDriver', # 0xa5
    'NtLoadKey', # 0xa6
    'NtLoadKey2', # 0xa7
    'NtLoadKeyEx', # 0xa8
    'NtLockFile', # 0xa9
    'NtLockProductActivationKeys', # 0xaa
    'NtLockRegistryKey', # 0xab
    'NtLockVirtualMemory', # 0xac
    'NtMakePermanentObject', # 0xad
    'NtMakeTemporaryObject', # 0xae
    'NtMapUserPhysicalPages', # 0xaf
    'NtMapUserPhysicalPagesScatter', # 0xb0
    'NtMapViewOfSection', # 0xb1
    'NtModifyBootEntry', # 0xb2
    'NtModifyDriverEntry', # 0xb3
    'NtNotifyChangeDirectoryFile', # 0xb4
    'NtNotifyChangeKey', # 0xb5
    'NtNotifyChangeMultipleKeys', # 0xb6
    'NtOpenDirectoryObject', # 0xb7
    'NtOpenEvent', # 0xb8
    'NtOpenEventPair', # 0xb9
    'NtOpenFile', # 0xba
    'NtOpenIoCompletion', # 0xbb
    'NtOpenJobObject', # 0xbc
    'NtOpenKey', # 0xbd
    'NtOpenKeyTransacted', # 0xbe
    'NtOpenMutant', # 0xbf
    'NtOpenPrivateNamespace', # 0xc0
    'NtOpenObjectAuditAlarm', # 0xc1
    'NtOpenProcess', # 0xc2
    'NtOpenProcessToken', # 0xc3
    'NtOpenProcessTokenEx', # 0xc4
    'NtOpenSection', # 0xc5
    'NtOpenSemaphore', # 0xc6
    'NtOpenSession', # 0xc7
    'NtOpenSymbolicLinkObject', # 0xc8
    'NtOpenThread', # 0xc9
    'NtOpenThreadToken', # 0xca
    'NtOpenThreadTokenEx', # 0xcb
    'NtOpenTimer', # 0xcc
    'NtPlugPlayControl', # 0xcd
    'NtPowerInformation', # 0xce
    'NtPrivilegeCheck', # 0xcf
    'NtPrivilegeObjectAuditAlarm', # 0xd0
    'NtPrivilegedServiceAuditAlarm', # 0xd1
    'NtProtectVirtualMemory', # 0xd2
    'NtPulseEvent', # 0xd3
    'NtQueryAttributesFile', # 0xd4
    'NtQueryBootEntryOrder', # 0xd5
    'NtQueryBootOptions', # 0xd6
    'NtQueryDebugFilterState', # 0xd7
    'NtQueryDefaultLocale', # 0xd8
    'NtQueryDefaultUILanguage', # 0xd9
    'NtQueryDirectoryFile', # 0xda
    'NtQueryDirectoryObject', # 0xdb
    'NtQueryDriverEntryOrder', # 0xdc
    'NtQueryEaFile', # 0xdd
    'NtQueryEvent', # 0xde
    'NtQueryFullAttributesFile', # 0xdf
    'NtQueryInformationAtom', # 0xe0
    'NtQueryInformationFile', # 0xe1
    'NtQueryInformationJobObject', # 0xe2
    'NtQueryInformationPort', # 0xe3
    'NtQueryInformationProcess', # 0xe4
    'NtQueryInformationThread', # 0xe5
    'NtQueryInformationToken', # 0xe6
    'NtQueryInstallUILanguage', # 0xe7
    'NtQueryIntervalProfile', # 0xe8
    'NtQueryIoCompletion', # 0xe9
    'NtQueryKey', # 0xea
    'NtQueryMultipleValueKey', # 0xeb
    'NtQueryMutant', # 0xec
    'NtQueryObject', # 0xed
    'NtQueryOpenSubKeys', # 0xee
    'NtQueryOpenSubKeysEx', # 0xef
    'NtQueryPerformanceCounter', # 0xf0
    'NtQueryQuotaInformationFile', # 0xf1
    'NtQuerySection', # 0xf2
    'NtQuerySecurityObject', # 0xf3
    'NtQuerySemaphore', # 0xf4
    'NtQuerySymbolicLinkObject', # 0xf5
    'NtQuerySystemEnvironmentValue', # 0xf6
    'NtQuerySystemEnvironmentValueEx', # 0xf7
    'NtQuerySystemInformation', # 0xf8
    'NtQuerySystemTime', # 0xf9
    'NtQueryTimer', # 0xfa
    'NtQueryTimerResolution', # 0xfb
    'NtQueryValueKey', # 0xfc
    'NtQueryVirtualMemory', # 0xfd
    'NtQueryVolumeInformationFile', # 0xfe
    'NtQueueApcThread', # 0xff
    'NtRaiseException', # 0x100
    'NtRaiseHardError', # 0x101
    'NtReadFile', # 0x102
    'NtReadFileScatter', # 0x103
    'NtReadRequestData', # 0x104
    'NtReadVirtualMemory', # 0x105
    'NtRegisterThreadTerminatePort', # 0x106
    'NtReleaseMutant', # 0x107
    'NtReleaseSemaphore', # 0x108
    'NtRemoveIoCompletion', # 0x109
    'NtRemoveProcessDebug', # 0x10a
    'NtRenameKey', # 0x10b
    'NtReplaceKey', # 0x10c
    'NtReplacePartitionUnit', # 0x10d
    'NtReplyPort', # 0x10e
    'NtReplyWaitReceivePort', # 0x10f
    'NtReplyWaitReceivePortEx', # 0x110
    'NtReplyWaitReplyPort', # 0x111
    'NtRequestDeviceWakeup', # 0x112
    'NtRequestPort', # 0x113
    'NtRequestWaitReplyPort', # 0x114
    'NtRequestWakeupLatency', # 0x115
    'NtResetEvent', # 0x116
    'NtResetWriteWatch', # 0x117
    'NtRestoreKey', # 0x118
    'NtResumeProcess', # 0x119
    'NtResumeThread', # 0x11a
    'NtSaveKey', # 0x11b
    'NtSaveKeyEx', # 0x11c
    'NtSaveMergedKeys', # 0x11d
    'NtSecureConnectPort', # 0x11e
    'NtSetBootEntryOrder', # 0x11f
    'NtSetBootOptions', # 0x120
    'NtSetContextThread', # 0x121
    'NtSetDebugFilterState', # 0x122
    'NtSetDefaultHardErrorPort', # 0x123
    'NtSetDefaultLocale', # 0x124
    'NtSetDefaultUILanguage', # 0x125
    'NtSetDriverEntryOrder', # 0x126
    'NtSetEaFile', # 0x127
    'NtSetEvent', # 0x128
    'NtSetEventBoostPriority', # 0x129
    'NtSetHighEventPair', # 0x12a
    'NtSetHighWaitLowEventPair', # 0x12b
    'NtSetInformationDebugObject', # 0x12c
    'NtSetInformationFile', # 0x12d
    'NtSetInformationJobObject', # 0x12e
    'NtSetInformationKey', # 0x12f
    'NtSetInformationObject', # 0x130
    'NtSetInformationProcess', # 0x131
    'NtSetInformationThread', # 0x132
    'NtSetInformationToken', # 0x133
    'NtSetIntervalProfile', # 0x134
    'NtSetIoCompletion', # 0x135
    'NtSetLdtEntries', # 0x136
    'NtSetLowEventPair', # 0x137
    'NtSetLowWaitHighEventPair', # 0x138
    'NtSetQuotaInformationFile', # 0x139
    'NtSetSecurityObject', # 0x13a
    'NtSetSystemEnvironmentValue', # 0x13b
    'NtSetSystemEnvironmentValueEx', # 0x13c
    'NtSetSystemInformation', # 0x13d
    'NtSetSystemPowerState', # 0x13e
    'NtSetSystemTime', # 0x13f
    'NtSetThreadExecutionState', # 0x140
    'NtSetTimer', # 0x141
    'NtSetTimerResolution', # 0x142
    'NtSetUuidSeed', # 0x143
    'NtSetValueKey', # 0x144
    'NtSetVolumeInformationFile', # 0x145
    'NtShutdownSystem', # 0x146
    'NtSignalAndWaitForSingleObject', # 0x147
    'NtStartProfile', # 0x148
    'NtStopProfile', # 0x149
    'NtSuspendProcess', # 0x14a
    'NtSuspendThread', # 0x14b
    'NtSystemDebugControl', # 0x14c
    'NtTerminateJobObject', # 0x14d
    'NtTerminateProcess', # 0x14e
    'NtTerminateThread', # 0x14f
    'NtTestAlert', # 0x150
    'NtThawRegistry', # 0x151
    'NtThawTransactions', # 0x152
    'NtTraceEvent', # 0x153
    'NtTraceControl', # 0x154
    'NtTranslateFilePath', # 0x155
    'NtUnloadDriver', # 0x156
    'NtUnloadKey', # 0x157
    'NtUnloadKey2', # 0x158
    'NtUnloadKeyEx', # 0x159
    'NtUnlockFile', # 0x15a
    'NtUnlockVirtualMemory', # 0x15b
    'NtUnmapViewOfSection', # 0x15c
    'NtVdmControl', # 0x15d
    'NtWaitForDebugEvent', # 0x15e
    'NtWaitForMultipleObjects', # 0x15f
    'NtWaitForSingleObject', # 0x160
    'NtWaitHighEventPair', # 0x161
    'NtWaitLowEventPair', # 0x162
    'NtWriteFile', # 0x163
    'NtWriteFileGather', # 0x164
    'NtWriteRequestData', # 0x165
    'NtWriteVirtualMemory', # 0x166
    'NtYieldExecution', # 0x167
    'NtCreateKeyedEvent', # 0x168
    'NtOpenKeyedEvent', # 0x169
    'NtReleaseKeyedEvent', # 0x16a
    'NtWaitForKeyedEvent', # 0x16b
    'NtQueryPortInformationProcess', # 0x16c
    'NtGetCurrentProcessorNumber', # 0x16d
    'NtWaitForMultipleObjects32', # 0x16e
    'NtGetNextProcess', # 0x16f
    'NtGetNextThread', # 0x170
    'NtCancelIoFileEx', # 0x171
    'NtCancelSynchronousIoFile', # 0x172
    'NtRemoveIoCompletionEx', # 0x173
    'NtRegisterProtocolAddressInformation', # 0x174
    'NtPropagationComplete', # 0x175
    'NtPropagationFailed', # 0x176
    'NtCreateWorkerFactory', # 0x177
    'NtReleaseWorkerFactoryWorker', # 0x178
    'NtWaitForWorkViaWorkerFactory', # 0x179
    'NtSetInformationWorkerFactory', # 0x17a
    'NtQueryInformationWorkerFactory', # 0x17b
    'NtWorkerFactoryWorkerReady', # 0x17c
    'NtShutdownWorkerFactory', # 0x17d
    'NtCreateThreadEx', # 0x17e
    'NtCreateUserProcess', # 0x17f
    'NtQueryLicenseValue', # 0x180
    'NtMapCMFModule', # 0x181
    'NtIsUILanguageComitted', # 0x182
    'NtFlushInstallUILanguage', # 0x183
    'NtGetMUIRegistryInfo', # 0x184
    'NtAcquireCMFViewOwnership', # 0x185
    'NtReleaseCMFViewOwnership', # 0x186
    ],
    [
    'NtGdiAbortDoc', # 0x0
    'NtGdiAbortPath', # 0x1
    'NtGdiAddFontResourceW', # 0x2
    'NtGdiAddRemoteFontToDC', # 0x3
    'NtGdiAddFontMemResourceEx', # 0x4
    'NtGdiRemoveMergeFont', # 0x5
    'NtGdiAddRemoteMMInstanceToDC', # 0x6
    'NtGdiAlphaBlend', # 0x7
    'NtGdiAngleArc', # 0x8
    'NtGdiAnyLinkedFonts', # 0x9
    'NtGdiFontIsLinked', # 0xa
    'NtGdiArcInternal', # 0xb
    'NtGdiBeginPath', # 0xc
    'NtGdiBitBlt', # 0xd
    'NtGdiCancelDC', # 0xe
    'NtGdiCheckBitmapBits', # 0xf
    'NtGdiCloseFigure', # 0x10
    'NtGdiClearBitmapAttributes', # 0x11
    'NtGdiClearBrushAttributes', # 0x12
    'NtGdiColorCorrectPalette', # 0x13
    'NtGdiCombineRgn', # 0x14
    'NtGdiCombineTransform', # 0x15
    'NtGdiComputeXformCoefficients', # 0x16
    'NtGdiConfigureOPMProtectedOutput', # 0x17
    'NtGdiConsoleTextOut', # 0x18
    'NtGdiConvertMetafileRect', # 0x19
    'NtGdiCreateBitmap', # 0x1a
    'NtGdiCreateClientObj', # 0x1b
    'NtGdiCreateColorSpace', # 0x1c
    'NtGdiCreateColorTransform', # 0x1d
    'NtGdiCreateCompatibleBitmap', # 0x1e
    'NtGdiCreateCompatibleDC', # 0x1f
    'NtGdiCreateDIBBrush', # 0x20
    'NtGdiCreateDIBitmapInternal', # 0x21
    'NtGdiCreateDIBSection', # 0x22
    'NtGdiCreateEllipticRgn', # 0x23
    'NtGdiCreateHalftonePalette', # 0x24
    'NtGdiCreateHatchBrushInternal', # 0x25
    'NtGdiCreateMetafileDC', # 0x26
    'NtGdiCreateOPMProtectedOutputs', # 0x27
    'NtGdiCreatePaletteInternal', # 0x28
    'NtGdiCreatePatternBrushInternal', # 0x29
    'NtGdiCreatePen', # 0x2a
    'NtGdiCreateRectRgn', # 0x2b
    'NtGdiCreateRoundRectRgn', # 0x2c
    'NtGdiCreateServerMetaFile', # 0x2d
    'NtGdiCreateSolidBrush', # 0x2e
    'NtGdiD3dContextCreate', # 0x2f
    'NtGdiD3dContextDestroy', # 0x30
    'NtGdiD3dContextDestroyAll', # 0x31
    'NtGdiD3dValidateTextureStageState', # 0x32
    'NtGdiD3dDrawPrimitives2', # 0x33
    'NtGdiDdGetDriverState', # 0x34
    'NtGdiDdAddAttachedSurface', # 0x35
    'NtGdiDdAlphaBlt', # 0x36
    'NtGdiDdAttachSurface', # 0x37
    'NtGdiDdBeginMoCompFrame', # 0x38
    'NtGdiDdBlt', # 0x39
    'NtGdiDdCanCreateSurface', # 0x3a
    'NtGdiDdCanCreateD3DBuffer', # 0x3b
    'NtGdiDdColorControl', # 0x3c
    'NtGdiDdCreateDirectDrawObject', # 0x3d
    'NtGdiDdCreateSurface', # 0x3e
    'NtGdiDdCreateD3DBuffer', # 0x3f
    'NtGdiDdCreateMoComp', # 0x40
    'NtGdiDdCreateSurfaceObject', # 0x41
    'NtGdiDdDeleteDirectDrawObject', # 0x42
    'NtGdiDdDeleteSurfaceObject', # 0x43
    'NtGdiDdDestroyMoComp', # 0x44
    'NtGdiDdDestroySurface', # 0x45
    'NtGdiDdDestroyD3DBuffer', # 0x46
    'NtGdiDdEndMoCompFrame', # 0x47
    'NtGdiDdFlip', # 0x48
    'NtGdiDdFlipToGDISurface', # 0x49
    'NtGdiDdGetAvailDriverMemory', # 0x4a
    'NtGdiDdGetBltStatus', # 0x4b
    'NtGdiDdGetDC', # 0x4c
    'NtGdiDdGetDriverInfo', # 0x4d
    'NtGdiDdGetDxHandle', # 0x4e
    'NtGdiDdGetFlipStatus', # 0x4f
    'NtGdiDdGetInternalMoCompInfo', # 0x50
    'NtGdiDdGetMoCompBuffInfo', # 0x51
    'NtGdiDdGetMoCompGuids', # 0x52
    'NtGdiDdGetMoCompFormats', # 0x53
    'NtGdiDdGetScanLine', # 0x54
    'NtGdiDdLock', # 0x55
    'NtGdiDdLockD3D', # 0x56
    'NtGdiDdQueryDirectDrawObject', # 0x57
    'NtGdiDdQueryMoCompStatus', # 0x58
    'NtGdiDdReenableDirectDrawObject', # 0x59
    'NtGdiDdReleaseDC', # 0x5a
    'NtGdiDdRenderMoComp', # 0x5b
    'NtGdiDdResetVisrgn', # 0x5c
    'NtGdiDdSetColorKey', # 0x5d
    'NtGdiDdSetExclusiveMode', # 0x5e
    'NtGdiDdSetGammaRamp', # 0x5f
    'NtGdiDdCreateSurfaceEx', # 0x60
    'NtGdiDdSetOverlayPosition', # 0x61
    'NtGdiDdUnattachSurface', # 0x62
    'NtGdiDdUnlock', # 0x63
    'NtGdiDdUnlockD3D', # 0x64
    'NtGdiDdUpdateOverlay', # 0x65
    'NtGdiDdWaitForVerticalBlank', # 0x66
    'NtGdiDvpCanCreateVideoPort', # 0x67
    'NtGdiDvpColorControl', # 0x68
    'NtGdiDvpCreateVideoPort', # 0x69
    'NtGdiDvpDestroyVideoPort', # 0x6a
    'NtGdiDvpFlipVideoPort', # 0x6b
    'NtGdiDvpGetVideoPortBandwidth', # 0x6c
    'NtGdiDvpGetVideoPortField', # 0x6d
    'NtGdiDvpGetVideoPortFlipStatus', # 0x6e
    'NtGdiDvpGetVideoPortInputFormats', # 0x6f
    'NtGdiDvpGetVideoPortLine', # 0x70
    'NtGdiDvpGetVideoPortOutputFormats', # 0x71
    'NtGdiDvpGetVideoPortConnectInfo', # 0x72
    'NtGdiDvpGetVideoSignalStatus', # 0x73
    'NtGdiDvpUpdateVideoPort', # 0x74
'NtGdiDvpWaitForVideoPortSync', # 0x75 'NtGdiDvpAcquireNotification', # 0x76 'NtGdiDvpReleaseNotification', # 0x77 'NtGdiDxgGenericThunk', # 0x78 'NtGdiDeleteClientObj', # 0x79 'NtGdiDeleteColorSpace', # 0x7a 'NtGdiDeleteColorTransform', # 0x7b 'NtGdiDeleteObjectApp', # 0x7c 'NtGdiDescribePixelFormat', # 0x7d 'NtGdiDestroyOPMProtectedOutput', # 0x7e 'NtGdiGetPerBandInfo', # 0x7f 'NtGdiDoBanding', # 0x80 'NtGdiDoPalette', # 0x81 'NtGdiDrawEscape', # 0x82 'NtGdiEllipse', # 0x83 'NtGdiEnableEudc', # 0x84 'NtGdiEndDoc', # 0x85 'NtGdiEndPage', # 0x86 'NtGdiEndPath', # 0x87 'NtGdiEnumFontChunk', # 0x88 'NtGdiEnumFontClose', # 0x89 'NtGdiEnumFontOpen', # 0x8a 'NtGdiEnumObjects', # 0x8b 'NtGdiEqualRgn', # 0x8c 'NtGdiEudcLoadUnloadLink', # 0x8d 'NtGdiExcludeClipRect', # 0x8e 'NtGdiExtCreatePen', # 0x8f 'NtGdiExtCreateRegion', # 0x90 'NtGdiExtEscape', # 0x91 'NtGdiExtFloodFill', # 0x92 'NtGdiExtGetObjectW', # 0x93 'NtGdiExtSelectClipRgn', # 0x94 'NtGdiExtTextOutW', # 0x95 'NtGdiFillPath', # 0x96 'NtGdiFillRgn', # 0x97 'NtGdiFlattenPath', # 0x98 'NtGdiFlush', # 0x99 'NtGdiForceUFIMapping', # 0x9a 'NtGdiFrameRgn', # 0x9b 'NtGdiFullscreenControl', # 0x9c 'NtGdiGetAndSetDCDword', # 0x9d 'NtGdiGetAppClipBox', # 0x9e 'NtGdiGetBitmapBits', # 0x9f 'NtGdiGetBitmapDimension', # 0xa0 'NtGdiGetBoundsRect', # 0xa1 'NtGdiGetCertificate', # 0xa2 'NtGdiGetCertificateSize', # 0xa3 'NtGdiGetCharABCWidthsW', # 0xa4 'NtGdiGetCharacterPlacementW', # 0xa5 'NtGdiGetCharSet', # 0xa6 'NtGdiGetCharWidthW', # 0xa7 'NtGdiGetCharWidthInfo', # 0xa8 'NtGdiGetColorAdjustment', # 0xa9 'NtGdiGetColorSpaceforBitmap', # 0xaa 'NtGdiGetCOPPCompatibleOPMInformation', # 0xab 'NtGdiGetDCDword', # 0xac 'NtGdiGetDCforBitmap', # 0xad 'NtGdiGetDCObject', # 0xae 'NtGdiGetDCPoint', # 0xaf 'NtGdiGetDeviceCaps', # 0xb0 'NtGdiGetDeviceGammaRamp', # 0xb1 'NtGdiGetDeviceCapsAll', # 0xb2 'NtGdiGetDIBitsInternal', # 0xb3 'NtGdiGetETM', # 0xb4 'NtGdiGetEudcTimeStampEx', # 0xb5 'NtGdiGetFontData', # 0xb6 
'NtGdiGetFontResourceInfoInternalW', # 0xb7 'NtGdiGetGlyphIndicesW', # 0xb8 'NtGdiGetGlyphIndicesWInternal', # 0xb9 'NtGdiGetGlyphOutline', # 0xba 'NtGdiGetOPMInformation', # 0xbb 'NtGdiGetKerningPairs', # 0xbc 'NtGdiGetLinkedUFIs', # 0xbd 'NtGdiGetMiterLimit', # 0xbe 'NtGdiGetMonitorID', # 0xbf 'NtGdiGetNearestColor', # 0xc0 'NtGdiGetNearestPaletteIndex', # 0xc1 'NtGdiGetObjectBitmapHandle', # 0xc2 'NtGdiGetOPMRandomNumber', # 0xc3 'NtGdiGetOutlineTextMetricsInternalW', # 0xc4 'NtGdiGetPath', # 0xc5 'NtGdiGetPixel', # 0xc6 'NtGdiGetRandomRgn', # 0xc7 'NtGdiGetRasterizerCaps', # 0xc8 'NtGdiGetRealizationInfo', # 0xc9 'NtGdiGetRegionData', # 0xca 'NtGdiGetRgnBox', # 0xcb 'NtGdiGetServerMetaFileBits', # 0xcc 'NtGdiGetSpoolMessage', # 0xcd 'NtGdiGetStats', # 0xce 'NtGdiGetStockObject', # 0xcf 'NtGdiGetStringBitmapW', # 0xd0 'NtGdiGetSuggestedOPMProtectedOutputArraySize', # 0xd1 'NtGdiGetSystemPaletteUse', # 0xd2 'NtGdiGetTextCharsetInfo', # 0xd3 'NtGdiGetTextExtent', # 0xd4 'NtGdiGetTextExtentExW', # 0xd5 'NtGdiGetTextFaceW', # 0xd6 'NtGdiGetTextMetricsW', # 0xd7 'NtGdiGetTransform', # 0xd8 'NtGdiGetUFI', # 0xd9 'NtGdiGetEmbUFI', # 0xda 'NtGdiGetUFIPathname', # 0xdb 'NtGdiGetEmbedFonts', # 0xdc 'NtGdiChangeGhostFont', # 0xdd 'NtGdiAddEmbFontToDC', # 0xde 'NtGdiGetFontUnicodeRanges', # 0xdf 'NtGdiGetWidthTable', # 0xe0 'NtGdiGradientFill', # 0xe1 'NtGdiHfontCreate', # 0xe2 'NtGdiIcmBrushInfo', # 0xe3 'NtGdiInit', # 0xe4 'NtGdiInitSpool', # 0xe5 'NtGdiIntersectClipRect', # 0xe6 'NtGdiInvertRgn', # 0xe7 'NtGdiLineTo', # 0xe8 'NtGdiMakeFontDir', # 0xe9 'NtGdiMakeInfoDC', # 0xea 'NtGdiMaskBlt', # 0xeb 'NtGdiModifyWorldTransform', # 0xec 'NtGdiMonoBitmap', # 0xed 'NtGdiMoveTo', # 0xee 'NtGdiOffsetClipRgn', # 0xef 'NtGdiOffsetRgn', # 0xf0 'NtGdiOpenDCW', # 0xf1 'NtGdiPatBlt', # 0xf2 'NtGdiPolyPatBlt', # 0xf3 'NtGdiPathToRegion', # 0xf4 'NtGdiPlgBlt', # 0xf5 'NtGdiPolyDraw', # 0xf6 'NtGdiPolyPolyDraw', # 0xf7 'NtGdiPolyTextOutW', # 0xf8 'NtGdiPtInRegion', # 0xf9 
'NtGdiPtVisible', # 0xfa 'NtGdiQueryFonts', # 0xfb 'NtGdiQueryFontAssocInfo', # 0xfc 'NtGdiRectangle', # 0xfd 'NtGdiRectInRegion', # 0xfe 'NtGdiRectVisible', # 0xff 'NtGdiRemoveFontResourceW', # 0x100 'NtGdiRemoveFontMemResourceEx', # 0x101 'NtGdiResetDC', # 0x102 'NtGdiResizePalette', # 0x103 'NtGdiRestoreDC', # 0x104 'NtGdiRoundRect', # 0x105 'NtGdiSaveDC', # 0x106 'NtGdiScaleViewportExtEx', # 0x107 'NtGdiScaleWindowExtEx', # 0x108 'NtGdiSelectBitmap', # 0x109 'NtGdiSelectBrush', # 0x10a 'NtGdiSelectClipPath', # 0x10b 'NtGdiSelectFont', # 0x10c 'NtGdiSelectPen', # 0x10d 'NtGdiSetBitmapAttributes', # 0x10e 'NtGdiSetBitmapBits', # 0x10f 'NtGdiSetBitmapDimension', # 0x110 'NtGdiSetBoundsRect', # 0x111 'NtGdiSetBrushAttributes', # 0x112 'NtGdiSetBrushOrg', # 0x113 'NtGdiSetColorAdjustment', # 0x114 'NtGdiSetColorSpace', # 0x115 'NtGdiSetDeviceGammaRamp', # 0x116 'NtGdiSetDIBitsToDeviceInternal', # 0x117 'NtGdiSetFontEnumeration', # 0x118 'NtGdiSetFontXform', # 0x119 'NtGdiSetIcmMode', # 0x11a 'NtGdiSetLinkedUFIs', # 0x11b 'NtGdiSetMagicColors', # 0x11c 'NtGdiSetMetaRgn', # 0x11d 'NtGdiSetMiterLimit', # 0x11e 'NtGdiGetDeviceWidth', # 0x11f 'NtGdiMirrorWindowOrg', # 0x120 'NtGdiSetLayout', # 0x121 'NtGdiSetOPMSigningKeyAndSequenceNumbers', # 0x122 'NtGdiSetPixel', # 0x123 'NtGdiSetPixelFormat', # 0x124 'NtGdiSetRectRgn', # 0x125 'NtGdiSetSystemPaletteUse', # 0x126 'NtGdiSetTextJustification', # 0x127 'NtGdiSetupPublicCFONT', # 0x128 'NtGdiSetVirtualResolution', # 0x129 'NtGdiSetSizeDevice', # 0x12a 'NtGdiStartDoc', # 0x12b 'NtGdiStartPage', # 0x12c 'NtGdiStretchBlt', # 0x12d 'NtGdiStretchDIBitsInternal', # 0x12e 'NtGdiStrokeAndFillPath', # 0x12f 'NtGdiStrokePath', # 0x130 'NtGdiSwapBuffers', # 0x131 'NtGdiTransformPoints', # 0x132 'NtGdiTransparentBlt', # 0x133 'NtGdiUnloadPrinterDriver', # 0x134 'NtGdiUnmapMemFont', # 0x135 'NtGdiUnrealizeObject', # 0x136 'NtGdiUpdateColors', # 0x137 'NtGdiWidenPath', # 0x138 'NtUserActivateKeyboardLayout', # 0x139 
'NtUserAddClipboardFormatListener', # 0x13a 'NtUserAlterWindowStyle', # 0x13b 'NtUserAssociateInputContext', # 0x13c 'NtUserAttachThreadInput', # 0x13d 'NtUserBeginPaint', # 0x13e 'NtUserBitBltSysBmp', # 0x13f 'NtUserBlockInput', # 0x140 'NtUserBuildHimcList', # 0x141 'NtUserBuildHwndList', # 0x142 'NtUserBuildNameList', # 0x143 'NtUserBuildPropList', # 0x144 'NtUserCallHwnd', # 0x145 'NtUserCallHwndLock', # 0x146 'NtUserCallHwndOpt', # 0x147 'NtUserCallHwndParam', # 0x148 'NtUserCallHwndParamLock', # 0x149 'NtUserCallMsgFilter', # 0x14a 'NtUserCallNextHookEx', # 0x14b 'NtUserCallNoParam', # 0x14c 'NtUserCallOneParam', # 0x14d 'NtUserCallTwoParam', # 0x14e 'NtUserChangeClipboardChain', # 0x14f 'NtUserChangeDisplaySettings', # 0x150 'NtUserCheckAccessForIntegrityLevel', # 0x151 'NtUserCheckDesktopByThreadId', # 0x152 'NtUserCheckWindowThreadDesktop', # 0x153 'NtUserCheckImeHotKey', # 0x154 'NtUserCheckMenuItem', # 0x155 'NtUserChildWindowFromPointEx', # 0x156 'NtUserClipCursor', # 0x157 'NtUserCloseClipboard', # 0x158 'NtUserCloseDesktop', # 0x159 'NtUserCloseWindowStation', # 0x15a 'NtUserConsoleControl', # 0x15b 'NtUserConvertMemHandle', # 0x15c 'NtUserCopyAcceleratorTable', # 0x15d 'NtUserCountClipboardFormats', # 0x15e 'NtUserCreateAcceleratorTable', # 0x15f 'NtUserCreateCaret', # 0x160 'NtUserCreateDesktopEx', # 0x161 'NtUserCreateInputContext', # 0x162 'NtUserCreateLocalMemHandle', # 0x163 'NtUserCreateWindowEx', # 0x164 'NtUserCreateWindowStation', # 0x165 'NtUserDdeInitialize', # 0x166 'NtUserDeferWindowPos', # 0x167 'NtUserDefSetText', # 0x168 'NtUserDeleteMenu', # 0x169 'NtUserDestroyAcceleratorTable', # 0x16a 'NtUserDestroyCursor', # 0x16b 'NtUserDestroyInputContext', # 0x16c 'NtUserDestroyMenu', # 0x16d 'NtUserDestroyWindow', # 0x16e 'NtUserDisableThreadIme', # 0x16f 'NtUserDispatchMessage', # 0x170 'NtUserDoSoundConnect', # 0x171 'NtUserDoSoundDisconnect', # 0x172 'NtUserDragDetect', # 0x173 'NtUserDragObject', # 0x174 'NtUserDrawAnimatedRects', # 0x175 
'NtUserDrawCaption', # 0x176 'NtUserDrawCaptionTemp', # 0x177 'NtUserDrawIconEx', # 0x178 'NtUserDrawMenuBarTemp', # 0x179 'NtUserEmptyClipboard', # 0x17a 'NtUserEnableMenuItem', # 0x17b 'NtUserEnableScrollBar', # 0x17c 'NtUserEndDeferWindowPosEx', # 0x17d 'NtUserEndMenu', # 0x17e 'NtUserEndPaint', # 0x17f 'NtUserEnumDisplayDevices', # 0x180 'NtUserEnumDisplayMonitors', # 0x181 'NtUserEnumDisplaySettings', # 0x182 'NtUserEvent', # 0x183 'NtUserExcludeUpdateRgn', # 0x184 'NtUserFillWindow', # 0x185 'NtUserFindExistingCursorIcon', # 0x186 'NtUserFindWindowEx', # 0x187 'NtUserFlashWindowEx', # 0x188 'NtUserFrostCrashedWindow', # 0x189 'NtUserGetAltTabInfo', # 0x18a 'NtUserGetAncestor', # 0x18b 'NtUserGetAppImeLevel', # 0x18c 'NtUserGetAsyncKeyState', # 0x18d 'NtUserGetAtomName', # 0x18e 'NtUserGetCaretBlinkTime', # 0x18f 'NtUserGetCaretPos', # 0x190 'NtUserGetClassInfoEx', # 0x191 'NtUserGetClassName', # 0x192 'NtUserGetClipboardData', # 0x193 'NtUserGetClipboardFormatName', # 0x194 'NtUserGetClipboardOwner', # 0x195 'NtUserGetClipboardSequenceNumber', # 0x196 'NtUserGetClipboardViewer', # 0x197 'NtUserGetClipCursor', # 0x198 'NtUserGetComboBoxInfo', # 0x199 'NtUserGetControlBrush', # 0x19a 'NtUserGetControlColor', # 0x19b 'NtUserGetCPD', # 0x19c 'NtUserGetCursorFrameInfo', # 0x19d 'NtUserGetCursorInfo', # 0x19e 'NtUserGetDC', # 0x19f 'NtUserGetDCEx', # 0x1a0 'NtUserGetDoubleClickTime', # 0x1a1 'NtUserGetForegroundWindow', # 0x1a2 'NtUserGetGuiResources', # 0x1a3 'NtUserGetGUIThreadInfo', # 0x1a4 'NtUserGetIconInfo', # 0x1a5 'NtUserGetIconSize', # 0x1a6 'NtUserGetImeHotKey', # 0x1a7 'NtUserGetImeInfoEx', # 0x1a8 'NtUserGetInternalWindowPos', # 0x1a9 'NtUserGetKeyboardLayoutList', # 0x1aa 'NtUserGetKeyboardLayoutName', # 0x1ab 'NtUserGetKeyboardState', # 0x1ac 'NtUserGetKeyNameText', # 0x1ad 'NtUserGetKeyState', # 0x1ae 'NtUserGetListBoxInfo', # 0x1af 'NtUserGetMenuBarInfo', # 0x1b0 'NtUserGetMenuIndex', # 0x1b1 'NtUserGetMenuItemRect', # 0x1b2 'NtUserGetMessage', # 
0x1b3 'NtUserGetMouseMovePointsEx', # 0x1b4 'NtUserGetObjectInformation', # 0x1b5 'NtUserGetOpenClipboardWindow', # 0x1b6 'NtUserGetPriorityClipboardFormat', # 0x1b7 'NtUserGetProcessWindowStation', # 0x1b8 'NtUserGetRawInputBuffer', # 0x1b9 'NtUserGetRawInputData', # 0x1ba 'NtUserGetRawInputDeviceInfo', # 0x1bb 'NtUserGetRawInputDeviceList', # 0x1bc 'NtUserGetRegisteredRawInputDevices', # 0x1bd 'NtUserGetScrollBarInfo', # 0x1be 'NtUserGetSystemMenu', # 0x1bf 'NtUserGetThreadDesktop', # 0x1c0 'NtUserGetThreadState', # 0x1c1 'NtUserGetTitleBarInfo', # 0x1c2 'NtUserGetUpdatedClipboardFormats', # 0x1c3 'NtUserGetUpdateRect', # 0x1c4 'NtUserGetUpdateRgn', # 0x1c5 'NtUserGetWindowDC', # 0x1c6 'NtUserGetWindowPlacement', # 0x1c7 'NtUserGetWOWClass', # 0x1c8 'NtUserGhostWindowFromHungWindow', # 0x1c9 'NtUserHardErrorControl', # 0x1ca 'NtUserHideCaret', # 0x1cb 'NtUserHiliteMenuItem', # 0x1cc 'NtUserHungWindowFromGhostWindow', # 0x1cd 'NtUserImpersonateDdeClientWindow', # 0x1ce 'NtUserInitialize', # 0x1cf 'NtUserInitializeClientPfnArrays', # 0x1d0 'NtUserInitTask', # 0x1d1 'NtUserInternalGetWindowText', # 0x1d2 'NtUserInternalGetWindowIcon', # 0x1d3 'NtUserInvalidateRect', # 0x1d4 'NtUserInvalidateRgn', # 0x1d5 'NtUserIsClipboardFormatAvailable', # 0x1d6 'NtUserKillTimer', # 0x1d7 'NtUserLoadKeyboardLayoutEx', # 0x1d8 'NtUserLockWindowStation', # 0x1d9 'NtUserLockWindowUpdate', # 0x1da 'NtUserLockWorkStation', # 0x1db 'NtUserLogicalToPhysicalPoint', # 0x1dc 'NtUserMapVirtualKeyEx', # 0x1dd 'NtUserMenuItemFromPoint', # 0x1de 'NtUserMessageCall', # 0x1df 'NtUserMinMaximize', # 0x1e0 'NtUserMNDragLeave', # 0x1e1 'NtUserMNDragOver', # 0x1e2 'NtUserModifyUserStartupInfoFlags', # 0x1e3 'NtUserMoveWindow', # 0x1e4 'NtUserNotifyIMEStatus', # 0x1e5 'NtUserNotifyProcessCreate', # 0x1e6 'NtUserNotifyWinEvent', # 0x1e7 'NtUserOpenClipboard', # 0x1e8 'NtUserOpenDesktop', # 0x1e9 'NtUserOpenInputDesktop', # 0x1ea 'NtUserOpenThreadDesktop', # 0x1eb 'NtUserOpenWindowStation', # 0x1ec 
'NtUserPaintDesktop', # 0x1ed 'NtUserPaintMonitor', # 0x1ee 'NtUserPeekMessage', # 0x1ef 'NtUserPhysicalToLogicalPoint', # 0x1f0 'NtUserPostMessage', # 0x1f1 'NtUserPostThreadMessage', # 0x1f2 'NtUserPrintWindow', # 0x1f3 'NtUserProcessConnect', # 0x1f4 'NtUserQueryInformationThread', # 0x1f5 'NtUserQueryInputContext', # 0x1f6 'NtUserQuerySendMessage', # 0x1f7 'NtUserQueryWindow', # 0x1f8 'NtUserRealChildWindowFromPoint', # 0x1f9 'NtUserRealInternalGetMessage', # 0x1fa 'NtUserRealWaitMessageEx', # 0x1fb 'NtUserRedrawWindow', # 0x1fc 'NtUserRegisterClassExWOW', # 0x1fd 'NtUserRegisterErrorReportingDialog', # 0x1fe 'NtUserRegisterUserApiHook', # 0x1ff 'NtUserRegisterHotKey', # 0x200 'NtUserRegisterRawInputDevices', # 0x201 'NtUserRegisterTasklist', # 0x202 'NtUserRegisterWindowMessage', # 0x203 'NtUserRemoveClipboardFormatListener', # 0x204 'NtUserRemoveMenu', # 0x205 'NtUserRemoveProp', # 0x206 'NtUserResolveDesktop', # 0x207 'NtUserResolveDesktopForWOW', # 0x208 'NtUserSBGetParms', # 0x209 'NtUserScrollDC', # 0x20a 'NtUserScrollWindowEx', # 0x20b 'NtUserSelectPalette', # 0x20c 'NtUserSendInput', # 0x20d 'NtUserSetActiveWindow', # 0x20e 'NtUserSetAppImeLevel', # 0x20f 'NtUserSetCapture', # 0x210 'NtUserSetClassLong', # 0x211 'NtUserSetClassWord', # 0x212 'NtUserSetClipboardData', # 0x213 'NtUserSetClipboardViewer', # 0x214 'NtUserSetConsoleReserveKeys', # 0x215 'NtUserSetCursor', # 0x216 'NtUserSetCursorContents', # 0x217 'NtUserSetCursorIconData', # 0x218 'NtUserSetFocus', # 0x219 'NtUserSetImeHotKey', # 0x21a 'NtUserSetImeInfoEx', # 0x21b 'NtUserSetImeOwnerWindow', # 0x21c 'NtUserSetInformationProcess', # 0x21d 'NtUserSetInformationThread', # 0x21e 'NtUserSetInternalWindowPos', # 0x21f 'NtUserSetKeyboardState', # 0x220 'NtUserSetMenu', # 0x221 'NtUserSetMenuContextHelpId', # 0x222 'NtUserSetMenuDefaultItem', # 0x223 'NtUserSetMenuFlagRtoL', # 0x224 'NtUserSetObjectInformation', # 0x225 'NtUserSetParent', # 0x226 'NtUserSetProcessWindowStation', # 0x227 
'NtUserGetProp', # 0x228 'NtUserSetProp', # 0x229 'NtUserSetScrollInfo', # 0x22a 'NtUserSetShellWindowEx', # 0x22b 'NtUserSetSysColors', # 0x22c 'NtUserSetSystemCursor', # 0x22d 'NtUserSetSystemMenu', # 0x22e 'NtUserSetSystemTimer', # 0x22f 'NtUserSetThreadDesktop', # 0x230 'NtUserSetThreadLayoutHandles', # 0x231 'NtUserSetThreadState', # 0x232 'NtUserSetTimer', # 0x233 'NtUserSetProcessDPIAware', # 0x234 'NtUserSetWindowFNID', # 0x235 'NtUserSetWindowLong', # 0x236 'NtUserSetWindowPlacement', # 0x237 'NtUserSetWindowPos', # 0x238 'NtUserSetWindowRgn', # 0x239 'NtUserGetWindowRgnEx', # 0x23a 'NtUserSetWindowRgnEx', # 0x23b 'NtUserSetWindowsHookAW', # 0x23c 'NtUserSetWindowsHookEx', # 0x23d 'NtUserSetWindowStationUser', # 0x23e 'NtUserSetWindowWord', # 0x23f 'NtUserSetWinEventHook', # 0x240 'NtUserShowCaret', # 0x241 'NtUserShowScrollBar', # 0x242 'NtUserShowWindow', # 0x243 'NtUserShowWindowAsync', # 0x244 'NtUserSoundSentry', # 0x245 'NtUserSwitchDesktop', # 0x246 'NtUserSystemParametersInfo', # 0x247 'NtUserTestForInteractiveUser', # 0x248 'NtUserThunkedMenuInfo', # 0x249 'NtUserThunkedMenuItemInfo', # 0x24a 'NtUserToUnicodeEx', # 0x24b 'NtUserTrackMouseEvent', # 0x24c 'NtUserTrackPopupMenuEx', # 0x24d 'NtUserCalcMenuBar', # 0x24e 'NtUserPaintMenuBar', # 0x24f 'NtUserTranslateAccelerator', # 0x250 'NtUserTranslateMessage', # 0x251 'NtUserUnhookWindowsHookEx', # 0x252 'NtUserUnhookWinEvent', # 0x253 'NtUserUnloadKeyboardLayout', # 0x254 'NtUserUnlockWindowStation', # 0x255 'NtUserUnregisterClass', # 0x256 'NtUserUnregisterUserApiHook', # 0x257 'NtUserUnregisterHotKey', # 0x258 'NtUserUpdateInputContext', # 0x259 'NtUserUpdateInstance', # 0x25a 'NtUserUpdateLayeredWindow', # 0x25b 'NtUserGetLayeredWindowAttributes', # 0x25c 'NtUserSetLayeredWindowAttributes', # 0x25d 'NtUserUpdatePerUserSystemParameters', # 0x25e 'NtUserUserHandleGrantAccess', # 0x25f 'NtUserValidateHandleSecure', # 0x260 'NtUserValidateRect', # 0x261 'NtUserValidateTimerCallback', # 0x262 
'NtUserVkKeyScanEx', # 0x263 'NtUserWaitForInputIdle', # 0x264 'NtUserWaitForMsgAndEvent', # 0x265 'NtUserWaitMessage', # 0x266 'NtUserWin32PoolAllocationStats', # 0x267 'NtUserWindowFromPhysicalPoint', # 0x268 'NtUserWindowFromPoint', # 0x269 'NtUserYieldTask', # 0x26a 'NtUserRemoteConnect', # 0x26b 'NtUserRemoteRedrawRectangle', # 0x26c 'NtUserRemoteRedrawScreen', # 0x26d 'NtUserRemoteStopScreenUpdates', # 0x26e 'NtUserCtxDisplayIOCtl', # 0x26f 'NtUserRegisterSessionPort', # 0x270 'NtUserUnregisterSessionPort', # 0x271 'NtUserUpdateWindowTransform', # 0x272 'NtUserDwmStartRedirection', # 0x273 'NtUserDwmStopRedirection', # 0x274 'NtUserDwmHintDxUpdate', # 0x275 'NtUserDwmGetDxRgn', # 0x276 'NtUserGetWindowMinimizeRect', # 0x277 'NtGdiEngAssociateSurface', # 0x278 'NtGdiEngCreateBitmap', # 0x279 'NtGdiEngCreateDeviceSurface', # 0x27a 'NtGdiEngCreateDeviceBitmap', # 0x27b 'NtGdiEngCreatePalette', # 0x27c 'NtGdiEngComputeGlyphSet', # 0x27d 'NtGdiEngCopyBits', # 0x27e 'NtGdiEngDeletePalette', # 0x27f 'NtGdiEngDeleteSurface', # 0x280 'NtGdiEngEraseSurface', # 0x281 'NtGdiEngUnlockSurface', # 0x282 'NtGdiEngLockSurface', # 0x283 'NtGdiEngBitBlt', # 0x284 'NtGdiEngStretchBlt', # 0x285 'NtGdiEngPlgBlt', # 0x286 'NtGdiEngMarkBandingSurface', # 0x287 'NtGdiEngStrokePath', # 0x288 'NtGdiEngFillPath', # 0x289 'NtGdiEngStrokeAndFillPath', # 0x28a 'NtGdiEngPaint', # 0x28b 'NtGdiEngLineTo', # 0x28c 'NtGdiEngAlphaBlend', # 0x28d 'NtGdiEngGradientFill', # 0x28e 'NtGdiEngTransparentBlt', # 0x28f 'NtGdiEngTextOut', # 0x290 'NtGdiEngStretchBltROP', # 0x291 'NtGdiXLATEOBJ_cGetPalette', # 0x292 'NtGdiXLATEOBJ_iXlate', # 0x293 'NtGdiXLATEOBJ_hGetColorTransform', # 0x294 'NtGdiCLIPOBJ_bEnum', # 0x295 'NtGdiCLIPOBJ_cEnumStart', # 0x296 'NtGdiCLIPOBJ_ppoGetPath', # 0x297 'NtGdiEngDeletePath', # 0x298 'NtGdiEngCreateClip', # 0x299 'NtGdiEngDeleteClip', # 0x29a 'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x29b 'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x29c 'NtGdiBRUSHOBJ_pvGetRbrush', # 0x29d 
'NtGdiBRUSHOBJ_hGetColorTransform', # 0x29e 'NtGdiXFORMOBJ_bApplyXform', # 0x29f 'NtGdiXFORMOBJ_iGetXform', # 0x2a0 'NtGdiFONTOBJ_vGetInfo', # 0x2a1 'NtGdiFONTOBJ_pxoGetXform', # 0x2a2 'NtGdiFONTOBJ_cGetGlyphs', # 0x2a3 'NtGdiFONTOBJ_pifi', # 0x2a4 'NtGdiFONTOBJ_pfdg', # 0x2a5 'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x2a6 'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x2a7 'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x2a8 'NtGdiSTROBJ_bEnum', # 0x2a9 'NtGdiSTROBJ_bEnumPositionsOnly', # 0x2aa 'NtGdiSTROBJ_bGetAdvanceWidths', # 0x2ab 'NtGdiSTROBJ_vEnumStart', # 0x2ac 'NtGdiSTROBJ_dwGetCodePage', # 0x2ad 'NtGdiPATHOBJ_vGetBounds', # 0x2ae 'NtGdiPATHOBJ_bEnum', # 0x2af 'NtGdiPATHOBJ_vEnumStart', # 0x2b0 'NtGdiPATHOBJ_vEnumStartClipLines', # 0x2b1 'NtGdiPATHOBJ_bEnumClipLines', # 0x2b2 'NtGdiGetDhpdev', # 0x2b3 'NtGdiEngCheckAbort', # 0x2b4 'NtGdiHT_Get8BPPFormatPalette', # 0x2b5 'NtGdiHT_Get8BPPMaskPalette', # 0x2b6 'NtGdiUpdateTransform', # 0x2b7 'NtGdiSetPUMPDOBJ', # 0x2b8 'NtGdiBRUSHOBJ_DeleteRbrush', # 0x2b9 'NtGdiUMPDEngFreeUserMem', # 0x2ba 'NtGdiDrawStream', # 0x2bb 'NtGdiDwmGetDirtyRgn', # 0x2bc 'NtGdiDwmGetSurfaceData', # 0x2bd 'NtGdiDdDDICreateAllocation', # 0x2be 'NtGdiDdDDIQueryResourceInfo', # 0x2bf 'NtGdiDdDDIOpenResource', # 0x2c0 'NtGdiDdDDIDestroyAllocation', # 0x2c1 'NtGdiDdDDISetAllocationPriority', # 0x2c2 'NtGdiDdDDIQueryAllocationResidency', # 0x2c3 'NtGdiDdDDICreateDevice', # 0x2c4 'NtGdiDdDDIDestroyDevice', # 0x2c5 'NtGdiDdDDICreateContext', # 0x2c6 'NtGdiDdDDIDestroyContext', # 0x2c7 'NtGdiDdDDICreateSynchronizationObject', # 0x2c8 'NtGdiDdDDIDestroySynchronizationObject', # 0x2c9 'NtGdiDdDDIWaitForSynchronizationObject', # 0x2ca 'NtGdiDdDDISignalSynchronizationObject', # 0x2cb 'NtGdiDdDDIGetRuntimeData', # 0x2cc 'NtGdiDdDDIQueryAdapterInfo', # 0x2cd 'NtGdiDdDDILock', # 0x2ce 'NtGdiDdDDIUnlock', # 0x2cf 'NtGdiDdDDIGetDisplayModeList', # 0x2d0 'NtGdiDdDDISetDisplayMode', # 0x2d1 'NtGdiDdDDIGetMultisampleMethodList', # 0x2d2 'NtGdiDdDDIPresent', # 0x2d3 
'NtGdiDdDDIRender', # 0x2d4 'NtGdiDdDDIOpenAdapterFromDeviceName', # 0x2d5 'NtGdiDdDDIOpenAdapterFromHdc', # 0x2d6 'NtGdiDdDDICloseAdapter', # 0x2d7 'NtGdiDdDDIGetSharedPrimaryHandle', # 0x2d8 'NtGdiDdDDIEscape', # 0x2d9 'NtGdiDdDDIQueryStatistics', # 0x2da 'NtGdiDdDDISetVidPnSourceOwner', # 0x2db 'NtGdiDdDDIGetPresentHistory', # 0x2dc 'NtGdiDdDDICreateOverlay', # 0x2dd 'NtGdiDdDDIUpdateOverlay', # 0x2de 'NtGdiDdDDIFlipOverlay', # 0x2df 'NtGdiDdDDIDestroyOverlay', # 0x2e0 'NtGdiDdDDIWaitForVerticalBlankEvent', # 0x2e1 'NtGdiDdDDISetGammaRamp', # 0x2e2 'NtGdiDdDDIGetDeviceState', # 0x2e3 'NtGdiDdDDICreateDCFromMemory', # 0x2e4 'NtGdiDdDDIDestroyDCFromMemory', # 0x2e5 'NtGdiDdDDISetContextSchedulingPriority', # 0x2e6 'NtGdiDdDDIGetContextSchedulingPriority', # 0x2e7 'NtGdiDdDDISetProcessSchedulingPriorityClass', # 0x2e8 'NtGdiDdDDIGetProcessSchedulingPriorityClass', # 0x2e9 'NtGdiDdDDIReleaseProcessVidPnSourceOwners', # 0x2ea 'NtGdiDdDDIGetScanLine', # 0x2eb 'NtGdiDdDDISetQueuedLimit', # 0x2ec 'NtGdiDdDDIPollDisplayChildren', # 0x2ed 'NtGdiDdDDIInvalidateActiveVidPn', # 0x2ee 'NtGdiDdDDICheckOcclusion', # 0x2ef 'NtGdiDdDDIWaitForIdle', # 0x2f0 'NtGdiDdDDICheckMonitorPowerState', # 0x2f1 'NtGdiDdDDICheckExclusiveOwnership', # 0x2f2 'NtGdiDdDDISetDisplayPrivateDriverFormat', # 0x2f3 'NtGdiDdDDISharedPrimaryLockNotification', # 0x2f4 'NtGdiDdDDISharedPrimaryUnLockNotification', # 0x2f5 'DxgStubEnableDirectDrawRedirection', # 0x2f6 'DxgStubDeleteDirectDrawObject', # 0x2f7 'NtGdiGetNumberOfPhysicalMonitors', # 0x2f8 'NtGdiGetPhysicalMonitors', # 0x2f9 'NtGdiGetPhysicalMonitorDescription', # 0x2fa 'NtGdiDestroyPhysicalMonitor', # 0x2fb 'NtGdiDDCCIGetVCPFeature', # 0x2fc 'NtGdiDDCCISetVCPFeature', # 0x2fd 'NtGdiDDCCISaveCurrentSettings', # 0x2fe 'NtGdiDDCCIGetCapabilitiesStringLength', # 0x2ff 'NtGdiDDCCIGetCapabilitiesString', # 0x300 'NtGdiDDCCIGetTimingReport', # 0x301 'NtUserSetMirrorRendering', # 0x302 'NtUserShowSystemCursor', # 0x303 ], ] 
volatility-2.3.1/volatility/plugins/overlays/windows/win7_sp1_x64_vtypes.py0000644000175000017500000172707411732225561027212 0ustar mikemike00000000000000ntkrnlmp_types = { '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, ['pointer64', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x28, ['unsigned char']], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x300, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, 
['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x80, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x88, ['unsigned long']], 'LastCallbackId' : [ 0x8c, ['unsigned long']], 'PostCount' : [ 0x100, ['unsigned long']], 'ReturnCount' : [ 0x180, ['unsigned long']], 'LogSequenceNumber' : [ 0x200, ['unsigned long']], 'UserLock' : [ 0x280, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x288, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_ETW_WMITRACE_WORK' : [ 0xf0, { 'LoggerId' : [ 0x0, ['unsigned long']], 'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]], 'FileName' : [ 0x49, ['array', 129, ['unsigned char']]], 'MaximumFileSize' : [ 0xcc, ['unsigned long']], 'MinBuffers' : [ 0xd0, ['unsigned long']], 'MaxBuffers' : [ 0xd4, ['unsigned long']], 'BufferSize' : [ 0xd8, ['unsigned long']], 'Mode' : [ 0xdc, ['unsigned long']], 'FlushTimer' : [ 0xe0, ['unsigned long']], 'MatchAny' : [ 0x8, ['unsigned long long']], 'MatchAll' : [ 0x10, ['unsigned long long']], 'EnableProperty' : [ 0x18, ['unsigned long']], 'Guid' : [ 0x1c, ['_GUID']], 'Level' : [ 0x2c, ['unsigned char']], 'Status' : [ 0xe8, ['long']], } ], '_DEVICE_MAP' : [ 0x40, { 'DosDevicesDirectory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', 
['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x10, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'DriveMap' : [ 0x1c, ['unsigned long']], 'DriveType' : [ 0x20, ['array', 32, ['unsigned char']]], } ], '_HEAP_DEBUGGING_INFORMATION' : [ 0x30, { 'InterceptorFunction' : [ 0x0, ['pointer64', ['void']]], 'InterceptorValue' : [ 0x8, ['unsigned short']], 'ExtendedOptions' : [ 0xc, ['unsigned long']], 'StackTraceDepth' : [ 0x10, ['unsigned long']], 'MinTotalBlockSize' : [ 0x18, ['unsigned long long']], 'MaxTotalBlockSize' : [ 0x20, ['unsigned long long']], 'HeapLeakEnumerationRoutine' : [ 0x28, ['pointer64', ['void']]], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x38, { 'BasePhysicalPage' : [ 0x0, ['unsigned long long']], 'BasedPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'BankSize' : [ 0x10, ['unsigned long']], 'BankShift' : [ 0x14, ['unsigned long']], 'BankedRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'CurrentMappedPte' : [ 0x28, ['pointer64', ['_MMPTE']]], 'BankTemplate' : [ 0x30, ['array', 1, ['_MMPTE']]], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_XSAVE_AREA_HEADER' : [ 0x40, { 'Mask' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['array', 7, ['unsigned long long']]], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, 
['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x68, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceNode' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'Context' : [ 0x18, ['pointer64', ['void']]], 'CompletionState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'IrpPended' : [ 0x24, ['unsigned long']], 'Status' : [ 0x28, ['long']], 'Information' : [ 0x30, ['pointer64', ['void']]], 'WorkItem' : [ 0x38, ['_WORK_QUEUE_ITEM']], 'FailingDriver' : [ 0x58, ['pointer64', ['_DRIVER_OBJECT']]], 'ReferenceCount' : [ 0x60, ['long']], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, ['unsigned long long']], 'Rsp2' : [ 0x14, ['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '_EVENT_FILTER_HEADER' : [ 0x18, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]],
'InstanceId' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long']], 'NextOffset' : [ 0x14, ['unsigned long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', ['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x30, { 'StartingVa' : [ 0x0, ['pointer64', ['void']]], 'EndingVa' : [ 0x8, ['pointer64', ['void']]], 'Parent' : [ 0x10, ['pointer64', ['void']]], 'LeftChild' : [ 0x18, ['pointer64', ['void']]], 'RightChild' : [ 0x20, ['pointer64', ['void']]], 'Segment' : [ 0x28, ['pointer64', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x60, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' :
[ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0x18, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x10, ['unsigned long long']], } ], '__unnamed_205c' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_PERF_STATES' : [ 0xb0, { 'Count' : [ 0x0, ['unsigned long']], 'MaxFrequency' : [ 0x4, ['unsigned long']], 'PStateCap' : [ 0x8, ['unsigned long']], 'TStateCap' : [ 0xc, ['unsigned long']], 'MaxPerfState' : [ 0x10, ['unsigned long']], 'MinPerfState' : [ 0x14, ['unsigned long']], 'LowestPState' : [ 0x18, ['unsigned long']], 'IncreaseTime' : [ 0x1c, ['unsigned long']], 'DecreaseTime' : [ 0x20, ['unsigned long']], 'BusyAdjThreshold' : [ 
0x24, ['unsigned char']], 'Reserved' : [ 0x25, ['unsigned char']], 'ThrottleStatesOnly' : [ 0x26, ['unsigned char']], 'PolicyType' : [ 0x27, ['unsigned char']], 'TimerInterval' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['__unnamed_205c']], 'TargetProcessors' : [ 0x30, ['_KAFFINITY_EX']], 'PStateHandler' : [ 0x58, ['pointer64', ['void']]], 'PStateContext' : [ 0x60, ['unsigned long long']], 'TStateHandler' : [ 0x68, ['pointer64', ['void']]], 'TStateContext' : [ 0x70, ['unsigned long long']], 'FeedbackHandler' : [ 0x78, ['pointer64', ['void']]], 'GetFFHThrottleState' : [ 0x80, ['pointer64', ['void']]], 'State' : [ 0x88, ['array', 1, ['_PPM_PERF_STATE']]], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, ['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_KTIMER' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x18, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Dpc' : [ 0x30, ['pointer64', ['_KDPC']]], 'Processor' : [ 0x38, ['unsigned long']], 'Period' : [ 0x3c, ['unsigned long']], } ], '_RTL_ATOM_TABLE' : [ 0x70, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x8, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x30, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x60, ['unsigned long']], 'Buckets' : [ 0x68, ['array', 1, 
['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POP_POWER_ACTION' : [ 0xc0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 
'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x38, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x40, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x48, ['unsigned long long']], 'SleepTime' : [ 0x50, ['unsigned long long']], 'ProgrammedRTCTime' : [ 0x58, ['unsigned long long']], 'WakeOnRTC' : [ 0x60, ['unsigned char']], 'WakeTimerInfo' : [ 0x68, ['pointer64', ['_DIAGNOSTIC_BUFFER']]], 'FilteredCapabilities' : [ 0x70, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x68, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x10, ['_LIST_ENTRY']], 'PowerParents' : [ 0x20, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x38, ['unsigned char']], 'DeviceObject' : [ 0x40, ['pointer64', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x48, ['pointer64', ['unsigned short']]], 'DriverName' : [ 0x50, 
['pointer64', ['unsigned short']]], 'ChildCount' : [ 0x58, ['unsigned long']], 'ActiveChild' : [ 0x5c, ['unsigned long']], 'ParentCount' : [ 0x60, ['unsigned long']], 'ActiveParent' : [ 0x64, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x228, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTransitions' : [ 0x8, ['unsigned long']], 'FailedTransitions' : [ 0xc, ['unsigned long']], 'InvalidBucketIndex' : [ 0x10, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x28, ['array', 16, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x8, { 'PageHashes' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_209e' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_20a0' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 
'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0x10, ['__unnamed_209e']], 'Button' : [ 0x10, ['__unnamed_20a0']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, ['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 
0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_LOADER_PARAMETER_EXTENSION' : [ 0x148, { 'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 
'EmInfFileImage' : [ 0x18, ['pointer64', ['void']]], 'EmInfFileSize' : [ 0x20, ['unsigned long']], 'TriageDumpBlock' : [ 0x28, ['pointer64', ['void']]], 'LoaderPagesSpanned' : [ 0x30, ['unsigned long long']], 'HeadlessLoaderBlock' : [ 0x38, ['pointer64', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x40, ['pointer64', ['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x48, ['pointer64', ['void']]], 'DrvDBSize' : [ 0x50, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x58, ['pointer64', ['_NETWORK_LOADER_BLOCK']]], 'FirmwareDescriptorListHead' : [ 0x60, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x70, ['pointer64', ['void']]], 'AcpiTableSize' : [ 0x78, ['unsigned long']], 'LastBootSucceeded' : [ 0x7c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LastBootShutdown' : [ 0x7c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPortAccessSupported' : [ 0x7c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x7c, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'LoaderPerformanceData' : [ 0x80, ['pointer64', ['_LOADER_PERFORMANCE_DATA']]], 'BootApplicationPersistentData' : [ 0x88, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0x98, ['pointer64', ['void']]], 'BootIdentifier' : [ 0xa0, ['_GUID']], 'ResumePages' : [ 0xb0, ['unsigned long']], 'DumpHeader' : [ 0xb8, ['pointer64', ['void']]], 'BgContext' : [ 0xc0, ['pointer64', ['void']]], 'NumaLocalityInfo' : [ 0xc8, ['pointer64', ['void']]], 'NumaGroupAssignment' : [ 0xd0, ['pointer64', ['void']]], 'AttachedHives' : [ 0xd8, ['_LIST_ENTRY']], 'MemoryCachingRequirementsCount' : [ 0xe8, ['unsigned long']], 'MemoryCachingRequirements' : [ 0xf0, ['pointer64', ['void']]], 'TpmBootEntropyResult' : [ 0xf8, ['_TPM_BOOT_ENTROPY_LDR_RESULT']], 'ProcessorCounterFrequency' : [ 0x140, ['unsigned long long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 
0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x20, ['pointer64', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '_KUMS_CONTEXT_HEADER' : [ 0x70, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'StackTop' : [ 0x20, ['pointer64', ['void']]], 'StackSize' : [ 0x28, ['unsigned long long']], 'RspOffset' : [ 0x30, ['unsigned long long']], 'Rip' : [ 0x38, ['unsigned long long']], 'FltSave' : [ 0x40, ['pointer64', ['_XSAVE_FORMAT']]], 'Volatile' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x48, ['BitField', dict(start_bit = 1, end_bit = 64, native_type='unsigned long long')]], 'Flags' : [ 0x48, ['unsigned long long']], 'TrapFrame' : [ 0x50, ['pointer64', ['_KTRAP_FRAME']]], 'ExceptionFrame' : [ 0x58, ['pointer64', ['_KEXCEPTION_FRAME']]], 'SourceThread' : [ 0x60, ['pointer64', ['_KTHREAD']]], 'Return' : [ 0x68, ['unsigned long long']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x400, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 
0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x3f0, ['unsigned long long']], 'EnvironmentVersion' : [ 0x3f8, ['unsigned long long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '_RTL_SRWLOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_ALPC_MESSAGE_ZONE' : [ 0x30, { 'Mdl' : [ 0x0, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x8, ['pointer64', 
['void']]], 'UserLimit' : [ 0x10, ['pointer64', ['void']]], 'SystemVa' : [ 0x18, ['pointer64', ['void']]], 'SystemLimit' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x28, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x20, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_PROC_HISTORY_ENTRY' : [ 0x4, { 'Utility' : [ 0x0, ['unsigned short']], 'Frequency' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], } ], '_KSPECIAL_REGISTERS' : [ 0xd8, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']],
'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3:
'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'BlockSize' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'PoolType' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x18, { 'RefCount' : [ 0x0, ['long']], 'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 0x8, ['pointer64', ['_ETW_REG_ENTRY']]], 'Caller' : [ 0x10, ['pointer64', ['void']]], } ], '_PEB64' : [ 0x380, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']],
'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'IFEOKey' : [ 0x48, ['unsigned long long']], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'UserSharedInfoPtr' : [ 0x58, ['unsigned long long']],
'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'HotpatchInformation' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, 
['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['unsigned long long']], 'WerShipAssertPtr' : [ 0x360, ['unsigned long long']], 'pContextData' : [ 0x368, ['unsigned long long']], 'pImageHeaderHash' : [ 0x370, ['unsigned long long']], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 'ImageFileName' : [ 0x0, ['pointer64', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], 
'_VF_POOL_TRACE' : [ 0x80, { 'Address' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '__unnamed_2145' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1f80, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_2145']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x20, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x28, ['unsigned long long']], 'NonPagablePages' : [ 0x30, ['unsigned long long']], 'CommittedPages' : [ 0x38, ['unsigned long long']], 'PagedPoolStart' : [ 0x40, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x48, ['pointer64', ['void']]], 'SessionObject' : [ 0x50, ['pointer64', ['void']]], 'SessionObjectHandle' : [ 0x58, ['pointer64', ['void']]], 'ResidentProcessCount' : [ 0x60, ['long']], 'SessionPoolAllocationFailures' : [ 0x64, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x78, ['_LIST_ENTRY']], 'LocaleId' : [ 0x88, ['unsigned long']], 'AttachCount' : [ 0x8c, ['unsigned long']], 'AttachGate' : [ 0x90, ['_KGATE']], 'WsListEntry' : [ 0xa8, ['_LIST_ENTRY']], 'Lookaside' : [ 0xc0, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb40, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xb98, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xc00, ['_MMSUPPORT']], 'Wsle' : [ 0xc88, ['pointer64', ['_MMWSLE']]], 'DriverUnload' : [ 0xc90, ['pointer64', ['void']]], 'PagedPool' : [ 0xcc0, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1e00, ['_MMPTE']], 'SessionVaLock' : [ 0x1e08, ['_KGUARDED_MUTEX']], 'DynamicVaBitMap' : [ 0x1e40, ['_RTL_BITMAP']], 'DynamicVaHint' : [ 0x1e50, ['unsigned long']], 'SpecialPool' : [ 0x1e58, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1ea0, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 
0x1ed8, ['long']], 'PagedPoolPdeCount' : [ 0x1edc, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1ee0, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1ee4, ['unsigned long']], 'SystemPteInfo' : [ 0x1ee8, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1f30, ['pointer64', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1f38, ['unsigned long long']], 'PoolTrackBigPages' : [ 0x1f40, ['pointer64', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1f48, ['unsigned long long']], 'IoState' : [ 0x1f50, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1f54, ['unsigned long']], 'IoNotificationEvent' : [ 0x1f58, ['_KEVENT']], 'CpuQuotaBlock' : [ 0x1f70, ['pointer64', ['_PS_CPU_QUOTA_BLOCK']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, 
['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', 
['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 
'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', ['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x68, { 'Mutex' : [ 0x0, ['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x38, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x48, ['pointer64', ['_MMPTE']]], 'PagedPoolHint' : [ 0x50, ['unsigned long']], 'PagedPoolCommit' : [ 0x58, ['unsigned long long']], 'AllocatedPagedPool' : [ 0x60, ['unsigned long long']], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned 
long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '_PROC_PERF_DOMAIN' : [ 0xb8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x10, ['pointer64', ['_KPRCB']]], 'Members' : [ 0x18, ['_KAFFINITY_EX']], 'FeedbackHandler' : [ 0x40, ['pointer64', ['void']]], 'GetFFHThrottleState' : [ 0x48, ['pointer64', ['void']]], 'BoostPolicyHandler' : [ 0x50, ['pointer64', ['void']]], 'PerfSelectionHandler' : [ 0x58, ['pointer64', ['void']]], 'PerfHandler' : [ 0x60, ['pointer64', ['void']]], 'Processors' : [ 0x68, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'PerfChangeTime' : [ 0x70, ['unsigned long long']], 'ProcessorCount' : [ 0x78, ['unsigned long']], 'PreviousFrequencyMhz' : [ 0x7c, ['unsigned long']], 'CurrentFrequencyMhz' : [ 0x80, ['unsigned long']], 'PreviousFrequency' : [ 0x84, ['unsigned long']], 'CurrentFrequency' : [ 0x88, ['unsigned long']], 'CurrentPerfContext' : [ 0x8c, ['unsigned long']], 'DesiredFrequency' : [ 0x90, ['unsigned long']], 'MaxFrequency' : [ 0x94, ['unsigned long']], 'MinPerfPercent' : [ 0x98, ['unsigned long']], 'MinThrottlePercent' : [ 0x9c, ['unsigned long']], 'MaxPercent' : [ 0xa0, ['unsigned long']], 'MinPercent' : [ 0xa4, ['unsigned long']], 'ConstrainedMaxPercent' : [ 0xa8, ['unsigned long']], 'ConstrainedMinPercent' : [ 0xac, ['unsigned long']], 'Coordination' : 
[ 0xb0, ['unsigned char']], 'PerfChangeIntervalCount' : [ 0xb4, ['long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_TP_NBQ_GUARD' : [ 0x20, { 'GuardLinks' : [ 0x0, ['_LIST_ENTRY']], 'Guards' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], } ], '_DUMMY_FILE_OBJECT' : [ 0x110, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x38, ['array', 216, ['unsigned char']]], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_RELATION_LIST' : [ 0x18, { 'Count' : [ 0x0, ['unsigned long']], 'TagCount' : [ 0x4, ['unsigned long']], 'FirstLevel' : [ 0x8, ['unsigned long']], 'MaxLevel' : [ 0xc, ['unsigned long']], 'Entries' : [ 0x10, ['array', 1, ['pointer64', ['_RELATION_LIST_ENTRY']]]], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x48, { 'PteBase' : [ 0x0, ['pointer64', ['_MMPTE']]], 'Lock' : [ 0x8, ['unsigned long long']], 'Paged' : [ 0x10, ['_MI_SPECIAL_POOL_PTE_LIST']], 'NonPaged' : [ 0x20, 
['_MI_SPECIAL_POOL_PTE_LIST']], 'PagesInUse' : [ 0x30, ['long long']], 'SpecialPoolPdes' : [ 0x38, ['_RTL_BITMAP']], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '__unnamed_21be' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_21c2' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 
0x4, ['__unnamed_21be']], 'Bits' : [ 0x4, ['__unnamed_21c2']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_KGUARDED_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x20, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x10, ['_PO_IRP_QUEUE']], } ], '_PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [ 0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_KDPC_DATA' : [ 0x20, { 'DpcListHead' : [ 0x0, 
['_LIST_ENTRY']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '__unnamed_21de' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_21e0' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_21de']], 'Merged' : [ 0x10, ['__unnamed_21e0']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0x18, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x8, ['pointer64', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x10, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '__unnamed_21e8' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 
'Flags' : [ 0x2, ['__unnamed_21e8']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x68, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x10, ['pointer64', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_1f31']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], 'u1' : [ 0x38, ['__unnamed_1fd3']], 'LeftChild' : [ 0x40, ['pointer64', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x48, ['pointer64', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x50, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x60, ['unsigned long long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x70, { 'GetTime' : [ 0x0, ['unsigned long long']], 'SetTime' : [ 0x8, ['unsigned long long']], 'GetWakeupTime' : [ 0x10, ['unsigned long long']], 'SetWakeupTime' : [ 0x18, ['unsigned long long']], 'SetVirtualAddressMap' : [ 0x20, ['unsigned long long']], 'ConvertPointer' : [ 0x28, ['unsigned long long']], 'GetVariable' : [ 0x30, ['unsigned long long']], 'GetNextVariableName' : [ 0x38, ['unsigned long long']], 'SetVariable' : [ 0x40, ['unsigned long long']], 
'GetNextHighMonotonicCount' : [ 0x48, ['unsigned long long']], 'ResetSystem' : [ 0x50, ['unsigned long long']], 'UpdateCapsule' : [ 0x58, ['unsigned long long']], 'QueryCapsuleCapabilities' : [ 0x60, ['unsigned long long']], 'QueryVariableInfo' : [ 0x68, ['unsigned long long']], } ], '_MI_SPECIAL_POOL_PTE_LIST' : [ 0x10, { 'FreePteHead' : [ 0x0, ['_MMPTE']], 'FreePteTail' : [ 0x8, ['_MMPTE']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 0x12, ['array', 3, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 
'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_21fe' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_2202' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x50, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'u1' : [ 0x30, ['__unnamed_21fe']], 'u2' : [ 0x38, ['__unnamed_2202']], 'PrototypePte' : [ 0x40, ['pointer64', ['_MMPTE']]], 'ThePtes' : [ 0x48, ['array', 1, ['_MMPTE']]], } ], '_DIAGNOSTIC_CONTEXT' : [ 
0x20, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0x18, ['unsigned long long']], } ], '__unnamed_220b' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_220d' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_220b']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0x100, { 'SuspectDriverEntry' : [ 0x0, ['pointer64', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x8, ['pointer64', ['void']]], 'EtwHandlesListHead' : [ 0x10, ['_LIST_ENTRY']], 'u1' : [ 0x20, ['__unnamed_220d']], 'Signature' : [ 0x28, ['unsigned long long']], 'PoolPageHeaders' : [ 0x30, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x40, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x50, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x54, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x58, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x5c, ['unsigned long']], 'PagedBytes' : [ 0x60, ['unsigned long long']], 'NonPagedBytes' : [ 0x68, ['unsigned long long']], 'PeakPagedBytes' : [ 0x70, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x78, ['unsigned long long']], 'RaiseIrqls' : [ 0x80, ['unsigned long']], 'AcquireSpinLocks' : [ 0x84, ['unsigned long']], 'SynchronizeExecutions' : [ 0x88, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x8c, ['unsigned long']], 'AllocationsFailed' : [ 0x90, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x94, ['unsigned long']], 'LockedBytes' : [ 0x98, ['unsigned long long']], 'PeakLockedBytes' : [ 0xa0, ['unsigned long long']], 'MappedLockedBytes' : [ 
0xa8, ['unsigned long long']], 'PeakMappedLockedBytes' : [ 0xb0, ['unsigned long long']], 'MappedIoSpaceBytes' : [ 0xb8, ['unsigned long long']], 'PeakMappedIoSpaceBytes' : [ 0xc0, ['unsigned long long']], 'PagesForMdlBytes' : [ 0xc8, ['unsigned long long']], 'PeakPagesForMdlBytes' : [ 0xd0, ['unsigned long long']], 'ContiguousMemoryBytes' : [ 0xd8, ['unsigned long long']], 'PeakContiguousMemoryBytes' : [ 0xe0, ['unsigned long long']], 'ContiguousMemoryListHead' : [ 0xe8, ['_LIST_ENTRY']], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x68, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, ['_LARGE_INTEGER']], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long long']], 'PrivateLinks' : [ 0x50, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x60, ['pointer64', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, 
native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_TPM_BOOT_ENTROPY_LDR_RESULT' : [ 0x48, { 'Policy' : [ 0x0, ['unsigned long long']], 'ResultCode' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'TpmBootEntropyStructureUninitialized', 1: 'TpmBootEntropyDisabledByPolicy', 2: 'TpmBootEntropyNoTpmFound', 3: 'TpmBootEntropyTpmError', 4: 'TpmBootEntropySuccess'})]], 'ResultStatus' : [ 0xc, ['long']], 'Time' : [ 0x10, ['unsigned long long']], 'EntropyLength' : [ 0x18, ['unsigned long']], 'EntropyData' : [ 0x1c, ['array', 40, ['unsigned char']]], } ], '_RTL_HANDLE_TABLE' : [ 0x30, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x18, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x20, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x28, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_PTE_TRACKER' : [ 0x58, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x10, ['pointer64', ['_MDL']]], 'Count' : [ 0x18, ['unsigned long long']], 'SystemVa' : [ 0x20, ['pointer64', ['void']]], 'StartVa' : [ 0x28, ['pointer64', ['void']]], 'Offset' : [ 0x30, ['unsigned long']], 'Length' : [ 0x34, ['unsigned long']], 'Page' : 
[ 0x38, ['unsigned long long']],
    'IoMapping' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'Matched' : [ 0x40, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'CacheAttribute' : [ 0x40, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]],
    'Spare' : [ 0x40, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]],
    'CallingAddress' : [ 0x48, ['pointer64', ['void']]],
    'CallersCaller' : [ 0x50, ['pointer64', ['void']]],
} ],
  '_KTHREAD_COUNTERS' : [ 0x1a8, {
    'WaitReasonBitMap' : [ 0x0, ['unsigned long long']],
    'UserData' : [ 0x8, ['pointer64', ['_THREAD_PERFORMANCE_DATA']]],
    'Flags' : [ 0x10, ['unsigned long']],
    'ContextSwitches' : [ 0x14, ['unsigned long']],
    'CycleTimeBias' : [ 0x18, ['unsigned long long']],
    'HardwareCounters' : [ 0x20, ['unsigned long long']],
    'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]],
} ],
  '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0x18, {
    'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']],
    'Flags' : [ 0x10, ['unsigned long']],
} ],
  '_DBGKD_GET_VERSION64' : [ 0x28, {
    'MajorVersion' : [ 0x0, ['unsigned short']],
    'MinorVersion' : [ 0x2, ['unsigned short']],
    'ProtocolVersion' : [ 0x4, ['unsigned char']],
    'KdSecondaryVersion' : [ 0x5, ['unsigned char']],
    'Flags' : [ 0x6, ['unsigned short']],
    'MachineType' : [ 0x8, ['unsigned short']],
    'MaxPacketType' : [ 0xa, ['unsigned char']],
    'MaxStateChange' : [ 0xb, ['unsigned char']],
    'MaxManipulate' : [ 0xc, ['unsigned char']],
    'Simulation' : [ 0xd, ['unsigned char']],
    'Unused' : [ 0xe, ['array', 1, ['unsigned short']]],
    'KernBase' : [ 0x10, ['unsigned long long']],
    'PsLoadedModuleList' : [ 0x18, ['unsigned long long']],
    'DebuggerDataList' : [ 0x20, ['unsigned long long']],
} ],
  '_STRING32' : [ 0x8, {
    'Length' : [ 0x0, ['unsigned short']],
    'MaximumLength' : [ 0x2, ['unsigned short']],
    'Buffer' : [ 0x4, ['unsigned long']],
} ],
  '_HMAP_ENTRY' : [ 0x20, {
    'BlockAddress' : [ 0x0, ['unsigned long long']],
    'BinAddress' : [ 0x8, ['unsigned long long']],
    'CmView' : [ 0x10, ['pointer64', ['_CM_VIEW_OF_FILE']]],
    'MemAlloc' : [ 0x18, ['unsigned long']],
} ],
  '_RTL_ATOM_TABLE_ENTRY' : [ 0x18, {
    'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]],
    'HandleIndex' : [ 0x8, ['unsigned short']],
    'Atom' : [ 0xa, ['unsigned short']],
    'ReferenceCount' : [ 0xc, ['unsigned short']],
    'Flags' : [ 0xe, ['unsigned char']],
    'NameLength' : [ 0xf, ['unsigned char']],
    'Name' : [ 0x10, ['array', 1, ['wchar']]],
} ],
  '_TXN_PARAMETER_BLOCK' : [ 0x10, {
    'Length' : [ 0x0, ['unsigned short']],
    'TxFsContext' : [ 0x2, ['unsigned short']],
    'TransactionObject' : [ 0x8, ['pointer64', ['void']]],
} ],
  '_LOADER_PERFORMANCE_DATA' : [ 0x10, {
    'StartTime' : [ 0x0, ['unsigned long long']],
    'EndTime' : [ 0x8, ['unsigned long long']],
} ],
  '_PNP_DEVICE_ACTION_ENTRY' : [ 0x38, {
    'ListEntry' : [ 0x0, ['_LIST_ENTRY']],
    'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]],
    'RequestType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1'})]],
    'ReorderingBarrier' : [ 0x1c, ['unsigned char']],
    'RequestArgument' : [ 0x20, ['unsigned long long']],
    'CompletionEvent' : [ 0x28, ['pointer64', ['_KEVENT']]],
    'CompletionStatus' : [ 0x30, ['pointer64', ['long']]],
} ],
  '_COUNTER_READING' : [ 0x18, {
    'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]],
    'Index' : [ 0x4, ['unsigned long']],
    'Start' : [ 0x8, ['unsigned long long']],
    'Total' : [ 0x10, ['unsigned long long']],
} ],
  '_MMSESSION' : [ 0x58, {
    'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']],
    'SystemSpaceViewLockPointer' : [ 0x38, ['pointer64', ['_KGUARDED_MUTEX']]],
    'SystemSpaceViewTable' : [ 0x40, ['pointer64', ['_MMVIEW']]],
    'SystemSpaceHashSize' : [ 0x48, ['unsigned long']],
    'SystemSpaceHashEntries' : [ 0x4c, ['unsigned long']],
    'SystemSpaceHashKey' : [ 0x50, ['unsigned long']],
    'BitmapFailures' : [ 0x54, ['unsigned long']],
} ],
  '_ETW_REG_ENTRY' : [ 0x50, {
    'RegList' : [ 0x0, ['_LIST_ENTRY']],
    'GuidEntry' : [ 0x10, ['pointer64', ['_ETW_GUID_ENTRY']]],
    'Index' : [ 0x18, ['unsigned short']],
    'Flags' : [ 0x1a, ['unsigned short']],
    'EnableMask' : [ 0x1c, ['unsigned char']],
    'SessionId' : [ 0x20, ['unsigned long']],
    'ReplyQueue' : [ 0x20, ['pointer64', ['_ETW_REPLY_QUEUE']]],
    'ReplySlot' : [ 0x20, ['array', 4, ['pointer64', ['_ETW_REG_ENTRY']]]],
    'Process' : [ 0x40, ['pointer64', ['_EPROCESS']]],
    'Callback' : [ 0x40, ['pointer64', ['void']]],
    'CallbackContext' : [ 0x48, ['pointer64', ['void']]],
} ],
  '_LPCP_PORT_OBJECT' : [ 0x100, {
    'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]],
    'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]],
    'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']],
    'Creator' : [ 0x30, ['_CLIENT_ID']],
    'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]],
    'ServerSectionBase' : [ 0x48, ['pointer64', ['void']]],
    'PortContext' : [ 0x50, ['pointer64', ['void']]],
    'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]],
    'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']],
    'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']],
    'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']],
    'LpcDataInfoChainHead' : [ 0xc8, ['_LIST_ENTRY']],
    'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]],
    'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]],
    'MaxMessageLength' : [ 0xe0, ['unsigned short']],
    'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']],
    'Flags' : [ 0xe4, ['unsigned long']],
    'WaitEvent' : [ 0xe8, ['_KEVENT']],
} ],
  '_ARBITER_LIST_ENTRY' : [ 0x60, {
    'ListEntry' : [ 0x0, ['_LIST_ENTRY']],
    'AlternativeCount' : [ 0x10, ['unsigned long']],
    'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]],
    'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]],
    'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]],
    'Flags' : [ 0x2c, ['unsigned long']],
    'WorkSpace' : [ 0x30, ['long long']],
    'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]],
    'SlotNumber' : [ 0x3c, ['unsigned long']],
    'BusNumber' : [ 0x40, ['unsigned long']],
    'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]],
    'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]],
    'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]],
} ],
  '_POP_DEVICE_SYS_STATE' : [ 0x2f8, {
    'IrpMinor' : [ 0x0, ['unsigned char']],
    'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]],
    'SpinLock' : [ 0x8, ['unsigned long long']],
    'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]],
    'AbortEvent' : [ 0x18, ['pointer64', ['_KEVENT']]],
    'ReadySemaphore' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]],
    'FinishedSemaphore' : [ 0x28, ['pointer64', ['_KSEMAPHORE']]],
    'GetNewDeviceList' : [ 0x30, ['unsigned char']],
    'Order' : [ 0x38, ['_PO_DEVICE_NOTIFY_ORDER']],
    'Pending' : [ 0x2d0, ['_LIST_ENTRY']],
    'Status' : [ 0x2e0, ['long']],
    'FailedDevice' : [ 0x2e8, ['pointer64', ['_DEVICE_OBJECT']]],
    'Waking' : [ 0x2f0, ['unsigned char']],
    'Cancelled' : [ 0x2f1, ['unsigned char']],
    'IgnoreErrors' : [ 0x2f2, ['unsigned char']],
    'IgnoreNotImplemented' : [ 0x2f3, ['unsigned char']],
    'TimeRefreshLockAcquired' : [ 0x2f4, ['unsigned char']],
} ],
  '_SEGMENT_FLAGS' : [ 0x4, {
    'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]],
    'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]],
    'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]],
    'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]],
    'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]],
    'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]],
    'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]],
    'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]],
    'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 22, native_type='unsigned long')]],
    'Binary32' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]],
    'ContainsDebug' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]],
    'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]],
} ],
  '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x40, {
    'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]],
    'StackTrace' : [ 0x8, ['array', 7, ['pointer64', ['void']]]],
} ],
  '_DIAGNOSTIC_BUFFER' : [ 0x28, {
    'Size' : [ 0x0, ['unsigned long long']],
    'CallerType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]],
    'ProcessImageNameOffset' : [ 0x10, ['unsigned long long']],
    'ProcessId' : [ 0x18, ['unsigned long']],
    'ServiceTag' : [ 0x1c, ['unsigned long']],
    'DeviceDescriptionOffset' : [ 0x10, ['unsigned long long']],
    'DevicePathOffset' : [ 0x18, ['unsigned long long']],
    'ReasonOffset' : [ 0x20, ['unsigned long long']],
} ],
  '_EX_WORK_QUEUE' : [ 0x58, {
    'WorkerQueue' : [ 0x0, ['_KQUEUE']],
    'DynamicThreadCount' : [ 0x40, ['unsigned long']],
    'WorkItemsProcessed' : [ 0x44, ['unsigned long']],
    'WorkItemsProcessedLastPass' : [ 0x48, ['unsigned long']],
    'QueueDepthLastPass' : [ 0x4c, ['unsigned long']],
    'Info' : [ 0x50, ['EX_QUEUE_WORKER_INFO']],
} ],
  '_CLIENT_ID32' : [ 0x8, {
    'UniqueProcess' : [ 0x0, ['unsigned long']],
    'UniqueThread' : [ 0x4, ['unsigned long']],
} ],
  '_TEB32' : [ 0xfe4, {
    'NtTib' : [ 0x0, ['_NT_TIB32']],
    'EnvironmentPointer' : [ 0x1c, ['unsigned long']],
    'ClientId' : [ 0x20, ['_CLIENT_ID32']],
    'ActiveRpcHandle' : [ 0x28, ['unsigned long']],
    'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']],
    'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']],
    'LastErrorValue' : [ 0x34, ['unsigned long']],
    'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']],
    'CsrClientThread' : [ 0x3c, ['unsigned long']],
    'Win32ThreadInfo' : [ 0x40, ['unsigned long']],
    'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]],
    'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]],
    'WOW32Reserved' : [ 0xc0, ['unsigned long']],
    'CurrentLocale' : [ 0xc4, ['unsigned long']],
    'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']],
    'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]],
    'ExceptionCode' : [ 0x1a4, ['long']],
    'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']],
    'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]],
    'TxFsContext' : [ 0x1d0, ['unsigned long']],
    'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']],
    'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']],
    'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']],
    'GdiClientPID' : [ 0x6c0, ['unsigned long']],
    'GdiClientTID' : [ 0x6c4, ['unsigned long']],
    'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']],
    'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]],
    'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]],
    'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]],
    'glReserved2' : [ 0xbdc, ['unsigned long']],
    'glSectionInfo' : [ 0xbe0, ['unsigned long']],
    'glSection' : [ 0xbe4, ['unsigned long']],
    'glTable' : [ 0xbe8, ['unsigned long']],
    'glCurrentRC' : [ 0xbec, ['unsigned long']],
    'glContext' : [ 0xbf0, ['unsigned long']],
    'LastStatusValue' : [ 0xbf4, ['unsigned long']],
    'StaticUnicodeString' : [ 0xbf8, ['_STRING32']],
    'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]],
    'DeallocationStack' : [ 0xe0c, ['unsigned long']],
    'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]],
    'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']],
    'Vdm' : [ 0xf18, ['unsigned long']],
    'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']],
    'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]],
    'HardErrorMode' : [ 0xf28, ['unsigned long']],
    'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]],
    'ActivityId' : [ 0xf50, ['_GUID']],
    'SubProcessTag' : [ 0xf60, ['unsigned long']],
    'EtwLocalData' : [ 0xf64, ['unsigned long']],
    'EtwTraceData' : [ 0xf68, ['unsigned long']],
    'WinSockData' : [ 0xf6c, ['unsigned long']],
    'GdiBatchCount' : [ 0xf70, ['unsigned long']],
    'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']],
    'IdealProcessorValue' : [ 0xf74, ['unsigned long']],
    'ReservedPad0' : [ 0xf74, ['unsigned char']],
    'ReservedPad1' : [ 0xf75, ['unsigned char']],
    'ReservedPad2' : [ 0xf76, ['unsigned char']],
    'IdealProcessor' : [ 0xf77, ['unsigned char']],
    'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']],
    'ReservedForPerf' : [ 0xf7c, ['unsigned long']],
    'ReservedForOle' : [ 0xf80, ['unsigned long']],
    'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']],
    'SavedPriorityState' : [ 0xf88, ['unsigned long']],
    'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']],
    'ThreadPoolData' : [ 0xf90, ['unsigned long']],
    'TlsExpansionSlots' : [ 0xf94, ['unsigned long']],
    'MuiGeneration' : [ 0xf98, ['unsigned long']],
    'IsImpersonating' : [ 0xf9c, ['unsigned long']],
    'NlsCache' : [ 0xfa0, ['unsigned long']],
    'pShimData' : [ 0xfa4, ['unsigned long']],
    'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']],
    'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']],
    'ActiveFrame' : [ 0xfb0, ['unsigned long']],
    'FlsData' : [ 0xfb4, ['unsigned long']],
    'PreferredLanguages' : [ 0xfb8, ['unsigned long']],
    'UserPrefLanguages' : [ 0xfbc, ['unsigned long']],
    'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']],
    'MuiImpersonation' : [ 0xfc4, ['unsigned long']],
    'CrossTebFlags' : [ 0xfc8, ['unsigned short']],
    'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]],
    'SameTebFlags' : [ 0xfca, ['unsigned short']],
    'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]],
    'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]],
    'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]],
    'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]],
    'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]],
    'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]],
    'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]],
    'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]],
    'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]],
    'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]],
    'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]],
    'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]],
    'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']],
    'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']],
    'TxnScopeContext' : [ 0xfd4, ['unsigned long']],
    'LockCount' : [ 0xfd8, ['unsigned long']],
    'SpareUlong0' : [ 0xfdc, ['unsigned long']],
    'ResourceRetValue' : [ 0xfe0, ['unsigned long']],
} ],
  '_CM_KEY_INDEX' : [ 0x8, {
    'Signature' : [ 0x0, ['unsigned short']],
    'Count' : [ 0x2, ['unsigned short']],
    'List' : [ 0x4, ['array', 1, ['unsigned long']]],
} ],
  '_VI_DEADLOCK_THREAD' : [ 0x38, {
    'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]],
    'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]],
    'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]],
    'ListEntry' : [ 0x18, ['_LIST_ENTRY']],
    'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']],
    'NodeCount' : [ 0x28, ['unsigned long']],
    'PagingCount' : [ 0x2c, ['unsigned long']],
    'ThreadUsesEresources' : [ 0x30, ['unsigned char']],
} ],
  '_PPM_IDLE_STATE' : [ 0x60, {
    'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']],
    'IdleCheck' : [ 0x28, ['pointer64', ['void']]],
    'IdleHandler' : [ 0x30, ['pointer64', ['void']]],
    'HvConfig' : [ 0x38, ['unsigned long long']],
    'Context' : [ 0x40, ['pointer64', ['void']]],
    'Latency' : [ 0x48, ['unsigned long']],
    'Power' : [ 0x4c, ['unsigned long']],
    'TimeCheck' : [ 0x50, ['unsigned long']],
    'StateFlags' : [ 0x54, ['unsigned long']],
    'PromotePercent' : [ 0x58, ['unsigned char']],
    'DemotePercent' : [ 0x59, ['unsigned char']],
    'PromotePercentBase' : [ 0x5a, ['unsigned char']],
    'DemotePercentBase' : [ 0x5b, ['unsigned char']],
    'StateType' : [ 0x5c, ['unsigned char']],
} ],
  '_KRESOURCEMANAGER' : [ 0x250, {
    'NotificationAvailable' : [ 0x0, ['_KEVENT']],
    'cookie' : [ 0x18, ['unsigned long']],
    'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]],
    'Flags' : [ 0x20, ['unsigned long']],
    'Mutex' : [ 0x28, ['_KMUTANT']],
    'NamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']],
    'RmId' : [ 0x88, ['_GUID']],
    'NotificationQueue' : [ 0x98, ['_KQUEUE']],
    'NotificationMutex' : [ 0xd8, ['_KMUTANT']],
    'EnlistmentHead' : [ 0x110, ['_LIST_ENTRY']],
    'EnlistmentCount' : [ 0x120, ['unsigned long']],
    'NotificationRoutine' : [ 0x128, ['pointer64', ['void']]],
    'Key' : [ 0x130, ['pointer64', ['void']]],
    'ProtocolListHead' : [ 0x138, ['_LIST_ENTRY']],
    'PendingPropReqListHead' : [ 0x148, ['_LIST_ENTRY']],
    'CRMListEntry' : [ 0x158, ['_LIST_ENTRY']],
    'Tm' : [ 0x168, ['pointer64', ['_KTM']]],
    'Description' : [ 0x170, ['_UNICODE_STRING']],
    'Enlistments' : [ 0x180, ['_KTMOBJECT_NAMESPACE']],
    'CompletionBinding' : [ 0x228, ['_KRESOURCEMANAGER_COMPLETION_BINDING']],
} ],
  '_GDI_TEB_BATCH64' : [ 0x4e8, {
    'Offset' : [ 0x0, ['unsigned long']],
    'HDC' : [ 0x8, ['unsigned long long']],
    'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]],
} ],
  '__unnamed_2292' : [ 0x4, {
    'NodeSize' : [ 0x0, ['unsigned long']],
    'UseLookaside' : [ 0x0, ['unsigned long']],
} ],
  '_VF_AVL_TREE' : [ 0x40, {
    'Lock' : [ 0x0, ['long']],
    'NodeToFree' : [ 0x8, ['pointer64', ['void']]],
    'NodeRangeSize' : [ 0x10, ['unsigned long long']],
    'NodeCount' : [ 0x18, ['unsigned long long']],
    'Tables' : [ 0x20, ['pointer64', ['_VF_AVL_TABLE']]],
    'TablesNo' : [ 0x28, ['unsigned long']],
    'u1' : [ 0x2c, ['__unnamed_2292']],
} ],
  '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, {
    'CreationTime' : [ 0x0, ['_LARGE_INTEGER']],
    'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']],
    'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']],
    'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']],
    'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']],
    'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']],
    'FileAttributes' : [ 0x30, ['unsigned long']],
} ],
  '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, {
    'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]],
    'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]],
    'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]],
    'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]],
    'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]],
    'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]],
    'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]],
    'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]],
    'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]],
    'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]],
    'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]],
    'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]],
    'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]],
    'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]],
    'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]],
    'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]],
    'ValidBits' : [ 0x0, ['unsigned long long']],
} ],
  '_RELATION_LIST_ENTRY' : [ 0x10, {
    'Count' : [ 0x0, ['unsigned long']],
    'MaxCount' : [ 0x4, ['unsigned long']],
    'Devices' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]],
} ],
  '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, {
    'TagIndex' : [ 0x0, ['unsigned short']],
    'FreeBackTraceIndex' : [ 0x2, ['unsigned short']],
} ],
  '_VI_DEADLOCK_GLOBALS' : [ 0x8168, {
    'TimeAcquire' : [ 0x0, ['long long']],
    'TimeRelease' : [ 0x8, ['long long']],
    'ResourceDatabase' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]],
    'ResourceDatabaseCount' : [ 0x18, ['unsigned long long']],
    'ResourceAddressRange' : [ 0x20, ['array', 1023, ['_VF_ADDRESS_RANGE']]],
    'ThreadDatabase' : [ 0x4010, ['pointer64', ['_LIST_ENTRY']]],
    'ThreadDatabaseCount' : [ 0x4018, ['unsigned long long']],
    'ThreadAddressRange' : [ 0x4020, ['array', 1023, ['_VF_ADDRESS_RANGE']]],
    'AllocationFailures' : [ 0x8010, ['unsigned long']],
    'NodesTrimmedBasedOnAge' : [ 0x8014, ['unsigned long']],
    'NodesTrimmedBasedOnCount' : [ 0x8018, ['unsigned long']],
    'NodesSearched' : [ 0x801c, ['unsigned long']],
    'MaxNodesSearched' : [ 0x8020, ['unsigned long']],
    'SequenceNumber' : [ 0x8024, ['unsigned long']],
    'RecursionDepthLimit' : [ 0x8028, ['unsigned long']],
    'SearchedNodesLimit' : [ 0x802c, ['unsigned long']],
    'DepthLimitHits' : [ 0x8030, ['unsigned long']],
    'SearchLimitHits' : [ 0x8034, ['unsigned long']],
    'ABC_ACB_Skipped' : [ 0x8038, ['unsigned long']],
    'OutOfOrderReleases' : [ 0x803c, ['unsigned long']],
    'NodesReleasedOutOfOrder' : [ 0x8040, ['unsigned long']],
    'TotalReleases' : [ 0x8044, ['unsigned long']],
    'RootNodesDeleted' : [ 0x8048, ['unsigned long']],
    'ForgetHistoryCounter' : [ 0x804c, ['unsigned long']],
    'Instigator' : [ 0x8050, ['pointer64', ['void']]],
    'NumberOfParticipants' : [ 0x8058, ['unsigned long']],
    'Participant' : [ 0x8060, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]],
    'ChildrenCountWatermark' : [ 0x8160, ['long']],
} ],
  '_KTM' : [ 0x3c0, {
    'cookie' : [ 0x0, ['unsigned long']],
    'Mutex' : [ 0x8, ['_KMUTANT']],
    'State' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]],
    'NamespaceLink' : [ 0x48, ['_KTMOBJECT_NAMESPACE_LINK']],
    'TmIdentity' : [ 0x70, ['_GUID']],
    'Flags' : [ 0x80, ['unsigned long']],
    'VolatileFlags' : [ 0x84, ['unsigned long']],
    'LogFileName' : [ 0x88, ['_UNICODE_STRING']],
    'LogFileObject' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]],
    'MarshallingContext' : [ 0xa0, ['pointer64', ['void']]],
    'LogManagementContext' : [ 0xa8, ['pointer64', ['void']]],
    'Transactions' : [ 0xb0, ['_KTMOBJECT_NAMESPACE']],
    'ResourceManagers' : [ 0x158, ['_KTMOBJECT_NAMESPACE']],
    'LsnOrderedMutex' : [ 0x200, ['_KMUTANT']],
    'LsnOrderedList' : [ 0x238, ['_LIST_ENTRY']],
    'CommitVirtualClock' : [ 0x248, ['_LARGE_INTEGER']],
    'CommitVirtualClockMutex' : [ 0x250, ['_FAST_MUTEX']],
    'BaseLsn' : [ 0x288, ['_CLS_LSN']],
    'CurrentReadLsn' : [ 0x290, ['_CLS_LSN']],
    'LastRecoveredLsn' : [ 0x298, ['_CLS_LSN']],
    'TmRmHandle' : [ 0x2a0, ['pointer64', ['void']]],
    'TmRm' : [ 0x2a8, ['pointer64', ['_KRESOURCEMANAGER']]],
    'LogFullNotifyEvent' : [ 0x2b0, ['_KEVENT']],
    'CheckpointWorkItem' : [ 0x2c8, ['_WORK_QUEUE_ITEM']],
    'CheckpointTargetLsn' : [ 0x2e8, ['_CLS_LSN']],
    'LogFullCompletedWorkItem' : [ 0x2f0, ['_WORK_QUEUE_ITEM']],
    'LogWriteResource' : [ 0x310, ['_ERESOURCE']],
    'LogFlags' : [ 0x378, ['unsigned long']],
    'LogFullStatus' : [ 0x37c, ['long']],
    'RecoveryStatus' : [ 0x380, ['long']],
    'LastCheckBaseLsn' : [ 0x388, ['_CLS_LSN']],
    'RestartOrderedList' : [ 0x390, ['_LIST_ENTRY']],
    'OfflineWorkItem' : [ 0x3a0, ['_WORK_QUEUE_ITEM']],
} ],
  '_CONFIGURATION_COMPONENT' : [ 0x28, {
    'Class' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 'MemoryClass', 7: 'MaximumClass'})]],
    'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 14: 'TapeController', 15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 'AudioController', 24: 'OtherController', 25: 'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29: 'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]],
    'Flags' : [ 0x8, ['_DEVICE_FLAGS']],
    'Version' : [ 0xc, ['unsigned short']],
    'Revision' : [ 0xe, ['unsigned short']],
    'Key' : [ 0x10, ['unsigned long']],
    'AffinityMask' : [ 0x14, ['unsigned long']],
    'Group' : [ 0x14, ['unsigned short']],
    'GroupIndex' : [ 0x16, ['unsigned short']],
    'ConfigurationDataLength' : [ 0x18, ['unsigned long']],
    'IdentifierLength' : [ 0x1c, ['unsigned long']],
    'Identifier' : [ 0x20, ['pointer64', ['unsigned char']]],
} ],
  '_KTRANSACTION' : [ 0x2d8, {
    'OutcomeEvent' : [ 0x0, ['_KEVENT']],
    'cookie' : [ 0x18, ['unsigned long']],
    'Mutex' : [ 0x20, ['_KMUTANT']],
    'TreeTx' : [ 0x58, ['pointer64', ['_KTRANSACTION']]],
    'GlobalNamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']],
    'TmNamespaceLink' : [ 0x88, ['_KTMOBJECT_NAMESPACE_LINK']],
    'UOW' : [ 0xb0, ['_GUID']],
    'State' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]],
    'Flags' : [ 0xc4, ['unsigned long']],
    'EnlistmentHead' : [ 0xc8, ['_LIST_ENTRY']],
    'EnlistmentCount' : [ 0xd8, ['unsigned long']],
    'RecoverableEnlistmentCount' : [ 0xdc, ['unsigned long']],
    'PrePrepareRequiredEnlistmentCount' : [ 0xe0, ['unsigned long']],
    'PrepareRequiredEnlistmentCount' : [ 0xe4, ['unsigned long']],
    'OutcomeRequiredEnlistmentCount' : [ 0xe8, ['unsigned long']],
    'PendingResponses' : [ 0xec, ['unsigned long']],
    'SuperiorEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]],
    'LastLsn' : [ 0xf8, ['_CLS_LSN']],
    'PromotedEntry' : [ 0x100, ['_LIST_ENTRY']],
    'PromoterTransaction' : [ 0x110, ['pointer64', ['_KTRANSACTION']]],
    'PromotePropagation' : [ 0x118, ['pointer64', ['void']]],
    'IsolationLevel' : [ 0x120, ['unsigned long']],
    'IsolationFlags' : [ 0x124, ['unsigned long']],
    'Timeout' : [ 0x128, ['_LARGE_INTEGER']],
    'Description' : [ 0x130, ['_UNICODE_STRING']],
    'RollbackThread' : [ 0x140, ['pointer64', ['_KTHREAD']]],
    'RollbackWorkItem' : [ 0x148, ['_WORK_QUEUE_ITEM']],
    'RollbackDpc' : [ 0x168, ['_KDPC']],
    'RollbackTimer' : [ 0x1a8, ['_KTIMER']],
    'LsnOrderedEntry' : [ 0x1e8, ['_LIST_ENTRY']],
    'Outcome' : [ 0x1f8, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]],
    'Tm' : [ 0x200, ['pointer64', ['_KTM']]],
    'CommitReservation' : [ 0x208, ['long long']],
    'TransactionHistory' : [ 0x210, ['array', 10, ['_KTRANSACTION_HISTORY']]],
    'TransactionHistoryCount' : [ 0x260, ['unsigned long']],
    'DTCPrivateInformation' : [ 0x268, ['pointer64', ['void']]],
    'DTCPrivateInformationLength' : [ 0x270, ['unsigned long']],
    'DTCPrivateInformationMutex' : [ 0x278, ['_KMUTANT']],
    'PromotedTxSelfHandle' : [ 0x2b0, ['pointer64', ['void']]],
    'PendingPromotionCount' : [ 0x2b8, ['unsigned long']],
    'PromotionCompletedEvent' : [ 0x2c0, ['_KEVENT']],
} ],
  '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, {
    'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]],
    'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]],
    'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]],
    'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]],
    'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]],
} ],
  '_CM_KCB_UOW' : [ 0x60, {
    'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']],
    'KCBLock' : [ 0x10, ['pointer64', ['_CM_INTENT_LOCK']]],
    'KeyLock' : [ 0x18, ['pointer64', ['_CM_INTENT_LOCK']]],
    'KCBListEntry' : [ 0x20, ['_LIST_ENTRY']],
    'KeyControlBlock' : [ 0x30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]],
    'Transaction' : [ 0x38, ['pointer64', ['_CM_TRANS']]],
    'UoWState' : [ 0x40, ['unsigned long']],
    'ActionType' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]],
    'StorageType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]],
    'ChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]],
    'VolatileKeyCell' : [ 0x50, ['unsigned long']],
    'OldValueCell' : [ 0x50, ['unsigned long']],
    'NewValueCell' : [ 0x54, ['unsigned long']],
    'UserFlags' : [ 0x50, ['unsigned long']],
    'LastWriteTime' : [ 0x50, ['_LARGE_INTEGER']],
    'TxSecurityCell' : [ 0x50, ['unsigned long']],
    'OldChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]],
    'NewChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]],
    'OtherChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]],
    'ThisVolatileKeyCell' : [ 0x58, ['unsigned long']],
} ],
  '_MMPTE_TRANSITION' : [ 0x8, {
    'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]],
    'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]],
    'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]],
    'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]],
    'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]],
    'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]],
    'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]],
    'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]],
    'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]],
    'Unused' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]],
} ],
  '_KREQUEST_PACKET' : [ 0x20, {
    'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]],
    'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]],
} ],
  '_VF_WATCHDOG_IRP' : [ 0x20, {
    'ListEntry' : [ 0x0, ['_LIST_ENTRY']],
    'Irp' : [ 0x10, ['pointer64', ['_IRP']]],
    'DueTickCount' : [ 0x18, ['unsigned long']],
    'Inserted' : [ 0x1c, ['unsigned char']],
    'TrackedStackLocation' : [ 0x1d, ['unsigned char']],
    'CancelTimeoutTicks' : [ 0x1e, ['unsigned short']],
} ],
  '_flags' : [ 0x1, {
    'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]],
    'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]],
    'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]],
    'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]],
    'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]],
} ],
  '__unnamed_22df' : [ 0x8, {
    'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]],
    'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]],
    'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]],
} ],
  '__unnamed_22e1' : [ 0x8, {
    's1' : [ 0x0, ['__unnamed_22df']],
    'Value' : [ 0x0, ['unsigned long long']],
} ],
  '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, {
    'u1' : [ 0x0, ['__unnamed_22e1']],
} ],
  '_PSP_CPU_SHARE_CAPTURED_WEIGHT_DATA' : [ 0x8, {
    'CapturedCpuShareWeight' : [ 0x0, ['unsigned long']],
    'CapturedTotalWeight' : [ 0x4, ['unsigned long']],
    'CombinedData' : [ 0x0, ['long long']],
} ],
  '_CM_NAME_HASH' : [ 0x18, {
    'ConvKey' : [ 0x0, ['unsigned long']],
    'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]],
    'NameLength' : [ 0x10, ['unsigned short']],
    'Name' : [ 0x12, ['array', 1, ['wchar']]],
} ],
  '_PROC_IDLE_STATE_BUCKET' : [ 0x20, {
    'TotalTime' : [ 0x0, ['unsigned long long']],
    'MinTime' : [ 0x8, ['unsigned long long']],
    'MaxTime' : [ 0x10, ['unsigned long long']],
    'Count' : [ 0x18, ['unsigned long']],
} ],
  '_MMSECURE_FLAGS' : [ 0x4, {
    'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 12, native_type='unsigned long')]],
} ],
  '_PO_IRP_QUEUE' : [ 0x10, {
    'CurrentIrp' : [ 0x0, ['pointer64', ['_IRP']]],
    'PendingIrpList' : [ 0x8, ['pointer64', ['_IRP']]],
} ],
  '__unnamed_22f4' : [ 0x4, {
    'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, ['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x48, ['__unnamed_22f4']], 'ChildrenCount' : [ 0x4c, ['long']], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0xa8, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x68, ['_KMUTANT']], 'LinksOffset' : [ 0xa0, ['unsigned short']], 'GuidOffset' : [ 0xa2, ['unsigned short']], 'Expired' : [ 0xa4, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, ['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, 
['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, ['pointer64', ['void']]], 'Detail' : [ 0x8, ['unsigned long']], } ], '_VF_ADDRESS_RANGE' : [ 0x10, { 'Start' : [ 0x0, ['pointer64', ['unsigned char']]], 'End' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 0x18, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x28, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x10, ['pointer64', ['void']]], 'Key' : [ 0x18, ['unsigned long long']], 'BindingProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x40, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x30, ['array', 3, ['unsigned long']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 
0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x48, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x40, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_HEAP_USERDATA_HEADER' : [ 0x20, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 
'SubSegment' : [ 0x0, ['pointer64', ['_HEAP_SUBSEGMENT']]], 'Reserved' : [ 0x8, ['pointer64', ['void']]], 'SizeIndex' : [ 0x10, ['unsigned long long']], 'Signature' : [ 0x18, ['unsigned long long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_STACK_TABLE' : [ 0x8088, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x8, ['array', 16, ['pointer64', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x88, ['array', 16381, ['unsigned short']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_DEFERRED_WRITE' : [ 0x48, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, ['unsigned long']], 'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'PostRoutine' : [ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [ 0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, ['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 'GpValue' : [ 0x28, ['unsigned long']], 'ImageCharacteristics' : [ 0x2c, ['unsigned short']], 
'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'ImageFlags' : [ 0x33, ['unsigned char']], 'ComPlusNativeReady' : [ 0x33, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x33, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x33, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x33, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x33, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'CheckSum' : [ 0x3c, ['unsigned long']], } ], '_VF_AVL_TABLE' : [ 0x70, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x68, ['pointer64', ['_VF_AVL_TREE_NODE']]], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1b, { 'PerUserPolicy' : [ 0x0, ['array', 27, ['unsigned char']]], } ], '__unnamed_234a' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_234c' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_2350' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_2354' : [ 0x10, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x8, ['unsigned char']], } ], '__unnamed_2356' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 
0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_234a']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_234c']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_2350']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_2354']], 'Others' : [ 0x0, ['__unnamed_2356']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, ['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_POP_HIBER_CONTEXT' : [ 0x110, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'Reset' : [ 0x3, ['unsigned char']], 'HiberFlags' : [ 0x4, ['unsigned char']], 'WroteHiberFile' : [ 0x5, ['unsigned char']], 'MapFrozen' : [ 0x6, ['unsigned char']], 'MemoryMap' : [ 0x8, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x18, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x28, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x38, ['unsigned long']], 'NextCloneRange' : [ 0x40, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x48, ['unsigned long long']], 'LoaderMdl' : [ 0x50, ['pointer64', ['_MDL']]], 'AllocatedMdl' : [ 0x58, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x60, ['unsigned long long']], 'IoPages' : [ 0x68, ['pointer64', ['void']]], 'IoPagesCount' : [ 0x70, ['unsigned long']], 'CurrentMcb' : [ 0x78, ['pointer64', ['void']]], 'DumpStack' : [ 0x80, 
['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x88, ['pointer64', ['_KPROCESSOR_STATE']]], 'PreferredIoWriteSize' : [ 0x90, ['unsigned long']], 'IoProgress' : [ 0x94, ['unsigned long']], 'HiberVa' : [ 0x98, ['unsigned long long']], 'HiberPte' : [ 0xa0, ['_LARGE_INTEGER']], 'Status' : [ 0xa8, ['long']], 'MemoryImage' : [ 0xb0, ['pointer64', ['PO_MEMORY_IMAGE']]], 'CompressionWorkspace' : [ 0xb8, ['pointer64', ['void']]], 'CompressedWriteBuffer' : [ 0xc0, ['pointer64', ['unsigned char']]], 'CompressedWriteBufferSize' : [ 0xc8, ['unsigned long']], 'MaxCompressedOutputSize' : [ 0xcc, ['unsigned long']], 'PerformanceStats' : [ 0xd0, ['pointer64', ['unsigned long']]], 'CompressionBlock' : [ 0xd8, ['pointer64', ['void']]], 'DmaIO' : [ 0xe0, ['pointer64', ['void']]], 'TemporaryHeap' : [ 0xe8, ['pointer64', ['void']]], 'BootLoaderLogMdl' : [ 0xf0, ['pointer64', ['_MDL']]], 'FirmwareRuntimeInformationMdl' : [ 0xf8, ['pointer64', ['_MDL']]], 'ResumeContext' : [ 0x100, ['pointer64', ['void']]], 'ResumeContextPages' : [ 0x108, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x80, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer64', ['void']]]], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x110, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xa0, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0xa8, ['pointer64', ['void']]], 'PointersLength' : [ 0xb0, ['unsigned long']], 'ModulePrefix' : [ 0xb8, ['pointer64', ['unsigned short']]], 'DriverList' : [ 0xc0, ['_LIST_ENTRY']], 'InitMsg' : [ 0xd0, ['_STRING']], 'ProgMsg' : [ 0xe0, ['_STRING']], 'DoneMsg' : [ 0xf0, ['_STRING']], 
'FileObject' : [ 0x100, ['pointer64', ['void']]], 'UsageType' : [ 0x108, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x40, { 'ThreadHandle' : [ 0x0, ['pointer64', ['void']]], 'ThreadId' : [ 0x8, ['pointer64', ['void']]], 'ProcessId' : [ 0x10, ['pointer64', ['void']]], 'Code' : [ 0x18, ['unsigned long']], 'Parameter1' : [ 0x20, ['unsigned long long']], 'Parameter2' : [ 0x28, ['unsigned long long']], 'Parameter3' : [ 0x30, ['unsigned long long']], 'Parameter4' : [ 0x38, ['unsigned long long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_PCW_MASK_INFORMATION' : [ 0x28, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'InstanceId' : [ 0x10, ['unsigned long']], 'CollectMultiple' : [ 0x14, ['unsigned char']], 'Buffer' : [ 0x18, ['pointer64', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x20, ['pointer64', ['_KEVENT']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '__unnamed_237c' : [ 0x20, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, 
['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_237c']], } ], '__unnamed_2380' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_2380']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0x128, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'HiberPte' : [ 0x48, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x50, ['unsigned long']], 'FreeMapCheck' : [ 0x54, ['unsigned long']], 'WakeCheck' : [ 0x58, ['unsigned long']], 'FirstTablePage' : [ 0x60, 
['unsigned long long']], 'PerfInfo' : [ 0x68, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0xc0, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0xc8, ['array', 1, ['unsigned long long']]], 'NoBootLoaderLogPages' : [ 0xd0, ['unsigned long']], 'BootLoaderLogPages' : [ 0xd8, ['array', 8, ['unsigned long long']]], 'NotUsed' : [ 0x118, ['unsigned long']], 'ResumeContextCheck' : [ 0x11c, ['unsigned long']], 'ResumeContextPages' : [ 0x120, ['unsigned long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x58, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'ElapsedTicks' : [ 0x18, ['unsigned long long']], 'CompressTicks' : [ 0x20, ['unsigned long long']], 'ResumeAppTime' : [ 0x28, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x30, ['unsigned long long']], 'BytesCopied' : [ 0x38, ['unsigned long long']], 'PagesProcessed' : [ 0x40, ['unsigned long long']], 'PagesWritten' : [ 0x48, ['unsigned long']], 'DumpCount' : [ 0x4c, ['unsigned long']], 'FileRuns' : [ 0x50, ['unsigned long']], } ], '_DEVICE_FLAGS' : [ 0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 1, 
end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ConsoleIn' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x20, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0x18, ['unsigned char']], 'Reserved' : [ 0x19, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' : [ 0x30, { 'Entry' : [ 0x0, ['unsigned long long']], 'Writable' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ControlArea' : [ 0x8, ['pointer64', ['_CONTROL_AREA']]], 'ViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'SessionViewVa' : [ 0x20, ['pointer64', ['void']]], 'SessionId' : [ 0x28, ['unsigned long']], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' 
: [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x40, { 'UsedBiosSettings' : [ 0x0, ['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0x10, ['pointer64', ['unsigned char']]], 'PciDeviceId' : [ 0x18, ['unsigned short']], 'PciVendorId' : [ 0x1a, ['unsigned short']], 'PciBusNumber' : [ 0x1c, ['unsigned char']], 'PciBusSegment' : [ 0x1e, ['unsigned short']], 'PciSlotNumber' : [ 0x20, ['unsigned char']], 'PciFunctionNumber' : [ 0x21, ['unsigned char']], 'PciFlags' : [ 0x24, ['unsigned long']], 'SystemGUID' : [ 0x28, ['_GUID']], 'IsMMIODevice' : [ 0x38, ['unsigned char']], 'TerminalType' : [ 0x39, ['unsigned char']], } ], '__unnamed_23aa' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_23ac' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_23ae' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_23aa']], 'Gpt' : [ 0x0, ['__unnamed_23ac']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xa0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 
'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_23ae']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x48, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'Flags' : [ 0x10, ['unsigned long']], 'Hint' : [ 0x14, ['unsigned long']], 'BasePte' : [ 0x18, ['pointer64', ['_MMPTE']]], 'FailureCount' : [ 0x20, ['pointer64', ['unsigned long']]], 'Vm' : [ 0x28, ['pointer64', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x30, ['long']], 'TotalFreeSystemPtes' : [ 0x34, ['long']], 'CachedPteCount' : [ 0x38, ['long']], 'PteFailures' : [ 0x3c, ['unsigned long']], 'SpinLock' : [ 0x40, ['unsigned long long']], 'GlobalMutex' : [ 0x40, ['pointer64', ['_KGUARDED_MUTEX']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x20, { 'DHCPServerACK' : [ 0x0, ['pointer64', ['unsigned char']]], 'DHCPServerACKLength' : [ 0x8, ['unsigned long']], 'BootServerReplyPacket' : [ 0x10, ['pointer64', ['unsigned char']]], 'BootServerReplyPacketLength' : [ 0x18, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x298, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 9, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : 
[ 0x18, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x28, ['_LIST_ENTRY']], 'WaitS0' : [ 0x38, ['_LIST_ENTRY']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_ETW_REPLY_QUEUE' : [ 0x48, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x40, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x68, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x20, ['pointer64', ['void']]], 'WhichOrderedElement' : [ 0x28, ['unsigned long']], 'NumberGenericTableElements' : [ 0x2c, ['unsigned long']], 'DepthOfTree' : [ 0x30, ['unsigned long']], 'RestartKey' : [ 0x38, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x40, ['unsigned long']], 'CompareRoutine' : [ 0x48, ['pointer64', ['void']]], 'AllocateRoutine' : [ 0x50, ['pointer64', ['void']]], 'FreeRoutine' : [ 0x58, ['pointer64', ['void']]], 'TableContext' : [ 0x60, 
['pointer64', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_KUSER_SHARED_DATA' : [ 0x5f0, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'AltArchitecturePad' : [ 0x2c4, ['array', 1, ['unsigned long']]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4,
['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'TscQpcData' : [ 0x2ed, ['unsigned char']], 'TscQpcEnabled' : [ 0x2ed, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TscQpcSpareFlag' : [ 0x2ed, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'TscQpcShift' : [ 0x2ed, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'TscQpcPad' : [ 0x2ee, ['array', 2, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgSystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgSEHValidationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]],
'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved5' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'TscQpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned short']], 'Reserved4' : [ 0x3c6, ['unsigned short']], 'AitSamplingValue' : [ 0x3c8, ['unsigned long']], 'AppCompatFlag' : [ 0x3cc, ['unsigned long']], 'SystemDllNativeRelocation' : [ 0x3d0, ['unsigned long long']], 'SystemDllWowRelocation' : [ 0x3d8, ['unsigned long']], 'XStatePad' : [ 0x3dc, ['array', 1, ['unsigned long']]], 'XState' : [ 0x3e0, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_1043' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1043']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1047' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1047']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_105f' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 
0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1061' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_105f']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x48, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x8, ['pointer64', ['_TP_POOL']]], 'CleanupGroup' : [ 0x10, ['pointer64', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0x18, ['pointer64', ['void']]], 'RaceDll' : [ 0x20, ['pointer64', ['void']]], 'ActivationContext' : [ 0x28, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x30, ['pointer64', ['void']]], 'u' : [ 0x38, ['__unnamed_1061']], 'CallbackPriority' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_INVALID'})]], 'Size' : [ 0x40, ['unsigned long']], } ], '_TP_TASK' : [ 0x38, { 'Callbacks' : [ 0x0, ['pointer64', ['_TP_TASK_CALLBACKS']]], 'NumaNode' : [ 0x8, ['unsigned long']], 'IdealProcessor' : [ 0xc, ['unsigned char']], 'PostGuard' : [ 0x10, ['_TP_NBQ_GUARD']], 'NBQNode' : [ 0x30, ['pointer64', ['void']]], } ], '_TP_TASK_CALLBACKS' : [ 0x10, { 'ExecuteCallback' : [ 0x0, ['pointer64', ['void']]], 'Unposted' : [ 0x8, ['pointer64', ['void']]], } ], '_TP_DIRECT' : [ 0x10, { 'Callback' : [ 0x0, ['pointer64', ['void']]], 'NumaNode' : [ 0x8, ['unsigned long']], 'IdealProcessor' : [ 0xc, ['unsigned char']], } ], '_TEB' : [ 0x1818, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned 
long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['pointer64', ['void']]]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', ['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, ['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['pointer64', 
['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['pointer64', ['void']]]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['pointer64', ['void']]], 'EtwLocalData' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['pointer64', ['void']]], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['pointer64', ['void']]], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'PreferredLanguages' : [ 0x17d0, ['pointer64', ['void']]], 'UserPrefLanguages' : [ 0x17d8, ['pointer64', ['void']]], 'MergedPrefLanguages' : [ 0x17e0, ['pointer64', ['void']]], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned 
short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['pointer64', ['void']]], 'TxnScopeExitCallback' : [ 0x17f8, ['pointer64', ['void']]], 'TxnScopeContext' : [ 0x1800, ['pointer64', ['void']]], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['pointer64', ['void']]], } ], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, { 'Next' : [ 0x0, 
['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0x18, { 'ChainHead' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x28, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ChainHead' : [ 0x18, ['pointer64', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x20, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x28, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer64', ['void']]], } ], '_UNICODE_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 
0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_KPCR' : [ 0x4e80, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'UserRsp' : [ 0x10, ['unsigned long long']], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, ['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, ['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_KPRCB' : [ 0x4d00, { 'MxCsr' : [ 0x0, ['unsigned long']], 'LegacyNumber' : [ 0x4, ['unsigned char']], 'ReservedMustBeZero' : [ 0x5, ['unsigned char']], 'InterruptRequest' : [ 
0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NestingLevel' : [ 0x20, ['unsigned char']], 'PrcbPad00' : [ 0x21, ['array', 3, ['unsigned char']]], 'Number' : [ 0x24, ['unsigned long']], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'PrcbPad01' : [ 0x38, ['unsigned long long']], 'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']], 'CpuType' : [ 0x5f0, ['unsigned char']], 'CpuID' : [ 0x5f1, ['unsigned char']], 'CpuStep' : [ 0x5f2, ['unsigned short']], 'CpuStepping' : [ 0x5f2, ['unsigned char']], 'CpuModel' : [ 0x5f3, ['unsigned char']], 'MHz' : [ 0x5f4, ['unsigned long']], 'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x638, ['unsigned short']], 'MajorVersion' : [ 0x63a, ['unsigned short']], 'BuildType' : [ 0x63c, ['unsigned char']], 'CpuVendor' : [ 0x63d, ['unsigned char']], 'CoresPerPhysicalProcessor' : [ 0x63e, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x63f, ['unsigned char']], 'ApicMask' : [ 0x640, ['unsigned long']], 'CFlushSize' : [ 0x644, ['unsigned long']], 'AcpiReserved' : [ 0x648, ['pointer64', ['void']]], 'InitialApicId' : [ 0x650, ['unsigned long']], 'Stride' : [ 0x654, ['unsigned long']], 'Group' : [ 0x658, ['unsigned short']], 'GroupSetMember' : [ 0x660, ['unsigned long long']], 'GroupIndex' : [ 0x668, ['unsigned char']], 'LockQueue' : [ 0x670, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x780, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x880, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1480, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x2080, ['long']], 'DeferredReadyListHead' : [ 0x2088, ['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x2090, ['long']], 'MmCopyOnWriteCount' : [ 0x2094, 
['long']], 'MmTransitionCount' : [ 0x2098, ['long']], 'MmDemandZeroCount' : [ 0x209c, ['long']], 'MmPageReadCount' : [ 0x20a0, ['long']], 'MmPageReadIoCount' : [ 0x20a4, ['long']], 'MmDirtyPagesWriteCount' : [ 0x20a8, ['long']], 'MmDirtyWriteIoCount' : [ 0x20ac, ['long']], 'MmMappedPagesWriteCount' : [ 0x20b0, ['long']], 'MmMappedWriteIoCount' : [ 0x20b4, ['long']], 'KeSystemCalls' : [ 0x20b8, ['unsigned long']], 'KeContextSwitches' : [ 0x20bc, ['unsigned long']], 'CcFastReadNoWait' : [ 0x20c0, ['unsigned long']], 'CcFastReadWait' : [ 0x20c4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x20c8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x20cc, ['unsigned long']], 'CcCopyReadWait' : [ 0x20d0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x20d4, ['unsigned long']], 'LookasideIrpFloat' : [ 0x20d8, ['long']], 'IoReadOperationCount' : [ 0x20dc, ['long']], 'IoWriteOperationCount' : [ 0x20e0, ['long']], 'IoOtherOperationCount' : [ 0x20e4, ['long']], 'IoReadTransferCount' : [ 0x20e8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x20f0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x20f8, ['_LARGE_INTEGER']], 'TargetCount' : [ 0x2100, ['long']], 'IpiFrozen' : [ 0x2104, ['unsigned long']], 'DpcData' : [ 0x2180, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x21c0, ['pointer64', ['void']]], 'MaximumDpcQueueDepth' : [ 0x21c8, ['long']], 'DpcRequestRate' : [ 0x21cc, ['unsigned long']], 'MinimumDpcRate' : [ 0x21d0, ['unsigned long']], 'DpcLastCount' : [ 0x21d4, ['unsigned long']], 'ThreadDpcEnable' : [ 0x21d8, ['unsigned char']], 'QuantumEnd' : [ 0x21d9, ['unsigned char']], 'DpcRoutineActive' : [ 0x21da, ['unsigned char']], 'IdleSchedule' : [ 0x21db, ['unsigned char']], 'DpcRequestSummary' : [ 0x21dc, ['long']], 'DpcRequestSlot' : [ 0x21dc, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x21dc, ['short']], 'DpcThreadActive' : [ 0x21de, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'ThreadDpcState' : [ 0x21de, ['short']], 'TimerHand' : 
[ 0x21e0, ['unsigned long']], 'MasterOffset' : [ 0x21e4, ['long']], 'LastTick' : [ 0x21e8, ['unsigned long']], 'UnusedPad' : [ 0x21ec, ['unsigned long']], 'PrcbPad50' : [ 0x21f0, ['array', 2, ['unsigned long long']]], 'TimerTable' : [ 0x2200, ['_KTIMER_TABLE']], 'DpcGate' : [ 0x4400, ['_KGATE']], 'PrcbPad52' : [ 0x4418, ['pointer64', ['void']]], 'CallDpc' : [ 0x4420, ['_KDPC']], 'ClockKeepAlive' : [ 0x4460, ['long']], 'ClockCheckSlot' : [ 0x4464, ['unsigned char']], 'ClockPollCycle' : [ 0x4465, ['unsigned char']], 'NmiActive' : [ 0x4466, ['unsigned short']], 'DpcWatchdogPeriod' : [ 0x4468, ['long']], 'DpcWatchdogCount' : [ 0x446c, ['long']], 'TickOffset' : [ 0x4470, ['unsigned long long']], 'KeSpinLockOrdering' : [ 0x4478, ['long']], 'PrcbPad70' : [ 0x447c, ['unsigned long']], 'WaitListHead' : [ 0x4480, ['_LIST_ENTRY']], 'WaitLock' : [ 0x4490, ['unsigned long long']], 'ReadySummary' : [ 0x4498, ['unsigned long']], 'QueueIndex' : [ 0x449c, ['unsigned long']], 'TimerExpirationDpc' : [ 0x44a0, ['_KDPC']], 'PrcbPad72' : [ 0x44e0, ['array', 4, ['unsigned long long']]], 'DispatcherReadyListHead' : [ 0x4500, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x4700, ['unsigned long']], 'KernelTime' : [ 0x4704, ['unsigned long']], 'UserTime' : [ 0x4708, ['unsigned long']], 'DpcTime' : [ 0x470c, ['unsigned long']], 'InterruptTime' : [ 0x4710, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x4714, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x4718, ['unsigned char']], 'PrcbPad80' : [ 0x4719, ['array', 7, ['unsigned char']]], 'DpcTimeCount' : [ 0x4720, ['unsigned long']], 'DpcTimeLimit' : [ 0x4724, ['unsigned long']], 'PeriodicCount' : [ 0x4728, ['unsigned long']], 'PeriodicBias' : [ 0x472c, ['unsigned long']], 'AvailableTime' : [ 0x4730, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x4734, ['unsigned long']], 'ParentNode' : [ 0x4738, ['pointer64', ['_KNODE']]], 'StartCycles' : [ 0x4740, ['unsigned long long']], 'PrcbPad82' : [ 0x4748, ['array', 3, ['unsigned long 
long']]], 'MmSpinLockOrdering' : [ 0x4760, ['long']], 'PageColor' : [ 0x4764, ['unsigned long']], 'NodeColor' : [ 0x4768, ['unsigned long']], 'NodeShiftedColor' : [ 0x476c, ['unsigned long']], 'SecondaryColorMask' : [ 0x4770, ['unsigned long']], 'PrcbPad83' : [ 0x4774, ['unsigned long']], 'CycleTime' : [ 0x4778, ['unsigned long long']], 'CcFastMdlReadNoWait' : [ 0x4780, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x4784, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x4788, ['unsigned long']], 'CcMapDataNoWait' : [ 0x478c, ['unsigned long']], 'CcMapDataWait' : [ 0x4790, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x4794, ['unsigned long']], 'CcPinReadNoWait' : [ 0x4798, ['unsigned long']], 'CcPinReadWait' : [ 0x479c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x47a0, ['unsigned long']], 'CcMdlReadWait' : [ 0x47a4, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x47a8, ['unsigned long']], 'CcLazyWriteIos' : [ 0x47ac, ['unsigned long']], 'CcLazyWritePages' : [ 0x47b0, ['unsigned long']], 'CcDataFlushes' : [ 0x47b4, ['unsigned long']], 'CcDataPages' : [ 0x47b8, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x47bc, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x47c0, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x47c4, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x47c8, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x47cc, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x47d0, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x47d4, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x47d8, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x47dc, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x47e0, ['unsigned long']], 'CcReadAheadIos' : [ 0x47e4, ['unsigned long']], 'MmCacheTransitionCount' : [ 0x47e8, ['long']], 'MmCacheReadCount' : [ 0x47ec, ['long']], 'MmCacheIoCount' : [ 0x47f0, ['long']], 'PrcbPad91' : [ 0x47f4, ['array', 1, ['unsigned long']]], 'RuntimeAccumulation' : [ 0x47f8, ['unsigned long long']], 'PowerState' : [ 0x4800, ['_PROCESSOR_POWER_STATE']], 
'PrcbPad92' : [ 0x4900, ['array', 16, ['unsigned char']]], 'KeAlignmentFixupCount' : [ 0x4910, ['unsigned long']], 'DpcWatchdogDpc' : [ 0x4918, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x4958, ['_KTIMER']], 'Cache' : [ 0x4998, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x49d4, ['unsigned long']], 'CachedCommit' : [ 0x49d8, ['unsigned long']], 'CachedResidentAvailable' : [ 0x49dc, ['unsigned long']], 'HyperPte' : [ 0x49e0, ['pointer64', ['void']]], 'WheaInfo' : [ 0x49e8, ['pointer64', ['void']]], 'EtwSupport' : [ 0x49f0, ['pointer64', ['void']]], 'InterruptObjectPool' : [ 0x4a00, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x4a10, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x4a20, ['pointer64', ['void']]], 'VirtualApicAssist' : [ 0x4a28, ['pointer64', ['void']]], 'StatisticsPage' : [ 0x4a30, ['pointer64', ['unsigned long long']]], 'RateControl' : [ 0x4a38, ['pointer64', ['void']]], 'CacheProcessorMask' : [ 0x4a40, ['array', 5, ['unsigned long long']]], 'PackageProcessorSet' : [ 0x4a68, ['_KAFFINITY_EX']], 'CoreProcessorSet' : [ 0x4a90, ['unsigned long long']], 'PebsIndexAddress' : [ 0x4a98, ['pointer64', ['void']]], 'PrcbPad93' : [ 0x4aa0, ['array', 12, ['unsigned long long']]], 'SpinLockAcquireCount' : [ 0x4b00, ['unsigned long']], 'SpinLockContentionCount' : [ 0x4b04, ['unsigned long']], 'SpinLockSpinCount' : [ 0x4b08, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0x4b0c, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x4b10, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x4b14, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x4b18, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x4b1c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x4b20, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x4b24, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x4b28, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x4b2c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x4b30, 
['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x4b34, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x4b38, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x4b3c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x4b40, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x4b44, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x4b48, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x4b4c, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x4b50, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x4b54, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x4b58, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x4b5c, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x4b60, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x4b64, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x4b68, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x4b6c, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x4b70, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x4b74, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x4b78, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x4b7c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x4b80, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x4b84, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x4b88, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x4b8c, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x4b90, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x4b94, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x4b98, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x4b9c, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0x4ba0, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : 
[ 0x4ba4, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0x4ba8, ['unsigned long']], 'ExBoostSharedOwners' : [ 0x4bac, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0x4bb0, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0x4bb4, ['unsigned long']], 'VendorString' : [ 0x4bb8, ['array', 13, ['unsigned char']]], 'PrcbPad10' : [ 0x4bc5, ['array', 3, ['unsigned char']]], 'FeatureBits' : [ 0x4bc8, ['unsigned long']], 'UpdateSignature' : [ 0x4bd0, ['_LARGE_INTEGER']], 'Context' : [ 0x4bd8, ['pointer64', ['_CONTEXT']]], 'ContextFlags' : [ 0x4be0, ['unsigned long']], 'ExtendedState' : [ 0x4be8, ['pointer64', ['_XSAVE_AREA']]], 'Mailbox' : [ 0x4c00, ['pointer64', ['_REQUEST_MAILBOX']]], 'RequestMailbox' : [ 0x4c80, ['array', 1, ['_REQUEST_MAILBOX']]], } ], '_SINGLE_LIST_ENTRY32' : [ 0x4, { 'Next' : [ 0x0, ['unsigned long']], } ], '_KTHREAD' : [ 0x360, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'CycleTime' : [ 0x18, ['unsigned long long']], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'KernelStack' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 0x40, ['unsigned long long']], 'WaitRegister' : [ 0x48, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x49, ['unsigned char']], 'Alerted' : [ 0x4a, ['array', 2, ['unsigned char']]], 'KernelStackResident' : [ 0x4c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x4c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x4c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x4c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x4c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x4c, ['BitField', dict(start_bit = 5, end_bit = 6, 
native_type='unsigned long')]], 'GdiFlushActive' : [ 0x4c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x4c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x4c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x4c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x4c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x4c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'TimerActive' : [ 0x4c, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'SystemThread' : [ 0x4c, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Reserved' : [ 0x4c, ['BitField', dict(start_bit = 14, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x4c, ['long']], 'ApcState' : [ 0x50, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x50, ['array', 43, ['unsigned char']]], 'Priority' : [ 0x7b, ['unsigned char']], 'NextProcessor' : [ 0x7c, ['unsigned long']], 'DeferredProcessor' : [ 0x80, ['unsigned long']], 'ApcQueueLock' : [ 0x88, ['unsigned long long']], 'WaitStatus' : [ 0x90, ['long long']], 'WaitBlockList' : [ 0x98, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0xa0, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0xa0, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xb0, ['pointer64', ['_KQUEUE']]], 'Teb' : [ 0xb8, ['pointer64', ['void']]], 'Timer' : [ 0xc0, ['_KTIMER']], 'AutoAlignment' : [ 0x100, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0x100, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0x100, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EtwStackTraceApc2Inserted' : [ 
0x100, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CalloutActive' : [ 0x100, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ApcQueueable' : [ 0x100, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'EnableStackSwap' : [ 0x100, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'GuiThread' : [ 0x100, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0x100, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'VdmSafe' : [ 0x100, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'UmsDispatched' : [ 0x100, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ReservedFlags' : [ 0x100, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0x100, ['long']], 'Spare0' : [ 0x104, ['unsigned long']], 'WaitBlock' : [ 0x108, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill4' : [ 0x108, ['array', 44, ['unsigned char']]], 'ContextSwitches' : [ 0x134, ['unsigned long']], 'WaitBlockFill5' : [ 0x108, ['array', 92, ['unsigned char']]], 'State' : [ 0x164, ['unsigned char']], 'NpxState' : [ 0x165, ['unsigned char']], 'WaitIrql' : [ 0x166, ['unsigned char']], 'WaitMode' : [ 0x167, ['unsigned char']], 'WaitBlockFill6' : [ 0x108, ['array', 140, ['unsigned char']]], 'WaitTime' : [ 0x194, ['unsigned long']], 'WaitBlockFill7' : [ 0x108, ['array', 168, ['unsigned char']]], 'TebMappedLowVa' : [ 0x1b0, ['pointer64', ['void']]], 'Ucb' : [ 0x1b8, ['pointer64', ['_UMS_CONTROL_BLOCK']]], 'WaitBlockFill8' : [ 0x108, ['array', 188, ['unsigned char']]], 'KernelApcDisable' : [ 0x1c4, ['short']], 'SpecialApcDisable' : [ 0x1c6, ['short']], 'CombinedApcDisable' : [ 0x1c4, ['unsigned long']], 'QueueListEntry' : [ 0x1c8, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x1d8, ['pointer64', ['_KTRAP_FRAME']]], 
'FirstArgument' : [ 0x1e0, ['pointer64', ['void']]], 'CallbackStack' : [ 0x1e8, ['pointer64', ['void']]], 'CallbackDepth' : [ 0x1e8, ['unsigned long long']], 'ApcStateIndex' : [ 0x1f0, ['unsigned char']], 'BasePriority' : [ 0x1f1, ['unsigned char']], 'PriorityDecrement' : [ 0x1f2, ['unsigned char']], 'ForegroundBoost' : [ 0x1f2, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x1f2, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x1f3, ['unsigned char']], 'AdjustReason' : [ 0x1f4, ['unsigned char']], 'AdjustIncrement' : [ 0x1f5, ['unsigned char']], 'PreviousMode' : [ 0x1f6, ['unsigned char']], 'Saturation' : [ 0x1f7, ['unsigned char']], 'SystemCallNumber' : [ 0x1f8, ['unsigned long']], 'FreezeCount' : [ 0x1fc, ['unsigned long']], 'UserAffinity' : [ 0x200, ['_GROUP_AFFINITY']], 'Process' : [ 0x210, ['pointer64', ['_KPROCESS']]], 'Affinity' : [ 0x218, ['_GROUP_AFFINITY']], 'IdealProcessor' : [ 0x228, ['unsigned long']], 'UserIdealProcessor' : [ 0x22c, ['unsigned long']], 'ApcStatePointer' : [ 0x230, ['array', 2, ['pointer64', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x240, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x240, ['array', 43, ['unsigned char']]], 'WaitReason' : [ 0x26b, ['unsigned char']], 'SuspendCount' : [ 0x26c, ['unsigned char']], 'Spare1' : [ 0x26d, ['unsigned char']], 'CodePatchInProgress' : [ 0x26e, ['unsigned char']], 'Win32Thread' : [ 0x270, ['pointer64', ['void']]], 'StackBase' : [ 0x278, ['pointer64', ['void']]], 'SuspendApc' : [ 0x280, ['_KAPC']], 'SuspendApcFill0' : [ 0x280, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x281, ['unsigned char']], 'SuspendApcFill1' : [ 0x280, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x283, ['unsigned char']], 'SuspendApcFill2' : [ 0x280, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x284, ['unsigned long']], 'SuspendApcFill3' : [ 0x280, ['array', 64, ['unsigned char']]], 'WaitPrcb' : [ 0x2c0, 
['pointer64', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x280, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x2c8, ['pointer64', ['void']]], 'SuspendApcFill5' : [ 0x280, ['array', 83, ['unsigned char']]], 'LargeStack' : [ 0x2d3, ['unsigned char']], 'UserTime' : [ 0x2d4, ['unsigned long']], 'SuspendSemaphore' : [ 0x2d8, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x2d8, ['array', 28, ['unsigned char']]], 'SListFaultCount' : [ 0x2f4, ['unsigned long']], 'ThreadListEntry' : [ 0x2f8, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x308, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x318, ['pointer64', ['void']]], 'ReadOperationCount' : [ 0x320, ['long long']], 'WriteOperationCount' : [ 0x328, ['long long']], 'OtherOperationCount' : [ 0x330, ['long long']], 'ReadTransferCount' : [ 0x338, ['long long']], 'WriteTransferCount' : [ 0x340, ['long long']], 'OtherTransferCount' : [ 0x348, ['long long']], 'ThreadCounters' : [ 0x350, ['pointer64', ['_KTHREAD_COUNTERS']]], 'XStateSave' : [ 0x358, ['pointer64', ['_XSTATE_SAVE']]], } ], '_KSTACK_AREA' : [ 0x250, { 'StackControl' : [ 0x0, ['_KERNEL_STACK_CONTROL']], 'NpxFrame' : [ 0x50, ['_XSAVE_FORMAT']], } ], '_KERNEL_STACK_CONTROL' : [ 0x50, { 'Current' : [ 0x0, ['_KERNEL_STACK_SEGMENT']], 'Previous' : [ 0x28, ['_KERNEL_STACK_SEGMENT']], } ], '_UMS_CONTROL_BLOCK' : [ 0x98, { 'UmsContext' : [ 0x0, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'CompletionListEntry' : [ 0x8, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'CompletionListEvent' : [ 0x10, ['pointer64', ['_KEVENT']]], 'ServiceSequenceNumber' : [ 0x18, ['unsigned long']], 'UmsQueue' : [ 0x20, ['_KQUEUE']], 'QueueEntry' : [ 0x60, ['_LIST_ENTRY']], 'YieldingUmsContext' : [ 0x70, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'YieldingParam' : [ 0x78, ['pointer64', ['void']]], 'UmsTeb' : [ 0x80, ['pointer64', ['void']]], 'PrimaryFlags' : [ 0x88, ['unsigned long']], 'UmsContextHeaderReady' : [ 0x88, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UmsAssociatedQueue' : [ 0x20, 
['pointer64', ['_KQUEUE']]], 'UmsQueueListEntry' : [ 0x28, ['pointer64', ['_LIST_ENTRY']]], 'UmsContextHeader' : [ 0x30, ['pointer64', ['_KUMS_CONTEXT_HEADER']]], 'UmsWaitGate' : [ 0x38, ['_KGATE']], 'StagingArea' : [ 0x50, ['pointer64', ['void']]], 'Flags' : [ 0x58, ['long']], 'UmsForceQueueTermination' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'UmsAssociatedQueueUsed' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'UmsThreadParked' : [ 0x58, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'UmsPrimaryDeliveredContext' : [ 0x58, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'UmsPerformingSingleStep' : [ 0x58, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'TebSelector' : [ 0x90, ['unsigned short']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Event' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '__unnamed_11cd' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 25, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 61, native_type='unsigned long long')]], 'Region' : [ 0x8, 
['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_11d2' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_11d5' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long long']], 'Header8' : [ 0x0, ['__unnamed_11cd']], 'Header16' : [ 0x0, ['__unnamed_11d2']], 'HeaderX64' : [ 0x0, ['__unnamed_11d5']], } ], '_LOOKASIDE_LIST_EX' : [ 0x60, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_IO_STATUS_BLOCK' : [ 
0x10, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 'Information' : [ 0x8, ['unsigned long long']], } ], '_IO_STATUS_BLOCK32' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Information' : [ 0x4, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x100, { 'Locks' : [ 0x0, ['array', 32, ['pointer64', ['_EX_PUSH_LOCK']]]], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 
'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x40, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x18, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x20, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x28, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x30, ['long']], 'Flags' : [ 0x34, ['long']], } ], '_ETHREAD' : [ 0x498, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x360, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x368, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x368, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x378, ['long']], 'PostBlockList' : [ 0x380, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x380, ['pointer64', ['void']]], 'StartAddress' : [ 0x388, ['pointer64', ['void']]], 'TerminationPort' : [ 0x390, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x390, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x390, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x398, ['unsigned long long']], 'ActiveTimerListHead' : [ 0x3a0, 
['_LIST_ENTRY']], 'Cid' : [ 0x3b0, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x3c0, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x3c0, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x3e0, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x3e8, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x3f8, ['unsigned long long']], 'DeviceToVerify' : [ 0x400, ['pointer64', ['_DEVICE_OBJECT']]], 'CpuQuotaApc' : [ 0x408, ['pointer64', ['_PSP_CPU_QUOTA_APC']]], 'Win32StartAddress' : [ 0x410, ['pointer64', ['void']]], 'LegacyPowerObject' : [ 0x418, ['pointer64', ['void']]], 'ThreadListEntry' : [ 0x420, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x430, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x438, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x440, ['unsigned long']], 'MmLockOrdering' : [ 0x444, ['long']], 'CrossThreadFlags' : [ 0x448, ['unsigned long']], 'Terminated' : [ 0x448, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x448, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x448, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x448, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x448, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x448, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x448, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x448, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x448, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x448, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x448, ['BitField', dict(start_bit = 10, end_bit = 13, 
native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x448, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x448, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NeedsWorkingSetAging' : [ 0x448, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x44c, ['unsigned long']], 'ActiveExWorker' : [ 0x44c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x44c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x44c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ClonedThread' : [ 0x44c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x44c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x44c, ['BitField', dict(start_bit = 5, end_bit = 7, native_type='unsigned long')]], 'SelfTerminate' : [ 0x44c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x450, ['unsigned long']], 'Spare' : [ 0x450, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x450, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwPageFaultCalloutActive' : [ 0x450, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x450, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x450, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetExclusive' : [ 0x450, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetShared' : [ 0x450, ['BitField', dict(start_bit = 6, end_bit = 7, 
native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x450, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x451, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x451, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x451, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x451, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x451, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsDynamicMemoryShared' : [ 0x451, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x451, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x451, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetExclusive' : [ 0x452, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetShared' : [ 0x452, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetExclusive' : [ 0x452, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetShared' : [ 0x452, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimTrigger' : [ 0x452, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Spare1' : [ 0x452, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x453, ['unsigned char']], 'CacheManagerActive' : [ 0x454, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x455, ['unsigned char']], 'ActiveFaultCount' : [ 0x456, ['unsigned char']], 
'LockOrderState' : [ 0x457, ['unsigned char']], 'AlpcMessageId' : [ 0x458, ['unsigned long long']], 'AlpcMessage' : [ 0x460, ['pointer64', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x460, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x468, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x478, ['unsigned long']], 'IoBoostCount' : [ 0x47c, ['unsigned long']], 'IrpListLock' : [ 0x480, ['unsigned long long']], 'ReservedForSynchTracking' : [ 0x488, ['pointer64', ['void']]], 'CmCallbackListHead' : [ 0x490, ['_SINGLE_LIST_ENTRY']], } ], '_EPROCESS' : [ 0x4d0, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x160, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x168, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x170, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0x178, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x180, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0x188, ['_LIST_ENTRY']], 'ProcessQuotaUsage' : [ 0x198, ['array', 2, ['unsigned long long']]], 'ProcessQuotaPeak' : [ 0x1a8, ['array', 2, ['unsigned long long']]], 'CommitCharge' : [ 0x1b8, ['unsigned long long']], 'QuotaBlock' : [ 0x1c0, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'CpuQuotaBlock' : [ 0x1c8, ['pointer64', ['_PS_CPU_QUOTA_BLOCK']]], 'PeakVirtualSize' : [ 0x1d0, ['unsigned long long']], 'VirtualSize' : [ 0x1d8, ['unsigned long long']], 'SessionProcessLinks' : [ 0x1e0, ['_LIST_ENTRY']], 'DebugPort' : [ 0x1f0, ['pointer64', ['void']]], 'ExceptionPortData' : [ 0x1f8, ['pointer64', ['void']]], 'ExceptionPortValue' : [ 0x1f8, ['unsigned long long']], 'ExceptionPortState' : [ 0x1f8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'ObjectTable' : [ 0x200, ['pointer64', ['_HANDLE_TABLE']]], 'Token' : [ 0x208, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0x210, ['unsigned long long']], 'AddressCreationLock' : [ 0x218, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x220, ['pointer64', ['_ETHREAD']]], 'ForkInProgress' : [ 0x228, ['pointer64', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x230, ['unsigned long long']],
'PhysicalVadRoot' : [ 0x238, ['pointer64', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x240, ['pointer64', ['void']]], 'NumberOfPrivatePages' : [ 0x248, ['unsigned long long']], 'NumberOfLockedPages' : [ 0x250, ['unsigned long long']], 'Win32Process' : [ 0x258, ['pointer64', ['void']]], 'Job' : [ 0x260, ['pointer64', ['_EJOB']]], 'SectionObject' : [ 0x268, ['pointer64', ['void']]], 'SectionBaseAddress' : [ 0x270, ['pointer64', ['void']]], 'Cookie' : [ 0x278, ['unsigned long']], 'UmsScheduledThreads' : [ 0x27c, ['unsigned long']], 'WorkingSetWatch' : [ 0x280, ['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x288, ['pointer64', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x290, ['pointer64', ['void']]], 'LdtInformation' : [ 0x298, ['pointer64', ['void']]], 'Spare' : [ 0x2a0, ['pointer64', ['void']]], 'ConsoleHostProcess' : [ 0x2a8, ['unsigned long long']], 'DeviceMap' : [ 0x2b0, ['pointer64', ['void']]], 'EtwDataSource' : [ 0x2b8, ['pointer64', ['void']]], 'FreeTebHint' : [ 0x2c0, ['pointer64', ['void']]], 'FreeUmsTebHint' : [ 0x2c8, ['pointer64', ['void']]], 'PageDirectoryPte' : [ 0x2d0, ['_HARDWARE_PTE']], 'Filler' : [ 0x2d0, ['unsigned long long']], 'Session' : [ 0x2d8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x2e0, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x2ef, ['unsigned char']], 'JobLinks' : [ 0x2f0, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x300, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x308, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x318, ['pointer64', ['void']]], 'Wow64Process' : [ 0x320, ['pointer64', ['void']]], 'ActiveThreads' : [ 0x328, ['unsigned long']], 'ImagePathHash' : [ 0x32c, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x330, ['unsigned long']], 'LastThreadExitStatus' : [ 0x334, ['long']], 'Peb' : [ 0x338, ['pointer64', ['_PEB']]], 'PrefetchTrace' : [ 0x340, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x348, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x350, ['_LARGE_INTEGER']], 
'OtherOperationCount' : [ 0x358, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x360, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x368, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x370, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x378, ['unsigned long long']], 'CommitChargePeak' : [ 0x380, ['unsigned long long']], 'AweInfo' : [ 0x388, ['pointer64', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x390, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x398, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x420, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x430, ['pointer64', ['void']]], 'ModifiedPageCount' : [ 0x438, ['unsigned long']], 'Flags2' : [ 0x43c, ['unsigned long']], 'JobNotReallyActive' : [ 0x43c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x43c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x43c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x43c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x43c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x43c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x43c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x43c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x43c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x43c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x43c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtectedProcess' : [ 0x43c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 
'DefaultPagePriority' : [ 0x43c, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x43c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x43c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x43c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x43c, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x43c, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0x43c, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0x43c, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Flags' : [ 0x440, ['unsigned long']], 'CreateReported' : [ 0x440, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x440, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x440, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x440, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x440, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x440, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x440, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x440, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x440, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x440, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 
'AddressSpaceInitialized' : [ 0x440, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x440, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x440, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x440, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x440, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x440, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x440, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x440, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x440, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x440, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x440, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x440, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x440, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x440, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x440, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x440, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x440, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x440, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 
'SetTimerResolutionLink' : [ 0x440, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x444, ['long']], 'VadRoot' : [ 0x448, ['_MM_AVL_TABLE']], 'AlpcContext' : [ 0x488, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x4a8, ['_LIST_ENTRY']], 'RequestedTimerResolution' : [ 0x4b8, ['unsigned long']], 'ActiveThreadsHighWatermark' : [ 0x4bc, ['unsigned long']], 'SmallestTimerResolution' : [ 0x4c0, ['unsigned long']], 'TimerResolutionStackRecord' : [ 0x4c8, ['pointer64', ['_PO_DIAG_STACK_RECORD']]], } ], '_KPROCESS' : [ 0x160, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x28, ['unsigned long long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x40, ['unsigned long long']], 'Affinity' : [ 0x48, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0x70, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x80, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x88, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0xb0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0xb0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0xb0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ActiveGroupsMask' : [ 0xb0, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'ReservedFlags' : [ 0xb0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0xb0, ['long']], 'BasePriority' : [ 0xb4, ['unsigned char']], 'QuantumReset' : [ 0xb5, ['unsigned char']], 'Visited' : [ 0xb6, ['unsigned char']], 'Unused3' : [ 0xb7, ['unsigned char']], 'ThreadSeed' : [ 0xb8, ['array', 4, ['unsigned long']]], 'IdealNode' : [ 0xc8, ['array', 4, ['unsigned short']]], 'IdealGlobalNode' : [ 0xd0, ['unsigned short']], 'Flags' : [ 0xd2, ['_KEXECUTE_OPTIONS']], 'Unused1' : [ 0xd3, ['unsigned char']], 'Unused2' : [ 0xd4, ['unsigned long']], 'Unused4' : 
[ 0xd8, ['unsigned long']], 'StackCount' : [ 0xdc, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0xe0, ['_LIST_ENTRY']], 'CycleTime' : [ 0xf0, ['unsigned long long']], 'KernelTime' : [ 0xf8, ['unsigned long']], 'UserTime' : [ 0xfc, ['unsigned long']], 'InstrumentationCallback' : [ 0x100, ['pointer64', ['void']]], 'LdtSystemDescriptor' : [ 0x108, ['_KGDTENTRY64']], 'LdtBaseAddress' : [ 0x118, ['pointer64', ['void']]], 'LdtProcessLock' : [ 0x120, ['_KGUARDED_MUTEX']], 'LdtFreeSelectorHint' : [ 0x158, ['unsigned short']], 'LdtTableLength' : [ 0x15a, ['unsigned short']], } ], '__unnamed_12d9' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_12d9']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xd8, { 'PrivilegesUsed' : [ 0x0, ['pointer64', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x18, ['unsigned long']], 'MaximumAuditMask' : [ 0x1c, ['unsigned long']], 'TransactionId' : [ 0x20, ['_GUID']], 'NewSecurityDescriptor' : [ 0x30, ['pointer64', ['void']]], 'ExistingSecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'ParentSecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 
'DeRefSecurityDescriptor' : [ 0x48, ['pointer64', ['void']]], 'SDLock' : [ 0x50, ['pointer64', ['void']]], 'AccessReasons' : [ 0x58, ['_ACCESS_REASONS']], } ], '__unnamed_12e8' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_12ed' : [ 0x10, { 'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_12ef' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_12ed']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_12fa' : [ 0x50, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_12fc' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_12fa']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, ['__unnamed_12e8']], 'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : [ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : [ 0x48, ['pointer64', 
['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_12ef']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 0x78, ['__unnamed_12fc']], } ], '__unnamed_1303' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'FileAttributes' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'EaLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1307' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_130b' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_130d' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1311' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 
18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_1313' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_1315' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 
'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], } ], '__unnamed_1317' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 
'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0x18, ['unsigned char']], 'AdvanceOnly' : [ 0x19, ['unsigned char']], 'ClusterCount' : [ 0x18, ['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1319' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', ['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 'EaIndex' : [ 0x18,
['unsigned long']], } ], '__unnamed_131b' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_131f' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'})]], } ], '__unnamed_1321' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1323' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1325' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'IoControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1327' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1329' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_132d' : [ 0x10, { 'Vpb' : [ 0x0, ['pointer64', ['_VPB']]], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_1331' : [ 0x8, { 'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1335' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x8, ['pointer64', ['void']]], 'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1339' : [ 0x4, { 'Type' : [ 0x0, 
['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_133f' : [ 0x20, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'Size' : [ 0x8, ['unsigned short']], 'Version' : [ 0xa, ['unsigned short']], 'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1343' : [ 0x8, { 'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1347' : [ 0x8, { 'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1349' : [ 0x20, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['void']]], 'Offset' : [ 0x10, ['unsigned long']], 'Length' : [ 0x18, ['unsigned long']], } ], '__unnamed_134b' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_134f' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_1353' : [ 0x10, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x8, ['unsigned long']], } ], '__unnamed_1357' : [ 0x10, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_135b' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 
'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_135f' : [ 0x8, { 'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]], } ], '__unnamed_1367' : [ 0x20, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x10, ['_POWER_STATE']], 'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_136b' : [ 0x10, { 'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_136d' : [ 0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_136f' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1371' : [ 0x20, { 'Create' : [ 0x0, ['__unnamed_1303']], 'CreatePipe' : [ 0x0, ['__unnamed_1307']], 'CreateMailslot' : [ 0x0, ['__unnamed_130b']], 'Read' : [ 0x0, ['__unnamed_130d']], 'Write' : [ 0x0, ['__unnamed_130d']], 'QueryDirectory' : [ 0x0, ['__unnamed_1311']], 'NotifyDirectory' : [ 0x0, ['__unnamed_1313']], 'QueryFile' : [ 0x0, ['__unnamed_1315']], 'SetFile' : [ 0x0, ['__unnamed_1317']], 'QueryEa' : [ 0x0, ['__unnamed_1319']], 'SetEa' : [ 0x0, ['__unnamed_131b']], 'QueryVolume' : [ 0x0, ['__unnamed_131f']], 'SetVolume' : [ 0x0, ['__unnamed_131f']], 
'FileSystemControl' : [ 0x0, ['__unnamed_1321']], 'LockControl' : [ 0x0, ['__unnamed_1323']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1325']], 'QuerySecurity' : [ 0x0, ['__unnamed_1327']], 'SetSecurity' : [ 0x0, ['__unnamed_1329']], 'MountVolume' : [ 0x0, ['__unnamed_132d']], 'VerifyVolume' : [ 0x0, ['__unnamed_132d']], 'Scsi' : [ 0x0, ['__unnamed_1331']], 'QueryQuota' : [ 0x0, ['__unnamed_1335']], 'SetQuota' : [ 0x0, ['__unnamed_131b']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1339']], 'QueryInterface' : [ 0x0, ['__unnamed_133f']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_1343']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1347']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1349']], 'SetLock' : [ 0x0, ['__unnamed_134b']], 'QueryId' : [ 0x0, ['__unnamed_134f']], 'QueryDeviceText' : [ 0x0, ['__unnamed_1353']], 'UsageNotification' : [ 0x0, ['__unnamed_1357']], 'WaitWake' : [ 0x0, ['__unnamed_135b']], 'PowerSequence' : [ 0x0, ['__unnamed_135f']], 'Power' : [ 0x0, ['__unnamed_1367']], 'StartDevice' : [ 0x0, ['__unnamed_136b']], 'WMI' : [ 0x0, ['__unnamed_136d']], 'Others' : [ 0x0, ['__unnamed_136f']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_1371']], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } ], '__unnamed_1387' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', 
['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_1387']], 'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '_KDPC' : [ 0x40, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x8, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', ['void']]], 'DpcData' : [ 0x38, ['pointer64', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x20, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x8, ['pointer64', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x10, ['pointer64', ['void']]], 'TxnParameters' : [ 0x18, ['pointer64', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], 
'_OBJECT_ATTRIBUTES' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'Attributes' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0xd8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' : [ 0x18, ['pointer64', ['void']]], 'FsContext2' : [ 0x20, ['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 0x58, ['_UNICODE_STRING']], 
'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0xb8, ['unsigned long long']], 'IrpList' : [ 0xc0, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0xd0, ['pointer64', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x48, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0xc, ['unsigned long']], 'CurrentFileIndex' : [ 0xc, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], 'FirstFileEntry' : [ 0x30, ['pointer64', ['unsigned long long']]], 'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]], 'SessionId' : [ 0x40, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer64', ['unsigned long long']]], 'LastPageFrameEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, 
['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 
2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer64', ['_ERESOURCE']]], 'PagingIoResource' : [ 0x10, ['pointer64', ['_ERESOURCE']]], 'AllocationSize' : [ 0x18, ['_LARGE_INTEGER']], 'FileSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x30, ['pointer64', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x38, ['_LIST_ENTRY']], 'PushLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x50, ['pointer64', ['pointer64', ['void']]]], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '__unnamed_14ef' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' 
: [ 0x8, { 'u' : [ 0x0, ['__unnamed_14ef']], } ], '__unnamed_1500' : [ 0x10, { 'I386' : [ 0x0, ['_I386_LOADER_BLOCK']], 'Ia64' : [ 0x0, ['_IA64_LOADER_BLOCK']], } ], '_LOADER_PARAMETER_BLOCK' : [ 0xf0, { 'OsMajorVersion' : [ 0x0, ['unsigned long']], 'OsMinorVersion' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'LoadOrderListHead' : [ 0x10, ['_LIST_ENTRY']], 'MemoryDescriptorListHead' : [ 0x20, ['_LIST_ENTRY']], 'BootDriverListHead' : [ 0x30, ['_LIST_ENTRY']], 'KernelStack' : [ 0x40, ['unsigned long long']], 'Prcb' : [ 0x48, ['unsigned long long']], 'Process' : [ 0x50, ['unsigned long long']], 'Thread' : [ 0x58, ['unsigned long long']], 'RegistryLength' : [ 0x60, ['unsigned long']], 'RegistryBase' : [ 0x68, ['pointer64', ['void']]], 'ConfigurationRoot' : [ 0x70, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'ArcBootDeviceName' : [ 0x78, ['pointer64', ['unsigned char']]], 'ArcHalDeviceName' : [ 0x80, ['pointer64', ['unsigned char']]], 'NtBootPathName' : [ 0x88, ['pointer64', ['unsigned char']]], 'NtHalPathName' : [ 0x90, ['pointer64', ['unsigned char']]], 'LoadOptions' : [ 0x98, ['pointer64', ['unsigned char']]], 'NlsData' : [ 0xa0, ['pointer64', ['_NLS_DATA_BLOCK']]], 'ArcDiskInformation' : [ 0xa8, ['pointer64', ['_ARC_DISK_INFORMATION']]], 'OemFontFile' : [ 0xb0, ['pointer64', ['void']]], 'Extension' : [ 0xb8, ['pointer64', ['_LOADER_PARAMETER_EXTENSION']]], 'u' : [ 0xc0, ['__unnamed_1500']], 'FirmwareInformation' : [ 0xd0, ['_FIRMWARE_INFORMATION_LOADER_BLOCK']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x28, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 
'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], 'Lock' : [ 0x20, ['unsigned long long']], } ], '__unnamed_152f' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer64', ['void']]], 'VolatileNext' : [ 0x0, ['pointer64', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_1531' : [ 0x8, { 'Blink' : [ 0x0, ['unsigned long long']], 'ImageProtoPte' : [ 0x0, ['pointer64', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1534' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_1536' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_1534']], } ], '__unnamed_153e' : [ 0x8, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 52, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 57, native_type='unsigned long long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 64, native_type='unsigned long long')]], } ], '_MMPFN' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_152f']], 'u2' : [ 0x8, ['__unnamed_1531']], 'PteAddress' : [ 0x10, ['pointer64', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x10, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['long']], 'PteLong' : [ 0x10, ['unsigned long long']], 'u3' : [ 0x18, ['__unnamed_1536']], 'UsedPageTableEntries' : [ 
0x1c, ['unsigned short']], 'VaType' : [ 0x1e, ['unsigned char']], 'ViewCount' : [ 0x1f, ['unsigned char']], 'OriginalPte' : [ 0x20, ['_MMPTE']], 'AweReferenceCount' : [ 0x20, ['long']], 'u4' : [ 0x28, ['__unnamed_153e']], } ], '_MI_COLOR_BASE' : [ 0x10, { 'ColorPointer' : [ 0x0, ['pointer64', ['unsigned short']]], 'ColorMask' : [ 0x8, ['unsigned short']], 'ColorNode' : [ 0xa, ['unsigned short']], } ], '_MMSUPPORT' : [ 0x88, { 'WorkingSetMutex' : [ 0x0, ['_EX_PUSH_LOCK']], 'ExitGate' : [ 0x8, ['pointer64', ['_KGATE']]], 'AccessLog' : [ 0x10, ['pointer64', ['void']]], 'WorkingSetExpansionLinks' : [ 0x18, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x28, ['array', 7, ['unsigned long']]], 'MinimumWorkingSetSize' : [ 0x44, ['unsigned long']], 'WorkingSetSize' : [ 0x48, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x4c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x50, ['unsigned long']], 'ChargedWslePages' : [ 0x54, ['unsigned long']], 'ActualWslePages' : [ 0x58, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x5c, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x60, ['unsigned long']], 'HardFaultCount' : [ 0x64, ['unsigned long']], 'VmWorkingSetList' : [ 0x68, ['pointer64', ['_MMWSL']]], 'NextPageColor' : [ 0x70, ['unsigned short']], 'LastTrimStamp' : [ 0x72, ['unsigned short']], 'PageFaultCount' : [ 0x74, ['unsigned long']], 'RepurposeCount' : [ 0x78, ['unsigned long']], 'Spare' : [ 0x7c, ['array', 2, ['unsigned long']]], 'Flags' : [ 0x84, ['_MMSUPPORT_FLAGS']], } ], '_MMWSL' : [ 0x488, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer64', ['_MMWSLE']]], 'LowestPagableAddress' : [ 0x18, ['pointer64', ['void']]], 'LastInitializedWsle' : [ 0x20, ['unsigned long']], 'NextAgingSlot' : [ 0x24, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x28, ['unsigned long']], 'VadBitMapHint' : [ 0x2c, ['unsigned long']], 
'NonDirectCount' : [ 0x30, ['unsigned long']], 'LastVadBit' : [ 0x34, ['unsigned long']], 'MaximumLastVadBit' : [ 0x38, ['unsigned long']], 'LastAllocationSizeHint' : [ 0x3c, ['unsigned long']], 'LastAllocationSize' : [ 0x40, ['unsigned long']], 'NonDirectHash' : [ 0x48, ['pointer64', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x50, ['pointer64', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x58, ['pointer64', ['_MMWSLE_HASH']]], 'MaximumUserPageTablePages' : [ 0x60, ['unsigned long']], 'MaximumUserPageDirectoryPages' : [ 0x64, ['unsigned long']], 'CommittedPageTables' : [ 0x68, ['pointer64', ['unsigned long']]], 'NumberOfCommittedPageDirectories' : [ 0x70, ['unsigned long']], 'CommittedPageDirectories' : [ 0x78, ['array', 128, ['unsigned long long']]], 'NumberOfCommittedPageDirectoryParents' : [ 0x478, ['unsigned long']], 'CommittedPageDirectoryParents' : [ 0x480, ['array', 1, ['unsigned long long']]], } ], '__unnamed_156c' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_156c']], } ], '__unnamed_157b' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1585' : [ 0x10, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 30, native_type='unsigned long')]], 'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer64', ['_MM_SUBSECTION_AVL_TABLE']]], 'SeImageStub' : 
[ 0x8, ['pointer64', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1587' : [ 0x10, { 'e2' : [ 0x0, ['__unnamed_1585']], } ], '_CONTROL_AREA' : [ 0x80, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long long']], 'NumberOfPfnReferences' : [ 0x20, ['unsigned long long']], 'NumberOfMappedViews' : [ 0x28, ['unsigned long long']], 'NumberOfUserReferences' : [ 0x30, ['unsigned long long']], 'u' : [ 0x38, ['__unnamed_157b']], 'FlushInProgressCount' : [ 0x3c, ['unsigned long']], 'FilePointer' : [ 0x40, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x48, ['long']], 'ModifiedWriteCount' : [ 0x4c, ['unsigned long']], 'StartingFrame' : [ 0x4c, ['unsigned long']], 'WaitingForDeletion' : [ 0x50, ['pointer64', ['_MI_SECTION_CREATION_GATE']]], 'u2' : [ 0x58, ['__unnamed_1587']], 'LockedPages' : [ 0x68, ['long long']], 'ViewList' : [ 0x70, ['_LIST_ENTRY']], } ], '_MM_STORE_KEY' : [ 0x8, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 60, native_type='unsigned long long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 64, native_type='unsigned long long')]], 'EntireKey' : [ 0x0, ['unsigned long long']], } ], '_MMPAGING_FILE' : [ 0x90, { 'Size' : [ 0x0, ['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long long']], 'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'PeakUsage' : [ 0x20, ['unsigned long long']], 'HighestPage' : [ 0x28, ['unsigned long long']], 'File' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'Entry' : [ 0x38, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x48, ['_UNICODE_STRING']], 'Bitmap' : [ 0x58, ['pointer64', ['_RTL_BITMAP']]], 'EvictStoreBitmap' : [ 0x60, ['pointer64', ['_RTL_BITMAP']]], 'BitmapHint' : [ 0x68, ['unsigned long']], 'LastAllocationSize' : [ 0x6c, ['unsigned long']], 'ToBeEvictedCount' : [ 0x70, ['unsigned long']], 'PageFileNumber' 
: [ 0x74, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x74, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Spare0' : [ 0x74, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x76, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare1' : [ 0x76, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'FileHandle' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['unsigned long long']], 'LockOwner' : [ 0x88, ['pointer64', ['_ETHREAD']]], } ], '_MM_AVL_TABLE' : [ 0x40, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], 'NodeFreeHint' : [ 0x38, ['pointer64', ['void']]], } ], '__unnamed_15bf' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMVAD']]], } ], '__unnamed_15c2' : [ 0x8, { 'LongFlags' : [ 0x0, ['unsigned long long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_15c5' : [ 0x8, { 'LongFlags3' : [ 0x0, ['unsigned long long']], 'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']], } ], '_MMVAD_SHORT' : [ 0x40, { 'u1' : [ 0x0, ['__unnamed_15bf']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_15c2']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_15c5']], } ], '__unnamed_15cd' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', 
dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_15cd']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], } ], '__unnamed_15d2' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x78, { 'u1' : [ 0x0, ['__unnamed_15bf']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_15c2']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_15c5']], 'u2' : [ 0x40, ['__unnamed_15d2']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x48, ['pointer64', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ViewLinks' : [ 0x60, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x70, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_15dd' : [ 0x38, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x30, ['array', 1, ['unsigned long long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x68, { 'Status' : [ 0x0, ['long']], 'Priority' : [ 0x4, ['unsigned char']], 'IrpPriority' : [ 0x5, ['unsigned char']], 'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x10, ['unsigned long long']], 'ModifiedPagesTotal' : [ 0x18, ['unsigned long long']], 'ModifiedPagefilePages' : [ 0x20, ['unsigned long long']], 'ModifiedNoWritePages' : [ 0x28, ['unsigned long long']], 'MdlHack' : [ 0x30, ['__unnamed_15dd']], } ], '__unnamed_15e3' : [ 0x10, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '__unnamed_15e5' : [ 0x8, { 'KeepForever' : [ 0x0, ['unsigned long long']], } ], 
'_MMMOD_WRITER_MDL_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x10, ['__unnamed_15e3']], 'Irp' : [ 0x20, ['pointer64', ['_IRP']]], 'u1' : [ 0x28, ['__unnamed_15e5']], 'PagingFile' : [ 0x30, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x38, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x40, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0x48, ['pointer64', ['_ERESOURCE']]], 'WriteOffset' : [ 0x50, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x58, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x60, ['pointer64', ['_MDL']]], 'Mdl' : [ 0x68, ['_MDL']], 'Page' : [ 0x98, ['array', 1, ['unsigned long long']]], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], '_HHIVE' : [ 0x598, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'ReleaseCellRoutine' : [ 0x10, ['pointer64', ['void']]], 'Allocate' : [ 0x18, ['pointer64', ['void']]], 'Free' : [ 0x20, ['pointer64', ['void']]], 'FileSetSize' : [ 0x28, ['pointer64', ['void']]], 'FileWrite' : [ 0x30, ['pointer64', ['void']]], 'FileRead' : [ 0x38, ['pointer64', ['void']]], 'FileFlush' : [ 0x40, ['pointer64', ['void']]], 'HiveLoadFailure' : [ 0x48, ['pointer64', ['void']]], 'BaseBlock' : [ 0x50, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x58, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x68, ['unsigned long']], 'DirtyAlloc' : [ 0x6c, ['unsigned long']], 'BaseBlockAlloc' : [ 0x70, ['unsigned long']], 'Cluster' : [ 0x74, ['unsigned long']], 'Flat' : [ 0x78, ['unsigned char']], 'ReadOnly' : [ 0x79, ['unsigned char']], 'DirtyFlag' : [ 0x7a, ['unsigned char']], 'HvBinHeadersUse' : [ 0x7c, ['unsigned long']], 'HvFreeCellsUse' : [ 0x80, ['unsigned long']], 
'HvUsedCellsUse' : [ 0x84, ['unsigned long']], 'CmUsedCellsUse' : [ 0x88, ['unsigned long']], 'HiveFlags' : [ 0x8c, ['unsigned long']], 'CurrentLog' : [ 0x90, ['unsigned long']], 'LogSize' : [ 0x94, ['array', 2, ['unsigned long']]], 'RefreshCount' : [ 0x9c, ['unsigned long']], 'StorageTypeCount' : [ 0xa0, ['unsigned long']], 'Version' : [ 0xa4, ['unsigned long']], 'Storage' : [ 0xa8, ['array', 2, ['_DUAL']]], } ], '_CM_VIEW_OF_FILE' : [ 0x58, { 'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'PinnedViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'FlushedViewLinks' : [ 0x20, ['_LIST_ENTRY']], 'CmHive' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'Bcb' : [ 0x38, ['pointer64', ['void']]], 'ViewAddress' : [ 0x40, ['pointer64', ['void']]], 'FileOffset' : [ 0x48, ['unsigned long']], 'Size' : [ 0x4c, ['unsigned long']], 'UseCount' : [ 0x50, ['unsigned long']], } ], '_CMHIVE' : [ 0xbe8, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x598, ['array', 6, ['pointer64', ['void']]]], 'NotifyList' : [ 0x5c8, ['_LIST_ENTRY']], 'HiveList' : [ 0x5d8, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0x5e8, ['_LIST_ENTRY']], 'HiveRundown' : [ 0x5f8, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0x600, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0x610, ['pointer64', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0x618, ['unsigned long']], 'Identity' : [ 0x61c, ['unsigned long']], 'HiveLock' : [ 0x620, ['pointer64', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x628, ['_EX_PUSH_LOCK']], 'ViewLockOwner' : [ 0x630, ['pointer64', ['_KTHREAD']]], 'ViewLockLast' : [ 0x638, ['unsigned long']], 'ViewUnLockLast' : [ 0x63c, ['unsigned long']], 'WriterLock' : [ 0x640, ['pointer64', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x648, ['pointer64', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0x650, ['_RTL_BITMAP']], 'FlushOffsetArray' : [ 0x660, ['pointer64', ['CMP_OFFSET_ARRAY']]], 'FlushOffsetArrayCount' : [ 0x668, ['unsigned long']], 'FlushHiveTruncated' : [ 0x66c, ['unsigned long']], 'FlushLock2' : [ 0x670, ['pointer64', 
['_FAST_MUTEX']]], 'SecurityLock' : [ 0x678, ['_EX_PUSH_LOCK']], 'MappedViewList' : [ 0x680, ['_LIST_ENTRY']], 'PinnedViewList' : [ 0x690, ['_LIST_ENTRY']], 'FlushedViewList' : [ 0x6a0, ['_LIST_ENTRY']], 'MappedViewCount' : [ 0x6b0, ['unsigned short']], 'PinnedViewCount' : [ 0x6b2, ['unsigned short']], 'UseCount' : [ 0x6b4, ['unsigned long']], 'ViewsPerHive' : [ 0x6b8, ['unsigned long']], 'FileObject' : [ 0x6c0, ['pointer64', ['_FILE_OBJECT']]], 'LastShrinkHiveSize' : [ 0x6c8, ['unsigned long']], 'ActualFileSize' : [ 0x6d0, ['_LARGE_INTEGER']], 'FileFullPath' : [ 0x6d8, ['_UNICODE_STRING']], 'FileUserName' : [ 0x6e8, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x6f8, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x708, ['unsigned long']], 'SecurityCacheSize' : [ 0x70c, ['unsigned long']], 'SecurityHitHint' : [ 0x710, ['long']], 'SecurityCache' : [ 0x718, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x720, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0xb20, ['unsigned long']], 'UnloadEventArray' : [ 0xb28, ['pointer64', ['pointer64', ['_KEVENT']]]], 'RootKcb' : [ 0xb30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0xb38, ['unsigned char']], 'UnloadWorkItem' : [ 0xb40, ['pointer64', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0xb48, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0xb70, ['unsigned char']], 'GrowOffset' : [ 0xb74, ['unsigned long']], 'KcbConvertListHead' : [ 0xb78, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0xb88, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xb98, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0xba0, ['unsigned long']], 'TrustClassEntry' : [ 0xba8, ['_LIST_ENTRY']], 'FlushCount' : [ 0xbb8, ['unsigned long']], 'CmRm' : [ 0xbc0, ['pointer64', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0xbc8, ['unsigned long']], 'CmRmInitFailStatus' : [ 0xbcc, ['long']], 'CreatorOwner' : [ 0xbd0, ['pointer64', ['_KTHREAD']]], 'RundownThread' : [ 0xbd8, ['pointer64', ['_KTHREAD']]], 'LastWriteTime' : [ 0xbe0, 
['_LARGE_INTEGER']], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x128, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'DelayedDeref' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DelayedClose' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Parking' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyHash' : [ 0x10, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x10, ['unsigned long']], 'NextHash' : [ 0x18, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x20, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x28, ['unsigned long']], 'KcbPushlock' : [ 0x30, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x38, ['pointer64', ['_KTHREAD']]], 'SharedCount' : [ 0x38, ['long']], 'SlotHint' : [ 0x40, ['unsigned long']], 'ParentKcb' : [ 0x48, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x50, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x58, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x60, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x70, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x70, ['unsigned long']], 'SubKeyCount' : [ 0x70, ['unsigned long']], 'KeyBodyListHead' : [ 0x78, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x78, 
['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x88, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0xa8, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0xb0, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0xb2, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0xb4, ['unsigned long']], 'KcbUserFlags' : [ 0xb8, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0xb8, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0xb8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0xb8, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'RealKeyName' : [ 0xc0, ['pointer64', ['unsigned char']]], 'KCBUoWListHead' : [ 0xc8, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Stolen' : [ 0xd8, ['pointer64', ['unsigned char']]], 'TransKCBOwner' : [ 0xe8, ['pointer64', ['_CM_TRANS']]], 'KCBLock' : [ 0xf0, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x100, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x110, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x118, ['pointer64', ['_CM_TRANS']]], 'FullKCBName' : [ 0x120, ['pointer64', ['_UNICODE_STRING']]], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Entry' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], } ], '__unnamed_1669' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: '_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapAndCopy', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpReadFileImageAndBuildMap', 8: '_HvpRecoverData', 9: '_HvpRecoverWholeHive', 10: '_HvpMapFileImageAndBuildMap', 11: '_CmpValidateHiveSecurityDescriptors', 12: '_HvpEnlistBinInMap', 13: '_CmCheckRegistry', 14: '_CmRegistryIO', 15: '_CmCheckRegistry2', 16: '_CmpCheckKey', 17: '_CmpCheckValueList', 18: '_HvCheckHive', 19: '_HvCheckBin'})]], 'Status' : 
[ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_166c' : [ 0x18, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x8, ['pointer64', ['void']]], 'Status' : [ 0x10, ['long']], } ], '__unnamed_166e' : [ 0x8, { 'CheckStack' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1670' : [ 0x20, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x8, ['pointer64', ['_CELL_DATA']]], 'RootPoint' : [ 0x10, ['pointer64', ['void']]], 'Index' : [ 0x18, ['unsigned long']], } ], '__unnamed_1672' : [ 0x18, { 'List' : [ 0x0, ['pointer64', ['_CELL_DATA']]], 'Index' : [ 0x8, ['unsigned long']], 'Cell' : [ 0xc, ['unsigned long']], 'CellPoint' : [ 0x10, ['pointer64', ['_CELL_DATA']]], } ], '__unnamed_1676' : [ 0x10, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer64', ['_HBIN']]], } ], '__unnamed_167a' : [ 0x10, { 'Bin' : [ 0x0, ['pointer64', ['_HBIN']]], 'CellPoint' : [ 0x8, ['pointer64', ['_HCELL']]], } ], '__unnamed_167c' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x160, { 'Hive' : [ 0x0, ['pointer64', ['_HHIVE']]], 'Index' : [ 0x8, ['unsigned long']], 'RecoverableIndex' : [ 0xc, ['unsigned long']], 'Locations' : [ 0x10, ['array', 8, ['__unnamed_1669']]], 'RecoverableLocations' : [ 0x70, ['array', 8, ['__unnamed_1669']]], 'RegistryIO' : [ 0xd0, ['__unnamed_166c']], 'CheckRegistry2' : [ 0xe8, ['__unnamed_166e']], 'CheckKey' : [ 0xf0, ['__unnamed_1670']], 'CheckValueList' : [ 0x110, ['__unnamed_1672']], 'CheckHive' : [ 0x128, ['__unnamed_1676']], 'CheckHive1' : [ 0x138, ['__unnamed_1676']], 'CheckBin' : [ 0x148, ['__unnamed_167a']], 'RecoverData' : [ 0x158, ['__unnamed_167c']], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x30, { 'Version' : [ 0x0, ['unsigned long']], 
'Name' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x10, ['unsigned long']], 'Counters' : [ 0x18, ['pointer64', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'CallbackContext' : [ 0x28, ['pointer64', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0x80, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'DpcCount' : [ 0x38, ['unsigned long']], 'DpcRate' : [ 0x3c, ['unsigned long']], 'C1Time' : [ 0x40, ['unsigned long long']], 'C2Time' : [ 0x48, ['unsigned long long']], 'C3Time' : [ 0x50, ['unsigned long long']], 'C1Transitions' : [ 0x58, ['unsigned long long']], 'C2Transitions' : [ 0x60, ['unsigned long long']], 'C3Transitions' : [ 0x68, ['unsigned long long']], 'ParkingStatus' : [ 0x70, ['unsigned long']], 'CurrentFrequency' : [ 0x74, ['unsigned long']], 'PercentMaxFrequency' : [ 0x78, ['unsigned long']], 'StateFlags' : [ 0x7c, ['unsigned long']], } ], '_PCW_DATA' : [ 0x10, { 'Data' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, ['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_CONTEXT32_UPDATE' : [ 0x4, { 'NumberEntries' : [ 0x0, ['unsigned long']], } ], '_KTIMER_TABLE' : [ 0x2200, { 'TimerExpiry' : [ 
0x0, ['array', 64, ['pointer64', ['_KTIMER']]]], 'TimerEntries' : [ 0x200, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x20, { 'Lock' : [ 0x0, ['unsigned long long']], 'Entry' : [ 0x8, ['_LIST_ENTRY']], 'Time' : [ 0x18, ['_ULARGE_INTEGER']], } ], '_KAFFINITY_EX' : [ 0x28, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 4, ['unsigned long long']]], } ], '_KAFFINITY_ENUMERATION_CONTEXT' : [ 0x18, { 'Affinity' : [ 0x0, ['pointer64', ['_KAFFINITY_EX']]], 'CurrentMask' : [ 0x8, ['unsigned long long']], 'CurrentIndex' : [ 0x10, ['unsigned short']], } ], '_GROUP_AFFINITY' : [ 0x10, { 'Mask' : [ 0x0, ['unsigned long long']], 'Group' : [ 0x8, ['unsigned short']], 'Reserved' : [ 0xa, ['array', 3, ['unsigned short']]], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, ['unsigned long long']], 'TimeStampCKCL' : [ 0xd0, 
['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 0x118, ['unsigned long long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'LastBranchControl' : [ 0x108, ['unsigned long long']], 'LastBranchMSR' : [ 0x110, ['unsigned long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'TimeStampKlog' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill0' : [ 0x172, ['unsigned char']], 'Logging' : [ 0x173, ['unsigned char']], 'Fill1' : [ 0x174, ['array', 2, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['unsigned short']], 'CodePatchCycle' : [ 0x18c, ['long']], } ], '_XSTATE_SAVE' : [ 0x38, { 'Prev' : [ 0x0, ['pointer64', ['_XSTATE_SAVE']]], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Level' : [ 0x10, ['unsigned char']], 'XStateContext' : [ 0x18, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_KEXCEPTION_FRAME' : 
[ 0x140, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['unsigned long long']], 'Xmm6' : [ 0x30, ['_M128A']], 'Xmm7' : [ 0x40, ['_M128A']], 'Xmm8' : [ 0x50, ['_M128A']], 'Xmm9' : [ 0x60, ['_M128A']], 'Xmm10' : [ 0x70, ['_M128A']], 'Xmm11' : [ 0x80, ['_M128A']], 'Xmm12' : [ 0x90, ['_M128A']], 'Xmm13' : [ 0xa0, ['_M128A']], 'Xmm14' : [ 0xb0, ['_M128A']], 'Xmm15' : [ 0xc0, ['_M128A']], 'TrapFrame' : [ 0xd0, ['unsigned long long']], 'CallbackStack' : [ 0xd8, ['unsigned long long']], 'OutputBuffer' : [ 0xe0, ['unsigned long long']], 'OutputLength' : [ 0xe8, ['unsigned long long']], 'MxCsr' : [ 0xf0, ['unsigned long long']], 'Rbp' : [ 0xf8, ['unsigned long long']], 'Rbx' : [ 0x100, ['unsigned long long']], 'Rdi' : [ 0x108, ['unsigned long long']], 'Rsi' : [ 0x110, ['unsigned long long']], 'R12' : [ 0x118, ['unsigned long long']], 'R13' : [ 0x120, ['unsigned long long']], 'R14' : [ 0x128, ['unsigned long long']], 'R15' : [ 0x130, ['unsigned long long']], 'Return' : [ 0x138, ['unsigned long long']], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x50, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x10, ['unsigned long']], 'CompletedList' : [ 0x18, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x28, ['_KSEMAPHORE']], 'SpinLock' : [ 0x48, ['unsigned long long']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', ['void']]], 'AttachedTo' : [ 0x30, ['pointer64', 
['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], 'DependentList' : [ 0x50, ['_LIST_ENTRY']], 'ProviderList' : [ 0x60, ['_LIST_ENTRY']], } ], '__unnamed_1763' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1765' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_1769' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x268, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x28, ['_UNICODE_STRING']], 'ServiceName' : [ 0x38, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'Level' : [ 0x50, ['unsigned long']], 'Notify' : [ 0x58, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0xc0, ['_PO_IRP_MANAGER']], 'State' : [ 0xe0, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 
'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]],
'PreviousState' : [ 0xe4, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]],
# StateHistory spans 0xe8..0x138 (80 bytes), i.e. 20 four-byte 'long' entries; the count was emitted as -80.
'StateHistory' : [ 0xe8, ['array', 20, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]],
'StateHistoryEntry' : [ 0x138, ['unsigned long']],
'CompletionStatus' : [ 0x13c, ['long']],
'Flags' : [ 0x140, ['unsigned long']], 'UserFlags' : [ 0x144, ['unsigned long']], 'Problem' : [ 0x148, ['unsigned long']], 'ResourceList' : [ 0x150, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x158, ['pointer64', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0x160, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x168, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x170, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x174, ['unsigned long']], 'ChildInterfaceType' : [ 0x178, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x17c, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x180, ['unsigned short']], 'RemovalPolicy' : [ 0x182, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x183, ['unsigned char']], 'TargetDeviceNotify' : [ 0x188, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x198, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x1a8, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x1b8, ['unsigned short']], 'QueryTranslatorMask' : [ 0x1ba, ['unsigned short']], 'NoArbiterMask' : [ 0x1bc, ['unsigned short']], 'QueryArbiterMask' : [ 0x1be, ['unsigned short']], 'OverUsed1' : [ 0x1c0, ['__unnamed_1763']], 'OverUsed2' : [ 0x1c8, ['__unnamed_1765']], 'BootResources' : [ 0x1d0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 
0x1d8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x1e0, ['unsigned long']], 'DockInfo' : [ 0x1e8, ['__unnamed_1769']], 'DisableableDepends' : [ 0x208, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x210, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x220, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x230, ['unsigned long']], 'PreviousParent' : [ 0x238, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x240, ['unsigned long']], 'NumaNodeIndex' : [ 0x244, ['unsigned long']], 'ContainerID' : [ 0x248, ['_GUID']], 'OverrideFlags' : [ 0x258, ['unsigned char']], 'RequiresUnloadedDriver' : [ 0x259, ['unsigned char']], 'PendingEjectRelations' : [ 0x260, ['pointer64', ['_PENDING_RELATIONS_LIST_ENTRY']]], } ], '_KNODE' : [ 0xc0, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x10, ['array', 3, ['_SLIST_HEADER']]], 'Affinity' : [ 0x40, ['_GROUP_AFFINITY']], 'ProximityId' : [ 0x50, ['unsigned long']], 'NodeNumber' : [ 0x54, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x56, ['unsigned short']], 'MaximumProcessors' : [ 0x58, ['unsigned char']], 'Color' : [ 0x59, ['unsigned char']], 'Flags' : [ 0x5a, ['_flags']], 'NodePad0' : [ 0x5b, ['unsigned char']], 'Seed' : [ 0x5c, ['unsigned long']], 'MmShiftedColor' : [ 0x60, ['unsigned long']], 'FreeCount' : [ 0x68, ['array', 2, ['unsigned long long']]], 'Right' : [ 0x78, ['unsigned long']], 'Left' : [ 0x7c, ['unsigned long']], 'CachedKernelStacks' : [ 0x80, ['_CACHED_KSTACK_LIST']], 'ParkLock' : [ 0xa0, ['long']], 'NodePad1' : [ 0xa4, ['unsigned long']], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0x10, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x40, { 'PhysicalDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'AllocationType' : [ 0xc, ['Enumeration', dict(target = 'long', choices 
= {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0x10, ['unsigned long']], 'Position' : [ 0x14, ['unsigned long']], 'ResourceRequirements' : [ 0x18, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x20, ['pointer64', ['void']]], 'ResourceAssignment' : [ 0x28, ['pointer64', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x30, ['pointer64', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x38, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 
'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], 
'_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']],
'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_1811' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_1811']], } ], '__unnamed_1818' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0,
['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_1818']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']],
'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_VOLUME_CACHE_MAP' : [ 0x38, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x20, ['unsigned long']], 'DirtyPages' : [ 0x28, ['unsigned long long']], 'PagesQueuedToDisk' : [ 0x30, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x1f8, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObjectFastRef' : [ 0x60, ['_EX_FAST_REF']], 'VacbLock' : [ 0x68, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x70, ['unsigned long']], 'LoggedStreamLinks' : [ 0x78, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x88, ['_LIST_ENTRY']], 'Flags' : [ 0x98, ['unsigned long']], 'Status' : [ 0x9c, ['long']], 'Mbcb' : [ 0xa0, ['pointer64', ['_MBCB']]], 'Section' : [ 0xa8, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb0, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc0, ['unsigned long']], 'BeyondLastFlush' : [ 0xc8, ['long long']], 'Callbacks' : [ 0xd0, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xd8, ['pointer64', ['void']]], 'PrivateList' : [ 0xe0, ['_LIST_ENTRY']], 'LogHandle' : [ 0xf0, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0xf8, ['pointer64', ['void']]], 'DirtyPageThreshold' : [ 0x100, ['unsigned long']],
'LazyWritePassCount' : [ 0x104, ['unsigned long']], 'UninitializeEvent' : [ 0x108, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0x110, ['_KGUARDED_MUTEX']], 'LastUnmapBehindOffset' : [ 0x148, ['_LARGE_INTEGER']], 'Event' : [ 0x150, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0x168, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0x170, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x1d8, ['pointer64', ['void']]], 'VolumeCacheMap' : [ 0x1e0, ['pointer64', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x1e8, ['unsigned long']], 'WritesInProgress' : [ 0x1ec, ['unsigned long']], 'PipelinedReadAheadSize' : [ 0x1f0, ['unsigned long']], } ], '__unnamed_188a' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x30, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_188a']], 'Links' : [ 0x18, ['_LIST_ENTRY']], 'ArrayHead' : [ 0x28, ['pointer64', ['_VACB_ARRAY_HEADER']]], } ], '_KGUARDED_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KGATE']], 'KernelApcDisable' : [ 0x30, ['short']], 'SpecialApcDisable' : [ 0x32, ['short']], 'CombinedApcDisable' : [ 0x30, ['unsigned long']], } ], '__unnamed_18a8' : [ 0x8, { 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_18aa' : [ 0x8, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_18ac' : [ 0x8, { 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], } ], '__unnamed_18ae' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_18b0' : [ 0x8, { 'Read' : [ 0x0, ['__unnamed_18a8']], 'Write' : [ 0x0, ['__unnamed_18aa']], 'Event' : [ 0x0, ['__unnamed_18ac']], 'Notification' : [ 0x0, ['__unnamed_18ae']], } ], '_WORK_QUEUE_ENTRY' : [ 0x20, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' 
: [ 0x10, ['__unnamed_18b0']], 'Function' : [ 0x18, ['unsigned char']], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x20, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x10, ['pointer64', ['void']]], 'VacbLevelsAllocated' : [ 0x18, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x38, { 'ExtendedLookup' : [ 0x0, ['pointer64', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x8, ['unsigned long']], 'ExtraItem' : [ 0xc, ['unsigned long']], 'ItemCount' : [ 0x10, ['unsigned long']], 'OutOfRangeItems' : [ 0x14, ['unsigned long']], 'BaseIndex' : [ 0x18, ['unsigned long']], 'ListHead' : [ 0x20, ['pointer64', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x28, ['pointer64', ['unsigned long']]], 'ListHints' : [ 0x30, ['pointer64', ['pointer64', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x208, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], 'Flags' : [ 0x70, ['unsigned long']], 'ForceFlags' : [ 0x74, ['unsigned long']], 'CompatibilityFlags' : [ 0x78, ['unsigned long']], 'EncodeFlagMask' : [ 0x7c, ['unsigned long']], 'Encoding' : [ 0x80, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x90, 
['unsigned long long']], 'Interceptor' : [ 0x98, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x9c, ['unsigned long']], 'Signature' : [ 0xa0, ['unsigned long']], 'SegmentReserve' : [ 0xa8, ['unsigned long long']], 'SegmentCommit' : [ 0xb0, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0xb8, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0xc0, ['unsigned long long']], 'TotalFreeSize' : [ 0xc8, ['unsigned long long']], 'MaximumAllocationSize' : [ 0xd0, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0xd8, ['unsigned short']], 'HeaderValidateLength' : [ 0xda, ['unsigned short']], 'HeaderValidateCopy' : [ 0xe0, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0xe8, ['unsigned short']], 'MaximumTagIndex' : [ 0xea, ['unsigned short']], 'TagEntries' : [ 0xf0, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0xf8, ['_LIST_ENTRY']], 'AlignRound' : [ 0x108, ['unsigned long long']], 'AlignMask' : [ 0x110, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x118, ['_LIST_ENTRY']], 'SegmentList' : [ 0x128, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0x138, ['unsigned short']], 'NonDedicatedListLength' : [ 0x13c, ['unsigned long']], 'BlocksIndex' : [ 0x140, ['pointer64', ['void']]], 'UCRIndex' : [ 0x148, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x150, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x158, ['_LIST_ENTRY']], 'LockVariable' : [ 0x168, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x170, ['pointer64', ['void']]], 'FrontEndHeap' : [ 0x178, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0x180, ['unsigned short']], 'FrontEndHeapType' : [ 0x182, ['unsigned char']], 'Counters' : [ 0x188, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x1f8, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_1901' : [ 0x28, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ], '_HEAP_LOCK' : [ 0x28, { 'Lock' : [ 0x0, ['__unnamed_1901']], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', 
['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : [ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '_HEAP_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x70, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, 
['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '_PEB' : [ 0x380, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['pointer64', 
['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['void']]], 'IFEOKey' : [ 0x48, ['pointer64', ['void']]], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x50, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'UserSharedInfoPtr' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x64, ['unsigned long']], 'ApiSetMap' : [ 0x68, ['pointer64', ['void']]], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'HotpatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]],
'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308,
['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['pointer64', ['void']]], 'WerShipAssertPtr' : [ 0x360, ['pointer64', ['void']]], 'pContextData' : [ 0x368, ['pointer64', ['void']]], 'pImageHeaderHash' : [ 0x370, ['pointer64', ['void']]], 'TracingFlags' : [ 0x378, ['unsigned long']], 'HeapTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x378, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x378, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_PEB_LDR_DATA' : [ 0x58, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], 'ShutdownInProgress' : [ 0x48, ['unsigned char']], 'ShutdownThreadId' : [ 0x50, ['pointer64', ['void']]], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0xe0, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'Flags' : [ 0x68, ['unsigned long']], 
'LoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x70, ['pointer64', ['void']]], 'CheckSum' : [ 0x78, ['unsigned long']], 'TimeDateStamp' : [ 0x80, ['unsigned long']], 'LoadedImports' : [ 0x80, ['pointer64', ['void']]], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ForwarderLinks' : [ 0x98, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0xa8, ['_LIST_ENTRY']], 'StaticLinks' : [ 0xb8, ['_LIST_ENTRY']], 'ContextInformation' : [ 0xc8, ['pointer64', ['void']]], 'OriginalBase' : [ 0xd0, ['unsigned long long']], 'LoadTime' : [ 0xd8, ['_LARGE_INTEGER']], } ], '_HEAP_SUBSEGMENT' : [ 0x30, { 'LocalInfo' : [ 0x0, ['pointer64', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x8, ['pointer64', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x10, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x18, ['unsigned short']], 'Flags' : [ 0x1a, ['unsigned short']], 'BlockCount' : [ 0x1c, ['unsigned short']], 'SizeIndex' : [ 0x1e, ['unsigned char']], 'AffinityIndex' : [ 0x1f, ['unsigned char']], 'Alignment' : [ 0x18, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x28, ['unsigned long']], } ], '__unnamed_197f' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1981' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_197f']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1983' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1985' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1983']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_1981']], 'u2' : [ 0x4, ['__unnamed_1985']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']],
'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer64', ['void']]], } ], '_BLOB_TYPE' : [ 0x38, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'CreatedObjects' : [ 0xc, ['unsigned long']], 'DeletedObjects' : [ 0x10, ['unsigned long']], 'DeleteProcedure' : [ 0x18, ['pointer64', ['void']]], 'DestroyProcedure' : [ 0x20, ['pointer64', ['void']]], 'UsualSize' : [ 0x28, ['unsigned long long']], 'LookasideIndex' : [ 0x30, ['unsigned long']], } ], '__unnamed_199e' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_19a0' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_199e']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x20, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_19a0']], 'ResourceId' : [ 0x11, ['unsigned char']], 'CachedReferences' : [ 0x12, ['short']], 'ReferenceCount' : [ 0x14, ['long']], 'Lock' : [ 0x18, ['_EX_PUSH_LOCK']], } ], '__unnamed_19b3' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1,
native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_19b5' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19b3']], } ], '_KALPC_SECTION' : [ 0x48, { 'SectionObject' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'HandleTable' : [ 0x10, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0x18, ['pointer64', ['void']]], 'OwnerProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x28, ['pointer64', ['_ALPC_PORT']]], 'u1' : [ 0x30, ['__unnamed_19b5']], 'NumberOfRegions' : [ 0x34, ['unsigned long']], 'RegionListHead' : [ 0x38, ['_LIST_ENTRY']], } ], '__unnamed_19bb' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_19bd' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19bb']], } ], '_KALPC_REGION' : [ 0x58, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x10, ['pointer64', ['_KALPC_SECTION']]], 'Offset' : [ 0x18, ['unsigned long long']], 'Size' : [ 0x20, ['unsigned long long']], 'ViewSize' : [ 0x28, ['unsigned long long']], 'u1' : [ 0x30, ['__unnamed_19bd']], 'NumberOfViews' : [ 0x34, ['unsigned long']], 'ViewListHead' : [ 0x38, ['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x48, ['pointer64', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x50, ['pointer64', ['_KALPC_VIEW']]], } ], '__unnamed_19c3' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_19c5' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19c3']], } ], '_KALPC_VIEW' : [ 0x60, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x10, ['pointer64', ['_KALPC_REGION']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x20, 
['pointer64', ['_EPROCESS']]], 'Address' : [ 0x28, ['pointer64', ['void']]], 'Size' : [ 0x30, ['unsigned long long']], 'SecureViewHandle' : [ 0x38, ['pointer64', ['void']]], 'WriteAccessHandle' : [ 0x40, ['pointer64', ['void']]], 'u1' : [ 0x48, ['__unnamed_19c5']], 'NumberOfOwnerMessages' : [ 0x4c, ['unsigned long']], 'ProcessViewListEntry' : [ 0x50, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x40, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x8, ['pointer64', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x10, ['pointer64', ['_ALPC_PORT']]], 'CommunicationList' : [ 0x18, ['_LIST_ENTRY']], 'HandleTable' : [ 0x28, ['_ALPC_HANDLE_TABLE']], } ], '__unnamed_19e1' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, 
['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_19e3' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19e1']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0x1a0, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'CompletionPort' : [ 0x20, ['pointer64', ['void']]], 'CompletionKey' : [ 0x28, ['pointer64', ['void']]], 'CompletionPacketLookaside' : [ 0x30, ['pointer64', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x38, ['pointer64', ['void']]], 'StaticSecurity' : [ 0x40, ['_SECURITY_CLIENT_CONTEXT']], 'MainQueue' : [ 0x88, ['_LIST_ENTRY']], 'PendingQueue' : [ 0x98, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0xa8, ['_LIST_ENTRY']], 'WaitQueue' : [ 0xb8, ['_LIST_ENTRY']], 'Semaphore' : [ 0xc8, ['pointer64', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0xc8, ['pointer64', ['_KEVENT']]], 'PortAttributes' : [ 0xd0, ['_ALPC_PORT_ATTRIBUTES']], 'Lock' : [ 0x118, ['_EX_PUSH_LOCK']], 'ResourceListLock' : [ 0x120, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0x128, ['_LIST_ENTRY']], 'CompletionList' : [ 0x138, ['pointer64', ['_ALPC_COMPLETION_LIST']]], 'MessageZone' : [ 0x140, ['pointer64', ['_ALPC_MESSAGE_ZONE']]], 'CallbackObject' : [ 0x148, ['pointer64', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0x150, ['pointer64', ['void']]], 'CanceledQueue' : [ 0x158, ['_LIST_ENTRY']], 'SequenceNo' : [ 0x168, ['long']], 'u1' : [ 0x16c, ['__unnamed_19e3']], 'TargetQueuePort' : [ 0x170, ['pointer64', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0x178, ['pointer64', ['_ALPC_PORT']]], 
'CachedMessage' : [ 0x180, ['pointer64', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0x188, ['unsigned long']], 'PendingQueueLength' : [ 0x18c, ['unsigned long']], 'LargeMessageQueueLength' : [ 0x190, ['unsigned long']], 'CanceledQueueLength' : [ 0x194, ['unsigned long']], 'WaitQueueLength' : [ 0x198, ['unsigned long']], } ], '_OBJECT_TYPE' : [ 0xd0, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x10, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x20, ['pointer64', ['void']]], 'Index' : [ 0x28, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x2c, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x30, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x34, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x38, ['unsigned long']], 'TypeInfo' : [ 0x40, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'Key' : [ 0xb8, ['unsigned long']], 'CallbackList' : [ 0xc0, ['_LIST_ENTRY']], } ], '_PORT_MESSAGE32' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1981']], 'u2' : [ 0x4, ['__unnamed_1985']], 'ClientId' : [ 0x8, ['_CLIENT_ID32']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '__unnamed_1a00' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 
0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_1a02' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a00']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x100, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtensionBuffer' : [ 0x10, ['pointer64', ['void']]], 'ExtensionBufferSize' : [ 0x18, ['unsigned long long']], 'QuotaProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], 'QuotaBlock' : [ 0x20, ['pointer64', ['void']]], 'SequenceNo' : [ 0x28, ['long']], 'u1' : [ 0x2c, ['__unnamed_1a02']], 'CancelSequencePort' : [ 0x30, ['pointer64', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x38, ['pointer64', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x40, ['long']], 'CancelListEntry' : [ 0x48, ['_LIST_ENTRY']], 'WaitingThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'Reserve' : [ 0x60, ['pointer64', ['_KALPC_RESERVE']]], 'PortQueue' : [ 0x68, ['pointer64', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x70, ['pointer64', ['_ALPC_PORT']]], 'MessageAttributes' : [ 0x78, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0xb0, ['pointer64', ['void']]], 'DataSystemVa' : [ 0xb8, ['pointer64', ['void']]], 'CommunicationInfo' : [ 0xc0, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0xc8, ['pointer64', ['_ALPC_PORT']]], 'ServerThread' : [ 0xd0, ['pointer64', ['_ETHREAD']]], 'PortMessage' : [ 0xd8, ['_PORT_MESSAGE']], } ], '_REMOTE_PORT_VIEW' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x8, ['unsigned long long']], 'ViewBase' : [ 0x10, ['pointer64', ['void']]], } ], '_KALPC_RESERVE' : [ 
0x28, { 'OwnerPort' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'HandleTable' : [ 0x8, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Message' : [ 0x18, ['pointer64', ['_KALPC_MESSAGE']]], 'Active' : [ 0x20, ['long']], } ],
'_KALPC_HANDLE_DATA' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['pointer64', ['_OB_DUPLICATE_OBJECT_STATE']]], } ],
'_KALPC_MESSAGE_ATTRIBUTES' : [ 0x38, { 'ClientContext' : [ 0x0, ['pointer64', ['void']]], 'ServerContext' : [ 0x8, ['pointer64', ['void']]], 'PortContext' : [ 0x10, ['pointer64', ['void']]], 'CancelPortContext' : [ 0x18, ['pointer64', ['void']]], 'SecurityData' : [ 0x20, ['pointer64', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x28, ['pointer64', ['_KALPC_VIEW']]], 'HandleData' : [ 0x30, ['pointer64', ['_KALPC_HANDLE_DATA']]], } ],
'__unnamed_1a41' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ],
'__unnamed_1a43' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a41']], } ],
'_KALPC_SECURITY_DATA' : [ 0x70, { 'HandleTable' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x8, ['pointer64', ['void']]], 'OwningProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'OwnerPort' : [ 0x18, ['pointer64', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x68, ['__unnamed_1a43']], } ],
'_IO_MINI_COMPLETION_PACKET_USER' : [ 0x50, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x10, ['unsigned long']], 'KeyContext' : [ 0x18, ['pointer64', ['void']]], 'ApcContext' : [ 0x20, ['pointer64', ['void']]], 'IoStatus' : [ 0x28, ['long']], 'IoStatusInformation' : [ 0x30, ['unsigned long long']], 'MiniPacketCallback' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], 'Allocated' : [ 0x48, ['unsigned char']], } ],
'_ALPC_DISPATCH_CONTEXT' : [ 0x38, { 'PortObject' : [ 0x0, ['pointer64', ['_ALPC_PORT']]], 'Message' : [ 0x8, ['pointer64', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x10, ['pointer64', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'TargetPort' : [ 0x20, ['pointer64', ['_ALPC_PORT']]], 'Flags' : [ 0x28, ['unsigned long']], 'TotalLength' : [ 0x2c, ['unsigned short']], 'Type' : [ 0x2e, ['unsigned short']], 'DataInfoOffset' : [ 0x30, ['unsigned short']], } ],
'_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ],
'_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ],
'_RELATIVE_SYMLINK_INFO' : [ 0x20, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer64', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0x10, ['_UNICODE_STRING']], } ],
'_ECP_LIST' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ],
'_IOP_FILE_OBJECT_EXTENSION' : [ 0x48, { 'FoExtFlags' : [ 0x0,
['unsigned long']], 'FoExtPerTypeExtension' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], 'FoIoPriorityHint' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ],
'_OPEN_PACKET' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x10, ['long']], 'Information' : [ 0x18, ['unsigned long long']], 'ParseCheck' : [ 0x20, ['unsigned long']], 'RelatedFileObject' : [ 0x28, ['pointer64', ['_FILE_OBJECT']]], 'OriginalAttributes' : [ 0x30, ['pointer64', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x38, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x40, ['unsigned long']], 'FileAttributes' : [ 0x44, ['unsigned short']], 'ShareAccess' : [ 0x46, ['unsigned short']], 'EaBuffer' : [ 0x48, ['pointer64', ['void']]], 'EaLength' : [ 0x50, ['unsigned long']], 'Options' : [ 0x54, ['unsigned long']], 'Disposition' : [ 0x58, ['unsigned long']], 'BasicInformation' : [ 0x60, ['pointer64', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x68, ['pointer64', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x78, ['pointer64', ['void']]], 'Override' : [ 0x80, ['unsigned char']], 'QueryOnly' : [ 0x81, ['unsigned char']], 'DeleteOnly' : [ 0x82, ['unsigned char']], 'FullAttributes' : [ 0x83, ['unsigned char']], 'LocalFileObject' : [ 0x88, ['pointer64', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x90, ['unsigned long']], 'DriverCreateContext' : [ 0x98, ['_IO_DRIVER_CREATE_CONTEXT']], } ],
'_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ],
'_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ],
'_WMI_LOGGER_CONTEXT' : [ 0x330, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'CollectionOn' : [ 0xc, ['long']], 'LoggerMode' : [ 0x10, ['unsigned long']], 'AcceptNewEvents' : [ 0x14, ['long']], 'GetCpuClock' : [ 0x18, ['pointer64', ['void']]], 'StartTime' : [ 0x20, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x28, ['pointer64', ['void']]], 'LoggerThread' : [ 0x30, ['pointer64', ['_ETHREAD']]], 'LoggerStatus' : [ 0x38, ['long']], 'NBQHead' : [ 0x40, ['pointer64', ['void']]], 'OverflowNBQHead' : [ 0x48, ['pointer64', ['void']]], 'QueueBlockFreeList' : [ 0x50, ['_SLIST_HEADER']], 'GlobalList' : [ 0x60, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x70, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x70, ['_EX_FAST_REF']], 'LoggerName' : [ 0x78, ['_UNICODE_STRING']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x98, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0xa8, ['_UNICODE_STRING']], 'ClockType' : [ 0xb8, ['unsigned long']], 'MaximumFileSize' : [ 0xbc, ['unsigned long']], 'LastFlushedBuffer' : [ 0xc0, ['unsigned long']], 'FlushTimer' : [ 0xc4, ['unsigned long']], 'FlushThreshold' : [ 0xc8, ['unsigned long']], 'ByteOffset' : [ 0xd0, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0xd8, ['unsigned long']], 'BuffersAvailable' : [ 0xdc, ['long']], 'NumberOfBuffers' : [ 0xe0, ['long']], 'MaximumBuffers' : [ 0xe4, ['unsigned long']], 'EventsLost' : [ 0xe8, ['unsigned long']],
'BuffersWritten' : [ 0xec, ['unsigned long']], 'LogBuffersLost' : [ 0xf0, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0xf4, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xf8, ['unsigned long']], 'SequencePtr' : [ 0x100, ['pointer64', ['long']]], 'LocalSequence' : [ 0x108, ['unsigned long']], 'InstanceGuid' : [ 0x10c, ['_GUID']], 'FileCounter' : [ 0x11c, ['long']], 'BufferCallback' : [ 0x120, ['pointer64', ['void']]], 'PoolType' : [ 0x128, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0x130, ['_ETW_REF_CLOCK']], 'Consumers' : [ 0x140, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x150, ['unsigned long']], 'TransitionConsumer' : [ 0x158, ['pointer64', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0x160, ['pointer64', ['void']]], 'RealtimeLogfileName' : [ 0x168, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x178, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x180, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x188, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x190, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x198, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x1a0, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x1a8, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x1b8, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x1c0, ['_KEVENT']], 'FlushEvent' : [ 0x1d8, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x1f0, ['_KTIMER']], 'FlushDpc' : [ 0x230, 
['_KDPC']], 'LoggerMutex' : [ 0x270, ['_KMUTANT']], 'LoggerLock' : [ 0x2a8, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x2b0, ['unsigned long long']], 'BufferListPushLock' : [ 0x2b0, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x2b8, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x300, ['_EX_FAST_REF']], 'BufferSequenceNumber' : [ 0x308, ['long long']], 'Flags' : [ 0x310, ['unsigned long']], 'Persistent' : [ 0x310, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x310, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x310, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x310, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x310, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x310, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x310, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x310, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x310, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x310, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'RequestFlag' : [ 0x314, ['unsigned long']], 'RequestNewFie' : [ 0x314, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RequestUpdateFile' : [ 0x314, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x314, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 0x314, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequestDisconnectConsumer' : [ 0x314, ['BitField', dict(start_bit = 4, end_bit 
= 5, native_type='unsigned long')]], 'RequestConnectConsumer' : [ 0x314, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'HookIdMap' : [ 0x318, ['_RTL_BITMAP']], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_ETW_BUFFER_HANDLE' : [ 0x10, { 'TraceBuffer' : [ 0x0, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'BufferFastRef' : [ 0x8, ['pointer64', ['_EX_FAST_REF']]], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, ['unsigned long long']], 'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_NBQUEUE_BLOCK' : [ 0x20, { 'SListEntry' : [ 0x0, ['_SLIST_ENTRY']], 'Next' : [ 0x10, ['unsigned long long']], 'Data' : [ 0x18, ['unsigned long long']], } ], '_KMUTANT' : [ 0x38, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], } ], '_TRACE_ENABLE_CONTEXT_EX' : [ 0x10, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], 'EnableFlagsHigh' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_ETW_GUID_ENTRY' : [ 0x1b0, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x10, ['long']], 'Guid' : [ 0x14, ['_GUID']], 'RegListHead' : [ 0x28, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'LastEnable' : [ 0x40, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x40, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x50, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x70, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x170, ['array', 8, ['pointer64', ['_EVENT_FILTER_HEADER']]]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x310, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'ModifiedId' : [ 0x38, ['_LUID']], 'Privileges' : [ 
0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : [ 0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned long']], 'UserAndGroups' : [ 0x90, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x98, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0xa0, ['pointer64', ['void']]], 'DynamicPart' : [ 0xa8, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0xb0, ['pointer64', ['_ACL']]], 'TokenType' : [ 0xb8, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xbc, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xc0, ['unsigned long']], 'TokenInUse' : [ 0xc4, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xc8, ['unsigned long']], 'MandatoryPolicy' : [ 0xcc, ['unsigned long']], 'LogonSession' : [ 0xd0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xd8, ['_LUID']], 'SidHash' : [ 0xe0, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x1f0, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x300, ['pointer64', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'VariablePart' : [ 0x308, ['unsigned long long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x50, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'BuddyLogonId' : [ 0x10, ['_LUID']], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], 'pDeviceMap' : [ 0x20, ['pointer64', ['_DEVICE_MAP']]], 'Token' : [ 0x28, ['pointer64', ['void']]], 'AccountName' : [ 0x30, 
['_UNICODE_STRING']], 'AuthorityName' : [ 0x40, ['_UNICODE_STRING']], } ], '_OBJECT_HEADER' : [ 0x38, { 'PointerCount' : [ 0x0, ['long long']], 'HandleCount' : [ 0x8, ['long long']], 'NextToFree' : [ 0x8, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0x18, ['unsigned char']], 'TraceFlags' : [ 0x19, ['unsigned char']], 'InfoMask' : [ 0x1a, ['unsigned char']], 'Flags' : [ 0x1b, ['unsigned char']], 'ObjectCreateInfo' : [ 0x20, ['pointer64', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'Body' : [ 0x30, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0x10, ['pointer64', ['void']]], 'Reserved' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x10, { 'ExclusiveProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'Reserved' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, { 'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0x18, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']], 'Reserved' : [ 0x1a, ['unsigned short']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], 'HashIndex' : [ 0x14, ['unsigned short']], 'DirectoryLocked' : [ 0x16, ['unsigned char']], 
'LockedExclusive' : [ 0x17, ['unsigned char']], 'LockStateSignature' : [ 0x18, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0x150, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'SessionId' : [ 0x138, ['unsigned long']], 'NamespaceEntry' : [ 0x140, ['pointer64', ['void']]], 'Flags' : [ 0x148, ['unsigned long']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x8, { 'ImpersonationData' : [ 0x0, ['unsigned long long']], 'ImpersonationToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MMVAD_FLAGS3' : [ 0x8, { 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'SequentialAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long long')]], 'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long long')]], 'LargePageCreating' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, native_type='unsigned long long')]], 'Spare3' : [ 0x0, 
['BitField', dict(start_bit = 33, end_bit = 64, native_type='unsigned long long')]], } ],
'_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ],
'_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ],
'_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'SharedWaiters' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 'OwnerEntry' : [ 0x30, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x40, ['unsigned long']], 'ContentionCount' : [ 0x44, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x48, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x4c, ['unsigned long']], 'Reserved2' : [ 0x50, ['pointer64', ['void']]], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ],
'_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ],
'_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ],
'_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52,
native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ],
'_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, ['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x260, ['unsigned long']], 'FreeBins' : [ 0x268, ['_LIST_ENTRY']], } ],
'_ALPC_PORT_ATTRIBUTES' : [ 0x48, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long long']], 'MemoryBandwidth' : [ 0x18, ['unsigned long long']], 'MaxPoolUsage' : [ 0x20, ['unsigned long long']], 'MaxSectionSize' : [ 0x28, ['unsigned long long']], 'MaxViewSize' : [ 0x30, ['unsigned long long']], 'MaxTotalSectionSize' : [ 0x38, ['unsigned long long']], 'DupObjectTypes' : [ 0x40, ['unsigned long']], 'Reserved' : [ 0x44, ['unsigned long']], } ],
'_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ],
'_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ],
'_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ],
'_DISPATCHER_HEADER' : [ 0x18, { 'Type' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Coalescable' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KeepShifting' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'Abandoned' : [ 0x1, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CpuThrottled' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'ActiveDR7' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Instrumented' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved2' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned char')]], 'UmsScheduled' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'UmsPrimary' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ],
'_VI_POOL_ENTRY' : [ 0x20, {
'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'PointerProtoPte' : [ 0x0, ['pointer64', ['void']]], } ], '_HEAP_COUNTERS' : [ 0x70, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long long']], 'TotalMemoryCommitted' : [ 0x8, ['unsigned long long']], 'TotalMemoryLargeUCR' : [ 0x10, ['unsigned long long']], 'TotalSizeInVirtualBlocks' : [ 0x18, ['unsigned long long']], 'TotalSegments' : [ 0x20, ['unsigned long']], 'TotalUCRs' : [ 0x24, ['unsigned long']], 'CommittOps' : [ 0x28, ['unsigned long']], 'DeCommitOps' : [ 0x2c, ['unsigned long']], 'LockAcquires' : [ 0x30, ['unsigned long']], 'LockCollisions' : [ 0x34, ['unsigned long']], 'CommitRate' : [ 0x38, ['unsigned long']], 'DecommittRate' : [ 0x3c, ['unsigned long']], 'CommitFailures' : [ 0x40, ['unsigned long']], 'InBlockCommitFailures' : [ 0x44, ['unsigned long']], 'CompactHeapCalls' : [ 0x48, ['unsigned long']], 'CompactedUCRs' : [ 0x4c, ['unsigned long']], 'AllocAndFreeOps' : [ 0x50, ['unsigned long']], 'InBlockDeccommits' : [ 0x54, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x58, ['unsigned long long']], 'HighWatermarkSize' : [ 0x60, ['unsigned long long']], 'LastPolledSize' : [ 0x68, ['unsigned long long']], } ], '_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '_SYSPTES_HEADER' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x10, ['unsigned long long']], 'NumberOfEntries' : [ 0x18, ['unsigned long long']], 'NumberOfEntriesPeak' : [ 0x20, ['unsigned long long']], } ], '_EXCEPTION_RECORD' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : 
[ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x68, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x10, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x30, ['pointer64', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x38, ['pointer64', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 0x40, ['pointer64', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x48, ['pointer64', ['_IRP']]], 'Lock' : [ 0x50, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x54, ['unsigned long']], 'ProfileChangingEject' : [ 0x58, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x59, ['unsigned char']], 'LightestSleepState' : [ 0x5c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x60, ['pointer64', ['DOCK_INTERFACE']]], } ], '_I386_LOADER_BLOCK' : [ 0x10, { 'CommonDataArea' : [ 0x0, ['pointer64', ['void']]], 'MachineType' : [ 0x8, ['unsigned long']], 'VirtualBias' : [ 0xc, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_ARC_DISK_INFORMATION' : [ 0x10, { 'DiskSignatures' : [ 0x0, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x10, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x8, ['unsigned long long']], } ], 
'_MMWSLE_NONDIRECT_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, ['pointer64', ['void']]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_HANDLE_TABLE' : [ 0x68, { 'TableCode' : [ 0x0, ['unsigned long long']], 'QuotaProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x10, ['pointer64', ['void']]], 'HandleLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'HandleTableList' : [ 0x20, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x30, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x38, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x40, ['long']], 'Flags' : [ 0x44, ['unsigned long']], 'StrictFIFO' : [ 0x44, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FirstFreeHandle' : [ 0x48, ['unsigned long']], 'LastFreeHandleEntry' : [ 0x50, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x58, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x5c, ['unsigned long']], 'HandleCountHighWatermark' : [ 0x60, ['unsigned long']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['unsigned long']], 'PoolType' : [ 0xc, ['unsigned long']], 
'NumberOfBytes' : [ 0x10, ['unsigned long long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_CM_KEY_BODY' : [ 0x58, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], 'Flags' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x30, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KtmTrans' : [ 0x38, ['pointer64', ['void']]], 'KtmUow' : [ 
0x40, ['pointer64', ['_GUID']]], 'ContextListHead' : [ 0x48, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x30, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'Object' : [ 0x18, ['pointer64', ['void']]], 'NextWaitBlock' : [ 0x20, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x28, ['unsigned short']], 'WaitType' : [ 0x2a, ['unsigned char']], 'BlockState' : [ 0x2b, ['unsigned char']], 'SpareLong' : [ 0x2c, ['long']], } ], '_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 
'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x78, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['_KAFFINITY_EX']], 'SamplingPeriod' : [ 0x38, ['unsigned long']], 'CurrentTemperature' : [ 0x3c, ['unsigned long']], 'PassiveTripPoint' : [ 0x40, ['unsigned long']], 'CriticalTripPoint' : [ 0x44, ['unsigned long']], 'ActiveTripPointCount' : [ 0x48, ['unsigned char']], 'ActiveTripPoint' : [ 0x4c, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x74, ['unsigned long']], } ], '__unnamed_1c5c' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1c5e' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1c5c']], 'Private' : [ 0x0, ['__unnamed_1c5e']], } ], '_VI_VERIFIER_ISSUE' : [ 0x20, { 'IssueType' : [ 0x0, ['unsigned long long']], 'Address' : [ 0x8, ['pointer64', ['void']]], 'Parameters' : [ 0x10, ['array', 2, ['unsigned long long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, 
['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '_OBJECT_REF_INFO' : [ 0x28, { 'ObjectHeader' : [ 0x0, ['pointer64', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x8, ['pointer64', ['void']]], 'ImageFileName' : [ 0x10, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x20, ['unsigned short']], 'MaxStacks' : [ 0x22, ['unsigned short']], 'StackInfo' : [ 0x24, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x18, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x8, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x10, ['long']], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' : [ 0x14, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, 
['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '__unnamed_1c7f' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_1c85' : [ 0x8, { 'Banked' : [ 0x0, ['pointer64', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x90, { 'u1' : [ 0x0, ['__unnamed_15bf']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_15c2']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_15c5']], 'u2' : [ 0x40, ['__unnamed_15d2']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ViewLinks' : [ 0x60, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x70, ['pointer64', ['_EPROCESS']]], 'u3' : [ 0x78, ['__unnamed_1c7f']], 'u4' : [ 0x88, ['__unnamed_1c85']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', ['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, 
['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_EJOB' : [ 0x1c8, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, ['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb0, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xb8, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0xc0, ['unsigned long']], 'TotalProcesses' : [ 0xc4, ['unsigned long']], 'ActiveProcesses' : [ 0xc8, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0xcc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xd0, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xd8, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0xe0, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xe8, ['unsigned long long']], 'LimitFlags' : [ 0xf0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xf4, ['unsigned long']], 'Affinity' : [ 0xf8, ['_KAFFINITY_EX']], 'PriorityClass' : [ 0x120, ['unsigned char']], 'AccessState' : [ 0x128, ['pointer64', ['_JOB_ACCESS_STATE']]], 'UIRestrictionsClass' : [ 0x130, ['unsigned long']], 'EndOfJobTimeAction' : [ 0x134, ['unsigned long']], 'CompletionPort' : [ 0x138, ['pointer64', ['void']]], 'CompletionKey' : [ 0x140, ['pointer64', ['void']]], 'SessionId' : [ 0x148, ['unsigned long']], 'SchedulingClass' : [ 0x14c, ['unsigned long']], 'ReadOperationCount' : [ 0x150, ['unsigned long long']], 'WriteOperationCount' : [ 0x158, ['unsigned long long']], 'OtherOperationCount' : [ 0x160, ['unsigned long long']], 'ReadTransferCount' : [ 0x168, ['unsigned long long']], 'WriteTransferCount' : [ 0x170, ['unsigned long long']], 'OtherTransferCount' : [ 0x178, ['unsigned long long']], 'ProcessMemoryLimit' : [ 0x180, ['unsigned long long']],
'JobMemoryLimit' : [ 0x188, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x190, ['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x198, ['unsigned long long']], 'CurrentJobMemoryUsed' : [ 0x1a0, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x1a8, ['_EX_PUSH_LOCK']], 'JobSetLinks' : [ 0x1b0, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x1c0, ['unsigned long']], 'JobFlags' : [ 0x1c4, ['unsigned long']], } ], '__unnamed_1c99' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HvMaxCState' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_IDLE_STATES' : [ 0xa0, { 'Count' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['__unnamed_1c99']], 'TargetState' : [ 0x8, ['unsigned long']], 'ActualState' : [ 0xc, ['unsigned long']], 'OldState' : [ 0x10, ['unsigned long']], 'TargetProcessors' : [ 0x18, ['_KAFFINITY_EX']], 'State' : [ 0x40, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '__unnamed_1ca2' : [ 0x18, { 'EfiInformation' : [ 0x0, ['_EFI_FIRMWARE_INFORMATION']], 'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']], } ], '_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x20, { 'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_1ca2']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x10, ['_LIST_ENTRY']], 'Address' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x88, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x10,
['pointer64', ['void']]], 'ProcessObject' : [ 0x18, ['pointer64', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x20, ['pointer64', ['void']]], 'RealtimeConnectContext' : [ 0x28, ['pointer64', ['void']]], 'DisconnectEvent' : [ 0x30, ['pointer64', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x38, ['pointer64', ['_KEVENT']]], 'UserBufferCount' : [ 0x40, ['pointer64', ['unsigned long']]], 'UserBufferListHead' : [ 0x48, ['pointer64', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x50, ['unsigned long']], 'EmptyBuffersCount' : [ 0x54, ['unsigned long']], 'LoggerId' : [ 0x58, ['unsigned long']], 'ShutDownRequested' : [ 0x5c, ['unsigned char']], 'NewBuffersLost' : [ 0x5d, ['unsigned char']], 'Disconnected' : [ 0x5e, ['unsigned char']], 'ReservedBufferSpaceBitMap' : [ 0x60, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x70, ['pointer64', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x78, ['unsigned long']], 'UserPagesAllocated' : [ 0x7c, ['unsigned long']], 'UserPagesReused' : [ 0x80, ['unsigned long']], 'Wow' : [ 0x84, ['unsigned char']], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x8, ['_KGUARDED_MUTEX']], 'NonPagedLock' : [ 0x8, ['unsigned long long']], 'RunningAllocs' : [ 0x40, ['long']], 'RunningDeAllocs' : [ 0x44, ['long']], 'TotalBigPages' : [ 0x48, ['long']], 'ThreadsProcessingDeferrals' : [ 0x4c, ['long']], 'TotalBytes' : [ 0x50, ['unsigned long long']], 'PoolIndex' : [ 0x80, ['unsigned long']], 'TotalPages' : [ 0xc0, ['long']], 'PendingFrees' : [ 0x100, 
['pointer64', ['pointer64', ['void']]]], 'PendingFreeDepth' : [ 0x108, ['long']], 'ListHeads' : [ 0x140, ['array', 256, ['_LIST_ENTRY']]], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x20, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x8, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0x18, ['unsigned long long']], } ], '_DRIVER_EXTENSION' : [ 0x38, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', 
['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0xa0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'MessageServiceRoutine' : [ 0x20, ['pointer64', ['void']]], 'MessageIndex' : [ 0x28, ['unsigned long']], 'ServiceContext' : [ 0x30, ['pointer64', ['void']]], 'SpinLock' : [ 0x38, ['unsigned long long']], 'TickCount' : [ 0x40, ['unsigned long']], 'ActualLock' : [ 0x48, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x50, ['pointer64', ['void']]], 'Vector' : [ 0x58, ['unsigned long']], 'Irql' : [ 0x5c, ['unsigned char']], 'SynchronizeIrql' : [ 0x5d, ['unsigned char']], 'FloatingSave' : [ 0x5e, ['unsigned char']], 'Connected' : [ 0x5f, ['unsigned char']], 'Number' : [ 0x60, ['unsigned long']], 'ShareVector' : [ 0x64, ['unsigned char']], 'Pad' : [ 0x65, ['array', 3, ['unsigned char']]], 'Mode' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x6c, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x70, ['unsigned long']], 'DispatchCount' : [ 0x74, ['unsigned long']], 'Rsvd1' : [ 0x78, ['unsigned long long']], 'TrapFrame' : [ 0x80, ['pointer64', ['_KTRAP_FRAME']]], 'Reserved' : [ 0x88, ['pointer64', ['void']]], 'DispatchCode' : [ 0x90, ['array', 4, ['unsigned long']]], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'ObAttributes' : 
[ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long long']], 'GrantedAccess' : [ 0x8, ['unsigned long']], 'GrantedAccessIndex' : [ 0x8, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xa, ['unsigned short']], 'NextFreeTableEntry' : [ 0x8, ['unsigned long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x30, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x8, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0x18, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x20, ['_LIST_ENTRY']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x88, { 'FileName' : [ 0x0, ['pointer64', ['unsigned short']]], 'BaseName' : [ 0x8, ['pointer64', ['unsigned short']]], 'RegRootName' : [ 0x10, ['pointer64', ['unsigned short']]], 'CmHive' : [ 0x18, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x20, ['unsigned long']], 'CmHiveFlags' : [ 0x24, ['unsigned long']], 'CmKcbCacheSize' : [ 0x28, ['unsigned long']], 'CmHive2' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'HiveMounted' : [ 0x38, ['unsigned char']], 'ThreadFinished' : [ 0x39, ['unsigned char']], 'ThreadStarted' : [ 0x3a, ['unsigned char']], 'Allocate' : [ 0x3b, ['unsigned char']], 'WinPERequired' : 
[ 0x3c, ['unsigned char']], 'StartEvent' : [ 0x40, ['_KEVENT']], 'FinishedEvent' : [ 0x58, ['_KEVENT']], 'MountLock' : [ 0x70, ['_KEVENT']], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned long long']], 'R12' : [ 0xd8, ['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XSAVE_FORMAT']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 
0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, ['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_ALPC_HANDLE_TABLE' : [ 0x18, { 'Handles' : [ 0x0, ['pointer64', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, 
native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 48, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x200, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'Thread' : [ 0x8, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x10, ['array', 62, ['pointer64', ['void']]]], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x98, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Mdl' : [ 0x18, ['pointer64', ['_MDL']]], 'UserVa' : [ 0x20, ['pointer64', ['void']]], 'UserLimit' : [ 0x28, ['pointer64', ['void']]], 'DataUserVa' : [ 0x30, ['pointer64', ['void']]], 'SystemVa' : [ 0x38, ['pointer64', ['void']]], 'TotalSize' : [ 0x40, ['unsigned long long']], 'Header' : [ 0x48, ['pointer64', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x50, ['pointer64', ['void']]], 'ListSize' : [ 0x58, ['unsigned long long']], 'Bitmap' : [ 0x60, ['pointer64', ['void']]], 'BitmapSize' : [ 0x68, ['unsigned long long']], 'Data' : [ 0x70, 
['pointer64', ['void']]], 'DataSize' : [ 0x78, ['unsigned long long']], 'BitmapLimit' : [ 0x80, ['unsigned long']], 'BitmapNextHint' : [ 0x84, ['unsigned long']], 'ConcurrencyCount' : [ 0x88, ['unsigned long']], 'AttributeFlags' : [ 0x8c, ['unsigned long']], 'AttributeSize' : [ 0x90, ['unsigned long']], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x88, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x40, ['_KTIMER']], 'ScanActive' : [ 0x80, ['unsigned char']], 'OtherWork' : [ 0x81, ['unsigned char']], 'PendingTeardownScan' : [ 0x82, ['unsigned char']], 'PendingPeriodicScan' : [ 0x83, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x84, ['unsigned char']], 'PendingPowerScan' : [ 0x85, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', ['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 
'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_IO_WORKITEM' : [ 0x40, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x20, ['pointer64', ['void']]], 'IoObject' : [ 0x28, ['pointer64', ['void']]], 'Context' : [ 0x30, ['pointer64', ['void']]], 'Type' : [ 0x38, ['unsigned long']], } ], '_CM_RM' : [ 0x88, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x10, ['_LIST_ENTRY']], 'TmHandle' : [ 0x20, ['pointer64', ['void']]], 'Tm' : [ 0x28, ['pointer64', ['void']]], 'RmHandle' : [ 0x30, ['pointer64', ['void']]], 'KtmRm' : [ 0x38, ['pointer64', ['void']]], 'RefCount' : [ 0x40, ['unsigned long']], 'ContainerNum' : [ 0x44, ['unsigned long']], 'ContainerSize' : [ 0x48, ['unsigned long long']], 'CmHive' : [ 0x50, ['pointer64', ['_CMHIVE']]], 'LogFileObject' : [ 0x58, ['pointer64', ['void']]], 'MarshallingContext' : [ 0x60, ['pointer64', ['void']]], 'RmFlags' : [ 0x68, ['unsigned long']], 'LogStartStatus1' : [ 0x6c, ['long']], 'LogStartStatus2' : [ 0x70, ['long']], 'BaseLsn' : [ 0x78, ['unsigned long long']], 'RmLock' : [ 0x80, ['pointer64', ['_ERESOURCE']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_MMVAD_FLAGS' : [ 0x8, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 51, 
native_type='unsigned long long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 61, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 61, end_bit = 63, native_type='unsigned long long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_UNEXPECTED_INTERRUPT' : [ 0x10, { 'PushImmOp' : [ 0x0, ['unsigned char']], 'PushImm' : [ 0x1, ['unsigned long']], 'PushRbp' : [ 0x5, ['unsigned char']], 'JmpOp' : [ 0x6, ['unsigned char']], 'JmpOffset' : [ 0x7, ['long']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x10, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'Flags' : [ 0x8, ['BitField', 
dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x9, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0xa, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'OldIrql' : [ 0x8, ['unsigned char']], 'NewIrql' : [ 0x9, ['unsigned char']], 'Processor' : [ 0xa, ['unsigned short']], 'TickCount' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 5, ['pointer64', ['void']]]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x90, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'Data' : [ 0x40, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0x18, { 'AnsiCodePageData' : [ 0x0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0x8, ['pointer64', 
['void']]], 'UnicodeCaseTableData' : [ 0x10, ['pointer64', ['void']]], } ], '_ALIGNED_AFFINITY_SUMMARY' : [ 0x80, { 'CpuSet' : [ 0x0, ['_KAFFINITY_EX']], 'SMTSet' : [ 0x28, ['_KAFFINITY_EX']], } ], '_XSTATE_CONFIGURATION' : [ 0x210, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'OptimizedSave' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Features' : [ 0x10, ['array', 64, ['_XSTATE_FEATURE']]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x38, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x18, ['unsigned long']], 'RealRefCount' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 22, native_type='unsigned long long')]], 'InStore' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_RTL_UMS_CONTEXT' : [ 0x540, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Context' : [ 0x10, ['_CONTEXT']], 'Teb' : [ 0x4e0, ['pointer64', ['void']]], 'UserContext' : [ 0x4e8, ['pointer64', ['void']]], 
'ScheduledThread' : [ 0x4f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'HasQuantumReq' : [ 0x4f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HasAffinityReq' : [ 0x4f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'HasPriorityReq' : [ 0x4f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Suspended' : [ 0x4f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VolatileContext' : [ 0x4f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Terminated' : [ 0x4f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'DebugActive' : [ 0x4f0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DenyRunningOnSelfThread' : [ 0x4f0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReservedFlags' : [ 0x4f0, ['BitField', dict(start_bit = 10, end_bit = 32, native_type='unsigned long')]], 'Flags' : [ 0x4f0, ['long']], 'KernelUpdateLock' : [ 0x4f8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Reserved' : [ 0x4f8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PrimaryClientID' : [ 0x4f8, ['BitField', dict(start_bit = 2, end_bit = 64, native_type='unsigned long long')]], 'ContextLock' : [ 0x4f8, ['unsigned long long']], 'QuantumValue' : [ 0x500, ['unsigned long long']], 'AffinityMask' : [ 0x508, ['_GROUP_AFFINITY']], 'Priority' : [ 0x518, ['long']], 'PrimaryUmsContext' : [ 0x520, ['pointer64', ['_RTL_UMS_CONTEXT']]], 'SwitchCount' : [ 0x528, ['unsigned long']], 'KernelYieldCount' : [ 0x52c, ['unsigned long']], 'MixedYieldCount' : [ 0x530, ['unsigned long']], 'YieldCount' : [ 0x534, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 
0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]],
'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'Padding0' : [ 0x20, ['array', 2, ['unsigned long']]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer64', ['void']]], 'Pointer1' : [ 0x40, ['pointer64', ['void']]], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x100, { 'IdleStates' : [ 0x0, ['pointer64', ['_PPM_IDLE_STATES']]], 'IdleTimeLast' : [ 0x8, ['unsigned long long']], 'IdleTimeTotal' : [ 0x10, ['unsigned long long']], 'IdleTimeEntry' : [ 0x18, ['unsigned long long']], 'IdleAccounting' : [ 0x20, ['pointer64', ['_PROC_IDLE_ACCOUNTING']]], 'Hypervisor' : [ 0x28, ['Enumeration', dict(target = 'long', choices 
= {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower'})]], 'PerfHistoryTotal' : [ 0x2c, ['unsigned long']], 'ThermalConstraint' : [ 0x30, ['unsigned char']], 'PerfHistoryCount' : [ 0x31, ['unsigned char']], 'PerfHistorySlot' : [ 0x32, ['unsigned char']], 'Reserved' : [ 0x33, ['unsigned char']], 'LastSysTime' : [ 0x34, ['unsigned long']], 'WmiDispatchPtr' : [ 0x38, ['unsigned long long']], 'WmiInterfaceEnabled' : [ 0x40, ['long']], 'FFHThrottleStateInfo' : [ 0x48, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0x68, ['_KDPC']], 'PerfActionMask' : [ 0xa8, ['long']], 'IdleCheck' : [ 0xb0, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0xc0, ['_PROC_IDLE_SNAP']], 'Domain' : [ 0xd0, ['pointer64', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0xd8, ['pointer64', ['_PROC_PERF_CONSTRAINT']]], 'Load' : [ 0xe0, ['pointer64', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0xe8, ['pointer64', ['_PROC_HISTORY_ENTRY']]], 'Utility' : [ 0xf0, ['unsigned long']], 'OverUtilizedHistory' : [ 0xf4, ['unsigned long']], 'AffinityCount' : [ 0xf8, ['unsigned long']], 'AffinityHistory' : [ 0xfc, ['unsigned long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, 
end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x40, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x18, ['unsigned long']], 'ImageCommitment' : [ 0x1c, ['unsigned long']], 'ControlArea' : [ 0x20, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x30, ['pointer64', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x38, ['pointer64', ['_MMSUBSECTION_FLAGS']]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x28, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], 'DOCK_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 
'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ProfileDepartureSetMode' : [ 0x20, ['pointer64', ['void']]], 'ProfileDepartureUpdate' : [ 0x28, ['pointer64', ['void']]], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], } ], '_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, 
['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x50, { 'Lock' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'ActiveCount' : [ 0xc, ['unsigned long']], 'PendingNullCount' : [ 0x10, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x14, ['unsigned long']], 'PendingDelete' : [ 0x18, ['unsigned long']], 'FreeListHead' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x28, ['pointer64', ['void']]], 'CompletionKey' : [ 0x30, ['pointer64', ['void']]], 'Entry' : 
[ 0x38, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0x18, ['unsigned long long']], 'PageCount' : [ 0x20, ['unsigned long long']], } ], '_CM_INTENT_LOCK' : [ 0x10, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x8, ['pointer64', ['pointer64', ['_CM_KCB_UOW']]]], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x2c0, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'BucketLimits' : [ 0x18, ['array', 16, ['unsigned long long']]], 'State' : [ 0x98, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 
'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ], '_MAPPED_FILE_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], } ], '_TEB64' : [ 0x1818, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : 
[ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'EtwLocalData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']],
'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 
'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0xa0, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 
'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'OptionChanges' : [ 0x78, ['unsigned long']], 'VerifyMode' : [ 0x7c, ['unsigned long']], 'PreviousBucketName' : [ 0x80, ['_UNICODE_STRING']], 'ActivityCounter' : [ 0x90, ['unsigned long']], 'PreviousActivityCounter' : [ 0x94, ['unsigned long']], 'WorkerTrimRequests' : [ 0x98, ['unsigned long']], } ], '_VI_FAULT_TRACE' : [ 0x48, { 'Thread' : [ 0x0, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 8, ['pointer64', ['void']]]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned long long']], 'IoPriorityBoosted' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OwnerCount' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_MI_SECTION_CREATION_GATE' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_MI_SECTION_CREATION_GATE']]], 'Gate' : [ 0x8, ['_KGATE']], } ], '_ETIMER' : [ 0x110, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x40, ['_KAPC']], 'TimerDpc' : [ 0x98, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xd8, 
['_LIST_ENTRY']], 'Lock' : [ 0xe8, ['unsigned long long']], 'Period' : [ 0xf0, ['long']], 'ApcAssociated' : [ 0xf4, ['unsigned char']], 'WakeReason' : [ 0xf8, ['pointer64', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x100, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '_POOL_BLOCK_HEAD' : [ 0x20, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x10, ['_LIST_ENTRY']], } ], '__unnamed_1e01' : [ 0x8, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer64', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x10, { 'u1' : [ 0x0, ['__unnamed_1e01']], 'EndVa' : [ 0x8, ['pointer64', ['void']]], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_ARBITER_INSTANCE' : [ 0x698, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['unsigned short']]], 'OrderingName' : [ 0x18, ['pointer64', ['unsigned short']]], 'ResourceType' : [ 0x20, ['long']], 'Allocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x30, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x38, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x48, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x58, ['long']], 'Interface' : [ 0x60, ['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x68, ['unsigned long']], 'AllocationStack' : [ 0x70, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x78, ['pointer64', ['void']]], 'PackResource' : [ 0x80, ['pointer64', ['void']]], 'UnpackResource' : [ 0x88, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x90, ['pointer64', ['void']]], 'TestAllocation' : [ 0x98, ['pointer64', ['void']]], 'RetestAllocation' : [ 0xa0, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa8, ['pointer64', ['void']]], 'RollbackAllocation' : [ 0xb0, ['pointer64', ['void']]], 
'BootAllocation' : [ 0xb8, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xc0, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc8, ['pointer64', ['void']]], 'AddReserved' : [ 0xd0, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd8, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xe0, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe8, ['pointer64', ['void']]], 'GetNextAllocationRange' : [ 0xf0, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf8, ['pointer64', ['void']]], 'AddAllocation' : [ 0x100, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x108, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x110, ['pointer64', ['void']]], 'InitializeRangeList' : [ 0x118, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x120, ['unsigned char']], 'TransactionEvent' : [ 0x128, ['pointer64', ['_KEVENT']]], 'Extension' : [ 0x130, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x140, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x148, ['pointer64', ['void']]], 'PdoDescriptionString' : [ 0x150, ['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x3f0, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x690, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '__unnamed_1e5a' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_1e5c' : [ 0x8, { 'Last' : [ 0x0, ['unsigned long']], 'u' : [ 0x4, ['__unnamed_1e5a']], } ], '__unnamed_1e5e' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_1e5a']], } ], '__unnamed_1e60' : [ 0x8, { 'OldCell' : [ 0x0, ['__unnamed_1e5c']], 'NewCell' : [ 0x0, ['__unnamed_1e5e']], } ], '_HCELL' : [ 0xc, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1e60']], } ], '_HMAP_TABLE' : [ 0x4000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], 
'_PROC_PERF_CONSTRAINT' : [ 0x30, { 'Prcb' : [ 0x0, ['pointer64', ['_KPRCB']]], 'PerfContext' : [ 0x8, ['unsigned long long']], 'PercentageCap' : [ 0x10, ['unsigned long']], 'ThermalCap' : [ 0x14, ['unsigned long']], 'TargetFrequency' : [ 0x18, ['unsigned long']], 'AcumulatedFullFrequency' : [ 0x1c, ['unsigned long']], 'AcumulatedZeroFrequency' : [ 0x20, ['unsigned long']], 'FrequencyHistoryTotal' : [ 0x24, ['unsigned long']], 'AverageFrequency' : [ 0x28, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit 
= 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_CACHED_KSTACK_LIST' : [ 0x20, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x10, ['long']], 'Misses' : [ 0x14, ['unsigned long']], 'MissesLast' : [ 0x18, ['unsigned long']], 'Pad0' : [ 0x1c, ['unsigned long']], } ], '__unnamed_1e73' : [ 0x18, { 'Length' : [ 0x0, ['unsigned 
long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e77' : [ 0x18, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long long']], } ], '__unnamed_1e79' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1e7b' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1e7d' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1e7f' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1e81' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e83' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e85' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e87' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1e73']], 'Memory' : [ 0x0, ['__unnamed_1e73']], 'Interrupt' : [ 0x0, ['__unnamed_1e77']], 'Dma' : [ 0x0, ['__unnamed_1e79']], 'Generic' : [ 0x0, 
['__unnamed_1e73']], 'DevicePrivate' : [ 0x0, ['__unnamed_1e7b']], 'BusNumber' : [ 0x0, ['__unnamed_1e7d']], 'ConfigData' : [ 0x0, ['__unnamed_1e7f']], 'Memory40' : [ 0x0, ['__unnamed_1e81']], 'Memory48' : [ 0x0, ['__unnamed_1e83']], 'Memory64' : [ 0x0, ['__unnamed_1e85']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1e87']], } ], '_POP_THERMAL_ZONE' : [ 0x1e8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x10, ['unsigned char']], 'Flags' : [ 0x11, ['unsigned char']], 'Mode' : [ 0x12, ['unsigned char']], 'PendingMode' : [ 0x13, ['unsigned char']], 'ActivePoint' : [ 0x14, ['unsigned char']], 'PendingActivePoint' : [ 0x15, ['unsigned char']], 'Throttle' : [ 0x18, ['long']], 'LastTime' : [ 0x20, ['unsigned long long']], 'SampleRate' : [ 0x28, ['unsigned long']], 'LastTemp' : [ 0x2c, ['unsigned long']], 'PassiveTimer' : [ 0x30, ['_KTIMER']], 'PassiveDpc' : [ 0x70, ['_KDPC']], 'OverThrottled' : [ 0xb0, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0xc8, ['pointer64', ['_IRP']]], 'Info' : [ 0xd0, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0x148, ['_LARGE_INTEGER']], 'Metrics' : [ 0x150, ['_POP_THERMAL_ZONE_METRICS']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, 
end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_CM_WORKITEM' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x10, ['unsigned long']], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Parameter' : [ 0x20, ['pointer64', ['void']]], } ], '_POP_THERMAL_ZONE_METRICS' : [ 0x98, { 'MetricsResource' : [ 0x0, ['_ERESOURCE']], 'ActiveCount' : [ 0x68, ['unsigned long']], 'PassiveCount' : [ 0x6c, ['unsigned long']], 'LastActiveStartTick' : [ 0x70, ['_LARGE_INTEGER']], 'AverageActiveTime' : [ 0x78, ['_LARGE_INTEGER']], 'LastPassiveStartTick' : [ 0x80, ['_LARGE_INTEGER']], 'AveragePassiveTime' : [ 0x88, ['_LARGE_INTEGER']], 'StartTickSinceLastReset' : [ 0x90, ['_LARGE_INTEGER']], } ], '_CM_TRANS' : [ 0xa8, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x10, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x30, ['pointer64', ['void']]], 'CmRm' : [ 0x38, ['pointer64', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x40, ['pointer64', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x48, ['pointer64', ['void']]], 'KtmUow' : [ 0x50, ['_GUID']], 'StartLsn' : [ 0x60, ['unsigned long long']], 'TransState' : [ 0x68, ['unsigned long']], 'HiveCount' : [ 0x6c, ['unsigned long']], 'HiveArray' : [ 
0x70, ['array', 7, ['pointer64', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x40, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ProbeMode' : [ 0x10, ['unsigned char']], 'PagedPoolCharge' : [ 0x14, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x1c, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQos' : [ 0x28, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Flags' : [ 0x28, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x2c, ['unsigned short']], 'SpareUSHORT' : [ 0x2e, ['unsigned 
short']], } ], '_POOL_HACKER' : [ 0x30, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x10, ['array', 8, ['unsigned long']]], } ], '_PO_DIAG_STACK_RECORD' : [ 0x10, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x8, ['array', 1, ['pointer64', ['void']]]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x1c, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1b, ['unsigned char']], } ], '__unnamed_1ec2' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1ec4' : [ 0x18, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_1ec2']], } ], '_VF_TARGET_DRIVER' : [ 0x30, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'u1' : [ 0x10, ['__unnamed_1ec4']], 'VerifiedData' : [ 0x28, ['pointer64', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '__unnamed_1ecc' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_1ece' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1ed0' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1ed2' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceIds' : [ 0x8, ['array', 1, ['wchar']]], } ], '__unnamed_1ed4' : [ 0x8, { 'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1ed6' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1ed8' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 
'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1eda' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_1edc' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1ede' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_1ee0' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_1ecc']], 'TargetDevice' : [ 0x0, ['__unnamed_1ece']], 'InstallDevice' : [ 0x0, ['__unnamed_1ed0']], 'CustomNotification' : [ 0x0, ['__unnamed_1ed2']], 'ProfileNotification' : [ 0x0, ['__unnamed_1ed4']], 'PowerNotification' : [ 0x0, ['__unnamed_1ed6']], 'VetoNotification' : [ 0x0, ['__unnamed_1ed8']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_1eda']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_1edc']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_1ede']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_1ed0']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x50, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : 
[ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_1ee0']], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x28, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], } ], '_MMPTE_TIMESTAMP' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x110, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x10, ['array', 32, ['unsigned long long']]], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer64', ['_XSAVE_AREA']]], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, 
['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]], } ], '_MBCB' : [ 0xc0, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x28, ['long long']], 'BitmapRange1' : [ 0x30, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x60, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x90, ['_BITMAP_RANGE']], } ], '_PS_CPU_QUOTA_BLOCK' : [ 0x4080, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x10, ['unsigned long']], 'CpuShareWeight' : [ 0x14, ['unsigned long']], 'CapturedWeightData' : [ 0x18, ['_PSP_CPU_SHARE_CAPTURED_WEIGHT_DATA']], 'DuplicateInputMarker' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x20, ['long']], 'BlockCurrentGenerationLock' : [ 0x0, ['unsigned long long']], 'CyclesAccumulated' : [ 0x8, ['unsigned long long']], 'CycleCredit' : [ 0x40, ['unsigned long long']], 'BlockCurrentGeneration' : [ 0x48, ['unsigned long']], 'CpuCyclePercent' : [ 0x4c, ['unsigned long']], 'CyclesFinishedForCurrentGeneration' : [ 0x50, ['unsigned char']], 'Cpu' : [ 0x80, ['array', 256, ['_PS_PER_CPU_QUOTA_CACHE_AWARE']]], } ], '__unnamed_1efc' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, 
end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1efc']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : 
[ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x70, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 
0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', ['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], } ], '__unnamed_1f31' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_1f31']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x5b0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_PS_PER_CPU_QUOTA_CACHE_AWARE' : [ 0x40, { 'SortedListEntry' : [ 0x0, ['_LIST_ENTRY']], 'IdleOnlyListHead' : [ 0x10, ['_LIST_ENTRY']], 'CycleBaseAllowance' : [ 0x20, ['unsigned long long']], 'CyclesRemaining' : [ 0x28, ['long long']], 'CurrentGeneration' : [ 0x30, ['unsigned long']], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x28, { 'StackBase' : [ 0x0, ['unsigned long 
long']],
    'StackLimit' : [ 0x8, ['unsigned long long']],
    'KernelStack' : [ 0x10, ['unsigned long long']],
    'InitialStack' : [ 0x18, ['unsigned long long']],
    'ActualLimit' : [ 0x20, ['unsigned long long']],
} ],
  '_KEXECUTE_OPTIONS' : [ 0x1, {
    'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]],
    'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]],
    'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]],
    'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]],
    'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]],
    'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]],
    'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]],
    'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]],
    'ExecuteOptions' : [ 0x0, ['unsigned char']],
} ],
  '_SEP_TOKEN_PRIVILEGES' : [ 0x18, {
    'Present' : [ 0x0, ['unsigned long long']],
    'Enabled' : [ 0x8, ['unsigned long long']],
    'EnabledByDefault' : [ 0x10, ['unsigned long long']],
} ],
  '_WORK_QUEUE_ITEM' : [ 0x20, {
    'List' : [ 0x0, ['_LIST_ENTRY']],
    'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]],
    'Parameter' : [ 0x18, ['pointer64', ['void']]],
} ],
  '_ARBITER_ALLOCATION_STATE' : [ 0x50, {
    'Start' : [ 0x0, ['unsigned long long']],
    'End' : [ 0x8, ['unsigned long long']],
    'CurrentMinimum' : [ 0x10, ['unsigned long long']],
    'CurrentMaximum' : [ 0x18, ['unsigned long long']],
    'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]],
    'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]],
    'AlternativeCount' : [ 0x30, ['unsigned long']],
    'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]],
    'Flags' : [ 0x40, ['unsigned short']],
    'RangeAttributes' : [ 0x42, ['unsigned char']],
    'RangeAvailableAttributes' : [ 0x43, ['unsigned char']],
    'WorkSpace' : [ 0x48, ['unsigned long long']],
} ],
  '_VACB_ARRAY_HEADER' : [ 0x10, {
    'VacbArrayIndex' : [ 0x0, ['unsigned long']],
    'MappingCount' : [ 0x4, ['unsigned long']],
    'HighestMappedIndex' : [ 0x8, ['unsigned long']],
    'Reserved' : [ 0xc, ['unsigned long']],
} ],
  '_MMWSLENTRY' : [ 0x8, {
    'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]],
    'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]],
    'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]],
    'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]],
    'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long long')]],
    'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long long')]],
    'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]],
} ],
  '_DBGKD_SWITCH_PARTITION' : [ 0x4, {
    'Partition' : [ 0x0, ['unsigned long']],
} ],
  '_REQUEST_MAILBOX' : [ 0x40, {
    'Next' : [ 0x0, ['pointer64', ['_REQUEST_MAILBOX']]],
    'RequestSummary' : [ 0x8, ['long long']],
    'RequestPacket' : [ 0x10, ['_KREQUEST_PACKET']],
} ],
  '_DBGKD_GET_VERSION32' : [ 0x28, {
    'MajorVersion' : [ 0x0, ['unsigned short']],
    'MinorVersion' : [ 0x2, ['unsigned short']],
    'ProtocolVersion' : [ 0x4, ['unsigned short']],
    'Flags' : [ 0x6, ['unsigned short']],
    'KernBase' : [ 0x8, ['unsigned long']],
    'PsLoadedModuleList' : [ 0xc, ['unsigned long']],
    'MachineType' : [ 0x10, ['unsigned short']],
    'ThCallbackStack' : [ 0x12, ['unsigned short']],
    'NextCallback' : [ 0x14, ['unsigned short']],
    'FramePointer' : [ 0x16, ['unsigned short']],
    'KiCallUserMode' : [ 0x18, ['unsigned long']],
    'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']],
    'BreakpointWithStatus' : [ 0x20, ['unsigned long']],
    'DebuggerDataList' : [ 0x24, ['unsigned long']],
} ],
  '_INTERLOCK_SEQ' : [ 0x8, {
    'Depth' : [ 0x0, ['unsigned short']],
    'FreeEntryOffset' : [ 0x2, ['unsigned short']],
    'OffsetAndDepth' : [ 0x0, ['unsigned long']],
    'Sequence' : [ 0x4, ['unsigned long']],
    'Exchg' : [ 0x0, ['long long']],
} ],
  '_WHEA_TIMESTAMP' : [ 0x8, {
    'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]],
    'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]],
    'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]],
    'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]],
    'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]],
    'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]],
    'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]],
    'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]],
    'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]],
    'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']],
} ],
  '_PEB32' : [ 0x248, {
    'InheritedAddressSpace' : [ 0x0, ['unsigned char']],
    'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']],
    'BeingDebugged' : [ 0x2, ['unsigned char']],
    'BitField' : [ 0x3, ['unsigned char']],
    'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]],
    'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]],
    'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]],
    'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]],
    'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]],
    'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]],
    'Mutant' : [ 0x4, ['unsigned long']],
    'ImageBaseAddress' : [ 0x8, ['unsigned long']],
    'Ldr' : [ 0xc, ['unsigned long']],
    'ProcessParameters' : [ 0x10, ['unsigned long']],
    'SubSystemData' : [ 0x14, ['unsigned long']],
    'ProcessHeap' : [ 0x18, ['unsigned long']],
    'FastPebLock' : [ 0x1c, ['unsigned long']],
    'AtlThunkSListPtr' : [ 0x20, ['unsigned long']],
    'IFEOKey' : [ 0x24, ['unsigned long']],
    'CrossProcessFlags' : [ 0x28, ['unsigned long']],
    'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]],
    'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]],
    'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]],
    'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]],
    'KernelCallbackTable' : [ 0x2c, ['unsigned long']],
    'UserSharedInfoPtr' : [ 0x2c, ['unsigned long']],
    'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]],
    'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']],
    'ApiSetMap' : [ 0x38, ['unsigned long']],
    'TlsExpansionCounter' : [ 0x3c, ['unsigned long']],
    'TlsBitmap' : [ 0x40, ['unsigned long']],
    'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]],
    'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']],
    'HotpatchInformation' : [ 0x50, ['unsigned long']],
    'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']],
    'AnsiCodePageData' : [ 0x58, ['unsigned long']],
    'OemCodePageData' : [ 0x5c, ['unsigned long']],
    'UnicodeCaseTableData' : [ 0x60, ['unsigned long']],
    'NumberOfProcessors' : [ 0x64, ['unsigned long']],
    'NtGlobalFlag' : [ 0x68, ['unsigned long']],
    'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']],
    'HeapSegmentReserve' : [ 0x78, ['unsigned long']],
    'HeapSegmentCommit' : [ 0x7c, ['unsigned long']],
    'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']],
    'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']],
    'NumberOfHeaps' : [ 0x88, ['unsigned long']],
    'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']],
    'ProcessHeaps' : [ 0x90, ['unsigned long']],
    'GdiSharedHandleTable' : [ 0x94, ['unsigned long']],
    'ProcessStarterHelper' : [ 0x98, ['unsigned long']],
    'GdiDCAttributeList' : [ 0x9c, ['unsigned long']],
    'LoaderLock' : [ 0xa0, ['unsigned long']],
    'OSMajorVersion' : [ 0xa4, ['unsigned long']],
    'OSMinorVersion' : [ 0xa8, ['unsigned long']],
    'OSBuildNumber' : [ 0xac, ['unsigned short']],
    'OSCSDVersion' : [ 0xae, ['unsigned short']],
    'OSPlatformId' : [ 0xb0, ['unsigned long']],
    'ImageSubsystem' : [ 0xb4, ['unsigned long']],
    'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']],
    'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']],
    'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']],
    'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]],
    'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']],
    'TlsExpansionBitmap' : [ 0x150, ['unsigned long']],
    'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]],
    'SessionId' : [ 0x1d4, ['unsigned long']],
    'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']],
    'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']],
    'pShimData' : [ 0x1e8, ['unsigned long']],
    'AppCompatInfo' : [ 0x1ec, ['unsigned long']],
    'CSDVersion' : [ 0x1f0, ['_STRING32']],
    'ActivationContextData' : [ 0x1f8, ['unsigned long']],
    'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']],
    'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']],
    'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']],
    'MinimumStackCommit' : [ 0x208, ['unsigned long']],
    'FlsCallback' : [ 0x20c, ['unsigned long']],
    'FlsListHead' : [ 0x210, ['LIST_ENTRY32']],
    'FlsBitmap' : [ 0x218, ['unsigned long']],
    'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]],
    'FlsHighIndex' : [ 0x22c, ['unsigned long']],
    'WerRegistrationData' : [ 0x230, ['unsigned long']],
    'WerShipAssertPtr' : [ 0x234, ['unsigned long']],
    'pContextData' : [ 0x238, ['unsigned long']],
    'pImageHeaderHash' : [ 0x23c, ['unsigned long']],
    'TracingFlags' : [ 0x240, ['unsigned long']],
    'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]],
} ],
  '_VPB' : [ 0x60, {
    'Type' : [ 0x0, ['short']],
    'Size' : [ 0x2, ['short']],
    'Flags' : [ 0x4, ['unsigned short']],
    'VolumeLabelLength' : [ 0x6, ['unsigned short']],
    'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]],
    'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]],
    'SerialNumber' : [ 0x18, ['unsigned long']],
    'ReferenceCount' : [ 0x1c, ['unsigned long']],
    'VolumeLabel' : [ 0x20, ['array', 32, ['wchar']]],
} ],
  '_CACHE_DESCRIPTOR' : [ 0xc, {
    'Level' : [ 0x0, ['unsigned char']],
    'Associativity' : [ 0x1, ['unsigned char']],
    'LineSize' : [ 0x2, ['unsigned short']],
    'Size' : [ 0x4, ['unsigned long']],
    'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]],
} ],
  '_FILE_BASIC_INFORMATION' : [ 0x28, {
    'CreationTime' : [ 0x0, ['_LARGE_INTEGER']],
    'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']],
    'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']],
    'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']],
    'FileAttributes' : [ 0x20, ['unsigned long']],
} ],
  '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, {
    'ClientToken' : [ 0x0, ['pointer64', ['void']]],
    'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]],
    'PrimaryToken' : [ 0x10, ['pointer64', ['void']]],
    'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]],
} ],
  '_KBUGCHECK_ACTIVE_STATE' : [ 0x4, {
    'BugCheckState' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]],
    'RecursionCount' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]],
    'BugCheckOwner' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]],
    'Value' : [ 0x0, ['long']],
} ],
  '_PF_KERNEL_GLOBALS' : [ 0x60, {
    'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']],
    'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']],
    'AccessBufferExistsEvent' : [ 0x10, ['_KEVENT']],
    'AccessBufferMax' : [ 0x28, ['unsigned long']],
    'AccessBufferList' : [ 0x40, ['_SLIST_HEADER']],
    'StreamSequenceNumber' : [ 0x50, ['long']],
    'Flags' : [ 0x54, ['unsigned long']],
    'ScenarioPrefetchCount' : [ 0x58, ['long']],
} ],
  '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x8, {
    'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]],
} ],
  '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x8, {
    'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]],
} ],
  '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, {
    'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]],
    'Handler' : [ 0x8, ['pointer64', ['void']]],
} ],
  '_POP_SYSTEM_IDLE' : [ 0x38, {
    'AverageIdleness' : [ 0x0, ['long']],
    'LowestIdleness' : [ 0x4, ['long']],
    'Time' : [ 0x8, ['unsigned long']],
    'Timeout' : [ 0xc, ['unsigned long']],
    'LastUserInput' : [ 0x10, ['unsigned long']],
    'Action' : [ 0x14, ['POWER_ACTION_POLICY']],
    'MinState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]],
    'SystemRequired' : [ 0x24, ['unsigned char']],
    'IdleWorker' : [ 0x25, ['unsigned char']],
    'Sampling' : [ 0x26, ['unsigned char']],
    'LastTick' : [ 0x28, ['unsigned long long']],
    'LastSystemRequiredTime' : [ 0x30, ['unsigned long']],
} ],
  '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0x18, {
    'SharedExportThunks' : [ 0x0, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]],
    'PoolSharedExportThunks' : [ 0x8, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]],
    'OrderDependentSharedExportThunks' : [ 0x10, ['pointer64', ['_VERIFIER_SHARED_EXPORT_THUNK']]],
} ],
  '_ETW_REF_CLOCK' : [ 0x10, {
    'StartTime' : [ 0x0, ['_LARGE_INTEGER']],
    'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']],
} ],
  '_OB_DUPLICATE_OBJECT_STATE' : [ 0x28, {
    'SourceProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]],
    'SourceHandle' : [ 0x8, ['pointer64', ['void']]],
    'Object' : [ 0x10, ['pointer64', ['void']]],
    'TargetAccess' : [ 0x18, ['unsigned long']],
    'ObjectInfo' : [ 0x1c, ['_HANDLE_TABLE_ENTRY_INFO']],
    'HandleAttributes' : [ 0x20, ['unsigned long']],
} ],
  '_MMPTE_SUBSECTION' : [ 0x8, {
    'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]],
    'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]],
    'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]],
    'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]],
    'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]],
    'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]],
} ],
  '_POWER_STATE' : [ 0x4, {
    'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]],
    'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]],
} ],
  '_EFI_FIRMWARE_INFORMATION' : [ 0x18, {
    'FirmwareVersion' : [ 0x0, ['unsigned long']],
    'VirtualEfiRuntimeServices' : [ 0x8, ['pointer64', ['_VIRTUAL_EFI_RUNTIME_SERVICES']]],
    'SetVirtualAddressMapStatus' : [ 0x10, ['long']],
    'MissedMappingsCount' : [ 0x14, ['unsigned long']],
} ],
  '__unnamed_1fa6' : [ 0xc, {
    'Start' : [ 0x0, ['_LARGE_INTEGER']],
    'Length' : [ 0x8, ['unsigned long']],
} ],
  '__unnamed_1fa8' : [ 0x10, {
    'Level' : [ 0x0, ['unsigned short']],
    'Group' : [ 0x2, ['unsigned short']],
    'Vector' : [ 0x4, ['unsigned long']],
    'Affinity' : [ 0x8, ['unsigned long long']],
} ],
  '__unnamed_1faa' : [ 0x10, {
    'Group' : [ 0x0, ['unsigned short']],
    'MessageCount' : [ 0x2, ['unsigned short']],
    'Vector' : [ 0x4, ['unsigned long']],
    'Affinity' : [ 0x8, ['unsigned long long']],
} ],
  '__unnamed_1fac' : [ 0x10, {
    'Raw' : [ 0x0, ['__unnamed_1faa']],
    'Translated' : [ 0x0, ['__unnamed_1fa8']],
} ],
  '__unnamed_1fae' : [ 0xc, {
    'Channel' : [ 0x0, ['unsigned long']],
    'Port' : [ 0x4, ['unsigned long']],
    'Reserved1' : [ 0x8, ['unsigned long']],
} ],
  '__unnamed_1fb0' : [ 0xc, {
    'Start' : [ 0x0, ['unsigned long']],
    'Length' : [ 0x4, ['unsigned long']],
    'Reserved' : [ 0x8, ['unsigned long']],
} ],
  '__unnamed_1fb2' : [ 0xc, {
    'DataSize' : [ 0x0, ['unsigned long']],
    'Reserved1' : [ 0x4, ['unsigned long']],
    'Reserved2' : [ 0x8, ['unsigned long']],
} ],
  '__unnamed_1fb4' : [ 0xc, {
    'Start' : [ 0x0, ['_LARGE_INTEGER']],
    'Length40' : [ 0x8, ['unsigned long']],
} ],
  '__unnamed_1fb6' : [ 0xc, {
    'Start' : [ 0x0, ['_LARGE_INTEGER']],
    'Length48' : [ 0x8, ['unsigned long']],
} ],
  '__unnamed_1fb8' : [ 0xc, {
    'Start' : [ 0x0, ['_LARGE_INTEGER']],
    'Length64' : [ 0x8, ['unsigned long']],
} ],
  '__unnamed_1fba' : [ 0x10, {
    'Generic' : [ 0x0, ['__unnamed_1fa6']],
    'Port' : [ 0x0, ['__unnamed_1fa6']],
    'Interrupt' : [ 0x0, ['__unnamed_1fa8']],
    'MessageInterrupt' : [ 0x0, ['__unnamed_1fac']],
    'Memory' : [ 0x0, ['__unnamed_1fa6']],
    'Dma' : [ 0x0, ['__unnamed_1fae']],
    'DevicePrivate' : [ 0x0, ['__unnamed_1e7b']],
    'BusNumber' : [ 0x0, ['__unnamed_1fb0']],
    'DeviceSpecificData' : [ 0x0, ['__unnamed_1fb2']],
    'Memory40' : [ 0x0, ['__unnamed_1fb4']],
    'Memory48' : [ 0x0, ['__unnamed_1fb6']],
    'Memory64' : [ 0x0, ['__unnamed_1fb8']],
} ],
  '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, {
    'Type' : [ 0x0, ['unsigned char']],
    'ShareDisposition' : [ 0x1, ['unsigned char']],
    'Flags' : [ 0x2, ['unsigned short']],
    'u' : [ 0x4, ['__unnamed_1fba']],
} ],
  '__unnamed_1fbf' : [ 0x4, {
    'PhysicalAddress' : [ 0x0, ['unsigned long']],
    'VirtualSize' : [ 0x0, ['unsigned long']],
} ],
  '_IMAGE_SECTION_HEADER' : [ 0x28, {
    'Name' : [ 0x0, ['array', 8, ['unsigned char']]],
    'Misc' : [ 0x8, ['__unnamed_1fbf']],
    'VirtualAddress' : [ 0xc, ['unsigned long']],
    'SizeOfRawData' : [ 0x10, ['unsigned long']],
    'PointerToRawData' : [ 0x14, ['unsigned long']],
    'PointerToRelocations' : [ 0x18, ['unsigned long']],
    'PointerToLinenumbers' : [ 0x1c, ['unsigned long']],
    'NumberOfRelocations' : [ 0x20, ['unsigned short']],
    'NumberOfLinenumbers' : [ 0x22, ['unsigned short']],
    'Characteristics' : [ 0x24, ['unsigned long']],
} ],
  '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x8, {
    'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]],
} ],
  '__unnamed_1fc9' : [ 0x50, {
    'CellData' : [ 0x0, ['_CELL_DATA']],
    'List' : [ 0x0, ['array', 1, ['unsigned long long']]],
} ],
  '_CM_CACHED_VALUE_INDEX' : [ 0x58, {
    'CellIndex' : [ 0x0, ['unsigned long']],
    'Data' : [ 0x8, ['__unnamed_1fc9']],
} ],
  '_CONFIGURATION_COMPONENT_DATA' : [ 0x48, {
    'Parent' : [ 0x0, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]],
    'Child' : [ 0x8, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]],
    'Sibling' : [ 0x10, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]],
    'ComponentEntry' : [ 0x18, ['_CONFIGURATION_COMPONENT']],
    'ConfigurationData' : [ 0x40, ['pointer64', ['void']]],
} ],
  '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, {
    'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']],
} ],
  '__unnamed_1fd3' : [ 0x8, {
    'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]],
    'Parent' : [ 0x0, ['pointer64', ['_MMSUBSECTION_NODE']]],
} ],
  '_MMSUBSECTION_NODE' : [ 0x28, {
    'u' : [ 0x0, ['__unnamed_1f31']],
    'StartingSector' : [ 0x4, ['unsigned long']],
    'NumberOfFullSectors' : [ 0x8, ['unsigned long']],
    'u1' : [ 0x10, ['__unnamed_1fd3']],
    'LeftChild' : [ 0x18, ['pointer64', ['_MMSUBSECTION_NODE']]],
    'RightChild' : [ 0x20, ['pointer64', ['_MMSUBSECTION_NODE']]],
} ],
  '_VF_AVL_TREE_NODE' : [ 0x10, {
    'p' : [ 0x0, ['pointer64', ['void']]],
    'RangeSize' : [ 0x8, ['unsigned long long']],
} ],
  '__unnamed_1fdb' : [ 0x8, {
    'IdleTime' : [ 0x0, ['unsigned long']],
    'NonIdleTime' : [ 0x4, ['unsigned long']],
} ],
  '__unnamed_1fdd' : [ 0x8, {
    'Disk' : [ 0x0, ['__unnamed_1fdb']],
} ],
  '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x58, {
    'IdleCount' : [ 0x0, ['unsigned long']],
    'BusyCount' : [ 0x4, ['unsigned long']],
    'BusyReference' : [ 0x8, ['unsigned long']],
    'TotalBusyCount' : [ 0xc, ['unsigned long']],
    'ConservationIdleTime' : [ 0x10, ['unsigned long']],
    'PerformanceIdleTime' : [ 0x14, ['unsigned long']],
    'DeviceObject' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]],
    'IdleList' : [ 0x20, ['_LIST_ENTRY']],
    'IdleType' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]],
    'IdleState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]],
    'CurrentState' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]],
    'Volume' : [ 0x40, ['_LIST_ENTRY']],
    'Specific' : [ 0x50, ['__unnamed_1fdd']],
} ],
  '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0x18, {
    'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]],
    'AllocateFromCount' : [ 0x8, ['unsigned long']],
    'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]],
} ],
  '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, {
    'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]],
    'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]],
    'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]],
    'AsUCHAR' : [ 0x0, ['unsigned char']],
} ],
  '_FS_FILTER_CALLBACKS' : [ 0x68, {
    'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']],
    'Reserved' : [ 0x4, ['unsigned long']],
    'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]],
    'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]],
    'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]],
    'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]],
    'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]],
    'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]],
    'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]],
    'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]],
    'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]],
    'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]],
    'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]],
    'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]],
} ],
  '_KENLISTMENT' : [ 0x1e0, {
    'cookie' : [ 0x0, ['unsigned long']],
    'NamespaceLink' : [ 0x8, ['_KTMOBJECT_NAMESPACE_LINK']],
    'EnlistmentId' : [ 0x30, ['_GUID']],
    'Mutex' : [ 0x40, ['_KMUTANT']],
    'NextSameTx' : [ 0x78, ['_LIST_ENTRY']],
    'NextSameRm' : [ 0x88, ['_LIST_ENTRY']],
    'ResourceManager' : [ 0x98, ['pointer64', ['_KRESOURCEMANAGER']]],
    'Transaction' : [ 0xa0, ['pointer64', ['_KTRANSACTION']]],
    'State' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]],
    'Flags' : [ 0xac, ['unsigned long']],
    'NotificationMask' : [ 0xb0, ['unsigned long']],
    'Key' : [ 0xb8, ['pointer64', ['void']]],
    'KeyRefCount' : [ 0xc0, ['unsigned long']],
    'RecoveryInformation' : [ 0xc8, ['pointer64', ['void']]],
    'RecoveryInformationLength' : [ 0xd0, ['unsigned long']],
    'DynamicNameInformation' : [ 0xd8, ['pointer64', ['void']]],
    'DynamicNameInformationLength' : [ 0xe0, ['unsigned long']],
    'FinalNotification' : [ 0xe8, ['pointer64', ['_KTMNOTIFICATION_PACKET']]],
    'SupSubEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]],
    'SupSubEnlHandle' : [ 0xf8, ['pointer64', ['void']]],
    'SubordinateTxHandle' : [ 0x100, ['pointer64', ['void']]],
    'CrmEnlistmentEnId' : [ 0x108, ['_GUID']],
    'CrmEnlistmentTmId' : [ 0x118, ['_GUID']],
    'CrmEnlistmentRmId' : [ 0x128, ['_GUID']],
    'NextHistory' : [ 0x138, ['unsigned long']],
    'History' : [ 0x13c, ['array', 20, ['_KENLISTMENT_HISTORY']]],
} ],
}

volatility-2.3.1/volatility/plugins/overlays/windows/win7_sp01_x64_syscalls.py

# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: MHL
@license: GNU General Public License 2.0
@contact: michael.ligh@mnin.org

This file provides support for Windows 7 SP0 and SP1 x64.
"""

syscalls = [
    [
    'NtMapUserPhysicalPagesScatter', # 0x0
    'NtWaitForSingleObject', # 0x1
    'NtCallbackReturn', # 0x2
    'NtReadFile', # 0x3
    'NtDeviceIoControlFile', # 0x4
    'NtWriteFile', # 0x5
    'NtRemoveIoCompletion', # 0x6
    'NtReleaseSemaphore', # 0x7
    'NtReplyWaitReceivePort', # 0x8
    'NtReplyPort', # 0x9
    'NtSetInformationThread', # 0xa
    'NtSetEvent', # 0xb
    'NtClose', # 0xc
    'NtQueryObject', # 0xd
    'NtQueryInformationFile', # 0xe
    'NtOpenKey', # 0xf
    'NtEnumerateValueKey', # 0x10
    'NtFindAtom', # 0x11
    'NtQueryDefaultLocale', # 0x12
    'NtQueryKey', # 0x13
    'NtQueryValueKey', # 0x14
    'NtAllocateVirtualMemory', # 0x15
    'NtQueryInformationProcess', # 0x16
    'NtWaitForMultipleObjects32', # 0x17
    'NtWriteFileGather', # 0x18
    'NtSetInformationProcess', # 0x19
    'NtCreateKey', # 0x1a
    'NtFreeVirtualMemory', # 0x1b
    'NtImpersonateClientOfPort', # 0x1c
    'NtReleaseMutant', # 0x1d
    'NtQueryInformationToken', # 0x1e
    'NtRequestWaitReplyPort', # 0x1f
    'NtQueryVirtualMemory', # 0x20
    'NtOpenThreadToken', # 0x21
    'NtQueryInformationThread', # 0x22
    'NtOpenProcess', # 0x23
    'NtSetInformationFile', # 0x24
    'NtMapViewOfSection', # 0x25
    'NtAccessCheckAndAuditAlarm', # 0x26
    'NtUnmapViewOfSection', # 0x27
    'NtReplyWaitReceivePortEx', # 0x28
    'NtTerminateProcess', # 0x29
    'NtSetEventBoostPriority', # 0x2a
    'NtReadFileScatter', # 0x2b
    'NtOpenThreadTokenEx', # 0x2c
    'NtOpenProcessTokenEx', # 0x2d
    'NtQueryPerformanceCounter', # 0x2e
    'NtEnumerateKey', # 0x2f
    'NtOpenFile', # 0x30
    'NtDelayExecution', # 0x31
    'NtQueryDirectoryFile', # 0x32
    'NtQuerySystemInformation', # 0x33
    'NtOpenSection', # 0x34
    'NtQueryTimer', # 0x35
    'NtFsControlFile', # 0x36
    'NtWriteVirtualMemory', # 0x37
    'NtCloseObjectAuditAlarm', # 0x38
    'NtDuplicateObject', # 0x39
    'NtQueryAttributesFile', # 0x3a
    'NtClearEvent', # 0x3b
    'NtReadVirtualMemory', # 0x3c
    'NtOpenEvent', # 0x3d
    'NtAdjustPrivilegesToken', # 0x3e
    'NtDuplicateToken', # 0x3f
    'NtContinue', # 0x40
    'NtQueryDefaultUILanguage', # 0x41
    'NtQueueApcThread', # 0x42
    'NtYieldExecution', # 0x43
    'NtAddAtom', # 0x44
    'NtCreateEvent', # 0x45
    'NtQueryVolumeInformationFile', # 0x46
    'NtCreateSection', # 0x47
    'NtFlushBuffersFile', # 0x48
    'NtApphelpCacheControl', # 0x49
    'NtCreateProcessEx', # 0x4a
    'NtCreateThread', # 0x4b
    'NtIsProcessInJob', # 0x4c
    'NtProtectVirtualMemory', # 0x4d
    'NtQuerySection', # 0x4e
    'NtResumeThread', # 0x4f
    'NtTerminateThread', # 0x50
    'NtReadRequestData', # 0x51
    'NtCreateFile', # 0x52
    'NtQueryEvent', # 0x53
    'NtWriteRequestData', # 0x54
    'NtOpenDirectoryObject', # 0x55
    'NtAccessCheckByTypeAndAuditAlarm', # 0x56
    'NtQuerySystemTime', # 0x57
    'NtWaitForMultipleObjects', # 0x58
    'NtSetInformationObject', # 0x59
    'NtCancelIoFile', # 0x5a
    'NtTraceEvent', # 0x5b
    'NtPowerInformation', # 0x5c
    'NtSetValueKey', # 0x5d
    'NtCancelTimer', # 0x5e
    'NtSetTimer', # 0x5f
    'NtAcceptConnectPort', # 0x60
    'NtAccessCheck', # 0x61
    'NtAccessCheckByType', # 0x62
    'NtAccessCheckByTypeResultList', # 0x63
    'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x64
    'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x65
    'NtAddBootEntry', # 0x66
    'NtAddDriverEntry', # 0x67
    'NtAdjustGroupsToken', # 0x68
    'NtAlertResumeThread', # 0x69
    'NtAlertThread', # 0x6a
    'NtAllocateLocallyUniqueId', # 0x6b
    'NtAllocateReserveObject', # 0x6c
    'NtAllocateUserPhysicalPages', # 0x6d
    'NtAllocateUuids', # 0x6e
    'NtAlpcAcceptConnectPort', # 0x6f
    'NtAlpcCancelMessage', # 0x70
    'NtAlpcConnectPort', # 0x71
    'NtAlpcCreatePort', # 0x72
    'NtAlpcCreatePortSection', # 0x73
    'NtAlpcCreateResourceReserve', # 0x74
    'NtAlpcCreateSectionView', # 0x75
    'NtAlpcCreateSecurityContext', # 0x76
    'NtAlpcDeletePortSection', # 0x77
    'NtAlpcDeleteResourceReserve', # 0x78
    'NtAlpcDeleteSectionView', # 0x79
    'NtAlpcDeleteSecurityContext', # 0x7a
    'NtAlpcDisconnectPort', # 0x7b
    'NtAlpcImpersonateClientOfPort', # 0x7c
    'NtAlpcOpenSenderProcess', # 0x7d
    'NtAlpcOpenSenderThread', # 0x7e
    'NtAlpcQueryInformation', # 0x7f
    'NtAlpcQueryInformationMessage', # 0x80
    'NtAlpcRevokeSecurityContext', # 0x81
    'NtAlpcSendWaitReceivePort', # 0x82
    'NtAlpcSetInformation', # 0x83
    'NtAreMappedFilesTheSame', # 0x84
    'NtAssignProcessToJobObject', # 0x85
    'NtCancelIoFileEx', # 0x86
    'NtCancelSynchronousIoFile', # 0x87
    'NtCommitComplete', # 0x88
    'NtCommitEnlistment', # 0x89
    'NtCommitTransaction', # 0x8a
    'NtCompactKeys', # 0x8b
    'NtCompareTokens', # 0x8c
    'NtCompleteConnectPort', # 0x8d
    'NtCompressKey', # 0x8e
    'NtConnectPort', # 0x8f
    'NtCreateDebugObject', # 0x90
    'NtCreateDirectoryObject', # 0x91
    'NtCreateEnlistment', # 0x92
    'NtCreateEventPair', # 0x93
    'NtCreateIoCompletion', # 0x94
    'NtCreateJobObject', # 0x95
    'NtCreateJobSet', # 0x96
    'NtCreateKeyTransacted', # 0x97
    'NtCreateKeyedEvent', # 0x98
    'NtCreateMailslotFile', # 0x99
    'NtCreateMutant', # 0x9a
    'NtCreateNamedPipeFile', # 0x9b
    'NtCreatePagingFile', # 0x9c
    'NtCreatePort', # 0x9d
    'NtCreatePrivateNamespace', # 0x9e
    'NtCreateProcess', # 0x9f
    'NtCreateProfile', # 0xa0
    'NtCreateProfileEx', # 0xa1
    'NtCreateResourceManager', # 0xa2
    'NtCreateSemaphore', # 0xa3
    'NtCreateSymbolicLinkObject', # 0xa4
    'NtCreateThreadEx', # 0xa5
    'NtCreateTimer', # 0xa6
    'NtCreateToken', # 0xa7
    'NtCreateTransaction', # 0xa8
    'NtCreateTransactionManager', # 0xa9
    'NtCreateUserProcess', # 0xaa
    'NtCreateWaitablePort', # 0xab
    'NtCreateWorkerFactory', # 0xac
    'NtDebugActiveProcess', # 0xad
    'NtDebugContinue', # 0xae
    'NtDeleteAtom', # 0xaf
    'NtDeleteBootEntry', # 0xb0
    'NtDeleteDriverEntry', # 0xb1
    'NtDeleteFile', # 0xb2
    'NtDeleteKey', # 0xb3
    'NtDeleteObjectAuditAlarm', # 0xb4
    'NtDeletePrivateNamespace', # 0xb5
    'NtDeleteValueKey', # 0xb6
    'NtDisableLastKnownGood', # 0xb7
    'NtDisplayString', # 0xb8
    'NtDrawText', # 0xb9
    'NtEnableLastKnownGood', # 0xba
    'NtEnumerateBootEntries', # 0xbb
    'NtEnumerateDriverEntries', # 0xbc
    'NtEnumerateSystemEnvironmentValuesEx', # 0xbd
    'NtEnumerateTransactionObject', # 0xbe
    'NtExtendSection', # 0xbf
    'NtFilterToken', # 0xc0
    'NtFlushInstallUILanguage', # 0xc1
    'NtFlushInstructionCache', # 0xc2
    'NtFlushKey', # 0xc3
    'NtFlushProcessWriteBuffers', # 0xc4
    'NtFlushVirtualMemory', # 0xc5
    'NtFlushWriteBuffer', # 0xc6
    'NtFreeUserPhysicalPages', # 0xc7
    'NtFreezeRegistry', # 0xc8
    'NtFreezeTransactions', # 0xc9
    'NtGetContextThread', # 0xca
    'NtGetCurrentProcessorNumber', # 0xcb
    'NtGetDevicePowerState', # 0xcc
    'NtGetMUIRegistryInfo', # 0xcd
    'NtGetNextProcess', # 0xce
    'NtGetNextThread', # 0xcf
    'NtGetNlsSectionPtr', # 0xd0
    'NtGetNotificationResourceManager', # 0xd1
    'NtGetPlugPlayEvent', # 0xd2
    'NtGetWriteWatch', # 0xd3
    'NtImpersonateAnonymousToken', # 0xd4
    'NtImpersonateThread', # 0xd5
    'NtInitializeNlsFiles', # 0xd6
    'NtInitializeRegistry', # 0xd7
    'NtInitiatePowerAction', # 0xd8
    'NtIsSystemResumeAutomatic', # 0xd9
    'NtIsUILanguageComitted', # 0xda
    'NtListenPort', # 0xdb
    'NtLoadDriver', # 0xdc
    'NtLoadKey', # 0xdd
    'NtLoadKey2', # 0xde
    'NtLoadKeyEx', # 0xdf
    'NtLockFile', # 0xe0
    'NtLockProductActivationKeys', # 0xe1
    'NtLockRegistryKey', # 0xe2
    'NtLockVirtualMemory', # 0xe3
    'NtMakePermanentObject', # 0xe4
    'NtMakeTemporaryObject', # 0xe5
    'NtMapCMFModule', # 0xe6
    'NtMapUserPhysicalPages', # 0xe7
    'NtModifyBootEntry', # 0xe8
    'NtModifyDriverEntry', # 0xe9
    'NtNotifyChangeDirectoryFile', # 0xea
    'NtNotifyChangeKey', # 0xeb
    'NtNotifyChangeMultipleKeys', # 0xec
    'NtNotifyChangeSession', # 0xed
    'NtOpenEnlistment', # 0xee
    'NtOpenEventPair', # 0xef
    'NtOpenIoCompletion', # 0xf0
    'NtOpenJobObject', # 0xf1
    'NtOpenKeyEx', # 0xf2
    'NtOpenKeyTransacted', # 0xf3
    'NtOpenKeyTransactedEx', # 0xf4
    'NtOpenKeyedEvent', # 0xf5
    'NtOpenMutant', # 0xf6
    'NtOpenObjectAuditAlarm', # 0xf7
    'NtOpenPrivateNamespace', # 0xf8
    'NtOpenProcessToken', # 0xf9
    'NtOpenResourceManager', # 0xfa
    'NtOpenSemaphore', # 0xfb
    'NtOpenSession', # 0xfc
    'NtOpenSymbolicLinkObject', # 0xfd
    'NtOpenThread', # 0xfe
    'NtOpenTimer', # 0xff
    'NtOpenTransaction', # 0x100
    'NtOpenTransactionManager', # 0x101
    'NtPlugPlayControl', # 0x102
    'NtPrePrepareComplete', # 0x103
    'NtPrePrepareEnlistment', # 0x104
    'NtPrepareComplete', # 0x105
    'NtPrepareEnlistment', # 0x106
    'NtPrivilegeCheck', # 0x107
    'NtPrivilegeObjectAuditAlarm', # 0x108
    'NtPrivilegedServiceAuditAlarm', # 0x109
    'NtPropagationComplete', # 0x10a
    'NtPropagationFailed', # 0x10b
    'NtPulseEvent', # 0x10c
    'NtQueryBootEntryOrder', # 0x10d
    'NtQueryBootOptions', # 0x10e
    'NtQueryDebugFilterState', # 0x10f
    'NtQueryDirectoryObject', # 0x110
    'NtQueryDriverEntryOrder', # 0x111
    'NtQueryEaFile', # 0x112
    'NtQueryFullAttributesFile', # 0x113
    'NtQueryInformationAtom', # 0x114
    'NtQueryInformationEnlistment', # 0x115
    'NtQueryInformationJobObject', # 0x116
    'NtQueryInformationPort', # 0x117
    'NtQueryInformationResourceManager', # 0x118
    'NtQueryInformationTransaction', # 0x119
    'NtQueryInformationTransactionManager', # 0x11a
    'NtQueryInformationWorkerFactory', # 0x11b
    'NtQueryInstallUILanguage', # 0x11c
    'NtQueryIntervalProfile', # 0x11d
    'NtQueryIoCompletion', # 0x11e
    'NtQueryLicenseValue', # 0x11f
    'NtQueryMultipleValueKey', # 0x120
    'NtQueryMutant', # 0x121
    'NtQueryOpenSubKeys', # 0x122
    'NtQueryOpenSubKeysEx', # 0x123
    'NtQueryPortInformationProcess', # 0x124
    'NtQueryQuotaInformationFile', # 0x125
    'NtQuerySecurityAttributesToken', # 0x126
    'NtQuerySecurityObject', # 0x127
    'NtQuerySemaphore', # 0x128
    'NtQuerySymbolicLinkObject', # 0x129
    'NtQuerySystemEnvironmentValue', # 0x12a
    'NtQuerySystemEnvironmentValueEx', # 0x12b
'NtQuerySystemInformationEx', # 0x12c 'NtQueryTimerResolution', # 0x12d 'NtQueueApcThreadEx', # 0x12e 'NtRaiseException', # 0x12f 'NtRaiseHardError', # 0x130 'NtReadOnlyEnlistment', # 0x131 'NtRecoverEnlistment', # 0x132 'NtRecoverResourceManager', # 0x133 'NtRecoverTransactionManager', # 0x134 'NtRegisterProtocolAddressInformation', # 0x135 'NtRegisterThreadTerminatePort', # 0x136 'NtReleaseKeyedEvent', # 0x137 'NtReleaseWorkerFactoryWorker', # 0x138 'NtRemoveIoCompletionEx', # 0x139 'NtRemoveProcessDebug', # 0x13a 'NtRenameKey', # 0x13b 'NtRenameTransactionManager', # 0x13c 'NtReplaceKey', # 0x13d 'NtReplacePartitionUnit', # 0x13e 'NtReplyWaitReplyPort', # 0x13f 'NtRequestPort', # 0x140 'NtResetEvent', # 0x141 'NtResetWriteWatch', # 0x142 'NtRestoreKey', # 0x143 'NtResumeProcess', # 0x144 'NtRollbackComplete', # 0x145 'NtRollbackEnlistment', # 0x146 'NtRollbackTransaction', # 0x147 'NtRollforwardTransactionManager', # 0x148 'NtSaveKey', # 0x149 'NtSaveKeyEx', # 0x14a 'NtSaveMergedKeys', # 0x14b 'NtSecureConnectPort', # 0x14c 'NtSerializeBoot', # 0x14d 'NtSetBootEntryOrder', # 0x14e 'NtSetBootOptions', # 0x14f 'NtSetContextThread', # 0x150 'NtSetDebugFilterState', # 0x151 'NtSetDefaultHardErrorPort', # 0x152 'NtSetDefaultLocale', # 0x153 'NtSetDefaultUILanguage', # 0x154 'NtSetDriverEntryOrder', # 0x155 'NtSetEaFile', # 0x156 'NtSetHighEventPair', # 0x157 'NtSetHighWaitLowEventPair', # 0x158 'NtSetInformationDebugObject', # 0x159 'NtSetInformationEnlistment', # 0x15a 'NtSetInformationJobObject', # 0x15b 'NtSetInformationKey', # 0x15c 'NtSetInformationResourceManager', # 0x15d 'NtSetInformationToken', # 0x15e 'NtSetInformationTransaction', # 0x15f 'NtSetInformationTransactionManager', # 0x160 'NtSetInformationWorkerFactory', # 0x161 'NtSetIntervalProfile', # 0x162 'NtSetIoCompletion', # 0x163 'NtSetIoCompletionEx', # 0x164 'NtSetLdtEntries', # 0x165 'NtSetLowEventPair', # 0x166 'NtSetLowWaitHighEventPair', # 0x167 'NtSetQuotaInformationFile', # 0x168 
'NtSetSecurityObject', # 0x169 'NtSetSystemEnvironmentValue', # 0x16a 'NtSetSystemEnvironmentValueEx', # 0x16b 'NtSetSystemInformation', # 0x16c 'NtSetSystemPowerState', # 0x16d 'NtSetSystemTime', # 0x16e 'NtSetThreadExecutionState', # 0x16f 'NtSetTimerEx', # 0x170 'NtSetTimerResolution', # 0x171 'NtSetUuidSeed', # 0x172 'NtSetVolumeInformationFile', # 0x173 'NtShutdownSystem', # 0x174 'NtShutdownWorkerFactory', # 0x175 'NtSignalAndWaitForSingleObject', # 0x176 'NtSinglePhaseReject', # 0x177 'NtStartProfile', # 0x178 'NtStopProfile', # 0x179 'NtSuspendProcess', # 0x17a 'NtSuspendThread', # 0x17b 'NtSystemDebugControl', # 0x17c 'NtTerminateJobObject', # 0x17d 'NtTestAlert', # 0x17e 'NtThawRegistry', # 0x17f 'NtThawTransactions', # 0x180 'NtTraceControl', # 0x181 'NtTranslateFilePath', # 0x182 'NtUmsThreadYield', # 0x183 'NtUnloadDriver', # 0x184 'NtUnloadKey', # 0x185 'NtUnloadKey2', # 0x186 'NtUnloadKeyEx', # 0x187 'NtUnlockFile', # 0x188 'NtUnlockVirtualMemory', # 0x189 'NtVdmControl', # 0x18a 'NtWaitForDebugEvent', # 0x18b 'NtWaitForKeyedEvent', # 0x18c 'NtWaitForWorkViaWorkerFactory', # 0x18d 'NtWaitHighEventPair', # 0x18e 'NtWaitLowEventPair', # 0x18f 'NtWorkerFactoryWorkerReady', # 0x190 ], [ 'NtUserGetThreadState', # 0x0 'NtUserPeekMessage', # 0x1 'NtUserCallOneParam', # 0x2 'NtUserGetKeyState', # 0x3 'NtUserInvalidateRect', # 0x4 'NtUserCallNoParam', # 0x5 'NtUserGetMessage', # 0x6 'NtUserMessageCall', # 0x7 'NtGdiBitBlt', # 0x8 'NtGdiGetCharSet', # 0x9 'NtUserGetDC', # 0xa 'NtGdiSelectBitmap', # 0xb 'NtUserWaitMessage', # 0xc 'NtUserTranslateMessage', # 0xd 'NtUserGetProp', # 0xe 'NtUserPostMessage', # 0xf 'NtUserQueryWindow', # 0x10 'NtUserTranslateAccelerator', # 0x11 'NtGdiFlush', # 0x12 'NtUserRedrawWindow', # 0x13 'NtUserWindowFromPoint', # 0x14 'NtUserCallMsgFilter', # 0x15 'NtUserValidateTimerCallback', # 0x16 'NtUserBeginPaint', # 0x17 'NtUserSetTimer', # 0x18 'NtUserEndPaint', # 0x19 'NtUserSetCursor', # 0x1a 'NtUserKillTimer', # 0x1b 
'NtUserBuildHwndList', # 0x1c 'NtUserSelectPalette', # 0x1d 'NtUserCallNextHookEx', # 0x1e 'NtUserHideCaret', # 0x1f 'NtGdiIntersectClipRect', # 0x20 'NtUserCallHwndLock', # 0x21 'NtUserGetProcessWindowStation', # 0x22 'NtGdiDeleteObjectApp', # 0x23 'NtUserSetWindowPos', # 0x24 'NtUserShowCaret', # 0x25 'NtUserEndDeferWindowPosEx', # 0x26 'NtUserCallHwndParamLock', # 0x27 'NtUserVkKeyScanEx', # 0x28 'NtGdiSetDIBitsToDeviceInternal', # 0x29 'NtUserCallTwoParam', # 0x2a 'NtGdiGetRandomRgn', # 0x2b 'NtUserCopyAcceleratorTable', # 0x2c 'NtUserNotifyWinEvent', # 0x2d 'NtGdiExtSelectClipRgn', # 0x2e 'NtUserIsClipboardFormatAvailable', # 0x2f 'NtUserSetScrollInfo', # 0x30 'NtGdiStretchBlt', # 0x31 'NtUserCreateCaret', # 0x32 'NtGdiRectVisible', # 0x33 'NtGdiCombineRgn', # 0x34 'NtGdiGetDCObject', # 0x35 'NtUserDispatchMessage', # 0x36 'NtUserRegisterWindowMessage', # 0x37 'NtGdiExtTextOutW', # 0x38 'NtGdiSelectFont', # 0x39 'NtGdiRestoreDC', # 0x3a 'NtGdiSaveDC', # 0x3b 'NtUserGetForegroundWindow', # 0x3c 'NtUserShowScrollBar', # 0x3d 'NtUserFindExistingCursorIcon', # 0x3e 'NtGdiGetDCDword', # 0x3f 'NtGdiGetRegionData', # 0x40 'NtGdiLineTo', # 0x41 'NtUserSystemParametersInfo', # 0x42 'NtGdiGetAppClipBox', # 0x43 'NtUserGetAsyncKeyState', # 0x44 'NtUserGetCPD', # 0x45 'NtUserRemoveProp', # 0x46 'NtGdiDoPalette', # 0x47 'NtGdiPolyPolyDraw', # 0x48 'NtUserSetCapture', # 0x49 'NtUserEnumDisplayMonitors', # 0x4a 'NtGdiCreateCompatibleBitmap', # 0x4b 'NtUserSetProp', # 0x4c 'NtGdiGetTextCharsetInfo', # 0x4d 'NtUserSBGetParms', # 0x4e 'NtUserGetIconInfo', # 0x4f 'NtUserExcludeUpdateRgn', # 0x50 'NtUserSetFocus', # 0x51 'NtGdiExtGetObjectW', # 0x52 'NtUserDeferWindowPos', # 0x53 'NtUserGetUpdateRect', # 0x54 'NtGdiCreateCompatibleDC', # 0x55 'NtUserGetClipboardSequenceNumber', # 0x56 'NtGdiCreatePen', # 0x57 'NtUserShowWindow', # 0x58 'NtUserGetKeyboardLayoutList', # 0x59 'NtGdiPatBlt', # 0x5a 'NtUserMapVirtualKeyEx', # 0x5b 'NtUserSetWindowLong', # 0x5c 'NtGdiHfontCreate', # 
0x5d 'NtUserMoveWindow', # 0x5e 'NtUserPostThreadMessage', # 0x5f 'NtUserDrawIconEx', # 0x60 'NtUserGetSystemMenu', # 0x61 'NtGdiDrawStream', # 0x62 'NtUserInternalGetWindowText', # 0x63 'NtUserGetWindowDC', # 0x64 'NtGdiD3dDrawPrimitives2', # 0x65 'NtGdiInvertRgn', # 0x66 'NtGdiGetRgnBox', # 0x67 'NtGdiGetAndSetDCDword', # 0x68 'NtGdiMaskBlt', # 0x69 'NtGdiGetWidthTable', # 0x6a 'NtUserScrollDC', # 0x6b 'NtUserGetObjectInformation', # 0x6c 'NtGdiCreateBitmap', # 0x6d 'NtUserFindWindowEx', # 0x6e 'NtGdiPolyPatBlt', # 0x6f 'NtUserUnhookWindowsHookEx', # 0x70 'NtGdiGetNearestColor', # 0x71 'NtGdiTransformPoints', # 0x72 'NtGdiGetDCPoint', # 0x73 'NtGdiCreateDIBBrush', # 0x74 'NtGdiGetTextMetricsW', # 0x75 'NtUserCreateWindowEx', # 0x76 'NtUserSetParent', # 0x77 'NtUserGetKeyboardState', # 0x78 'NtUserToUnicodeEx', # 0x79 'NtUserGetControlBrush', # 0x7a 'NtUserGetClassName', # 0x7b 'NtGdiAlphaBlend', # 0x7c 'NtGdiDdBlt', # 0x7d 'NtGdiOffsetRgn', # 0x7e 'NtUserDefSetText', # 0x7f 'NtGdiGetTextFaceW', # 0x80 'NtGdiStretchDIBitsInternal', # 0x81 'NtUserSendInput', # 0x82 'NtUserGetThreadDesktop', # 0x83 'NtGdiCreateRectRgn', # 0x84 'NtGdiGetDIBitsInternal', # 0x85 'NtUserGetUpdateRgn', # 0x86 'NtGdiDeleteClientObj', # 0x87 'NtUserGetIconSize', # 0x88 'NtUserFillWindow', # 0x89 'NtGdiExtCreateRegion', # 0x8a 'NtGdiComputeXformCoefficients', # 0x8b 'NtUserSetWindowsHookEx', # 0x8c 'NtUserNotifyProcessCreate', # 0x8d 'NtGdiUnrealizeObject', # 0x8e 'NtUserGetTitleBarInfo', # 0x8f 'NtGdiRectangle', # 0x90 'NtUserSetThreadDesktop', # 0x91 'NtUserGetDCEx', # 0x92 'NtUserGetScrollBarInfo', # 0x93 'NtGdiGetTextExtent', # 0x94 'NtUserSetWindowFNID', # 0x95 'NtGdiSetLayout', # 0x96 'NtUserCalcMenuBar', # 0x97 'NtUserThunkedMenuItemInfo', # 0x98 'NtGdiExcludeClipRect', # 0x99 'NtGdiCreateDIBSection', # 0x9a 'NtGdiGetDCforBitmap', # 0x9b 'NtUserDestroyCursor', # 0x9c 'NtUserDestroyWindow', # 0x9d 'NtUserCallHwndParam', # 0x9e 'NtGdiCreateDIBitmapInternal', # 0x9f 
'NtUserOpenWindowStation', # 0xa0 'NtGdiDdDeleteSurfaceObject', # 0xa1 'NtGdiDdCanCreateSurface', # 0xa2 'NtGdiDdCreateSurface', # 0xa3 'NtUserSetCursorIconData', # 0xa4 'NtGdiDdDestroySurface', # 0xa5 'NtUserCloseDesktop', # 0xa6 'NtUserOpenDesktop', # 0xa7 'NtUserSetProcessWindowStation', # 0xa8 'NtUserGetAtomName', # 0xa9 'NtGdiDdResetVisrgn', # 0xaa 'NtGdiExtCreatePen', # 0xab 'NtGdiCreatePaletteInternal', # 0xac 'NtGdiSetBrushOrg', # 0xad 'NtUserBuildNameList', # 0xae 'NtGdiSetPixel', # 0xaf 'NtUserRegisterClassExWOW', # 0xb0 'NtGdiCreatePatternBrushInternal', # 0xb1 'NtUserGetAncestor', # 0xb2 'NtGdiGetOutlineTextMetricsInternalW', # 0xb3 'NtGdiSetBitmapBits', # 0xb4 'NtUserCloseWindowStation', # 0xb5 'NtUserGetDoubleClickTime', # 0xb6 'NtUserEnableScrollBar', # 0xb7 'NtGdiCreateSolidBrush', # 0xb8 'NtUserGetClassInfoEx', # 0xb9 'NtGdiCreateClientObj', # 0xba 'NtUserUnregisterClass', # 0xbb 'NtUserDeleteMenu', # 0xbc 'NtGdiRectInRegion', # 0xbd 'NtUserScrollWindowEx', # 0xbe 'NtGdiGetPixel', # 0xbf 'NtUserSetClassLong', # 0xc0 'NtUserGetMenuBarInfo', # 0xc1 'NtGdiDdCreateSurfaceEx', # 0xc2 'NtGdiDdCreateSurfaceObject', # 0xc3 'NtGdiGetNearestPaletteIndex', # 0xc4 'NtGdiDdLockD3D', # 0xc5 'NtGdiDdUnlockD3D', # 0xc6 'NtGdiGetCharWidthW', # 0xc7 'NtUserInvalidateRgn', # 0xc8 'NtUserGetClipboardOwner', # 0xc9 'NtUserSetWindowRgn', # 0xca 'NtUserBitBltSysBmp', # 0xcb 'NtGdiGetCharWidthInfo', # 0xcc 'NtUserValidateRect', # 0xcd 'NtUserCloseClipboard', # 0xce 'NtUserOpenClipboard', # 0xcf 'NtGdiGetStockObject', # 0xd0 'NtUserSetClipboardData', # 0xd1 'NtUserEnableMenuItem', # 0xd2 'NtUserAlterWindowStyle', # 0xd3 'NtGdiFillRgn', # 0xd4 'NtUserGetWindowPlacement', # 0xd5 'NtGdiModifyWorldTransform', # 0xd6 'NtGdiGetFontData', # 0xd7 'NtUserGetOpenClipboardWindow', # 0xd8 'NtUserSetThreadState', # 0xd9 'NtGdiOpenDCW', # 0xda 'NtUserTrackMouseEvent', # 0xdb 'NtGdiGetTransform', # 0xdc 'NtUserDestroyMenu', # 0xdd 'NtGdiGetBitmapBits', # 0xde 'NtUserConsoleControl', # 
0xdf 'NtUserSetActiveWindow', # 0xe0 'NtUserSetInformationThread', # 0xe1 'NtUserSetWindowPlacement', # 0xe2 'NtUserGetControlColor', # 0xe3 'NtGdiSetMetaRgn', # 0xe4 'NtGdiSetMiterLimit', # 0xe5 'NtGdiSetVirtualResolution', # 0xe6 'NtGdiGetRasterizerCaps', # 0xe7 'NtUserSetWindowWord', # 0xe8 'NtUserGetClipboardFormatName', # 0xe9 'NtUserRealInternalGetMessage', # 0xea 'NtUserCreateLocalMemHandle', # 0xeb 'NtUserAttachThreadInput', # 0xec 'NtGdiCreateHalftonePalette', # 0xed 'NtUserPaintMenuBar', # 0xee 'NtUserSetKeyboardState', # 0xef 'NtGdiCombineTransform', # 0xf0 'NtUserCreateAcceleratorTable', # 0xf1 'NtUserGetCursorFrameInfo', # 0xf2 'NtUserGetAltTabInfo', # 0xf3 'NtUserGetCaretBlinkTime', # 0xf4 'NtGdiQueryFontAssocInfo', # 0xf5 'NtUserProcessConnect', # 0xf6 'NtUserEnumDisplayDevices', # 0xf7 'NtUserEmptyClipboard', # 0xf8 'NtUserGetClipboardData', # 0xf9 'NtUserRemoveMenu', # 0xfa 'NtGdiSetBoundsRect', # 0xfb 'NtGdiGetBitmapDimension', # 0xfc 'NtUserConvertMemHandle', # 0xfd 'NtUserDestroyAcceleratorTable', # 0xfe 'NtUserGetGUIThreadInfo', # 0xff 'NtGdiCloseFigure', # 0x100 'NtUserSetWindowsHookAW', # 0x101 'NtUserSetMenuDefaultItem', # 0x102 'NtUserCheckMenuItem', # 0x103 'NtUserSetWinEventHook', # 0x104 'NtUserUnhookWinEvent', # 0x105 'NtUserLockWindowUpdate', # 0x106 'NtUserSetSystemMenu', # 0x107 'NtUserThunkedMenuInfo', # 0x108 'NtGdiBeginPath', # 0x109 'NtGdiEndPath', # 0x10a 'NtGdiFillPath', # 0x10b 'NtUserCallHwnd', # 0x10c 'NtUserDdeInitialize', # 0x10d 'NtUserModifyUserStartupInfoFlags', # 0x10e 'NtUserCountClipboardFormats', # 0x10f 'NtGdiAddFontMemResourceEx', # 0x110 'NtGdiEqualRgn', # 0x111 'NtGdiGetSystemPaletteUse', # 0x112 'NtGdiRemoveFontMemResourceEx', # 0x113 'NtUserEnumDisplaySettings', # 0x114 'NtUserPaintDesktop', # 0x115 'NtGdiExtEscape', # 0x116 'NtGdiSetBitmapDimension', # 0x117 'NtGdiSetFontEnumeration', # 0x118 'NtUserChangeClipboardChain', # 0x119 'NtUserSetClipboardViewer', # 0x11a 'NtUserShowWindowAsync', # 0x11b 
'NtGdiCreateColorSpace', # 0x11c 'NtGdiDeleteColorSpace', # 0x11d 'NtUserActivateKeyboardLayout', # 0x11e 'NtGdiAbortDoc', # 0x11f 'NtGdiAbortPath', # 0x120 'NtGdiAddEmbFontToDC', # 0x121 'NtGdiAddFontResourceW', # 0x122 'NtGdiAddRemoteFontToDC', # 0x123 'NtGdiAddRemoteMMInstanceToDC', # 0x124 'NtGdiAngleArc', # 0x125 'NtGdiAnyLinkedFonts', # 0x126 'NtGdiArcInternal', # 0x127 'NtGdiBRUSHOBJ_DeleteRbrush', # 0x128 'NtGdiBRUSHOBJ_hGetColorTransform', # 0x129 'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x12a 'NtGdiBRUSHOBJ_pvGetRbrush', # 0x12b 'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x12c 'NtGdiBeginGdiRendering', # 0x12d 'NtGdiCLIPOBJ_bEnum', # 0x12e 'NtGdiCLIPOBJ_cEnumStart', # 0x12f 'NtGdiCLIPOBJ_ppoGetPath', # 0x130 'NtGdiCancelDC', # 0x131 'NtGdiChangeGhostFont', # 0x132 'NtGdiCheckBitmapBits', # 0x133 'NtGdiClearBitmapAttributes', # 0x134 'NtGdiClearBrushAttributes', # 0x135 'NtGdiColorCorrectPalette', # 0x136 'NtGdiConfigureOPMProtectedOutput', # 0x137 'NtGdiConvertMetafileRect', # 0x138 'NtGdiCreateBitmapFromDxSurface', # 0x139 'NtGdiCreateColorTransform', # 0x13a 'NtGdiCreateEllipticRgn', # 0x13b 'NtGdiCreateHatchBrushInternal', # 0x13c 'NtGdiCreateMetafileDC', # 0x13d 'NtGdiCreateOPMProtectedOutputs', # 0x13e 'NtGdiCreateRoundRectRgn', # 0x13f 'NtGdiCreateServerMetaFile', # 0x140 'NtGdiD3dContextCreate', # 0x141 'NtGdiD3dContextDestroy', # 0x142 'NtGdiD3dContextDestroyAll', # 0x143 'NtGdiD3dValidateTextureStageState', # 0x144 'NtGdiDDCCIGetCapabilitiesString', # 0x145 'NtGdiDDCCIGetCapabilitiesStringLength', # 0x146 'NtGdiDDCCIGetTimingReport', # 0x147 'NtGdiDDCCIGetVCPFeature', # 0x148 'NtGdiDDCCISaveCurrentSettings', # 0x149 'NtGdiDDCCISetVCPFeature', # 0x14a 'NtGdiDdAddAttachedSurface', # 0x14b 'NtGdiDdAlphaBlt', # 0x14c 'NtGdiDdAttachSurface', # 0x14d 'NtGdiDdBeginMoCompFrame', # 0x14e 'NtGdiDdCanCreateD3DBuffer', # 0x14f 'NtGdiDdColorControl', # 0x150 'NtGdiDdCreateD3DBuffer', # 0x151 'NtGdiDdCreateDirectDrawObject', # 0x152 'NtGdiDdCreateFullscreenSprite', # 0x153 
'NtGdiDdCreateMoComp', # 0x154 'NtGdiDdDDIAcquireKeyedMutex', # 0x155 'NtGdiDdDDICheckExclusiveOwnership', # 0x156 'NtGdiDdDDICheckMonitorPowerState', # 0x157 'NtGdiDdDDICheckOcclusion', # 0x158 'NtGdiDdDDICheckSharedResourceAccess', # 0x159 'NtGdiDdDDICheckVidPnExclusiveOwnership', # 0x15a 'NtGdiDdDDICloseAdapter', # 0x15b 'NtGdiDdDDIConfigureSharedResource', # 0x15c 'NtGdiDdDDICreateAllocation', # 0x15d 'NtGdiDdDDICreateContext', # 0x15e 'NtGdiDdDDICreateDCFromMemory', # 0x15f 'NtGdiDdDDICreateDevice', # 0x160 'NtGdiDdDDICreateKeyedMutex', # 0x161 'NtGdiDdDDICreateOverlay', # 0x162 'NtGdiDdDDICreateSynchronizationObject', # 0x163 'NtGdiDdDDIDestroyAllocation', # 0x164 'NtGdiDdDDIDestroyContext', # 0x165 'NtGdiDdDDIDestroyDCFromMemory', # 0x166 'NtGdiDdDDIDestroyDevice', # 0x167 'NtGdiDdDDIDestroyKeyedMutex', # 0x168 'NtGdiDdDDIDestroyOverlay', # 0x169 'NtGdiDdDDIDestroySynchronizationObject', # 0x16a 'NtGdiDdDDIEscape', # 0x16b 'NtGdiDdDDIFlipOverlay', # 0x16c 'NtGdiDdDDIGetContextSchedulingPriority', # 0x16d 'NtGdiDdDDIGetDeviceState', # 0x16e 'NtGdiDdDDIGetDisplayModeList', # 0x16f 'NtGdiDdDDIGetMultisampleMethodList', # 0x170 'NtGdiDdDDIGetOverlayState', # 0x171 'NtGdiDdDDIGetPresentHistory', # 0x172 'NtGdiDdDDIGetPresentQueueEvent', # 0x173 'NtGdiDdDDIGetProcessSchedulingPriorityClass', # 0x174 'NtGdiDdDDIGetRuntimeData', # 0x175 'NtGdiDdDDIGetScanLine', # 0x176 'NtGdiDdDDIGetSharedPrimaryHandle', # 0x177 'NtGdiDdDDIInvalidateActiveVidPn', # 0x178 'NtGdiDdDDILock', # 0x179 'NtGdiDdDDIOpenAdapterFromDeviceName', # 0x17a 'NtGdiDdDDIOpenAdapterFromHdc', # 0x17b 'NtGdiDdDDIOpenKeyedMutex', # 0x17c 'NtGdiDdDDIOpenResource', # 0x17d 'NtGdiDdDDIOpenSynchronizationObject', # 0x17e 'NtGdiDdDDIPollDisplayChildren', # 0x17f 'NtGdiDdDDIPresent', # 0x180 'NtGdiDdDDIQueryAdapterInfo', # 0x181 'NtGdiDdDDIQueryAllocationResidency', # 0x182 'NtGdiDdDDIQueryResourceInfo', # 0x183 'NtGdiDdDDIQueryStatistics', # 0x184 'NtGdiDdDDIReleaseKeyedMutex', # 0x185 
'NtGdiDdDDIReleaseProcessVidPnSourceOwners', # 0x186 'NtGdiDdDDIRender', # 0x187 'NtGdiDdDDISetAllocationPriority', # 0x188 'NtGdiDdDDISetContextSchedulingPriority', # 0x189 'NtGdiDdDDISetDisplayMode', # 0x18a 'NtGdiDdDDISetDisplayPrivateDriverFormat', # 0x18b 'NtGdiDdDDISetGammaRamp', # 0x18c 'NtGdiDdDDISetProcessSchedulingPriorityClass', # 0x18d 'NtGdiDdDDISetQueuedLimit', # 0x18e 'NtGdiDdDDISetVidPnSourceOwner', # 0x18f 'NtGdiDdDDISharedPrimaryLockNotification', # 0x190 'NtGdiDdDDISharedPrimaryUnLockNotification', # 0x191 'NtGdiDdDDISignalSynchronizationObject', # 0x192 'NtGdiDdDDIUnlock', # 0x193 'NtGdiDdDDIUpdateOverlay', # 0x194 'NtGdiDdDDIWaitForIdle', # 0x195 'NtGdiDdDDIWaitForSynchronizationObject', # 0x196 'NtGdiDdDDIWaitForVerticalBlankEvent', # 0x197 'NtGdiDdDeleteDirectDrawObject', # 0x198 'NtGdiDdDestroyD3DBuffer', # 0x199 'NtGdiDdDestroyFullscreenSprite', # 0x19a 'NtGdiDdDestroyMoComp', # 0x19b 'NtGdiDdEndMoCompFrame', # 0x19c 'NtGdiDdFlip', # 0x19d 'NtGdiDdFlipToGDISurface', # 0x19e 'NtGdiDdGetAvailDriverMemory', # 0x19f 'NtGdiDdGetBltStatus', # 0x1a0 'NtGdiDdGetDC', # 0x1a1 'NtGdiDdGetDriverInfo', # 0x1a2 'NtGdiDdGetDriverState', # 0x1a3 'NtGdiDdGetDxHandle', # 0x1a4 'NtGdiDdGetFlipStatus', # 0x1a5 'NtGdiDdGetInternalMoCompInfo', # 0x1a6 'NtGdiDdGetMoCompBuffInfo', # 0x1a7 'NtGdiDdGetMoCompFormats', # 0x1a8 'NtGdiDdGetMoCompGuids', # 0x1a9 'NtGdiDdGetScanLine', # 0x1aa 'NtGdiDdLock', # 0x1ab 'NtGdiDdNotifyFullscreenSpriteUpdate', # 0x1ac 'NtGdiDdQueryDirectDrawObject', # 0x1ad 'NtGdiDdQueryMoCompStatus', # 0x1ae 'NtGdiDdQueryVisRgnUniqueness', # 0x1af 'NtGdiDdReenableDirectDrawObject', # 0x1b0 'NtGdiDdReleaseDC', # 0x1b1 'NtGdiDdRenderMoComp', # 0x1b2 'NtGdiDdSetColorKey', # 0x1b3 'NtGdiDdSetExclusiveMode', # 0x1b4 'NtGdiDdSetGammaRamp', # 0x1b5 'NtGdiDdSetOverlayPosition', # 0x1b6 'NtGdiDdUnattachSurface', # 0x1b7 'NtGdiDdUnlock', # 0x1b8 'NtGdiDdUpdateOverlay', # 0x1b9 'NtGdiDdWaitForVerticalBlank', # 0x1ba 'NtGdiDeleteColorTransform', # 0x1bb 
'NtGdiDescribePixelFormat', # 0x1bc 'NtGdiDestroyOPMProtectedOutput', # 0x1bd 'NtGdiDestroyPhysicalMonitor', # 0x1be 'NtGdiDoBanding', # 0x1bf 'NtGdiDrawEscape', # 0x1c0 'NtGdiDvpAcquireNotification', # 0x1c1 'NtGdiDvpCanCreateVideoPort', # 0x1c2 'NtGdiDvpColorControl', # 0x1c3 'NtGdiDvpCreateVideoPort', # 0x1c4 'NtGdiDvpDestroyVideoPort', # 0x1c5 'NtGdiDvpFlipVideoPort', # 0x1c6 'NtGdiDvpGetVideoPortBandwidth', # 0x1c7 'NtGdiDvpGetVideoPortConnectInfo', # 0x1c8 'NtGdiDvpGetVideoPortField', # 0x1c9 'NtGdiDvpGetVideoPortFlipStatus', # 0x1ca 'NtGdiDvpGetVideoPortInputFormats', # 0x1cb 'NtGdiDvpGetVideoPortLine', # 0x1cc 'NtGdiDvpGetVideoPortOutputFormats', # 0x1cd 'NtGdiDvpGetVideoSignalStatus', # 0x1ce 'NtGdiDvpReleaseNotification', # 0x1cf 'NtGdiDvpUpdateVideoPort', # 0x1d0 'NtGdiDvpWaitForVideoPortSync', # 0x1d1 'NtGdiDxgGenericThunk', # 0x1d2 'NtGdiEllipse', # 0x1d3 'NtGdiEnableEudc', # 0x1d4 'NtGdiEndDoc', # 0x1d5 'NtGdiEndGdiRendering', # 0x1d6 'NtGdiEndPage', # 0x1d7 'NtGdiEngAlphaBlend', # 0x1d8 'NtGdiEngAssociateSurface', # 0x1d9 'NtGdiEngBitBlt', # 0x1da 'NtGdiEngCheckAbort', # 0x1db 'NtGdiEngComputeGlyphSet', # 0x1dc 'NtGdiEngCopyBits', # 0x1dd 'NtGdiEngCreateBitmap', # 0x1de 'NtGdiEngCreateClip', # 0x1df 'NtGdiEngCreateDeviceBitmap', # 0x1e0 'NtGdiEngCreateDeviceSurface', # 0x1e1 'NtGdiEngCreatePalette', # 0x1e2 'NtGdiEngDeleteClip', # 0x1e3 'NtGdiEngDeletePalette', # 0x1e4 'NtGdiEngDeletePath', # 0x1e5 'NtGdiEngDeleteSurface', # 0x1e6 'NtGdiEngEraseSurface', # 0x1e7 'NtGdiEngFillPath', # 0x1e8 'NtGdiEngGradientFill', # 0x1e9 'NtGdiEngLineTo', # 0x1ea 'NtGdiEngLockSurface', # 0x1eb 'NtGdiEngMarkBandingSurface', # 0x1ec 'NtGdiEngPaint', # 0x1ed 'NtGdiEngPlgBlt', # 0x1ee 'NtGdiEngStretchBlt', # 0x1ef 'NtGdiEngStretchBltROP', # 0x1f0 'NtGdiEngStrokeAndFillPath', # 0x1f1 'NtGdiEngStrokePath', # 0x1f2 'NtGdiEngTextOut', # 0x1f3 'NtGdiEngTransparentBlt', # 0x1f4 'NtGdiEngUnlockSurface', # 0x1f5 'NtGdiEnumFonts', # 0x1f6 'NtGdiEnumObjects', # 0x1f7 
'NtGdiEudcLoadUnloadLink', # 0x1f8 'NtGdiExtFloodFill', # 0x1f9 'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x1fa 'NtGdiFONTOBJ_cGetGlyphs', # 0x1fb 'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x1fc 'NtGdiFONTOBJ_pfdg', # 0x1fd 'NtGdiFONTOBJ_pifi', # 0x1fe 'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x1ff 'NtGdiFONTOBJ_pxoGetXform', # 0x200 'NtGdiFONTOBJ_vGetInfo', # 0x201 'NtGdiFlattenPath', # 0x202 'NtGdiFontIsLinked', # 0x203 'NtGdiForceUFIMapping', # 0x204 'NtGdiFrameRgn', # 0x205 'NtGdiFullscreenControl', # 0x206 'NtGdiGetBoundsRect', # 0x207 'NtGdiGetCOPPCompatibleOPMInformation', # 0x208 'NtGdiGetCertificate', # 0x209 'NtGdiGetCertificateSize', # 0x20a 'NtGdiGetCharABCWidthsW', # 0x20b 'NtGdiGetCharacterPlacementW', # 0x20c 'NtGdiGetColorAdjustment', # 0x20d 'NtGdiGetColorSpaceforBitmap', # 0x20e 'NtGdiGetDeviceCaps', # 0x20f 'NtGdiGetDeviceCapsAll', # 0x210 'NtGdiGetDeviceGammaRamp', # 0x211 'NtGdiGetDeviceWidth', # 0x212 'NtGdiGetDhpdev', # 0x213 'NtGdiGetETM', # 0x214 'NtGdiGetEmbUFI', # 0x215 'NtGdiGetEmbedFonts', # 0x216 'NtGdiGetEudcTimeStampEx', # 0x217 'NtGdiGetFontFileData', # 0x218 'NtGdiGetFontFileInfo', # 0x219 'NtGdiGetFontResourceInfoInternalW', # 0x21a 'NtGdiGetFontUnicodeRanges', # 0x21b 'NtGdiGetGlyphIndicesW', # 0x21c 'NtGdiGetGlyphIndicesWInternal', # 0x21d 'NtGdiGetGlyphOutline', # 0x21e 'NtGdiGetKerningPairs', # 0x21f 'NtGdiGetLinkedUFIs', # 0x220 'NtGdiGetMiterLimit', # 0x221 'NtGdiGetMonitorID', # 0x222 'NtGdiGetNumberOfPhysicalMonitors', # 0x223 'NtGdiGetOPMInformation', # 0x224 'NtGdiGetOPMRandomNumber', # 0x225 'NtGdiGetObjectBitmapHandle', # 0x226 'NtGdiGetPath', # 0x227 'NtGdiGetPerBandInfo', # 0x228 'NtGdiGetPhysicalMonitorDescription', # 0x229 'NtGdiGetPhysicalMonitors', # 0x22a 'NtGdiGetRealizationInfo', # 0x22b 'NtGdiGetServerMetaFileBits', # 0x22c 'NtGdiGetSpoolMessage', # 0x22d 'NtGdiGetStats', # 0x22e 'NtGdiGetStringBitmapW', # 0x22f 'NtGdiGetSuggestedOPMProtectedOutputArraySize', # 0x230 'NtGdiGetTextExtentExW', # 0x231 'NtGdiGetUFI', # 0x232 
'NtGdiGetUFIPathname', # 0x233 'NtGdiGradientFill', # 0x234 'NtGdiHLSurfGetInformation', # 0x235 'NtGdiHLSurfSetInformation', # 0x236 'NtGdiHT_Get8BPPFormatPalette', # 0x237 'NtGdiHT_Get8BPPMaskPalette', # 0x238 'NtGdiIcmBrushInfo', # 0x239 'NtGdiInit', # 0x23a 'NtGdiInitSpool', # 0x23b 'NtGdiMakeFontDir', # 0x23c 'NtGdiMakeInfoDC', # 0x23d 'NtGdiMakeObjectUnXferable', # 0x23e 'NtGdiMakeObjectXferable', # 0x23f 'NtGdiMirrorWindowOrg', # 0x240 'NtGdiMonoBitmap', # 0x241 'NtGdiMoveTo', # 0x242 'NtGdiOffsetClipRgn', # 0x243 'NtGdiPATHOBJ_bEnum', # 0x244 'NtGdiPATHOBJ_bEnumClipLines', # 0x245 'NtGdiPATHOBJ_vEnumStart', # 0x246 'NtGdiPATHOBJ_vEnumStartClipLines', # 0x247 'NtGdiPATHOBJ_vGetBounds', # 0x248 'NtGdiPathToRegion', # 0x249 'NtGdiPlgBlt', # 0x24a 'NtGdiPolyDraw', # 0x24b 'NtGdiPolyTextOutW', # 0x24c 'NtGdiPtInRegion', # 0x24d 'NtGdiPtVisible', # 0x24e 'NtGdiQueryFonts', # 0x24f 'NtGdiRemoveFontResourceW', # 0x250 'NtGdiRemoveMergeFont', # 0x251 'NtGdiResetDC', # 0x252 'NtGdiResizePalette', # 0x253 'NtGdiRoundRect', # 0x254 'NtGdiSTROBJ_bEnum', # 0x255 'NtGdiSTROBJ_bEnumPositionsOnly', # 0x256 'NtGdiSTROBJ_bGetAdvanceWidths', # 0x257 'NtGdiSTROBJ_dwGetCodePage', # 0x258 'NtGdiSTROBJ_vEnumStart', # 0x259 'NtGdiScaleViewportExtEx', # 0x25a 'NtGdiScaleWindowExtEx', # 0x25b 'NtGdiSelectBrush', # 0x25c 'NtGdiSelectClipPath', # 0x25d 'NtGdiSelectPen', # 0x25e 'NtGdiSetBitmapAttributes', # 0x25f 'NtGdiSetBrushAttributes', # 0x260 'NtGdiSetColorAdjustment', # 0x261 'NtGdiSetColorSpace', # 0x262 'NtGdiSetDeviceGammaRamp', # 0x263 'NtGdiSetFontXform', # 0x264 'NtGdiSetIcmMode', # 0x265 'NtGdiSetLinkedUFIs', # 0x266 'NtGdiSetMagicColors', # 0x267 'NtGdiSetOPMSigningKeyAndSequenceNumbers', # 0x268 'NtGdiSetPUMPDOBJ', # 0x269 'NtGdiSetPixelFormat', # 0x26a 'NtGdiSetRectRgn', # 0x26b 'NtGdiSetSizeDevice', # 0x26c 'NtGdiSetSystemPaletteUse', # 0x26d 'NtGdiSetTextJustification', # 0x26e 'NtGdiSfmGetNotificationTokens', # 0x26f 'NtGdiStartDoc', # 0x270 'NtGdiStartPage', # 0x271 
'NtGdiStrokeAndFillPath', # 0x272 'NtGdiStrokePath', # 0x273 'NtGdiSwapBuffers', # 0x274 'NtGdiTransparentBlt', # 0x275 'NtGdiUMPDEngFreeUserMem', # 0x276 'NtGdiUnloadPrinterDriver', # 0x277 'NtGdiUnmapMemFont', # 0x278 'NtGdiUpdateColors', # 0x279 'NtGdiUpdateTransform', # 0x27a 'NtGdiWidenPath', # 0x27b 'NtGdiXFORMOBJ_bApplyXform', # 0x27c 'NtGdiXFORMOBJ_iGetXform', # 0x27d 'NtGdiXLATEOBJ_cGetPalette', # 0x27e 'NtGdiXLATEOBJ_hGetColorTransform', # 0x27f 'NtGdiXLATEOBJ_iXlate', # 0x280 'NtUserAddClipboardFormatListener', # 0x281 'NtUserAssociateInputContext', # 0x282 'NtUserBlockInput', # 0x283 'NtUserBuildHimcList', # 0x284 'NtUserBuildPropList', # 0x285 'NtUserCalculatePopupWindowPosition', # 0x286 'NtUserCallHwndOpt', # 0x287 'NtUserChangeDisplaySettings', # 0x288 'NtUserChangeWindowMessageFilterEx', # 0x289 'NtUserCheckAccessForIntegrityLevel', # 0x28a 'NtUserCheckDesktopByThreadId', # 0x28b 'NtUserCheckWindowThreadDesktop', # 0x28c 'NtUserChildWindowFromPointEx', # 0x28d 'NtUserClipCursor', # 0x28e 'NtUserCreateDesktopEx', # 0x28f 'NtUserCreateInputContext', # 0x290 'NtUserCreateWindowStation', # 0x291 'NtUserCtxDisplayIOCtl', # 0x292 'NtUserDestroyInputContext', # 0x293 'NtUserDisableThreadIme', # 0x294 'NtUserDisplayConfigGetDeviceInfo', # 0x295 'NtUserDisplayConfigSetDeviceInfo', # 0x296 'NtUserDoSoundConnect', # 0x297 'NtUserDoSoundDisconnect', # 0x298 'NtUserDragDetect', # 0x299 'NtUserDragObject', # 0x29a 'NtUserDrawAnimatedRects', # 0x29b 'NtUserDrawCaption', # 0x29c 'NtUserDrawCaptionTemp', # 0x29d 'NtUserDrawMenuBarTemp', # 0x29e 'NtUserDwmStartRedirection', # 0x29f 'NtUserDwmStopRedirection', # 0x2a0 'NtUserEndMenu', # 0x2a1 'NtUserEndTouchOperation', # 0x2a2 'NtUserEvent', # 0x2a3 'NtUserFlashWindowEx', # 0x2a4 'NtUserFrostCrashedWindow', # 0x2a5 'NtUserGetAppImeLevel', # 0x2a6 'NtUserGetCaretPos', # 0x2a7 'NtUserGetClipCursor', # 0x2a8 'NtUserGetClipboardViewer', # 0x2a9 'NtUserGetComboBoxInfo', # 0x2aa 'NtUserGetCursorInfo', # 0x2ab 
'NtUserGetDisplayConfigBufferSizes', # 0x2ac 'NtUserGetGestureConfig', # 0x2ad 'NtUserGetGestureExtArgs', # 0x2ae 'NtUserGetGestureInfo', # 0x2af 'NtUserGetGuiResources', # 0x2b0 'NtUserGetImeHotKey', # 0x2b1 'NtUserGetImeInfoEx', # 0x2b2 'NtUserGetInputLocaleInfo', # 0x2b3 'NtUserGetInternalWindowPos', # 0x2b4 'NtUserGetKeyNameText', # 0x2b5 'NtUserGetKeyboardLayoutName', # 0x2b6 'NtUserGetLayeredWindowAttributes', # 0x2b7 'NtUserGetListBoxInfo', # 0x2b8 'NtUserGetMenuIndex', # 0x2b9 'NtUserGetMenuItemRect', # 0x2ba 'NtUserGetMouseMovePointsEx', # 0x2bb 'NtUserGetPriorityClipboardFormat', # 0x2bc 'NtUserGetRawInputBuffer', # 0x2bd 'NtUserGetRawInputData', # 0x2be 'NtUserGetRawInputDeviceInfo', # 0x2bf 'NtUserGetRawInputDeviceList', # 0x2c0 'NtUserGetRegisteredRawInputDevices', # 0x2c1 'NtUserGetTopLevelWindow', # 0x2c2 'NtUserGetTouchInputInfo', # 0x2c3 'NtUserGetUpdatedClipboardFormats', # 0x2c4 'NtUserGetWOWClass', # 0x2c5 'NtUserGetWindowCompositionAttribute', # 0x2c6 'NtUserGetWindowCompositionInfo', # 0x2c7 'NtUserGetWindowDisplayAffinity', # 0x2c8 'NtUserGetWindowMinimizeRect', # 0x2c9 'NtUserGetWindowRgnEx', # 0x2ca 'NtUserGhostWindowFromHungWindow', # 0x2cb 'NtUserHardErrorControl', # 0x2cc 'NtUserHiliteMenuItem', # 0x2cd 'NtUserHungWindowFromGhostWindow', # 0x2ce 'NtUserHwndQueryRedirectionInfo', # 0x2cf 'NtUserHwndSetRedirectionInfo', # 0x2d0 'NtUserImpersonateDdeClientWindow', # 0x2d1 'NtUserInitTask', # 0x2d2 'NtUserInitialize', # 0x2d3 'NtUserInitializeClientPfnArrays', # 0x2d4 'NtUserInjectGesture', # 0x2d5 'NtUserInternalGetWindowIcon', # 0x2d6 'NtUserIsTopLevelWindow', # 0x2d7 'NtUserIsTouchWindow', # 0x2d8 'NtUserLoadKeyboardLayoutEx', # 0x2d9 'NtUserLockWindowStation', # 0x2da 'NtUserLockWorkStation', # 0x2db 'NtUserLogicalToPhysicalPoint', # 0x2dc 'NtUserMNDragLeave', # 0x2dd 'NtUserMNDragOver', # 0x2de 'NtUserMagControl', # 0x2df 'NtUserMagGetContextInformation', # 0x2e0 'NtUserMagSetContextInformation', # 0x2e1 
'NtUserManageGestureHandlerWindow', # 0x2e2 'NtUserMenuItemFromPoint', # 0x2e3 'NtUserMinMaximize', # 0x2e4 'NtUserModifyWindowTouchCapability', # 0x2e5 'NtUserNotifyIMEStatus', # 0x2e6 'NtUserOpenInputDesktop', # 0x2e7 'NtUserOpenThreadDesktop', # 0x2e8 'NtUserPaintMonitor', # 0x2e9 'NtUserPhysicalToLogicalPoint', # 0x2ea 'NtUserPrintWindow', # 0x2eb 'NtUserQueryDisplayConfig', # 0x2ec 'NtUserQueryInformationThread', # 0x2ed 'NtUserQueryInputContext', # 0x2ee 'NtUserQuerySendMessage', # 0x2ef 'NtUserRealChildWindowFromPoint', # 0x2f0 'NtUserRealWaitMessageEx', # 0x2f1 'NtUserRegisterErrorReportingDialog', # 0x2f2 'NtUserRegisterHotKey', # 0x2f3 'NtUserRegisterRawInputDevices', # 0x2f4 'NtUserRegisterServicesProcess', # 0x2f5 'NtUserRegisterSessionPort', # 0x2f6 'NtUserRegisterTasklist', # 0x2f7 'NtUserRegisterUserApiHook', # 0x2f8 'NtUserRemoteConnect', # 0x2f9 'NtUserRemoteRedrawRectangle', # 0x2fa 'NtUserRemoteRedrawScreen', # 0x2fb 'NtUserRemoteStopScreenUpdates', # 0x2fc 'NtUserRemoveClipboardFormatListener', # 0x2fd 'NtUserResolveDesktopForWOW', # 0x2fe 'NtUserSendTouchInput', # 0x2ff 'NtUserSetAppImeLevel', # 0x300 'NtUserSetChildWindowNoActivate', # 0x301 'NtUserSetClassWord', # 0x302 'NtUserSetCursorContents', # 0x303 'NtUserSetDisplayConfig', # 0x304 'NtUserSetGestureConfig', # 0x305 'NtUserSetImeHotKey', # 0x306 'NtUserSetImeInfoEx', # 0x307 'NtUserSetImeOwnerWindow', # 0x308 'NtUserSetInternalWindowPos', # 0x309 'NtUserSetLayeredWindowAttributes', # 0x30a 'NtUserSetMenu', # 0x30b 'NtUserSetMenuContextHelpId', # 0x30c 'NtUserSetMenuFlagRtoL', # 0x30d 'NtUserSetMirrorRendering', # 0x30e 'NtUserSetObjectInformation', # 0x30f 'NtUserSetProcessDPIAware', # 0x310 'NtUserSetShellWindowEx', # 0x311 'NtUserSetSysColors', # 0x312 'NtUserSetSystemCursor', # 0x313 'NtUserSetSystemTimer', # 0x314 'NtUserSetThreadLayoutHandles', # 0x315 'NtUserSetWindowCompositionAttribute', # 0x316 'NtUserSetWindowDisplayAffinity', # 0x317 'NtUserSetWindowRgnEx', # 0x318 
'NtUserSetWindowStationUser', # 0x319 'NtUserSfmDestroyLogicalSurfaceBinding', # 0x31a 'NtUserSfmDxBindSwapChain', # 0x31b 'NtUserSfmDxGetSwapChainStats', # 0x31c 'NtUserSfmDxOpenSwapChain', # 0x31d 'NtUserSfmDxQuerySwapChainBindingStatus', # 0x31e 'NtUserSfmDxReleaseSwapChain', # 0x31f 'NtUserSfmDxReportPendingBindingsToDwm', # 0x320 'NtUserSfmDxSetSwapChainBindingStatus', # 0x321 'NtUserSfmDxSetSwapChainStats', # 0x322 'NtUserSfmGetLogicalSurfaceBinding', # 0x323 'NtUserShowSystemCursor', # 0x324 'NtUserSoundSentry', # 0x325 'NtUserSwitchDesktop', # 0x326 'NtUserTestForInteractiveUser', # 0x327 'NtUserTrackPopupMenuEx', # 0x328 'NtUserUnloadKeyboardLayout', # 0x329 'NtUserUnlockWindowStation', # 0x32a 'NtUserUnregisterHotKey', # 0x32b 'NtUserUnregisterSessionPort', # 0x32c 'NtUserUnregisterUserApiHook', # 0x32d 'NtUserUpdateInputContext', # 0x32e 'NtUserUpdateInstance', # 0x32f 'NtUserUpdateLayeredWindow', # 0x330 'NtUserUpdatePerUserSystemParameters', # 0x331 'NtUserUpdateWindowTransform', # 0x332 'NtUserUserHandleGrantAccess', # 0x333 'NtUserValidateHandleSecure', # 0x334 'NtUserWaitForInputIdle', # 0x335 'NtUserWaitForMsgAndEvent', # 0x336 'NtUserWindowFromPhysicalPoint', # 0x337 'NtUserYieldTask', # 0x338 'NtUserSetClassLongPtr', # 0x339 'NtUserSetWindowLongPtr', # 0x33a ], ]

volatility-2.3.1/volatility/plugins/overlays/windows/windows64.py

# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

import copy
import volatility.obj as obj
import volatility.plugins.overlays.windows.windows as windows

# File-wide pylint message disable because we have a few situations where we access structs starting _
#pylint: disable-msg=W0212

class Pointer64Decorator(object):
    def __init__(self, f):
        self.f = f

    def __call__(self, name, typeList, typeDict = None):
        if len(typeList) and typeList[0] == 'pointer64':
            typeList = copy.deepcopy(typeList)
            typeList[0] = 'pointer'
        return self.f(name, typeList, typeDict)

class _EX_FAST_REF(windows._EX_FAST_REF):
    MAX_FAST_REF = 15

class ExFastRefx64(obj.ProfileModification):
    before = ['WindowsOverlay', 'WindowsObjectClasses']
    conditions = {'os': lambda x : x == 'windows',
                  'memory_model': lambda x: x == '64bit'}

    def modification(self, profile):
        profile.object_classes.update({'_EX_FAST_REF': _EX_FAST_REF})

class Windows64Overlay(obj.ProfileModification):
    before = ['WindowsOverlay', 'WindowsObjectClasses']
    conditions = {'memory_model': lambda x: x == '64bit',
                  'os': lambda x: x == 'windows'}

    def modification(self, profile):
        profile.merge_overlay({'VOLATILITY_MAGIC': [ 0x0, {
            'PoolAlignment': [ 0x0, ['VolatilityMagic', dict(value = 16)] ],
            'KUSER_SHARED_DATA': [ 0x0, ['VolatilityMagic', dict(value = 0xFFFFF78000000000)]]
            }
            ]})

        # This is the location of the MMVAD type which controls how to parse the
        # node. It is located before the structure.
        profile.merge_overlay({'_MMVAD_SHORT': [None, {
            'Tag' : [-12, None],
            }],
            '_MMVAD_LONG' : [None, {
            'Tag' : [-12, None],
            }]
            })

        profile.vtypes["_IMAGE_NT_HEADERS"] = profile.vtypes["_IMAGE_NT_HEADERS64"]

        profile.merge_overlay({'_DBGKD_GET_VERSION64' : [ None, {
            'DebuggerDataList' : [ None, ['pointer', ['unsigned long long']]],
            }]})

        # In some auto-generated vtypes, the DTB is an array of 2 unsigned longs
        # (for x86) or an array of 2 unsigned long long (for x64). We have an overlay
        # in windows.windows_overlay which sets the DTB to a single unsigned long,
        # but we do not want that bleeding through to the x64 profiles. Instead we
        # want the x64 DTB to be a single unsigned long long.
        profile.merge_overlay({'_KPROCESS' : [ None, {
            'DirectoryTableBase' : [ None, ['unsigned long long']],
            }]})

        # Note: the following method of profile modification is strongly discouraged
        #
        # Nasty hack because pointer64 has a special structure,
        # and therefore can't just be instantiated in object_classes
        # using profile.object_classes.update({'pointer64': obj.Pointer})
        profile._list_to_type = Pointer64Decorator(profile._list_to_type)

volatility-2.3.1/volatility/plugins/overlays/windows/win7_sp1_x86_vtypes.py

ntkrnlmp_types = { '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x48, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14,
['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_RTL_DYNAMIC_HASH_TABLE_ENTRY' : [ 0xc, { 'Linkage' : [ 0x0, ['_LIST_ENTRY']], 'Signature' : [ 0x8, ['unsigned long']], } ], '__unnamed_200a' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_PERF_STATES' : [ 0x80, { 'Count' : [ 0x0, ['unsigned long']], 'MaxFrequency' : [ 0x4, ['unsigned long']], 'PStateCap' : [ 0x8, ['unsigned long']], 'TStateCap' : [ 0xc, ['unsigned long']], 'MaxPerfState' : [ 0x10, ['unsigned long']], 'MinPerfState' : [ 0x14, ['unsigned long']], 'LowestPState' : [ 0x18, ['unsigned long']], 'IncreaseTime' : [ 0x1c, ['unsigned long']], 
'DecreaseTime' : [ 0x20, ['unsigned long']], 'BusyAdjThreshold' : [ 0x24, ['unsigned char']], 'Reserved' : [ 0x25, ['unsigned char']], 'ThrottleStatesOnly' : [ 0x26, ['unsigned char']], 'PolicyType' : [ 0x27, ['unsigned char']], 'TimerInterval' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['__unnamed_200a']], 'TargetProcessors' : [ 0x30, ['_KAFFINITY_EX']], 'PStateHandler' : [ 0x3c, ['pointer', ['void']]], 'PStateContext' : [ 0x40, ['unsigned long']], 'TStateHandler' : [ 0x44, ['pointer', ['void']]], 'TStateContext' : [ 0x48, ['unsigned long']], 'FeedbackHandler' : [ 0x4c, ['pointer', ['void']]], 'GetFFHThrottleState' : [ 0x50, ['pointer', ['void']]], 'State' : [ 0x58, ['array', 1, ['_PPM_PERF_STATE']]], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, ['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['unsigned long']], } ], '_RTL_ATOM_TABLE' : [ 0x44, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x4, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x1c, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x3c, ['unsigned long']], 'Buckets' : [ 0x40, ['array', 1, 
['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POP_POWER_ACTION' : [ 0xb0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 
'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x34, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x38, ['pointer', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x40, ['unsigned long long']], 'SleepTime' : [ 0x48, ['unsigned long long']], 'ProgrammedRTCTime' : [ 0x50, ['unsigned long long']], 'WakeOnRTC' : [ 0x58, ['unsigned char']], 'WakeTimerInfo' : [ 0x5c, ['pointer', ['_DIAGNOSTIC_BUFFER']]], 'FilteredCapabilities' : [ 0x60, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x3c, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'PowerChildren' : [ 0x8, ['_LIST_ENTRY']], 'PowerParents' : [ 0x10, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x1c, ['unsigned char']], 'DeviceObject' : [ 0x20, ['pointer', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x24, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x28, ['pointer', 
['unsigned short']]], 'ChildCount' : [ 0x2c, ['unsigned long']], 'ActiveChild' : [ 0x30, ['unsigned long']], 'ParentCount' : [ 0x34, ['unsigned long']], 'ActiveParent' : [ 0x38, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_PROC_IDLE_STATE_ACCOUNTING' : [ 0x228, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'IdleTransitions' : [ 0x8, ['unsigned long']], 'FailedTransitions' : [ 0xc, ['unsigned long']], 'InvalidBucketIndex' : [ 0x10, ['unsigned long']], 'MinTime' : [ 0x18, ['unsigned long long']], 'MaxTime' : [ 0x20, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x28, ['array', 16, ['_PROC_IDLE_STATE_BUCKET']]], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x4, { 'PageHashes' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_204d' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_204f' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 
0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0xc, ['__unnamed_204d']], 'Button' : [ 0xc, ['__unnamed_204f']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 
'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_LOADER_PARAMETER_EXTENSION' : [ 0xe8, { 'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 'EmInfFileImage' : [ 0x14, ['pointer', ['void']]], 'EmInfFileSize' : [ 0x18, ['unsigned long']], 'TriageDumpBlock' : [ 0x1c, ['pointer', ['void']]], 'LoaderPagesSpanned' : [ 0x20, ['unsigned long']], 'HeadlessLoaderBlock' : [ 0x24, ['pointer', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x28, ['pointer', ['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x2c, ['pointer', ['void']]], 'DrvDBSize' : [ 0x30, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x34, ['pointer', ['_NETWORK_LOADER_BLOCK']]], 'HalpIRQLToTPR' : [ 0x38, ['pointer', ['unsigned char']]], 'HalpVectorToIRQL' : [ 0x3c, ['pointer', ['unsigned char']]], 'FirmwareDescriptorListHead' : [ 0x40, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x48, ['pointer', ['void']]], 
'AcpiTableSize' : [ 0x4c, ['unsigned long']], 'LastBootSucceeded' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LastBootShutdown' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IoPortAccessSupported' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x50, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'LoaderPerformanceData' : [ 0x54, ['pointer', ['_LOADER_PERFORMANCE_DATA']]], 'BootApplicationPersistentData' : [ 0x58, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0x60, ['pointer', ['void']]], 'BootIdentifier' : [ 0x64, ['_GUID']], 'ResumePages' : [ 0x74, ['unsigned long']], 'DumpHeader' : [ 0x78, ['pointer', ['void']]], 'BgContext' : [ 0x7c, ['pointer', ['void']]], 'NumaLocalityInfo' : [ 0x80, ['pointer', ['void']]], 'NumaGroupAssignment' : [ 0x84, ['pointer', ['void']]], 'AttachedHives' : [ 0x88, ['_LIST_ENTRY']], 'MemoryCachingRequirementsCount' : [ 0x90, ['unsigned long']], 'MemoryCachingRequirements' : [ 0x94, ['pointer', ['void']]], 'TpmBootEntropyResult' : [ 0x98, ['_TPM_BOOT_ENTROPY_LDR_RESULT']], 'ProcessorCounterFrequency' : [ 0xe0, ['unsigned long long']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x10, ['pointer', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', 
['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x298, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x290, ['unsigned long']], 'EnvironmentVersion' : [ 0x294, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '_RTL_SRWLOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, 
['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_ALPC_MESSAGE_ZONE' : [ 0x18, { 'Mdl' : [ 0x0, ['pointer', ['_MDL']]], 'UserVa' : [ 0x4, ['pointer', ['void']]], 'UserLimit' : [ 0x8, ['pointer', ['void']]], 'SystemVa' : [ 0xc, ['pointer', ['void']]], 'SystemLimit' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x14, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x10, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_PROC_PERF_LOAD' : [ 0x2, { 'BusyPercentage' : [ 0x0, ['unsigned char']], 'FrequencyPercentage' : [ 0x1, ['unsigned char']], } ], '_PROC_HISTORY_ENTRY' : [ 0x4, { 'Utility' : [ 0x0, ['unsigned short']], 'Frequency' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 
'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, 
native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x10, { 'RefCount' : [ 0x0, ['long']], 'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 0x8, ['pointer', ['_ETW_REG_ENTRY']]], 'Caller' : [ 0xc, ['pointer', ['void']]], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x40, { 'Address' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0xc, ['array', 13, ['pointer', ['void']]]], } ], '__unnamed_20e1' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x2000, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_20e1']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x18, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long']], 'NonPagablePages' : [ 0x24, ['unsigned long']], 'CommittedPages' : [ 0x28, ['unsigned long']], 
'PagedPoolStart' : [ 0x2c, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x30, ['pointer', ['void']]], 'SessionObject' : [ 0x34, ['pointer', ['void']]], 'SessionObjectHandle' : [ 0x38, ['pointer', ['void']]], 'ResidentProcessCount' : [ 0x3c, ['long']], 'SessionPoolAllocationFailures' : [ 0x40, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x50, ['_LIST_ENTRY']], 'LocaleId' : [ 0x58, ['unsigned long']], 'AttachCount' : [ 0x5c, ['unsigned long']], 'AttachGate' : [ 0x60, ['_KGATE']], 'WsListEntry' : [ 0x70, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 25, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xd00, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xd38, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xd70, ['_MMSUPPORT']], 'Wsle' : [ 0xddc, ['pointer', ['_MMWSLE']]], 'DriverUnload' : [ 0xde0, ['pointer', ['void']]], 'PagedPool' : [ 0xe00, ['_POOL_DESCRIPTOR']], 'PageTables' : [ 0x1f40, ['pointer', ['_MMPTE']]], 'SpecialPool' : [ 0x1f44, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1f68, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1f88, ['long']], 'PagedPoolPdeCount' : [ 0x1f8c, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1f90, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1f94, ['unsigned long']], 'SystemPteInfo' : [ 0x1f98, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1fc8, ['pointer', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1fcc, ['unsigned long']], 'PoolTrackBigPages' : [ 0x1fd0, ['pointer', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1fd4, ['unsigned long']], 'IoState' : [ 0x1fd8, ['Enumeration', dict(target = 'long', choices = {1: 'IoSessionStateCreated', 2: 'IoSessionStateInitialized', 3: 'IoSessionStateConnected', 4: 'IoSessionStateDisconnected', 5: 'IoSessionStateDisconnectedLoggedOn', 6: 'IoSessionStateLoggedOn', 7: 'IoSessionStateLoggedOff', 8: 'IoSessionStateTerminated', 9: 'IoSessionStateMax'})]], 'IoStateSequence' : [ 0x1fdc, ['unsigned long']], 'IoNotificationEvent' : [ 0x1fe0, ['_KEVENT']], 'SessionPoolPdes' : [ 0x1ff0, 
['_RTL_BITMAP']], 'CpuQuotaBlock' : [ 0x1ff8, ['pointer', ['_PS_CPU_QUOTA_BLOCK']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, ['pointer', ['_EPROCESS']]], 'HandleCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_WHEA_MEMORY_ERROR_SECTION' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_SECTION_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_KWAIT_STATUS_REGISTER' : [ 0x1, { 'Flags' : [ 0x0, ['unsigned char']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned char')]], 'Affinity' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Priority' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Apc' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'UserApc' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Alert' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, 
native_type='unsigned char')]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockInStackQueuedSpinLock', 7: 'VfDeadlockUnusedSpinLock', 8: 'VfDeadlockEresource', 9: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', 
dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, 
native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x38, { 'Mutex' : [ 0x0, ['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x20, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x28, ['pointer', ['_MMPTE']]], 'PagedPoolHint' : [ 0x2c, ['unsigned long']], 'PagedPoolCommit' : [ 0x30, ['unsigned long']], 'AllocatedPagedPool' : [ 0x34, ['unsigned long']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_PROC_PERF_DOMAIN' : [ 0x78, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'Master' : [ 0x8, ['pointer', ['_KPRCB']]], 'Members' : [ 0xc, ['_KAFFINITY_EX']], 'FeedbackHandler' : [ 0x18, ['pointer', ['void']]], 'GetFFHThrottleState' : [ 0x1c, ['pointer', ['void']]], 'BoostPolicyHandler' : [ 0x20, ['pointer', ['void']]], 'PerfSelectionHandler' : [ 0x24, ['pointer', ['void']]], 'PerfHandler' : [ 0x28, ['pointer', ['void']]], 'Processors' : [ 0x2c, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'PerfChangeTime' : [ 0x30, ['unsigned long long']], 'ProcessorCount' : [ 0x38, ['unsigned long']], 'PreviousFrequencyMhz' : 
[ 0x3c, ['unsigned long']], 'CurrentFrequencyMhz' : [ 0x40, ['unsigned long']], 'PreviousFrequency' : [ 0x44, ['unsigned long']], 'CurrentFrequency' : [ 0x48, ['unsigned long']], 'CurrentPerfContext' : [ 0x4c, ['unsigned long']], 'DesiredFrequency' : [ 0x50, ['unsigned long']], 'MaxFrequency' : [ 0x54, ['unsigned long']], 'MinPerfPercent' : [ 0x58, ['unsigned long']], 'MinThrottlePercent' : [ 0x5c, ['unsigned long']], 'MaxPercent' : [ 0x60, ['unsigned long']], 'MinPercent' : [ 0x64, ['unsigned long']], 'ConstrainedMaxPercent' : [ 0x68, ['unsigned long']], 'ConstrainedMinPercent' : [ 0x6c, ['unsigned long']], 'Coordination' : [ 0x70, ['unsigned char']], 'PerfChangeIntervalCount' : [ 0x74, ['long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_TP_NBQ_GUARD' : [ 0x10, { 'GuardLinks' : [ 0x0, ['_LIST_ENTRY']], 'Guards' : [ 0x8, ['array', 2, ['pointer', ['void']]]], } ], '_DUMMY_FILE_OBJECT' : [ 0xa0, { 'ObjectHeader' : [ 0x0, ['_OBJECT_HEADER']], 'FileObjectBody' : [ 0x20, ['array', 128, ['unsigned char']]], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_RELATION_LIST' : [ 0x14, { 'Count' : [ 0x0, ['unsigned long']], 'TagCount' : [ 0x4, ['unsigned long']], 'FirstLevel' : [ 0x8, ['unsigned long']], 'MaxLevel' : [ 0xc, ['unsigned long']], 'Entries' : [ 0x10, ['array', 1, ['pointer', ['_RELATION_LIST_ENTRY']]]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, 
['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x24, { 'PteBase' : [ 0x0, ['pointer', ['_MMPTE']]], 'Lock' : [ 0x4, ['unsigned long']], 'Paged' : [ 0x8, ['_MI_SPECIAL_POOL_PTE_LIST']], 'NonPaged' : [ 0x10, ['_MI_SPECIAL_POOL_PTE_LIST']], 'PagesInUse' : [ 0x18, ['long']], 'SpecialPoolPdes' : [ 0x1c, ['_RTL_BITMAP']], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_KGUARDED_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x10, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x8, ['_PO_IRP_QUEUE']], } ], '_PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 
0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [ 0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], '_PPM_FFH_THROTTLE_STATE_INFO' : [ 0x20, { 'EnableLogging' : [ 0x0, ['unsigned char']], 'MismatchCount' : [ 0x4, ['unsigned long']], 'Initialized' : [ 0x8, ['unsigned char']], 'LastValue' : [ 0x10, ['unsigned long long']], 'LastLogTickCount' : [ 0x18, ['_LARGE_INTEGER']], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_KDPC_DATA' : [ 0x14, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['long']], 'DpcCount' : [ 0x10, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '__unnamed_2171' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_2173' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, 
['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_2171']], 'Merged' : [ 0x10, ['__unnamed_2173']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0xc, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x4, ['pointer', ['_IO_MINI_COMPLETION_PACKET_USER']]], 'Lookaside' : [ 0x8, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '__unnamed_217b' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_217b']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x8, ['pointer', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_1ef4']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], 'u1' : [ 
0x20, ['__unnamed_1f82']], 'LeftChild' : [ 0x24, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x28, ['pointer', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x2c, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x34, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x38, { 'GetTime' : [ 0x0, ['unsigned long']], 'SetTime' : [ 0x4, ['unsigned long']], 'GetWakeupTime' : [ 0x8, ['unsigned long']], 'SetWakeupTime' : [ 0xc, ['unsigned long']], 'SetVirtualAddressMap' : [ 0x10, ['unsigned long']], 'ConvertPointer' : [ 0x14, ['unsigned long']], 'GetVariable' : [ 0x18, ['unsigned long']], 'GetNextVariableName' : [ 0x1c, ['unsigned long']], 'SetVariable' : [ 0x20, ['unsigned long']], 'GetNextHighMonotonicCount' : [ 0x24, ['unsigned long']], 'ResetSystem' : [ 0x28, ['unsigned long']], 'UpdateCapsule' : [ 0x2c, ['unsigned long']], 'QueryCapsuleCapabilities' : [ 0x30, ['unsigned long']], 'QueryVariableInfo' : [ 0x34, ['unsigned long']], } ], '_MI_SPECIAL_POOL_PTE_LIST' : [ 0x8, { 'FreePteHead' : [ 0x0, ['_MMPTE']], 'FreePteTail' : [ 0x4, ['_MMPTE']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 
0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 0x12, ['array', 3, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_2191' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 
'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_2195' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'u1' : [ 0x20, ['__unnamed_2191']], 'u2' : [ 0x24, ['__unnamed_2195']], 'PrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'ThePtes' : [ 0x2c, ['array', 1, ['_MMPTE']]], } ], '_DIAGNOSTIC_CONTEXT' : [ 0x10, { 'CallerType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'Process' : [ 0x4, ['pointer', ['_EPROCESS']]], 'ServiceTag' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'ReasonSize' : [ 0xc, ['unsigned long']], } ], '__unnamed_219e' : [ 0x4, { 'MissedEtwRegistration' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_21a0' : [ 0x4, { 'Flags' : [ 0x0, ['__unnamed_219e']], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VF_TARGET_VERIFIED_DRIVER_DATA' : [ 0x90, { 'SuspectDriverEntry' : [ 0x0, ['pointer', ['_VF_SUSPECT_DRIVER_ENTRY']]], 'WMICallback' : [ 0x4, ['pointer', ['void']]], 'EtwHandlesListHead' : [ 0x8, ['_LIST_ENTRY']], 'u1' : [ 0x10, ['__unnamed_21a0']], 'Signature' : [ 0x14, ['unsigned long']], 'PoolPageHeaders' : [ 0x18, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x20, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x28, ['unsigned 
long']], 'CurrentNonPagedPoolAllocations' : [ 0x2c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x30, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x34, ['unsigned long']], 'PagedBytes' : [ 0x38, ['unsigned long']], 'NonPagedBytes' : [ 0x3c, ['unsigned long']], 'PeakPagedBytes' : [ 0x40, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x44, ['unsigned long']], 'RaiseIrqls' : [ 0x48, ['unsigned long']], 'AcquireSpinLocks' : [ 0x4c, ['unsigned long']], 'SynchronizeExecutions' : [ 0x50, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x54, ['unsigned long']], 'AllocationsFailed' : [ 0x58, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x5c, ['unsigned long']], 'LockedBytes' : [ 0x60, ['unsigned long']], 'PeakLockedBytes' : [ 0x64, ['unsigned long']], 'MappedLockedBytes' : [ 0x68, ['unsigned long']], 'PeakMappedLockedBytes' : [ 0x6c, ['unsigned long']], 'MappedIoSpaceBytes' : [ 0x70, ['unsigned long']], 'PeakMappedIoSpaceBytes' : [ 0x74, ['unsigned long']], 'PagesForMdlBytes' : [ 0x78, ['unsigned long']], 'PeakPagesForMdlBytes' : [ 0x7c, ['unsigned long']], 'ContiguousMemoryBytes' : [ 0x80, ['unsigned long']], 'PeakContiguousMemoryBytes' : [ 0x84, ['unsigned long']], 'ContiguousMemoryListHead' : [ 0x88, ['_LIST_ENTRY']], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'SequentialReadCount' : [ 0x30, ['unsigned long']], 'ReadAheadLength' : [ 0x34, ['unsigned long']], 'ReadAheadOffset' : [ 0x38, ['_LARGE_INTEGER']], 'ReadAheadBeyondLastByte' : [ 0x40, 
['_LARGE_INTEGER']], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long']], 'PrivateLinks' : [ 0x4c, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x54, ['pointer', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_TPM_BOOT_ENTROPY_LDR_RESULT' : [ 0x48, { 'Policy' : [ 0x0, ['unsigned long long']], 'ResultCode' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'TpmBootEntropyStructureUninitialized', 1: 'TpmBootEntropyDisabledByPolicy', 2: 'TpmBootEntropyNoTpmFound', 3: 'TpmBootEntropyTpmError', 4: 'TpmBootEntropySuccess'})]], 'ResultStatus' : [ 0xc, ['long']], 'Time' : [ 0x10, ['unsigned long long']], 'EntropyLength' : [ 0x18, ['unsigned long']], 'EntropyData' : [ 0x1c, ['array', 40, ['unsigned char']]], } ], '_RTL_HANDLE_TABLE' : [ 0x20, { 'MaximumNumberOfHandles' : [ 
0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x14, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x18, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x1c, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_PTE_TRACKER' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x8, ['pointer', ['_MDL']]], 'Count' : [ 0xc, ['unsigned long']], 'SystemVa' : [ 0x10, ['pointer', ['void']]], 'StartVa' : [ 0x14, ['pointer', ['void']]], 'Offset' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], 'Page' : [ 0x20, ['unsigned long']], 'IoMapping' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x24, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'CallingAddress' : [ 0x28, ['pointer', ['void']]], 'CallersCaller' : [ 0x2c, ['pointer', ['void']]], } ], '_KTHREAD_COUNTERS' : [ 0x1a8, { 'WaitReasonBitMap' : [ 0x0, ['unsigned long long']], 'UserData' : [ 0x8, ['pointer', ['_THREAD_PERFORMANCE_DATA']]], 'Flags' : [ 0xc, ['unsigned long']], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'CycleTimeBias' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'HwCounter' : [ 0x28, ['array', 16, ['_COUNTER_READING']]], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0xc, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 
'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_HMAP_ENTRY' : [ 0x10, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'CmView' : [ 0x8, ['pointer', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0xc, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x10, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'ReferenceCount' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'NameLength' : [ 0xb, ['unsigned char']], 'Name' : [ 0xc, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x4, ['pointer', ['void']]], } ], '_LOADER_PERFORMANCE_DATA' : [ 0x10, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], } ], '_PNP_DEVICE_ACTION_ENTRY' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RequestType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'AssignResources', 1: 'ClearDeviceProblem', 2: 'ClearProblem', 3: 'ClearEjectProblem', 4: 'HaltDevice', 5: 'QueryPowerRelations', 6: 'Rebalance', 7: 'ReenumerateBootDevices', 8: 'ReenumerateDeviceOnly', 9: 'ReenumerateDeviceTree', 10: 'ReenumerateRootDevices', 11: 'RequeryDeviceState', 12: 'ResetDevice', 13: 'ResourceRequirementsChanged', 14: 'RestartEnumeration', 15: 'SetDeviceProblem', 
16: 'StartDevice', 17: 'StartSystemDevicesPass0', 18: 'StartSystemDevicesPass1'})]], 'ReorderingBarrier' : [ 0x10, ['unsigned char']], 'RequestArgument' : [ 0x14, ['unsigned long']], 'CompletionEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'CompletionStatus' : [ 0x1c, ['pointer', ['long']]], } ], '_COUNTER_READING' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PMCCounter', 1: 'MaxHardwareCounterType'})]], 'Index' : [ 0x4, ['unsigned long']], 'Start' : [ 0x8, ['unsigned long long']], 'Total' : [ 0x10, ['unsigned long long']], } ], '_MMSESSION' : [ 0x38, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewTable' : [ 0x24, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x28, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x30, ['unsigned long']], 'BitmapFailures' : [ 0x34, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x2c, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x8, ['pointer', ['_ETW_GUID_ENTRY']]], 'Index' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned short']], 'EnableMask' : [ 0x10, ['unsigned char']], 'SessionId' : [ 0x14, ['unsigned long']], 'ReplyQueue' : [ 0x14, ['pointer', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x14, ['array', 4, ['pointer', ['_ETW_REG_ENTRY']]]], 'Process' : [ 0x24, ['pointer', ['_EPROCESS']]], 'Callback' : [ 0x24, ['pointer', ['void']]], 'CallbackContext' : [ 0x28, ['pointer', ['void']]], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 
'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_POP_DEVICE_SYS_STATE' : [ 0x1a8, { 'IrpMinor' : 
[ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'AbortEvent' : [ 0x10, ['pointer', ['_KEVENT']]], 'ReadySemaphore' : [ 0x14, ['pointer', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x18, ['pointer', ['_KSEMAPHORE']]], 'GetNewDeviceList' : [ 0x1c, ['unsigned char']], 'Order' : [ 0x20, ['_PO_DEVICE_NOTIFY_ORDER']], 'Pending' : [ 0x190, ['_LIST_ENTRY']], 'Status' : [ 0x198, ['long']], 'FailedDevice' : [ 0x19c, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x1a0, ['unsigned char']], 'Cancelled' : [ 0x1a1, ['unsigned char']], 'IgnoreErrors' : [ 0x1a2, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x1a3, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x1a4, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 
22, native_type='unsigned long')]], 'Binary32' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'ContainsDebug' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_VF_KE_CRITICAL_REGION_TRACE' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 7, ['pointer', ['void']]]], } ], '_DIAGNOSTIC_BUFFER' : [ 0x18, { 'Size' : [ 0x0, ['unsigned long']], 'CallerType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KernelRequester', 1: 'UserProcessRequester', 2: 'UserSharedServiceRequester'})]], 'ProcessImageNameOffset' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'ServiceTag' : [ 0x10, ['unsigned long']], 'DeviceDescriptionOffset' : [ 0x8, ['unsigned long']], 'DevicePathOffset' : [ 0xc, ['unsigned long']], 'ReasonOffset' : [ 0x14, ['unsigned long']], } ], '_EX_WORK_QUEUE' : [ 0x3c, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x28, ['unsigned long']], 'WorkItemsProcessed' : [ 0x2c, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x30, ['unsigned long']], 'QueueDepthLastPass' : [ 0x34, ['unsigned long']], 'Info' : [ 0x38, ['EX_QUEUE_WORKER_INFO']], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], 
'ThreadUsesEresources' : [ 0x1c, ['unsigned char']], } ], '_PPM_IDLE_STATE' : [ 0x40, { 'DomainMembers' : [ 0x0, ['_KAFFINITY_EX']], 'IdleCheck' : [ 0xc, ['pointer', ['void']]], 'IdleHandler' : [ 0x10, ['pointer', ['void']]], 'HvConfig' : [ 0x18, ['unsigned long long']], 'Context' : [ 0x20, ['pointer', ['void']]], 'Latency' : [ 0x24, ['unsigned long']], 'Power' : [ 0x28, ['unsigned long']], 'TimeCheck' : [ 0x2c, ['unsigned long']], 'StateFlags' : [ 0x30, ['unsigned long']], 'PromotePercent' : [ 0x34, ['unsigned char']], 'DemotePercent' : [ 0x35, ['unsigned char']], 'PromotePercentBase' : [ 0x36, ['unsigned char']], 'DemotePercentBase' : [ 0x37, ['unsigned char']], 'StateType' : [ 0x38, ['unsigned char']], } ], '_KRESOURCEMANAGER' : [ 0x154, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'State' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x1c, ['_KMUTANT']], 'NamespaceLink' : [ 0x3c, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x50, ['_GUID']], 'NotificationQueue' : [ 0x60, ['_KQUEUE']], 'NotificationMutex' : [ 0x88, ['_KMUTANT']], 'EnlistmentHead' : [ 0xa8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xb0, ['unsigned long']], 'NotificationRoutine' : [ 0xb4, ['pointer', ['void']]], 'Key' : [ 0xb8, ['pointer', ['void']]], 'ProtocolListHead' : [ 0xbc, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0xc4, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0xcc, ['_LIST_ENTRY']], 'Tm' : [ 0xd4, ['pointer', ['_KTM']]], 'Description' : [ 0xd8, ['_UNICODE_STRING']], 'Enlistments' : [ 0xe0, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x140, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '__unnamed_2217' : [ 0x4, { 
'NodeSize' : [ 0x0, ['unsigned long']], 'UseLookaside' : [ 0x0, ['unsigned long']], } ], '_VF_AVL_TREE' : [ 0x40, { 'Lock' : [ 0x0, ['long']], 'NodeToFree' : [ 0x4, ['pointer', ['void']]], 'NodeRangeSize' : [ 0x8, ['unsigned long']], 'NodeCount' : [ 0xc, ['unsigned long']], 'Tables' : [ 0x10, ['pointer', ['_VF_AVL_TABLE']]], 'TablesNo' : [ 0x14, ['unsigned long']], 'u1' : [ 0x18, ['__unnamed_2217']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_WHEA_MEMORY_ERROR_SECTION_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, 
['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_RELATION_LIST_ENTRY' : [ 0xc, { 'Count' : [ 0x0, ['unsigned long']], 'MaxCount' : [ 0x4, ['unsigned long']], 'Devices' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x40e0, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x14, ['unsigned long']], 'ResourceAddressRange' : [ 0x18, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x2010, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x2014, ['unsigned long']], 'ThreadAddressRange' : [ 0x2018, ['array', 1023, ['_VF_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x4010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x4014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x4018, ['unsigned long']], 'NodesSearched' : [ 0x401c, ['unsigned long']], 'MaxNodesSearched' : [ 0x4020, ['unsigned long']], 'SequenceNumber' : [ 0x4024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x402c, ['unsigned long']], 'DepthLimitHits' : [ 0x4030, ['unsigned long']], 'SearchLimitHits' : [ 0x4034, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x4038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x403c, ['unsigned long']], 
'NodesReleasedOutOfOrder' : [ 0x4040, ['unsigned long']], 'TotalReleases' : [ 0x4044, ['unsigned long']], 'RootNodesDeleted' : [ 0x4048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x404c, ['unsigned long']], 'Instigator' : [ 0x4050, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0x4054, ['unsigned long']], 'Participant' : [ 0x4058, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x40d8, ['long']], } ], '_KTM' : [ 0x238, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x4, ['_KMUTANT']], 'State' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x28, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x3c, ['_GUID']], 'Flags' : [ 0x4c, ['unsigned long']], 'VolatileFlags' : [ 0x50, ['unsigned long']], 'LogFileName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x5c, ['pointer', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0x60, ['pointer', ['void']]], 'LogManagementContext' : [ 0x64, ['pointer', ['void']]], 'Transactions' : [ 0x68, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0xc8, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x128, ['_KMUTANT']], 'LsnOrderedList' : [ 0x148, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x150, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x158, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x178, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x180, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x188, ['_CLS_LSN']], 'TmRmHandle' : [ 0x190, ['pointer', ['void']]], 'TmRm' : [ 0x194, ['pointer', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x198, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x1a8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x1b8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x1c0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x1d0, ['_ERESOURCE']], 'LogFlags' : [ 0x208, ['unsigned long']], 'LogFullStatus' : [ 0x20c, ['long']], 
'RecoveryStatus' : [ 0x210, ['long']], 'LastCheckBaseLsn' : [ 0x218, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x220, ['_LIST_ENTRY']], 'OfflineWorkItem' : [ 0x228, ['_WORK_QUEUE_ITEM']], } ], '_CONFIGURATION_COMPONENT' : [ 0x24, { 'Class' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 'MemoryClass', 7: 'MaximumClass'})]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 14: 'TapeController', 15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 'AudioController', 24: 'OtherController', 25: 'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29: 'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]], 'Flags' : [ 0x8, ['_DEVICE_FLAGS']], 'Version' : [ 0xc, ['unsigned short']], 'Revision' : [ 0xe, ['unsigned short']], 'Key' : [ 0x10, ['unsigned long']], 'AffinityMask' : [ 0x14, ['unsigned long']], 'Group' : [ 0x14, ['unsigned short']], 'GroupIndex' : [ 0x16, ['unsigned short']], 'ConfigurationDataLength' : [ 0x18, ['unsigned long']], 'IdentifierLength' : [ 0x1c, ['unsigned long']], 'Identifier' : [ 0x20, ['pointer', ['unsigned char']]], } ], '_VF_BTS_RECORD' : [ 0xc, { 'JumpedFrom' : [ 0x0, 
['pointer', ['void']]], 'JumpedTo' : [ 0x4, ['pointer', ['void']]], 'Unused1' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Predicted' : [ 0x8, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Unused2' : [ 0x8, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_KTRANSACTION' : [ 0x1e0, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'Mutex' : [ 0x14, ['_KMUTANT']], 'TreeTx' : [ 0x34, ['pointer', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x38, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x4c, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0x60, ['_GUID']], 'State' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0x74, ['unsigned long']], 'EnlistmentHead' : [ 0x78, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x80, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0x84, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0x88, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0x8c, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0x90, ['unsigned long']], 'PendingResponses' : [ 0x94, ['unsigned long']], 'SuperiorEnlistment' : [ 0x98, ['pointer', ['_KENLISTMENT']]], 'LastLsn' : [ 0xa0, ['_CLS_LSN']], 'PromotedEntry' : [ 0xa8, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0xb0, ['pointer', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0xb4, ['pointer', ['void']]], 'IsolationLevel' : [ 0xb8, ['unsigned long']], 'IsolationFlags' : [ 0xbc, ['unsigned long']], 'Timeout' : [ 0xc0, ['_LARGE_INTEGER']], 'Description' : [ 0xc8, ['_UNICODE_STRING']], 
'RollbackThread' : [ 0xd0, ['pointer', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0xd4, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0xe4, ['_KDPC']], 'RollbackTimer' : [ 0x108, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x130, ['_LIST_ENTRY']], 'Outcome' : [ 0x138, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x13c, ['pointer', ['_KTM']]], 'CommitReservation' : [ 0x140, ['long long']], 'TransactionHistory' : [ 0x148, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x198, ['unsigned long']], 'DTCPrivateInformation' : [ 0x19c, ['pointer', ['void']]], 'DTCPrivateInformationLength' : [ 0x1a0, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x1a4, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x1c4, ['pointer', ['void']]], 'PendingPromotionCount' : [ 0x1c8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x1cc, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x38, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x8, ['pointer', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0xc, ['pointer', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x1c, ['pointer', ['_CM_TRANS']]], 'UoWState' : [ 0x20, ['unsigned long']], 'ActionType' : [ 0x24, ['Enumeration', 
dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x30, ['unsigned long']], 'OldValueCell' : [ 0x30, ['unsigned long']], 'NewValueCell' : [ 0x34, ['unsigned long']], 'UserFlags' : [ 0x30, ['unsigned long']], 'LastWriteTime' : [ 0x30, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x30, ['unsigned long']], 'OldChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x34, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x34, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', 
dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_VF_WATCHDOG_IRP' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer', ['_IRP']]], 'DueTickCount' : [ 0xc, ['unsigned long']], 'Inserted' : [ 0x10, ['unsigned char']], 'TrackedStackLocation' : [ 0x11, ['unsigned char']], 'CancelTimeoutTicks' : [ 0x12, ['unsigned short']], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'GroupAssigned' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'GroupCommitted' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'GroupAssignmentFixed' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_2272' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_2274' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_2272']], 'Value' : [ 0x0, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_2274']], } ], '_PSP_CPU_SHARE_CAPTURED_WEIGHT_DATA' : [ 0x8, { 'CapturedCpuShareWeight' : [ 0x0, ['unsigned long']], 'CapturedTotalWeight' : [ 0x4, ['unsigned long']], 'CombinedData' : [ 0x0, ['long long']], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['wchar']]], } ], '_PROC_IDLE_STATE_BUCKET' : [ 
0x20, { 'TotalTime' : [ 0x0, ['unsigned long long']], 'MinTime' : [ 0x8, ['unsigned long long']], 'MaxTime' : [ 0x10, ['unsigned long long']], 'Count' : [ 0x18, ['unsigned long']], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 12, native_type='unsigned long')]], } ], '_PO_IRP_QUEUE' : [ 0x8, { 'CurrentIrp' : [ 0x0, ['pointer', ['_IRP']]], 'PendingIrpList' : [ 0x4, ['pointer', ['_IRP']]], } ], '__unnamed_2287' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0x6c, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x24, ['__unnamed_2287']], 'ChildrenCount' : [ 0x28, ['long']], 'StackTrace' : [ 0x2c, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x4c, ['array', 8, ['pointer', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0x60, { 'Table' : [ 0x0, 
['_RTL_AVL_TABLE']], 'Mutex' : [ 0x38, ['_KMUTANT']], 'LinksOffset' : [ 0x58, ['unsigned short']], 'GuidOffset' : [ 0x5a, ['unsigned short']], 'Expired' : [ 0x5c, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_VF_ADDRESS_RANGE' : [ 0x8, { 'Start' : [ 0x0, ['pointer', ['unsigned char']]], 'End' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x18, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'DosDeviceDriveIndex' : [ 0x10, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x14, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x8, ['pointer', ['void']]], 'Key' : [ 0xc, ['unsigned long']], 'BindingProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 
'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x2c, ['array', 3, ['unsigned long']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, 
['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x38, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x30, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_HEAP_USERDATA_HEADER' : [ 0x10, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer', ['_HEAP_SUBSEGMENT']]], 'Reserved' : [ 0x4, ['pointer', ['void']]], 'SizeIndex' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], } ], '_STACK_TABLE' : [ 0x8040, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x4, ['array', 16, ['pointer', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x44, ['array', 16381, ['unsigned short']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_DEFERRED_WRITE' : [ 0x24, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], 
'_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'ImageFlags' : [ 0x23, ['unsigned char']], 'ComPlusNativeReady' : [ 0x23, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x23, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x23, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x23, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x23, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'CheckSum' : [ 0x2c, ['unsigned long']], } ], '_VF_AVL_TABLE' : [ 0x3c, { 'RtlTable' : [ 0x0, ['_RTL_AVL_TABLE']], 'ReservedNode' : [ 0x38, ['pointer', ['_VF_AVL_TREE_NODE']]], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1b, { 'PerUserPolicy' : [ 0x0, ['array', 27, ['unsigned char']]], } ], '__unnamed_22dd' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_22df' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_22e3' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 
'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_22e7' : [ 0x8, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x4, ['unsigned char']], } ], '__unnamed_22e9' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_22dd']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_22df']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_22e3']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_22e7']], 'Others' : [ 0x0, ['__unnamed_22e9']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, ['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_POP_HIBER_CONTEXT' : [ 0xa0, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'Reset' : [ 0x3, ['unsigned char']], 'HiberFlags' : [ 0x4, ['unsigned char']], 'WroteHiberFile' : [ 0x5, ['unsigned char']], 'MapFrozen' : [ 0x6, ['unsigned char']], 'MemoryMap' : [ 0x8, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x10, ['_RTL_BITMAP']], 
'ClonedRanges' : [ 0x18, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x20, ['unsigned long']], 'NextCloneRange' : [ 0x24, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x28, ['unsigned long']], 'LoaderMdl' : [ 0x2c, ['pointer', ['_MDL']]], 'AllocatedMdl' : [ 0x30, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x38, ['unsigned long long']], 'IoPages' : [ 0x40, ['pointer', ['void']]], 'IoPagesCount' : [ 0x44, ['unsigned long']], 'CurrentMcb' : [ 0x48, ['pointer', ['void']]], 'DumpStack' : [ 0x4c, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x50, ['pointer', ['_KPROCESSOR_STATE']]], 'PreferredIoWriteSize' : [ 0x54, ['unsigned long']], 'IoProgress' : [ 0x58, ['unsigned long']], 'HiberVa' : [ 0x5c, ['unsigned long']], 'HiberPte' : [ 0x60, ['_LARGE_INTEGER']], 'Status' : [ 0x68, ['long']], 'MemoryImage' : [ 0x6c, ['pointer', ['PO_MEMORY_IMAGE']]], 'CompressionWorkspace' : [ 0x70, ['pointer', ['void']]], 'CompressedWriteBuffer' : [ 0x74, ['pointer', ['unsigned char']]], 'CompressedWriteBufferSize' : [ 0x78, ['unsigned long']], 'MaxCompressedOutputSize' : [ 0x7c, ['unsigned long']], 'PerformanceStats' : [ 0x80, ['pointer', ['unsigned long']]], 'CompressionBlock' : [ 0x84, ['pointer', ['void']]], 'DmaIO' : [ 0x88, ['pointer', ['void']]], 'TemporaryHeap' : [ 0x8c, ['pointer', ['void']]], 'BootLoaderLogMdl' : [ 0x90, ['pointer', ['_MDL']]], 'FirmwareRuntimeInformationMdl' : [ 0x94, ['pointer', ['_MDL']]], 'ResumeContext' : [ 0x98, ['pointer', ['void']]], 'ResumeContextPages' : [ 0x9c, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x40, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer', ['void']]]], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_PCW_COUNTER_INFORMATION' : [ 0x10, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], } ], '_DUMP_STACK_CONTEXT' : [ 0xb0, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x70, ['_LARGE_INTEGER']], 
'DumpPointers' : [ 0x78, ['pointer', ['void']]], 'PointersLength' : [ 0x7c, ['unsigned long']], 'ModulePrefix' : [ 0x80, ['pointer', ['unsigned short']]], 'DriverList' : [ 0x84, ['_LIST_ENTRY']], 'InitMsg' : [ 0x8c, ['_STRING']], 'ProgMsg' : [ 0x94, ['_STRING']], 'DoneMsg' : [ 0x9c, ['_STRING']], 'FileObject' : [ 0xa4, ['pointer', ['void']]], 'UsageType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x20, { 'ThreadHandle' : [ 0x0, ['pointer', ['void']]], 'ThreadId' : [ 0x4, ['pointer', ['void']]], 'ProcessId' : [ 0x8, ['pointer', ['void']]], 'Code' : [ 0xc, ['unsigned long']], 'Parameter1' : [ 0x10, ['unsigned long']], 'Parameter2' : [ 0x14, ['unsigned long']], 'Parameter3' : [ 0x18, ['unsigned long']], 'Parameter4' : [ 0x1c, ['unsigned long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'SizeOfImage' : [ 0x4, ['unsigned long']], } ], '_PCW_MASK_INFORMATION' : [ 0x20, { 'CounterMask' : [ 0x0, ['unsigned long long']], 'InstanceMask' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'InstanceId' : [ 0xc, ['unsigned long']], 'CollectMultiple' : [ 0x10, ['unsigned char']], 'Buffer' : [ 0x14, ['pointer', ['_PCW_BUFFER']]], 'CancelEvent' : [ 0x18, ['pointer', ['_KEVENT']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '__unnamed_230d' : [ 0x10, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 
'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_230d']], } ], '__unnamed_2311' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_2311']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0xe0, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'SystemTime' : [ 0x18, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x20, ['unsigned long long']], 'FeatureFlags' : [ 0x28, ['unsigned long']], 'HiberFlags' : [ 0x2c, ['unsigned char']], 'spare' : [ 0x2d, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x30, ['unsigned long']], 'HiberVa' : [ 0x34, ['unsigned long']], 'HiberPte' : [ 0x38, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x40, ['unsigned long']], 'FreeMapCheck' : [ 0x44, ['unsigned long']], 'WakeCheck' : [ 0x48, ['unsigned long']], 'FirstTablePage' : [ 0x4c, ['unsigned long']], 'PerfInfo' : [ 0x50, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0xa8, ['unsigned long']], 
'FirmwareRuntimeInformation' : [ 0xac, ['array', 1, ['unsigned long']]], 'NoBootLoaderLogPages' : [ 0xb0, ['unsigned long']], 'BootLoaderLogPages' : [ 0xb4, ['array', 8, ['unsigned long']]], 'NotUsed' : [ 0xd4, ['unsigned long']], 'ResumeContextCheck' : [ 0xd8, ['unsigned long']], 'ResumeContextPages' : [ 0xdc, ['unsigned long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x58, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'ElapsedTicks' : [ 0x18, ['unsigned long long']], 'CompressTicks' : [ 0x20, ['unsigned long long']], 'ResumeAppTime' : [ 0x28, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x30, ['unsigned long long']], 'BytesCopied' : [ 0x38, ['unsigned long long']], 'PagesProcessed' : [ 0x40, ['unsigned long long']], 'PagesWritten' : [ 0x48, ['unsigned long']], 'DumpCount' : [ 0x4c, ['unsigned long']], 'FileRuns' : [ 0x50, ['unsigned long']], } ], '_DEVICE_FLAGS' : [ 0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 
'ConsoleIn' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x10, { 'Parent' : [ 0x0, ['pointer', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0xc, ['unsigned char']], 'Reserved' : [ 0xd, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' : [ 0x18, { 'Entry' : [ 0x0, ['unsigned long']], 'Writable' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ControlArea' : [ 0x4, ['pointer', ['_CONTROL_AREA']]], 'ViewLinks' : [ 0x8, ['_LIST_ENTRY']], 'SessionViewVa' : [ 0x10, ['pointer', ['void']]], 'SessionId' : [ 0x14, ['unsigned long']], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x34, { 'UsedBiosSettings' : [ 0x0, 
['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0xc, ['pointer', ['unsigned char']]], 'PciDeviceId' : [ 0x10, ['unsigned short']], 'PciVendorId' : [ 0x12, ['unsigned short']], 'PciBusNumber' : [ 0x14, ['unsigned char']], 'PciBusSegment' : [ 0x16, ['unsigned short']], 'PciSlotNumber' : [ 0x18, ['unsigned char']], 'PciFunctionNumber' : [ 0x19, ['unsigned char']], 'PciFlags' : [ 0x1c, ['unsigned long']], 'SystemGUID' : [ 0x20, ['_GUID']], 'IsMMIODevice' : [ 0x30, ['unsigned char']], 'TerminalType' : [ 0x31, ['unsigned char']], } ], '__unnamed_2339' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_233b' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_233d' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_2339']], 'Gpt' : [ 0x0, ['__unnamed_233b']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x70, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, 
['__unnamed_233d']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x30, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'Flags' : [ 0x8, ['unsigned long']], 'Hint' : [ 0xc, ['unsigned long']], 'BasePte' : [ 0x10, ['pointer', ['_MMPTE']]], 'FailureCount' : [ 0x14, ['pointer', ['unsigned long']]], 'Vm' : [ 0x18, ['pointer', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x1c, ['long']], 'TotalFreeSystemPtes' : [ 0x20, ['long']], 'CachedPteCount' : [ 0x24, ['long']], 'PteFailures' : [ 0x28, ['unsigned long']], 'SpinLock' : [ 0x2c, ['unsigned long']], 'GlobalMutex' : [ 0x2c, ['pointer', ['_KGUARDED_MUTEX']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x10, { 'DHCPServerACK' : [ 0x0, ['pointer', ['unsigned char']]], 'DHCPServerACKLength' : [ 0x4, ['unsigned long']], 'BootServerReplyPacket' : [ 0x8, ['pointer', ['unsigned char']]], 'BootServerReplyPacketLength' : [ 0xc, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x170, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 9, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x28, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x10, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x18, ['_LIST_ENTRY']], 'WaitS0' : [ 0x20, ['_LIST_ENTRY']], } ], '_THREAD_PERFORMANCE_DATA' : [ 0x1c0, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, 
['unsigned short']], 'ProcessorNumber' : [ 0x4, ['_PROCESSOR_NUMBER']], 'ContextSwitches' : [ 0x8, ['unsigned long']], 'HwCountersCount' : [ 0xc, ['unsigned long']], 'UpdateCount' : [ 0x10, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x18, ['unsigned long long']], 'HardwareCounters' : [ 0x20, ['unsigned long long']], 'CycleTime' : [ 0x28, ['_COUNTER_READING']], 'HwCounters' : [ 0x40, ['array', 16, ['_COUNTER_READING']]], } ], '_ETW_REPLY_QUEUE' : [ 0x2c, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x28, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Reserved' : [ 0x3c, ['array', 6, ['unsigned long']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x10, ['pointer', ['void']]], 'WhichOrderedElement' : [ 0x14, ['unsigned long']], 'NumberGenericTableElements' : [ 0x18, ['unsigned long']], 'DepthOfTree' : [ 0x1c, ['unsigned long']], 'RestartKey' : [ 0x20, ['pointer', 
['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x24, ['unsigned long']], 'CompareRoutine' : [ 0x28, ['pointer', ['void']]], 'AllocateRoutine' : [ 0x2c, ['pointer', ['void']]], 'FreeRoutine' : [ 0x30, ['pointer', ['void']]], 'TableContext' : [ 0x34, ['pointer', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_KUSER_SHARED_DATA' : [ 0x5f0, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 
0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'AltArchitecturePad' : [ 0x2c4, ['array', 1, ['unsigned long']]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'TscQpcData' : [ 0x2ed, ['unsigned char']], 'TscQpcEnabled' : [ 0x2ed, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TscQpcSpareFlag' : [ 0x2ed, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'TscQpcShift' : [ 0x2ed, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'TscQpcPad' : [ 0x2ee, ['array', 2, ['unsigned char']]], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgSystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, 
native_type='unsigned long')]], 'DbgSEHValidationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'DataFlagsPad' : [ 0x2f4, ['array', 1, ['unsigned long']]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'ReservedTickCountOverlay' : [ 0x320, ['array', 3, ['unsigned long']]], 'TickCountPad' : [ 0x32c, ['array', 1, ['unsigned long']]], 'Cookie' : [ 0x330, ['unsigned long']], 'CookiePad' : [ 0x334, ['array', 1, ['unsigned long']]], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 16, ['unsigned short']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'Reserved5' : [ 0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], 'TscQpcBias' : [ 0x3b8, ['unsigned long long']], 'ActiveProcessorCount' : [ 0x3c0, ['unsigned long']], 'ActiveGroupCount' : [ 0x3c4, ['unsigned short']], 'Reserved4' : [ 0x3c6, ['unsigned short']], 'AitSamplingValue' : [ 0x3c8, ['unsigned long']], 'AppCompatFlag' : [ 0x3cc, ['unsigned long']], 'SystemDllNativeRelocation' : [ 0x3d0, ['unsigned long long']], 'SystemDllWowRelocation' : [ 0x3d8, ['unsigned long']], 'XStatePad' : [ 0x3dc, ['array', 1, ['unsigned long']]], 'XState' : [ 0x3e0, ['_XSTATE_CONFIGURATION']], } ], '__unnamed_1041' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, 
['unsigned long']], 'u' : [ 0x0, ['__unnamed_1041']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1045' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1045']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_105e' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1060' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_105e']], } ], '_TP_CALLBACK_ENVIRON_V3' : [ 0x28, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x4, ['pointer', ['_TP_POOL']]], 'CleanupGroup' : [ 0x8, ['pointer', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0xc, ['pointer', ['void']]], 'RaceDll' : [ 0x10, ['pointer', ['void']]], 'ActivationContext' : [ 0x14, ['pointer', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x18, ['pointer', ['void']]], 'u' : [ 0x1c, ['__unnamed_1060']], 'CallbackPriority' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'TP_CALLBACK_PRIORITY_HIGH', 1: 'TP_CALLBACK_PRIORITY_NORMAL', 2: 'TP_CALLBACK_PRIORITY_LOW', 3: 'TP_CALLBACK_PRIORITY_INVALID'})]], 'Size' : [ 0x24, ['unsigned long']], } ], '_TP_TASK' : [ 0x20, { 'Callbacks' : [ 0x0, ['pointer', ['_TP_TASK_CALLBACKS']]], 'NumaNode' : [ 0x4, ['unsigned long']], 'IdealProcessor' : [ 0x8, ['unsigned char']], 'PostGuard' : [ 0xc, ['_TP_NBQ_GUARD']], 'NBQNode' : [ 0x1c, ['pointer', ['void']]], } ], '_TP_TASK_CALLBACKS' : [ 0x8, { 'ExecuteCallback' : [ 0x0, ['pointer', ['void']]], 'Unposted' : [ 0x4, ['pointer', ['void']]], } ], '_TP_DIRECT' : [ 0xc, { 'Callback' : [ 0x0, ['pointer', ['void']]], 'NumaNode' : [ 0x4, 
['unsigned long']], 'IdealProcessor' : [ 0x8, ['unsigned char']], } ], '_TEB' : [ 0xfe4, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]], 'ClientId' : [ 0x20, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]], 'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]], 'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['pointer', ['void']]], 'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 
'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['pointer', ['void']]]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['pointer', ['void']]], 'EtwLocalData' : [ 0xf64, ['pointer', ['void']]], 'EtwTraceData' : [ 0xf68, ['pointer', ['void']]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['pointer', ['void']]], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['pointer', ['void']]], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], 'PreferredLanguages' : [ 
0xfb8, ['pointer', ['void']]], 'UserPrefLanguages' : [ 0xfbc, ['pointer', ['void']]], 'MergedPrefLanguages' : [ 0xfc0, ['pointer', ['void']]], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['pointer', ['void']]], 'TxnScopeExitCallback' : [ 0xfd0, ['pointer', ['void']]], 'TxnScopeContext' : [ 0xfd4, ['pointer', ['void']]], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 'ResourceRetValue' : [ 0xfe0, 
['pointer', ['void']]], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_RTL_DYNAMIC_HASH_TABLE_CONTEXT' : [ 0xc, { 'ChainHead' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'PrevLinkage' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE_ENUMERATOR' : [ 0x14, { 'HashEntry' : [ 0x0, ['_RTL_DYNAMIC_HASH_TABLE_ENTRY']], 'ChainHead' : [ 0xc, ['pointer', ['_LIST_ENTRY']]], 'BucketIndex' : [ 0x10, ['unsigned long']], } ], '_RTL_DYNAMIC_HASH_TABLE' : [ 0x24, { 'Flags' : [ 0x0, ['unsigned long']], 'Shift' : [ 0x4, ['unsigned long']], 'TableSize' : [ 0x8, ['unsigned long']], 'Pivot' : [ 0xc, ['unsigned long']], 'DivisorMask' : [ 0x10, ['unsigned long']], 'NumEntries' : [ 0x14, ['unsigned long']], 'NonEmptyBuckets' : [ 0x18, ['unsigned long']], 'NumEnumerators' : [ 0x1c, ['unsigned long']], 'Directory' : [ 0x20, ['pointer', ['void']]], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 
'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_KPCR' : [ 0x3748, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'Spare2' : [ 0x8, ['pointer', ['void']]], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 
'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KPRCB' : [ 0x3628, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'LegacyNumber' : [ 0x10, ['unsigned char']], 'NestingLevel' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'CpuType' : [ 0x14, ['unsigned char']], 'CpuID' : [ 0x15, ['unsigned char']], 'CpuStep' : [ 0x16, ['unsigned short']], 'CpuStepping' : [ 0x16, ['unsigned char']], 'CpuModel' : [ 0x17, ['unsigned char']], 'ProcessorState' : [ 0x18, ['_KPROCESSOR_STATE']], 'KernelReserved' : [ 0x338, ['array', 16, ['unsigned long']]], 'HalReserved' : [ 0x378, ['array', 16, ['unsigned long']]], 'CFlushSize' : [ 0x3b8, ['unsigned long']], 'CoresPerPhysicalProcessor' : [ 0x3bc, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x3bd, ['unsigned char']], 'PrcbPad0' : [ 0x3be, ['array', 2, ['unsigned char']]], 'MHz' : [ 0x3c0, ['unsigned long']], 'CpuVendor' : [ 0x3c4, ['unsigned char']], 'GroupIndex' : [ 0x3c5, ['unsigned char']], 'Group' : [ 0x3c6, ['unsigned short']], 'GroupSetMember' : [ 0x3c8, ['unsigned long']], 'Number' : [ 0x3cc, ['unsigned long']], 'PrcbPad1' : [ 0x3d0, ['array', 72, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 17, ['_KSPIN_LOCK_QUEUE']]], 'NpxThread' : [ 0x4a0, ['pointer', ['_KTHREAD']]], 'InterruptCount' : [ 0x4a4, ['unsigned long']], 'KernelTime' : [ 0x4a8, ['unsigned long']], 'UserTime' : [ 0x4ac, ['unsigned long']], 'DpcTime' : [ 0x4b0, ['unsigned long']], 'DpcTimeCount' : [ 0x4b4, ['unsigned long']], 'InterruptTime' : [ 0x4b8, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x4bc, ['unsigned long']], 'PageColor' : [ 0x4c0, ['unsigned long']], 'DebuggerSavedIRQL' : [ 0x4c4, ['unsigned char']], 'NodeColor' : [ 0x4c5, ['unsigned char']], 'PrcbPad20' : [ 0x4c6, 
['array', 2, ['unsigned char']]], 'NodeShiftedColor' : [ 0x4c8, ['unsigned long']], 'ParentNode' : [ 0x4cc, ['pointer', ['_KNODE']]], 'SecondaryColorMask' : [ 0x4d0, ['unsigned long']], 'DpcTimeLimit' : [ 0x4d4, ['unsigned long']], 'PrcbPad21' : [ 0x4d8, ['array', 2, ['unsigned long']]], 'CcFastReadNoWait' : [ 0x4e0, ['unsigned long']], 'CcFastReadWait' : [ 0x4e4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x4e8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x4ec, ['unsigned long']], 'CcCopyReadWait' : [ 0x4f0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x4f4, ['unsigned long']], 'MmSpinLockOrdering' : [ 0x4f8, ['long']], 'IoReadOperationCount' : [ 0x4fc, ['long']], 'IoWriteOperationCount' : [ 0x500, ['long']], 'IoOtherOperationCount' : [ 0x504, ['long']], 'IoReadTransferCount' : [ 0x508, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x510, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x518, ['_LARGE_INTEGER']], 'CcFastMdlReadNoWait' : [ 0x520, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x524, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x528, ['unsigned long']], 'CcMapDataNoWait' : [ 0x52c, ['unsigned long']], 'CcMapDataWait' : [ 0x530, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x534, ['unsigned long']], 'CcPinReadNoWait' : [ 0x538, ['unsigned long']], 'CcPinReadWait' : [ 0x53c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x540, ['unsigned long']], 'CcMdlReadWait' : [ 0x544, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x548, ['unsigned long']], 'CcLazyWriteIos' : [ 0x54c, ['unsigned long']], 'CcLazyWritePages' : [ 0x550, ['unsigned long']], 'CcDataFlushes' : [ 0x554, ['unsigned long']], 'CcDataPages' : [ 0x558, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x55c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x560, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x564, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x568, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x56c, ['unsigned long']],
'CcMapDataWaitMiss' : [ 0x570, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x574, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x578, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x57c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x580, ['unsigned long']], 'CcReadAheadIos' : [ 0x584, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x588, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x58c, ['unsigned long']], 'KeSystemCalls' : [ 0x590, ['unsigned long']], 'AvailableTime' : [ 0x594, ['unsigned long']], 'PrcbPad22' : [ 0x598, ['array', 2, ['unsigned long']]], 'PPLookasideList' : [ 0x5a0, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x620, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0xf20, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x1820, ['unsigned long']], 'ReverseStall' : [ 0x1824, ['long']], 'IpiFrame' : [ 0x1828, ['pointer', ['void']]], 'PrcbPad3' : [ 0x182c, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x1860, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x186c, ['unsigned long']], 'WorkerRoutine' : [ 0x1870, ['pointer', ['void']]], 'IpiFrozen' : [ 0x1874, ['unsigned long']], 'PrcbPad4' : [ 0x1878, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x18a0, ['unsigned long']], 'SignalDone' : [ 0x18a4, ['pointer', ['_KPRCB']]], 'PrcbPad50' : [ 0x18a8, ['array', 56, ['unsigned char']]], 'DpcData' : [ 0x18e0, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x1908, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x190c, ['long']], 'DpcRequestRate' : [ 0x1910, ['unsigned long']], 'MinimumDpcRate' : [ 0x1914, ['unsigned long']], 'DpcLastCount' : [ 0x1918, ['unsigned long']], 'PrcbLock' : [ 0x191c, ['unsigned long']], 'DpcGate' : [ 0x1920, ['_KGATE']], 'ThreadDpcEnable' : [ 0x1930, ['unsigned char']], 'QuantumEnd' : [ 0x1931, ['unsigned char']], 'DpcRoutineActive' : [ 0x1932, ['unsigned char']], 'IdleSchedule' : [ 0x1933, ['unsigned char']], 'DpcRequestSummary' : [ 0x1934, ['long']], 'DpcRequestSlot' : [ 
0x1934, ['array', 2, ['short']]], 'NormalDpcState' : [ 0x1934, ['short']], 'DpcThreadActive' : [ 0x1936, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'ThreadDpcState' : [ 0x1936, ['short']], 'TimerHand' : [ 0x1938, ['unsigned long']], 'LastTick' : [ 0x193c, ['unsigned long']], 'MasterOffset' : [ 0x1940, ['long']], 'PrcbPad41' : [ 0x1944, ['array', 2, ['unsigned long']]], 'PeriodicCount' : [ 0x194c, ['unsigned long']], 'PeriodicBias' : [ 0x1950, ['unsigned long']], 'TickOffset' : [ 0x1958, ['unsigned long long']], 'TimerTable' : [ 0x1960, ['_KTIMER_TABLE']], 'CallDpc' : [ 0x31a0, ['_KDPC']], 'ClockKeepAlive' : [ 0x31c0, ['long']], 'ClockCheckSlot' : [ 0x31c4, ['unsigned char']], 'ClockPollCycle' : [ 0x31c5, ['unsigned char']], 'PrcbPad6' : [ 0x31c6, ['array', 2, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x31c8, ['long']], 'DpcWatchdogCount' : [ 0x31cc, ['long']], 'ThreadWatchdogPeriod' : [ 0x31d0, ['long']], 'ThreadWatchdogCount' : [ 0x31d4, ['long']], 'KeSpinLockOrdering' : [ 0x31d8, ['long']], 'PrcbPad70' : [ 0x31dc, ['array', 1, ['unsigned long']]], 'WaitListHead' : [ 0x31e0, ['_LIST_ENTRY']], 'WaitLock' : [ 0x31e8, ['unsigned long']], 'ReadySummary' : [ 0x31ec, ['unsigned long']], 'QueueIndex' : [ 0x31f0, ['unsigned long']], 'DeferredReadyListHead' : [ 0x31f4, ['_SINGLE_LIST_ENTRY']], 'StartCycles' : [ 0x31f8, ['unsigned long long']], 'CycleTime' : [ 0x3200, ['unsigned long long']], 'HighCycleTime' : [ 0x3208, ['unsigned long']], 'PrcbPad71' : [ 0x320c, ['unsigned long']], 'PrcbPad72' : [ 0x3210, ['array', 2, ['unsigned long long']]], 'DispatcherReadyListHead' : [ 0x3220, ['array', 32, ['_LIST_ENTRY']]], 'ChainedInterruptList' : [ 0x3320, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0x3324, ['long']], 'MmPageFaultCount' : [ 0x3328, ['long']], 'MmCopyOnWriteCount' : [ 0x332c, ['long']], 'MmTransitionCount' : [ 0x3330, ['long']], 'MmCacheTransitionCount' : [ 0x3334, ['long']], 'MmDemandZeroCount' : [ 0x3338, ['long']], 
'MmPageReadCount' : [ 0x333c, ['long']], 'MmPageReadIoCount' : [ 0x3340, ['long']], 'MmCacheReadCount' : [ 0x3344, ['long']], 'MmCacheIoCount' : [ 0x3348, ['long']], 'MmDirtyPagesWriteCount' : [ 0x334c, ['long']], 'MmDirtyWriteIoCount' : [ 0x3350, ['long']], 'MmMappedPagesWriteCount' : [ 0x3354, ['long']], 'MmMappedWriteIoCount' : [ 0x3358, ['long']], 'CachedCommit' : [ 0x335c, ['unsigned long']], 'CachedResidentAvailable' : [ 0x3360, ['unsigned long']], 'HyperPte' : [ 0x3364, ['pointer', ['void']]], 'PrcbPad8' : [ 0x3368, ['array', 4, ['unsigned char']]], 'VendorString' : [ 0x336c, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0x3379, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x337a, ['unsigned char']], 'PrcbPad9' : [ 0x337b, ['array', 5, ['unsigned char']]], 'FeatureBits' : [ 0x3380, ['unsigned long']], 'UpdateSignature' : [ 0x3388, ['_LARGE_INTEGER']], 'IsrTime' : [ 0x3390, ['unsigned long long']], 'RuntimeAccumulation' : [ 0x3398, ['unsigned long long']], 'PowerState' : [ 0x33a0, ['_PROCESSOR_POWER_STATE']], 'DpcWatchdogDpc' : [ 0x3468, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x3488, ['_KTIMER']], 'WheaInfo' : [ 0x34b0, ['pointer', ['void']]], 'EtwSupport' : [ 0x34b4, ['pointer', ['void']]], 'InterruptObjectPool' : [ 0x34b8, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x34c0, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x34c8, ['pointer', ['void']]], 'VirtualApicAssist' : [ 0x34cc, ['pointer', ['void']]], 'StatisticsPage' : [ 0x34d0, ['pointer', ['unsigned long long']]], 'RateControl' : [ 0x34d4, ['pointer', ['void']]], 'Cache' : [ 0x34d8, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x3514, ['unsigned long']], 'CacheProcessorMask' : [ 0x3518, ['array', 5, ['unsigned long']]], 'PackageProcessorSet' : [ 0x352c, ['_KAFFINITY_EX']], 'PrcbPad91' : [ 0x3538, ['array', 1, ['unsigned long']]], 'CoreProcessorSet' : [ 0x353c, ['unsigned long']], 'TimerExpirationDpc' : [ 0x3540, ['_KDPC']], 'SpinLockAcquireCount' : [ 0x3560, 
['unsigned long']], 'SpinLockContentionCount' : [ 0x3564, ['unsigned long']], 'SpinLockSpinCount' : [ 0x3568, ['unsigned long']], 'IpiSendRequestBroadcastCount' : [ 0x356c, ['unsigned long']], 'IpiSendRequestRoutineCount' : [ 0x3570, ['unsigned long']], 'IpiSendSoftwareInterruptCount' : [ 0x3574, ['unsigned long']], 'ExInitializeResourceCount' : [ 0x3578, ['unsigned long']], 'ExReInitializeResourceCount' : [ 0x357c, ['unsigned long']], 'ExDeleteResourceCount' : [ 0x3580, ['unsigned long']], 'ExecutiveResourceAcquiresCount' : [ 0x3584, ['unsigned long']], 'ExecutiveResourceContentionsCount' : [ 0x3588, ['unsigned long']], 'ExecutiveResourceReleaseExclusiveCount' : [ 0x358c, ['unsigned long']], 'ExecutiveResourceReleaseSharedCount' : [ 0x3590, ['unsigned long']], 'ExecutiveResourceConvertsCount' : [ 0x3594, ['unsigned long']], 'ExAcqResExclusiveAttempts' : [ 0x3598, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusive' : [ 0x359c, ['unsigned long']], 'ExAcqResExclusiveAcquiresExclusiveRecursive' : [ 0x35a0, ['unsigned long']], 'ExAcqResExclusiveWaits' : [ 0x35a4, ['unsigned long']], 'ExAcqResExclusiveNotAcquires' : [ 0x35a8, ['unsigned long']], 'ExAcqResSharedAttempts' : [ 0x35ac, ['unsigned long']], 'ExAcqResSharedAcquiresExclusive' : [ 0x35b0, ['unsigned long']], 'ExAcqResSharedAcquiresShared' : [ 0x35b4, ['unsigned long']], 'ExAcqResSharedAcquiresSharedRecursive' : [ 0x35b8, ['unsigned long']], 'ExAcqResSharedWaits' : [ 0x35bc, ['unsigned long']], 'ExAcqResSharedNotAcquires' : [ 0x35c0, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAttempts' : [ 0x35c4, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresExclusive' : [ 0x35c8, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresShared' : [ 0x35cc, ['unsigned long']], 'ExAcqResSharedStarveExclusiveAcquiresSharedRecursive' : [ 0x35d0, ['unsigned long']], 'ExAcqResSharedStarveExclusiveWaits' : [ 0x35d4, ['unsigned long']], 'ExAcqResSharedStarveExclusiveNotAcquires' : [ 0x35d8, ['unsigned long']], 
'ExAcqResSharedWaitForExclusiveAttempts' : [ 0x35dc, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresExclusive' : [ 0x35e0, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresShared' : [ 0x35e4, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveAcquiresSharedRecursive' : [ 0x35e8, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveWaits' : [ 0x35ec, ['unsigned long']], 'ExAcqResSharedWaitForExclusiveNotAcquires' : [ 0x35f0, ['unsigned long']], 'ExSetResOwnerPointerExclusive' : [ 0x35f4, ['unsigned long']], 'ExSetResOwnerPointerSharedNew' : [ 0x35f8, ['unsigned long']], 'ExSetResOwnerPointerSharedOld' : [ 0x35fc, ['unsigned long']], 'ExTryToAcqExclusiveAttempts' : [ 0x3600, ['unsigned long']], 'ExTryToAcqExclusiveAcquires' : [ 0x3604, ['unsigned long']], 'ExBoostExclusiveOwner' : [ 0x3608, ['unsigned long']], 'ExBoostSharedOwners' : [ 0x360c, ['unsigned long']], 'ExEtwSynchTrackingNotificationsCount' : [ 0x3610, ['unsigned long']], 'ExEtwSynchTrackingNotificationsAccountedCount' : [ 0x3614, ['unsigned long']], 'Context' : [ 0x3618, ['pointer', ['_CONTEXT']]], 'ContextFlags' : [ 0x361c, ['unsigned long']], 'ExtendedState' : [ 0x3620, ['pointer', ['_XSAVE_AREA']]], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_KTHREAD' : [ 0x200, { 'Header' : [ 0x0, 
['_DISPATCHER_HEADER']], 'CycleTime' : [ 0x10, ['unsigned long long']], 'HighCycleTime' : [ 0x18, ['unsigned long']], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer', ['void']]], 'StackLimit' : [ 0x2c, ['pointer', ['void']]], 'KernelStack' : [ 0x30, ['pointer', ['void']]], 'ThreadLock' : [ 0x34, ['unsigned long']], 'WaitRegister' : [ 0x38, ['_KWAIT_STATUS_REGISTER']], 'Running' : [ 0x39, ['unsigned char']], 'Alerted' : [ 0x3a, ['array', 2, ['unsigned char']]], 'KernelStackResident' : [ 0x3c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x3c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x3c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x3c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x3c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x3c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GdiFlushActive' : [ 0x3c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x3c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ApcInterruptRequest' : [ 0x3c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ForceDeferSchedule' : [ 0x3c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'QuantumEndMigrate' : [ 0x3c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'UmsDirectedSwitchEnable' : [ 0x3c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'TimerActive' : [ 0x3c, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'SystemThread' : [ 0x3c, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned 
long')]], 'Reserved' : [ 0x3c, ['BitField', dict(start_bit = 14, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x3c, ['long']], 'ApcState' : [ 0x40, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x40, ['array', 23, ['unsigned char']]], 'Priority' : [ 0x57, ['unsigned char']], 'NextProcessor' : [ 0x58, ['unsigned long']], 'DeferredProcessor' : [ 0x5c, ['unsigned long']], 'ApcQueueLock' : [ 0x60, ['unsigned long']], 'ContextSwitches' : [ 0x64, ['unsigned long']], 'State' : [ 0x68, ['unsigned char']], 'NpxState' : [ 0x69, ['unsigned char']], 'WaitIrql' : [ 0x6a, ['unsigned char']], 'WaitMode' : [ 0x6b, ['unsigned char']], 'WaitStatus' : [ 0x6c, ['long']], 'WaitBlockList' : [ 0x70, ['pointer', ['_KWAIT_BLOCK']]], 'WaitListEntry' : [ 0x74, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x74, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0x7c, ['pointer', ['_KQUEUE']]], 'WaitTime' : [ 0x80, ['unsigned long']], 'KernelApcDisable' : [ 0x84, ['short']], 'SpecialApcDisable' : [ 0x86, ['short']], 'CombinedApcDisable' : [ 0x84, ['unsigned long']], 'Teb' : [ 0x88, ['pointer', ['void']]], 'Timer' : [ 0x90, ['_KTIMER']], 'AutoAlignment' : [ 0xb8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0xb8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0xb8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EtwStackTraceApc2Inserted' : [ 0xb8, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CalloutActive' : [ 0xb8, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ApcQueueable' : [ 0xb8, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'EnableStackSwap' : [ 0xb8, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'GuiThread' : [ 0xb8, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'UmsPerformingSyscall' : [ 0xb8, 
['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'VdmSafe' : [ 0xb8, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'UmsDispatched' : [ 0xb8, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ReservedFlags' : [ 0xb8, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0xb8, ['long']], 'ServiceTable' : [ 0xbc, ['pointer', ['void']]], 'WaitBlock' : [ 0xc0, ['array', 4, ['_KWAIT_BLOCK']]], 'QueueListEntry' : [ 0x120, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x128, ['pointer', ['_KTRAP_FRAME']]], 'FirstArgument' : [ 0x12c, ['pointer', ['void']]], 'CallbackStack' : [ 0x130, ['pointer', ['void']]], 'CallbackDepth' : [ 0x130, ['unsigned long']], 'ApcStateIndex' : [ 0x134, ['unsigned char']], 'BasePriority' : [ 0x135, ['unsigned char']], 'PriorityDecrement' : [ 0x136, ['unsigned char']], 'ForegroundBoost' : [ 0x136, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'UnusualBoost' : [ 0x136, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Preempted' : [ 0x137, ['unsigned char']], 'AdjustReason' : [ 0x138, ['unsigned char']], 'AdjustIncrement' : [ 0x139, ['unsigned char']], 'PreviousMode' : [ 0x13a, ['unsigned char']], 'Saturation' : [ 0x13b, ['unsigned char']], 'SystemCallNumber' : [ 0x13c, ['unsigned long']], 'FreezeCount' : [ 0x140, ['unsigned long']], 'UserAffinity' : [ 0x144, ['_GROUP_AFFINITY']], 'Process' : [ 0x150, ['pointer', ['_KPROCESS']]], 'Affinity' : [ 0x154, ['_GROUP_AFFINITY']], 'IdealProcessor' : [ 0x160, ['unsigned long']], 'UserIdealProcessor' : [ 0x164, ['unsigned long']], 'ApcStatePointer' : [ 0x168, ['array', 2, ['pointer', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x170, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x170, ['array', 23, ['unsigned char']]], 'WaitReason' : [ 0x187, ['unsigned char']], 'SuspendCount' : [ 0x188, ['unsigned char']], 'Spare1' : [ 0x189, 
['unsigned char']], 'OtherPlatformFill' : [ 0x18a, ['unsigned char']], 'Win32Thread' : [ 0x18c, ['pointer', ['void']]], 'StackBase' : [ 0x190, ['pointer', ['void']]], 'SuspendApc' : [ 0x194, ['_KAPC']], 'SuspendApcFill0' : [ 0x194, ['array', 1, ['unsigned char']]], 'ResourceIndex' : [ 0x195, ['unsigned char']], 'SuspendApcFill1' : [ 0x194, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x197, ['unsigned char']], 'SuspendApcFill2' : [ 0x194, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x198, ['unsigned long']], 'SuspendApcFill3' : [ 0x194, ['array', 36, ['unsigned char']]], 'WaitPrcb' : [ 0x1b8, ['pointer', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x194, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x1bc, ['pointer', ['void']]], 'SuspendApcFill5' : [ 0x194, ['array', 47, ['unsigned char']]], 'LargeStack' : [ 0x1c3, ['unsigned char']], 'UserTime' : [ 0x1c4, ['unsigned long']], 'SuspendSemaphore' : [ 0x1c8, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x1c8, ['array', 20, ['unsigned char']]], 'SListFaultCount' : [ 0x1dc, ['unsigned long']], 'ThreadListEntry' : [ 0x1e0, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x1e8, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x1f0, ['pointer', ['void']]], 'ThreadCounters' : [ 0x1f4, ['pointer', ['_KTHREAD_COUNTERS']]], 'XStateSave' : [ 0x1f8, ['pointer', ['_XSTATE_SAVE']]], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Event' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'Sequence' : [ 0x6, ['unsigned short']], } ], '_LOOKASIDE_LIST_EX' : [ 0x48, { 
'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_PROCESSOR_NUMBER' : [ 0x4, { 'Group' : [ 0x0, ['unsigned short']], 'Number' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, { 'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, 
['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x30, { 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x10, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x14, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x18, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x1c, ['long']], 'Flags' : [ 0x20, ['long']], } ], '_ETHREAD' : [ 0x2b8, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x200, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x208, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x208, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x210, ['long']], 'PostBlockList' : [ 0x214, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x214, ['pointer', ['void']]], 'StartAddress' : [ 0x218, ['pointer', ['void']]], 'TerminationPort' : [ 
0x21c, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x21c, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x21c, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x220, ['unsigned long']], 'ActiveTimerListHead' : [ 0x224, ['_LIST_ENTRY']], 'Cid' : [ 0x22c, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x234, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x234, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x248, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x24c, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x254, ['unsigned long']], 'DeviceToVerify' : [ 0x258, ['pointer', ['_DEVICE_OBJECT']]], 'CpuQuotaApc' : [ 0x25c, ['pointer', ['_PSP_CPU_QUOTA_APC']]], 'Win32StartAddress' : [ 0x260, ['pointer', ['void']]], 'LegacyPowerObject' : [ 0x264, ['pointer', ['void']]], 'ThreadListEntry' : [ 0x268, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x270, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x274, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x278, ['unsigned long']], 'MmLockOrdering' : [ 0x27c, ['long']], 'CrossThreadFlags' : [ 0x280, ['unsigned long']], 'Terminated' : [ 0x280, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x280, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x280, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x280, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x280, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x280, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x280, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x280, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x280, ['BitField', dict(start_bit = 8, end_bit = 9, 
native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x280, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x280, ['BitField', dict(start_bit = 10, end_bit = 13, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x280, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x280, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NeedsWorkingSetAging' : [ 0x280, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x284, ['unsigned long']], 'ActiveExWorker' : [ 0x284, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x284, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x284, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ClonedThread' : [ 0x284, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x284, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x284, ['BitField', dict(start_bit = 5, end_bit = 7, native_type='unsigned long')]], 'SelfTerminate' : [ 0x284, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x288, ['unsigned long']], 'Spare' : [ 0x288, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x288, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwPageFaultCalloutActive' : [ 0x288, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x288, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x288, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 
'OwnsSystemCacheWorkingSetExclusive' : [ 0x288, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemCacheWorkingSetShared' : [ 0x288, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x288, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x289, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x289, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x289, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x289, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x289, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsDynamicMemoryShared' : [ 0x289, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x289, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x289, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetExclusive' : [ 0x28a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsPagedPoolWorkingSetShared' : [ 0x28a, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetExclusive' : [ 0x28a, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsSystemPtesWorkingSetShared' : [ 0x28a, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimTrigger' : [ 0x28a, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned char')]], 'Spare1' : [ 0x28a, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 
'PriorityRegionActive' : [ 0x28b, ['unsigned char']], 'CacheManagerActive' : [ 0x28c, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x28d, ['unsigned char']], 'ActiveFaultCount' : [ 0x28e, ['unsigned char']], 'LockOrderState' : [ 0x28f, ['unsigned char']], 'AlpcMessageId' : [ 0x290, ['unsigned long']], 'AlpcMessage' : [ 0x294, ['pointer', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x294, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x298, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x2a0, ['unsigned long']], 'IoBoostCount' : [ 0x2a4, ['unsigned long']], 'IrpListLock' : [ 0x2a8, ['unsigned long']], 'ReservedForSynchTracking' : [ 0x2ac, ['pointer', ['void']]], 'CmCallbackListHead' : [ 0x2b0, ['_SINGLE_LIST_ENTRY']], } ], '_EPROCESS' : [ 0x2c0, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x98, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0xa0, ['_LARGE_INTEGER']], 'ExitTime' : [ 0xa8, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0xb0, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0xb4, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0xb8, ['_LIST_ENTRY']], 'ProcessQuotaUsage' : [ 0xc0, ['array', 2, ['unsigned long']]], 'ProcessQuotaPeak' : [ 0xc8, ['array', 2, ['unsigned long']]], 'CommitCharge' : [ 0xd0, ['unsigned long']], 'QuotaBlock' : [ 0xd4, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'CpuQuotaBlock' : [ 0xd8, ['pointer', ['_PS_CPU_QUOTA_BLOCK']]], 'PeakVirtualSize' : [ 0xdc, ['unsigned long']], 'VirtualSize' : [ 0xe0, ['unsigned long']], 'SessionProcessLinks' : [ 0xe4, ['_LIST_ENTRY']], 'DebugPort' : [ 0xec, ['pointer', ['void']]], 'ExceptionPortData' : [ 0xf0, ['pointer', ['void']]], 'ExceptionPortValue' : [ 0xf0, ['unsigned long']], 'ExceptionPortState' : [ 0xf0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'ObjectTable' : [ 0xf4, ['pointer', ['_HANDLE_TABLE']]], 'Token' : [ 0xf8, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0xfc, ['unsigned long']], 'AddressCreationLock' : [ 0x100, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x104, 
['pointer', ['_ETHREAD']]], 'ForkInProgress' : [ 0x108, ['pointer', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x10c, ['unsigned long']], 'PhysicalVadRoot' : [ 0x110, ['pointer', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x114, ['pointer', ['void']]], 'NumberOfPrivatePages' : [ 0x118, ['unsigned long']], 'NumberOfLockedPages' : [ 0x11c, ['unsigned long']], 'Win32Process' : [ 0x120, ['pointer', ['void']]], 'Job' : [ 0x124, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x128, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x12c, ['pointer', ['void']]], 'Cookie' : [ 0x130, ['unsigned long']], 'Spare8' : [ 0x134, ['unsigned long']], 'WorkingSetWatch' : [ 0x138, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x13c, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x140, ['pointer', ['void']]], 'LdtInformation' : [ 0x144, ['pointer', ['void']]], 'VdmObjects' : [ 0x148, ['pointer', ['void']]], 'ConsoleHostProcess' : [ 0x14c, ['unsigned long']], 'DeviceMap' : [ 0x150, ['pointer', ['void']]], 'EtwDataSource' : [ 0x154, ['pointer', ['void']]], 'FreeTebHint' : [ 0x158, ['pointer', ['void']]], 'PageDirectoryPte' : [ 0x160, ['_HARDWARE_PTE']], 'Filler' : [ 0x160, ['unsigned long long']], 'Session' : [ 0x168, ['pointer', ['void']]], 'ImageFileName' : [ 0x16c, ['array', 15, ['unsigned char']]], 'PriorityClass' : [ 0x17b, ['unsigned char']], 'JobLinks' : [ 0x17c, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x184, ['pointer', ['void']]], 'ThreadListHead' : [ 0x188, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x190, ['pointer', ['void']]], 'PaeTop' : [ 0x194, ['pointer', ['void']]], 'ActiveThreads' : [ 0x198, ['unsigned long']], 'ImagePathHash' : [ 0x19c, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x1a0, ['unsigned long']], 'LastThreadExitStatus' : [ 0x1a4, ['long']], 'Peb' : [ 0x1a8, ['pointer', ['_PEB']]], 'PrefetchTrace' : [ 0x1ac, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x1b0, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x1b8, ['_LARGE_INTEGER']], 
'OtherOperationCount' : [ 0x1c0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1c8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1d0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1d8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1e0, ['unsigned long']], 'CommitChargePeak' : [ 0x1e4, ['unsigned long']], 'AweInfo' : [ 0x1e8, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x1ec, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x1f0, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x25c, ['_LIST_ENTRY']], 'HighestUserAddress' : [ 0x264, ['pointer', ['void']]], 'ModifiedPageCount' : [ 0x268, ['unsigned long']], 'Flags2' : [ 0x26c, ['unsigned long']], 'JobNotReallyActive' : [ 0x26c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x26c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x26c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x26c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x26c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x26c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x26c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x26c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x26c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x26c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x26c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtectedProcess' : [ 0x26c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' 
: [ 0x26c, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x26c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x26c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x26c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x26c, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x26c, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'PropagateNode' : [ 0x26c, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'ExplicitAffinity' : [ 0x26c, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Flags' : [ 0x270, ['unsigned long']], 'CreateReported' : [ 0x270, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x270, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x270, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x270, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x270, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x270, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x270, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x270, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x270, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x270, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 
0x270, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x270, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x270, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x270, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x270, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x270, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x270, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x270, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x270, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x270, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x270, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x270, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x270, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x270, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x270, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x270, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x270, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x270, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SetTimerResolutionLink' : [ 0x270, ['BitField', 
dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x274, ['long']], 'VadRoot' : [ 0x278, ['_MM_AVL_TABLE']], 'AlpcContext' : [ 0x298, ['_ALPC_PROCESS_CONTEXT']], 'TimerResolutionLink' : [ 0x2a8, ['_LIST_ENTRY']], 'RequestedTimerResolution' : [ 0x2b0, ['unsigned long']], 'ActiveThreadsHighWatermark' : [ 0x2b4, ['unsigned long']], 'SmallestTimerResolution' : [ 0x2b8, ['unsigned long']], 'TimerResolutionStackRecord' : [ 0x2bc, ['pointer', ['_PO_DIAG_STACK_RECORD']]], } ], '_KPROCESS' : [ 0x98, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['unsigned long']], 'LdtDescriptor' : [ 0x1c, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x24, ['_KIDTENTRY']], 'ThreadListHead' : [ 0x2c, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x34, ['unsigned long']], 'Affinity' : [ 0x38, ['_KAFFINITY_EX']], 'ReadyListHead' : [ 0x44, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x4c, ['_SINGLE_LIST_ENTRY']], 'ActiveProcessors' : [ 0x50, ['_KAFFINITY_EX']], 'AutoAlignment' : [ 0x5c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x5c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x5c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ActiveGroupsMask' : [ 0x5c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReservedFlags' : [ 0x5c, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x5c, ['long']], 'BasePriority' : [ 0x60, ['unsigned char']], 'QuantumReset' : [ 0x61, ['unsigned char']], 'Visited' : [ 0x62, ['unsigned char']], 'Unused3' : [ 0x63, ['unsigned char']], 'ThreadSeed' : [ 0x64, ['array', 1, ['unsigned long']]], 'IdealNode' : [ 0x68, ['array', 1, ['unsigned short']]], 'IdealGlobalNode' : [ 0x6a, ['unsigned short']], 'Flags' : [ 0x6c, ['_KEXECUTE_OPTIONS']], 'Unused1' : [ 0x6d, ['unsigned char']], 'IopmOffset' : [ 0x6e, 
['unsigned short']], 'Unused4' : [ 0x70, ['unsigned long']], 'StackCount' : [ 0x74, ['_KSTACK_COUNT']], 'ProcessListEntry' : [ 0x78, ['_LIST_ENTRY']], 'CycleTime' : [ 0x80, ['unsigned long long']], 'KernelTime' : [ 0x88, ['unsigned long']], 'UserTime' : [ 0x8c, ['unsigned long']], 'VdmTrapcHandler' : [ 0x90, ['pointer', ['void']]], } ], '__unnamed_1293' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_1293']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '_AUX_ACCESS_DATA' : [ 0xc0, { 'PrivilegesUsed' : [ 0x0, ['pointer', ['_PRIVILEGE_SET']]], 'GenericMapping' : [ 0x4, ['_GENERIC_MAPPING']], 'AccessesToAudit' : [ 0x14, ['unsigned long']], 'MaximumAuditMask' : [ 0x18, ['unsigned long']], 'TransactionId' : [ 0x1c, ['_GUID']], 'NewSecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'ExistingSecurityDescriptor' : [ 0x30, ['pointer', ['void']]], 'ParentSecurityDescriptor' : [ 0x34, ['pointer', ['void']]], 'DeRefSecurityDescriptor' : [ 0x38, ['pointer', ['void']]], 'SDLock' : [ 0x3c, ['pointer', ['void']]], 'AccessReasons' : [ 0x40, ['_ACCESS_REASONS']], } ], '__unnamed_12a2' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, 
['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_12a7' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_12a9' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_12a7']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_12b4' : [ 0x28, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_12b6' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_12b4']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_12a2']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_12a9']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_12b6']], } ], '__unnamed_12bd' : [ 0x10, { 
'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_12c1' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_12c5' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_12c7' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_12cb' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 
'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_12cd' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_12cf' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 
'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], } ], '__unnamed_12d1' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 
'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileIsRemoteDeviceInformation', 52: 'FileAttributeCacheInformation', 53: 'FileNumaNodeInformation', 54: 'FileStandardLinkInformation', 55: 'FileRemoteProtocolInformation', 56: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_12d3' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_12d5' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_12d9' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 
'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'})]], } ], '__unnamed_12db' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_12de' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_12e0' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_12e2' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_12e4' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_12e8' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_12ec' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_12f0' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_12f4' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations', 6: 'TransportRelations'})]], } ], '__unnamed_12fa' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 
'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_12fe' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1302' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1304' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_1306' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_130a' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber', 5: 'BusQueryContainerID'})]], } ], '__unnamed_130e' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_1312' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_1316' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_131a' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_1322' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, 
['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_1326' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_1328' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_132a' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_132c' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_12bd']], 'CreatePipe' : [ 0x0, ['__unnamed_12c1']], 'CreateMailslot' : [ 0x0, ['__unnamed_12c5']], 'Read' : [ 0x0, ['__unnamed_12c7']], 'Write' : [ 0x0, ['__unnamed_12c7']], 'QueryDirectory' : [ 0x0, ['__unnamed_12cb']], 'NotifyDirectory' : [ 0x0, ['__unnamed_12cd']], 'QueryFile' : [ 0x0, ['__unnamed_12cf']], 'SetFile' : [ 0x0, ['__unnamed_12d1']], 'QueryEa' : [ 0x0, ['__unnamed_12d3']], 'SetEa' : [ 0x0, ['__unnamed_12d5']], 'QueryVolume' : [ 0x0, ['__unnamed_12d9']], 'SetVolume' : [ 0x0, ['__unnamed_12d9']], 'FileSystemControl' : [ 0x0, ['__unnamed_12db']], 'LockControl' : [ 0x0, ['__unnamed_12de']], 'DeviceIoControl' : [ 0x0, ['__unnamed_12e0']], 'QuerySecurity' : [ 0x0, ['__unnamed_12e2']], 'SetSecurity' : [ 0x0, ['__unnamed_12e4']], 'MountVolume' : [ 0x0, ['__unnamed_12e8']], 'VerifyVolume' : [ 0x0, ['__unnamed_12e8']], 'Scsi' : [ 0x0, 
['__unnamed_12ec']], 'QueryQuota' : [ 0x0, ['__unnamed_12f0']], 'SetQuota' : [ 0x0, ['__unnamed_12d5']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_12f4']], 'QueryInterface' : [ 0x0, ['__unnamed_12fa']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_12fe']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1302']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1304']], 'SetLock' : [ 0x0, ['__unnamed_1306']], 'QueryId' : [ 0x0, ['__unnamed_130a']], 'QueryDeviceText' : [ 0x0, ['__unnamed_130e']], 'UsageNotification' : [ 0x0, ['__unnamed_1312']], 'WaitWake' : [ 0x0, ['__unnamed_1316']], 'PowerSequence' : [ 0x0, ['__unnamed_131a']], 'Power' : [ 0x0, ['__unnamed_1322']], 'StartDevice' : [ 0x0, ['__unnamed_1326']], 'WMI' : [ 0x0, ['__unnamed_1328']], 'Others' : [ 0x0, ['__unnamed_132a']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_132c']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '__unnamed_1342' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 
0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_1342']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '_KDPC' : [ 0x20, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x4, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x10, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x4, ['pointer', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x8, ['pointer', ['void']]], 'TxnParameters' : [ 0xc, ['pointer', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' 
: [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0x80, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0x70, ['unsigned long']], 'IrpList' : [ 0x74, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0x7c, 
['pointer', ['void']]], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x38, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0x8, ['unsigned long']], 'CurrentFileIndex' : [ 0x8, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x24, ['pointer', ['unsigned long']]], 'FirstFileEntry' : [ 0x28, ['pointer', ['unsigned long']]], 'Process' : [ 0x2c, ['pointer', ['_EPROCESS']]], 'SessionId' : [ 0x30, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer', ['unsigned long']]], 'LastPageFrameEntry' : [ 0x24, ['pointer', ['unsigned long']]], } ], '_WHEA_ERROR_PACKET_V2' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['_WHEA_ERROR_PACKET_FLAGS']], 'ErrorType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ErrorSourceId' : [ 0x18, ['unsigned long']], 'ErrorSourceType' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 
'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'NotifyType' : [ 0x20, ['_GUID']], 'Context' : [ 0x30, ['unsigned long long']], 'DataFormat' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'WheaDataFormatIPFSalRecord', 1: 'WheaDataFormatXPFMCA', 2: 'WheaDataFormatMemory', 3: 'WheaDataFormatPCIExpress', 4: 'WheaDataFormatNMIPort', 5: 'WheaDataFormatPCIXBus', 6: 'WheaDataFormatPCIXDevice', 7: 'WheaDataFormatGeneric', 8: 'WheaDataFormatMax'})]], 'Reserved1' : [ 0x3c, ['unsigned long']], 'DataOffset' : [ 0x40, ['unsigned long']], 'DataLength' : [ 0x44, ['unsigned long']], 'PshedDataOffset' : [ 0x48, ['unsigned long']], 'PshedDataLength' : [ 0x4c, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_FSRTL_ADVANCED_FCB_HEADER' : [ 0x40, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned char']], 
'IsFastIoPossible' : [ 0x5, ['unsigned char']], 'Flags2' : [ 0x6, ['unsigned char']], 'Reserved' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned char')]], 'Version' : [ 0x7, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Resource' : [ 0x8, ['pointer', ['_ERESOURCE']]], 'PagingIoResource' : [ 0xc, ['pointer', ['_ERESOURCE']]], 'AllocationSize' : [ 0x10, ['_LARGE_INTEGER']], 'FileSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'FastMutex' : [ 0x28, ['pointer', ['_FAST_MUTEX']]], 'FilterContexts' : [ 0x2c, ['_LIST_ENTRY']], 'PushLock' : [ 0x34, ['_EX_PUSH_LOCK']], 'FileContextSupportPointer' : [ 0x38, ['pointer', ['pointer', ['void']]]], } ], '_iobuf' : [ 0x20, { '_ptr' : [ 0x0, ['pointer', ['unsigned char']]], '_cnt' : [ 0x4, ['long']], '_base' : [ 0x8, ['pointer', ['unsigned char']]], '_flag' : [ 0xc, ['long']], '_file' : [ 0x10, ['long']], '_charbuf' : [ 0x14, ['long']], '_bufsiz' : [ 0x18, ['long']], '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]], } ], '__unnamed_14af' : [ 0x4, { 'Long' : [ 0x0, ['unsigned long']], 'VolatileLong' : [ 0x0, ['unsigned long']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_14af']], } ], '__unnamed_14c0' : [ 0xc, { 'I386' : [ 0x0, ['_I386_LOADER_BLOCK']], 'Ia64' : [ 0x0, ['_IA64_LOADER_BLOCK']], } ], '_LOADER_PARAMETER_BLOCK' : [ 0x88, { 'OsMajorVersion' : [ 0x0, ['unsigned long']], 'OsMinorVersion' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'LoadOrderListHead' : [ 0x10, ['_LIST_ENTRY']], 'MemoryDescriptorListHead' : [ 0x18, ['_LIST_ENTRY']], 
'BootDriverListHead' : [ 0x20, ['_LIST_ENTRY']], 'KernelStack' : [ 0x28, ['unsigned long']], 'Prcb' : [ 0x2c, ['unsigned long']], 'Process' : [ 0x30, ['unsigned long']], 'Thread' : [ 0x34, ['unsigned long']], 'RegistryLength' : [ 0x38, ['unsigned long']], 'RegistryBase' : [ 0x3c, ['pointer', ['void']]], 'ConfigurationRoot' : [ 0x40, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'ArcBootDeviceName' : [ 0x44, ['pointer', ['unsigned char']]], 'ArcHalDeviceName' : [ 0x48, ['pointer', ['unsigned char']]], 'NtBootPathName' : [ 0x4c, ['pointer', ['unsigned char']]], 'NtHalPathName' : [ 0x50, ['pointer', ['unsigned char']]], 'LoadOptions' : [ 0x54, ['pointer', ['unsigned char']]], 'NlsData' : [ 0x58, ['pointer', ['_NLS_DATA_BLOCK']]], 'ArcDiskInformation' : [ 0x5c, ['pointer', ['_ARC_DISK_INFORMATION']]], 'OemFontFile' : [ 0x60, ['pointer', ['void']]], 'Extension' : [ 0x64, ['pointer', ['_LOADER_PARAMETER_EXTENSION']]], 'u' : [ 0x68, ['__unnamed_14c0']], 'FirmwareInformation' : [ 0x74, ['_FIRMWARE_INFORMATION_LOADER_BLOCK']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_MMPFNLIST' : [ 0x14, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], 'Lock' : [ 0x10, ['unsigned long']], } ], '__unnamed_14f1' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer', ['void']]], 'VolatileNext' : [ 0x0, ['pointer', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], 
'__unnamed_14f3' : [ 0x4, { 'Blink' : [ 0x0, ['unsigned long']], 'ImageProtoPte' : [ 0x0, ['pointer', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long']], } ], '__unnamed_14f6' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_14f8' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_14f6']], } ], '__unnamed_14fd' : [ 0x4, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], } ], '_MMPFN' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_14f1']], 'u2' : [ 0x4, ['__unnamed_14f3']], 'PteAddress' : [ 0x8, ['pointer', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x8, ['pointer', ['void']]], 'Lock' : [ 0x8, ['long']], 'PteLong' : [ 0x8, ['unsigned long']], 'u3' : [ 0xc, ['__unnamed_14f8']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'AweReferenceCount' : [ 0x10, ['long']], 'u4' : [ 0x14, ['__unnamed_14fd']], } ], '_MI_COLOR_BASE' : [ 0x8, { 'ColorPointer' : [ 0x0, ['pointer', ['unsigned short']]], 'ColorMask' : [ 0x4, ['unsigned short']], 'ColorNode' : [ 0x6, ['unsigned short']], } ], '_MMSUPPORT' : [ 0x6c, { 'WorkingSetMutex' : [ 0x0, ['_EX_PUSH_LOCK']], 'ExitGate' : [ 0x4, ['pointer', ['_KGATE']]], 'AccessLog' : [ 0x8, ['pointer', ['void']]], 'WorkingSetExpansionLinks' : [ 0xc, ['_LIST_ENTRY']], 'AgeDistribution' : [ 0x14, ['array', 7, ['unsigned long']]], 'MinimumWorkingSetSize' : [ 0x30, ['unsigned long']], 'WorkingSetSize' : [ 0x34, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x38, ['unsigned long']], 
'MaximumWorkingSetSize' : [ 0x3c, ['unsigned long']], 'ChargedWslePages' : [ 0x40, ['unsigned long']], 'ActualWslePages' : [ 0x44, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x48, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x4c, ['unsigned long']], 'HardFaultCount' : [ 0x50, ['unsigned long']], 'VmWorkingSetList' : [ 0x54, ['pointer', ['_MMWSL']]], 'NextPageColor' : [ 0x58, ['unsigned short']], 'LastTrimStamp' : [ 0x5a, ['unsigned short']], 'PageFaultCount' : [ 0x5c, ['unsigned long']], 'RepurposeCount' : [ 0x60, ['unsigned long']], 'Spare' : [ 0x64, ['array', 1, ['unsigned long']]], 'Flags' : [ 0x68, ['_MMSUPPORT_FLAGS']], } ], '_MMWSL' : [ 0x6a8, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer', ['_MMWSLE']]], 'LowestPagableAddress' : [ 0x14, ['pointer', ['void']]], 'LastInitializedWsle' : [ 0x18, ['unsigned long']], 'NextAgingSlot' : [ 0x1c, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x20, ['unsigned long']], 'VadBitMapHint' : [ 0x24, ['unsigned long']], 'NonDirectCount' : [ 0x28, ['unsigned long']], 'LastVadBit' : [ 0x2c, ['unsigned long']], 'MaximumLastVadBit' : [ 0x30, ['unsigned long']], 'LastAllocationSizeHint' : [ 0x34, ['unsigned long']], 'LastAllocationSize' : [ 0x38, ['unsigned long']], 'NonDirectHash' : [ 0x3c, ['pointer', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x40, ['pointer', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x44, ['pointer', ['_MMWSLE_HASH']]], 'UsedPageTableEntries' : [ 0x48, ['array', 768, ['unsigned short']]], 'CommittedPageTables' : [ 0x648, ['array', 24, ['unsigned long']]], } ], '__unnamed_152d' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_152d']], } ], '__unnamed_153c' : [ 
0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1546' : [ 0xc, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 30, native_type='unsigned long')]], 'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer', ['_MM_SUBSECTION_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1548' : [ 0xc, { 'e2' : [ 0x0, ['__unnamed_1546']], } ], '_CONTROL_AREA' : [ 0x50, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfUserReferences' : [ 0x18, ['unsigned long']], 'u' : [ 0x1c, ['__unnamed_153c']], 'FlushInProgressCount' : [ 0x20, ['unsigned long']], 'FilePointer' : [ 0x24, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x28, ['long']], 'ModifiedWriteCount' : [ 0x2c, ['unsigned long']], 'StartingFrame' : [ 0x2c, ['unsigned long']], 'WaitingForDeletion' : [ 0x30, ['pointer', ['_MI_SECTION_CREATION_GATE']]], 'u2' : [ 0x34, ['__unnamed_1548']], 'LockedPages' : [ 0x40, ['long long']], 'ViewList' : [ 0x48, ['_LIST_ENTRY']], } ], '_MM_STORE_KEY' : [ 0x4, { 'KeyLow' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 28, native_type='unsigned long')]], 'KeyHigh' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'EntireKey' : [ 0x0, ['unsigned long']], } ], '_MMPAGING_FILE' : [ 
0x50, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'PeakUsage' : [ 0x10, ['unsigned long']], 'HighestPage' : [ 0x14, ['unsigned long']], 'File' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'Entry' : [ 0x1c, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x24, ['_UNICODE_STRING']], 'Bitmap' : [ 0x2c, ['pointer', ['_RTL_BITMAP']]], 'EvictStoreBitmap' : [ 0x30, ['pointer', ['_RTL_BITMAP']]], 'BitmapHint' : [ 0x34, ['unsigned long']], 'LastAllocationSize' : [ 0x38, ['unsigned long']], 'ToBeEvictedCount' : [ 0x3c, ['unsigned long']], 'PageFileNumber' : [ 0x40, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x40, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Spare0' : [ 0x40, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x42, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare1' : [ 0x42, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'FileHandle' : [ 0x44, ['pointer', ['void']]], 'Lock' : [ 0x48, ['unsigned long']], 'LockOwner' : [ 0x4c, ['pointer', ['_ETHREAD']]], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_MM_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x14, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x14, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x18, ['pointer', ['void']]], 'NodeFreeHint' : [ 0x1c, ['pointer', ['void']]], } ], '__unnamed_1581' : [ 0x4, { 'Balance' : [ 0x0, 
['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMVAD']]], } ], '__unnamed_1584' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_1587' : [ 0x4, { 'LongFlags3' : [ 0x0, ['unsigned long']], 'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']], } ], '_MMVAD_SHORT' : [ 0x20, { 'u1' : [ 0x0, ['__unnamed_1581']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1584']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_1587']], } ], '__unnamed_158f' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x14, { 'u1' : [ 0x0, ['__unnamed_158f']], 'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x8, ['pointer', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], } ], '__unnamed_1594' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x3c, { 'u1' : [ 0x0, ['__unnamed_1581']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1584']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_1587']], 'u2' : [ 0x20, ['__unnamed_1594']], 'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x24, ['pointer', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]], 'ViewLinks' : [ 0x30, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x38, ['pointer', ['_EPROCESS']]], } ], '__unnamed_159f' : [ 0x20, 
{ 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x1c, ['array', 1, ['unsigned long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x40, { 'Status' : [ 0x0, ['long']], 'Priority' : [ 0x4, ['unsigned char']], 'IrpPriority' : [ 0x5, ['unsigned char']], 'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x10, ['unsigned long']], 'ModifiedPagesTotal' : [ 0x14, ['unsigned long']], 'ModifiedPagefilePages' : [ 0x18, ['unsigned long']], 'ModifiedNoWritePages' : [ 0x1c, ['unsigned long']], 'MdlHack' : [ 0x20, ['__unnamed_159f']], } ], '__unnamed_15a5' : [ 0x8, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '__unnamed_15a7' : [ 0x4, { 'KeepForever' : [ 0x0, ['unsigned long']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0x60, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x8, ['__unnamed_15a5']], 'Irp' : [ 0x10, ['pointer', ['_IRP']]], 'u1' : [ 0x14, ['__unnamed_15a7']], 'PagingFile' : [ 0x18, ['pointer', ['_MMPAGING_FILE']]], 'File' : [ 0x1c, ['pointer', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x20, ['pointer', ['_CONTROL_AREA']]], 'FileResource' : [ 0x24, ['pointer', ['_ERESOURCE']]], 'WriteOffset' : [ 0x28, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x30, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x38, ['pointer', ['_MDL']]], 'Mdl' : [ 0x3c, ['_MDL']], 'Page' : [ 0x58, ['array', 1, ['unsigned long']]], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_HHIVE' : [ 0x2ec, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x4, ['pointer', ['void']]], 'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]], 'Allocate' : [ 0xc, ['pointer', ['void']]], 'Free' : [ 0x10, ['pointer', ['void']]], 'FileSetSize' : [ 0x14, ['pointer', ['void']]], 'FileWrite' : [ 0x18, ['pointer', ['void']]], 
'FileRead' : [ 0x1c, ['pointer', ['void']]], 'FileFlush' : [ 0x20, ['pointer', ['void']]], 'HiveLoadFailure' : [ 0x24, ['pointer', ['void']]], 'BaseBlock' : [ 0x28, ['pointer', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x2c, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x34, ['unsigned long']], 'DirtyAlloc' : [ 0x38, ['unsigned long']], 'BaseBlockAlloc' : [ 0x3c, ['unsigned long']], 'Cluster' : [ 0x40, ['unsigned long']], 'Flat' : [ 0x44, ['unsigned char']], 'ReadOnly' : [ 0x45, ['unsigned char']], 'DirtyFlag' : [ 0x46, ['unsigned char']], 'HvBinHeadersUse' : [ 0x48, ['unsigned long']], 'HvFreeCellsUse' : [ 0x4c, ['unsigned long']], 'HvUsedCellsUse' : [ 0x50, ['unsigned long']], 'CmUsedCellsUse' : [ 0x54, ['unsigned long']], 'HiveFlags' : [ 0x58, ['unsigned long']], 'CurrentLog' : [ 0x5c, ['unsigned long']], 'LogSize' : [ 0x60, ['array', 2, ['unsigned long']]], 'RefreshCount' : [ 0x68, ['unsigned long']], 'StorageTypeCount' : [ 0x6c, ['unsigned long']], 'Version' : [ 0x70, ['unsigned long']], 'Storage' : [ 0x74, ['array', 2, ['_DUAL']]], } ], '_CM_VIEW_OF_FILE' : [ 0x30, { 'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'PinnedViewLinks' : [ 0x8, ['_LIST_ENTRY']], 'FlushedViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'CmHive' : [ 0x18, ['pointer', ['_CMHIVE']]], 'Bcb' : [ 0x1c, ['pointer', ['void']]], 'ViewAddress' : [ 0x20, ['pointer', ['void']]], 'FileOffset' : [ 0x24, ['unsigned long']], 'Size' : [ 0x28, ['unsigned long']], 'UseCount' : [ 0x2c, ['unsigned long']], } ], '_CMHIVE' : [ 0x638, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x2ec, ['array', 6, ['pointer', ['void']]]], 'NotifyList' : [ 0x304, ['_LIST_ENTRY']], 'HiveList' : [ 0x30c, ['_LIST_ENTRY']], 'PreloadedHiveList' : [ 0x314, ['_LIST_ENTRY']], 'HiveRundown' : [ 0x31c, ['_EX_RUNDOWN_REF']], 'ParseCacheEntries' : [ 0x320, ['_LIST_ENTRY']], 'KcbCacheTable' : [ 0x328, ['pointer', ['_CM_KEY_HASH_TABLE_ENTRY']]], 'KcbCacheTableSize' : [ 0x32c, ['unsigned long']], 'Identity' : [ 0x330, ['unsigned long']], 'HiveLock' : [ 
0x334, ['pointer', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x338, ['_EX_PUSH_LOCK']], 'ViewLockOwner' : [ 0x33c, ['pointer', ['_KTHREAD']]], 'ViewLockLast' : [ 0x340, ['unsigned long']], 'ViewUnLockLast' : [ 0x344, ['unsigned long']], 'WriterLock' : [ 0x348, ['pointer', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x34c, ['pointer', ['_ERESOURCE']]], 'FlushDirtyVector' : [ 0x350, ['_RTL_BITMAP']], 'FlushOffsetArray' : [ 0x358, ['pointer', ['CMP_OFFSET_ARRAY']]], 'FlushOffsetArrayCount' : [ 0x35c, ['unsigned long']], 'FlushHiveTruncated' : [ 0x360, ['unsigned long']], 'FlushLock2' : [ 0x364, ['pointer', ['_FAST_MUTEX']]], 'SecurityLock' : [ 0x368, ['_EX_PUSH_LOCK']], 'MappedViewList' : [ 0x36c, ['_LIST_ENTRY']], 'PinnedViewList' : [ 0x374, ['_LIST_ENTRY']], 'FlushedViewList' : [ 0x37c, ['_LIST_ENTRY']], 'MappedViewCount' : [ 0x384, ['unsigned short']], 'PinnedViewCount' : [ 0x386, ['unsigned short']], 'UseCount' : [ 0x388, ['unsigned long']], 'ViewsPerHive' : [ 0x38c, ['unsigned long']], 'FileObject' : [ 0x390, ['pointer', ['_FILE_OBJECT']]], 'LastShrinkHiveSize' : [ 0x394, ['unsigned long']], 'ActualFileSize' : [ 0x398, ['_LARGE_INTEGER']], 'FileFullPath' : [ 0x3a0, ['_UNICODE_STRING']], 'FileUserName' : [ 0x3a8, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x3b0, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x3b8, ['unsigned long']], 'SecurityCacheSize' : [ 0x3bc, ['unsigned long']], 'SecurityHitHint' : [ 0x3c0, ['long']], 'SecurityCache' : [ 0x3c4, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x3c8, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0x5c8, ['unsigned long']], 'UnloadEventArray' : [ 0x5cc, ['pointer', ['pointer', ['_KEVENT']]]], 'RootKcb' : [ 0x5d0, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x5d4, ['unsigned char']], 'UnloadWorkItem' : [ 0x5d8, ['pointer', ['_CM_WORKITEM']]], 'UnloadWorkItemHolder' : [ 0x5dc, ['_CM_WORKITEM']], 'GrowOnlyMode' : [ 0x5f0, ['unsigned char']], 'GrowOffset' : [ 0x5f4, ['unsigned long']], 
'KcbConvertListHead' : [ 0x5f8, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0x600, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x608, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0x60c, ['unsigned long']], 'TrustClassEntry' : [ 0x610, ['_LIST_ENTRY']], 'FlushCount' : [ 0x618, ['unsigned long']], 'CmRm' : [ 0x61c, ['pointer', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0x620, ['unsigned long']], 'CmRmInitFailStatus' : [ 0x624, ['long']], 'CreatorOwner' : [ 0x628, ['pointer', ['_KTHREAD']]], 'RundownThread' : [ 0x62c, ['pointer', ['_KTHREAD']]], 'LastWriteTime' : [ 0x630, ['_LARGE_INTEGER']], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0xa0, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HiveUnloaded' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Decommissioned' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'LockTablePresent' : [ 0x4, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 21, end_bit = 31, native_type='unsigned long')]], 'DelayedDeref' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DelayedClose' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Parking' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'KeyHash' : [ 0xc, ['_CM_KEY_HASH']], 'ConvKey' : [ 0xc, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x14, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], 'KcbPushlock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x20, ['pointer', 
['_KTHREAD']]], 'SharedCount' : [ 0x20, ['long']], 'SlotHint' : [ 0x24, ['unsigned long']], 'ParentKcb' : [ 0x28, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x2c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x30, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x34, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x3c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x3c, ['unsigned long']], 'SubKeyCount' : [ 0x3c, ['unsigned long']], 'KeyBodyListHead' : [ 0x40, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x40, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x48, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'KcbLastWriteTime' : [ 0x58, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x60, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x62, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x64, ['unsigned long']], 'KcbUserFlags' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x68, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KCBUoWListHead' : [ 0x6c, ['_LIST_ENTRY']], 'DelayQueueEntry' : [ 0x74, ['_LIST_ENTRY']], 'Stolen' : [ 0x74, ['pointer', ['unsigned char']]], 'TransKCBOwner' : [ 0x7c, ['pointer', ['_CM_TRANS']]], 'KCBLock' : [ 0x80, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x88, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x90, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x98, ['pointer', ['_CM_TRANS']]], 'FullKCBName' : [ 0x9c, ['pointer', ['_UNICODE_STRING']]], } ], '_CM_KEY_HASH_TABLE_ENTRY' : [ 0xc, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Entry' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], } ], '__unnamed_162c' : [ 0xc, { 'Failure' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: '_None', 1: 
'_CmInitializeHive', 2: '_HvInitializeHive', 3: '_HvpBuildMap', 4: '_HvpBuildMapAndCopy', 5: '_HvpInitMap', 6: '_HvLoadHive', 7: '_HvpReadFileImageAndBuildMap', 8: '_HvpRecoverData', 9: '_HvpRecoverWholeHive', 10: '_HvpMapFileImageAndBuildMap', 11: '_CmpValidateHiveSecurityDescriptors', 12: '_HvpEnlistBinInMap', 13: '_CmCheckRegistry', 14: '_CmRegistryIO', 15: '_CmCheckRegistry2', 16: '_CmpCheckKey', 17: '_CmpCheckValueList', 18: '_HvCheckHive', 19: '_HvCheckBin'})]], 'Status' : [ 0x4, ['long']], 'Point' : [ 0x8, ['unsigned long']], } ], '__unnamed_162f' : [ 0xc, { 'Action' : [ 0x0, ['unsigned long']], 'Handle' : [ 0x4, ['pointer', ['void']]], 'Status' : [ 0x8, ['long']], } ], '__unnamed_1631' : [ 0x4, { 'CheckStack' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1633' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CellPoint' : [ 0x4, ['pointer', ['_CELL_DATA']]], 'RootPoint' : [ 0x8, ['pointer', ['void']]], 'Index' : [ 0xc, ['unsigned long']], } ], '__unnamed_1635' : [ 0x10, { 'List' : [ 0x0, ['pointer', ['_CELL_DATA']]], 'Index' : [ 0x4, ['unsigned long']], 'Cell' : [ 0x8, ['unsigned long']], 'CellPoint' : [ 0xc, ['pointer', ['_CELL_DATA']]], } ], '__unnamed_1639' : [ 0xc, { 'Space' : [ 0x0, ['unsigned long']], 'MapPoint' : [ 0x4, ['unsigned long']], 'BinPoint' : [ 0x8, ['pointer', ['_HBIN']]], } ], '__unnamed_163d' : [ 0x8, { 'Bin' : [ 0x0, ['pointer', ['_HBIN']]], 'CellPoint' : [ 0x4, ['pointer', ['_HCELL']]], } ], '__unnamed_163f' : [ 0x4, { 'FileOffset' : [ 0x0, ['unsigned long']], } ], '_HIVE_LOAD_FAILURE' : [ 0x120, { 'Hive' : [ 0x0, ['pointer', ['_HHIVE']]], 'Index' : [ 0x4, ['unsigned long']], 'RecoverableIndex' : [ 0x8, ['unsigned long']], 'Locations' : [ 0xc, ['array', 8, ['__unnamed_162c']]], 'RecoverableLocations' : [ 0x6c, ['array', 8, ['__unnamed_162c']]], 'RegistryIO' : [ 0xcc, ['__unnamed_162f']], 'CheckRegistry2' : [ 0xd8, ['__unnamed_1631']], 'CheckKey' : [ 0xdc, ['__unnamed_1633']], 'CheckValueList' : [ 0xec, ['__unnamed_1635']], 
'CheckHive' : [ 0xfc, ['__unnamed_1639']], 'CheckHive1' : [ 0x108, ['__unnamed_1639']], 'CheckBin' : [ 0x114, ['__unnamed_163d']], 'RecoverData' : [ 0x11c, ['__unnamed_163f']], } ], '_PCW_COUNTER_DESCRIPTOR' : [ 0x8, { 'Id' : [ 0x0, ['unsigned short']], 'StructIndex' : [ 0x2, ['unsigned short']], 'Offset' : [ 0x4, ['unsigned short']], 'Size' : [ 0x6, ['unsigned short']], } ], '_PCW_REGISTRATION_INFORMATION' : [ 0x18, { 'Version' : [ 0x0, ['unsigned long']], 'Name' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'CounterCount' : [ 0x8, ['unsigned long']], 'Counters' : [ 0xc, ['pointer', ['_PCW_COUNTER_DESCRIPTOR']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'CallbackContext' : [ 0x14, ['pointer', ['void']]], } ], '_PCW_PROCESSOR_INFO' : [ 0x80, { 'IdleTime' : [ 0x0, ['unsigned long long']], 'AvailableTime' : [ 0x8, ['unsigned long long']], 'UserTime' : [ 0x10, ['unsigned long long']], 'KernelTime' : [ 0x18, ['unsigned long long']], 'Interrupts' : [ 0x20, ['unsigned long']], 'DpcTime' : [ 0x28, ['unsigned long long']], 'InterruptTime' : [ 0x30, ['unsigned long long']], 'DpcCount' : [ 0x38, ['unsigned long']], 'DpcRate' : [ 0x3c, ['unsigned long']], 'C1Time' : [ 0x40, ['unsigned long long']], 'C2Time' : [ 0x48, ['unsigned long long']], 'C3Time' : [ 0x50, ['unsigned long long']], 'C1Transitions' : [ 0x58, ['unsigned long long']], 'C2Transitions' : [ 0x60, ['unsigned long long']], 'C3Transitions' : [ 0x68, ['unsigned long long']], 'ParkingStatus' : [ 0x70, ['unsigned long']], 'CurrentFrequency' : [ 0x74, ['unsigned long']], 'PercentMaxFrequency' : [ 0x78, ['unsigned long']], 'StateFlags' : [ 0x7c, ['unsigned long']], } ], '_PCW_DATA' : [ 0x8, { 'Data' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], } ], '_ETW_PERF_COUNTERS' : [ 0x18, { 'TotalActiveSessions' : [ 0x0, ['long']], 'TotalBufferMemoryNonPagedPool' : [ 0x4, ['long']], 'TotalBufferMemoryPagedPool' : [ 0x8, ['long']], 'TotalGuidsEnabled' : [ 0xc, ['long']], 'TotalGuidsNotEnabled' : [ 0x10, 
['long']], 'TotalGuidsPreEnabled' : [ 0x14, ['long']], } ], '_ETW_SESSION_PERF_COUNTERS' : [ 0x18, { 'BufferMemoryPagedPool' : [ 0x0, ['long']], 'BufferMemoryNonPagedPool' : [ 0x4, ['long']], 'EventsLoggedCount' : [ 0x8, ['unsigned long long']], 'EventsLost' : [ 0x10, ['long']], 'NumConsumers' : [ 0x14, ['long']], } ], '_TEB32' : [ 0xfe4, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : 
[ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'EtwLocalData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'CurrentIdealProcessor' : [ 0xf74, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0xf74, ['unsigned long']], 'ReservedPad0' : [ 0xf74, ['unsigned char']], 'ReservedPad1' : [ 0xf75, ['unsigned char']], 'ReservedPad2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'MuiGeneration' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : 
[ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'SafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'SpareUlong0' : [ 0xfdc, ['unsigned long']], 
'ResourceRetValue' : [ 0xfe0, ['unsigned long']], } ], '_TEB64' : [ 0x1818, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, 
['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'EtwLocalData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'CurrentIdealProcessor' : [ 0x1744, ['_PROCESSOR_NUMBER']], 'IdealProcessorValue' : [ 0x1744, ['unsigned long']], 'ReservedPad0' : [ 0x1744, ['unsigned char']], 'ReservedPad1' : [ 0x1745, ['unsigned char']], 'ReservedPad2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'MuiGeneration' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' 
: [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'SafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'InDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'HasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'SkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'WerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'RanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'ClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'SuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'DisableUserStackWalk' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0x17ee, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'InitialThread' : [ 0x17ee, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long 
long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'SpareUlong0' : [ 0x180c, ['unsigned long']], 'ResourceRetValue' : [ 0x1810, ['unsigned long long']], } ], '_KTIMER_TABLE' : [ 0x1840, { 'TimerExpiry' : [ 0x0, ['array', 16, ['pointer', ['_KTIMER']]]], 'TimerEntries' : [ 0x40, ['array', 256, ['_KTIMER_TABLE_ENTRY']]], } ], '_KTIMER_TABLE_ENTRY' : [ 0x18, { 'Lock' : [ 0x0, ['unsigned long']], 'Entry' : [ 0x4, ['_LIST_ENTRY']], 'Time' : [ 0x10, ['_ULARGE_INTEGER']], } ], '_KAFFINITY_EX' : [ 0xc, { 'Count' : [ 0x0, ['unsigned short']], 'Size' : [ 0x2, ['unsigned short']], 'Reserved' : [ 0x4, ['unsigned long']], 'Bitmap' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_KAFFINITY_ENUMERATION_CONTEXT' : [ 0xc, { 'Affinity' : [ 0x0, ['pointer', ['_KAFFINITY_EX']]], 'CurrentMask' : [ 0x4, ['unsigned long']], 'CurrentIndex' : [ 0x8, ['unsigned short']], } ], '_GROUP_AFFINITY' : [ 0xc, { 'Mask' : [ 0x0, ['unsigned long']], 'Group' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['array', 3, ['unsigned short']]], } ], '_XSTATE_SAVE' : [ 0x20, { 'Reserved1' : [ 0x0, ['long long']], 'Reserved2' : [ 0x8, ['unsigned long']], 'Prev' : [ 0xc, ['pointer', ['_XSTATE_SAVE']]], 'Reserved3' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Thread' : [ 0x14, ['pointer', ['_KTHREAD']]], 'Reserved4' : [ 0x18, ['pointer', ['void']]], 'Level' : [ 0x1c, ['unsigned char']], 'XStateContext' : [ 0x0, ['_XSTATE_CONTEXT']], } ], '_XSAVE_AREA' : [ 0x240, { 'LegacyState' : [ 0x0, ['_XSAVE_FORMAT']], 'Header' : [ 0x200, ['_XSAVE_AREA_HEADER']], } ], '_FXSAVE_FORMAT' : [ 0x1e0, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned short']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned long']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned long']], 'MXCsr' : [ 0x18, ['unsigned 
long']], 'MXCsrMask' : [ 0x1c, ['unsigned long']], 'RegisterArea' : [ 0x20, ['array', 128, ['unsigned char']]], 'Reserved3' : [ 0xa0, ['array', 128, ['unsigned char']]], 'Reserved4' : [ 0x120, ['array', 192, ['unsigned char']]], } ], '_FNSAVE_FORMAT' : [ 0x6c, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], } ], '_KSTACK_AREA' : [ 0x210, { 'FnArea' : [ 0x0, ['_FNSAVE_FORMAT']], 'NpxFrame' : [ 0x0, ['_FXSAVE_FORMAT']], 'StackControl' : [ 0x1e0, ['_KERNEL_STACK_CONTROL']], 'Cr0NpxState' : [ 0x1fc, ['unsigned long']], 'Padding' : [ 0x200, ['array', 4, ['unsigned long']]], } ], '_KERNEL_STACK_CONTROL' : [ 0x1c, { 'PreviousTrapFrame' : [ 0x0, ['pointer', ['_KTRAP_FRAME']]], 'PreviousExceptionList' : [ 0x0, ['pointer', ['void']]], 'StackControlFlags' : [ 0x4, ['unsigned long']], 'PreviousLargeStack' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousSegmentsPresent' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExpandCalloutStack' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Previous' : [ 0x8, ['_KERNEL_STACK_SEGMENT']], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned short']], 'Logging' : [ 0x12, ['unsigned char']], 'Reserved' : [ 0x13, ['unsigned char']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, 
['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x2c, { 'DispatchedList' : [ 0x0, ['_LIST_ENTRY']], 'DispatchedCount' : [ 0x8, ['unsigned long']], 'CompletedList' : [ 0xc, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x14, ['_KSEMAPHORE']], 'SpinLock' : [ 0x28, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_DEVOBJ_EXTENSION' : [ 0x3c, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], 'DependentList' : [ 0x2c, ['_LIST_ENTRY']], 'ProviderList' : [ 
0x34, ['_LIST_ENTRY']], } ], '__unnamed_1742' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1744' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_1748' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x188, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'InstancePath' : [ 0x14, ['_UNICODE_STRING']], 'ServiceName' : [ 0x1c, ['_UNICODE_STRING']], 'PendingIrp' : [ 0x24, ['pointer', ['_IRP']]], 'Level' : [ 0x28, ['unsigned long']], 'Notify' : [ 0x2c, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x68, ['_PO_IRP_MANAGER']], 'State' : [ 0x78, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 
'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x7c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x80, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0xd0, ['unsigned long']], 'CompletionStatus' : [ 0xd4, ['long']], 'Flags' : [ 0xd8, ['unsigned long']], 'UserFlags' : [ 0xdc, ['unsigned long']], 'Problem' : [ 0xe0, ['unsigned long']], 'ResourceList' : [ 0xe4, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0xe8, ['pointer', ['_CM_RESOURCE_LIST']]], 'DuplicatePDO' : [ 0xec, 
['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xf0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xf4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xf8, ['unsigned long']], 'ChildInterfaceType' : [ 0xfc, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x100, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x104, ['unsigned short']], 'RemovalPolicy' : [ 0x106, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x107, ['unsigned char']], 'TargetDeviceNotify' : [ 0x108, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x110, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x118, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x120, ['unsigned short']], 'QueryTranslatorMask' : [ 0x122, ['unsigned short']], 'NoArbiterMask' : [ 0x124, ['unsigned short']], 'QueryArbiterMask' : [ 0x126, ['unsigned short']], 'OverUsed1' : [ 0x128, ['__unnamed_1742']], 'OverUsed2' : [ 0x12c, ['__unnamed_1744']], 'BootResources' : [ 0x130, ['pointer', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x134, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x138, ['unsigned long']], 'DockInfo' : [ 0x13c, ['__unnamed_1748']], 'DisableableDepends' : [ 0x14c, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x150, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x158, ['_LIST_ENTRY']], 
'DriverUnloadRetryCount' : [ 0x160, ['unsigned long']], 'PreviousParent' : [ 0x164, ['pointer', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x168, ['unsigned long']], 'NumaNodeIndex' : [ 0x16c, ['unsigned long']], 'ContainerID' : [ 0x170, ['_GUID']], 'OverrideFlags' : [ 0x180, ['unsigned char']], 'RequiresUnloadedDriver' : [ 0x181, ['unsigned char']], 'PendingEjectRelations' : [ 0x184, ['pointer', ['_PENDING_RELATIONS_LIST_ENTRY']]], } ], '_KNODE' : [ 0x80, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x8, ['array', 3, ['_SLIST_HEADER']]], 'Affinity' : [ 0x20, ['_GROUP_AFFINITY']], 'ProximityId' : [ 0x2c, ['unsigned long']], 'NodeNumber' : [ 0x30, ['unsigned short']], 'PrimaryNodeNumber' : [ 0x32, ['unsigned short']], 'MaximumProcessors' : [ 0x34, ['unsigned char']], 'Color' : [ 0x35, ['unsigned char']], 'Flags' : [ 0x36, ['_flags']], 'NodePad0' : [ 0x37, ['unsigned char']], 'Seed' : [ 0x38, ['unsigned long']], 'MmShiftedColor' : [ 0x3c, ['unsigned long']], 'FreeCount' : [ 0x40, ['array', 2, ['unsigned long']]], 'CachedKernelStacks' : [ 0x48, ['_CACHED_KSTACK_LIST']], 'ParkLock' : [ 0x60, ['long']], 'NodePad1' : [ 0x64, ['unsigned long']], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0xc, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x28, { 'PhysicalDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x4, ['unsigned long']], 'AllocationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0xc, ['unsigned long']], 'Position' : [ 0x10, ['unsigned long']], 'ResourceRequirements' : [ 0x14, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 
0x18, ['pointer', ['void']]], 'ResourceAssignment' : [ 0x1c, ['pointer', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x20, ['pointer', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x24, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 
0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 
'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_17f1' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, 
['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_17f1']], } ], '__unnamed_17f8' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 
'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_17f8']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_POP_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_VOLUME_CACHE_MAP' : [ 0x20, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0xc, ['_LIST_ENTRY']], 'Flags' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'PagesQueuedToDisk' : [ 0x1c, 
['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x160, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObjectFastRef' : [ 0x44, ['_EX_FAST_REF']], 'VacbLock' : [ 0x48, ['_EX_PUSH_LOCK']], 'DirtyPages' : [ 0x4c, ['unsigned long']], 'LoggedStreamLinks' : [ 0x50, ['_LIST_ENTRY']], 'SharedCacheMapLinks' : [ 0x58, ['_LIST_ENTRY']], 'Flags' : [ 0x60, ['unsigned long']], 'Status' : [ 0x64, ['long']], 'Mbcb' : [ 0x68, ['pointer', ['_MBCB']]], 'Section' : [ 0x6c, ['pointer', ['void']]], 'CreateEvent' : [ 0x70, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x74, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x78, ['unsigned long']], 'BeyondLastFlush' : [ 0x80, ['long long']], 'Callbacks' : [ 0x88, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x8c, ['pointer', ['void']]], 'PrivateList' : [ 0x90, ['_LIST_ENTRY']], 'LogHandle' : [ 0x98, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0x9c, ['pointer', ['void']]], 'DirtyPageThreshold' : [ 0xa0, ['unsigned long']], 'LazyWritePassCount' : [ 0xa4, ['unsigned long']], 'UninitializeEvent' : [ 0xa8, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'BcbLock' : [ 0xac, ['_KGUARDED_MUTEX']], 'LastUnmapBehindOffset' : [ 0xd0, ['_LARGE_INTEGER']], 'Event' : [ 0xd8, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0xe8, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0xf0, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x148, ['pointer', ['void']]], 'VolumeCacheMap' : [ 0x14c, ['pointer', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x150, ['unsigned long']], 'WritesInProgress' : [ 0x154, ['unsigned long']], 
'PipelinedReadAheadSize' : [ 0x158, ['unsigned long']], } ], '__unnamed_1868' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x20, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_1868']], 'Links' : [ 0x10, ['_LIST_ENTRY']], 'ArrayHead' : [ 0x18, ['pointer', ['_VACB_ARRAY_HEADER']]], } ], '_KGUARDED_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], 'KernelApcDisable' : [ 0x1c, ['short']], 'SpecialApcDisable' : [ 0x1e, ['short']], 'CombinedApcDisable' : [ 0x1c, ['unsigned long']], } ], '__unnamed_1886' : [ 0x4, { 'FileObject' : [ 0x0, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_1888' : [ 0x4, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_188a' : [ 0x4, { 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], } ], '__unnamed_188c' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_188e' : [ 0x4, { 'Read' : [ 0x0, ['__unnamed_1886']], 'Write' : [ 0x0, ['__unnamed_1888']], 'Event' : [ 0x0, ['__unnamed_188a']], 'Notification' : [ 0x0, ['__unnamed_188c']], } ], '_WORK_QUEUE_ENTRY' : [ 0x10, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'Parameters' : [ 0x8, ['__unnamed_188e']], 'Function' : [ 0xc, ['unsigned char']], } ], 'VACB_LEVEL_ALLOCATION_LIST' : [ 0x10, { 'VacbLevelList' : [ 0x0, ['_LIST_ENTRY']], 'VacbLevelWithBcbListHeads' : [ 0x8, ['pointer', ['void']]], 'VacbLevelsAllocated' : [ 0xc, ['unsigned long']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_HEAP_LIST_LOOKUP' : [ 0x24, { 'ExtendedLookup' : [ 0x0, ['pointer', ['_HEAP_LIST_LOOKUP']]], 
'ArraySize' : [ 0x4, ['unsigned long']], 'ExtraItem' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['unsigned long']], 'OutOfRangeItems' : [ 0x10, ['unsigned long']], 'BaseIndex' : [ 0x14, ['unsigned long']], 'ListHead' : [ 0x18, ['pointer', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x1c, ['pointer', ['unsigned long']]], 'ListHints' : [ 0x20, ['pointer', ['pointer', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x138, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], 'Flags' : [ 0x40, ['unsigned long']], 'ForceFlags' : [ 0x44, ['unsigned long']], 'CompatibilityFlags' : [ 0x48, ['unsigned long']], 'EncodeFlagMask' : [ 0x4c, ['unsigned long']], 'Encoding' : [ 0x50, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x58, ['unsigned long']], 'Interceptor' : [ 0x5c, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x60, ['unsigned long']], 'Signature' : [ 0x64, ['unsigned long']], 'SegmentReserve' : [ 0x68, ['unsigned long']], 'SegmentCommit' : [ 0x6c, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x70, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x74, ['unsigned long']], 'TotalFreeSize' : [ 0x78, ['unsigned long']], 'MaximumAllocationSize' : [ 0x7c, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x80, ['unsigned short']], 'HeaderValidateLength' : [ 0x82, ['unsigned short']], 'HeaderValidateCopy' : [ 0x84, ['pointer', ['void']]], 
'NextAvailableTagIndex' : [ 0x88, ['unsigned short']], 'MaximumTagIndex' : [ 0x8a, ['unsigned short']], 'TagEntries' : [ 0x8c, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0x90, ['_LIST_ENTRY']], 'AlignRound' : [ 0x98, ['unsigned long']], 'AlignMask' : [ 0x9c, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0xa0, ['_LIST_ENTRY']], 'SegmentList' : [ 0xa8, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0xb0, ['unsigned short']], 'NonDedicatedListLength' : [ 0xb4, ['unsigned long']], 'BlocksIndex' : [ 0xb8, ['pointer', ['void']]], 'UCRIndex' : [ 0xbc, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0xc0, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0xc4, ['_LIST_ENTRY']], 'LockVariable' : [ 0xcc, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xd0, ['pointer', ['void']]], 'FrontEndHeap' : [ 0xd4, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0xd8, ['unsigned short']], 'FrontEndHeapType' : [ 0xda, ['unsigned char']], 'Counters' : [ 0xdc, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x130, ['_HEAP_TUNING_PARAMETERS']], } ], '__unnamed_18df' : [ 0x18, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ], '_HEAP_LOCK' : [ 0x18, { 'Lock' : [ 0x0, ['__unnamed_18df']], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 
'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x40, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], 'FreeList' : [ 0x8, 
['_LIST_ENTRY']], } ], '_PEB' : [ 0x248, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x20, ['pointer', ['void']]], 'IFEOKey' : [ 0x24, ['pointer', ['void']]], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ProcessUsingFTH' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', 
dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'UserSharedInfoPtr' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'AtlThunkSListPtr32' : [ 0x34, ['unsigned long']], 'ApiSetMap' : [ 0x38, ['pointer', ['void']]], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'HotpatchInformation' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, 
['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['pointer', ['void']]], 'WerShipAssertPtr' : [ 0x234, ['pointer', ['void']]], 'pContextData' : [ 0x238, ['pointer', ['void']]], 'pImageHeaderHash' : [ 0x23c, ['pointer', ['void']]], 'TracingFlags' : [ 0x240, ['unsigned long']], 'HeapTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CritSecTracingEnabled' : [ 0x240, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'SpareTracingBits' : [ 0x240, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_PEB_LDR_DATA' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', 
['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], 'ShutdownInProgress' : [ 0x28, ['unsigned char']], 'ShutdownThreadId' : [ 0x2c, ['pointer', ['void']]], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x78, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'LoadedImports' : [ 0x44, ['pointer', ['void']]], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x4c, ['pointer', ['void']]], 'ForwarderLinks' : [ 0x50, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0x58, ['_LIST_ENTRY']], 'StaticLinks' : [ 0x60, ['_LIST_ENTRY']], 'ContextInformation' : [ 0x68, ['pointer', ['void']]], 'OriginalBase' : [ 0x6c, ['unsigned long']], 'LoadTime' : [ 0x70, ['_LARGE_INTEGER']], } ], '_HEAP_SUBSEGMENT' : [ 0x20, { 'LocalInfo' : [ 0x0, ['pointer', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x4, ['pointer', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x8, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x10, ['unsigned short']], 'Flags' : [ 0x12, ['unsigned short']], 'BlockCount' : [ 0x14, ['unsigned short']], 'SizeIndex' : [ 0x16, ['unsigned char']], 'AffinityIndex' : [ 0x17, ['unsigned char']], 'Alignment' : [ 0x10, ['array', 2, ['unsigned long']]], 
'SFreeListEntry' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x1c, ['unsigned long']], } ], '__unnamed_195e' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1960' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_195e']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1962' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_1964' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1962']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1960']], 'u2' : [ 0x4, ['__unnamed_1964']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], } ], '_BLOB_TYPE' : [ 0x24, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'CreatedObjects' : [ 0xc, ['unsigned long']], 'DeletedObjects' : [ 0x10, ['unsigned long']], 'DeleteProcedure' : [ 0x14, ['pointer', ['void']]], 'DestroyProcedure' : [ 0x18, ['pointer', ['void']]], 'UsualSize' : [ 0x1c, ['unsigned long']], 'LookasideIndex' : [ 0x20, ['unsigned long']], } ], '__unnamed_1980' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, 
native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1982' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1980']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x18, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'u1' : [ 0x8, ['__unnamed_1982']], 'ResourceId' : [ 0x9, ['unsigned char']], 'CachedReferences' : [ 0xa, ['short']], 'ReferenceCount' : [ 0xc, ['long']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'Pad' : [ 0x14, ['unsigned long']], } ], '__unnamed_1994' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1996' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1994']], } ], '_KALPC_SECTION' : [ 0x28, { 'SectionObject' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'HandleTable' : [ 0x8, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0xc, ['pointer', ['void']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0x14, ['pointer', ['_ALPC_PORT']]], 'u1' : [ 0x18, ['__unnamed_1996']], 'NumberOfRegions' : [ 0x1c, ['unsigned long']], 'RegionListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '__unnamed_199c' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_199e' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_199c']], } ], '_KALPC_REGION' : [ 0x30, { 'RegionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Section' : [ 0x8, ['pointer', ['_KALPC_SECTION']]], 'Offset' : [ 0xc, ['unsigned long']], 'Size' : [ 0x10, ['unsigned long']], 'ViewSize' : [ 0x14, ['unsigned long']], 'u1' : [ 0x18, ['__unnamed_199e']], 'NumberOfViews' : [ 0x1c, ['unsigned long']], 'ViewListHead' : [ 0x20, 
['_LIST_ENTRY']], 'ReadOnlyView' : [ 0x28, ['pointer', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x2c, ['pointer', ['_KALPC_VIEW']]], } ], '__unnamed_19a4' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_19a6' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19a4']], } ], '_KALPC_VIEW' : [ 0x34, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Region' : [ 0x8, ['pointer', ['_KALPC_REGION']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'Address' : [ 0x14, ['pointer', ['void']]], 'Size' : [ 0x18, ['unsigned long']], 'SecureViewHandle' : [ 0x1c, ['pointer', ['void']]], 'WriteAccessHandle' : [ 0x20, ['pointer', ['void']]], 'u1' : [ 0x24, ['__unnamed_19a6']], 'NumberOfOwnerMessages' : [ 0x28, ['unsigned long']], 'ProcessViewListEntry' : [ 0x2c, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x24, { 'ConnectionPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x4, ['pointer', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'CommunicationList' : [ 0xc, ['_LIST_ENTRY']], 'HandleTable' : [ 0x14, ['_ALPC_HANDLE_TABLE']], } ], '__unnamed_19c2' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', 
dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'EnableCompletionList' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], } ], '__unnamed_19c4' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19c2']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0xfc, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'CompletionPort' : [ 0x10, ['pointer', ['void']]], 'CompletionKey' : [ 0x14, ['pointer', ['void']]], 'CompletionPacketLookaside' : [ 0x18, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x1c, ['pointer', ['void']]], 'StaticSecurity' : [ 0x20, ['_SECURITY_CLIENT_CONTEXT']], 'MainQueue' : [ 0x5c, ['_LIST_ENTRY']], 'PendingQueue' : [ 0x64, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0x6c, ['_LIST_ENTRY']], 'WaitQueue' : [ 0x74, ['_LIST_ENTRY']], 'Semaphore' : [ 0x7c, ['pointer', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0x7c, ['pointer', ['_KEVENT']]], 
'PortAttributes' : [ 0x80, ['_ALPC_PORT_ATTRIBUTES']], 'Lock' : [ 0xac, ['_EX_PUSH_LOCK']], 'ResourceListLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0xb4, ['_LIST_ENTRY']], 'CompletionList' : [ 0xbc, ['pointer', ['_ALPC_COMPLETION_LIST']]], 'MessageZone' : [ 0xc0, ['pointer', ['_ALPC_MESSAGE_ZONE']]], 'CallbackObject' : [ 0xc4, ['pointer', ['_CALLBACK_OBJECT']]], 'CallbackContext' : [ 0xc8, ['pointer', ['void']]], 'CanceledQueue' : [ 0xcc, ['_LIST_ENTRY']], 'SequenceNo' : [ 0xd4, ['long']], 'u1' : [ 0xd8, ['__unnamed_19c4']], 'TargetQueuePort' : [ 0xdc, ['pointer', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0xe0, ['pointer', ['_ALPC_PORT']]], 'CachedMessage' : [ 0xe4, ['pointer', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0xe8, ['unsigned long']], 'PendingQueueLength' : [ 0xec, ['unsigned long']], 'LargeMessageQueueLength' : [ 0xf0, ['unsigned long']], 'CanceledQueueLength' : [ 0xf4, ['unsigned long']], 'WaitQueueLength' : [ 0xf8, ['unsigned long']], } ], '_OBJECT_TYPE' : [ 0x88, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x10, ['pointer', ['void']]], 'Index' : [ 0x14, ['unsigned char']], 'TotalNumberOfObjects' : [ 0x18, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x1c, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x20, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x24, ['unsigned long']], 'TypeInfo' : [ 0x28, ['_OBJECT_TYPE_INITIALIZER']], 'TypeLock' : [ 0x78, ['_EX_PUSH_LOCK']], 'Key' : [ 0x7c, ['unsigned long']], 'CallbackList' : [ 0x80, ['_LIST_ENTRY']], } ], '__unnamed_19dc' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 
'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'ViewAttributeRetrieved' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'InDispatch' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_19de' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19dc']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x88, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtensionBuffer' : [ 0x8, ['pointer', ['void']]], 'ExtensionBufferSize' : [ 0xc, ['unsigned long']], 'QuotaProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'QuotaBlock' : [ 0x10, ['pointer', ['void']]], 'SequenceNo' : [ 0x14, ['long']], 'u1' : [ 0x18, ['__unnamed_19de']], 'CancelSequencePort' : [ 0x1c, ['pointer', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x20, ['pointer', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x24, ['long']], 'CancelListEntry' : [ 0x28, ['_LIST_ENTRY']], 'WaitingThread' : [ 0x30, ['pointer', ['_ETHREAD']]], 'Reserve' : [ 0x34, ['pointer', ['_KALPC_RESERVE']]], 'PortQueue' : [ 0x38, ['pointer', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x3c, ['pointer', ['_ALPC_PORT']]], 'MessageAttributes' : [ 0x40, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0x5c, ['pointer', ['void']]], 'DataSystemVa' : [ 0x60, ['pointer', ['void']]], 'CommunicationInfo' : [ 0x64, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0x68, ['pointer', 
['_ALPC_PORT']]], 'ServerThread' : [ 0x6c, ['pointer', ['_ETHREAD']]], 'PortMessage' : [ 0x70, ['_PORT_MESSAGE']], } ], '_REMOTE_PORT_VIEW' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x4, ['unsigned long']], 'ViewBase' : [ 0x8, ['pointer', ['void']]], } ], '_KALPC_RESERVE' : [ 0x14, { 'OwnerPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'HandleTable' : [ 0x4, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Message' : [ 0xc, ['pointer', ['_KALPC_MESSAGE']]], 'Active' : [ 0x10, ['long']], } ], '_KALPC_HANDLE_DATA' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['pointer', ['_OB_DUPLICATE_OBJECT_STATE']]], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x1c, { 'ClientContext' : [ 0x0, ['pointer', ['void']]], 'ServerContext' : [ 0x4, ['pointer', ['void']]], 'PortContext' : [ 0x8, ['pointer', ['void']]], 'CancelPortContext' : [ 0xc, ['pointer', ['void']]], 'SecurityData' : [ 0x10, ['pointer', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x14, ['pointer', ['_KALPC_VIEW']]], 'HandleData' : [ 0x18, ['pointer', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_1a1b' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_1a1d' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1a1b']], } ], '_KALPC_SECURITY_DATA' : [ 0x50, { 'HandleTable' : [ 0x0, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x4, ['pointer', ['void']]], 'OwningProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x10, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x4c, ['__unnamed_1a1d']], } ], '_IO_MINI_COMPLETION_PACKET_USER' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'PacketType' : [ 0x8, ['unsigned long']], 'KeyContext' : [ 0xc, ['pointer', ['void']]], 'ApcContext' : [ 
0x10, ['pointer', ['void']]], 'IoStatus' : [ 0x14, ['long']], 'IoStatusInformation' : [ 0x18, ['unsigned long']], 'MiniPacketCallback' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], 'Allocated' : [ 0x24, ['unsigned char']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x20, { 'PortObject' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'Message' : [ 0x4, ['pointer', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'TargetThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'TargetPort' : [ 0x10, ['pointer', ['_ALPC_PORT']]], 'Flags' : [ 0x14, ['unsigned long']], 'TotalLength' : [ 0x18, ['unsigned short']], 'Type' : [ 0x1a, ['unsigned short']], 'DataInfoOffset' : [ 0x1c, ['unsigned short']], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_FILE_SEGMENT_ELEMENT' : [ 0x8, { 'Buffer' : [ 0x0, ['pointer64', ['void']]], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_RELATIVE_SYMLINK_INFO' : [ 0x14, { 'ExposedNamespaceLength' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'DeviceNameLength' : [ 0x4, ['unsigned short']], 'Reserved' : [ 0x6, ['unsigned short']], 'InteriorMountPoint' : [ 0x8, ['pointer', ['_RELATIVE_SYMLINK_INFO']]], 'OpenedName' : [ 0xc, ['_UNICODE_STRING']], } ], 
'_ECP_LIST' : [ 0x10, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'EcpList' : [ 0x8, ['_LIST_ENTRY']], } ], '_IOP_FILE_OBJECT_EXTENSION' : [ 0x24, { 'FoExtFlags' : [ 0x0, ['unsigned long']], 'FoExtPerTypeExtension' : [ 0x4, ['array', 7, ['pointer', ['void']]]], 'FoIoPriorityHint' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'IopIoPriorityNotSet', 1: 'IopIoPriorityVeryLow', 2: 'IopIoPriorityLow', 3: 'IopIoPriorityNormal', 4: 'IopIoPriorityHigh', 5: 'IopIoPriorityCritical', 6: 'MaxIopIoPriorityTypes'})]], } ], '_OPEN_PACKET' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'FinalStatus' : [ 0x8, ['long']], 'Information' : [ 0xc, ['unsigned long']], 'ParseCheck' : [ 0x10, ['unsigned long']], 'RelatedFileObject' : [ 0x14, ['pointer', ['_FILE_OBJECT']]], 'OriginalAttributes' : [ 0x18, ['pointer', ['_OBJECT_ATTRIBUTES']]], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'CreateOptions' : [ 0x28, ['unsigned long']], 'FileAttributes' : [ 0x2c, ['unsigned short']], 'ShareAccess' : [ 0x2e, ['unsigned short']], 'EaBuffer' : [ 0x30, ['pointer', ['void']]], 'EaLength' : [ 0x34, ['unsigned long']], 'Options' : [ 0x38, ['unsigned long']], 'Disposition' : [ 0x3c, ['unsigned long']], 'BasicInformation' : [ 0x40, ['pointer', ['_FILE_BASIC_INFORMATION']]], 'NetworkInformation' : [ 0x44, ['pointer', ['_FILE_NETWORK_OPEN_INFORMATION']]], 'CreateFileType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'CreateFileTypeNone', 1: 'CreateFileTypeNamedPipe', 2: 'CreateFileTypeMailslot'})]], 'MailslotOrPipeParameters' : [ 0x4c, ['pointer', ['void']]], 'Override' : [ 0x50, ['unsigned char']], 'QueryOnly' : [ 0x51, ['unsigned char']], 'DeleteOnly' : [ 0x52, ['unsigned char']], 'FullAttributes' : [ 0x53, ['unsigned char']], 'LocalFileObject' : [ 0x54, ['pointer', ['_DUMMY_FILE_OBJECT']]], 'InternalFlags' : [ 0x58, ['unsigned long']], 'DriverCreateContext' : 
[ 0x5c, ['_IO_DRIVER_CREATE_CONTEXT']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x238, { 'LoggerId' : [ 0x0, ['unsigned long']], 'BufferSize' : [ 0x4, ['unsigned long']], 'MaximumEventSize' : [ 0x8, ['unsigned long']], 'CollectionOn' : [ 0xc, ['long']], 'LoggerMode' : [ 0x10, ['unsigned long']], 'AcceptNewEvents' : [ 0x14, ['long']], 'GetCpuClock' : [ 0x18, ['pointer', ['void']]], 'StartTime' : [ 0x20, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x28, ['pointer', ['void']]], 'LoggerThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'LoggerStatus' : [ 0x30, ['long']], 'NBQHead' : [ 0x34, ['pointer', ['void']]], 'OverflowNBQHead' : [ 0x38, ['pointer', ['void']]], 'QueueBlockFreeList' : [ 0x40, ['_SLIST_HEADER']], 'GlobalList' : [ 0x48, ['_LIST_ENTRY']], 'BatchedBufferList' : [ 0x50, ['pointer', ['_WMI_BUFFER_HEADER']]], 'CurrentBuffer' : [ 0x50, ['_EX_FAST_REF']], 'LoggerName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileName' : [ 0x5c, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x64, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x6c, ['_UNICODE_STRING']], 'ClockType' : [ 0x74, ['unsigned long']], 'MaximumFileSize' : [ 0x78, ['unsigned long']], 'LastFlushedBuffer' : [ 0x7c, ['unsigned long']], 'FlushTimer' : [ 0x80, ['unsigned long']], 'FlushThreshold' : [ 0x84, ['unsigned long']], 'ByteOffset' : [ 0x88, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0x90, ['unsigned long']], 
'BuffersAvailable' : [ 0x94, ['long']], 'NumberOfBuffers' : [ 0x98, ['long']], 'MaximumBuffers' : [ 0x9c, ['unsigned long']], 'EventsLost' : [ 0xa0, ['unsigned long']], 'BuffersWritten' : [ 0xa4, ['unsigned long']], 'LogBuffersLost' : [ 0xa8, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0xac, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xb0, ['unsigned long']], 'SequencePtr' : [ 0xb4, ['pointer', ['long']]], 'LocalSequence' : [ 0xb8, ['unsigned long']], 'InstanceGuid' : [ 0xbc, ['_GUID']], 'FileCounter' : [ 0xcc, ['long']], 'BufferCallback' : [ 0xd0, ['pointer', ['void']]], 'PoolType' : [ 0xd4, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0xd8, ['_ETW_REF_CLOCK']], 'Consumers' : [ 0xe8, ['_LIST_ENTRY']], 'NumConsumers' : [ 0xf0, ['unsigned long']], 'TransitionConsumer' : [ 0xf4, ['pointer', ['_ETW_REALTIME_CONSUMER']]], 'RealtimeLogfileHandle' : [ 0xf8, ['pointer', ['void']]], 'RealtimeLogfileName' : [ 0xfc, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x108, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x110, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x118, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x120, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x128, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x130, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x138, ['_ETW_REF_CLOCK']], 'NewRTEventsLost' : [ 0x148, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 
'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x14c, ['_KEVENT']], 'FlushEvent' : [ 0x15c, ['_KEVENT']], 'FlushTimeOutTimer' : [ 0x170, ['_KTIMER']], 'FlushDpc' : [ 0x198, ['_KDPC']], 'LoggerMutex' : [ 0x1b8, ['_KMUTANT']], 'LoggerLock' : [ 0x1d8, ['_EX_PUSH_LOCK']], 'BufferListSpinLock' : [ 0x1dc, ['unsigned long']], 'BufferListPushLock' : [ 0x1dc, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x1e0, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x21c, ['_EX_FAST_REF']], 'BufferSequenceNumber' : [ 0x220, ['long long']], 'Flags' : [ 0x228, ['unsigned long']], 'Persistent' : [ 0x228, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x228, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x228, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x228, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x228, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x228, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x228, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'StackTracing' : [ 0x228, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ErrorLogged' : [ 0x228, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RealtimeLoggerContextFreed' : [ 0x228, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'RequestFlag' : [ 0x22c, ['unsigned long']], 'RequestNewFie' : [ 0x22c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RequestUpdateFile' : [ 0x22c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x22c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 
0x22c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequestDisconnectConsumer' : [ 0x22c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RequestConnectConsumer' : [ 0x22c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'HookIdMap' : [ 0x230, ['_RTL_BITMAP']], } ], '_ETW_LOGGER_HANDLE' : [ 0x1, { 'DereferenceAndLeave' : [ 0x0, ['unsigned char']], } ], '_ETW_BUFFER_HANDLE' : [ 0x8, { 'TraceBuffer' : [ 0x0, ['pointer', ['_WMI_BUFFER_HEADER']]], 'BufferFastRef' : [ 0x4, ['pointer', ['_EX_FAST_REF']]], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, ['unsigned long long']], 'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_NBQUEUE_BLOCK' : [ 0x18, { 'SListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Next' : [ 0x8, ['unsigned long long']], 'Data' : [ 0x10, ['unsigned long long']], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, 
['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], } ], '_TRACE_ENABLE_CONTEXT_EX' : [ 0x10, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], 'EnableFlagsHigh' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_ETW_GUID_ENTRY' : [ 0x178, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x8, ['long']], 'Guid' : [ 0xc, ['_GUID']], 'RegListHead' : [ 0x1c, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x24, ['pointer', ['void']]], 'LastEnable' : [ 0x28, ['_ETW_LAST_ENABLE_INFO']], 'MatchId' : [ 0x28, ['unsigned long long']], 'ProviderEnableInfo' : [ 0x38, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x58, ['array', 8, ['_TRACE_ENABLE_INFO']]], 'FilterData' : [ 0x158, ['array', 8, ['pointer', ['_EVENT_FILTER_HEADER']]]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x1e0, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, 
['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'ModifiedId' : [ 0x34, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : [ 0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned long']], 'UserAndGroups' : [ 0x90, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x94, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x98, ['pointer', ['void']]], 'DynamicPart' : [ 0x9c, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0xa0, ['pointer', ['_ACL']]], 'TokenType' : [ 0xa4, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xac, ['unsigned long']], 'TokenInUse' : [ 0xb0, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xb4, ['unsigned long']], 'MandatoryPolicy' : [ 0xb8, ['unsigned long']], 'LogonSession' : [ 0xbc, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc0, ['_LUID']], 'SidHash' : [ 0xc8, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x150, ['_SID_AND_ATTRIBUTES_HASH']], 'pSecurityAttributes' : [ 0x1d8, ['pointer', ['_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION']]], 'VariablePart' : [ 0x1dc, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x34, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'BuddyLogonId' : [ 0xc, ['_LUID']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned 
long']], 'pDeviceMap' : [ 0x1c, ['pointer', ['_DEVICE_MAP']]], 'Token' : [ 0x20, ['pointer', ['void']]], 'AccountName' : [ 0x24, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x2c, ['_UNICODE_STRING']], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Lock' : [ 0x8, ['_EX_PUSH_LOCK']], 'TypeIndex' : [ 0xc, ['unsigned char']], 'TraceFlags' : [ 0xd, ['unsigned char']], 'InfoMask' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'SecurityDescriptorQuotaBlock' : [ 0xc, ['pointer', ['void']]], } ], '_OBJECT_HEADER_PROCESS_INFO' : [ 0x8, { 'ExclusiveProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'Reserved' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, { 'HandleCountDataBase' : [ 0x0, ['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'ReferenceCount' : [ 0xc, ['long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x14, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], 'HashIndex' : [ 0xc, ['unsigned short']], 'DirectoryLocked' : [ 
0xe, ['unsigned char']], 'LockedExclusive' : [ 0xf, ['unsigned char']], 'LockStateSignature' : [ 0x10, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0xa8, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'SessionId' : [ 0x9c, ['unsigned long']], 'NamespaceEntry' : [ 0xa0, ['pointer', ['void']]], 'Flags' : [ 0xa4, ['unsigned long']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x4, { 'ImpersonationData' : [ 0x0, ['unsigned long']], 'ImpersonationToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], 'PpcControlSet' : [ 0x0, ['_PPC_DBGKD_CONTROL_SET']], } ], '_MMVAD_FLAGS3' : [ 0x4, { 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SequentialAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long')]], 'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned 
long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerEntry' : [ 0x18, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x28, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x2c, ['unsigned long']], 'Address' : [ 0x30, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, 
['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'reserved' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DUAL' : [ 0x13c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x130, ['unsigned long']], 'FreeBins' : [ 0x134, ['_LIST_ENTRY']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x2c, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, 
['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long']], 'MemoryBandwidth' : [ 0x14, ['unsigned long']], 'MaxPoolUsage' : [ 0x18, ['unsigned long']], 'MaxSectionSize' : [ 0x1c, ['unsigned long']], 'MaxViewSize' : [ 0x20, ['unsigned long']], 'MaxTotalSectionSize' : [ 0x24, ['unsigned long']], 'DupObjectTypes' : [ 0x28, ['unsigned long']], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_KSTACK_COUNT' : [ 0x4, { 'Value' : [ 0x0, ['long']], 'State' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'StackCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'TimerControlFlags' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Coalescable' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'KeepShifting' : [ 0x1, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'EncodedTolerableDelay' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'Abandoned' : [ 0x1, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'ThreadControlFlags' : [ 0x2, ['unsigned char']], 'CpuThrottled' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'CycleProfiling' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'CounterProfiling' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 
0x2, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'Hand' : [ 0x2, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'TimerMiscFlags' : [ 0x3, ['unsigned char']], 'Index' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Processor' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned char')]], 'Inserted' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Expired' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DebugActive' : [ 0x3, ['unsigned char']], 'ActiveDR7' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Instrumented' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved2' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned char')]], 'UmsScheduled' : [ 0x3, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'UmsPrimary' : [ 0x3, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'DontUse0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'PointerProtoPte' : [ 0x4, ['pointer', ['void']]], } ], '_HEAP_COUNTERS' : [ 0x54, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long']], 
'TotalMemoryCommitted' : [ 0x4, ['unsigned long']], 'TotalMemoryLargeUCR' : [ 0x8, ['unsigned long']], 'TotalSizeInVirtualBlocks' : [ 0xc, ['unsigned long']], 'TotalSegments' : [ 0x10, ['unsigned long']], 'TotalUCRs' : [ 0x14, ['unsigned long']], 'CommittOps' : [ 0x18, ['unsigned long']], 'DeCommitOps' : [ 0x1c, ['unsigned long']], 'LockAcquires' : [ 0x20, ['unsigned long']], 'LockCollisions' : [ 0x24, ['unsigned long']], 'CommitRate' : [ 0x28, ['unsigned long']], 'DecommittRate' : [ 0x2c, ['unsigned long']], 'CommitFailures' : [ 0x30, ['unsigned long']], 'InBlockCommitFailures' : [ 0x34, ['unsigned long']], 'CompactHeapCalls' : [ 0x38, ['unsigned long']], 'CompactedUCRs' : [ 0x3c, ['unsigned long']], 'AllocAndFreeOps' : [ 0x40, ['unsigned long']], 'InBlockDeccommits' : [ 0x44, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x48, ['unsigned long']], 'HighWatermarkSize' : [ 0x4c, ['unsigned long']], 'LastPolledSize' : [ 0x50, ['unsigned long']], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '_SYSPTES_HEADER' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x8, ['unsigned long']], 'NumberOfEntries' : [ 0xc, ['unsigned long']], 'NumberOfEntriesPeak' : [ 0x10, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_PENDING_RELATIONS_LIST_ENTRY' : [ 0x3c, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'WorkItem' : [ 0x8, ['_WORK_QUEUE_ITEM']], 'DeviceEvent' : [ 0x18, ['pointer', ['_PNP_DEVICE_EVENT_ENTRY']]], 'DeviceObject' : [ 0x1c, ['pointer', ['_DEVICE_OBJECT']]], 'RelationsList' : [ 
0x20, ['pointer', ['_RELATION_LIST']]], 'EjectIrp' : [ 0x24, ['pointer', ['_IRP']]], 'Lock' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'IRPLOCK_CANCELABLE', 1: 'IRPLOCK_CANCEL_STARTED', 2: 'IRPLOCK_CANCEL_COMPLETE', 3: 'IRPLOCK_COMPLETED'})]], 'Problem' : [ 0x2c, ['unsigned long']], 'ProfileChangingEject' : [ 0x30, ['unsigned char']], 'DisplaySafeRemovalDialog' : [ 0x31, ['unsigned char']], 'LightestSleepState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DockInterface' : [ 0x38, ['pointer', ['DOCK_INTERFACE']]], } ], '_I386_LOADER_BLOCK' : [ 0xc, { 'CommonDataArea' : [ 0x0, ['pointer', ['void']]], 'MachineType' : [ 0x4, ['unsigned long']], 'VirtualBias' : [ 0x8, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_ARC_DISK_INFORMATION' : [ 0x8, { 'DiskSignatures' : [ 0x0, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x8, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x4, ['unsigned long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_HANDLE_TABLE' : [ 0x3c, { 'TableCode' : [ 0x0, ['unsigned long']], 'QuotaProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x8, ['pointer', ['void']]], 'HandleLock' : [ 0xc, ['_EX_PUSH_LOCK']], 'HandleTableList' : [ 0x10, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x18, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x1c, ['pointer', 
['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'StrictFIFO' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FirstFreeHandle' : [ 0x28, ['unsigned long']], 'LastFreeHandleEntry' : [ 0x2c, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x30, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x34, ['unsigned long']], 'HandleCountHighWatermark' : [ 0x38, ['unsigned long']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['unsigned long']], 'PoolType' : [ 0x8, ['unsigned long']], 'NumberOfBytes' : [ 0xc, ['unsigned long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], 
'_ACCESS_REASONS' : [ 0x80, { 'Data' : [ 0x0, ['array', 32, ['unsigned long']]], } ], '_CM_KEY_BODY' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'KeyBodyList' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'HandleTags' : [ 0x18, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KtmTrans' : [ 0x1c, ['pointer', ['void']]], 'KtmUow' : [ 0x20, ['pointer', ['_GUID']]], 'ContextListHead' : [ 0x24, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'Object' : [ 0xc, ['pointer', ['void']]], 'NextWaitBlock' : [ 0x10, ['pointer', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x14, ['unsigned short']], 'WaitType' : [ 0x16, ['unsigned char']], 'BlockState' : [ 0x17, ['unsigned char']], } ], '_MMPTE_PROTOTYPE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProtoAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 9, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtoAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit 
= 4, native_type='unsigned long')]], 'PlatformPfaControl' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PlatformDirectedOffline' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['_KAFFINITY_EX']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x54, ['unsigned long']], } ], '__unnamed_1c1d' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1c1f' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1c1d']], 'Private' : [ 0x0, ['__unnamed_1c1f']], } ], '_VI_VERIFIER_ISSUE' : [ 0x10, { 'IssueType' : [ 0x0, ['unsigned long']], 'Address' : [ 0x4, ['pointer', 
['void']]], 'Parameters' : [ 0x8, ['array', 2, ['unsigned long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_OBJECT_REF_INFO' : [ 0x1c, { 'ObjectHeader' : [ 0x0, ['pointer', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x4, ['pointer', ['void']]], 'ImageFileName' : [ 0x8, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x18, ['unsigned short']], 'MaxStacks' : [ 0x1a, ['unsigned short']], 'StackInfo' : [ 0x1c, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_HBIN' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'FileOffset' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['array', 2, ['unsigned long']]], 'TimeStamp' : [ 0x14, ['_LARGE_INTEGER']], 'Spare' : [ 0x1c, ['unsigned long']], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0xc, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x4, ['pointer', ['void']]], 'ReferenceCount' : [ 0x8, ['long']], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : 
[ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '__unnamed_1c41' : [ 0x8, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_1c47' : [ 0x4, { 'Banked' : [ 0x0, ['pointer', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x48, { 'u1' : [ 0x0, ['__unnamed_1581']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_1584']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_1587']], 'u2' : [ 0x20, ['__unnamed_1594']], 'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]], 'ViewLinks' : [ 0x30, ['_LIST_ENTRY']], 'VadsProcess' : [ 0x38, ['pointer', ['_EPROCESS']]], 'u3' : [ 0x3c, ['__unnamed_1c41']], 'u4' : [ 0x44, ['__unnamed_1c47']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 12, native_type='unsigned long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 
'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_EJOB' : [ 0x138, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x70, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0x78, ['unsigned long']], 'TotalProcesses' : [ 0x7c, ['unsigned long']], 'ActiveProcesses' : [ 0x80, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x84, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x88, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0x90, ['_LARGE_INTEGER']], 'MinimumWorkingSetSize' : [ 0x98, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x9c, ['unsigned long']], 'LimitFlags' : [ 0xa0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xa4, ['unsigned long']], 'Affinity' : [ 0xa8, ['_KAFFINITY_EX']], 'PriorityClass' : [ 0xb4, ['unsigned char']], 'AccessState' : [ 0xb8, ['pointer', ['_JOB_ACCESS_STATE']]], 'UIRestrictionsClass' : [ 0xbc, ['unsigned long']], 'EndOfJobTimeAction' : [ 0xc0, ['unsigned long']], 'CompletionPort' : [ 0xc4, ['pointer', ['void']]], 'CompletionKey' : [ 0xc8, ['pointer', ['void']]], 'SessionId' : [ 0xcc, ['unsigned long']], 'SchedulingClass' : [ 0xd0, ['unsigned long']], 'ReadOperationCount' : [ 0xd8, ['unsigned long long']], 'WriteOperationCount' : [ 0xe0, ['unsigned long long']],
'OtherOperationCount' : [ 0xe8, ['unsigned long long']], 'ReadTransferCount' : [ 0xf0, ['unsigned long long']], 'WriteTransferCount' : [ 0xf8, ['unsigned long long']], 'OtherTransferCount' : [ 0x100, ['unsigned long long']], 'ProcessMemoryLimit' : [ 0x108, ['unsigned long']], 'JobMemoryLimit' : [ 0x10c, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x110, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x114, ['unsigned long']], 'CurrentJobMemoryUsed' : [ 0x118, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x120, ['_EX_PUSH_LOCK']], 'JobSetLinks' : [ 0x124, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x12c, ['unsigned long']], 'JobFlags' : [ 0x130, ['unsigned long']], } ], '__unnamed_1c58' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HvMaxCState' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_IDLE_STATES' : [ 0x60, { 'Count' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['__unnamed_1c58']], 'TargetState' : [ 0x8, ['unsigned long']], 'ActualState' : [ 0xc, ['unsigned long']], 'OldState' : [ 0x10, ['unsigned long']], 'TargetProcessors' : [ 0x14, ['_KAFFINITY_EX']], 'State' : [ 0x20, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '__unnamed_1c61' : [ 0x10, { 'EfiInformation' : [ 0x0, ['_EFI_FIRMWARE_INFORMATION']], 'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']], } ], '_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x14, { 'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x4, ['__unnamed_1c61']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x8, ['_LIST_ENTRY']], 
'Address' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '_ETW_REALTIME_CONSUMER' : [ 0x50, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'ProcessHandle' : [ 0x8, ['pointer', ['void']]], 'ProcessObject' : [ 0xc, ['pointer', ['_EPROCESS']]], 'NextNotDelivered' : [ 0x10, ['pointer', ['void']]], 'RealtimeConnectContext' : [ 0x14, ['pointer', ['void']]], 'DisconnectEvent' : [ 0x18, ['pointer', ['_KEVENT']]], 'DataAvailableEvent' : [ 0x1c, ['pointer', ['_KEVENT']]], 'UserBufferCount' : [ 0x20, ['pointer', ['unsigned long']]], 'UserBufferListHead' : [ 0x24, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'BuffersLost' : [ 0x28, ['unsigned long']], 'EmptyBuffersCount' : [ 0x2c, ['unsigned long']], 'LoggerId' : [ 0x30, ['unsigned long']], 'ShutDownRequested' : [ 0x34, ['unsigned char']], 'NewBuffersLost' : [ 0x35, ['unsigned char']], 'Disconnected' : [ 0x36, ['unsigned char']], 'ReservedBufferSpaceBitMap' : [ 0x38, ['_RTL_BITMAP']], 'ReservedBufferSpace' : [ 0x40, ['pointer', ['unsigned char']]], 'ReservedBufferSpaceSize' : [ 0x44, ['unsigned long']], 'UserPagesAllocated' : [ 0x48, ['unsigned long']], 'UserPagesReused' : [ 0x4c, ['unsigned long']], } ], '__unnamed_1c6a' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ], '__unnamed_1c70' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', 
dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1c72' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_1c6a']], 'Bits' : [ 0x0, ['__unnamed_1c70']], } ], '_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_1c72']], } ], '_POOL_DESCRIPTOR' : [ 0x1140, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PagedLock' : [ 0x4, ['_KGUARDED_MUTEX']], 'NonPagedLock' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x40, ['long']], 'RunningDeAllocs' : [ 0x44, ['long']], 'TotalBigPages' : [ 0x48, ['long']], 'ThreadsProcessingDeferrals' : [ 0x4c, ['long']], 'TotalBytes' : [ 0x50, ['unsigned long']], 'PoolIndex' : [ 0x80, ['unsigned long']], 'TotalPages' : [ 0xc0, ['long']], 'PendingFrees' : [ 0x100, ['pointer', ['pointer', ['void']]]], 'PendingFreeDepth' : [ 0x104, ['long']], 'ListHeads' : [ 0x140, ['array', 512, ['_LIST_ENTRY']]], } ], '_KGATE' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 
'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevInformational'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x4, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0xc, ['unsigned long']], } ], '_DRIVER_EXTENSION' : [ 0x1c, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 
} ], '_KINTERRUPT' : [ 0x278, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'MessageServiceRoutine' : [ 0x10, ['pointer', ['void']]], 'MessageIndex' : [ 0x14, ['unsigned long']], 'ServiceContext' : [ 0x18, ['pointer', ['void']]], 'SpinLock' : [ 0x1c, ['unsigned long']], 'TickCount' : [ 0x20, ['unsigned long']], 'ActualLock' : [ 0x24, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x28, ['pointer', ['void']]], 'Vector' : [ 0x2c, ['unsigned long']], 'Irql' : [ 0x30, ['unsigned char']], 'SynchronizeIrql' : [ 0x31, ['unsigned char']], 'FloatingSave' : [ 0x32, ['unsigned char']], 'Connected' : [ 0x33, ['unsigned char']], 'Number' : [ 0x34, ['unsigned long']], 'ShareVector' : [ 0x38, ['unsigned char']], 'Pad' : [ 0x39, ['array', 3, ['unsigned char']]], 'Mode' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x44, ['unsigned long']], 'DispatchCount' : [ 0x48, ['unsigned long']], 'Rsvd1' : [ 0x50, ['unsigned long long']], 'DispatchCode' : [ 0x58, ['array', 135, ['unsigned long']]], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], 'GrantedAccessIndex' : [ 0x4, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x6, ['unsigned short']], 'NextFreeTableEntry' : [ 0x4, ['unsigned long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], 
'_AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION' : [ 0x18, { 'SecurityAttributeCount' : [ 0x0, ['unsigned long']], 'SecurityAttributesList' : [ 0x4, ['_LIST_ENTRY']], 'WorkingSecurityAttributeCount' : [ 0xc, ['unsigned long']], 'WorkingSecurityAttributesList' : [ 0x10, ['_LIST_ENTRY']], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_HIVE_LIST_ENTRY' : [ 0x58, { 'FileName' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'RegRootName' : [ 0x8, ['pointer', ['unsigned short']]], 'CmHive' : [ 0xc, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0x10, ['unsigned long']], 'CmHiveFlags' : [ 0x14, ['unsigned long']], 'CmKcbCacheSize' : [ 0x18, ['unsigned long']], 'CmHive2' : [ 0x1c, ['pointer', ['_CMHIVE']]], 'HiveMounted' : [ 0x20, ['unsigned char']], 'ThreadFinished' : [ 0x21, ['unsigned char']], 'ThreadStarted' : [ 0x22, ['unsigned char']], 'Allocate' : [ 0x23, ['unsigned char']], 'WinPERequired' : [ 0x24, ['unsigned char']], 'StartEvent' : [ 0x28, ['_KEVENT']], 'FinishedEvent' : [ 0x38, ['_KEVENT']], 'MountLock' : [ 0x48, ['_KEVENT']], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 
'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_ALPC_HANDLE_TABLE' : [ 0x10, { 'Handles' : [ 0x0, ['pointer', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'Lock' : [ 0xc, ['_EX_PUSH_LOCK']], } ], '_MMPTE_HARDWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, 
native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x100, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'Thread' : [ 0x4, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x8, ['array', 62, ['pointer', ['void']]]], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x54, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'Mdl' : [ 0xc, ['pointer', ['_MDL']]], 'UserVa' : [ 0x10, ['pointer', ['void']]], 'UserLimit' : [ 0x14, ['pointer', ['void']]], 'DataUserVa' : [ 0x18, ['pointer', ['void']]], 'SystemVa' : [ 0x1c, ['pointer', ['void']]], 'TotalSize' : [ 0x20, ['unsigned long']], 'Header' : [ 0x24, ['pointer', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x28, ['pointer', ['void']]], 'ListSize' : [ 0x2c, ['unsigned long']], 'Bitmap' : [ 0x30, ['pointer', ['void']]], 'BitmapSize' : [ 0x34, ['unsigned long']], 'Data' : [ 0x38, ['pointer', ['void']]], 'DataSize' : [ 0x3c, ['unsigned long']], 'BitmapLimit' : [ 0x40, ['unsigned long']], 'BitmapNextHint' : [ 0x44, ['unsigned long']], 'ConcurrencyCount' : [ 0x48, ['unsigned long']], 'AttributeFlags' : [ 0x4c, ['unsigned long']], 'AttributeSize' : [ 0x50, ['unsigned long']], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 
'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x50, { 'ScanDpc' : [ 0x0, ['_KDPC']], 'ScanTimer' : [ 0x20, ['_KTIMER']], 'ScanActive' : [ 0x48, ['unsigned char']], 'OtherWork' : [ 0x49, ['unsigned char']], 'PendingTeardownScan' : [ 0x4a, ['unsigned char']], 'PendingPeriodicScan' : [ 0x4b, ['unsigned char']], 'PendingLowMemoryScan' : [ 0x4c, ['unsigned char']], 'PendingPowerScan' : [ 0x4d, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], 
'_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_IO_WORKITEM' : [ 0x20, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'Routine' : [ 0x10, ['pointer', ['void']]], 'IoObject' : [ 0x14, ['pointer', ['void']]], 'Context' : [ 0x18, ['pointer', ['void']]], 'Type' : [ 0x1c, ['unsigned long']], } ], '_CM_RM' : [ 0x58, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x8, ['_LIST_ENTRY']], 'TmHandle' : [ 0x10, ['pointer', ['void']]], 'Tm' : [ 0x14, ['pointer', ['void']]], 'RmHandle' : [ 0x18, ['pointer', ['void']]], 'KtmRm' : [ 0x1c, ['pointer', ['void']]], 'RefCount' : [ 0x20, ['unsigned long']], 'ContainerNum' : [ 0x24, ['unsigned long']], 'ContainerSize' : [ 0x28, ['unsigned long long']], 'CmHive' : [ 0x30, ['pointer', ['_CMHIVE']]], 'LogFileObject' : [ 0x34, ['pointer', ['void']]], 'MarshallingContext' : [ 0x38, ['pointer', ['void']]], 'RmFlags' : [ 0x3c, ['unsigned long']], 'LogStartStatus1' : [ 0x40, ['long']], 'LogStartStatus2' : [ 0x44, ['long']], 'BaseLsn' : [ 0x48, ['unsigned long long']], 'RmLock' : [ 0x50, ['pointer', ['_ERESOURCE']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_MMVAD_FLAGS' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 19, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 23, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit 
= 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x8, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'Flags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x5, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0x6, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'OldIrql' : [ 0x4, ['unsigned char']], 'NewIrql' : [ 0x5, ['unsigned char']],
'Processor' : [ 0x6, ['unsigned short']], 'TickCount' : [ 0x8, ['unsigned long']], 'StackTrace' : [ 0xc, ['array', 5, ['pointer', ['void']]]], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x64, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'Data' : [ 0x20, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0xc, { 'AnsiCodePageData' : [ 0x0, ['pointer', ['void']]], 'OemCodePageData' : [ 0x4, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x8, ['pointer', ['void']]], } ], '_ALIGNED_AFFINITY_SUMMARY' : [ 0x40, { 'CpuSet' : [ 0x0, ['_KAFFINITY_EX']], 'SMTSet' : [ 0xc, ['_KAFFINITY_EX']], } ], '_XSTATE_CONFIGURATION' : [ 0x210, { 'EnabledFeatures' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'OptimizedSave' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Features' : [ 0x10, ['array', 64, ['_XSTATE_FEATURE']]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x2c, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 
0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'RealRefCount' : [ 0x14, ['unsigned long']], 'Descriptor' : [ 0x18, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_MMPTE_SOFTWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x18, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 
0x18, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x1c, ['pointer', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'Padding0' : [ 0x20, ['array', 2, ['unsigned long']]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, 
['pointer', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'ReferenceTime' : [ 0x38, ['_ETW_REF_CLOCK']], 'GlobalEntry' : [ 0x38, ['_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer', ['void']]], 'Pointer1' : [ 0x3c, ['pointer', ['void']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_PROCESSOR_POWER_STATE' : [ 0xc8, { 'IdleStates' : [ 0x0, ['pointer', ['_PPM_IDLE_STATES']]], 'IdleTimeLast' : [ 0x8, ['unsigned long long']], 'IdleTimeTotal' : [ 0x10, ['unsigned long long']], 'IdleTimeEntry' : [ 0x18, ['unsigned long long']], 'IdleAccounting' : [ 0x20, ['pointer', ['_PROC_IDLE_ACCOUNTING']]], 'Hypervisor' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'ProcHypervisorNone', 1: 'ProcHypervisorPresent', 2: 'ProcHypervisorPower'})]], 'PerfHistoryTotal' : [ 0x28, ['unsigned long']], 'ThermalConstraint' : [ 0x2c, ['unsigned char']], 'PerfHistoryCount' : [ 0x2d, ['unsigned char']], 'PerfHistorySlot' : [ 0x2e, ['unsigned char']], 'Reserved' : [ 0x2f, ['unsigned char']], 'LastSysTime' : [ 0x30, ['unsigned long']], 
'WmiDispatchPtr' : [ 0x34, ['unsigned long']], 'WmiInterfaceEnabled' : [ 0x38, ['long']], 'FFHThrottleStateInfo' : [ 0x40, ['_PPM_FFH_THROTTLE_STATE_INFO']], 'PerfActionDpc' : [ 0x60, ['_KDPC']], 'PerfActionMask' : [ 0x80, ['long']], 'IdleCheck' : [ 0x88, ['_PROC_IDLE_SNAP']], 'PerfCheck' : [ 0x98, ['_PROC_IDLE_SNAP']], 'Domain' : [ 0xa8, ['pointer', ['_PROC_PERF_DOMAIN']]], 'PerfConstraint' : [ 0xac, ['pointer', ['_PROC_PERF_CONSTRAINT']]], 'Load' : [ 0xb0, ['pointer', ['_PROC_PERF_LOAD']]], 'PerfHistory' : [ 0xb4, ['pointer', ['_PROC_HISTORY_ENTRY']]], 'Utility' : [ 0xb8, ['unsigned long']], 'OverUtilizedHistory' : [ 0xbc, ['unsigned long']], 'AffinityCount' : [ 0xc0, ['unsigned long']], 'AffinityHistory' : [ 0xc4, ['unsigned long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0xc, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], 'Tag' : [ 0x8, ['unsigned long']], } ], '_PPC_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 0x1, ['BitField', 
dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x20, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x24, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], '_PCW_CALLBACK_INFORMATION' : [ 0x20, { 'AddCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'RemoveCounter' : [ 0x0, ['_PCW_COUNTER_INFORMATION']], 'EnumerateInstances' : [ 0x0, ['_PCW_MASK_INFORMATION']], 'CollectData' : [ 0x0, ['_PCW_MASK_INFORMATION']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']],
'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], 'DOCK_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ProfileDepartureSetMode' : [ 0x10, ['pointer', ['void']]], 'ProfileDepartureUpdate' : [ 0x14, ['pointer', ['void']]], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'WorkingSetType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, 
native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'SessionMaster' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'TrimmerState' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 
'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x30, { 'Lock' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'ActiveCount' : [ 0x8, ['unsigned long']], 'PendingNullCount' : [ 0xc, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x10, ['unsigned long']], 'PendingDelete' : [ 0x14, ['unsigned long']], 'FreeListHead' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x1c, ['pointer', ['void']]], 'CompletionKey' : [ 0x20, ['pointer', ['void']]], 'Entry' : [ 0x24, ['array', 1, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 
'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0xc, ['unsigned long']], 'PageCount' : [ 0x10, ['unsigned long']], } ], '_CM_INTENT_LOCK' : [ 0x8, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x4, ['pointer', ['pointer', ['_CM_KCB_UOW']]]], } ], '_PROC_IDLE_ACCOUNTING' : [ 0x2c0, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'BucketLimits' : [ 0x18, ['array', 16, ['unsigned long long']]], 'State' : [ 0x98, ['array', 1, ['_PROC_IDLE_STATE_ACCOUNTING']]], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_MAPPED_FILE_SEGMENT' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, 
['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x84, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'OptionChanges' : [ 0x68, ['unsigned long']], 'VerifyMode' : [ 0x6c, ['unsigned long']], 'PreviousBucketName' : [ 0x70, ['_UNICODE_STRING']], 'ActivityCounter' : [ 0x78, ['unsigned long']], 'PreviousActivityCounter' : [ 0x7c, ['unsigned long']], 'WorkerTrimRequests' : [ 0x80, ['unsigned long']], } ], '_VI_FAULT_TRACE' : [ 0x24, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 8, ['pointer', ['void']]]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, 
['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'IoPriorityBoosted' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OwnerReferenced' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'OwnerCount' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_MI_SECTION_CREATION_GATE' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_MI_SECTION_CREATION_GATE']]], 'Gate' : [ 0x4, ['_KGATE']], } ], '_ETIMER' : [ 0x98, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x28, ['_KAPC']], 'TimerDpc' : [ 0x58, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lock' : [ 0x80, ['unsigned long']], 'Period' : [ 0x84, ['long']], 'ApcAssociated' : [ 0x88, ['unsigned char']], 'WakeReason' : [ 0x8c, ['pointer', ['_DIAGNOSTIC_CONTEXT']]], 'WakeTimerListEntry' : [ 0x90, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0xc, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x4, ['_RTL_BITMAP']], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '__unnamed_1dc7' : [ 0x4, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_1dc7']], 'EndVa' : [ 0x4, ['pointer', ['void']]], } ], '_XSTATE_FEATURE' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_ARBITER_INSTANCE' : [ 0x5ec, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'OrderingName' : [ 0xc, 
['pointer', ['unsigned short']]], 'ResourceType' : [ 0x10, ['long']], 'Allocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x18, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x1c, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x24, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x2c, ['long']], 'Interface' : [ 0x30, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x34, ['unsigned long']], 'AllocationStack' : [ 0x38, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x3c, ['pointer', ['void']]], 'PackResource' : [ 0x40, ['pointer', ['void']]], 'UnpackResource' : [ 0x44, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x48, ['pointer', ['void']]], 'TestAllocation' : [ 0x4c, ['pointer', ['void']]], 'RetestAllocation' : [ 0x50, ['pointer', ['void']]], 'CommitAllocation' : [ 0x54, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x58, ['pointer', ['void']]], 'BootAllocation' : [ 0x5c, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x60, ['pointer', ['void']]], 'QueryConflict' : [ 0x64, ['pointer', ['void']]], 'AddReserved' : [ 0x68, ['pointer', ['void']]], 'StartArbiter' : [ 0x6c, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x70, ['pointer', ['void']]], 'AllocateEntry' : [ 0x74, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x78, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x7c, ['pointer', ['void']]], 'AddAllocation' : [ 0x80, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x84, ['pointer', ['void']]], 'OverrideConflict' : [ 0x88, ['pointer', ['void']]], 'InitializeRangeList' : [ 0x8c, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x90, ['unsigned char']], 'TransactionEvent' : [ 0x94, ['pointer', ['_KEVENT']]], 'Extension' : [ 0x98, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x9c, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0xa0, ['pointer', ['void']]], 'ConflictCallback' : [ 0xa4, ['pointer', ['void']]], 'PdoDescriptionString' : [ 0xa8, ['array', 
336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x348, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x5e8, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '__unnamed_1e20' : [ 0x4, { 'UserData' : [ 0x0, ['unsigned long']], 'Next' : [ 0x0, ['unsigned long']], } ], '__unnamed_1e22' : [ 0x8, { 'Last' : [ 0x0, ['unsigned long']], 'u' : [ 0x4, ['__unnamed_1e20']], } ], '__unnamed_1e24' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_1e20']], } ], '__unnamed_1e26' : [ 0x8, { 'OldCell' : [ 0x0, ['__unnamed_1e22']], 'NewCell' : [ 0x0, ['__unnamed_1e24']], } ], '_HCELL' : [ 0xc, { 'Size' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1e26']], } ], '_HMAP_TABLE' : [ 0x2000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_PROC_PERF_CONSTRAINT' : [ 0x24, { 'Prcb' : [ 0x0, ['pointer', ['_KPRCB']]], 'PerfContext' : [ 0x4, ['unsigned long']], 'PercentageCap' : [ 0x8, ['unsigned long']], 'ThermalCap' : [ 0xc, ['unsigned long']], 'TargetFrequency' : [ 0x10, ['unsigned long']], 'AcumulatedFullFrequency' : [ 0x14, ['unsigned long']], 'AcumulatedZeroFrequency' : [ 0x18, ['unsigned long']], 'FrequencyHistoryTotal' : [ 0x1c, ['unsigned long']], 'AverageFrequency' : [ 0x20, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 
'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved1' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 19, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target 
= 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_CACHED_KSTACK_LIST' : [ 0x18, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x8, ['long']], 'Misses' : [ 0xc, ['unsigned long']], 'MissesLast' : [ 0x10, ['unsigned long']], 'Pad0' : [ 0x14, ['unsigned long']], } ], '__unnamed_1e39' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e3d' : [ 0x14, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['unsigned short']], 'Group' : [ 0xa, ['unsigned short']], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long']], } ], '__unnamed_1e3f' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1e41' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1e43' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1e45' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, 
['unsigned long']], } ], '__unnamed_1e47' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e49' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e4b' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1e4d' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1e39']], 'Memory' : [ 0x0, ['__unnamed_1e39']], 'Interrupt' : [ 0x0, ['__unnamed_1e3d']], 'Dma' : [ 0x0, ['__unnamed_1e3f']], 'Generic' : [ 0x0, ['__unnamed_1e39']], 'DevicePrivate' : [ 0x0, ['__unnamed_1e41']], 'BusNumber' : [ 0x0, ['__unnamed_1e43']], 'ConfigData' : [ 0x0, ['__unnamed_1e45']], 'Memory40' : [ 0x0, ['__unnamed_1e47']], 'Memory48' : [ 0x0, ['__unnamed_1e49']], 'Memory64' : [ 0x0, ['__unnamed_1e4b']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1e4d']], } ], '_POP_THERMAL_ZONE' : [ 0x150, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x8, ['unsigned char']], 'Flags' : [ 0x9, ['unsigned char']], 'Mode' : [ 0xa, ['unsigned char']], 'PendingMode' : [ 0xb, ['unsigned char']], 'ActivePoint' : [ 0xc, ['unsigned char']], 'PendingActivePoint' : [ 0xd, ['unsigned char']], 'Throttle' : [ 0x10, ['long']], 'LastTime' : [ 0x18, ['unsigned long long']], 'SampleRate' : [ 0x20, ['unsigned long']], 'LastTemp' : [ 0x24, ['unsigned long']], 'PassiveTimer' : [ 0x28, ['_KTIMER']], 'PassiveDpc' : [ 0x50, 
['_KDPC']], 'OverThrottled' : [ 0x70, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0x80, ['pointer', ['_IRP']]], 'Info' : [ 0x84, ['_THERMAL_INFORMATION_EX']], 'InfoLastUpdateTime' : [ 0xe0, ['_LARGE_INTEGER']], 'Metrics' : [ 0xe8, ['_POP_THERMAL_ZONE_METRICS']], } ], '_MMPTE_LIST' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, { 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_CM_WORKITEM' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Private' : [ 0x8, ['unsigned long']], 'WorkerRoutine' : [ 0xc, ['pointer', ['void']]], 'Parameter' : [ 0x10, ['pointer', ['void']]], } ], '_POP_THERMAL_ZONE_METRICS' : [ 0x68, { 'MetricsResource' : [ 0x0, ['_ERESOURCE']], 'ActiveCount' : [ 0x38, ['unsigned long']], 'PassiveCount' : [ 0x3c, ['unsigned long']], 'LastActiveStartTick' : [ 0x40, ['_LARGE_INTEGER']], 'AverageActiveTime' : [ 0x48, ['_LARGE_INTEGER']], 'LastPassiveStartTick' : [ 0x50, ['_LARGE_INTEGER']], 'AveragePassiveTime' : [ 0x58, ['_LARGE_INTEGER']], 
'StartTickSinceLastReset' : [ 0x60, ['_LARGE_INTEGER']], } ], '_CM_TRANS' : [ 0x68, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x8, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x18, ['pointer', ['void']]], 'CmRm' : [ 0x1c, ['pointer', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x20, ['pointer', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x24, ['pointer', ['void']]], 'KtmUow' : [ 0x28, ['_GUID']], 'StartLsn' : [ 0x38, ['unsigned long long']], 'TransState' : [ 0x40, ['unsigned long']], 'HiveCount' : [ 0x44, ['unsigned long']], 'HiveArray' : [ 0x48, ['array', 7, ['pointer', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x2c, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ProbeMode' : [ 0x8, ['unsigned char']], 'PagedPoolCharge' : [ 0xc, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x10, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptor' : [ 0x18, ['pointer', ['void']]], 'SecurityQos' : [ 0x1c, 
['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x20, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x1c, ['unsigned short']], 'SpareUSHORT' : [ 0x1e, ['unsigned short']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_PO_DIAG_STACK_RECORD' : [ 0x8, { 'StackDepth' : [ 0x0, ['unsigned long']], 'Stack' : [ 0x4, ['array', 1, ['pointer', ['void']]]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_VF_BTS_DATA_MANAGEMENT_AREA' : [ 0x34, { 'BTSBufferBase' : [ 0x0, ['pointer', ['void']]], 'BTSIndex' : [ 0x4, ['pointer', ['void']]], 'BTSMax' : [ 0x8, ['pointer', ['void']]], 'BTSInterruptThreshold' : [ 0xc, ['pointer', ['void']]], 'PEBSBufferBase' : [ 0x10, ['pointer', ['void']]], 'PEBSIndex' : [ 0x14, ['pointer', ['void']]], 'PEBSMax' : [ 0x18, ['pointer', ['void']]], 'PEBSInterruptThreshold' : [ 0x1c, ['pointer', ['void']]], 'PEBSCounterReset' : [ 0x20, ['array', 2, ['pointer', ['void']]]], 'Reserved' : [ 0x28, ['array', 12, ['unsigned char']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, 
['array', 80, ['unsigned char']]], 'Cr0NpxState' : [ 0x6c, ['unsigned long']], } ], '_SEP_AUDIT_POLICY' : [ 0x1c, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1b, ['unsigned char']], } ], '__unnamed_1e8a' : [ 0x4, { 'SnapSharedExportsFailed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1e8c' : [ 0xc, { 'AllSharedExportThunks' : [ 0x0, ['_VF_TARGET_ALL_SHARED_EXPORT_THUNKS']], 'Flags' : [ 0x0, ['__unnamed_1e8a']], } ], '_VF_TARGET_DRIVER' : [ 0x18, { 'TreeNode' : [ 0x0, ['_VF_AVL_TREE_NODE']], 'u1' : [ 0x8, ['__unnamed_1e8c']], 'VerifiedData' : [ 0x14, ['pointer', ['_VF_TARGET_VERIFIED_DRIVER_DATA']]], } ], '__unnamed_1e94' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_1e96' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1e98' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1e9a' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceIds' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1e9c' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1e9e' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1ea0' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1ea2' : [ 0x10, { 
'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_1ea4' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1ea6' : [ 0x20, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'Flags' : [ 0x10, ['unsigned long']], 'SessionId' : [ 0x14, ['unsigned long']], 'DataLength' : [ 0x18, ['unsigned long']], 'Data' : [ 0x1c, ['array', 1, ['unsigned char']]], } ], '__unnamed_1ea8' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_1e94']], 'TargetDevice' : [ 0x0, ['__unnamed_1e96']], 'InstallDevice' : [ 0x0, ['__unnamed_1e98']], 'CustomNotification' : [ 0x0, ['__unnamed_1e9a']], 'ProfileNotification' : [ 0x0, ['__unnamed_1e9c']], 'PowerNotification' : [ 0x0, ['__unnamed_1e9e']], 'VetoNotification' : [ 0x0, ['__unnamed_1ea0']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_1ea2']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_1ea4']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_1ea6']], 'PropertyChangeNotification' : [ 0x0, ['__unnamed_1e98']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x44, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'VetoEvent', 7: 'BlockedDriverEvent', 8: 'InvalidIDEvent', 9: 'DevicePropertyChangeEvent', 10: 'DeviceInstanceRemovalEvent', 11: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_1ea8']], } ], '_VF_SUSPECT_DRIVER_ENTRY' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], } ], '_MMPTE_TIMESTAMP' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 
'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x88, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x8, ['array', 32, ['unsigned long']]], } ], '_XSTATE_CONTEXT' : [ 0x20, { 'Mask' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Area' : [ 0x10, ['pointer', ['_XSAVE_AREA']]], 'Reserved2' : [ 0x14, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer', ['void']]], 'Reserved3' : [ 0x1c, ['unsigned long']], } ], '_XSAVE_FORMAT' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 8, ['_M128A']]], 'Reserved4' : [ 0x120, ['array', 192, ['unsigned char']]], 'StackControl' : [ 0x1e0, ['array', 7, ['unsigned long']]], 'Cr0NpxState' : [ 0x1fc, ['unsigned long']], } ], '_MBCB' : [ 0x88, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 
'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'MostRecentlyDirtiedPage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x48, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x68, ['_BITMAP_RANGE']], } ], '_PS_CPU_QUOTA_BLOCK' : [ 0x880, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SessionId' : [ 0x8, ['unsigned long']], 'CpuShareWeight' : [ 0xc, ['unsigned long']], 'CapturedWeightData' : [ 0x10, ['_PSP_CPU_SHARE_CAPTURED_WEIGHT_DATA']], 'DuplicateInputMarker' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x18, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x18, ['long']], 'BlockCurrentGenerationLock' : [ 0x0, ['unsigned long']], 'CyclesAccumulated' : [ 0x8, ['unsigned long long']], 'CycleCredit' : [ 0x40, ['unsigned long long']], 'BlockCurrentGeneration' : [ 0x48, ['unsigned long']], 'CpuCyclePercent' : [ 0x4c, ['unsigned long']], 'CyclesFinishedForCurrentGeneration' : [ 0x50, ['unsigned char']], 'Cpu' : [ 0x80, ['array', 32, ['_PS_PER_CPU_QUOTA_CACHE_AWARE']]], } ], '__unnamed_1ec3' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 
0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1ec3']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x50, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 
'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer', ['void']]], 'OpenProcedure' : [ 0x34, ['pointer', ['void']]], 'CloseProcedure' : [ 0x38, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x3c, ['pointer', ['void']]], 'ParseProcedure' : [ 0x40, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x44, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x48, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x4c, ['pointer', ['void']]], } ], '__unnamed_1ef4' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x20, { 'ControlArea' : [ 
0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_1ef4']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_PS_PER_CPU_QUOTA_CACHE_AWARE' : [ 0x40, { 'SortedListEntry' : [ 0x0, ['_LIST_ENTRY']], 'IdleOnlyListHead' : [ 0x8, ['_LIST_ENTRY']], 'CycleBaseAllowance' : [ 0x10, ['unsigned long long']], 'CyclesRemaining' : [ 0x18, ['long long']], 'CurrentGeneration' : [ 0x20, ['unsigned long']], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_PROC_IDLE_SNAP' : [ 0x10, { 'Time' : [ 0x0, ['unsigned long long']], 'Idle' : [ 0x8, ['unsigned long long']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x14, { 'StackBase' : [ 0x0, ['unsigned long']], 'StackLimit' : [ 0x4, ['unsigned long']], 'KernelStack' : [ 0x8, ['unsigned long']], 'InitialStack' : [ 0xc, ['unsigned long']], 'ActualLimit' : [ 0x10, ['unsigned long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 
'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'ExecuteOptions' : [ 0x0, ['unsigned char']], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'VacbArrayIndex' : [ 0x0, ['unsigned long']], 'MappingCount' : [ 0x4, ['unsigned long']], 'HighestMappedIndex' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned 
long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Precise' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, 
['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_PF_KERNEL_GLOBALS' : [ 0x40, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long 
long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0xc, ['_KEVENT']], 'AccessBufferMax' : [ 0x1c, ['unsigned long']], 'AccessBufferList' : [ 0x20, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x28, ['long']], 'Flags' : [ 0x2c, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x30, ['long']], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_POP_SYSTEM_IDLE' : [ 0x38, { 'AverageIdleness' : [ 0x0, ['long']], 'LowestIdleness' : [ 0x4, ['long']], 'Time' : [ 0x8, ['unsigned long']], 'Timeout' : [ 0xc, ['unsigned long']], 'LastUserInput' : [ 0x10, ['unsigned long']], 'Action' : [ 0x14, ['POWER_ACTION_POLICY']], 'MinState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SystemRequired' : [ 0x24, ['unsigned char']], 'IdleWorker' : [ 0x25, ['unsigned char']], 'Sampling' : [ 0x26, ['unsigned char']], 'LastTick' : [ 0x28, ['unsigned long long']], 'LastSystemRequiredTime' : [ 0x30, ['unsigned long']], } ], '_VF_TARGET_ALL_SHARED_EXPORT_THUNKS' : [ 0xc, { 'SharedExportThunks' : [ 0x0, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'PoolSharedExportThunks' : [ 0x4, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], 'OrderDependentSharedExportThunks' : [ 0x8, ['pointer', ['_VERIFIER_SHARED_EXPORT_THUNK']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x18, { 'SourceProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'SourceHandle' : [ 0x4, ['pointer', ['void']]], 'Object' : [ 0x8, ['pointer', ['void']]], 'TargetAccess' : [ 0xc, 
['unsigned long']], 'ObjectInfo' : [ 0x10, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x14, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SubsectionAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SubsectionAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_EFI_FIRMWARE_INFORMATION' : [ 0x10, { 'FirmwareVersion' : [ 0x0, ['unsigned long']], 'VirtualEfiRuntimeServices' : [ 0x4, ['pointer', ['_VIRTUAL_EFI_RUNTIME_SERVICES']]], 'SetVirtualAddressMapStatus' : [ 0x8, ['long']], 'MissedMappingsCount' : [ 0xc, ['unsigned long']], } ], '__unnamed_1f55' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f57' : [ 0xc, { 'Level' : [ 0x0, ['unsigned short']], 'Group' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f59' : [ 0xc, { 'Group' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f5b' : [ 0xc, { 'Raw' : [ 0x0, ['__unnamed_1f59']], 'Translated' : [ 0x0, ['__unnamed_1f57']], } ], 
'__unnamed_1f5d' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f5f' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f61' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f63' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f65' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f67' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_1f69' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_1f55']], 'Port' : [ 0x0, ['__unnamed_1f55']], 'Interrupt' : [ 0x0, ['__unnamed_1f57']], 'MessageInterrupt' : [ 0x0, ['__unnamed_1f5b']], 'Memory' : [ 0x0, ['__unnamed_1f55']], 'Dma' : [ 0x0, ['__unnamed_1f5d']], 'DevicePrivate' : [ 0x0, ['__unnamed_1e41']], 'BusNumber' : [ 0x0, ['__unnamed_1f5f']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1f61']], 'Memory40' : [ 0x0, ['__unnamed_1f63']], 'Memory48' : [ 0x0, ['__unnamed_1f65']], 'Memory64' : [ 0x0, ['__unnamed_1f67']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1f69']], } ], '__unnamed_1f6e' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1f6e']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 
0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_1f78' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_1f78']], } ], '_CONFIGURATION_COMPONENT_DATA' : [ 0x34, { 'Parent' : [ 0x0, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Child' : [ 0x4, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Sibling' : [ 0x8, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'ComponentEntry' : [ 0xc, ['_CONFIGURATION_COMPONENT']], 'ConfigurationData' : [ 0x30, ['pointer', ['void']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '__unnamed_1f82' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMSUBSECTION_NODE']]], } ], '_MMSUBSECTION_NODE' : [ 0x18, { 'u' : [ 0x0, ['__unnamed_1ef4']], 'StartingSector' : [ 0x4, ['unsigned long']], 'NumberOfFullSectors' : [ 0x8, ['unsigned long']], 'u1' : [ 0xc, ['__unnamed_1f82']], 'LeftChild' : [ 0x10, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x14, ['pointer', ['_MMSUBSECTION_NODE']]], } ], '_VF_AVL_TREE_NODE' : [ 0x8, { 'p' : [ 0x0, ['pointer', ['void']]], 'RangeSize' : [ 0x4, ['unsigned long']], } ], '__unnamed_1f8a' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_1f8c' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_1f8a']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x40, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'BusyReference' : [ 0x8, ['unsigned long']], 'TotalBusyCount' : [ 0xc, 
['unsigned long']], 'ConservationIdleTime' : [ 0x10, ['unsigned long']], 'PerformanceIdleTime' : [ 0x14, ['unsigned long']], 'DeviceObject' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x1c, ['_LIST_ENTRY']], 'IdleType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceIdleNormal', 1: 'DeviceIdleDisk'})]], 'IdleState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'Volume' : [ 0x30, ['_LIST_ENTRY']], 'Specific' : [ 0x38, ['__unnamed_1f8c']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', 
['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_KENLISTMENT' : [ 0x168, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x4, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x18, ['_GUID']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NextSameTx' : [ 0x48, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x50, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x58, ['pointer', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0x5c, ['pointer', ['_KTRANSACTION']]], 'State' : [ 0x60, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0x64, ['unsigned long']], 'NotificationMask' : [ 0x68, ['unsigned long']], 'Key' : [ 0x6c, ['pointer', ['void']]], 'KeyRefCount' : [ 0x70, ['unsigned long']], 'RecoveryInformation' : [ 0x74, ['pointer', ['void']]], 'RecoveryInformationLength' : [ 0x78, ['unsigned long']], 'DynamicNameInformation' : [ 0x7c, ['pointer', ['void']]], 'DynamicNameInformationLength' : [ 0x80, ['unsigned long']], 'FinalNotification' : [ 0x84, ['pointer', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0x88, 
['pointer', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0x8c, ['pointer', ['void']]], 'SubordinateTxHandle' : [ 0x90, ['pointer', ['void']]], 'CrmEnlistmentEnId' : [ 0x94, ['_GUID']], 'CrmEnlistmentTmId' : [ 0xa4, ['_GUID']], 'CrmEnlistmentRmId' : [ 0xb4, ['_GUID']], 'NextHistory' : [ 0xc4, ['unsigned long']], 'History' : [ 0xc8, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x14, ['unsigned char']], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, 
['array', 4, ['unsigned long']]],
    'GpValue' : [ 0x34, ['unsigned long']],
} ],
  '_ALPC_COMPLETION_LIST_HEADER' : [ 0x300, {
    'StartMagic' : [ 0x0, ['unsigned long long']],
    'TotalSize' : [ 0x8, ['unsigned long']],
    'ListOffset' : [ 0xc, ['unsigned long']],
    'ListSize' : [ 0x10, ['unsigned long']],
    'BitmapOffset' : [ 0x14, ['unsigned long']],
    'BitmapSize' : [ 0x18, ['unsigned long']],
    'DataOffset' : [ 0x1c, ['unsigned long']],
    'DataSize' : [ 0x20, ['unsigned long']],
    'AttributeFlags' : [ 0x24, ['unsigned long']],
    'AttributeSize' : [ 0x28, ['unsigned long']],
    'State' : [ 0x80, ['_ALPC_COMPLETION_LIST_STATE']],
    'LastMessageId' : [ 0x88, ['unsigned long']],
    'LastCallbackId' : [ 0x8c, ['unsigned long']],
    'PostCount' : [ 0x100, ['unsigned long']],
    'ReturnCount' : [ 0x180, ['unsigned long']],
    'LogSequenceNumber' : [ 0x200, ['unsigned long']],
    'UserLock' : [ 0x280, ['_RTL_SRWLOCK']],
    'EndMagic' : [ 0x288, ['unsigned long long']],
} ],
  '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, {
    'Characteristics' : [ 0x0, ['unsigned long']],
    'TimeDateStamp' : [ 0x4, ['unsigned long']],
    'MajorVersion' : [ 0x8, ['unsigned short']],
    'MinorVersion' : [ 0xa, ['unsigned short']],
    'Type' : [ 0xc, ['unsigned long']],
    'SizeOfData' : [ 0x10, ['unsigned long']],
    'AddressOfRawData' : [ 0x14, ['unsigned long']],
    'PointerToRawData' : [ 0x18, ['unsigned long']],
} ],
  '_ETW_WMITRACE_WORK' : [ 0xf0, {
    'LoggerId' : [ 0x0, ['unsigned long']],
    'LoggerName' : [ 0x8, ['array', 65, ['unsigned char']]],
    'FileName' : [ 0x49, ['array', 129, ['unsigned char']]],
    'MaximumFileSize' : [ 0xcc, ['unsigned long']],
    'MinBuffers' : [ 0xd0, ['unsigned long']],
    'MaxBuffers' : [ 0xd4, ['unsigned long']],
    'BufferSize' : [ 0xd8, ['unsigned long']],
    'Mode' : [ 0xdc, ['unsigned long']],
    'FlushTimer' : [ 0xe0, ['unsigned long']],
    'MatchAny' : [ 0x8, ['unsigned long long']],
    'MatchAll' : [ 0x10, ['unsigned long long']],
    'EnableProperty' : [ 0x18, ['unsigned long']],
    'Guid' : [ 0x1c, ['_GUID']],
    'Level' : [ 0x2c, ['unsigned char']],
    'Status' : [ 0xe8, ['long']],
} ],
  '_DEVICE_MAP' : [ 0x34, {
    'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]],
    'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]],
    'DosDevicesDirectoryHandle' : [ 0x8, ['pointer', ['void']]],
    'ReferenceCount' : [ 0xc, ['unsigned long']],
    'DriveMap' : [ 0x10, ['unsigned long']],
    'DriveType' : [ 0x14, ['array', 32, ['unsigned char']]],
} ],
  '_HEAP_DEBUGGING_INFORMATION' : [ 0x1c, {
    'InterceptorFunction' : [ 0x0, ['pointer', ['void']]],
    'InterceptorValue' : [ 0x4, ['unsigned short']],
    'ExtendedOptions' : [ 0x8, ['unsigned long']],
    'StackTraceDepth' : [ 0xc, ['unsigned long']],
    'MinTotalBlockSize' : [ 0x10, ['unsigned long']],
    'MaxTotalBlockSize' : [ 0x14, ['unsigned long']],
    'HeapLeakEnumerationRoutine' : [ 0x18, ['pointer', ['void']]],
} ],
  '_IO_RESOURCE_LIST' : [ 0x28, {
    'Version' : [ 0x0, ['unsigned short']],
    'Revision' : [ 0x2, ['unsigned short']],
    'Count' : [ 0x4, ['unsigned long']],
    'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]],
} ],
  '_MMBANKED_SECTION' : [ 0x20, {
    'BasePhysicalPage' : [ 0x0, ['unsigned long']],
    'BasedPte' : [ 0x4, ['pointer', ['_MMPTE']]],
    'BankSize' : [ 0x8, ['unsigned long']],
    'BankShift' : [ 0xc, ['unsigned long']],
    'BankedRoutine' : [ 0x10, ['pointer', ['void']]],
    'Context' : [ 0x14, ['pointer', ['void']]],
    'CurrentMappedPte' : [ 0x18, ['pointer', ['_MMPTE']]],
    'BankTemplate' : [ 0x1c, ['array', 1, ['_MMPTE']]],
} ],
  '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, {
    'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]],
    'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]],
    'AsULONG' : [ 0x0, ['unsigned long']],
} ],
  '_XSAVE_AREA_HEADER' : [ 0x40, {
    'Mask' : [ 0x0, ['unsigned long long']],
    'Reserved' : [ 0x8, ['array', 7, ['unsigned long long']]],
} ],
  '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, {
    'Entry' : [ 0x0, ['_LIST_ENTRY']],
    'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']],
    'CommitSize' : [ 0x10, ['unsigned long']],
    'ReserveSize' : [ 0x14, ['unsigned long']],
    'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']],
} ],
  '_PNP_DEVICE_COMPLETION_REQUEST' : [ 0x38, {
    'ListEntry' : [ 0x0, ['_LIST_ENTRY']],
    'DeviceNode' : [ 0x8, ['pointer', ['_DEVICE_NODE']]],
    'Context' : [ 0xc, ['pointer', ['void']]],
    'CompletionState' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]],
    'IrpPended' : [ 0x14, ['unsigned long']],
    'Status' : [ 0x18, ['long']],
    'Information' : [ 0x1c, ['pointer', ['void']]],
    'WorkItem' : [ 0x20, ['_WORK_QUEUE_ITEM']],
    'FailingDriver' : [ 0x30, ['pointer', ['_DRIVER_OBJECT']]],
    'ReferenceCount' : [ 0x34, ['long']],
} ],
  '_EVENT_FILTER_HEADER' : [ 0x18, {
    'Id' : [ 0x0, ['unsigned short']],
    'Version' : [ 0x2, ['unsigned char']],
    'Reserved' : [ 0x3, ['array', 5, ['unsigned char']]],
    'InstanceId' : [ 0x8, ['unsigned long long']],
    'Size' : [ 0x10, ['unsigned long']],
    'NextOffset' : [ 0x14, ['unsigned long']],
} ],
  '_WAIT_CONTEXT_BLOCK' : [ 0x28, {
    'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']],
    'DeviceRoutine' : [ 0x10, ['pointer', ['void']]],
    'DeviceContext' : [ 0x14, ['pointer', ['void']]],
    'NumberOfMapRegisters' : [ 0x18, ['unsigned long']],
    'DeviceObject' : [ 0x1c, ['pointer', ['void']]],
    'CurrentIrp' : [ 0x20, ['pointer', ['void']]],
    'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]],
} ],
  '_SECTION_OBJECT' : [ 0x18, {
    'StartingVa' : [ 0x0, ['pointer', ['void']]],
    'EndingVa' : [ 0x4, ['pointer', ['void']]],
    'Parent' : [ 0x8, ['pointer', ['void']]],
    'LeftChild' : [ 0xc, ['pointer', ['void']]],
    'RightChild' : [ 0x10, ['pointer', ['void']]],
    'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]],
} ],
  '_CM_NAME_CONTROL_BLOCK' : [ 0x10, {
    'Compressed' : [ 0x0, ['unsigned char']],
    'RefCount' : [ 0x2, ['unsigned short']],
    'NameHash' : [ 0x4, ['_CM_NAME_HASH']],
    'ConvKey' : [ 0x4, ['unsigned long']],
    'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]],
    'NameLength' : [ 0xc, ['unsigned short']],
    'Name' : [ 0xe, ['array', 1, ['wchar']]],
} ],
}

volatility-2.3.1/volatility/plugins/overlays/windows/ssdt_vtypes.py

# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import sys
import volatility.debug as debug
import volatility.obj as obj

# SSDT structures for all x86 profiles *except* Win 2003 Server
ssdt_vtypes = {
    '_SERVICE_DESCRIPTOR_TABLE' : [ 0x40, {
    'Descriptors' : [0x0, ['array', 4, ['_SERVICE_DESCRIPTOR_ENTRY']]],
    }],
    '_SERVICE_DESCRIPTOR_ENTRY' : [ 0x10, {
    'KiServiceTable' : [0x0, ['pointer', ['void']]],
    'CounterBaseTable' : [0x4, ['pointer', ['unsigned long']]],
    'ServiceLimit' : [0x8, ['unsigned long']],
    'ArgumentTable' : [0xc, ['pointer', ['unsigned char']]],
    }],
}

# SSDT structures for Win 2003 Server x86
ssdt_vtypes_2003 = {
    '_SERVICE_DESCRIPTOR_TABLE' : [ 0x20, {
    'Descriptors' : [0x0, ['array', 2, ['_SERVICE_DESCRIPTOR_ENTRY']]],
    }],
}

# SSDT structures for x64
ssdt_vtypes_64 = {
    '_SERVICE_DESCRIPTOR_TABLE' : [ 0x40, {
    'Descriptors' : [0x0, ['array', 2, ['_SERVICE_DESCRIPTOR_ENTRY']]],
    }],
    '_SERVICE_DESCRIPTOR_ENTRY' : [ 0x20, {
    'KiServiceTable' : [0x0, ['pointer64', ['void']]],
    'CounterBaseTable' : [0x8, ['pointer64', ['unsigned long']]],
    'ServiceLimit' : [0x10, ['unsigned long long']],
    'ArgumentTable' : [0x18, ['pointer64', ['unsigned char']]],
    }],
}

#### Filthy Hack for backwards compatibility

def syscalls_property(x):
    debug.debug("Deprecation warning: Please use profile.additional['syscalls'] over profile.syscalls")
    return x.additional.get('syscalls', [[], []])

class WinSyscallsAttribute(obj.ProfileModification):
    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        # Filthy hack for backwards compatibility
        profile.__class__.syscalls = property(syscalls_property)

####

class AbstractSyscalls(obj.ProfileModification):
    syscall_module = 'No default'

    def modification(self, profile):
        module = sys.modules.get(self.syscall_module, None)
        profile.additional['syscalls'] = module.syscalls

class WinXPSyscalls(AbstractSyscalls):
    syscall_module = 'volatility.plugins.overlays.windows.xp_sp2_x86_syscalls'
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x : x == 5,
                  'minor': lambda x : x == 1}

class Win64SyscallVTypes(obj.ProfileModification):
    before = ['WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit'}

    def modification(self, profile):
        profile.vtypes.update(ssdt_vtypes_64)

class Win2003SyscallVTypes(obj.ProfileModification):
    before = ['WindowsVTypes']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 2}

    def modification(self, profile):
        profile.vtypes.update(ssdt_vtypes_2003)

class Win2003SP0Syscalls(AbstractSyscalls):
    # Win2003SP12Syscalls applies to SP0 as well, so this must be applied second
    before = ['Win2003SP12Syscalls']
    syscall_module = 'volatility.plugins.overlays.windows.win2003_sp0_x86_syscalls'
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x: x == 5,
                  'minor': lambda x: x == 2,
                  'build': lambda x: x == 3789}

class Win2003SP12Syscalls(AbstractSyscalls):
    syscall_module = 'volatility.plugins.overlays.windows.win2003_sp12_x86_syscalls'
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x : x == 5,
                  'minor': lambda x : x == 2}

class Win2003SP12x64Syscalls(AbstractSyscalls):
    syscall_module = 'volatility.plugins.overlays.windows.win2003_sp12_x64_syscalls'
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x : x == 5,
                  'minor': lambda x : x == 2}

class VistaSP0Syscalls(AbstractSyscalls):
    syscall_module = 'volatility.plugins.overlays.windows.vista_sp0_x86_syscalls'
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x == 0,
                  'build': lambda x : x == 6000}

class VistaSP0x64Syscalls(AbstractSyscalls):
    syscall_module = 'volatility.plugins.overlays.windows.vista_sp0_x64_syscalls'
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x == 0,
                  'build': lambda x : x == 6000}

class VistaSP12Syscalls(AbstractSyscalls):
    syscall_module = 'volatility.plugins.overlays.windows.vista_sp12_x86_syscalls'
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x == 0,
                  'build': lambda x : x >= 6001}

class VistaSP12x64Syscalls(AbstractSyscalls):
    syscall_module = 'volatility.plugins.overlays.windows.vista_sp12_x64_syscalls'
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x == 0,
                  'build': lambda x : x >= 6001}

class Win7SP01Syscalls(AbstractSyscalls):
    syscall_module = 'volatility.plugins.overlays.windows.win7_sp01_x86_syscalls'
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '32bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x == 1}

class Win7SP01x64Syscalls(AbstractSyscalls):
    syscall_module = 'volatility.plugins.overlays.windows.win7_sp01_x64_syscalls'
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x == 1}

volatility-2.3.1/volatility/plugins/overlays/windows/windows.py

# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import datetime, struct
import volatility.plugins.overlays.basic as basic
import volatility.plugins.kpcrscan as kpcr
import volatility.plugins.kdbgscan as kdbg
import volatility.timefmt as timefmt
import volatility.debug as debug
import volatility.obj as obj
import volatility.addrspace as addrspace
import volatility.exceptions as exceptions

# Standard vtypes are usually autogenerated by scanning through header
# files, collecting debugging symbol data etc. This file defines
# fixups and improvements to the standard types.
windows_overlay = {
    'VOLATILITY_MAGIC' : [None, {
    # Profile specific values
    'DTBSignature' : [ 0x0, ['VolatilityMagic', dict(value = "Volatility DTBSignature unspecified")]],
    'KUSER_SHARED_DATA' : [ 0x0, ['VolatilityMagic', dict(value = 0xFFDF0000)]],
    'KDBGHeader' : [ 0x0, ['VolatilityMagic', dict(value = 'Volatility KDBGHeader unspecified')]],
    # Configuration options
    'DTB' : [ 0x0, ['VolatilityDTB', dict(configname = "DTB")]],
    'KPCR' : [ 0x0, ['VolatilityMagic', dict(value = 0xffdff000, configname = "KPCR")]],
    'KDBG' : [ 0x0, ['VolatilityKDBG', dict(configname = "KDBG")]],
    'IA32ValidAS': [ 0x0, ['VolatilityIA32ValidAS']],
    'AMD64ValidAS': [ 0x0, ['VolatilityAMD64ValidAS']],
    # Pool allocations are aligned to this many bytes.
    'PoolAlignment': [0x0, ['VolatilityMagic', dict(value = 8)]],
    #hibrfil.sys values
    'HibrProcPage': [0x0, ['VolatilityMagic', dict(value = 0x0)]],
    'HibrEntryCount': [0x0, ['VolatilityMagic', dict(value = 0x0)]],
    'MaxAddress': [0x0, ['VolatilityMaxAddress']],
    }],

    '_EPROCESS' : [ None, {
    'CreateTime' : [ None, ['WinTimeStamp', dict(is_utc = True)]],
    'ExitTime' : [ None, ['WinTimeStamp', dict(is_utc = True)]],
    'InheritedFromUniqueProcessId' : [ None, ['unsigned int']],
    'ImageFileName' : [ None, ['String', dict(length = 16)]],
    'UniqueProcessId' : [ None, ['unsigned int']],
    }],

    '_ETHREAD' : [ None, {
    'CreateTime' : [ None, ['ThreadCreateTimeStamp', dict(is_utc = True)]],
    'ExitTime' : [ None, ['WinTimeStamp', dict(is_utc = True)]],
    }],

    '_OBJECT_SYMBOLIC_LINK' : [ None, {
    'CreationTime' : [ None, ['WinTimeStamp', dict(is_utc = True)]],
    }],

    '_KUSER_SHARED_DATA' : [ None, {
    'SystemTime' : [ None, ['WinTimeStamp', dict(is_utc = True)]],
    'TimeZoneBias' : [ None, ['WinTimeStamp', {}]],
    }],

    # The DTB is really an array of 2 ULONG_PTR but we only need the first one
    # which is the value loaded into CR3. The second one, according to procobj.c
    # of the wrk-v1.2, contains the PTE that maps something called hyper space.
    '_KPROCESS' : [ None, {
    'DirectoryTableBase' : [ None, ['unsigned long']],
    }],

    '_HANDLE_TABLE_ENTRY' : [ None, {
    'Object' : [ None, ['_EX_FAST_REF']],
    }],

    '_IMAGE_SECTION_HEADER' : [ None, {
    'Name' : [ 0x0, ['String', dict(length = 8)]],
    }],

    '_IMAGE_FILE_HEADER': [ None, {
    'TimeDateStamp' : [None, ['UnixTimeStamp', dict(is_utc = True)]],
    }],

    '_LDR_DATA_TABLE_ENTRY': [ None, {
    'TimeDateStamp' : [None, ['UnixTimeStamp', dict(is_utc = True)]],
    }],

    '_DBGKD_GET_VERSION64' : [ None, {
    'DebuggerDataList' : [ None, ['pointer', ['unsigned long']]],
    }],

    '_CM_KEY_NODE' : [ None, {
    'Signature' : [ None, ['String', dict(length = 2)]],
    'LastWriteTime' : [ None, ['WinTimeStamp', dict(is_utc = True)]],
    'Name' : [ None, ['String', dict(length = lambda x: x.NameLength)]],
    }],

    '_CM_NAME_CONTROL_BLOCK' : [ None, {
    'Name' : [ None, ['String', dict(length = lambda x: x.NameLength)]],
    }],

    '_CHILD_LIST' : [ None, {
    'List' : [ None, ['pointer', ['array', lambda x: x.Count,
                                  ['pointer', ['_CM_KEY_VALUE']]]]],
    }],

    '_CM_KEY_VALUE' : [ None, {
    'Signature' : [ None, ['String', dict(length = 2)]],
    'Name' : [ None, ['String', dict(length = lambda x: x.NameLength)]],
    }],

    '_CM_KEY_INDEX' : [ None, {
    'Signature' : [ None, ['String', dict(length = 2)]],
    'List' : [ None, ['array', lambda x: x.Count.v() * 2, ['pointer', ['_CM_KEY_NODE']]]],
    }],

    'PO_MEMORY_IMAGE' : [ None, {
    'Signature': [ None, ['String', dict(length = 4)]],
    'SystemTime' : [ None, ['WinTimeStamp', dict(is_utc = True)]],
    }],

    '_PHYSICAL_MEMORY_DESCRIPTOR' : [ None, {
    'Run' : [ None, ['array', lambda x: x.NumberOfRuns, ['_PHYSICAL_MEMORY_RUN']]],
    }],

    '_TOKEN' : [ None, {
    'UserAndGroups' : [ None, ['pointer', ['array', lambda x: x.UserAndGroupCount,
                                           ['_SID_AND_ATTRIBUTES']]]],
    }],

    '_SID' : [ None, {
    'SubAuthority' : [ None, ['array', lambda x: x.SubAuthorityCount, ['unsigned long']]],
    }],

    '_CLIENT_ID': [ None, {
    'UniqueProcess' : [ None, ['unsigned int']],
    'UniqueThread' : [ None, ['unsigned int']],
    }],

    '_MMVAD_SHORT': [ None, {
    # This is the location of the MMVAD type which controls how to parse the
    # node. It is located before the structure.
    'Tag': [-4 , ['String', dict(length = 4)]],
    }],

    '_MMVAD_LONG': [ None, {
    # This is the location of the MMVAD type which controls how to parse the
    # node. It is located before the structure.
    'Tag': [-4 , ['String', dict(length = 4)]],
    }],
}

class _UNICODE_STRING(obj.CType):
    """Class representing a _UNICODE_STRING

    Adds the following behavior:
      * The Buffer attribute is presented as a Python string rather
        than a pointer to an unsigned short.
      * The __str__ method returns the value of the Buffer.
    """
    def v(self):
        """
        If the claimed length of the string is acceptable, return a unicode string.
        Otherwise, return a NoneObject.
        """
        data = self.dereference()
        if data:
            return unicode(data)
        return data

    def dereference(self):
        length = self.Length.v()
        if length > 0 and length <= 1024:
            data = self.Buffer.dereference_as('String', encoding = 'utf16', length = length)
            return data
        else:
            return obj.NoneObject("Buffer length {0} for _UNICODE_STRING not within bounds".format(length))

    def proxied(self, _name):
        return str(self)

    def __nonzero__(self):
        ## Unicode strings are valid if they point at a valid memory
        return bool(self.Buffer and self.Length.v() > 0 and self.Length.v() <= 1024)

    def __format__(self, formatspec):
        return format(self.v(), formatspec)

    def __str__(self):
        return str(self.dereference())

    def __unicode__(self):
        return unicode(self.dereference())

    def __len__(self):
        return len(self.dereference())

class _LIST_ENTRY(obj.CType):
    """ Adds iterators for _LIST_ENTRY types """
    def list_of_type(self, type, member, forward = True, head_sentinel = True):
        if not self.is_valid():
            return

        ## Get the first element
        if forward:
            nxt = self.Flink.dereference()
        else:
            nxt = self.Blink.dereference()

        offset = self.obj_vm.profile.get_obj_offset(type, member)

        seen = set()
        if head_sentinel:
            # We're a header element and not to be included in the list
            seen.add(self.obj_offset)

        while nxt.is_valid() and nxt.obj_offset not in seen:

            ## Instantiate the object
            item = obj.Object(type, offset = nxt.obj_offset - offset,
                              vm = self.obj_vm,
                              parent = self.obj_parent,
                              native_vm = self.obj_native_vm,
                              name = type)

            seen.add(nxt.obj_offset)

            yield item

            if forward:
                nxt = item.m(member).Flink.dereference()
            else:
                nxt = item.m(member).Blink.dereference()

    def __nonzero__(self):
        ## List entries are valid when both Flinks and Blink are valid
        return bool(self.Flink) or bool(self.Blink)

    def __iter__(self):
        return self.list_of_type(self.obj_parent.obj_name, self.obj_name)

class WinTimeStamp(obj.NativeType):
    """Class for handling Windows Time Stamps"""

    def __init__(self, theType, offset, vm, is_utc = False, **kwargs):
        self.is_utc = is_utc
        obj.NativeType.__init__(self, theType, offset, vm, format_string = "q", **kwargs)

    def windows_to_unix_time(self, windows_time):
        """
        Converts Windows 64-bit time to UNIX time

        @type windows_time: Integer
        @param windows_time: Windows time to convert (64-bit number)

        @rtype Integer
        @return UNIX time
        """
        if windows_time == None or windows_time == 0:
            unix_time = 0
        else:
            unix_time = windows_time / 10000000
            unix_time = unix_time - 11644473600

        if unix_time < 0:
            unix_time = 0

        return unix_time

    def as_windows_timestamp(self):
        return obj.NativeType.v(self)

    def v(self):
        value = self.as_windows_timestamp()
        return self.windows_to_unix_time(value)

    def __nonzero__(self):
        return self.v() != 0

    def __str__(self):
        return "{0}".format(self)

    def as_datetime(self):
        try:
            dt = datetime.datetime.utcfromtimestamp(self.v())
            if self.is_utc:
                # Only do dt.replace when dealing with UTC
                dt = dt.replace(tzinfo = timefmt.UTC())
        except ValueError, e:
            return obj.NoneObject("Datetime conversion failure: " + str(e))
        return dt

    def __format__(self, formatspec):
        """Formats the datetime according to the timefmt module"""
        dt = self.as_datetime()
        if dt != None:
            return format(timefmt.display_datetime(dt), formatspec)
        return "-"

class _EPROCESS(obj.CType):
    """ An extensive _EPROCESS with bells and whistles """
    @property
    def Peb(self):
        """ Returns a _PEB object which is using the process address space.

        The PEB structure is referencing back into the process address
        space so we need to switch address spaces when we look at
        it. This method ensures this happens automatically.
        """
        process_ad = self.get_process_address_space()
        if process_ad:
            offset = self.m("Peb").v()
            peb = obj.Object("_PEB", offset, vm = process_ad,
                             name = "Peb", parent = self)

            if peb.is_valid():
                return peb

        return obj.NoneObject("Peb not found")

    def get_process_address_space(self):
        """ Gets a process address space for a task given in _EPROCESS """
        directory_table_base = self.Pcb.DirectoryTableBase.v()

        try:
            process_as = self.obj_vm.__class__(self.obj_vm.base, self.obj_vm.get_config(), dtb = directory_table_base)
        except AssertionError, _e:
            return obj.NoneObject("Unable to get process AS")

        process_as.name = "Process {0}".format(self.UniqueProcessId)

        return process_as

    def _get_modules(self, the_list, the_type):
        """Generator for DLLs in one of the 3 PEB lists"""
        if self.UniqueProcessId and the_list:
            for l in the_list.list_of_type("_LDR_DATA_TABLE_ENTRY", the_type):
                yield l

    def get_init_modules(self):
        return self._get_modules(self.Peb.Ldr.InInitializationOrderModuleList, "InInitializationOrderLinks")

    def get_mem_modules(self):
        return self._get_modules(self.Peb.Ldr.InMemoryOrderModuleList, "InMemoryOrderLinks")

    def get_load_modules(self):
        return self._get_modules(self.Peb.Ldr.InLoadOrderModuleList, "InLoadOrderLinks")

    def get_token(self):
        """Return the process's TOKEN object if it's valid"""

        # The dereference checks if the address is valid
        # and returns obj.NoneObject if it fails
        token = self.Token.dereference_as("_TOKEN")

        # This check fails if the above dereference failed
        # or if any of the _TOKEN specific validity tests failed.
        if token.is_valid():
            return token

        return obj.NoneObject("Cannot get process Token")

class _TOKEN(obj.CType):
    """A class for Tokens"""

    def is_valid(self):
        """Override BaseObject.is_valid with some additional
        checks specific to _TOKEN objects."""
        return obj.CType.is_valid(self) and self.TokenInUse in (0, 1) and self.SessionId < 10

    def get_sids(self):
        """Generator for process SID strings"""
        if self.UserAndGroupCount < 0xFFFF:
            for sa in self.UserAndGroups.dereference():
                sid = sa.Sid.dereference_as('_SID')
                for i in sid.IdentifierAuthority.Value:
                    id_auth = i
                yield "S-" + "-".join(str(i) for i in (sid.Revision, id_auth) +
                                      tuple(sid.SubAuthority))

    def privileges(self):
        """Generator for privileges.

        @yields a tuple (value, present, enabled, default).

        We only yield 'present' here for consistency with
        the Vista+ privileges() generator. In the XP/2003 case,
        values will never be reported unless they're present
        (thus we hard-code it to True) but Vista+ can be optional
        due to DKOM.
        """
        # The max size check originates from code seen in the
        # DisplayPrivileges function of windbg's exts.dll
        if self.PrivilegeCount < 1024:
            # This is a pointer to an array of _LUID_AND_ATTRIBUTES
            for luid in self.Privileges.dereference():
                # The Attributes member is a flag
                enabled = luid.Attributes & 2 != 0
                default = luid.Attributes & 1 != 0
                yield luid.Luid.LowPart, True, enabled, default

class _ETHREAD(obj.CType):
    """ A class for threads """

    def owning_process(self):
        """Return the EPROCESS that owns this thread"""
        return self.ThreadsProcess.dereference()

    def attached_process(self):
        """Return the EPROCESS that this thread is currently
        attached to."""
        return self.Tcb.ApcState.Process.dereference_as("_EPROCESS")

class _HANDLE_TABLE(obj.CType):
    """ A class for _HANDLE_TABLE.

    This used to be a member of _EPROCESS but it was
    isolated per issue 91 so that it could be subclassed
    and used to service other handle tables, such as the
    _KDDEBUGGER_DATA64.PspCidTable.
    """

    def get_item(self, entry, handle_value = 0):
        """Returns the OBJECT_HEADER of the associated handle.
        The parent is the _HANDLE_TABLE_ENTRY so that an object
        can be linked to its GrantedAccess.
        """
        return entry.Object.dereference_as("_OBJECT_HEADER", parent = entry, handle_value = handle_value)

    def _make_handle_array(self, offset, level, depth = 0):
        """ Returns an array of _HANDLE_TABLE_ENTRY rooted at offset,
        and iterates over them.
        """

        # The counts below are calculated by taking the size of a page and dividing
        # by the size of the data type contained within the page. For more information
        # see http://blogs.technet.com/b/markrussinovich/archive/2009/09/29/3283844.aspx
        if level > 0:
            count = 0x1000 / self.obj_vm.profile.get_obj_size("address")
            targetType = "address"
        else:
            count = 0x1000 / self.obj_vm.profile.get_obj_size("_HANDLE_TABLE_ENTRY")
            targetType = "_HANDLE_TABLE_ENTRY"

        table = obj.Object("Array", offset = offset, vm = self.obj_vm, count = count,
                           targetType = targetType, parent = self, native_vm = self.obj_native_vm)

        if table:
            for entry in table:
                if not entry.is_valid():
                    break

                if level > 0:
                    ## We need to go deeper:
                    for h in self._make_handle_array(entry, level - 1, depth):
                        yield h
                    depth += 1
                else:
                    # All handle values are multiples of four, on both x86 and x64.
                    handle_multiplier = 4
                    # Calculate the starting handle value for this level.
                    handle_level_base = depth * count * handle_multiplier
                    # The size of a handle table entry.
                    handle_entry_size = self.obj_vm.profile.get_obj_size("_HANDLE_TABLE_ENTRY")
                    # Finally, compute the handle value for this object.
                    handle_value = ((entry.obj_offset - offset) /
                                    (handle_entry_size / handle_multiplier)) + handle_level_base

                    ## OK We got to the bottom table, we just resolve
                    ## objects here:
                    item = self.get_item(entry, handle_value)

                    if item == None:
                        continue

                    try:
                        # New object header
                        if item.TypeIndex != 0x0:
                            yield item
                    except AttributeError:
                        if item.Type.Name:
                            yield item

    def handles(self):
        """ A generator which yields this process's handles

        _HANDLE_TABLE tables are multi-level tables at the first level
        they are pointers to second level table, which might be
        pointers to third level tables etc, until the final table
        contains the real _OBJECT_HEADER table.

        This generator iterates over all the handles recursively
        yielding all handles. We take care of recursing into the
        nested tables automatically.
        """
        # This should work equally for 32 and 64 bit systems
        LEVEL_MASK = 7

        TableCode = self.TableCode.v() & ~LEVEL_MASK
        table_levels = self.TableCode.v() & LEVEL_MASK
        offset = TableCode

        for h in self._make_handle_array(offset, table_levels):
            yield h

class _OBJECT_HEADER(obj.CType):
    """A Volatility object to handle Windows object headers.

    This object applies only to versions below windows 7.
    """

    optional_headers = [('NameInfo', '_OBJECT_HEADER_NAME_INFO'),
                        ('HandleInfo', '_OBJECT_HEADER_HANDLE_INFO'),
                        ('QuotaInfo', '_OBJECT_HEADER_QUOTA_INFO')]

    def __init__(self, *args, **kwargs):
        # Usually we don't add members to objects like this, but it's an
        # exception due to lack of better options. See Issue #135.
        self.HandleValue = kwargs.get("handle_value", 0)

        obj.CType.__init__(self, *args, **kwargs)
        # Create accessors for optional headers
        self.find_optional_headers()

    def find_optional_headers(self):
        """Find this object's optional headers."""
        offset = self.obj_offset

        for name, objtype in self.optional_headers:
            if self.obj_vm.profile.has_type(objtype):
                header_offset = self.m(name + 'Offset').v()
                if header_offset:
                    o = obj.Object(objtype, offset - header_offset, vm = self.obj_vm, native_vm = self.obj_native_vm)
                else:
                    o = obj.NoneObject("Header {0} not set for object at {1:#x}".format(name, offset))

                self.newattr(name, o)

    @property
    def GrantedAccess(self):
        if self.obj_parent:
            return self.obj_parent.GrantedAccess
        return obj.NoneObject("No parent known")

    def dereference_as(self, theType):
        """Instantiate an object from the _OBJECT_HEADER.Body"""
        return obj.Object(theType, offset = self.Body.obj_offset, vm = self.obj_vm,
                          native_vm = self.obj_native_vm, parent = self)

    def get_object_type(self):
        """Return the object's type as a string"""
        type_obj = obj.Object("_OBJECT_TYPE", self.Type, self.obj_native_vm)

        return type_obj.Name.v()

class _FILE_OBJECT(obj.CType):
    """Class for file objects"""

    def file_name_with_device(self):
        """Return the name of the file, prefixed with the name
        of the device object to which the file belongs"""
        name = ""
        if self.DeviceObject:
            object_hdr = obj.Object("_OBJECT_HEADER",
                                    self.DeviceObject - self.obj_vm.profile.get_obj_offset("_OBJECT_HEADER", "Body"),
                                    self.obj_native_vm)
            if object_hdr:
                name = "\\Device\\{0}".format(str(object_hdr.NameInfo.Name or ''))
        if self.FileName:
            name += str(self.FileName)
        return name

    def access_string(self):
        ## Make a nicely formatted ACL string
        AccessStr = (((self.ReadAccess > 0 and "R") or '-') +
                     ((self.WriteAccess > 0 and "W") or '-') +
                     ((self.DeleteAccess > 0 and "D") or '-') +
                     ((self.SharedRead > 0 and "r") or '-') +
                     ((self.SharedWrite > 0 and "w") or '-') +
                     ((self.SharedDelete > 0 and "d") or '-'))
        return AccessStr

## This is an object which provides access to the VAD tree.
class _MMVAD(obj.CType):
    """Class factory for _MMVAD objects"""

    ## The actual type depends on this tag value.
    tag_map = {'Vadl': '_MMVAD_LONG',
               'VadS': '_MMVAD_SHORT',
               'Vad ': '_MMVAD_LONG',
               'VadF': '_MMVAD_SHORT',
               'Vadm': '_MMVAD_LONG',
              }

    ## parent is the containing _EPROCESS right now
    def __new__(cls, theType, offset, vm, parent = None, **args):
        # Don't waste time if we're based on a NULL pointer
        # I can't think of a better check than this...
        if offset < 4:
            return obj.NoneObject("MMVAD probably instantiated from a NULL pointer, there is no tag to read")

        if not vm:
            return obj.NoneObject("Could not find address space for _MMVAD object")

        ## Note that since we were called from __new__ we can return a
        ## completely different object here (including
        ## NoneObject). This also means that we can not add any
        ## specialist methods to the _MMVAD class.

        ## We must not pollute Object's constructor by providing the
        ## members or struct_size we were instantiated with
        args.pop('struct_size', None)
        args.pop('members', None)

        # Start off with an _MMVAD_LONG
        result = obj.Object('_MMVAD_LONG', offset = offset, vm = vm, parent = parent, **args)

        # Get the tag and change the vad type if necessary
        real_type = cls.tag_map.get(str(result.Tag), None)
        if not real_type:
            return obj.NoneObject("Tag {0} not known".format(str(result.Tag)))

        if result.__class__.__name__ != real_type:
            result = obj.Object(real_type, offset = offset, vm = vm, parent = parent, **args)

        return result

class _MMVAD_SHORT(obj.CType):
    """Class with convenience functions for _MMVAD_SHORT functions"""

    def is_valid(self):
        return (obj.CType.is_valid(self) and
                self.Start < obj.VolMagic(self.obj_vm).MaxAddress.v() and
                self.End < (obj.VolMagic(self.obj_vm).MaxAddress.v() << 12))

    def traverse(self, visited = None):
        """ Traverse the VAD tree by generating all the left items,
        then the right items.

        We try to be tolerant of cycles by storing all offsets visited.
        """
        if visited == None:
            visited = set()

        ## We try to prevent loops here
        if self.obj_offset in visited:
            return

        yield self

        for c in self.LeftChild.traverse(visited = visited):
            visited.add(c.obj_offset)
            yield c

        for c in self.RightChild.traverse(visited = visited):
            visited.add(c.obj_offset)
            yield c

    @property
    def Parent(self):
        """Returns the Parent of the MMVAD"""
        return self.m('Parent').dereference()

    @property
    def ControlArea(self):
        """Returns the ControlArea of the MMVAD"""
        return self.m('ControlArea')

    @property
    def FileObject(self):
        """Returns the FilePointer of the ControlArea of the MMVAD"""
        return self.ControlArea.FilePointer.dereference()

    @property
    def Start(self):
        """Get the starting virtual address"""
        return self.StartingVpn << 12

    @property
    def End(self):
        """Get the ending virtual address"""
        return ((self.EndingVpn + 1) << 12) - 1

    @property
    def Length(self):
        """Get the length of the VAD memory region"""
        return ((self.EndingVpn + 1) << 12) - self.Start

class _MMVAD_LONG(_MMVAD_SHORT):
    """Subclasses _MMVAD_LONG based on _MMVAD_SHORT"""
    pass

class _EX_FAST_REF(obj.CType):

    MAX_FAST_REF = 7

    def dereference_as(self, theType, parent = None, **kwargs):
        """Use the _EX_FAST_REF.Object pointer to resolve an object of the specified type"""
        return obj.Object(theType, self.Object.v() & ~self.MAX_FAST_REF, self.obj_native_vm, parent = parent or self, **kwargs)

class ThreadCreateTimeStamp(WinTimeStamp):
    """Handles ThreadCreateTimeStamps which are bit shifted WinTimeStamps"""

    def __init__(self, *args, **kwargs):
        WinTimeStamp.__init__(self, *args, **kwargs)

    def as_windows_timestamp(self):
        return obj.NativeType.v(self) >> 3

class VolatilityKPCR(obj.VolatilityMagic):
    """A scanner for KPCR data within an address space"""

    def __init__(self, *args, **kwargs):
        # Remove the value kwarg since overlaying one
        # on the other would give the value precedence
        kwargs.pop('value', None)
        obj.VolatilityMagic.__init__(self, *args, **kwargs)

    def generate_suggestions(self):
        """Returns the results of KPCRScanner for an address space"""
        scanner = kpcr.KPCRScanner()
        for val in scanner.scan(self.obj_vm):
            yield val

class VolatilityMaxAddress(obj.VolatilityMagic):
    """The maximum address of a profile's
    underlying AS.

    On x86 this is 0xFFFFFFFF (2 ** 32) - 1
    On x64 this is 0xFFFFFFFFFFFFFFFF (2 ** 64) - 1

    We use a VolatilityMagic to calculate this
    based on the size of an address, since that's
    something we can already rely on being set
    properly for the AS.
    """

    def generate_suggestions(self):
        yield 2 ** (self.obj_vm.profile.get_obj_size("address") * 8) - 1

class VolatilityKDBG(obj.VolatilityMagic):
    """A Scanner for KDBG data within an address space"""

    def generate_suggestions(self):
        """Generates a list of possible KDBG structure locations"""
        scanner = kdbg.KDBGScanner(needles = [obj.VolMagic(self.obj_vm).KDBGHeader.v()])
        for val in scanner.scan(self.obj_vm):
            yield val

class VolatilityIA32ValidAS(obj.VolatilityMagic):
    """An object to check that an address space is a valid IA32 Paged space"""

    def generate_suggestions(self):
        """Generates a single response of True or False depending on whether the space is a valid Windows AS"""
        # This constraint looks for self referential values within
        # the paging tables
        try:
            if self.obj_vm.pae:
                pde_base = 0xc0600000
                pd = self.obj_vm.get_pdpi(0) & 0xffffffffff000
            else:
                pde_base = 0xc0300000
                pd = self.obj_vm.dtb
            if (self.obj_vm.vtop(pde_base) == pd):
                yield True
                raise StopIteration

        except addrspace.ASAssertionError, _e:
            pass
        debug.debug("Failed to pass the Moyix Valid IA32 AS test", 3)

        # This constraint verifies that _KUSER_SHARED_DATA is shared
        # between user and kernel address spaces.
if (self.obj_vm.vtop(0xffdf0000)) == (self.obj_vm.vtop(0x7ffe0000)): if self.obj_vm.vtop(0xffdf0000) != None: yield True raise StopIteration debug.debug("Failed to pass the labarum_x Valid IA32 AS test", 3) yield False class VolatilityAMD64ValidAS(obj.VolatilityMagic): def generate_suggestions(self): if self.obj_vm.vtop(0xFFFFF78000000000) != None: if (self.obj_vm.vtop(0xFFFFF78000000000)) == (self.obj_vm.vtop(0x7FFE0000)): yield True raise StopIteration if obj.Object("_KUSER_SHARED_DATA", offset = 0xFFFFF78000000000, vm = self.obj_vm).Reserved1 == 0x7FFEFFFF: yield True raise StopIteration yield False class _IMAGE_DOS_HEADER(obj.CType): """DOS header""" def get_nt_header(self): """Get the NT header""" if self.e_magic != 0x5a4d: raise ValueError('e_magic {0:04X} is not a valid DOS signature.'.format(self.e_magic)) nt_header = obj.Object("_IMAGE_NT_HEADERS", offset = self.e_lfanew + self.obj_offset, vm = self.obj_vm, native_vm = self.obj_native_vm) if nt_header.Signature != 0x4550: raise ValueError('NT header signature {0:04X} is not a valid'.format(nt_header.Signature)) return nt_header class _IMAGE_NT_HEADERS(obj.CType): """PE header""" def get_sections(self, unsafe): """Get the PE sections""" sect_size = self.obj_vm.profile.get_obj_size("_IMAGE_SECTION_HEADER") start_addr = self.FileHeader.SizeOfOptionalHeader + self.OptionalHeader.obj_offset for i in range(self.FileHeader.NumberOfSections): s_addr = start_addr + (i * sect_size) sect = obj.Object("_IMAGE_SECTION_HEADER", offset = s_addr, vm = self.obj_vm, parent = self, native_vm = self.obj_native_vm) if not unsafe: sect.sanity_check_section() yield sect class _IMAGE_SECTION_HEADER(obj.CType): """PE section""" def sanity_check_section(self): """Sanity checks address boundaries""" # Note: all addresses here are RVAs image_size = self.obj_parent.OptionalHeader.SizeOfImage if self.VirtualAddress > image_size: raise exceptions.SanityCheckException('VirtualAddress {0:08x} is past the end of 
image.'.format(self.VirtualAddress)) if self.Misc.VirtualSize > image_size: raise exceptions.SanityCheckException('VirtualSize {0:08x} is larger than image size.'.format(self.Misc.VirtualSize)) if self.SizeOfRawData > image_size: raise exceptions.SanityCheckException('SizeOfRawData {0:08x} is larger than image size.'.format(self.SizeOfRawData)) class _CM_KEY_BODY(obj.CType): """Registry key""" def full_key_name(self): output = [] kcb = self.KeyControlBlock while kcb.ParentKcb: if kcb.NameBlock.Name == None: break output.append(str(kcb.NameBlock.Name)) kcb = kcb.ParentKcb return "\\".join(reversed(output)) class _MMVAD_FLAGS(obj.CType): """This is for _MMVAD_SHORT.u.VadFlags""" def __str__(self): return ", ".join(["%s: %s" % (name, self.m(name)) for name in sorted(self.members.keys()) if self.m(name) != 0]) class _MMVAD_FLAGS2(_MMVAD_FLAGS): """This is for _MMVAD_LONG.u2.VadFlags2""" pass class _MMSECTION_FLAGS(_MMVAD_FLAGS): """This is for _CONTROL_AREA.u.Flags""" pass class _POOL_HEADER(obj.CType): """A class for pool headers""" @property def FreePool(self): return self.PoolType.v() == 0 @property def NonPagedPool(self): return self.PoolType.v() % 2 == 1 @property def PagedPool(self): return self.PoolType.v() % 2 == 0 and self.PoolType.v() > 0 import crash_vtypes import hibernate_vtypes import kdbg_vtypes import tcpip_vtypes import ssdt_vtypes class WindowsOverlay(obj.ProfileModification): conditions = {'os': lambda x: x == 'windows'} before = ['BasicObjectClasses', 'WindowsVTypes'] def modification(self, profile): profile.merge_overlay(windows_overlay) class WindowsVTypes(obj.ProfileModification): conditions = {'os': lambda x: x == 'windows'} before = ['BasicObjectClasses'] def modification(self, profile): profile.vtypes.update(crash_vtypes.crash_vtypes) profile.vtypes.update(hibernate_vtypes.hibernate_vtypes) profile.vtypes.update(kdbg_vtypes.kdbg_vtypes) profile.vtypes.update(tcpip_vtypes.tcpip_vtypes) profile.vtypes.update(ssdt_vtypes.ssdt_vtypes) class 
WindowsObjectClasses(obj.ProfileModification): conditions = {'os': lambda x: x == 'windows'} before = ['BasicObjectClasses', 'WindowsVTypes', 'WindowsOverlay'] def modification(self, profile): profile.object_classes.update({ '_UNICODE_STRING': _UNICODE_STRING, '_LIST_ENTRY': _LIST_ENTRY, 'WinTimeStamp': WinTimeStamp, '_EPROCESS': _EPROCESS, '_ETHREAD': _ETHREAD, '_HANDLE_TABLE': _HANDLE_TABLE, '_OBJECT_HEADER': _OBJECT_HEADER, '_FILE_OBJECT': _FILE_OBJECT, '_MMVAD': _MMVAD, '_MMVAD_SHORT': _MMVAD_SHORT, '_MMVAD_LONG': _MMVAD_LONG, '_EX_FAST_REF': _EX_FAST_REF, 'ThreadCreateTimeStamp': ThreadCreateTimeStamp, 'IpAddress': basic.IpAddress, 'Ipv6Address': basic.Ipv6Address, 'VolatilityKPCR': VolatilityKPCR, 'VolatilityKDBG': VolatilityKDBG, 'VolatilityIA32ValidAS': VolatilityIA32ValidAS, 'VolatilityAMD64ValidAS': VolatilityAMD64ValidAS, 'VolatilityMaxAddress': VolatilityMaxAddress, '_IMAGE_DOS_HEADER': _IMAGE_DOS_HEADER, '_IMAGE_NT_HEADERS': _IMAGE_NT_HEADERS, '_IMAGE_SECTION_HEADER': _IMAGE_SECTION_HEADER, '_CM_KEY_BODY': _CM_KEY_BODY, '_MMVAD_FLAGS': _MMVAD_FLAGS, '_MMVAD_FLAGS2': _MMVAD_FLAGS2, '_MMSECTION_FLAGS': _MMSECTION_FLAGS, '_TOKEN': _TOKEN, '_POOL_HEADER': _POOL_HEADER, }) class AbstractKDBGMod(obj.ProfileModification): kdbgsize = 0x290 def modification(self, profile): signature = '\x00\x00\x00\x00\x00\x00\x00\x00' if profile.metadata.get('memory_model', '32bit') == '32bit' else '\x00\xf8\xff\xff' signature += 'KDBG' + struct.pack('. # """ @author: MHL @license: GNU General Public License 2.0 @contact: michael.ligh@mnin.org This file provides support for Windows 2003 SP1 and SP2 x64. 
""" syscalls = [ [ 'NtMapUserPhysicalPagesScatter', # 0x0 'NtWaitForSingleObject', # 0x1 'NtCallbackReturn', # 0x2 'NtReadFile', # 0x3 'NtDeviceIoControlFile', # 0x4 'NtWriteFile', # 0x5 'NtRemoveIoCompletion', # 0x6 'NtReleaseSemaphore', # 0x7 'NtReplyWaitReceivePort', # 0x8 'NtReplyPort', # 0x9 'NtSetInformationThread', # 0xa 'NtSetEvent', # 0xb 'NtClose', # 0xc 'NtQueryObject', # 0xd 'NtQueryInformationFile', # 0xe 'NtOpenKey', # 0xf 'NtEnumerateValueKey', # 0x10 'NtFindAtom', # 0x11 'NtQueryDefaultLocale', # 0x12 'NtQueryKey', # 0x13 'NtQueryValueKey', # 0x14 'NtAllocateVirtualMemory', # 0x15 'NtQueryInformationProcess', # 0x16 'NtWaitForMultipleObjects32', # 0x17 'NtWriteFileGather', # 0x18 'NtSetInformationProcess', # 0x19 'NtCreateKey', # 0x1a 'NtFreeVirtualMemory', # 0x1b 'NtImpersonateClientOfPort', # 0x1c 'NtReleaseMutant', # 0x1d 'NtQueryInformationToken', # 0x1e 'NtRequestWaitReplyPort', # 0x1f 'NtQueryVirtualMemory', # 0x20 'NtOpenThreadToken', # 0x21 'NtQueryInformationThread', # 0x22 'NtOpenProcess', # 0x23 'NtSetInformationFile', # 0x24 'NtMapViewOfSection', # 0x25 'NtAccessCheckAndAuditAlarm', # 0x26 'NtUnmapViewOfSection', # 0x27 'NtReplyWaitReceivePortEx', # 0x28 'NtTerminateProcess', # 0x29 'NtSetEventBoostPriority', # 0x2a 'NtReadFileScatter', # 0x2b 'NtOpenThreadTokenEx', # 0x2c 'NtOpenProcessTokenEx', # 0x2d 'NtQueryPerformanceCounter', # 0x2e 'NtEnumerateKey', # 0x2f 'NtOpenFile', # 0x30 'NtDelayExecution', # 0x31 'NtQueryDirectoryFile', # 0x32 'NtQuerySystemInformation', # 0x33 'NtOpenSection', # 0x34 'NtQueryTimer', # 0x35 'NtFsControlFile', # 0x36 'NtWriteVirtualMemory', # 0x37 'NtCloseObjectAuditAlarm', # 0x38 'NtDuplicateObject', # 0x39 'NtQueryAttributesFile', # 0x3a 'NtClearEvent', # 0x3b 'NtReadVirtualMemory', # 0x3c 'NtOpenEvent', # 0x3d 'NtAdjustPrivilegesToken', # 0x3e 'NtDuplicateToken', # 0x3f 'NtContinue', # 0x40 'NtQueryDefaultUILanguage', # 0x41 'NtQueueApcThread', # 0x42 'NtYieldExecution', # 0x43 'NtAddAtom', # 0x44 
'NtCreateEvent', # 0x45 'NtQueryVolumeInformationFile', # 0x46 'NtCreateSection', # 0x47 'NtFlushBuffersFile', # 0x48 'NtApphelpCacheControl', # 0x49 'NtCreateProcessEx', # 0x4a 'NtCreateThread', # 0x4b 'NtIsProcessInJob', # 0x4c 'NtProtectVirtualMemory', # 0x4d 'NtQuerySection', # 0x4e 'NtResumeThread', # 0x4f 'NtTerminateThread', # 0x50 'NtReadRequestData', # 0x51 'NtCreateFile', # 0x52 'NtQueryEvent', # 0x53 'NtWriteRequestData', # 0x54 'NtOpenDirectoryObject', # 0x55 'NtAccessCheckByTypeAndAuditAlarm', # 0x56 'NtQuerySystemTime', # 0x57 'NtWaitForMultipleObjects', # 0x58 'NtSetInformationObject', # 0x59 'NtCancelIoFile', # 0x5a 'NtTraceEvent', # 0x5b 'NtPowerInformation', # 0x5c 'NtSetValueKey', # 0x5d 'NtCancelTimer', # 0x5e 'NtSetTimer', # 0x5f 'NtAcceptConnectPort', # 0x60 'NtAccessCheck', # 0x61 'NtAccessCheckByType', # 0x62 'NtAccessCheckByTypeResultList', # 0x63 'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x64 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x65 'NtAddBootEntry', # 0x66 'NtAddDriverEntry', # 0x67 'NtAdjustGroupsToken', # 0x68 'NtAlertResumeThread', # 0x69 'NtAlertThread', # 0x6a 'NtAllocateLocallyUniqueId', # 0x6b 'NtAllocateUserPhysicalPages', # 0x6c 'NtAllocateUuids', # 0x6d 'NtAreMappedFilesTheSame', # 0x6e 'NtAssignProcessToJobObject', # 0x6f 'NtCancelDeviceWakeupRequest', # 0x70 'NtCompactKeys', # 0x71 'NtCompareTokens', # 0x72 'NtCompleteConnectPort', # 0x73 'NtCompressKey', # 0x74 'NtConnectPort', # 0x75 'NtCreateDebugObject', # 0x76 'NtCreateDirectoryObject', # 0x77 'NtCreateEventPair', # 0x78 'NtCreateIoCompletion', # 0x79 'NtCreateJobObject', # 0x7a 'NtCreateJobSet', # 0x7b 'NtCreateKeyedEvent', # 0x7c 'NtCreateMailslotFile', # 0x7d 'NtCreateMutant', # 0x7e 'NtCreateNamedPipeFile', # 0x7f 'NtCreatePagingFile', # 0x80 'NtCreatePort', # 0x81 'NtCreateProcess', # 0x82 'NtCreateProfile', # 0x83 'NtCreateSemaphore', # 0x84 'NtCreateSymbolicLinkObject', # 0x85 'NtCreateTimer', # 0x86 'NtCreateToken', # 0x87 
'NtCreateWaitablePort', # 0x88 'NtDebugActiveProcess', # 0x89 'NtDebugContinue', # 0x8a 'NtDeleteAtom', # 0x8b 'NtDeleteBootEntry', # 0x8c 'NtDeleteDriverEntry', # 0x8d 'NtDeleteFile', # 0x8e 'NtDeleteKey', # 0x8f 'NtDeleteObjectAuditAlarm', # 0x90 'NtDeleteValueKey', # 0x91 'NtDisplayString', # 0x92 'NtEnumerateBootEntries', # 0x93 'NtEnumerateDriverEntries', # 0x94 'NtEnumerateSystemEnvironmentValuesEx', # 0x95 'NtExtendSection', # 0x96 'NtFilterToken', # 0x97 'NtFlushInstructionCache', # 0x98 'NtFlushKey', # 0x99 'NtFlushVirtualMemory', # 0x9a 'NtFlushWriteBuffer', # 0x9b 'NtFreeUserPhysicalPages', # 0x9c 'NtGetContextThread', # 0x9d 'NtGetCurrentProcessorNumber', # 0x9e 'NtGetDevicePowerState', # 0x9f 'NtGetPlugPlayEvent', # 0xa0 'NtGetWriteWatch', # 0xa1 'NtImpersonateAnonymousToken', # 0xa2 'NtImpersonateThread', # 0xa3 'NtInitializeRegistry', # 0xa4 'NtInitiatePowerAction', # 0xa5 'NtIsSystemResumeAutomatic', # 0xa6 'NtListenPort', # 0xa7 'NtLoadDriver', # 0xa8 'NtLoadKey', # 0xa9 'NtLoadKey2', # 0xaa 'NtLoadKeyEx', # 0xab 'NtLockFile', # 0xac 'NtLockProductActivationKeys', # 0xad 'NtLockRegistryKey', # 0xae 'NtLockVirtualMemory', # 0xaf 'NtMakePermanentObject', # 0xb0 'NtMakeTemporaryObject', # 0xb1 'NtMapUserPhysicalPages', # 0xb2 'NtModifyBootEntry', # 0xb3 'NtModifyDriverEntry', # 0xb4 'NtNotifyChangeDirectoryFile', # 0xb5 'NtNotifyChangeKey', # 0xb6 'NtNotifyChangeMultipleKeys', # 0xb7 'NtOpenEventPair', # 0xb8 'NtOpenIoCompletion', # 0xb9 'NtOpenJobObject', # 0xba 'NtOpenKeyedEvent', # 0xbb 'NtOpenMutant', # 0xbc 'NtOpenObjectAuditAlarm', # 0xbd 'NtOpenProcessToken', # 0xbe 'NtOpenSemaphore', # 0xbf 'NtOpenSymbolicLinkObject', # 0xc0 'NtOpenThread', # 0xc1 'NtOpenTimer', # 0xc2 'NtPlugPlayControl', # 0xc3 'NtPrivilegeCheck', # 0xc4 'NtPrivilegeObjectAuditAlarm', # 0xc5 'NtPrivilegedServiceAuditAlarm', # 0xc6 'NtPulseEvent', # 0xc7 'NtQueryBootEntryOrder', # 0xc8 'NtQueryBootOptions', # 0xc9 'NtQueryDebugFilterState', # 0xca 'NtQueryDirectoryObject', # 
0xcb 'NtQueryDriverEntryOrder', # 0xcc 'NtQueryEaFile', # 0xcd 'NtQueryFullAttributesFile', # 0xce 'NtQueryInformationAtom', # 0xcf 'NtQueryInformationJobObject', # 0xd0 'NtQueryInformationPort', # 0xd1 'NtQueryInstallUILanguage', # 0xd2 'NtQueryIntervalProfile', # 0xd3 'NtQueryIoCompletion', # 0xd4 'NtQueryMultipleValueKey', # 0xd5 'NtQueryMutant', # 0xd6 'NtQueryOpenSubKeys', # 0xd7 'NtQueryOpenSubKeysEx', # 0xd8 'NtQueryPortInformationProcess', # 0xd9 'NtQueryQuotaInformationFile', # 0xda 'NtQuerySecurityObject', # 0xdb 'NtQuerySemaphore', # 0xdc 'NtQuerySymbolicLinkObject', # 0xdd 'NtQuerySystemEnvironmentValue', # 0xde 'NtQuerySystemEnvironmentValueEx', # 0xdf 'NtQueryTimerResolution', # 0xe0 'NtRaiseException', # 0xe1 'NtRaiseHardError', # 0xe2 'NtRegisterThreadTerminatePort', # 0xe3 'NtReleaseKeyedEvent', # 0xe4 'NtRemoveProcessDebug', # 0xe5 'NtRenameKey', # 0xe6 'NtReplaceKey', # 0xe7 'NtReplyWaitReplyPort', # 0xe8 'NtRequestDeviceWakeup', # 0xe9 'NtRequestPort', # 0xea 'NtRequestWakeupLatency', # 0xeb 'NtResetEvent', # 0xec 'NtResetWriteWatch', # 0xed 'NtRestoreKey', # 0xee 'NtResumeProcess', # 0xef 'NtSaveKey', # 0xf0 'NtSaveKeyEx', # 0xf1 'NtSaveMergedKeys', # 0xf2 'NtSecureConnectPort', # 0xf3 'NtSetBootEntryOrder', # 0xf4 'NtSetBootOptions', # 0xf5 'NtSetContextThread', # 0xf6 'NtSetDebugFilterState', # 0xf7 'NtSetDefaultHardErrorPort', # 0xf8 'NtSetDefaultLocale', # 0xf9 'NtSetDefaultUILanguage', # 0xfa 'NtSetDriverEntryOrder', # 0xfb 'NtSetEaFile', # 0xfc 'NtSetHighEventPair', # 0xfd 'NtSetHighWaitLowEventPair', # 0xfe 'NtSetInformationDebugObject', # 0xff 'NtSetInformationJobObject', # 0x100 'NtSetInformationKey', # 0x101 'NtSetInformationToken', # 0x102 'NtSetIntervalProfile', # 0x103 'NtSetIoCompletion', # 0x104 'NtSetLdtEntries', # 0x105 'NtSetLowEventPair', # 0x106 'NtSetLowWaitHighEventPair', # 0x107 'NtSetQuotaInformationFile', # 0x108 'NtSetSecurityObject', # 0x109 'NtSetSystemEnvironmentValue', # 0x10a 'NtSetSystemEnvironmentValueEx', # 
0x10b 'NtSetSystemInformation', # 0x10c 'NtSetSystemPowerState', # 0x10d 'NtSetSystemTime', # 0x10e 'NtSetThreadExecutionState', # 0x10f 'NtSetTimerResolution', # 0x110 'NtSetUuidSeed', # 0x111 'NtSetVolumeInformationFile', # 0x112 'NtShutdownSystem', # 0x113 'NtSignalAndWaitForSingleObject', # 0x114 'NtStartProfile', # 0x115 'NtStopProfile', # 0x116 'NtSuspendProcess', # 0x117 'NtSuspendThread', # 0x118 'NtSystemDebugControl', # 0x119 'NtTerminateJobObject', # 0x11a 'NtTestAlert', # 0x11b 'NtTranslateFilePath', # 0x11c 'NtUnloadDriver', # 0x11d 'NtUnloadKey', # 0x11e 'NtUnloadKey2', # 0x11f 'NtUnloadKeyEx', # 0x120 'NtUnlockFile', # 0x121 'NtUnlockVirtualMemory', # 0x122 'NtVdmControl', # 0x123 'NtWaitForDebugEvent', # 0x124 'NtWaitForKeyedEvent', # 0x125 'NtWaitHighEventPair', # 0x126 'NtWaitLowEventPair', # 0x127 ], [ 'NtUserGetThreadState', # 0x0 'NtUserPeekMessage', # 0x1 'NtUserCallOneParam', # 0x2 'NtUserGetKeyState', # 0x3 'NtUserInvalidateRect', # 0x4 'NtUserCallNoParam', # 0x5 'NtUserGetMessage', # 0x6 'NtUserMessageCall', # 0x7 'NtGdiBitBlt', # 0x8 'NtGdiGetCharSet', # 0x9 'NtUserGetDC', # 0xa 'NtGdiSelectBitmap', # 0xb 'NtUserWaitMessage', # 0xc 'NtUserTranslateMessage', # 0xd 'NtUserPostMessage', # 0xe 'NtUserQueryWindow', # 0xf 'NtUserTranslateAccelerator', # 0x10 'NtGdiFlush', # 0x11 'NtUserRedrawWindow', # 0x12 'NtUserWindowFromPoint', # 0x13 'NtUserCallMsgFilter', # 0x14 'NtUserValidateTimerCallback', # 0x15 'NtUserBeginPaint', # 0x16 'NtUserSetTimer', # 0x17 'NtUserEndPaint', # 0x18 'NtUserSetCursor', # 0x19 'NtUserKillTimer', # 0x1a 'NtUserBuildHwndList', # 0x1b 'NtUserSelectPalette', # 0x1c 'NtUserCallNextHookEx', # 0x1d 'NtUserHideCaret', # 0x1e 'NtGdiIntersectClipRect', # 0x1f 'NtUserCallHwndLock', # 0x20 'NtUserGetProcessWindowStation', # 0x21 'NtGdiDeleteObjectApp', # 0x22 'NtUserSetWindowPos', # 0x23 'NtUserShowCaret', # 0x24 'NtUserEndDeferWindowPosEx', # 0x25 'NtUserCallHwndParamLock', # 0x26 'NtUserVkKeyScanEx', # 0x27 
'NtGdiSetDIBitsToDeviceInternal', # 0x28 'NtUserCallTwoParam', # 0x29 'NtGdiGetRandomRgn', # 0x2a 'NtUserCopyAcceleratorTable', # 0x2b 'NtUserNotifyWinEvent', # 0x2c 'NtGdiExtSelectClipRgn', # 0x2d 'NtUserIsClipboardFormatAvailable', # 0x2e 'NtUserSetScrollInfo', # 0x2f 'NtGdiStretchBlt', # 0x30 'NtUserCreateCaret', # 0x31 'NtGdiRectVisible', # 0x32 'NtGdiCombineRgn', # 0x33 'NtGdiGetDCObject', # 0x34 'NtUserDispatchMessage', # 0x35 'NtUserRegisterWindowMessage', # 0x36 'NtGdiExtTextOutW', # 0x37 'NtGdiSelectFont', # 0x38 'NtGdiRestoreDC', # 0x39 'NtGdiSaveDC', # 0x3a 'NtUserGetForegroundWindow', # 0x3b 'NtUserShowScrollBar', # 0x3c 'NtUserFindExistingCursorIcon', # 0x3d 'NtGdiGetDCDword', # 0x3e 'NtGdiGetRegionData', # 0x3f 'NtGdiLineTo', # 0x40 'NtUserSystemParametersInfo', # 0x41 'NtGdiGetAppClipBox', # 0x42 'NtUserGetAsyncKeyState', # 0x43 'NtUserGetCPD', # 0x44 'NtUserRemoveProp', # 0x45 'NtGdiDoPalette', # 0x46 'NtGdiPolyPolyDraw', # 0x47 'NtUserSetCapture', # 0x48 'NtUserEnumDisplayMonitors', # 0x49 'NtGdiCreateCompatibleBitmap', # 0x4a 'NtUserSetProp', # 0x4b 'NtGdiGetTextCharsetInfo', # 0x4c 'NtUserSBGetParms', # 0x4d 'NtUserGetIconInfo', # 0x4e 'NtUserExcludeUpdateRgn', # 0x4f 'NtUserSetFocus', # 0x50 'NtGdiExtGetObjectW', # 0x51 'NtUserDeferWindowPos', # 0x52 'NtUserGetUpdateRect', # 0x53 'NtGdiCreateCompatibleDC', # 0x54 'NtUserGetClipboardSequenceNumber', # 0x55 'NtGdiCreatePen', # 0x56 'NtUserShowWindow', # 0x57 'NtUserGetKeyboardLayoutList', # 0x58 'NtGdiPatBlt', # 0x59 'NtUserMapVirtualKeyEx', # 0x5a 'NtUserSetWindowLong', # 0x5b 'NtGdiHfontCreate', # 0x5c 'NtUserMoveWindow', # 0x5d 'NtUserPostThreadMessage', # 0x5e 'NtUserDrawIconEx', # 0x5f 'NtUserGetSystemMenu', # 0x60 'NtGdiDrawStream', # 0x61 'NtUserInternalGetWindowText', # 0x62 'NtUserGetWindowDC', # 0x63 'NtGdiD3dDrawPrimitives2', # 0x64 'NtGdiInvertRgn', # 0x65 'NtGdiGetRgnBox', # 0x66 'NtGdiGetAndSetDCDword', # 0x67 'NtGdiMaskBlt', # 0x68 'NtGdiGetWidthTable', # 0x69 'NtUserScrollDC', # 
0x6a 'NtUserGetObjectInformation', # 0x6b 'NtGdiCreateBitmap', # 0x6c 'NtGdiConsoleTextOut', # 0x6d 'NtUserFindWindowEx', # 0x6e 'NtGdiPolyPatBlt', # 0x6f 'NtUserUnhookWindowsHookEx', # 0x70 'NtGdiGetNearestColor', # 0x71 'NtGdiTransformPoints', # 0x72 'NtGdiGetDCPoint', # 0x73 'NtUserCheckImeHotKey', # 0x74 'NtGdiCreateDIBBrush', # 0x75 'NtGdiGetTextMetricsW', # 0x76 'NtUserCreateWindowEx', # 0x77 'NtUserSetParent', # 0x78 'NtUserGetKeyboardState', # 0x79 'NtUserToUnicodeEx', # 0x7a 'NtUserGetControlBrush', # 0x7b 'NtUserGetClassName', # 0x7c 'NtGdiAlphaBlend', # 0x7d 'NtGdiDdBlt', # 0x7e 'NtGdiOffsetRgn', # 0x7f 'NtUserDefSetText', # 0x80 'NtGdiGetTextFaceW', # 0x81 'NtGdiStretchDIBitsInternal', # 0x82 'NtUserSendInput', # 0x83 'NtUserGetThreadDesktop', # 0x84 'NtGdiCreateRectRgn', # 0x85 'NtGdiGetDIBitsInternal', # 0x86 'NtUserGetUpdateRgn', # 0x87 'NtGdiDeleteClientObj', # 0x88 'NtUserGetIconSize', # 0x89 'NtUserFillWindow', # 0x8a 'NtGdiExtCreateRegion', # 0x8b 'NtGdiComputeXformCoefficients', # 0x8c 'NtUserSetWindowsHookEx', # 0x8d 'NtUserNotifyProcessCreate', # 0x8e 'NtGdiUnrealizeObject', # 0x8f 'NtUserGetTitleBarInfo', # 0x90 'NtGdiRectangle', # 0x91 'NtUserSetThreadDesktop', # 0x92 'NtUserGetDCEx', # 0x93 'NtUserGetScrollBarInfo', # 0x94 'NtGdiGetTextExtent', # 0x95 'NtUserSetWindowFNID', # 0x96 'NtGdiSetLayout', # 0x97 'NtUserCalcMenuBar', # 0x98 'NtUserThunkedMenuItemInfo', # 0x99 'NtGdiExcludeClipRect', # 0x9a 'NtGdiCreateDIBSection', # 0x9b 'NtGdiGetDCforBitmap', # 0x9c 'NtUserDestroyCursor', # 0x9d 'NtUserDestroyWindow', # 0x9e 'NtUserCallHwndParam', # 0x9f 'NtGdiCreateDIBitmapInternal', # 0xa0 'NtUserOpenWindowStation', # 0xa1 'NtGdiDdDeleteSurfaceObject', # 0xa2 'NtGdiEnumFontClose', # 0xa3 'NtGdiEnumFontOpen', # 0xa4 'NtGdiEnumFontChunk', # 0xa5 'NtGdiDdCanCreateSurface', # 0xa6 'NtGdiDdCreateSurface', # 0xa7 'NtUserSetCursorIconData', # 0xa8 'NtGdiDdDestroySurface', # 0xa9 'NtUserCloseDesktop', # 0xaa 'NtUserOpenDesktop', # 0xab 
'NtUserSetProcessWindowStation', # 0xac 'NtUserGetAtomName', # 0xad 'NtGdiDdResetVisrgn', # 0xae 'NtGdiExtCreatePen', # 0xaf 'NtGdiCreatePaletteInternal', # 0xb0 'NtGdiSetBrushOrg', # 0xb1 'NtUserBuildNameList', # 0xb2 'NtGdiSetPixel', # 0xb3 'NtUserRegisterClassExWOW', # 0xb4 'NtGdiCreatePatternBrushInternal', # 0xb5 'NtUserGetAncestor', # 0xb6 'NtGdiGetOutlineTextMetricsInternalW', # 0xb7 'NtGdiSetBitmapBits', # 0xb8 'NtUserCloseWindowStation', # 0xb9 'NtUserGetDoubleClickTime', # 0xba 'NtUserEnableScrollBar', # 0xbb 'NtGdiCreateSolidBrush', # 0xbc 'NtUserGetClassInfoEx', # 0xbd 'NtGdiCreateClientObj', # 0xbe 'NtUserUnregisterClass', # 0xbf 'NtUserDeleteMenu', # 0xc0 'NtGdiRectInRegion', # 0xc1 'NtUserScrollWindowEx', # 0xc2 'NtGdiGetPixel', # 0xc3 'NtUserSetClassLong', # 0xc4 'NtUserGetMenuBarInfo', # 0xc5 'NtGdiDdCreateSurfaceEx', # 0xc6 'NtGdiDdCreateSurfaceObject', # 0xc7 'NtGdiGetNearestPaletteIndex', # 0xc8 'NtGdiDdLockD3D', # 0xc9 'NtGdiDdUnlockD3D', # 0xca 'NtGdiGetCharWidthW', # 0xcb 'NtUserInvalidateRgn', # 0xcc 'NtUserGetClipboardOwner', # 0xcd 'NtUserSetWindowRgn', # 0xce 'NtUserBitBltSysBmp', # 0xcf 'NtGdiGetCharWidthInfo', # 0xd0 'NtUserValidateRect', # 0xd1 'NtUserCloseClipboard', # 0xd2 'NtUserOpenClipboard', # 0xd3 'NtGdiGetStockObject', # 0xd4 'NtUserSetClipboardData', # 0xd5 'NtUserEnableMenuItem', # 0xd6 'NtUserAlterWindowStyle', # 0xd7 'NtGdiFillRgn', # 0xd8 'NtUserGetWindowPlacement', # 0xd9 'NtGdiModifyWorldTransform', # 0xda 'NtGdiGetFontData', # 0xdb 'NtUserGetOpenClipboardWindow', # 0xdc 'NtUserSetThreadState', # 0xdd 'NtGdiOpenDCW', # 0xde 'NtUserTrackMouseEvent', # 0xdf 'NtGdiGetTransform', # 0xe0 'NtUserDestroyMenu', # 0xe1 'NtGdiGetBitmapBits', # 0xe2 'NtUserConsoleControl', # 0xe3 'NtUserSetActiveWindow', # 0xe4 'NtUserSetInformationThread', # 0xe5 'NtUserSetWindowPlacement', # 0xe6 'NtUserGetControlColor', # 0xe7 'NtGdiSetMetaRgn', # 0xe8 'NtGdiSetMiterLimit', # 0xe9 'NtGdiSetVirtualResolution', # 0xea 'NtGdiGetRasterizerCaps', # 
0xeb 'NtUserSetWindowWord', # 0xec 'NtUserGetClipboardFormatName', # 0xed 'NtUserRealInternalGetMessage', # 0xee 'NtUserCreateLocalMemHandle', # 0xef 'NtUserAttachThreadInput', # 0xf0 'NtGdiCreateHalftonePalette', # 0xf1 'NtUserPaintMenuBar', # 0xf2 'NtUserSetKeyboardState', # 0xf3 'NtGdiCombineTransform', # 0xf4 'NtUserCreateAcceleratorTable', # 0xf5 'NtUserGetCursorFrameInfo', # 0xf6 'NtUserGetAltTabInfo', # 0xf7 'NtUserGetCaretBlinkTime', # 0xf8 'NtGdiQueryFontAssocInfo', # 0xf9 'NtUserProcessConnect', # 0xfa 'NtUserEnumDisplayDevices', # 0xfb 'NtUserEmptyClipboard', # 0xfc 'NtUserGetClipboardData', # 0xfd 'NtUserRemoveMenu', # 0xfe 'NtGdiSetBoundsRect', # 0xff 'NtUserSetInformationProcess', # 0x100 'NtGdiGetBitmapDimension', # 0x101 'NtUserConvertMemHandle', # 0x102 'NtUserDestroyAcceleratorTable', # 0x103 'NtUserGetGUIThreadInfo', # 0x104 'NtGdiCloseFigure', # 0x105 'NtUserSetWindowsHookAW', # 0x106 'NtUserSetMenuDefaultItem', # 0x107 'NtUserCheckMenuItem', # 0x108 'NtUserSetWinEventHook', # 0x109 'NtUserUnhookWinEvent', # 0x10a 'NtGdiSetupPublicCFONT', # 0x10b 'NtUserLockWindowUpdate', # 0x10c 'NtUserSetSystemMenu', # 0x10d 'NtUserThunkedMenuInfo', # 0x10e 'NtGdiBeginPath', # 0x10f 'NtGdiEndPath', # 0x110 'NtGdiFillPath', # 0x111 'NtUserCallHwnd', # 0x112 'NtUserDdeInitialize', # 0x113 'NtUserModifyUserStartupInfoFlags', # 0x114 'NtUserCountClipboardFormats', # 0x115 'NtGdiAddFontMemResourceEx', # 0x116 'NtGdiEqualRgn', # 0x117 'NtGdiGetSystemPaletteUse', # 0x118 'NtGdiRemoveFontMemResourceEx', # 0x119 'NtUserEnumDisplaySettings', # 0x11a 'NtUserPaintDesktop', # 0x11b 'NtGdiExtEscape', # 0x11c 'NtGdiSetBitmapDimension', # 0x11d 'NtGdiSetFontEnumeration', # 0x11e 'NtUserChangeClipboardChain', # 0x11f 'NtUserResolveDesktop', # 0x120 'NtUserSetClipboardViewer', # 0x121 'NtUserShowWindowAsync', # 0x122 'NtUserSetConsoleReserveKeys', # 0x123 'NtGdiCreateColorSpace', # 0x124 'NtGdiDeleteColorSpace', # 0x125 'NtUserActivateKeyboardLayout', # 0x126 'NtGdiAbortDoc', # 
0x127 'NtGdiAbortPath', # 0x128 'NtGdiAddEmbFontToDC', # 0x129 'NtGdiAddFontResourceW', # 0x12a 'NtGdiAddRemoteFontToDC', # 0x12b 'NtGdiAddRemoteMMInstanceToDC', # 0x12c 'NtGdiAngleArc', # 0x12d 'NtGdiAnyLinkedFonts', # 0x12e 'NtGdiArcInternal', # 0x12f 'NtGdiBRUSHOBJ_DeleteRbrush', # 0x130 'NtGdiBRUSHOBJ_hGetColorTransform', # 0x131 'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x132 'NtGdiBRUSHOBJ_pvGetRbrush', # 0x133 'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x134 'NtGdiCLIPOBJ_bEnum', # 0x135 'NtGdiCLIPOBJ_cEnumStart', # 0x136 'NtGdiCLIPOBJ_ppoGetPath', # 0x137 'NtGdiCancelDC', # 0x138 'NtGdiChangeGhostFont', # 0x139 'NtGdiCheckBitmapBits', # 0x13a 'NtGdiClearBitmapAttributes', # 0x13b 'NtGdiClearBrushAttributes', # 0x13c 'NtGdiColorCorrectPalette', # 0x13d 'NtGdiConvertMetafileRect', # 0x13e 'NtGdiCreateColorTransform', # 0x13f 'NtGdiCreateEllipticRgn', # 0x140 'NtGdiCreateHatchBrushInternal', # 0x141 'NtGdiCreateMetafileDC', # 0x142 'NtGdiCreateRoundRectRgn', # 0x143 'NtGdiCreateServerMetaFile', # 0x144 'NtGdiD3dContextCreate', # 0x145 'NtGdiD3dContextDestroy', # 0x146 'NtGdiD3dContextDestroyAll', # 0x147 'NtGdiD3dValidateTextureStageState', # 0x148 'NtGdiDdAddAttachedSurface', # 0x149 'NtGdiDdAlphaBlt', # 0x14a 'NtGdiDdAttachSurface', # 0x14b 'NtGdiDdBeginMoCompFrame', # 0x14c 'NtGdiDdCanCreateD3DBuffer', # 0x14d 'NtGdiDdColorControl', # 0x14e 'NtGdiDdCreateD3DBuffer', # 0x14f 'NtGdiDdCreateDirectDrawObject', # 0x150 'NtGdiDdCreateMoComp', # 0x151 'NtGdiDdDeleteDirectDrawObject', # 0x152 'NtGdiDdDestroyD3DBuffer', # 0x153 'NtGdiDdDestroyMoComp', # 0x154 'NtGdiDdEndMoCompFrame', # 0x155 'NtGdiDdFlip', # 0x156 'NtGdiDdFlipToGDISurface', # 0x157 'NtGdiDdGetAvailDriverMemory', # 0x158 'NtGdiDdGetBltStatus', # 0x159 'NtGdiDdGetDC', # 0x15a 'NtGdiDdGetDriverInfo', # 0x15b 'NtGdiDdGetDriverState', # 0x15c 'NtGdiDdGetDxHandle', # 0x15d 'NtGdiDdGetFlipStatus', # 0x15e 'NtGdiDdGetInternalMoCompInfo', # 0x15f 'NtGdiDdGetMoCompBuffInfo', # 0x160 'NtGdiDdGetMoCompFormats', # 0x161 
'NtGdiDdGetMoCompGuids', # 0x162 'NtGdiDdGetScanLine', # 0x163 'NtGdiDdLock', # 0x164 'NtGdiDdQueryDirectDrawObject', # 0x165 'NtGdiDdQueryMoCompStatus', # 0x166 'NtGdiDdReenableDirectDrawObject', # 0x167 'NtGdiDdReleaseDC', # 0x168 'NtGdiDdRenderMoComp', # 0x169 'NtGdiDdSetColorKey', # 0x16a 'NtGdiDdSetExclusiveMode', # 0x16b 'NtGdiDdSetGammaRamp', # 0x16c 'NtGdiDdSetOverlayPosition', # 0x16d 'NtGdiDdUnattachSurface', # 0x16e 'NtGdiDdUnlock', # 0x16f 'NtGdiDdUpdateOverlay', # 0x170 'NtGdiDdWaitForVerticalBlank', # 0x171 'NtGdiDeleteColorTransform', # 0x172 'NtGdiDescribePixelFormat', # 0x173 'NtGdiDoBanding', # 0x174 'NtGdiDrawEscape', # 0x175 'NtGdiDvpAcquireNotification', # 0x176 'NtGdiDvpCanCreateVideoPort', # 0x177 'NtGdiDvpColorControl', # 0x178 'NtGdiDvpCreateVideoPort', # 0x179 'NtGdiDvpDestroyVideoPort', # 0x17a 'NtGdiDvpFlipVideoPort', # 0x17b 'NtGdiDvpGetVideoPortBandwidth', # 0x17c 'NtGdiDvpGetVideoPortConnectInfo', # 0x17d 'NtGdiDvpGetVideoPortField', # 0x17e 'NtGdiDvpGetVideoPortFlipStatus', # 0x17f 'NtGdiDvpGetVideoPortInputFormats', # 0x180 'NtGdiDvpGetVideoPortLine', # 0x181 'NtGdiDvpGetVideoPortOutputFormats', # 0x182 'NtGdiDvpGetVideoSignalStatus', # 0x183 'NtGdiDvpReleaseNotification', # 0x184 'NtGdiDvpUpdateVideoPort', # 0x185 'NtGdiDvpWaitForVideoPortSync', # 0x186 'NtGdiDxgGenericThunk', # 0x187 'NtGdiEllipse', # 0x188 'NtGdiEnableEudc', # 0x189 'NtGdiEndDoc', # 0x18a 'NtGdiEndPage', # 0x18b 'NtGdiEngAlphaBlend', # 0x18c 'NtGdiEngAssociateSurface', # 0x18d 'NtGdiEngBitBlt', # 0x18e 'NtGdiEngCheckAbort', # 0x18f 'NtGdiEngComputeGlyphSet', # 0x190 'NtGdiEngCopyBits', # 0x191 'NtGdiEngCreateBitmap', # 0x192 'NtGdiEngCreateClip', # 0x193 'NtGdiEngCreateDeviceBitmap', # 0x194 'NtGdiEngCreateDeviceSurface', # 0x195 'NtGdiEngCreatePalette', # 0x196 'NtGdiEngDeleteClip', # 0x197 'NtGdiEngDeletePalette', # 0x198 'NtGdiEngDeletePath', # 0x199 'NtGdiEngDeleteSurface', # 0x19a 'NtGdiEngEraseSurface', # 0x19b 'NtGdiEngFillPath', # 0x19c 
'NtGdiEngGradientFill', # 0x19d 'NtGdiEngLineTo', # 0x19e 'NtGdiEngLockSurface', # 0x19f 'NtGdiEngMarkBandingSurface', # 0x1a0 'NtGdiEngPaint', # 0x1a1 'NtGdiEngPlgBlt', # 0x1a2 'NtGdiEngStretchBlt', # 0x1a3 'NtGdiEngStretchBltROP', # 0x1a4 'NtGdiEngStrokeAndFillPath', # 0x1a5 'NtGdiEngStrokePath', # 0x1a6 'NtGdiEngTextOut', # 0x1a7 'NtGdiEngTransparentBlt', # 0x1a8 'NtGdiEngUnlockSurface', # 0x1a9 'NtGdiEnumObjects', # 0x1aa 'NtGdiEudcLoadUnloadLink', # 0x1ab 'NtGdiExtFloodFill', # 0x1ac 'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x1ad 'NtGdiFONTOBJ_cGetGlyphs', # 0x1ae 'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x1af 'NtGdiFONTOBJ_pfdg', # 0x1b0 'NtGdiFONTOBJ_pifi', # 0x1b1 'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x1b2 'NtGdiFONTOBJ_pxoGetXform', # 0x1b3 'NtGdiFONTOBJ_vGetInfo', # 0x1b4 'NtGdiFlattenPath', # 0x1b5 'NtGdiFontIsLinked', # 0x1b6 'NtGdiForceUFIMapping', # 0x1b7 'NtGdiFrameRgn', # 0x1b8 'NtGdiFullscreenControl', # 0x1b9 'NtGdiGetBoundsRect', # 0x1ba 'NtGdiGetCharABCWidthsW', # 0x1bb 'NtGdiGetCharacterPlacementW', # 0x1bc 'NtGdiGetColorAdjustment', # 0x1bd 'NtGdiGetColorSpaceforBitmap', # 0x1be 'NtGdiGetDeviceCaps', # 0x1bf 'NtGdiGetDeviceCapsAll', # 0x1c0 'NtGdiGetDeviceGammaRamp', # 0x1c1 'NtGdiGetDeviceWidth', # 0x1c2 'NtGdiGetDhpdev', # 0x1c3 'NtGdiGetETM', # 0x1c4 'NtGdiGetEmbUFI', # 0x1c5 'NtGdiGetEmbedFonts', # 0x1c6 'NtGdiGetEudcTimeStampEx', # 0x1c7 'NtGdiGetFontResourceInfoInternalW', # 0x1c8 'NtGdiGetFontUnicodeRanges', # 0x1c9 'NtGdiGetGlyphIndicesW', # 0x1ca 'NtGdiGetGlyphIndicesWInternal', # 0x1cb 'NtGdiGetGlyphOutline', # 0x1cc 'NtGdiGetKerningPairs', # 0x1cd 'NtGdiGetLinkedUFIs', # 0x1ce 'NtGdiGetMiterLimit', # 0x1cf 'NtGdiGetMonitorID', # 0x1d0 'NtGdiGetObjectBitmapHandle', # 0x1d1 'NtGdiGetPath', # 0x1d2 'NtGdiGetPerBandInfo', # 0x1d3 'NtGdiGetRealizationInfo', # 0x1d4 'NtGdiGetServerMetaFileBits', # 0x1d5 'NtGdiGetSpoolMessage', # 0x1d6 'NtGdiGetStats', # 0x1d7 'NtGdiGetStringBitmapW', # 0x1d8 'NtGdiGetTextExtentExW', # 0x1d9 'NtGdiGetUFI', # 0x1da 
    'NtGdiGetUFIPathname', # 0x1db
    'NtGdiGradientFill', # 0x1dc
    'NtGdiHT_Get8BPPFormatPalette', # 0x1dd
    'NtGdiHT_Get8BPPMaskPalette', # 0x1de
    'NtGdiIcmBrushInfo', # 0x1df
    'NtGdiInit', # 0x1e0
    'NtGdiInitSpool', # 0x1e1
    'NtGdiMakeFontDir', # 0x1e2
    'NtGdiMakeInfoDC', # 0x1e3
    'NtGdiMakeObjectUnXferable', # 0x1e4
    'NtGdiMakeObjectXferable', # 0x1e5
    'NtGdiMirrorWindowOrg', # 0x1e6
    'NtGdiMonoBitmap', # 0x1e7
    'NtGdiMoveTo', # 0x1e8
    'NtGdiOffsetClipRgn', # 0x1e9
    'NtGdiPATHOBJ_bEnum', # 0x1ea
    'NtGdiPATHOBJ_bEnumClipLines', # 0x1eb
    'NtGdiPATHOBJ_vEnumStart', # 0x1ec
    'NtGdiPATHOBJ_vEnumStartClipLines', # 0x1ed
    'NtGdiPATHOBJ_vGetBounds', # 0x1ee
    'NtGdiPathToRegion', # 0x1ef
    'NtGdiPlgBlt', # 0x1f0
    'NtGdiPolyDraw', # 0x1f1
    'NtGdiPolyTextOutW', # 0x1f2
    'NtGdiPtInRegion', # 0x1f3
    'NtGdiPtVisible', # 0x1f4
    'NtGdiQueryFonts', # 0x1f5
    'NtGdiRemoveFontResourceW', # 0x1f6
    'NtGdiRemoveMergeFont', # 0x1f7
    'NtGdiResetDC', # 0x1f8
    'NtGdiResizePalette', # 0x1f9
    'NtGdiRoundRect', # 0x1fa
    'NtGdiSTROBJ_bEnum', # 0x1fb
    'NtGdiSTROBJ_bEnumPositionsOnly', # 0x1fc
    'NtGdiSTROBJ_bGetAdvanceWidths', # 0x1fd
    'NtGdiSTROBJ_dwGetCodePage', # 0x1fe
    'NtGdiSTROBJ_vEnumStart', # 0x1ff
    'NtGdiScaleViewportExtEx', # 0x200
    'NtGdiScaleWindowExtEx', # 0x201
    'GreSelectBrush', # 0x202
    'NtGdiSelectClipPath', # 0x203
    'NtGdiSelectPen', # 0x204
    'NtGdiSetBitmapAttributes', # 0x205
    'NtGdiSetBrushAttributes', # 0x206
    'NtGdiSetColorAdjustment', # 0x207
    'NtGdiSetColorSpace', # 0x208
    'NtGdiSetDeviceGammaRamp', # 0x209
    'NtGdiSetFontXform', # 0x20a
    'NtGdiSetIcmMode', # 0x20b
    'NtGdiSetLinkedUFIs', # 0x20c
    'NtGdiSetMagicColors', # 0x20d
    'NtGdiSetPUMPDOBJ', # 0x20e
    'NtGdiSetPixelFormat', # 0x20f
    'NtGdiSetRectRgn', # 0x210
    'NtGdiSetSizeDevice', # 0x211
    'NtGdiSetSystemPaletteUse', # 0x212
    'NtGdiSetTextJustification', # 0x213
    'NtGdiStartDoc', # 0x214
    'NtGdiStartPage', # 0x215
    'NtGdiStrokeAndFillPath', # 0x216
    'NtGdiStrokePath', # 0x217
    'NtGdiSwapBuffers', # 0x218
    'NtGdiTransparentBlt', # 0x219
    'NtGdiUMPDEngFreeUserMem', # 0x21a
    'NtGdiUnloadPrinterDriver', # 0x21b
    'EngRestoreFloatingPointState', # 0x21c
    'NtGdiUpdateColors', # 0x21d
    'NtGdiUpdateTransform', # 0x21e
    'NtGdiWidenPath', # 0x21f
    'NtGdiXFORMOBJ_bApplyXform', # 0x220
    'NtGdiXFORMOBJ_iGetXform', # 0x221
    'NtGdiXLATEOBJ_cGetPalette', # 0x222
    'NtGdiXLATEOBJ_hGetColorTransform', # 0x223
    'NtGdiXLATEOBJ_iXlate', # 0x224
    'NtUserAssociateInputContext', # 0x225
    'NtUserBlockInput', # 0x226
    'NtUserBuildHimcList', # 0x227
    'NtUserBuildPropList', # 0x228
    'NtUserCallHwndOpt', # 0x229
    'NtUserChangeDisplaySettings', # 0x22a
    'NtUserChildWindowFromPointEx', # 0x22b
    'NtUserClipCursor', # 0x22c
    'NtUserCreateDesktop', # 0x22d
    'NtUserCreateInputContext', # 0x22e
    'NtUserCreateWindowStation', # 0x22f
    'NtUserCtxDisplayIOCtl', # 0x230
    'NtUserDdeGetQualityOfService', # 0x231
    'NtUserDdeSetQualityOfService', # 0x232
    'NtUserDestroyInputContext', # 0x233
    'NtUserDisableThreadIme', # 0x234
    'NtUserDragDetect', # 0x235
    'NtUserDragObject', # 0x236
    'NtUserDrawAnimatedRects', # 0x237
    'NtUserDrawCaption', # 0x238
    'NtUserDrawCaptionTemp', # 0x239
    'NtUserDrawMenuBarTemp', # 0x23a
    'NtUserEndMenu', # 0x23b
    'NtUserEvent', # 0x23c
    'NtUserFlashWindowEx', # 0x23d
    'NtUserGetAppImeLevel', # 0x23e
    'NtUserGetCaretPos', # 0x23f
    'NtUserGetClipCursor', # 0x240
    'NtUserGetClipboardViewer', # 0x241
    'NtUserGetComboBoxInfo', # 0x242
    'NtUserGetCursorInfo', # 0x243
    'NtUserGetGuiResources', # 0x244
    'NtUserGetImeHotKey', # 0x245
    'NtUserGetImeInfoEx', # 0x246
    'NtUserGetInternalWindowPos', # 0x247
    'NtUserGetKeyNameText', # 0x248
    'NtUserGetKeyboardLayoutName', # 0x249
    'NtUserGetLayeredWindowAttributes', # 0x24a
    'NtUserGetListBoxInfo', # 0x24b
    'NtUserGetMenuIndex', # 0x24c
    'NtUserGetMenuItemRect', # 0x24d
    'NtUserGetMouseMovePointsEx', # 0x24e
    'NtUserGetPriorityClipboardFormat', # 0x24f
    'NtUserGetRawInputBuffer', # 0x250
    'NtUserGetRawInputData', # 0x251
    'NtUserGetRawInputDeviceInfo', # 0x252
    'NtUserGetRawInputDeviceList', # 0x253
    'NtUserGetRegisteredRawInputDevices', # 0x254
    'NtUserGetWOWClass', # 0x255
    'NtUserHardErrorControl', # 0x256
    'NtUserHiliteMenuItem', # 0x257
    'NtUserImpersonateDdeClientWindow', # 0x258
    'NtUserInitTask', # 0x259
    'NtUserInitialize', # 0x25a
    'NtUserInitializeClientPfnArrays', # 0x25b
    'NtUserLoadKeyboardLayoutEx', # 0x25c
    'NtUserLockWindowStation', # 0x25d
    'NtUserLockWorkStation', # 0x25e
    'NtUserMNDragLeave', # 0x25f
    'NtUserMNDragOver', # 0x260
    'NtUserMenuItemFromPoint', # 0x261
    'NtUserMinMaximize', # 0x262
    'NtUserNotifyIMEStatus', # 0x263
    'NtUserOpenInputDesktop', # 0x264
    'NtUserPrintWindow', # 0x265
    'NtUserQueryInformationThread', # 0x266
    'NtUserQueryInputContext', # 0x267
    'NtUserQuerySendMessage', # 0x268
    'NtUserRealChildWindowFromPoint', # 0x269
    'NtUserRealWaitMessageEx', # 0x26a
    'NtUserRegisterHotKey', # 0x26b
    'NtUserRegisterRawInputDevices', # 0x26c
    'NtUserRegisterTasklist', # 0x26d
    'NtUserRegisterUserApiHook', # 0x26e
    'NtUserRemoteConnect', # 0x26f
    'NtUserRemoteRedrawRectangle', # 0x270
    'NtUserRemoteRedrawScreen', # 0x271
    'NtUserRemoteStopScreenUpdates', # 0x272
    'NtUserResolveDesktopForWOW', # 0x273
    'NtUserSetAppImeLevel', # 0x274
    'NtUserSetClassWord', # 0x275
    'NtUserSetCursorContents', # 0x276
    'NtUserSetImeHotKey', # 0x277
    'NtUserSetImeInfoEx', # 0x278
    'NtUserSetImeOwnerWindow', # 0x279
    'NtUserSetInternalWindowPos', # 0x27a
    'NtUserSetLayeredWindowAttributes', # 0x27b
    'NtUserSetLogonNotifyWindow', # 0x27c
    'NtUserSetMenu', # 0x27d
    'NtUserSetMenuContextHelpId', # 0x27e
    'NtUserSetMenuFlagRtoL', # 0x27f
    'NtUserSetObjectInformation', # 0x280
    'NtUserSetShellWindowEx', # 0x281
    'NtUserSetSysColors', # 0x282
    'NtUserSetSystemCursor', # 0x283
    'NtUserSetSystemTimer', # 0x284
    'NtUserSetThreadLayoutHandles', # 0x285
    'NtUserSetWindowStationUser', # 0x286
    'NtUserSoundSentry', # 0x287
    'NtUserSwitchDesktop', # 0x288
    'NtUserTestForInteractiveUser', # 0x289
    'NtUserTrackPopupMenuEx', # 0x28a
    'NtUserUnloadKeyboardLayout', # 0x28b
    'NtUserUnlockWindowStation', # 0x28c
    'NtUserUnregisterHotKey', # 0x28d
    'NtUserUnregisterUserApiHook', # 0x28e
    'NtUserUpdateInputContext', # 0x28f
    'NtUserUpdateInstance', # 0x290
    'NtUserUpdateLayeredWindow', # 0x291
    'NtUserUpdatePerUserSystemParameters', # 0x292
    'NtUserUserHandleGrantAccess', # 0x293
    'NtUserValidateHandleSecure', # 0x294
    'NtUserWaitForInputIdle', # 0x295
    'NtUserWaitForMsgAndEvent', # 0x296
    'NtUserSetClassLongPtr', # 0x297
    'NtUserSetWindowLongPtr', # 0x298
    'NtUserWin32PoolAllocationStats', # 0x299
    'NtUserYieldTask', # 0x29a
    ],
]

volatility-2.3.1/volatility/plugins/overlays/windows/vista_sp2_x86_vtypes.py

ntkrnlmp_types = { '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x14, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x8, ['pointer', ['void']]], 'Key' : [ 0xc, ['unsigned long']], 'BindingProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x2c, ['array', 3, ['unsigned long']]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField',
dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x38, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x30, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_HEAP_USERDATA_HEADER' : [ 0x10, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer', ['_HEAP_SUBSEGMENT']]], 'Reserved' : [ 0x4, ['pointer', ['void']]], 'SizeIndex' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], } ], '_PPM_DIA_STATS' : [ 0xc, { 'PerfLevel' : [ 0x0, ['unsigned long']], 'IdleTime' : [ 0x4, ['unsigned long']], 'TimeInterval' : [ 0x8, ['unsigned long']], } ], '_STACK_TABLE' : [ 0x8040, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x4, ['array', 16, ['pointer', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x44, ['array', 16381, ['unsigned short']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_DEFERRED_WRITE' : [ 0x28, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : 
[ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], 'LimitModifiedPages' : [ 0x24, ['unsigned char']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'ImageFlags' : [ 0x23, ['unsigned char']], 'ComPlusNativeReady' : [ 0x23, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x23, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x23, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x23, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x23, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'CheckSum' : [ 0x2c, ['unsigned 
long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1b, { 'PerUserPolicy' : [ 0x0, ['array', 27, ['unsigned char']]], } ], '__unnamed_203f' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_2041' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_2045' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_2049' : [ 0x8, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x4, ['unsigned char']], } ], '__unnamed_204b' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_203f']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_2041']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_2045']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_2049']], 'Others' : [ 0x0, ['__unnamed_204b']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, ['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, 
['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_POP_HIBER_CONTEXT' : [ 0x100, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'WroteHiberFile' : [ 0x6, ['unsigned char']], 'Lock' : [ 0x8, ['unsigned long']], 'MapFrozen' : [ 0xc, ['unsigned char']], 'MemoryMap' : [ 0x10, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x18, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x20, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x28, ['unsigned long']], 'NextCloneRange' : [ 0x2c, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x30, ['unsigned long']], 'LoaderMdl' : [ 0x34, ['pointer', ['_MDL']]], 'AllocatedMdl' : [ 0x38, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x40, ['unsigned long long']], 'IoPages' : [ 0x48, ['pointer', ['void']]], 'IoPagesCount' : [ 0x4c, ['unsigned long']], 'CurrentMcb' : [ 0x50, ['pointer', ['void']]], 'DumpStack' : [ 0x54, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x58, ['pointer', ['_KPROCESSOR_STATE']]], 'HiberVa' : [ 0x5c, ['unsigned long']], 'HiberPte' : [ 0x60, ['_LARGE_INTEGER']], 'Status' : [ 0x68, ['long']], 'MemoryImage' : [ 0x6c, ['pointer', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0x70, ['pointer', ['_PO_MEMORY_RANGE_TABLE']]], 'CompressionWorkspace' : [ 0x74, ['pointer', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0x78, ['pointer', ['unsigned char']]], 'PerformanceStats' : [ 0x7c, ['pointer', ['unsigned long']]], 'CompressionBlock' : [ 0x80, ['pointer', ['void']]], 'DmaIO' : [ 0x84, ['pointer', ['void']]], 'TemporaryHeap' : [ 0x88, ['pointer', ['void']]], 'PerfInfo' : [ 0x90, ['_PO_HIBER_PERF']], 'BootLoaderLogMdl' : [ 0xf0, ['pointer', ['_MDL']]], 
'FirmwareRuntimeInformationMdl' : [ 0xf4, ['pointer', ['_MDL']]], 'ResumeContext' : [ 0xf8, ['pointer', ['void']]], 'ResumeContextPages' : [ 0xfc, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x40, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer', ['void']]]], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_DUMP_STACK_CONTEXT' : [ 0xb0, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x70, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x78, ['pointer', ['void']]], 'PointersLength' : [ 0x7c, ['unsigned long']], 'ModulePrefix' : [ 0x80, ['pointer', ['unsigned short']]], 'DriverList' : [ 0x84, ['_LIST_ENTRY']], 'InitMsg' : [ 0x8c, ['_STRING']], 'ProgMsg' : [ 0x94, ['_STRING']], 'DoneMsg' : [ 0x9c, ['_STRING']], 'FileObject' : [ 0xa4, ['pointer', ['void']]], 'UsageType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x20, { 'ThreadHandle' : [ 0x0, ['pointer', ['void']]], 'ThreadId' : [ 0x4, ['pointer', ['void']]], 'ProcessId' : [ 0x8, ['pointer', ['void']]], 'Code' : [ 0xc, ['unsigned long']], 'Parameter1' : [ 0x10, ['unsigned long']], 'Parameter2' : [ 0x14, ['unsigned long']], 'Parameter3' : [ 0x18, ['unsigned long']], 'Parameter4' : [ 0x1c, ['unsigned long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'ImageMerge' : [ 0x4, ['pointer', ['void']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' 
: [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_WHEA_GENERIC_PROCESSOR_ERROR_VALIDBITS' : [ 0x8, { 'ProcessorType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'InstructionSet' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Operation' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Flags' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Level' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'CPUVersion' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'CPUBrandString' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'ProcessorId' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'TargetAddress' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'InstructionPointer' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '__unnamed_2072' : [ 0x10, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, 
['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_2072']], } ], '__unnamed_2076' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_2076']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0xf0, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'SystemTime' : [ 0x18, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x20, ['unsigned long long']], 'FeatureFlags' : [ 0x28, ['unsigned long']], 'HiberFlags' : [ 0x2c, ['unsigned char']], 'spare' : [ 0x2d, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x30, ['unsigned long']], 'HiberVa' : [ 0x34, ['unsigned long']], 'HiberPte' : [ 0x38, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x40, ['unsigned long']], 'FreeMapCheck' : [ 0x44, ['unsigned long']], 'WakeCheck' : [ 0x48, ['unsigned long']], 'TotalPages' : [ 0x4c, ['unsigned long']], 'FirstTablePage' : [ 0x50, ['unsigned long']], 'PerfInfo' : [ 0x58, 
['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0xb8, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0xbc, ['array', 1, ['unsigned long']]], 'NoBootLoaderLogPages' : [ 0xc0, ['unsigned long']], 'BootLoaderLogPages' : [ 0xc4, ['array', 8, ['unsigned long']]], 'NotUsed' : [ 0xe4, ['unsigned long']], 'ResumeContextCheck' : [ 0xe8, ['unsigned long']], 'ResumeContextPages' : [ 0xec, ['unsigned long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x60, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], 'ResumeAppStartTime' : [ 0x48, ['unsigned long long']], 'ResumeAppEndTime' : [ 0x50, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x58, ['unsigned long long']], } ], '_DEVICE_FLAGS' : [ 0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, 
end_bit = 1, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ConsoleIn' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x10, { 'Parent' : [ 0x0, ['pointer', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0xc, ['unsigned char']], 'Reserved' : [ 0xd, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' : [ 0x8, { 'Entry' : [ 0x0, ['unsigned long']], 'Writable' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ControlArea' : [ 0x4, ['pointer', ['_CONTROL_AREA']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, 
native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x1c, ['unsigned short']], 'SpareUSHORT' : [ 0x1e, ['unsigned short']], } ], '__unnamed_2093' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_2095' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2097' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2099' : [ 0x8, { 'NotificationStructure' : [ 0x0, ['pointer', ['void']]], 'DeviceIds' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_209b' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_209d' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_209f' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_20a1' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_20a3' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_20a5' : [ 0x1c, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'PowerSettingChanged' : [ 0x10, ['unsigned char']], 'DataLength' : [ 0x14, ['unsigned long']], 
'Data' : [ 0x18, ['array', 1, ['unsigned char']]], } ], '__unnamed_20a7' : [ 0x1c, { 'DeviceClass' : [ 0x0, ['__unnamed_2093']], 'TargetDevice' : [ 0x0, ['__unnamed_2095']], 'InstallDevice' : [ 0x0, ['__unnamed_2097']], 'CustomNotification' : [ 0x0, ['__unnamed_2099']], 'ProfileNotification' : [ 0x0, ['__unnamed_209b']], 'PowerNotification' : [ 0x0, ['__unnamed_209d']], 'VetoNotification' : [ 0x0, ['__unnamed_209f']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_20a1']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_20a3']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_20a5']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x40, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'InvalidIDEvent', 10: 'PowerSettingChange', 11: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_20a7']], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x34, { 'UsedBiosSettings' : [ 0x0, ['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0xc, ['pointer', ['unsigned char']]], 'PciDeviceId' : [ 0x10, ['unsigned short']], 'PciVendorId' : [ 0x12, ['unsigned short']], 'PciBusNumber' : [ 0x14, ['unsigned char']], 'PciBusSegment' : [ 0x16, ['unsigned short']], 'PciSlotNumber' : [ 0x18, ['unsigned char']], 'PciFunctionNumber' : [ 0x19, ['unsigned char']], 'PciFlags' : [ 0x1c, ['unsigned long']], 'SystemGUID' : [ 0x20, ['_GUID']], 'IsMMIODevice' : [ 0x30, ['unsigned 
char']], 'TerminalType' : [ 0x31, ['unsigned char']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0xc, ['_LIST_ENTRY']], } ], '__unnamed_20ba' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_20bc' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_20be' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_20ba']], 'Gpt' : [ 0x0, ['__unnamed_20bc']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x70, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_20be']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x2c, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'Hint' : [ 0x8, ['unsigned long']], 'BasePte' : [ 0xc, ['pointer', ['_MMPTE']]], 'FailureCount' : [ 0x10, ['pointer', ['unsigned long']]], 'Vm' : [ 0x14, ['pointer', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x18, ['long']], 'TotalFreeSystemPtes' : [ 0x1c, ['long']], 'CachedPteCount' : [ 0x20, ['long']], 'PteFailures' : [ 0x24, ['unsigned long']], 'GlobalMutex' : [ 0x28, 
['pointer', ['_KGUARDED_MUTEX']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x10, { 'DHCPServerACK' : [ 0x0, ['pointer', ['unsigned char']]], 'DHCPServerACKLength' : [ 0x4, ['unsigned long']], 'BootServerReplyPacket' : [ 0x8, ['pointer', ['unsigned char']]], 'BootServerReplyPacketLength' : [ 0xc, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x148, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x28, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x10, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x18, ['_LIST_ENTRY']], 'WaitS0' : [ 0x20, ['_LIST_ENTRY']], } ], '_VI_DEADLOCK_ADDRESS_RANGE' : [ 0x8, { 'Start' : [ 0x0, ['pointer', ['unsigned char']]], 'End' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_ETW_REPLY_QUEUE' : [ 0x2c, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 
0x28, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' : [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Reserved' : [ 0x3c, ['array', 6, ['unsigned long']]], } ], '_PO_MEMORY_RANGE_TABLE' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_PO_MEMORY_RANGE_TABLE']]], 'NextTable' : [ 0x4, ['unsigned long']], 'EntryCount' : [ 0x8, ['unsigned long']], 'Range' : [ 0xc, ['array', 1, ['_PO_MEMORY_RANGE']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x10, ['pointer', ['void']]], 'WhichOrderedElement' : [ 0x14, ['unsigned long']], 'NumberGenericTableElements' : [ 0x18, ['unsigned long']], 'DepthOfTree' : [ 0x1c, ['unsigned long']], 'RestartKey' : [ 0x20, ['pointer', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x24, ['unsigned long']], 'CompareRoutine' : [ 0x28, ['pointer', ['void']]], 'AllocateRoutine' : [ 0x2c, ['pointer', ['void']]], 'FreeRoutine' : [ 0x30, ['pointer', ['void']]], 'TableContext' : [ 0x34, ['pointer', ['void']]], } ], 
'_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], '_PO_MEMORY_RANGE' : [ 0x8, { 'StartPage' : [ 0x0, ['unsigned long']], 'EndPage' : [ 0x4, ['unsigned long']], } ], 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '__unnamed_1019' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1019']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_101e' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_101e']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_1037' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1039' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_1037']], } ], '_TP_CALLBACK_ENVIRON' : [ 0x20, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x4, ['pointer', ['_TP_POOL']]], 'CleanupGroup' : [ 0x8, ['pointer', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0xc, ['pointer', ['void']]], 'RaceDll' : [ 0x10, ['pointer', ['void']]], 'ActivationContext' : [ 0x14, ['pointer', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' 
: [ 0x18, ['pointer', ['void']]], 'u' : [ 0x1c, ['__unnamed_1039']], } ], '_TP_TASK_CALLBACKS' : [ 0x8, { 'ExecuteCallback' : [ 0x0, ['pointer', ['void']]], 'Unposted' : [ 0x4, ['pointer', ['void']]], } ], '_TP_TASK' : [ 0x4, { 'Callbacks' : [ 0x0, ['pointer', ['_TP_TASK_CALLBACKS']]], } ], '_TP_DIRECT' : [ 0x4, { 'Callback' : [ 0x0, ['pointer', ['void']]], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '_KPRCB' : [ 0x2008, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'Number' : [ 0x10, ['unsigned char']], 'NestingLevel' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'SetMember' : [ 0x14, ['unsigned long']], 'CpuType' : [ 0x18, ['unsigned char']], 'CpuID' : [ 0x19, ['unsigned char']], 'CpuStep' : [ 0x1a, ['unsigned short']], 'CpuStepping' : [ 0x1a, ['unsigned char']], 'CpuModel' : [ 0x1b, ['unsigned char']], 'ProcessorState' : [ 0x1c, ['_KPROCESSOR_STATE']], 'KernelReserved' : [ 0x33c, ['array', 16, ['unsigned long']]], 'HalReserved' : [ 0x37c, ['array', 16, ['unsigned long']]],
'CFlushSize' : [ 0x3bc, ['unsigned long']], 'CoresPerPhysicalProcessor' : [ 0x3c0, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x3c1, ['unsigned char']], 'PrcbPad0' : [ 0x3c2, ['array', 2, ['unsigned char']]], 'MHz' : [ 0x3c4, ['unsigned long']], 'PrcbPad1' : [ 0x3c8, ['array', 80, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 49, ['_KSPIN_LOCK_QUEUE']]], 'NpxThread' : [ 0x5a0, ['pointer', ['_KTHREAD']]], 'InterruptCount' : [ 0x5a4, ['unsigned long']], 'KernelTime' : [ 0x5a8, ['unsigned long']], 'UserTime' : [ 0x5ac, ['unsigned long']], 'DpcTime' : [ 0x5b0, ['unsigned long']], 'DpcTimeCount' : [ 0x5b4, ['unsigned long']], 'InterruptTime' : [ 0x5b8, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x5bc, ['unsigned long']], 'PageColor' : [ 0x5c0, ['unsigned long']], 'SkipTick' : [ 0x5c4, ['unsigned char']], 'DebuggerSavedIRQL' : [ 0x5c5, ['unsigned char']], 'NodeColor' : [ 0x5c6, ['unsigned char']], 'PollSlot' : [ 0x5c7, ['unsigned char']], 'NodeShiftedColor' : [ 0x5c8, ['unsigned long']], 'ParentNode' : [ 0x5cc, ['pointer', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x5d0, ['unsigned long']], 'MultiThreadSetMaster' : [ 0x5d4, ['pointer', ['_KPRCB']]], 'SecondaryColorMask' : [ 0x5d8, ['unsigned long']], 'DpcTimeLimit' : [ 0x5dc, ['unsigned long']], 'CcFastReadNoWait' : [ 0x5e0, ['unsigned long']], 'CcFastReadWait' : [ 0x5e4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x5e8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x5ec, ['unsigned long']], 'CcCopyReadWait' : [ 0x5f0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x5f4, ['unsigned long']], 'MmSpinLockOrdering' : [ 0x5f8, ['long']], 'IoReadOperationCount' : [ 0x5fc, ['long']], 'IoWriteOperationCount' : [ 0x600, ['long']], 'IoOtherOperationCount' : [ 0x604, ['long']], 'IoReadTransferCount' : [ 0x608, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x610, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x618, ['_LARGE_INTEGER']], 'CcFastMdlReadNoWait' : [ 0x620, ['unsigned long']], 
'CcFastMdlReadWait' : [ 0x624, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x628, ['unsigned long']], 'CcMapDataNoWait' : [ 0x62c, ['unsigned long']], 'CcMapDataWait' : [ 0x630, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x634, ['unsigned long']], 'CcPinReadNoWait' : [ 0x638, ['unsigned long']], 'CcPinReadWait' : [ 0x63c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x640, ['unsigned long']], 'CcMdlReadWait' : [ 0x644, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x648, ['unsigned long']], 'CcLazyWriteIos' : [ 0x64c, ['unsigned long']], 'CcLazyWritePages' : [ 0x650, ['unsigned long']], 'CcDataFlushes' : [ 0x654, ['unsigned long']], 'CcDataPages' : [ 0x658, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x65c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x660, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x664, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x668, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x66c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x670, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x674, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x678, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x67c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x680, ['unsigned long']], 'CcReadAheadIos' : [ 0x684, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x688, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x68c, ['unsigned long']], 'KeSystemCalls' : [ 0x690, ['unsigned long']], 'PrcbPad2' : [ 0x694, ['array', 3, ['unsigned long']]], 'PPLookasideList' : [ 0x6a0, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x720, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1020, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x1920, ['unsigned long']], 'ReverseStall' : [ 0x1924, ['long']], 'IpiFrame' : [ 0x1928, ['pointer', ['void']]], 'PrcbPad3' : [ 0x192c, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x1960, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x196c, 
['unsigned long']], 'WorkerRoutine' : [ 0x1970, ['pointer', ['void']]], 'IpiFrozen' : [ 0x1974, ['unsigned long']], 'PrcbPad4' : [ 0x1978, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x19a0, ['unsigned long']], 'SignalDone' : [ 0x19a4, ['pointer', ['_KPRCB']]], 'PrcbPad5' : [ 0x19a8, ['array', 56, ['unsigned char']]], 'DpcData' : [ 0x19e0, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x1a08, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x1a0c, ['long']], 'DpcRequestRate' : [ 0x1a10, ['unsigned long']], 'MinimumDpcRate' : [ 0x1a14, ['unsigned long']], 'DpcInterruptRequested' : [ 0x1a18, ['unsigned char']], 'DpcThreadRequested' : [ 0x1a19, ['unsigned char']], 'DpcRoutineActive' : [ 0x1a1a, ['unsigned char']], 'DpcThreadActive' : [ 0x1a1b, ['unsigned char']], 'PrcbLock' : [ 0x1a1c, ['unsigned long']], 'DpcLastCount' : [ 0x1a20, ['unsigned long']], 'TimerHand' : [ 0x1a24, ['unsigned long']], 'TimerRequest' : [ 0x1a28, ['unsigned long']], 'PrcbPad41' : [ 0x1a2c, ['pointer', ['void']]], 'DpcEvent' : [ 0x1a30, ['_KEVENT']], 'ThreadDpcEnable' : [ 0x1a40, ['unsigned char']], 'QuantumEnd' : [ 0x1a41, ['unsigned char']], 'PrcbPad50' : [ 0x1a42, ['unsigned char']], 'IdleSchedule' : [ 0x1a43, ['unsigned char']], 'DpcSetEventRequest' : [ 0x1a44, ['long']], 'Sleeping' : [ 0x1a48, ['long']], 'PeriodicCount' : [ 0x1a4c, ['unsigned long']], 'PeriodicBias' : [ 0x1a50, ['unsigned long']], 'PrcbPad51' : [ 0x1a54, ['array', 6, ['unsigned char']]], 'TickOffset' : [ 0x1a5c, ['long']], 'CallDpc' : [ 0x1a60, ['_KDPC']], 'ClockKeepAlive' : [ 0x1a80, ['long']], 'ClockCheckSlot' : [ 0x1a84, ['unsigned char']], 'ClockPollCycle' : [ 0x1a85, ['unsigned char']], 'PrcbPad6' : [ 0x1a86, ['array', 2, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x1a88, ['long']], 'DpcWatchdogCount' : [ 0x1a8c, ['long']], 'ThreadWatchdogPeriod' : [ 0x1a90, ['long']], 'ThreadWatchdogCount' : [ 0x1a94, ['long']], 'PrcbPad70' : [ 0x1a98, ['array', 2, ['unsigned long']]], 'WaitListHead' : [ 0x1aa0, 
['_LIST_ENTRY']], 'WaitLock' : [ 0x1aa8, ['unsigned long']], 'ReadySummary' : [ 0x1aac, ['unsigned long']], 'QueueIndex' : [ 0x1ab0, ['unsigned long']], 'DeferredReadyListHead' : [ 0x1ab4, ['_SINGLE_LIST_ENTRY']], 'StartCycles' : [ 0x1ab8, ['unsigned long long']], 'CycleTime' : [ 0x1ac0, ['unsigned long long']], 'PrcbPad71' : [ 0x1ac8, ['array', 3, ['unsigned long long']]], 'DispatcherReadyListHead' : [ 0x1ae0, ['array', 32, ['_LIST_ENTRY']]], 'ChainedInterruptList' : [ 0x1be0, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0x1be4, ['long']], 'MmPageFaultCount' : [ 0x1be8, ['long']], 'MmCopyOnWriteCount' : [ 0x1bec, ['long']], 'MmTransitionCount' : [ 0x1bf0, ['long']], 'MmCacheTransitionCount' : [ 0x1bf4, ['long']], 'MmDemandZeroCount' : [ 0x1bf8, ['long']], 'MmPageReadCount' : [ 0x1bfc, ['long']], 'MmPageReadIoCount' : [ 0x1c00, ['long']], 'MmCacheReadCount' : [ 0x1c04, ['long']], 'MmCacheIoCount' : [ 0x1c08, ['long']], 'MmDirtyPagesWriteCount' : [ 0x1c0c, ['long']], 'MmDirtyWriteIoCount' : [ 0x1c10, ['long']], 'MmMappedPagesWriteCount' : [ 0x1c14, ['long']], 'MmMappedWriteIoCount' : [ 0x1c18, ['long']], 'CachedCommit' : [ 0x1c1c, ['unsigned long']], 'CachedResidentAvailable' : [ 0x1c20, ['unsigned long']], 'HyperPte' : [ 0x1c24, ['pointer', ['void']]], 'CpuVendor' : [ 0x1c28, ['unsigned char']], 'PrcbPad8' : [ 0x1c29, ['array', 3, ['unsigned char']]], 'VendorString' : [ 0x1c2c, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0x1c39, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x1c3a, ['unsigned char']], 'PrcbPad9' : [ 0x1c3b, ['array', 5, ['unsigned char']]], 'FeatureBits' : [ 0x1c40, ['unsigned long']], 'UpdateSignature' : [ 0x1c48, ['_LARGE_INTEGER']], 'IsrTime' : [ 0x1c50, ['unsigned long long']], 'SpareField1' : [ 0x1c58, ['unsigned long long']], 'NpxSaveArea' : [ 0x1c60, ['_FX_SAVE_AREA']], 'PowerState' : [ 0x1e70, ['_PROCESSOR_POWER_STATE']], 'DpcWatchdogDpc' : [ 0x1f38, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x1f58, ['_KTIMER']], 
'WheaInfo' : [ 0x1f80, ['pointer', ['void']]], 'EtwSupport' : [ 0x1f84, ['pointer', ['void']]], 'InterruptObjectPool' : [ 0x1f88, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x1f90, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x1f98, ['pointer', ['void']]], 'VirtualApicAssist' : [ 0x1f9c, ['pointer', ['void']]], 'StatisticsPage' : [ 0x1fa0, ['pointer', ['unsigned long long']]], 'RateControl' : [ 0x1fa4, ['pointer', ['void']]], 'Cache' : [ 0x1fa8, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x1fe4, ['unsigned long']], 'CacheProcessorMask' : [ 0x1fe8, ['array', 5, ['unsigned long']]], 'PackageProcessorSet' : [ 0x1ffc, ['unsigned long']], 'CoreProcessorSet' : [ 0x2000, ['unsigned long']], } ], '_KPCR' : [ 0x2128, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'Spare2' : [ 0x8, ['pointer', ['void']]], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, 
['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_KTHREAD' : [ 0x1e0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'CycleTime' : [ 0x10, ['unsigned long long']], 'HighCycleTime' : [ 0x18, ['unsigned long']], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer', ['void']]], 'StackLimit' : [ 0x2c, ['pointer', ['void']]], 'KernelStack' : [ 0x30, ['pointer', ['void']]], 'ThreadLock' : [ 0x34, ['unsigned long']], 'ApcState' : [ 0x38, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x38, ['array', 23, ['unsigned char']]], 'Priority' : [ 0x4f, ['unsigned char']], 'NextProcessor' : [ 0x50, ['unsigned short']], 'DeferredProcessor' : [ 0x52, ['unsigned short']], 'ApcQueueLock' : [ 0x54, ['unsigned long']], 'ContextSwitches' : [ 0x58, ['unsigned long']], 'State' : [ 0x5c, ['unsigned char']], 'NpxState' : [ 0x5d, ['unsigned char']], 'WaitIrql' : [ 0x5e, ['unsigned char']], 'WaitMode' : [ 0x5f, ['unsigned char']], 'WaitStatus' : [ 0x60, ['long']], 
'WaitBlockList' : [ 0x64, ['pointer', ['_KWAIT_BLOCK']]], 'GateObject' : [ 0x64, ['pointer', ['_KGATE']]], 'KernelStackResident' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x68, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x68, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x68, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x68, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GdiFlushActive' : [ 0x68, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x68, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x68, ['long']], 'WaitReason' : [ 0x6c, ['unsigned char']], 'SwapBusy' : [ 0x6d, ['unsigned char']], 'Alerted' : [ 0x6e, ['array', 2, ['unsigned char']]], 'WaitListEntry' : [ 0x70, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x70, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0x78, ['pointer', ['_KQUEUE']]], 'WaitTime' : [ 0x7c, ['unsigned long']], 'KernelApcDisable' : [ 0x80, ['short']], 'SpecialApcDisable' : [ 0x82, ['short']], 'CombinedApcDisable' : [ 0x80, ['unsigned long']], 'Teb' : [ 0x84, ['pointer', ['void']]], 'Timer' : [ 0x88, ['_KTIMER']], 'TimerFill' : [ 0x88, ['array', 40, ['unsigned char']]], 'AutoAlignment' : [ 0xb0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0xb0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0xb0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 
'EtwStackTraceApc2Inserted' : [ 0xb0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CycleChargePending' : [ 0xb0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CalloutActive' : [ 0xb0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ApcQueueable' : [ 0xb0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'EnableStackSwap' : [ 0xb0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'GuiThread' : [ 0xb0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedFlags' : [ 0xb0, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0xb0, ['long']], 'WaitBlock' : [ 0xb8, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill0' : [ 0xb8, ['array', 23, ['unsigned char']]], 'IdealProcessor' : [ 0xcf, ['unsigned char']], 'WaitBlockFill1' : [ 0xb8, ['array', 47, ['unsigned char']]], 'PreviousMode' : [ 0xe7, ['unsigned char']], 'WaitBlockFill2' : [ 0xb8, ['array', 71, ['unsigned char']]], 'ResourceIndex' : [ 0xff, ['unsigned char']], 'WaitBlockFill3' : [ 0xb8, ['array', 95, ['unsigned char']]], 'LargeStack' : [ 0x117, ['unsigned char']], 'QueueListEntry' : [ 0x118, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x120, ['pointer', ['_KTRAP_FRAME']]], 'FirstArgument' : [ 0x124, ['pointer', ['void']]], 'CallbackStack' : [ 0x128, ['pointer', ['void']]], 'CallbackDepth' : [ 0x128, ['unsigned long']], 'ServiceTable' : [ 0x12c, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x130, ['unsigned char']], 'BasePriority' : [ 0x131, ['unsigned char']], 'PriorityDecrement' : [ 0x132, ['unsigned char']], 'Preempted' : [ 0x133, ['unsigned char']], 'AdjustReason' : [ 0x134, ['unsigned char']], 'AdjustIncrement' : [ 0x135, ['unsigned char']], 'Spare01' : [ 0x136, ['unsigned char']], 'Saturation' : [ 0x137, ['unsigned char']], 'SystemCallNumber' : [ 0x138, ['unsigned long']], 'FreezeCount' : [ 
0x13c, ['unsigned long']], 'UserAffinity' : [ 0x140, ['unsigned long']], 'Process' : [ 0x144, ['pointer', ['_KPROCESS']]], 'Affinity' : [ 0x148, ['unsigned long']], 'ApcStatePointer' : [ 0x14c, ['array', 2, ['pointer', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x154, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x154, ['array', 23, ['unsigned char']]], 'Spare02' : [ 0x16b, ['unsigned char']], 'SuspendCount' : [ 0x16c, ['unsigned char']], 'UserIdealProcessor' : [ 0x16d, ['unsigned char']], 'Spare03' : [ 0x16e, ['unsigned char']], 'OtherPlatformFill' : [ 0x16f, ['unsigned char']], 'Win32Thread' : [ 0x170, ['pointer', ['void']]], 'StackBase' : [ 0x174, ['pointer', ['void']]], 'SuspendApc' : [ 0x178, ['_KAPC']], 'SuspendApcFill0' : [ 0x178, ['array', 1, ['unsigned char']]], 'Spare04' : [ 0x179, ['unsigned char']], 'SuspendApcFill1' : [ 0x178, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x17b, ['unsigned char']], 'SuspendApcFill2' : [ 0x178, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x17c, ['unsigned long']], 'SuspendApcFill3' : [ 0x178, ['array', 36, ['unsigned char']]], 'WaitPrcb' : [ 0x19c, ['pointer', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x178, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x1a0, ['pointer', ['void']]], 'SuspendApcFill5' : [ 0x178, ['array', 47, ['unsigned char']]], 'PowerState' : [ 0x1a7, ['unsigned char']], 'UserTime' : [ 0x1a8, ['unsigned long']], 'SuspendSemaphore' : [ 0x1ac, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x1ac, ['array', 20, ['unsigned char']]], 'SListFaultCount' : [ 0x1c0, ['unsigned long']], 'ThreadListEntry' : [ 0x1c4, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x1cc, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x1d4, ['pointer', ['void']]], 'MdlForLockedTeb' : [ 0x1d8, ['pointer', ['void']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], 
'_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'Sequence' : [ 0x6, ['unsigned short']], } ], '_LOOKASIDE_LIST_EX' : [ 0x48, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, { 'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 
'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x30, { 'WakeGate' : [ 0x0, ['_KGATE']], 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x10, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x14, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x18, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x1c, ['long']], 'Flags' : [ 0x20, ['long']], } ], '_ETHREAD' : [ 0x288, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x1e0, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x1e8, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x1e8, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x1f0, ['long']], 'OfsChain' : [ 0x1f0, ['pointer', ['void']]], 'PostBlockList' : [ 0x1f4, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x1f4, ['pointer', ['void']]], 'StartAddress' : [ 0x1f8, ['pointer', ['void']]], 
'TerminationPort' : [ 0x1fc, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x1fc, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x1fc, ['pointer', ['void']]], 'Win32StartParameter' : [ 0x1fc, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x200, ['unsigned long']], 'ActiveTimerListHead' : [ 0x204, ['_LIST_ENTRY']], 'Cid' : [ 0x20c, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x214, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x214, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x228, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x22c, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x234, ['unsigned long']], 'DeviceToVerify' : [ 0x238, ['pointer', ['_DEVICE_OBJECT']]], 'RateControlApc' : [ 0x23c, ['pointer', ['_PSP_RATE_APC']]], 'Win32StartAddress' : [ 0x240, ['pointer', ['void']]], 'SparePtr0' : [ 0x244, ['pointer', ['void']]], 'ThreadListEntry' : [ 0x248, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x250, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x254, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x258, ['unsigned long']], 'MmLockOrdering' : [ 0x25c, ['long']], 'CrossThreadFlags' : [ 0x260, ['unsigned long']], 'Terminated' : [ 0x260, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x260, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x260, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x260, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x260, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x260, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x260, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x260, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' 
: [ 0x260, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x260, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x260, ['BitField', dict(start_bit = 10, end_bit = 13, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x260, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x260, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x264, ['unsigned long']], 'ActiveExWorker' : [ 0x264, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x264, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x264, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ClonedThread' : [ 0x264, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x264, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x264, ['BitField', dict(start_bit = 5, end_bit = 7, native_type='unsigned long')]], 'SelfTerminate' : [ 0x264, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x268, ['unsigned long']], 'Spare' : [ 0x268, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x268, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwPageFaultCalloutActive' : [ 0x268, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x268, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x268, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemWorkingSetExclusive' : [ 0x268, ['BitField', 
dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemWorkingSetShared' : [ 0x268, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x268, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x269, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x269, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x269, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x269, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x269, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsDynamicMemoryShared' : [ 0x269, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x269, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x269, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare1' : [ 0x26a, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x26b, ['unsigned char']], 'CacheManagerActive' : [ 0x26c, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x26d, ['unsigned char']], 'ActiveFaultCount' : [ 0x26e, ['unsigned char']], 'AlpcMessageId' : [ 0x270, ['unsigned long']], 'AlpcMessage' : [ 0x274, ['pointer', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x274, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x278, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x280, ['unsigned long']], } ], '_EPROCESS' : [ 0x270, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x80, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x88, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x90, ['_LARGE_INTEGER']], 
'RundownProtect' : [ 0x98, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x9c, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0xa0, ['_LIST_ENTRY']], 'QuotaUsage' : [ 0xa8, ['array', 3, ['unsigned long']]], 'QuotaPeak' : [ 0xb4, ['array', 3, ['unsigned long']]], 'CommitCharge' : [ 0xc0, ['unsigned long']], 'PeakVirtualSize' : [ 0xc4, ['unsigned long']], 'VirtualSize' : [ 0xc8, ['unsigned long']], 'SessionProcessLinks' : [ 0xcc, ['_LIST_ENTRY']], 'DebugPort' : [ 0xd4, ['pointer', ['void']]], 'ExceptionPortData' : [ 0xd8, ['pointer', ['void']]], 'ExceptionPortValue' : [ 0xd8, ['unsigned long']], 'ExceptionPortState' : [ 0xd8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'ObjectTable' : [ 0xdc, ['pointer', ['_HANDLE_TABLE']]], 'Token' : [ 0xe0, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0xe4, ['unsigned long']], 'AddressCreationLock' : [ 0xe8, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0xec, ['pointer', ['_ETHREAD']]], 'ForkInProgress' : [ 0xf0, ['pointer', ['_ETHREAD']]], 'HardwareTrigger' : [ 0xf4, ['unsigned long']], 'PhysicalVadRoot' : [ 0xf8, ['pointer', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0xfc, ['pointer', ['void']]], 'NumberOfPrivatePages' : [ 0x100, ['unsigned long']], 'NumberOfLockedPages' : [ 0x104, ['unsigned long']], 'Win32Process' : [ 0x108, ['pointer', ['void']]], 'Job' : [ 0x10c, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x110, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x114, ['pointer', ['void']]], 'QuotaBlock' : [ 0x118, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'WorkingSetWatch' : [ 0x11c, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x120, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x124, ['pointer', ['void']]], 'LdtInformation' : [ 0x128, ['pointer', ['void']]], 'Spare' : [ 0x12c, ['pointer', ['void']]], 'VdmObjects' : [ 0x130, ['pointer', ['void']]], 'DeviceMap' : [ 0x134, ['pointer', ['void']]], 'EtwDataSource' : [ 0x138, ['pointer', ['void']]], 'FreeTebHint' : [ 0x13c, 
['pointer', ['void']]], 'PageDirectoryPte' : [ 0x140, ['_HARDWARE_PTE']], 'Filler' : [ 0x140, ['unsigned long long']], 'Session' : [ 0x148, ['pointer', ['void']]], 'ImageFileName' : [ 0x14c, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x15c, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x164, ['pointer', ['void']]], 'ThreadListHead' : [ 0x168, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x170, ['pointer', ['void']]], 'PaeTop' : [ 0x174, ['pointer', ['void']]], 'ActiveThreads' : [ 0x178, ['unsigned long']], 'ImagePathHash' : [ 0x17c, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x180, ['unsigned long']], 'LastThreadExitStatus' : [ 0x184, ['long']], 'Peb' : [ 0x188, ['pointer', ['_PEB']]], 'PrefetchTrace' : [ 0x18c, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x190, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x198, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1a0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1a8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1b0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1c0, ['unsigned long']], 'CommitChargePeak' : [ 0x1c4, ['unsigned long']], 'AweInfo' : [ 0x1c8, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x1cc, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x1d0, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x218, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x220, ['unsigned long']], 'Flags2' : [ 0x224, ['unsigned long']], 'JobNotReallyActive' : [ 0x224, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x224, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x224, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x224, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]],
'ReportCommitChanges' : [ 0x224, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x224, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x224, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x224, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x224, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x224, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x224, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtectedProcess' : [ 0x224, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x224, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x224, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x224, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x224, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x224, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x224, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x224, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Flags' : [ 0x228, ['unsigned long']], 'CreateReported' : [ 0x228, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x228, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x228, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x228, ['BitField', dict(start_bit = 3, end_bit = 
4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x228, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x228, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x228, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x228, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x228, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x228, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x228, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x228, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x228, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x228, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x228, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x228, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x228, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x228, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x228, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x228, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x228, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x228, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 
'PdeUpdateNeeded' : [ 0x228, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x228, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SmapAllowed' : [ 0x228, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x228, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x228, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x228, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'SpareProcessFlags' : [ 0x228, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x22c, ['long']], 'Spare7' : [ 0x230, ['unsigned short']], 'SubSystemMinorVersion' : [ 0x232, ['unsigned char']], 'SubSystemMajorVersion' : [ 0x233, ['unsigned char']], 'SubSystemVersion' : [ 0x232, ['unsigned short']], 'PriorityClass' : [ 0x234, ['unsigned char']], 'VadRoot' : [ 0x238, ['_MM_AVL_TABLE']], 'Cookie' : [ 0x258, ['unsigned long']], 'AlpcContext' : [ 0x25c, ['_ALPC_PROCESS_CONTEXT']], } ], '__unnamed_11d8' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_11d8']], 
'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '__unnamed_11e6' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_11eb' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_11ed' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_11eb']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_11f8' : [ 0x28, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_11fa' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_11f8']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_11e6']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, 
['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_11ed']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_11fa']], } ], '__unnamed_1200' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1204' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_1208' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_120a' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_120e' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 
'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_1210' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_1212' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 
'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]], } ], '__unnamed_1214' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 
'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1216' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_1218' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_121c' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'})]], } ], '__unnamed_121e' : [ 0x10, { 
'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1221' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_1223' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1225' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_1227' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_122b' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_122f' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1233' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1237' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_123e' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1242' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1246' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', 
['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1248' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_124a' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_124e' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_1252' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_1256' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_125a' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_125e' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_1266' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 
'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_126a' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_126c' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_126e' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1270' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_1200']], 'CreatePipe' : [ 0x0, ['__unnamed_1204']], 'CreateMailslot' : [ 0x0, ['__unnamed_1208']], 'Read' : [ 0x0, ['__unnamed_120a']], 'Write' : [ 0x0, ['__unnamed_120a']], 'QueryDirectory' : [ 0x0, ['__unnamed_120e']], 'NotifyDirectory' : [ 0x0, ['__unnamed_1210']], 'QueryFile' : [ 0x0, ['__unnamed_1212']], 'SetFile' : [ 0x0, ['__unnamed_1214']], 'QueryEa' : [ 0x0, ['__unnamed_1216']], 'SetEa' : [ 0x0, ['__unnamed_1218']], 'QueryVolume' : [ 0x0, ['__unnamed_121c']], 'SetVolume' : [ 0x0, ['__unnamed_121c']], 'FileSystemControl' : [ 0x0, ['__unnamed_121e']], 'LockControl' : [ 0x0, ['__unnamed_1221']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1223']], 'QuerySecurity' : [ 0x0, ['__unnamed_1225']], 'SetSecurity' : [ 0x0, ['__unnamed_1227']], 'MountVolume' : [ 0x0, ['__unnamed_122b']], 'VerifyVolume' : [ 0x0, ['__unnamed_122b']], 'Scsi' : [ 0x0, ['__unnamed_122f']], 'QueryQuota' : [ 0x0, ['__unnamed_1233']], 'SetQuota' : [ 0x0, ['__unnamed_1218']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1237']], 'QueryInterface' : [ 0x0, ['__unnamed_123e']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_1242']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1246']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1248']], 'SetLock' : [ 0x0, 
['__unnamed_124a']], 'QueryId' : [ 0x0, ['__unnamed_124e']], 'QueryDeviceText' : [ 0x0, ['__unnamed_1252']], 'UsageNotification' : [ 0x0, ['__unnamed_1256']], 'WaitWake' : [ 0x0, ['__unnamed_125a']], 'PowerSequence' : [ 0x0, ['__unnamed_125e']], 'Power' : [ 0x0, ['__unnamed_1266']], 'StartDevice' : [ 0x0, ['__unnamed_126a']], 'WMI' : [ 0x0, ['__unnamed_126c']], 'Others' : [ 0x0, ['__unnamed_126e']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_1270']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x10, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x4, ['pointer', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x8, ['pointer', ['void']]], 'TxnParameters' : [ 0xc, ['pointer', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER' : [ 0x20, 
{ 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Type' : [ 0x8, ['pointer', ['_OBJECT_TYPE']]], 'NameInfoOffset' : [ 0xc, ['unsigned char']], 'HandleInfoOffset' : [ 0xd, ['unsigned char']], 'QuotaInfoOffset' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'ExclusiveProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, { 'HandleCountDataBase' : [ 0x0, ['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'QueryReferences' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0x80, 
{ 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, ['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0x70, ['unsigned long']], 'IrpList' : [ 0x74, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0x7c, ['pointer', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x38, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0x8, ['unsigned long']], 'CurrentFileIndex' : [ 0x8, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x24, ['pointer', ['unsigned long']]], 
'FirstFileEntry' : [ 0x28, ['pointer', ['unsigned long']]], 'Process' : [ 0x2c, ['pointer', ['_EPROCESS']]], 'SessionId' : [ 0x30, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer', ['unsigned long']]], 'LastPageFrameEntry' : [ 0x24, ['pointer', ['unsigned long']]], } ], '_PF_HARD_FAULT_INFO' : [ 0x30, { 'KernelTimeStamp' : [ 0x0, ['_ETW_KERNEL_TRACE_TIMESTAMP']], 'HardFaultEvent' : [ 0x10, ['_PERFINFO_HARDPAGEFAULT_INFORMATION']], 'IoTimeInTicks' : [ 0x28, ['_LARGE_INTEGER']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '__unnamed_1320' : [ 0xd0, { 'ProcessorError' : [ 0x0, ['_WHEA_GENERIC_PROCESSOR_ERROR']], 'MemoryError' : [ 0x0, ['_WHEA_MEMORY_ERROR']], 'NmiError' : [ 0x0, ['_WHEA_NMI_ERROR']], 'PciExpressError' : [ 0x0, ['_WHEA_PCIEXPRESS_ERROR']], 'PciXBusError' : [ 0x0, ['_WHEA_PCIXBUS_ERROR']], 'PciXDeviceError' : [ 0x0, ['_WHEA_PCIXDEVICE_ERROR']], } ], '_WHEA_ERROR_PACKET' : [ 0x119, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['_WHEA_ERROR_PACKET_FLAGS']], 'Size' : [ 0x8, ['unsigned long']], 'RawDataLength' : [ 0xc, ['unsigned long']], 'Reserved1' : [ 0x10, ['unsigned long long']], 'Context' : [ 0x18, ['unsigned long long']], 'ErrorType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ErrorSourceId' : [ 0x28, ['unsigned long']], 'ErrorSourceType' : 
[ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]],
    'Reserved2' : [ 0x30, ['unsigned long']],
    'Version' : [ 0x34, ['unsigned long']],
    'Cpu' : [ 0x38, ['unsigned long long']],
    'u' : [ 0x40, ['__unnamed_1320']],
    'RawDataFormat' : [ 0x110, ['Enumeration', dict(target = 'long', choices = {0: 'WheaRawDataFormatIPFSalRecord', 1: 'WheaRawDataFormatIA32MCA', 2: 'WheaRawDataFormatIntel64MCA', 3: 'WheaRawDataFormatAMD64MCA', 4: 'WheaRawDataFormatMemory', 5: 'WheaRawDataFormatPCIExpress', 6: 'WheaRawDataFormatNMIPort', 7: 'WheaRawDataFormatPCIXBus', 8: 'WheaRawDataFormatPCIXDevice', 9: 'WheaRawDataFormatGeneric', 10: 'WheaRawDataFormatMax'})]],
    'RawDataOffset' : [ 0x114, ['unsigned long']],
    'RawData' : [ 0x118, ['array', 1, ['unsigned char']]],
} ],
  '_KPROCESS' : [ 0x80, {
    'Header' : [ 0x0, ['_DISPATCHER_HEADER']],
    'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']],
    'DirectoryTableBase' : [ 0x18, ['unsigned long']],
    'Unused0' : [ 0x1c, ['unsigned long']],
    'LdtDescriptor' : [ 0x20, ['_KGDTENTRY']],
    'Int21Descriptor' : [ 0x28, ['_KIDTENTRY']],
    'IopmOffset' : [ 0x30, ['unsigned short']],
    'Unused1' : [ 0x32, ['unsigned char']],
    'Unused2' : [ 0x33, ['unsigned char']],
    'ActiveProcessors' : [ 0x34, ['unsigned long']],
    'KernelTime' : [ 0x38, ['unsigned long']],
    'UserTime' : [ 0x3c, ['unsigned long']],
    'ReadyListHead' : [ 0x40, ['_LIST_ENTRY']],
    'SwapListEntry' : [ 0x48, ['_SINGLE_LIST_ENTRY']],
    'VdmTrapcHandler' : [ 0x4c, ['pointer', ['void']]],
    'ThreadListHead' : [ 0x50, ['_LIST_ENTRY']],
    'ProcessLock' : [ 0x58, ['unsigned long']],
    'Affinity' : [ 0x5c, ['unsigned long']],
    'AutoAlignment' : [ 0x60, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]],
    'DisableBoost' : [ 0x60, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]],
    'DisableQuantum' : [ 0x60, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]],
    'ReservedFlags' : [ 0x60, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='long')]],
    'ProcessFlags' : [ 0x60, ['long']],
    'BasePriority' : [ 0x64, ['unsigned char']],
    'QuantumReset' : [ 0x65, ['unsigned char']],
    'State' : [ 0x66, ['unsigned char']],
    'ThreadSeed' : [ 0x67, ['unsigned char']],
    'PowerState' : [ 0x68, ['unsigned char']],
    'IdealNode' : [ 0x69, ['unsigned char']],
    'Visited' : [ 0x6a, ['unsigned char']],
    'Flags' : [ 0x6b, ['_KEXECUTE_OPTIONS']],
    'ExecuteOptions' : [ 0x6b, ['unsigned char']],
    'StackCount' : [ 0x6c, ['unsigned long']],
    'ProcessListEntry' : [ 0x70, ['_LIST_ENTRY']],
    'CycleTime' : [ 0x78, ['unsigned long long']],
} ],
  '__unnamed_13d6' : [ 0x4, {
    'Long' : [ 0x0, ['unsigned long']],
    'VolatileLong' : [ 0x0, ['unsigned long']],
    'Flush' : [ 0x0, ['_HARDWARE_PTE']],
    'Hard' : [ 0x0, ['_MMPTE_HARDWARE']],
    'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']],
    'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']],
    'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']],
    'Trans' : [ 0x0, ['_MMPTE_TRANSITION']],
    'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']],
    'List' : [ 0x0, ['_MMPTE_LIST']],
} ],
  '_MMPTE' : [ 0x4, {
    'u' : [ 0x0, ['__unnamed_13d6']],
} ],
  '__unnamed_13ea' : [ 0xc, {
    'I386' : [ 0x0, ['_I386_LOADER_BLOCK']],
    'Alpha' : [ 0x0, ['_ALPHA_LOADER_BLOCK']],
    'Ia64' : [ 0x0, ['_IA64_LOADER_BLOCK']],
} ],
  '_LOADER_PARAMETER_BLOCK' : [ 0x7c, {
    'LoadOrderListHead' : [ 0x0, ['_LIST_ENTRY']],
    'MemoryDescriptorListHead' : [ 0x8, ['_LIST_ENTRY']],
    'BootDriverListHead' : [ 0x10, ['_LIST_ENTRY']],
    'KernelStack' : [ 0x18, ['unsigned long']],
    'Prcb' : [ 0x1c, ['unsigned long']],
    'Process' : [ 0x20, ['unsigned long']],
    'Thread' : [ 0x24, ['unsigned long']],
    'RegistryLength' : [ 0x28, ['unsigned long']],
    'RegistryBase' : [ 0x2c, ['pointer', ['void']]],
    'ConfigurationRoot' : [ 0x30, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]],
    'ArcBootDeviceName' : [ 0x34, ['pointer', ['unsigned char']]],
    'ArcHalDeviceName' : [ 0x38, ['pointer', ['unsigned char']]],
    'NtBootPathName' : [ 0x3c, ['pointer', ['unsigned char']]],
    'NtHalPathName' : [ 0x40, ['pointer', ['unsigned char']]],
    'LoadOptions' : [ 0x44, ['pointer', ['unsigned char']]],
    'NlsData' : [ 0x48, ['pointer', ['_NLS_DATA_BLOCK']]],
    'ArcDiskInformation' : [ 0x4c, ['pointer', ['_ARC_DISK_INFORMATION']]],
    'OemFontFile' : [ 0x50, ['pointer', ['void']]],
    'SetupLoaderBlock' : [ 0x54, ['pointer', ['_SETUP_LOADER_BLOCK']]],
    'Extension' : [ 0x58, ['pointer', ['_LOADER_PARAMETER_EXTENSION']]],
    'u' : [ 0x5c, ['__unnamed_13ea']],
    'FirmwareInformation' : [ 0x68, ['_FIRMWARE_INFORMATION_LOADER_BLOCK']],
} ],
  '_MMPTE_FLUSH_LIST' : [ 0x8c, {
    'Count' : [ 0x0, ['unsigned long']],
    'MaximumCount' : [ 0x4, ['unsigned long']],
    'FlushVa' : [ 0x8, ['array', 33, ['pointer', ['void']]]],
} ],
  '_MI_COLOR_BASE' : [ 0x8, {
    'ColorPointer' : [ 0x0, ['pointer', ['unsigned short']]],
    'ColorMask' : [ 0x4, ['unsigned short']],
    'ColorNode' : [ 0x6, ['unsigned short']],
} ],
  '_MMSUPPORT' : [ 0x48, {
    'WorkingSetExpansionLinks' : [ 0x0, ['_LIST_ENTRY']],
    'LastTrimStamp' : [ 0x8, ['unsigned short']],
    'NextPageColor' : [ 0xa, ['unsigned short']],
    'Flags' : [ 0xc, ['_MMSUPPORT_FLAGS']],
    'PageFaultCount' : [ 0x10, ['unsigned long']],
    'PeakWorkingSetSize' : [ 0x14, ['unsigned long']],
    'ChargedWslePages' : [ 0x18, ['unsigned long']],
    'MinimumWorkingSetSize' : [ 0x1c, ['unsigned long']],
    'MaximumWorkingSetSize' : [ 0x20, ['unsigned long']],
    'VmWorkingSetList' : [ 0x24, ['pointer', ['_MMWSL']]],
    'Claim' : [ 0x28, ['unsigned long']],
    'ActualWslePages' : [ 0x2c, ['unsigned long']],
    'WorkingSetPrivateSize' : [ 0x30, ['unsigned long']],
    'WorkingSetSizeOverhead' : [ 0x34, ['unsigned long']],
    'WorkingSetSize' : [ 0x38, ['unsigned long']],
    'ExitGate' : [ 0x3c, ['pointer', ['_KGATE']]],
    'WorkingSetMutex' : [ 0x40, ['_EX_PUSH_LOCK']],
    'AccessLog' : [ 0x44, ['pointer', ['void']]],
} ],
  '__unnamed_1424' : [ 0x4, {
    'Flink' : [ 0x0, ['unsigned long']],
    'WsIndex' : [ 0x0, ['unsigned long']],
    'Event' : [ 0x0, ['pointer', ['_KEVENT']]],
    'Next' : [ 0x0, ['pointer', ['void']]],
    'VolatileNext' : [ 0x0, ['pointer', ['void']]],
    'KernelStackOwner' : [ 0x0, ['pointer', ['_KTHREAD']]],
    'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']],
} ],
  '__unnamed_1426' : [ 0x4, {
    'Blink' : [ 0x0, ['unsigned long']],
    'ImageProtoPte' : [ 0x0, ['pointer', ['_MMPTE']]],
    'ShareCount' : [ 0x0, ['unsigned long']],
} ],
  '__unnamed_1429' : [ 0x4, {
    'ReferenceCount' : [ 0x0, ['unsigned short']],
    'VolatileReferenceCount' : [ 0x0, ['short']],
    'ShortFlags' : [ 0x2, ['unsigned short']],
} ],
  '__unnamed_142b' : [ 0x4, {
    'ReferenceCount' : [ 0x0, ['unsigned short']],
    'ByteFlags' : [ 0x2, ['unsigned char']],
    'InterlockedByteFlags' : [ 0x3, ['unsigned char']],
} ],
  '__unnamed_142d' : [ 0x4, {
    'ReferenceCount' : [ 0x0, ['unsigned short']],
    'e1' : [ 0x2, ['_MMPFNENTRY']],
    'e2' : [ 0x0, ['__unnamed_1429']],
    'e3' : [ 0x0, ['__unnamed_142b']],
} ],
  '__unnamed_1432' : [ 0x4, {
    'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]],
    'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]],
    'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]],
    'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]],
    'PageColor' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]],
} ],
  '_MMPFN' : [ 0x18, {
    'u1' : [ 0x0, ['__unnamed_1424']],
    'u2' : [ 0x4, ['__unnamed_1426']],
    'PteAddress' : [ 0x8, ['pointer', ['_MMPTE']]],
    'VolatilePteAddress' : [ 0x8, ['pointer', ['void']]],
    'u3' : [ 0xc, ['__unnamed_142d']],
    'OriginalPte' : [ 0x10, ['_MMPTE']],
    'AweReferenceCount' : [ 0x10, ['long']],
    'u4' : [ 0x14, ['__unnamed_1432']],
} ],
  '__unnamed_143c' : [ 0x4, {
    'VirtualAddress' : [ 0x0, ['pointer', ['void']]],
    'Long' : [ 0x0, ['unsigned long']],
    'e1' : [ 0x0, ['_MMWSLENTRY']],
    'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']],
} ],
  '_MMWSLE' : [ 0x4, {
    'u1' : [ 0x0, ['__unnamed_143c']],
} ],
  '_MMWSL' : [ 0x6b8, {
    'FirstFree' : [ 0x0, ['unsigned long']],
    'FirstDynamic' : [ 0x4, ['unsigned long']],
    'LastEntry' : [ 0x8, ['unsigned long']],
    'NextSlot' : [ 0xc, ['unsigned long']],
    'Wsle' : [ 0x10, ['pointer', ['_MMWSLE']]],
    'LowestPagableAddress' : [ 0x14, ['pointer', ['void']]],
    'LastInitializedWsle' : [ 0x18, ['unsigned long']],
    'NextEstimationSlot' : [ 0x1c, ['unsigned long']],
    'NextAgingSlot' : [ 0x20, ['unsigned long']],
    'EstimatedAvailable' : [ 0x24, ['unsigned long']],
    'GrowthSinceLastEstimate' : [ 0x28, ['unsigned long']],
    'NumberOfCommittedPageTables' : [ 0x2c, ['unsigned long']],
    'VadBitMapHint' : [ 0x30, ['unsigned long']],
    'NonDirectCount' : [ 0x34, ['unsigned long']],
    'LastVadBit' : [ 0x38, ['unsigned long']],
    'MaximumLastVadBit' : [ 0x3c, ['unsigned long']],
    'LastAllocationSizeHint' : [ 0x40, ['unsigned long']],
    'LastAllocationSize' : [ 0x44, ['unsigned long']],
    'NonDirectHash' : [ 0x48, ['pointer', ['_MMWSLE_NONDIRECT_HASH']]],
    'HashTableStart' : [ 0x4c, ['pointer', ['_MMWSLE_HASH']]],
    'HighestPermittedHashAddress' : [ 0x50, ['pointer', ['_MMWSLE_HASH']]],
    'HighestUserAddress' : [ 0x54, ['pointer', ['void']]],
    'UsedPageTableEntries' : [ 0x58, ['array', 768, ['unsigned short']]],
    'CommittedPageTables' : [ 0x658, ['array', 24, ['unsigned long']]],
} ],
  '__unnamed_1454' : [ 0x4, {
    'LongFlags' : [ 0x0, ['unsigned long']],
    'Flags' : [ 0x0, ['_MMSECTION_FLAGS']],
} ],
  '__unnamed_1456' : [ 0x4, {
    'ModifiedWriteCount' : [ 0x0, ['unsigned short']],
    'FlushInProgressCount' : [ 0x2, ['unsigned short']],
} ],
  '__unnamed_1458' : [ 0x4, {
    'e2' : [ 0x0, ['__unnamed_1456']],
} ],
  '__unnamed_1462' : [ 0xc, {
    'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']],
    'ImageRelocationStartBit' : [ 0x0, ['unsigned long']],
    'WritableUserReferences' : [ 0x4, ['long']],
    'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]],
    'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 30, native_type='unsigned long')]],
    'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]],
    'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]],
    'SubsectionRoot' : [ 0x8, ['pointer', ['_MM_SUBSECTION_AVL_TABLE']]],
    'SeImageStub' : [ 0x8, ['pointer', ['_MI_IMAGE_SECURITY_REFERENCE']]],
} ],
  '__unnamed_1464' : [ 0xc, {
    'e2' : [ 0x0, ['__unnamed_1462']],
} ],
  '_CONTROL_AREA' : [ 0x48, {
    'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]],
    'DereferenceList' : [ 0x4, ['_LIST_ENTRY']],
    'NumberOfSectionReferences' : [ 0xc, ['unsigned long']],
    'NumberOfPfnReferences' : [ 0x10, ['unsigned long']],
    'NumberOfMappedViews' : [ 0x14, ['unsigned long']],
    'NumberOfUserReferences' : [ 0x18, ['unsigned long']],
    'u' : [ 0x1c, ['__unnamed_1454']],
    'u1' : [ 0x20, ['__unnamed_1458']],
    'FilePointer' : [ 0x24, ['_EX_FAST_REF']],
    'ControlAreaLock' : [ 0x28, ['long']],
    'StartingFrame' : [ 0x2c, ['unsigned long']],
    'WaitingForDeletion' : [ 0x30, ['pointer', ['_MI_SECTION_CREATION_GATE']]],
    'u2' : [ 0x34, ['__unnamed_1464']],
    'LockedPages' : [ 0x40, ['long long']],
} ],
  '_MMPAGING_FILE' : [ 0x50, {
    'Size' : [ 0x0, ['unsigned long']],
    'MaximumSize' : [ 0x4, ['unsigned long']],
    'MinimumSize' : [ 0x8, ['unsigned long']],
    'FreeSpace' : [ 0xc, ['unsigned long']],
    'PeakUsage' : [ 0x10, ['unsigned long']],
    'HighestPage' : [ 0x14, ['unsigned long']],
    'File' : [ 0x18, ['pointer', ['_FILE_OBJECT']]],
    'Entry' : [ 0x1c, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]],
    'PageFileName' : [ 0x24, ['_UNICODE_STRING']],
    'Bitmap' : [ 0x2c, ['pointer', ['_RTL_BITMAP']]],
    'BitmapHint' : [ 0x30, ['unsigned long']],
    'LastAllocationSize' : [ 0x34, ['unsigned long']],
    'PageFileNumber' : [ 0x38, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]],
    'BootPartition' : [ 0x38, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]],
    'Spare0' : [ 0x38, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]],
    'AdriftMdls' : [ 0x3a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]],
    'Spare1' : [ 0x3a, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]],
    'FileHandle' : [ 0x3c, ['pointer', ['void']]],
    'AvailableList' : [ 0x40, ['_SLIST_HEADER']],
    'NeedProcessingList' : [ 0x48, ['_SLIST_HEADER']],
} ],
  '_MMPAGING_FILE_FREE_ENTRY' : [ 0x8, {
    'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']],
    'FreeBit' : [ 0x4, ['unsigned long']],
} ],
  '_RTL_BITMAP' : [ 0x8, {
    'SizeOfBitMap' : [ 0x0, ['unsigned long']],
    'Buffer' : [ 0x4, ['pointer', ['unsigned long']]],
} ],
  '__unnamed_149d' : [ 0x4, {
    'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]],
    'Parent' : [ 0x0, ['pointer', ['_MMVAD']]],
} ],
  '__unnamed_14a0' : [ 0x4, {
    'LongFlags' : [ 0x0, ['unsigned long']],
    'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']],
} ],
  '__unnamed_14a3' : [ 0x4, {
    'LongFlags3' : [ 0x0, ['unsigned long']],
    'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']],
} ],
  '_MMVAD_SHORT' : [ 0x20, {
    'u1' : [ 0x0, ['__unnamed_149d']],
    'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]],
    'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]],
    'StartingVpn' : [ 0xc, ['unsigned long']],
    'EndingVpn' : [ 0x10, ['unsigned long']],
    'u' : [ 0x14, ['__unnamed_14a0']],
    'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']],
    'u5' : [ 0x1c, ['__unnamed_14a3']],
} ],
  '_MM_AVL_TABLE' : [ 0x20, {
    'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']],
    'DepthOfTree' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]],
    'Unused' : [ 0x14, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]],
    'NumberGenericTableElements' : [ 0x14, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]],
    'NodeHint' : [ 0x18, ['pointer', ['void']]],
    'NodeFreeHint' : [ 0x1c, ['pointer', ['void']]],
} ],
  '__unnamed_14ac' : [ 0x4, {
    'LongFlags2' : [ 0x0, ['unsigned long']],
    'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']],
} ],
  '_MMVAD' : [ 0x30, {
    'u1' : [ 0x0, ['__unnamed_149d']],
    'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]],
    'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]],
    'StartingVpn' : [ 0xc, ['unsigned long']],
    'EndingVpn' : [ 0x10, ['unsigned long']],
    'u' : [ 0x14, ['__unnamed_14a0']],
    'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']],
    'u5' : [ 0x1c, ['__unnamed_14a3']],
    'u2' : [ 0x20, ['__unnamed_14ac']],
    'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]],
    'MappedSubsection' : [ 0x24, ['pointer', ['_MSUBSECTION']]],
    'FirstPrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]],
    'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]],
} ],
  '__unnamed_14be' : [ 0x4, {
    'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]],
    'Parent' : [ 0x0, ['pointer', ['_MMADDRESS_NODE']]],
    'NextToFree' : [ 0x0, ['pointer', ['_MI_PER_SESSION_PROTOS']]],
} ],
  '__unnamed_14c0' : [ 0x4, {
    'ReferenceCount' : [ 0x0, ['unsigned long']],
    'NumberOfPtesToFree' : [ 0x0, ['unsigned long']],
} ],
  '_MI_PER_SESSION_PROTOS' : [ 0x1c, {
    'u1' : [ 0x0, ['__unnamed_14be']],
    'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]],
    'RightChild' : [ 0x8, ['pointer', ['_MMADDRESS_NODE']]],
    'SessionId' : [ 0xc, ['unsigned long']],
    'StartingVpn' : [ 0xc, ['unsigned long']],
    'Subsection' : [ 0xc, ['pointer', ['_SUBSECTION']]],
    'EndingVpn' : [ 0x10, ['unsigned long']],
    'SubsectionBase' : [ 0x14, ['pointer', ['_MMPTE']]],
    'u2' : [ 0x18, ['__unnamed_14c0']],
} ],
  '__unnamed_14c5' : [ 0x4, {
    'LongFlags' : [ 0x0, ['unsigned long']],
    'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']],
} ],
  '_SUBSECTION' : [ 0x20, {
    'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]],
    'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]],
    'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]],
    'PtesInSubsection' : [ 0xc, ['unsigned long']],
    'UnusedPtes' : [ 0x10, ['unsigned long']],
    'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]],
    'u' : [ 0x14, ['__unnamed_14c5']],
    'StartingSector' : [ 0x18, ['unsigned long']],
    'NumberOfFullSectors' : [ 0x1c, ['unsigned long']],
} ],
  '__unnamed_14ce' : [ 0x8, {
    'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']],
} ],
  '__unnamed_14d0' : [ 0x4, {
    'KeepForever' : [ 0x0, ['unsigned long']],
} ],
  '_MMMOD_WRITER_MDL_ENTRY' : [ 0x60, {
    'Links' : [ 0x0, ['_LIST_ENTRY']],
    'u' : [ 0x8, ['__unnamed_14ce']],
    'Irp' : [ 0x10, ['pointer', ['_IRP']]],
    'u1' : [ 0x14, ['__unnamed_14d0']],
    'PagingFile' : [ 0x18, ['pointer', ['_MMPAGING_FILE']]],
    'File' : [ 0x1c, ['pointer', ['_FILE_OBJECT']]],
    'ControlArea' : [ 0x20, ['pointer', ['_CONTROL_AREA']]],
    'FileResource' : [ 0x24, ['pointer', ['_ERESOURCE']]],
    'WriteOffset' : [ 0x28, ['_LARGE_INTEGER']],
    'IssueTime' : [ 0x30, ['_LARGE_INTEGER']],
    'PointerMdl' : [ 0x38, ['pointer', ['_MDL']]],
    'Mdl' : [ 0x3c, ['_MDL']],
    'Page' : [ 0x58, ['array', 1, ['unsigned long']]],
} ],
  '__unnamed_14d9' : [ 0x20, {
    'Mdl' : [ 0x0, ['_MDL']],
    'Page' : [ 0x1c, ['array', 1, ['unsigned long']]],
} ],
  '_MI_PAGEFILE_TRACES' : [ 0x40, {
    'Status' : [ 0x0, ['long']],
    'Priority' : [ 0x4, ['unsigned char']],
    'IrpPriority' : [ 0x5, ['unsigned char']],
    'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']],
    'AvailablePages' : [ 0x10, ['unsigned long']],
    'ModifiedPagesTotal' : [ 0x14, ['unsigned long']],
    'ModifiedPagefilePages' : [ 0x18, ['unsigned long']],
    'ModifiedNoWritePages' : [ 0x1c, ['unsigned long']],
    'MdlHack' : [ 0x20, ['__unnamed_14d9']],
} ],
  '_HHIVE' : [ 0x2e8, {
    'Signature' : [ 0x0, ['unsigned long']],
    'GetCellRoutine' : [ 0x4, ['pointer', ['void']]],
    'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]],
    'Allocate' : [ 0xc, ['pointer', ['void']]],
    'Free' : [ 0x10, ['pointer', ['void']]],
    'FileSetSize' : [ 0x14, ['pointer', ['void']]],
    'FileWrite' : [ 0x18, ['pointer', ['void']]],
    'FileRead' : [ 0x1c, ['pointer', ['void']]],
    'FileFlush' : [ 0x20, ['pointer', ['void']]],
    'BaseBlock' : [ 0x24, ['pointer', ['_HBASE_BLOCK']]],
    'DirtyVector' : [ 0x28, ['_RTL_BITMAP']],
    'DirtyCount' : [ 0x30, ['unsigned long']],
    'DirtyAlloc' : [ 0x34, ['unsigned long']],
    'BaseBlockAlloc' : [ 0x38, ['unsigned long']],
    'Cluster' : [ 0x3c, ['unsigned long']],
    'Flat' : [ 0x40, ['unsigned char']],
    'ReadOnly' : [ 0x41, ['unsigned char']],
    'DirtyFlag' : [ 0x42, ['unsigned char']],
    'HvBinHeadersUse' : [ 0x44, ['unsigned long']],
    'HvFreeCellsUse' : [ 0x48, ['unsigned long']],
    'HvUsedCellsUse' : [ 0x4c, ['unsigned long']],
    'CmUsedCellsUse' : [ 0x50, ['unsigned long']],
    'HiveFlags' : [ 0x54, ['unsigned long']],
    'CurrentLog' : [ 0x58, ['unsigned long']],
    'LogSize' : [ 0x5c, ['array', 2, ['unsigned long']]],
    'RefreshCount' : [ 0x64, ['unsigned long']],
    'StorageTypeCount' : [ 0x68, ['unsigned long']],
    'Version' : [ 0x6c, ['unsigned long']],
    'Storage' : [ 0x70, ['array', 2, ['_DUAL']]],
} ],
  '_iobuf' : [ 0x20, {
    '_ptr' : [ 0x0, ['pointer', ['unsigned char']]],
    '_cnt' : [ 0x4, ['long']],
    '_base' : [ 0x8, ['pointer', ['unsigned char']]],
    '_flag' : [ 0xc, ['long']],
    '_file' : [ 0x10, ['long']],
    '_charbuf' : [ 0x14, ['long']],
    '_bufsiz' : [ 0x18, ['long']],
    '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]],
} ],
  '_CM_VIEW_OF_FILE' : [ 0x30, {
    'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']],
    'PinnedViewLinks' : [ 0x8, ['_LIST_ENTRY']],
    'FlushedViewLinks' : [ 0x10, ['_LIST_ENTRY']],
    'CmHive' : [ 0x18, ['pointer', ['_CMHIVE']]],
    'Bcb' : [ 0x1c, ['pointer', ['void']]],
    'ViewAddress' : [ 0x20, ['pointer', ['void']]],
    'FileOffset' : [ 0x24, ['unsigned long']],
    'Size' : [ 0x28, ['unsigned long']],
    'UseCount' : [ 0x2c, ['unsigned long']],
} ],
  '_TEB' : [ 0xff8, {
    'NtTib' : [ 0x0, ['_NT_TIB']],
    'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]],
    'ClientId' : [ 0x20, ['_CLIENT_ID']],
    'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]],
    'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]],
    'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]],
    'LastErrorValue' : [ 0x34, ['unsigned long']],
    'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']],
    'CsrClientThread' : [ 0x3c, ['pointer', ['void']]],
    'Win32ThreadInfo' : [ 0x40, ['pointer', ['void']]],
    'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]],
    'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]],
    'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]],
    'CurrentLocale' : [ 0xc4, ['unsigned long']],
    'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']],
    'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]],
    'ExceptionCode' : [ 0x1a4, ['long']],
    'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]],
    'SpareBytes1' : [ 0x1ac, ['array', 36, ['unsigned char']]],
    'TxFsContext' : [ 0x1d0, ['unsigned long']],
    'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']],
    'RealClientId' : [ 0x6b4, ['_CLIENT_ID']],
    'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]],
    'GdiClientPID' : [ 0x6c0, ['unsigned long']],
    'GdiClientTID' : [ 0x6c4, ['unsigned long']],
    'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]],
    'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]],
    'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]],
    'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]],
    'glReserved2' : [ 0xbdc, ['pointer', ['void']]],
    'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]],
    'glSection' : [ 0xbe4, ['pointer', ['void']]],
    'glTable' : [ 0xbe8, ['pointer', ['void']]],
    'glCurrentRC' : [ 0xbec, ['pointer', ['void']]],
    'glContext' : [ 0xbf0, ['pointer', ['void']]],
    'LastStatusValue' : [ 0xbf4, ['unsigned long']],
    'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']],
    'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]],
    'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]],
    'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]],
    'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']],
    'Vdm' : [ 0xf18, ['pointer', ['void']]],
    'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]],
    'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]],
    'HardErrorMode' : [ 0xf28, ['unsigned long']],
    'Instrumentation' : [ 0xf2c, ['array', 9, ['pointer', ['void']]]],
    'ActivityId' : [ 0xf50, ['_GUID']],
    'SubProcessTag' : [ 0xf60, ['pointer', ['void']]],
    'EtwLocalData' : [ 0xf64, ['pointer', ['void']]],
    'EtwTraceData' : [ 0xf68, ['pointer', ['void']]],
    'WinSockData' : [ 0xf6c, ['pointer', ['void']]],
    'GdiBatchCount' : [ 0xf70, ['unsigned long']],
    'SpareBool0' : [ 0xf74, ['unsigned char']],
    'SpareBool1' : [ 0xf75, ['unsigned char']],
    'SpareBool2' : [ 0xf76, ['unsigned char']],
    'IdealProcessor' : [ 0xf77, ['unsigned char']],
    'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']],
    'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]],
    'ReservedForOle' : [ 0xf80, ['pointer', ['void']]],
    'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']],
    'SavedPriorityState' : [ 0xf88, ['pointer', ['void']]],
    'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']],
    'ThreadPoolData' : [ 0xf90, ['pointer', ['void']]],
    'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]],
    'ImpersonationLocale' : [ 0xf98, ['unsigned long']],
    'IsImpersonating' : [ 0xf9c, ['unsigned long']],
    'NlsCache' : [ 0xfa0, ['pointer', ['void']]],
    'pShimData' : [ 0xfa4, ['pointer', ['void']]],
    'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']],
    'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]],
    'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]],
    'FlsData' : [ 0xfb4, ['pointer', ['void']]],
    'PreferredLanguages' : [ 0xfb8, ['pointer', ['void']]],
    'UserPrefLanguages' : [ 0xfbc, ['pointer', ['void']]],
    'MergedPrefLanguages' : [ 0xfc0, ['pointer', ['void']]],
    'MuiImpersonation' : [ 0xfc4, ['unsigned long']],
    'CrossTebFlags' : [ 0xfc8, ['unsigned short']],
    'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]],
    'SameTebFlags' : [ 0xfca, ['unsigned short']],
    'DbgSafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]],
    'DbgInDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]],
    'DbgHasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]],
    'DbgSkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]],
    'DbgWerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]],
    'DbgRanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]],
    'DbgClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]],
    'DbgSuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]],
    'RtlDisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]],
    'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]],
    'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 16, native_type='unsigned short')]],
    'TxnScopeEnterCallback' : [ 0xfcc, ['pointer', ['void']]],
    'TxnScopeExitCallback' : [ 0xfd0, ['pointer', ['void']]],
    'TxnScopeContext' : [ 0xfd4, ['pointer', ['void']]],
    'LockCount' : [ 0xfd8, ['unsigned long']],
    'ProcessRundown' : [ 0xfdc, ['unsigned long']],
    'LastSwitchTime' : [ 0xfe0, ['unsigned long long']],
    'TotalSwitchOutTime' : [ 0xfe8, ['unsigned long long']],
    'WaitReasonBitMap' : [ 0xff0, ['_LARGE_INTEGER']],
} ],
  '_KTIMER' : [ 0x28, {
    'Header' : [ 0x0, ['_DISPATCHER_HEADER']],
    'DueTime' : [ 0x10, ['_ULARGE_INTEGER']],
    'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']],
    'Dpc' : [ 0x20, ['pointer', ['_KDPC']]],
    'Period' : [ 0x24, ['long']],
} ],
  '_KEVENT' : [ 0x10, {
    'Header' : [ 0x0, ['_DISPATCHER_HEADER']],
} ],
  '_KLOCK_QUEUE_HANDLE' : [ 0xc, {
    'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']],
    'OldIrql' : [ 0x8, ['unsigned char']],
} ],
  '_KSPIN_LOCK_QUEUE' : [ 0x8, {
    'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]],
    'Lock' : [ 0x4, ['pointer', ['unsigned long']]],
} ],
  '_KQUEUE' : [ 0x28, {
    'Header' : [ 0x0, ['_DISPATCHER_HEADER']],
    'EntryListHead' : [ 0x10, ['_LIST_ENTRY']],
    'CurrentCount' : [ 0x18, ['unsigned long']],
    'MaximumCount' : [ 0x1c, ['unsigned long']],
    'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']],
} ],
  '_KWAIT_BLOCK' : [ 0x18, {
    'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']],
    'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]],
    'Object' : [ 0xc, ['pointer', ['void']]],
    'NextWaitBlock' : [ 0x10, ['pointer', ['_KWAIT_BLOCK']]],
    'WaitKey' : [ 0x14, ['unsigned short']],
    'WaitType' : [ 0x16, ['unsigned char']],
    'SpareByte' : [ 0x17, ['unsigned char']],
} ],
  '_KTIMER_TABLE_ENTRY' : [ 0x10, {
    'Entry' : [ 0x0, ['_LIST_ENTRY']],
    'Time' : [ 0x8, ['_ULARGE_INTEGER']],
} ],
  '__unnamed_15ab' : [ 0x8, {
    'IdleTransitionTime' : [ 0x0, ['unsigned long long']],
} ],
  '__unnamed_15ad' : [ 0x8, {
    'LastIdleCheck' : [ 0x0, ['unsigned long long']],
} ],
  '__unnamed_15b4' : [ 0x2, {
    'AsUSHORT' : [ 0x0, ['unsigned short']],
    'PStateDomain' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]],
    'PStateDomainIdleAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]],
    'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]],
} ],
  '_PROCESSOR_POWER_STATE' : [ 0xc8, {
    'IdleStates' : [ 0x0, ['pointer', ['_PPM_IDLE_STATES']]],
    'LastTimeCheck' : [ 0x8, ['unsigned long long']],
    'IdleTimeAccumulated' : [ 0x10, ['unsigned long long']],
    'Native' : [ 0x18, ['__unnamed_15ab']],
    'Hv' : [ 0x18, ['__unnamed_15ad']],
    'IdleAccounting' : [ 0x20, ['pointer', ['PPM_IDLE_ACCOUNTING']]],
    'PerfStates' : [ 0x24, ['pointer', ['_PPM_PERF_STATES']]],
    'LastKernelUserTime' : [ 0x28, ['unsigned long']],
    'LastIdleThreadKTime' : [ 0x2c, ['unsigned long']],
    'LastGlobalTimeHv' : [ 0x30, ['unsigned long long']],
    'LastProcessorTimeHv' : [ 0x38, ['unsigned long long']],
    'ThermalConstraint' : [ 0x40, ['unsigned char']],
    'LastBusyPercentage' : [ 0x41, ['unsigned char']],
    'Flags' : [ 0x42, ['__unnamed_15b4']],
    'PerfTimer' : [ 0x48, ['_KTIMER']],
    'PerfDpc' : [ 0x70, ['_KDPC']],
    'LastSysTime' : [ 0x90, ['unsigned long']],
    'PStateMaster' : [ 0x94, ['pointer', ['_KPRCB']]],
    'PStateSet' : [ 0x98, ['unsigned long']],
    'CurrentPState' : [ 0x9c, ['unsigned long']],
    'DesiredPState' : [ 0xa0, ['unsigned long']],
    'PStateIdleStartTime' : [ 0xa4, ['unsigned long']],
    'PStateIdleTime' : [ 0xa8, ['unsigned long']],
    'LastPStateIdleTime' : [ 0xac, ['unsigned long']],
    'PStateStartTime' : [ 0xb0, ['unsigned long']],
    'DiaIndex' : [ 0xb4, ['unsigned long']],
    'Reserved0' : [ 0xb8, ['unsigned long']],
    'WmiDispatchPtr' : [ 0xbc, ['unsigned long']],
    'WmiInterfaceEnabled' : [ 0xc0, ['long']],
} ],
  '__unnamed_15bb' : [ 0x208, {
    'FnArea' : [ 0x0, ['_FNSAVE_FORMAT']],
    'FxArea' : [ 0x0, ['_FXSAVE_FORMAT']],
} ],
  '_FX_SAVE_AREA' : [ 0x210, {
    'U' : [ 0x0, ['__unnamed_15bb']],
    'NpxSavedCpu' : [ 0x208, ['unsigned long']],
    'Cr0NpxState' : [ 0x20c, ['unsigned long']],
} ],
  '_KERNEL_STACK_CONTROL' : [ 0x1c, {
    'PreviousTrapFrame' : [ 0x0, ['pointer', ['_KTRAP_FRAME']]],
    'PreviousExceptionList' : [ 0x0, ['pointer', ['void']]],
    'StackControlFlags' : [ 0x4, ['unsigned long']],
    'PreviousLargeStack' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'PreviousSegmentsPresent' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'ExpandCalloutStack' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]],
    'Previous' : [ 0x8, ['_KERNEL_STACK_SEGMENT']],
} ],
  '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x2c, {
    'SpinLock' : [ 0x0, ['unsigned long']],
    'DispatchedCount' : [ 0x4, ['unsigned long']],
    'DispatchedList' : [ 0x8, ['_LIST_ENTRY']],
    'CompletedSemaphore' : [ 0x10, ['_KSEMAPHORE']],
    'CompletedList' : [ 0x24, ['_LIST_ENTRY']],
} ],
  '__unnamed_15e4' : [ 0x28, {
    'ListEntry' : [ 0x0, ['_LIST_ENTRY']],
    'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']],
} ],
  '_DEVICE_OBJECT' : [ 0xb8, {
    'Type' : [ 0x0, ['short']],
    'Size' : [ 0x2, ['unsigned short']],
    'ReferenceCount' : [ 0x4, ['long']],
    'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]],
    'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]],
    'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]],
    'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]],
    'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]],
    'Flags' : [ 0x1c, ['unsigned long']],
    'Characteristics' : [ 0x20, ['unsigned long']],
    'Vpb' : [ 0x24, ['pointer', ['_VPB']]],
    'DeviceExtension' : [ 0x28, ['pointer', ['void']]],
    'DeviceType' : [ 0x2c, ['unsigned long']],
    'StackSize' : [ 0x30, ['unsigned char']],
    'Queue' : [ 0x34, ['__unnamed_15e4']],
    'AlignmentRequirement' : [ 0x5c, ['unsigned long']],
    'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']],
    'Dpc' : [ 0x74, ['_KDPC']],
    'ActiveThreadCount' : [ 0x94, ['unsigned long']],
    'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]],
    'DeviceLock' : [ 0x9c, ['_KEVENT']],
    'SectorSize' : [ 0xac, ['unsigned short']],
    'Spare1' : [ 0xae, ['unsigned short']],
    'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]],
    'Reserved' : [ 0xb4, ['pointer', ['void']]],
} ],
  '__unnamed_15f6' : [ 0x4, {
    'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]],
    'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]],
    'Information' : [ 0x0, ['pointer', ['void']]],
} ],
  '__unnamed_15f8' : [ 0x4, {
    'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]],
} ],
  '__unnamed_15fc' : [ 0x10, {
    'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]],
    'ListEntry' : [ 0x4, ['_LIST_ENTRY']],
    'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]],
} ],
  '_DEVICE_NODE' : [ 0x158, {
    'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]],
    'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]],
    'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]],
    'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]],
    'Level' : [ 0x10, ['unsigned long']],
    'Notify' : [ 0x14, ['_PO_DEVICE_NOTIFY']],
    'PoIrpManager' : [ 0x38, ['_PO_IRP_MANAGER']],
    'State' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]],
    'PreviousState' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]],
    'StateHistory' : [ 0x50, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]],
    'StateHistoryEntry' : [ 0xa0, ['unsigned long']],
    'CompletionStatus' : [ 0xa4, ['long']],
    'PendingIrp' : [ 0xa8, ['pointer', ['_IRP']]],
    'Flags' : [ 0xac, ['unsigned long']],
    'UserFlags' : [ 0xb0, ['unsigned long']],
    'Problem' : [ 0xb4, ['unsigned long']],
    'PhysicalDeviceObject' : [ 0xb8, ['pointer', ['_DEVICE_OBJECT']]],
    'ResourceList' : [ 0xbc, ['pointer', ['_CM_RESOURCE_LIST']]],
    'ResourceListTranslated' : [ 0xc0, ['pointer', ['_CM_RESOURCE_LIST']]],
    'InstancePath' : [ 0xc4, ['_UNICODE_STRING']],
    'ServiceName' : [ 0xcc, ['_UNICODE_STRING']],
    'DuplicatePDO' : [ 0xd4, ['pointer', ['_DEVICE_OBJECT']]],
    'ResourceRequirements' : [ 0xd8, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]],
    'InterfaceType' : [ 0xdc, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]],
    'BusNumber' : [ 0xe0, ['unsigned long']],
    'ChildInterfaceType' : [ 0xe4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]],
    'ChildBusNumber' : [ 0xe8, ['unsigned long']],
    'ChildBusTypeIndex' : [ 0xec, ['unsigned short']],
    'RemovalPolicy' : [ 0xee, ['unsigned char']],
    'HardwareRemovalPolicy' : [ 0xef, ['unsigned char']],
    'TargetDeviceNotify' : [ 0xf0, ['_LIST_ENTRY']],
    'DeviceArbiterList' : [ 0xf8, ['_LIST_ENTRY']],
    'DeviceTranslatorList' : [ 0x100, ['_LIST_ENTRY']],
    'NoTranslatorMask' : [ 0x108, ['unsigned short']],
    'QueryTranslatorMask' : [ 0x10a, ['unsigned short']],
    'NoArbiterMask' : [ 0x10c, ['unsigned short']],
    'QueryArbiterMask' : [ 0x10e, ['unsigned short']],
    'OverUsed1' : [ 0x110, ['__unnamed_15f6']],
    'OverUsed2' : [ 0x114, ['__unnamed_15f8']],
    'BootResources' : [ 0x118, ['pointer', ['_CM_RESOURCE_LIST']]],
    'BootResourcesTranslated' : [ 0x11c, ['pointer', ['_CM_RESOURCE_LIST']]],
    'CapabilityFlags' : [ 0x120, ['unsigned long']],
    'DockInfo' : [ 0x124, ['__unnamed_15fc']],
    'DisableableDepends' : [ 0x134, ['unsigned long']],
    'PendedSetInterfaceState' : [ 0x138, ['_LIST_ENTRY']],
    'LegacyBusListEntry' : [ 0x140, ['_LIST_ENTRY']],
    'DriverUnloadRetryCount' : [ 0x148, ['unsigned long']],
    'PreviousParent' : [ 0x14c, ['pointer', ['_DEVICE_NODE']]],
    'DeletedChildren' : [ 0x150, ['unsigned long']],
    'NumaNodeIndex' : [ 0x154, ['unsigned long']],
} ],
  '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0xc, {
    'IncludeFailedDevices' : [ 0x0, ['unsigned long']],
    'DeviceCount' : [ 0x4, ['unsigned long']],
    'DeviceList' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]],
} ],
  '_PNP_RESOURCE_REQUEST' : [ 0x28, {
    'PhysicalDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]],
    'Flags' : [ 0x4, ['unsigned long']],
    'AllocationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]],
    'Priority' : [ 0xc, ['unsigned long']],
    'Position' : [ 0x10, ['unsigned long']],
    'ResourceRequirements' : [ 0x14, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]],
    'ReqList' : [ 0x18, ['pointer', ['void']]],
    'ResourceAssignment' : [ 0x1c, ['pointer', ['_CM_RESOURCE_LIST']]],
    'TranslatedResourceAssignment' : [ 0x20, ['pointer', ['_CM_RESOURCE_LIST']]],
    'Status' : [ 0x24, ['long']],
} ],
  '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, {
    'ListSize' : [ 0x0, ['unsigned long']],
    'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]],
    'BusNumber' : [ 0x8, ['unsigned long']],
    'SlotNumber' : [ 0xc, ['unsigned long']],
    'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]],
    'AlternativeLists' : [ 0x1c, ['unsigned long']],
    'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]],
} ],
  '_EXCEPTION_RECORD64' : [ 0x98, {
    'ExceptionCode' : [ 0x0, ['long']],
    'ExceptionFlags' : [ 0x4, ['unsigned long']],
    'ExceptionRecord' : [ 0x8, ['unsigned long long']],
    'ExceptionAddress' : [ 0x10, ['unsigned long long']],
    'NumberParameters' : [ 0x18, ['unsigned long']],
    '__unusedAlignment' : [ 0x1c, ['unsigned long']],
    'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]],
} ],
  '_EXCEPTION_RECORD32' : [ 0x50, {
    'ExceptionCode' : [ 0x0, ['long']],
    'ExceptionFlags' : [ 0x4, ['unsigned long']],
    'ExceptionRecord' : [ 0x8, ['unsigned long']],
    'ExceptionAddress' : [ 0xc, ['unsigned long']],
    'NumberParameters' : [ 0x10, ['unsigned long']],
    'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]],
} ],
  '_DBGKM_EXCEPTION64' : [ 0xa0, {
    'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']],
    'FirstChance' : [ 0x98, ['unsigned long']],
} ],
  '_DBGKM_EXCEPTION32' : [ 0x54, {
    'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']],
    'FirstChance' : [ 0x50, ['unsigned long']],
} ],
  '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, {
    'PathNameLength' : [ 0x0, ['unsigned long']],
    'BaseOfDll' : [ 0x8, ['unsigned long long']],
    'ProcessId' : [ 0x10, ['unsigned long long']],
    'CheckSum' : [ 0x18, ['unsigned long']],
    'SizeOfImage' : [ 0x1c, ['unsigned long']],
    'UnloadSymbols' : [ 0x20, ['unsigned char']],
} ],
  '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, {
    'PathNameLength' : [ 0x0, ['unsigned long']],
    'BaseOfDll' : [ 0x4, ['unsigned long']],
    'ProcessId' : [ 0x8, ['unsigned long']],
    'CheckSum' : [ 0xc, ['unsigned long']],
    'SizeOfImage' : [ 0x10, ['unsigned long']],
    'UnloadSymbols' : [ 0x14, ['unsigned char']],
} ],
  '_DBGKD_READ_MEMORY64' : [ 0x10, {
    'TargetBaseAddress' : [ 0x0, ['unsigned long long']],
    'TransferCount' : [ 0x8, ['unsigned long']],
    'ActualBytesRead' : [ 0xc, ['unsigned long']],
} ],
  '_DBGKD_READ_MEMORY32' : [ 0xc, {
    'TargetBaseAddress' : [ 0x0, ['unsigned long']],
    'TransferCount' : [ 0x4, ['unsigned long']],
    'ActualBytesRead' : [ 0x8, ['unsigned long']],
} ],
  '_DBGKD_WRITE_MEMORY64' : [ 0x10, {
    'TargetBaseAddress' : [ 0x0, ['unsigned long long']],
    'TransferCount' : [ 0x8, ['unsigned long']],
    'ActualBytesWritten' : [ 0xc, ['unsigned long']],
} ],
  '_DBGKD_WRITE_MEMORY32' : [ 0xc, {
    'TargetBaseAddress' : [ 0x0, ['unsigned long']],
    'TransferCount' : [ 0x4, ['unsigned long']],
    'ActualBytesWritten' : [ 0x8, ['unsigned long']],
} ],
  '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, {
    'BreakPointAddress' : [ 0x0, ['unsigned long long']],
    'BreakPointHandle' : [ 0x8, ['unsigned long']],
} ],
  '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, {
    'BreakPointAddress' : [ 0x0, ['unsigned long']],
    'BreakPointHandle' : [ 0x4, ['unsigned long']],
} ],
  '_DBGKD_READ_WRITE_IO64' : [ 0x10, {
    'IoAddress' : [ 0x0, ['unsigned long long']],
    'DataSize' : [ 0x8, ['unsigned long']],
    'DataValue' : [ 0xc,
['unsigned long']], } ],
'_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ],
'_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ],
'_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ],
'_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ],
'_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ],
'_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ],
'_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ],
'_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ],
'_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ],
'__unnamed_16a1' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ],
'_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_16a1']], } ],
'__unnamed_16a8' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0,
['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ],
'_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_16a8']], } ],
'_POP_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ],
'_VOLUME_CACHE_MAP' : [ 0x18, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0xc, ['_LIST_ENTRY']], 'Flags' : [ 0x14, ['unsigned long']], } ],
'_SHARED_CACHE_MAP' : [ 0x140, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObjectFastRef' : [ 0x44, ['_EX_FAST_REF']], 'ActiveVacb' : [ 0x48, ['pointer', ['_VACB']]], 'NeedToZero' : [ 0x4c, ['pointer', ['void']]], 'ActivePage' : [ 0x50, ['unsigned long']], 'NeedToZeroPage' : [ 0x54, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x58, ['unsigned long']], 'VacbActiveCount' : [ 0x5c, ['unsigned long']], 'DirtyPages' : [ 0x60, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x64, ['_LIST_ENTRY']], 'Flags' : [ 0x6c, ['unsigned long']], 'Status' : [ 0x70, ['long']], 'Mbcb' : [ 0x74, ['pointer', ['_MBCB']]], 'Section' : [ 0x78, ['pointer', ['void']]], 'CreateEvent' : [ 0x7c, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x80, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x84, ['unsigned long']], 'BeyondLastFlush' : [ 0x88, ['long long']], 'Callbacks' : [ 0x90, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x94, ['pointer', ['void']]], 'PrivateList' : [ 0x98, ['_LIST_ENTRY']], 'LogHandle' : [ 0xa0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0xa4, ['pointer', ['void']]], 'DirtyPageThreshold' : [ 0xa8, ['unsigned long']], 'LazyWritePassCount' : [ 0xac, ['unsigned long']], 'UninitializeEvent' : [ 0xb0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0xb4, ['pointer', ['_VACB']]], 'BcbSpinLock' : [ 0xb8, ['unsigned long']], 'Reserved' : [ 0xbc, ['pointer', ['void']]], 'Event' : [ 0xc0, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0xd0, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0xd8, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x130, ['pointer', ['void']]], 'VolumeCacheMap' : [ 0x134, ['pointer', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x138, ['unsigned long']], 'MappedWritesInProgress' : [ 0x13c, ['unsigned long']], } ],
'__unnamed_16f0' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ],
'_VACB' : [ 0x20, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_16f0']], 'LruList' : [ 0x10, ['_LIST_ENTRY']], 'ArrayHead' : [ 0x18, ['pointer', ['_VACB_ARRAY_HEADER']]], } ],
'__unnamed_16fe' : [ 0x4, { 'FileObject' : [
0x0, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_1700' : [ 0x4, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1702' : [ 0x4, { 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], } ], '__unnamed_1704' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_1706' : [ 0x4, { 'Read' : [ 0x0, ['__unnamed_16fe']], 'Write' : [ 0x0, ['__unnamed_1700']], 'Event' : [ 0x0, ['__unnamed_1702']], 'Notification' : [ 0x0, ['__unnamed_1704']], } ], '_WORK_QUEUE_ENTRY' : [ 0x18, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'CoalescedWorkQueueLinks' : [ 0x8, ['_LIST_ENTRY']], 'Parameters' : [ 0x10, ['__unnamed_1706']], 'Function' : [ 0x14, ['unsigned char']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_HEAP_LIST_LOOKUP' : [ 0x24, { 'ExtendedLookup' : [ 0x0, ['pointer', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x4, ['unsigned long']], 'ExtraItem' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['unsigned long']], 'OutOfRangeItems' : [ 0x10, ['unsigned long']], 'BaseIndex' : [ 0x14, ['unsigned long']], 'ListHead' : [ 0x18, ['pointer', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x1c, ['pointer', ['unsigned long']]], 'ListHints' : [ 0x20, ['pointer', ['pointer', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x130, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, 
['_LIST_ENTRY']], 'Flags' : [ 0x40, ['unsigned long']], 'ForceFlags' : [ 0x44, ['unsigned long']], 'CompatibilityFlags' : [ 0x48, ['unsigned long']], 'EncodeFlagMask' : [ 0x4c, ['unsigned long']], 'Encoding' : [ 0x50, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x58, ['unsigned long']], 'Interceptor' : [ 0x5c, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x60, ['unsigned long']], 'Signature' : [ 0x64, ['unsigned long']], 'SegmentReserve' : [ 0x68, ['unsigned long']], 'SegmentCommit' : [ 0x6c, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x70, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x74, ['unsigned long']], 'TotalFreeSize' : [ 0x78, ['unsigned long']], 'MaximumAllocationSize' : [ 0x7c, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x80, ['unsigned short']], 'HeaderValidateLength' : [ 0x82, ['unsigned short']], 'HeaderValidateCopy' : [ 0x84, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x88, ['unsigned short']], 'MaximumTagIndex' : [ 0x8a, ['unsigned short']], 'TagEntries' : [ 0x8c, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0x90, ['_LIST_ENTRY']], 'AlignRound' : [ 0x98, ['unsigned long']], 'AlignMask' : [ 0x9c, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0xa0, ['_LIST_ENTRY']], 'SegmentList' : [ 0xa8, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0xb0, ['unsigned short']], 'NonDedicatedListLength' : [ 0xb4, ['unsigned long']], 'BlocksIndex' : [ 0xb8, ['pointer', ['void']]], 'UCRIndex' : [ 0xbc, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0xc0, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0xc4, ['_LIST_ENTRY']], 'LockVariable' : [ 0xcc, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xd0, ['pointer', ['void']]], 'FrontEndHeap' : [ 0xd4, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0xd8, ['unsigned short']], 'FrontEndHeapType' : [ 0xda, ['unsigned char']], 'Counters' : [ 0xdc, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x124, ['_HEAP_TUNING_PARAMETERS']], } ], '_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, 
['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x40, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 
'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x68, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'LoadedImports' : [ 0x44, ['pointer', ['void']]], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x4c, ['pointer', ['void']]], 'ForwarderLinks' : [ 0x50, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0x58, ['_LIST_ENTRY']], 'StaticLinks' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_SUBSEGMENT' : [ 0x20, { 'LocalInfo' : [ 0x0, ['pointer', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x4, ['pointer', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x8, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x10, ['unsigned short']], 'Flags' : [ 0x12, ['unsigned short']], 'BlockCount' : [ 0x14, ['unsigned short']], 'SizeIndex' : [ 0x16, ['unsigned char']], 'AffinityIndex' : [ 0x17, ['unsigned char']], 'Alignment' : [ 0x10, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 
'Lock' : [ 0x1c, ['unsigned long']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x280, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x8, ['pointer', ['void']]], 'LoggerThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'LoggerStatus' : [ 0x10, ['long']], 'LoggerId' : [ 0x14, ['unsigned long']], 'NBQHead' : [ 0x18, ['pointer', ['void']]], 'OverflowNBQHead' : [ 0x1c, ['pointer', ['void']]], 'QueueBlockFreeList' : [ 0x20, ['_SLIST_HEADER']], 'GlobalList' : [ 0x28, ['_SLIST_HEADER']], 'BatchedBufferList' : [ 0x30, ['pointer', ['_WMI_BUFFER_HEADER']]], 'LoggerName' : [ 0x34, ['_UNICODE_STRING']], 'LogFileName' : [ 0x3c, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x44, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x4c, ['_UNICODE_STRING']], 'ClockType' : [ 0x54, ['unsigned long']], 'CollectionOn' : [ 0x58, ['long']], 'MaximumFileSize' : [ 0x5c, ['unsigned long']], 'LoggerMode' : [ 0x60, ['unsigned long']], 'LastFlushedBuffer' : [ 0x64, ['unsigned long']], 'FlushTimer' : [ 0x68, ['unsigned long']], 'FlushThreshold' : [ 0x6c, ['unsigned long']], 'ByteOffset' : [ 0x70, ['_LARGE_INTEGER']], 'FlushTimeStamp' : [ 0x78, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0x80, ['unsigned long']], 'BuffersAvailable' : [ 0x84, ['long']], 'NumberOfBuffers' : [ 0x88, ['long']], 'MaximumBuffers' : [ 0x8c, ['unsigned long']], 'EventsLost' : [ 0x90, ['unsigned long']], 'BuffersWritten' : 
[ 0x94, ['unsigned long']], 'LogBuffersLost' : [ 0x98, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0x9c, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xa0, ['unsigned long']], 'BufferSize' : [ 0xa4, ['unsigned long']], 'MaximumEventSize' : [ 0xa8, ['unsigned long']], 'SequencePtr' : [ 0xac, ['pointer', ['long']]], 'LocalSequence' : [ 0xb0, ['unsigned long']], 'InstanceGuid' : [ 0xb4, ['_GUID']], 'GetCpuClock' : [ 0xc4, ['pointer', ['void']]], 'FileCounter' : [ 0xc8, ['long']], 'BufferCallback' : [ 0xcc, ['pointer', ['void']]], 'PoolType' : [ 0xd0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0xd8, ['_ETW_REF_CLOCK']], 'RealtimeLoggerContextFreed' : [ 0xe8, ['unsigned char']], 'Consumers' : [ 0xec, ['_LIST_ENTRY']], 'NumConsumers' : [ 0xf4, ['unsigned long']], 'Connecting' : [ 0xf8, ['_LIST_ENTRY']], 'NewConsumer' : [ 0x100, ['unsigned char']], 'RealtimeLogfileHandle' : [ 0x104, ['pointer', ['void']]], 'RealtimeLogfileName' : [ 0x108, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x110, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x118, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x120, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x128, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x130, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x138, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x140, ['_ETW_REF_CLOCK']], 'RealtimeDisconnectProcessId' : [ 0x150, ['unsigned long']], 'RealtimeDisconnectConsumerId' : [ 0x154, ['unsigned long']], 'NewRTEventsLost' : [ 0x158, 
['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x15c, ['_KEVENT']], 'FlushEvent' : [ 0x16c, ['_KEVENT']], 'FlushDpc' : [ 0x17c, ['_KDPC']], 'LoggerMutex' : [ 0x19c, ['_KMUTANT']], 'LoggerLock' : [ 0x1bc, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x1c0, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x1fc, ['_EX_FAST_REF']], 'DummyBufferForMarker' : [ 0x200, ['_WMI_BUFFER_HEADER']], 'BufferSequenceNumber' : [ 0x248, ['long long']], 'AcceptNewEvents' : [ 0x250, ['long']], 'Flags' : [ 0x254, ['unsigned long']], 'Persistent' : [ 0x254, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x254, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x254, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x254, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x254, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x254, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x254, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'RequestFlag' : [ 0x258, ['unsigned long']], 'RequestNewFie' : [ 0x258, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RequestUpdateFile' : [ 0x258, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x258, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 0x258, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequestDisconnectConsumer' : [ 0x258, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'StackTraceFilterHookCount' : [ 
0x25c, ['unsigned short']], 'StackTraceFilter' : [ 0x25e, ['array', 16, ['unsigned short']]], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'Wnode' : [ 0x0, ['_WNODE_HEADER']], 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'Padding0' : [ 0x20, ['array', 2, ['unsigned long']]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'StartTime' : [ 0x38, ['_LARGE_INTEGER']], 'Entry' : [ 0x38, ['_LIST_ENTRY']], 'Padding2' : [ 0x38, ['pointer', ['void']]], 'GlobalEntry' : [ 0x3c, ['_SINGLE_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer', ['void']]], 'Pointer1' : [ 0x3c, ['pointer', ['void']]], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 
'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, ['unsigned long long']], 'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], } ], '_TRACE_ENABLE_CONTEXT_EX' : [ 0x10, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], 'EnableFlagsHigh' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_ETW_GUID_ENTRY' : [ 0x158, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x8, ['long']], 'Guid' : [ 0xc, ['_GUID']], 'RegListHead' : [ 0x1c, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x24, ['pointer', ['void']]], 'LastEnable' : [ 0x28, ['_ETW_LAST_ENABLE_INFO']], 'ProviderEnableInfo' : [ 0x38, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x58, ['array', 8, ['_TRACE_ENABLE_INFO']]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '__unnamed_17f1' : [ 0x4, { 'DataLength' : [ 0x0, 
['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_17f3' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_17f1']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_17f5' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_17f7' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_17f5']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_17f3']], 'u2' : [ 0x4, ['__unnamed_17f7']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_BLOB_TYPE' : [ 0x24, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'CreatedObjects' : [ 0xc, ['unsigned long']], 'DeletedObjects' : [ 0x10, ['unsigned long']], 'DeleteProcedure' : [ 0x14, ['pointer', ['void']]], 'DestroyProcedure' : [ 0x18, ['pointer', ['void']]], 'UsualSize' : [ 0x1c, ['unsigned long']], 'LookasideIndex' : [ 0x20, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_180e' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1810' : [ 0x1, { 's1' : [ 0x0, 
['__unnamed_180e']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x18, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'u1' : [ 0x8, ['__unnamed_1810']], 'ResourceId' : [ 0x9, ['unsigned char']], 'CachedReferences' : [ 0xa, ['short']], 'ReferenceCount' : [ 0xc, ['long']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'Pad' : [ 0x14, ['unsigned long']], } ], '__unnamed_1818' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_181a' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1818']], } ], '_KALPC_SECTION' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_181a']], 'SectionObject' : [ 0x4, ['pointer', ['void']]], 'Size' : [ 0x8, ['unsigned long']], 'HandleTable' : [ 0xc, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0x10, ['pointer', ['void']]], 'OwnerProcess' : [ 0x14, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0x18, ['pointer', ['_ALPC_PORT']]], 'NumberOfRegions' : [ 0x1c, ['unsigned long']], 'RegionListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '__unnamed_1827' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_1829' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1827']], } ], '_KALPC_REGION' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_1829']], 'RegionListEntry' : [ 0x4, ['_LIST_ENTRY']], 'Section' : [ 0xc, ['pointer', ['_KALPC_SECTION']]], 'Offset' : [ 0x10, ['unsigned long']], 'Size' : [ 0x14, ['unsigned long']], 'ViewSize' : [ 0x18, ['unsigned long']], 'ReadOnlyView' : [ 0x1c, ['pointer', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x20, ['pointer', ['_KALPC_VIEW']]], 'NumberOfViews' : [ 0x24, ['unsigned long']], 'ViewListHead' : [ 0x28, ['_LIST_ENTRY']], } ], '__unnamed_182f' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, 
['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '__unnamed_1831' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_182f']], } ], '_KALPC_VIEW' : [ 0x34, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'u1' : [ 0x8, ['__unnamed_1831']], 'Region' : [ 0xc, ['pointer', ['_KALPC_REGION']]], 'OwnerPort' : [ 0x10, ['pointer', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x14, ['pointer', ['_EPROCESS']]], 'Address' : [ 0x18, ['pointer', ['void']]], 'Size' : [ 0x1c, ['unsigned long']], 'SecureViewHandle' : [ 0x20, ['pointer', ['void']]], 'WriteAccessHandle' : [ 0x24, ['pointer', ['void']]], 'NumberOfOwnerMessages' : [ 0x28, ['unsigned long']], 'ProcessViewListEntry' : [ 0x2c, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x24, { 'ConnectionPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x4, ['pointer', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'CommunicationList' : [ 0xc, ['_LIST_ENTRY']], 'HandleTable' : [ 0x14, ['_ALPC_HANDLE_TABLE']], } ], '__unnamed_1849' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 
0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_184b' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1849']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0xf4, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'SequenceNo' : [ 0x10, ['unsigned long']], 'CompletionPort' : [ 0x14, ['pointer', ['void']]], 'CompletionKey' : [ 0x18, ['pointer', ['void']]], 'CompletionPacketLookaside' : [ 0x1c, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x20, ['pointer', ['void']]], 'StaticSecurity' : [ 0x24, ['_SECURITY_CLIENT_CONTEXT']], 'MainQueue' : [ 0x60, ['_LIST_ENTRY']], 'PendingQueue' : [ 0x68, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0x70, ['_LIST_ENTRY']], 'WaitQueue' : [ 0x78, ['_LIST_ENTRY']], 'Semaphore' : [ 0x80, ['pointer', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0x80, ['pointer', ['_KEVENT']]], 'Lock' : [ 0x84, ['_EX_PUSH_LOCK']], 'PortAttributes' : [ 0x88, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0xb4, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0xb8, ['_LIST_ENTRY']], 'CompletionList' : [ 0xc0, ['pointer', ['_ALPC_COMPLETION_LIST']]], 'MessageZone' : [ 0xc4, ['pointer', ['_ALPC_MESSAGE_ZONE']]], 'CanceledQueue' : [ 0xc8, ['_LIST_ENTRY']], 
'u1' : [ 0xd0, ['__unnamed_184b']], 'TargetQueuePort' : [ 0xd4, ['pointer', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0xd8, ['pointer', ['_ALPC_PORT']]], 'Message' : [ 0xdc, ['pointer', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0xe0, ['unsigned long']], 'PendingQueueLength' : [ 0xe4, ['unsigned long']], 'LargeMessageQueueLength' : [ 0xe8, ['unsigned long']], 'CanceledQueueLength' : [ 0xec, ['unsigned long']], 'WaitQueueLength' : [ 0xf0, ['unsigned long']], } ], '__unnamed_1862' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], } ], '__unnamed_1864' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1862']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x90, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtensionBuffer' : [ 0x8, ['pointer', ['void']]], 'ExtensionBufferSize' : [ 0xc, ['unsigned long']], 'QuotaProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'QuotaBlock' : [ 0x10, ['pointer', ['void']]], 'SequenceNo' : [ 0x14, ['long']], 'u1' : [ 0x18, ['__unnamed_1864']], 'CancelSequencePort' 
: [ 0x1c, ['pointer', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x20, ['pointer', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x24, ['long']], 'CancelListEntry' : [ 0x28, ['_LIST_ENTRY']], 'WaitingThread' : [ 0x30, ['pointer', ['_ETHREAD']]], 'Reserve' : [ 0x34, ['pointer', ['_KALPC_RESERVE']]], 'PortQueue' : [ 0x38, ['pointer', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x3c, ['pointer', ['_ALPC_PORT']]], 'UniqueTableEntry' : [ 0x40, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'MessageAttributes' : [ 0x44, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0x60, ['pointer', ['void']]], 'DataSystemVa' : [ 0x64, ['pointer', ['void']]], 'CommunicationInfo' : [ 0x68, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0x6c, ['pointer', ['_ALPC_PORT']]], 'ServerThread' : [ 0x70, ['pointer', ['_ETHREAD']]], 'PortMessage' : [ 0x78, ['_PORT_MESSAGE']], } ], '_REMOTE_PORT_VIEW' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x4, ['unsigned long']], 'ViewBase' : [ 0x8, ['pointer', ['void']]], } ], '_KALPC_HANDLE_DATA' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['pointer', ['_OB_DUPLICATE_OBJECT_STATE']]], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x1c, { 'ClientContext' : [ 0x0, ['pointer', ['void']]], 'ServerContext' : [ 0x4, ['pointer', ['void']]], 'PortContext' : [ 0x8, ['pointer', ['void']]], 'CancelPortContext' : [ 0xc, ['pointer', ['void']]], 'SecurityData' : [ 0x10, ['pointer', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x14, ['pointer', ['_KALPC_VIEW']]], 'HandleData' : [ 0x18, ['pointer', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_18a2' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_18a4' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_18a2']], } ], '_KALPC_SECURITY_DATA' : [ 0x50, { 'HandleTable' : [ 0x0, ['pointer', 
['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x4, ['pointer', ['void']]], 'OwningProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0xc, ['pointer', ['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x10, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x4c, ['__unnamed_18a4']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x20, { 'PortObject' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'Message' : [ 0x4, ['pointer', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'Flags' : [ 0xc, ['unsigned long']], 'TargetThread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'TargetPort' : [ 0x14, ['pointer', ['_ALPC_PORT']]], 'TotalLength' : [ 0x18, ['unsigned short']], 'Type' : [ 0x1a, ['unsigned short']], 'DataInfoOffset' : [ 0x1c, ['unsigned short']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x2c, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long']], 'MemoryBandwidth' : [ 0x14, ['unsigned long']], 'MaxPoolUsage' : [ 0x18, ['unsigned long']], 'MaxSectionSize' : [ 0x1c, ['unsigned long']], 'MaxViewSize' : [ 0x20, ['unsigned long']], 'MaxTotalSectionSize' : [ 0x24, ['unsigned long']], 'DupObjectTypes' : [ 0x28, ['unsigned long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x1e8, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'ModifiedId' : [ 0x34, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 
'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : [ 0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned long']], 'UserAndGroups' : [ 0x90, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x94, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x98, ['pointer', ['void']]], 'DynamicPart' : [ 0x9c, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0xa0, ['pointer', ['_ACL']]], 'TokenType' : [ 0xa4, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xac, ['unsigned long']], 'TokenInUse' : [ 0xb0, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xb4, ['unsigned long']], 'MandatoryPolicy' : [ 0xb8, ['unsigned long']], 'ProxyData' : [ 0xbc, ['pointer', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0xc0, ['pointer', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'LogonSession' : [ 0xc4, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc8, ['_LUID']], 'SidHash' : [ 0xd0, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x158, ['_SID_AND_ATTRIBUTES_HASH']], 'VariablePart' : [ 0x1e0, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x34, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'BuddyLogonId' : [ 0xc, ['_LUID']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'pDeviceMap' : [ 0x1c, ['pointer', ['_DEVICE_MAP']]], 'Token' : [ 0x20, ['pointer', ['void']]], 'AccountName' : [ 0x24, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x2c, ['_UNICODE_STRING']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x14, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 
'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], 'HashIndex' : [ 0xc, ['unsigned short']], 'DirectoryLocked' : [ 0xe, ['unsigned char']], 'LockStateSignature' : [ 0x10, ['unsigned long']], } ], '_OBJECT_DIRECTORY' : [ 0xa8, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x94, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]], 'SessionId' : [ 0x9c, ['unsigned long']], 'NamespaceEntry' : [ 0xa0, ['pointer', ['void']]], 'Flags' : [ 0xa4, ['unsigned long']], } ], '_OBJECT_TYPE' : [ 0x140, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x10, ['pointer', ['void']]], 'Index' : [ 0x14, ['unsigned long']], 'TotalNumberOfObjects' : [ 0x18, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x1c, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x20, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0x24, ['unsigned long']], 'TypeInfo' : [ 0x28, ['_OBJECT_TYPE_INITIALIZER']], 'Mutex' : [ 0x78, ['_ERESOURCE']], 'TypeLock' : [ 0xb0, ['_EX_PUSH_LOCK']], 'Key' : [ 0xb4, ['unsigned long']], 'ObjectLocks' : [ 0xb8, ['array', 32, ['_EX_PUSH_LOCK']]], 'CallbackList' : [ 0x138, ['_LIST_ENTRY']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x4, { 'ImpersonationData' : [ 0x0, ['unsigned long']], 'ImpersonationToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], '_MMVAD_FLAGS3' : [ 0x4, { 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long')]], 'Teb' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SequentialAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 
9, native_type='unsigned long')]], 'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long')]], 'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x4, { 'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_ERESOURCE' : [ 0x38, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0xc, ['short']], 'Flag' : [ 0xe, ['unsigned short']], 'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]], 'OwnerEntry' : [ 0x18, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x28, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x2c, ['unsigned long']], 'Address' : [ 0x30, ['pointer', 
['void']]], 'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']], 'SpinLock' : [ 0x34, ['unsigned long']], } ], '_LPCP_MESSAGE' : [ 0x30, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x4, ['unsigned long']], 'SenderPort' : [ 0x8, ['pointer', ['void']]], 'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'PortContext' : [ 0x10, ['pointer', ['void']]], 'Request' : [ 0x18, ['_PORT_MESSAGE']], } ], '_HARDWARE_PTE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'reserved' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DUAL' : [ 0x13c, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]], 'Guard' : [ 0xc, ['unsigned long']], 'FreeDisplay' : [ 0x10, 
['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x130, ['unsigned long']], 'FreeBins' : [ 0x134, ['_LIST_ENTRY']], } ], '_DISPATCHER_HEADER' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'Abandoned' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'NpxIrql' : [ 0x1, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Hand' : [ 0x2, ['unsigned char']], 'Inserted' : [ 0x3, ['unsigned char']], 'DebugActive' : [ 0x3, ['unsigned char']], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x10, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'DontUse0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'PointerProtoPte' : [ 0x4, ['pointer', ['void']]], } ], '_HEAP_COUNTERS' : [ 0x48, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long']], 'TotalMemoryCommitted' : [ 0x4, ['unsigned long']], 'TotalMemoryLargeUCR' : [ 0x8, ['unsigned long']], 'TotalSizeInVirtualBlocks' : [ 0xc, ['unsigned long']], 'TotalSegments' : [ 0x10, ['unsigned long']], 'TotalUCRs' : [ 0x14, ['unsigned long']], 'CommittOps' : [ 0x18, ['unsigned long']], 'DeCommitOps' : [ 0x1c, ['unsigned long']], 'LockAcquires' : [ 0x20, ['unsigned long']], 'LockCollisions' : [ 0x24, ['unsigned long']], 'CommitRate' : [ 0x28, ['unsigned long']], 'DecommittRate' : [ 0x2c, ['unsigned long']], 'CommitFailures' : [ 0x30, ['unsigned long']], 'InBlockCommitFailures' : [ 0x34, ['unsigned long']], 'CompactHeapCalls' : [ 
0x38, ['unsigned long']], 'CompactedUCRs' : [ 0x3c, ['unsigned long']], 'InBlockDeccommits' : [ 0x40, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x44, ['unsigned long']], } ], '_SYSPTES_HEADER' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x8, ['unsigned long']], 'NumberOfEntries' : [ 0xc, ['unsigned long']], 'NumberOfEntriesPeak' : [ 0x10, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0xc, ['pointer', ['void']]], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_PERFINFO_HARDPAGEFAULT_INFORMATION' : [ 0x18, { 'ReadOffset' : [ 0x0, ['_LARGE_INTEGER']], 'VirtualAddress' : [ 0x8, ['pointer', ['void']]], 'FileObject' : [ 0xc, ['pointer', ['void']]], 'ThreadId' : [ 0x10, ['unsigned long']], 'ByteCount' : [ 0x14, ['unsigned long']], } ], '_I386_LOADER_BLOCK' : [ 0xc, { 'CommonDataArea' : [ 0x0, ['pointer', ['void']]], 'MachineType' : [ 0x4, ['unsigned long']], 'VirtualBias' : [ 0x8, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_ARC_DISK_INFORMATION' : [ 0x8, { 'DiskSignatures' : [ 0x0, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x8, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x4, ['unsigned long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x8, { 'Key' : [ 0x0, ['pointer', ['void']]], 'Index' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, 
['unsigned long']], } ], '_HMAP_DIRECTORY' : [ 0x1000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]], } ], '_DEVPROPKEY' : [ 0x14, { 'fmtid' : [ 0x0, ['_GUID']], 'pid' : [ 0x10, ['unsigned long']], } ], '_WHEA_NMI_ERROR' : [ 0xc, { 'Data' : [ 0x0, ['array', 8, ['unsigned char']]], 'Flags' : [ 0x8, ['_WHEA_NMI_ERROR_FLAGS']], } ], '_HANDLE_TABLE' : [ 0x38, { 'TableCode' : [ 0x0, ['unsigned long']], 'QuotaProcess' : [ 0x4, ['pointer', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x8, ['pointer', ['void']]], 'HandleLock' : [ 0xc, ['_EX_PUSH_LOCK']], 'HandleTableList' : [ 0x10, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x18, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x1c, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'StrictFIFO' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FirstFreeHandle' : [ 0x28, ['long']], 'LastFreeHandleEntry' : [ 0x2c, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x30, ['long']], 'NextHandleNeedingPool' : [ 0x34, ['unsigned long']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x10, { 'Va' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['unsigned long']], 'PoolType' : [ 0x8, ['unsigned long']], 'NumberOfBytes' : [ 0xc, ['unsigned long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', 
dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_VI_CANCEL_GLOBALS' : [ 0x6c, { 'CancelLock' : [ 0x0, ['unsigned long']], 'IssueLock' : [ 0x4, ['unsigned long']], 'Counters' : [ 0x8, ['array', 25, ['long']]], } ], '_KALPC_RESERVE' : [ 0x14, { 'OwnerPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'HandleTable' : [ 0x4, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Message' : [ 0xc, ['pointer', ['_KALPC_MESSAGE']]], 'Active' : [ 0x10, ['long']], } ], '_TEB_ACTIVE_FRAME' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_CM_KEY_BODY' : [ 0x2c, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0xc, ['pointer', ['void']]], 'KeyBodyList' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'KtmTrans' : [ 0x1c, ['pointer', ['void']]], 'KtmUow' : [ 0x20, ['pointer', ['_GUID']]], 'ContextListHead' : [ 0x24, ['_LIST_ENTRY']], } ], '_MMPTE_PROTOTYPE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProtoAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 9, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtoAddressHigh' : [ 0x0, ['BitField', 
dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, { 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CpuValid' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_THERMAL_INFORMATION_EX' : [ 0x50, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x4c, ['unsigned long']], } ], '__unnamed_1991' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ], '__unnamed_1993' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, 
native_type='unsigned long')]], } ], '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_1991']], 'Private' : [ 0x0, ['__unnamed_1993']], } ], '_VI_VERIFIER_ISSUE' : [ 0x10, { 'IssueType' : [ 0x0, ['unsigned long']], 'Address' : [ 0x4, ['pointer', ['void']]], 'Parameters' : [ 0x8, ['array', 2, ['unsigned long']]], } ], '_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x8, { 'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]], 'Abandoned' : [ 0x1c, ['unsigned char']], 'ApcDisable' : [ 0x1d, ['unsigned char']], } ], '_OBJECT_REF_INFO' : [ 0x1c, { 'ObjectHeader' : [ 0x0, ['pointer', ['_OBJECT_HEADER']]], 'NextRef' : [ 0x4, ['pointer', ['void']]], 'ImageFileName' : [ 0x8, ['array', 16, ['unsigned char']]], 'NextPos' : [ 0x18, ['unsigned short']], 'MaxStacks' : [ 0x1a, ['unsigned short']], 'StackInfo' : [ 0x1c, ['array', 0, ['_OBJECT_REF_STACK_INFO']]], } ], '_CMHIVE' : [ 0x5e0, { 'Hive' : [ 
0x0, ['_HHIVE']], 'FileHandles' : [ 0x2e8, ['array', 6, ['pointer', ['void']]]], 'NotifyList' : [ 0x300, ['_LIST_ENTRY']], 'HiveList' : [ 0x308, ['_LIST_ENTRY']], 'HiveLock' : [ 0x310, ['pointer', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x314, ['_EX_PUSH_LOCK']], 'ViewLockOwner' : [ 0x318, ['pointer', ['_KTHREAD']]], 'ViewLockLast' : [ 0x31c, ['unsigned long']], 'ViewUnLockLast' : [ 0x320, ['unsigned long']], 'WriterLock' : [ 0x324, ['pointer', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x328, ['_EX_PUSH_LOCK']], 'SecurityLock' : [ 0x32c, ['_EX_PUSH_LOCK']], 'MappedViewList' : [ 0x330, ['_LIST_ENTRY']], 'PinnedViewList' : [ 0x338, ['_LIST_ENTRY']], 'FlushedViewList' : [ 0x340, ['_LIST_ENTRY']], 'MappedViewCount' : [ 0x348, ['unsigned short']], 'PinnedViewCount' : [ 0x34a, ['unsigned short']], 'UseCount' : [ 0x34c, ['unsigned long']], 'ViewsPerHive' : [ 0x350, ['unsigned long']], 'FileObject' : [ 0x354, ['pointer', ['_FILE_OBJECT']]], 'LastShrinkHiveSize' : [ 0x358, ['unsigned long']], 'ActualFileSize' : [ 0x360, ['_LARGE_INTEGER']], 'FileFullPath' : [ 0x368, ['_UNICODE_STRING']], 'FileUserName' : [ 0x370, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x378, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x380, ['unsigned long']], 'SecurityCacheSize' : [ 0x384, ['unsigned long']], 'SecurityHitHint' : [ 0x388, ['long']], 'SecurityCache' : [ 0x38c, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x390, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0x590, ['unsigned long']], 'UnloadEventArray' : [ 0x594, ['pointer', ['pointer', ['_KEVENT']]]], 'RootKcb' : [ 0x598, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0x59c, ['unsigned char']], 'UnloadWorkItem' : [ 0x5a0, ['pointer', ['_CM_WORKITEM']]], 'GrowOnlyMode' : [ 0x5a4, ['unsigned char']], 'GrowOffset' : [ 0x5a8, ['unsigned long']], 'KcbConvertListHead' : [ 0x5ac, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0x5b4, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0x5bc, ['pointer', ['_CM_CELL_REMAP_BLOCK']]], 
'Flags' : [ 0x5c0, ['unsigned long']], 'TrustClassEntry' : [ 0x5c4, ['_LIST_ENTRY']], 'FlushCount' : [ 0x5cc, ['unsigned long']], 'CmRm' : [ 0x5d0, ['pointer', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0x5d4, ['unsigned long']], 'CmRmInitFailStatus' : [ 0x5d8, ['long']], 'CreatorOwner' : [ 0x5dc, ['pointer', ['_KTHREAD']]], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0xc, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x4, ['pointer', ['void']]], 'ReferenceCount' : [ 0x8, ['long']], } ], '_HEAP_TAG_ENTRY' : [ 0x40, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], 'TagIndex' : [ 0xc, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']], 'TagName' : [ 0x10, ['array', 24, ['wchar']]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '__unnamed_19c2' : [ 0x8, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_19c8' : [ 0x4, { 'Banked' : [ 0x0, ['pointer', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x3c, { 'u1' : [ 0x0, ['__unnamed_149d']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_14a0']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_14a3']], 'u2' : [ 0x20, ['__unnamed_14ac']], 'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]], 'u3' : [ 
0x30, ['__unnamed_19c2']], 'u4' : [ 0x38, ['__unnamed_19c8']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 12, native_type='unsigned long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_NT_TIB' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x4, ['pointer', ['void']]], 'StackLimit' : [ 0x8, ['pointer', ['void']]], 'SubSystemTib' : [ 0xc, ['pointer', ['void']]], 'FiberData' : [ 0x10, ['pointer', ['void']]], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]], 'Self' : [ 0x18, ['pointer', ['_NT_TIB']]], } ], '_EJOB' : [ 0x128, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x10, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']], 'JobLock' : [ 0x20, ['_ERESOURCE']], 'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0x68, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0x70, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0x78, ['unsigned long']], 'TotalProcesses' : [ 0x7c, ['unsigned long']], 'ActiveProcesses' : [ 0x80, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0x84, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0x88, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0x90, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0x98, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x9c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0xa0, ['unsigned long']], 'ActiveProcessLimit' : [ 0xa4, ['unsigned long']], 'Affinity' : [ 0xa8, ['unsigned long']], 'PriorityClass' : [ 0xac, ['unsigned char']], 'AccessState' : [ 0xb0, ['pointer', ['_JOB_ACCESS_STATE']]], 'UIRestrictionsClass' : [ 0xb4, ['unsigned long']], 'EndOfJobTimeAction' : [ 0xb8, ['unsigned long']], 
'CompletionPort' : [ 0xbc, ['pointer', ['void']]], 'CompletionKey' : [ 0xc0, ['pointer', ['void']]], 'SessionId' : [ 0xc4, ['unsigned long']], 'SchedulingClass' : [ 0xc8, ['unsigned long']], 'ReadOperationCount' : [ 0xd0, ['unsigned long long']], 'WriteOperationCount' : [ 0xd8, ['unsigned long long']], 'OtherOperationCount' : [ 0xe0, ['unsigned long long']], 'ReadTransferCount' : [ 0xe8, ['unsigned long long']], 'WriteTransferCount' : [ 0xf0, ['unsigned long long']], 'OtherTransferCount' : [ 0xf8, ['unsigned long long']], 'ProcessMemoryLimit' : [ 0x100, ['unsigned long']], 'JobMemoryLimit' : [ 0x104, ['unsigned long']], 'PeakProcessMemoryUsed' : [ 0x108, ['unsigned long']], 'PeakJobMemoryUsed' : [ 0x10c, ['unsigned long']], 'CurrentJobMemoryUsed' : [ 0x110, ['unsigned long']], 'MemoryLimitsLock' : [ 0x114, ['_EX_PUSH_LOCK']], 'JobSetLinks' : [ 0x118, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x120, ['unsigned long']], 'JobFlags' : [ 0x124, ['unsigned long']], } ], '__unnamed_19d8' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Hypervisor' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'HvMaxCState' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_IDLE_STATES' : [ 0x3c, { 'Type' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['__unnamed_19d8']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'TargetProcessors' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['array', 1, ['_PPM_IDLE_STATE']]], } ], '_PEB' : [ 0x238, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 
'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['pointer', ['void']]], 'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]], 'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x14, ['pointer', ['void']]], 'ProcessHeap' : [ 0x18, ['pointer', ['void']]], 'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x20, ['pointer', ['void']]], 'IFEOKey' : [ 0x24, ['pointer', ['void']]], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]], 'UserSharedInfoPtr' : [ 0x2c, ['pointer', ['void']]], 'SystemReserved' : [ 0x30, 
['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x34, ['unsigned long']], 'SparePebPtr0' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['pointer', ['void']]], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]], 'HotpatchInformation' : [ 0x50, ['pointer', ['void']]], 'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]], 'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]], 'OemCodePageData' : [ 0x5c, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]], 'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]], 'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]], 
'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['pointer', ['void']]], 'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]], 'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['pointer', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x210, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x218, ['pointer', ['void']]], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['pointer', ['void']]], 'WerShipAssertPtr' : [ 0x234, ['pointer', ['void']]], } ],
'__unnamed_19f0' : [ 0x10, { 'EfiInformation' : [ 0x0, ['_EFI_FIRMWARE_INFORMATION']], 'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']], } ],
'_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x14, { 'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x4, ['__unnamed_19f0']], } ],
'_HEAP_UCR_DESCRIPTOR' : [ 0x18, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x8, ['_LIST_ENTRY']], 'Address' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ],
'__unnamed_19f7' : [ 0x4, { 'BaseMid' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHi' : [ 0x3, ['unsigned char']], } ],
'__unnamed_19fd' : [ 0x4, { 'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ],
'__unnamed_19ff' : [ 0x4, { 'Bytes' : [ 0x0, ['__unnamed_19f7']], 'Bits' : [ 0x0, ['__unnamed_19fd']], } ],
'_KGDTENTRY' : [ 0x8, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'HighWord' : [ 0x4, ['__unnamed_19ff']], } ],
'_POOL_DESCRIPTOR' : [ 0x1034, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['long']], 'RunningDeAllocs' : [ 0xc, ['long']], 'TotalPages' : [ 0x10, ['long']], 'TotalBigPages' :
[ 0x14, ['long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x1c, ['pointer', ['void']]], 'PendingFrees' : [ 0x20, ['pointer', ['pointer', ['void']]]], 'ThreadsProcessingDeferrals' : [ 0x24, ['long']], 'PendingFreeDepth' : [ 0x28, ['long']], 'TotalBytes' : [ 0x2c, ['unsigned long']], 'Spare0' : [ 0x30, ['unsigned long']], 'ListHeads' : [ 0x34, ['array', 512, ['_LIST_ENTRY']]], } ], '_KGATE' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['_WHEA_REVISION']], 'SignatureEnd' : [ 0x6, ['unsigned long']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']], 'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']], 'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x10, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x4, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0xc, ['unsigned long']], } ], '_CM_NOTIFY_BLOCK' : [ 0x2c, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x8, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]], 'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x18, ['BitField', 
dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0x270, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'MessageServiceRoutine' : [ 0x10, ['pointer', ['void']]], 'MessageIndex' : [ 0x14, ['unsigned long']], 'ServiceContext' : [ 0x18, ['pointer', ['void']]], 'SpinLock' : [ 0x1c, ['unsigned long']], 'TickCount' : [ 0x20, ['unsigned long']], 'ActualLock' : [ 0x24, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x28, ['pointer', ['void']]], 'Vector' : [ 0x2c, ['unsigned long']], 'Irql' : [ 0x30, ['unsigned char']], 'SynchronizeIrql' : [ 0x31, ['unsigned char']], 'FloatingSave' : [ 0x32, ['unsigned char']], 'Connected' : [ 0x33, ['unsigned char']], 'Number' : [ 0x34, ['unsigned char']], 'ShareVector' : [ 0x35, ['unsigned char']], 'Mode' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x40, ['unsigned long']], 'DispatchCount' : [ 0x44, ['unsigned long']], 'Rsvd1' : [ 0x48, ['unsigned long long']], 'DispatchCode' : [ 0x50, ['array', 135, ['unsigned long']]], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], 'GrantedAccessIndex' : [ 0x4, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x6, ['unsigned short']], 'NextFreeTableEntry' : [ 0x4, ['long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 
'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ],
'_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ],
'_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ],
'_HIVE_LIST_ENTRY' : [ 0x20, { 'FileName' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'RegRootName' : [ 0x8, ['pointer', ['unsigned short']]], 'CmHive' : [ 0xc, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0x10, ['unsigned long']], 'CmHiveFlags' : [ 0x14, ['unsigned long']], 'CmHive2' : [ 0x18, ['pointer', ['_CMHIVE']]], 'ThreadFinished' : [ 0x1c, ['unsigned char']], 'ThreadStarted' : [ 0x1d, ['unsigned char']], 'Allocate' : [ 0x1e, ['unsigned char']], 'WinPERequired' : [ 0x1f, ['unsigned char']], } ],
'_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ],
'_ALPC_HANDLE_TABLE' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'Handles' : [ 0x4, ['pointer', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x8, ['unsigned long']], 'Lock' : [ 0xc, ['_EX_PUSH_LOCK']], } ],
'_MMPTE_HARDWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ],
'_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ],
'_IOV_FORCED_PENDING_TRACE' : [ 0x100, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'StackTrace' : [ 0x4, ['array', 63, ['pointer', ['void']]]], } ],
'_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ],
'_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, ['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x54, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'Mdl' : [ 0xc, ['pointer', ['_MDL']]], 'UserVa' : [ 0x10, ['pointer', ['void']]], 'UserLimit' : [ 0x14, ['pointer', ['void']]], 'DataUserVa' : [ 0x18, ['pointer', ['void']]], 'SystemVa' : [ 0x1c, ['pointer', ['void']]], 'TotalSize' : [ 0x20, ['unsigned long']], 'Header' : [ 0x24, ['pointer', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x28, ['pointer', ['void']]], 'ListSize' : [ 0x2c, ['unsigned long']], 'Bitmap' : [ 0x30, ['pointer', ['void']]], 'BitmapSize' : [ 0x34, ['unsigned long']], 'Data' : [ 0x38, ['pointer', ['void']]], 'DataSize' : [ 0x3c, ['unsigned long']], 'BitmapLimit' : [ 0x40, ['unsigned long']], 'BitmapNextHint' : [ 0x44, ['unsigned long']], 'ConcurrencyCount' : [ 0x48, ['unsigned long']], 'AttributeFlags' : [ 0x4c, ['unsigned long']], 'AttributeSize' : [ 0x50, ['unsigned long']], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x58, { 'WorkQueue' : [ 0x0, ['_LIST_ENTRY']], 'ScanDpc' : [ 0x8, ['_KDPC']], 'ScanTimer' : [ 0x28, ['_KTIMER']], 'ScanActive' : [ 0x50, ['unsigned char']], 'OtherWork' : [ 0x51, ['unsigned char']], 'PendingTeardown' : [ 0x52, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 
0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, ['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], 
'_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_CM_RM' : [ 0x58, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x8, ['_LIST_ENTRY']], 'TmHandle' : [ 0x10, ['pointer', ['void']]], 'Tm' : [ 0x14, ['pointer', ['void']]], 'RmHandle' : [ 0x18, ['pointer', ['void']]], 'KtmRm' : [ 0x1c, ['pointer', ['void']]], 'RefCount' : [ 0x20, ['unsigned long']], 'ContainerNum' : [ 0x24, ['unsigned long']], 'ContainerSize' : [ 0x28, ['unsigned long long']], 'CmHive' : [ 0x30, ['pointer', ['_CMHIVE']]], 'LogFileObject' : [ 0x34, ['pointer', ['void']]], 'MarshallingContext' : [ 0x38, ['pointer', ['void']]], 'RmFlags' : [ 0x3c, ['unsigned long']], 'LogStartStatus1' : [ 0x40, ['long']], 'LogStartStatus2' : [ 0x44, ['long']], 'BaseLsn' : [ 0x48, ['unsigned long long']], 'RmLock' : [ 0x50, ['pointer', ['_ERESOURCE']]], } ], '_MMVAD_FLAGS' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 19, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 23, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_WHEA_PCIXDEVICE_ERROR' : [ 0x68, { 'ValidBits' : [ 0x0, ['_WHEA_PCIXDEVICE_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'IdInfo' : [ 0x10, ['_WHEA_PCIXDEVICE_ID']], 'MemoryNumber' : [ 0x20, ['unsigned long']], 'IoNumber' : [ 0x24, 
['unsigned long']], 'RegisterDataPairs' : [ 0x28, ['array', 4, ['WHEA_PCIXDEVICE_REGISTER_PAIR']]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '__unnamed_1a7e' : [ 0x18, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ], '_HEAP_LOCK' : [ 0x18, { 'Lock' : [ 0x0, ['__unnamed_1a7e']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_DRIVER_EXTENSION' : [ 0x1c, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x8, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'Flags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x5, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 
0x6, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'OldIrql' : [ 0x4, ['unsigned char']], 'NewIrql' : [ 0x5, ['unsigned char']], 'Processor' : [ 0x6, ['unsigned char']], 'TickCount' : [ 0x8, ['unsigned long']], 'StackTrace' : [ 0xc, ['array', 5, ['pointer', ['void']]]], } ], '_PEB_LDR_DATA' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], 'ShutdownInProgress' : [ 0x28, ['unsigned char']], 'ShutdownThreadId' : [ 0x2c, ['pointer', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0xc, { 'AnsiCodePageData' : [ 0x0, ['pointer', ['void']]], 'OemCodePageData' : [ 0x4, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x8, ['pointer', ['void']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x90, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 22, 
native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0xc, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x14, ['unsigned long']], 'ParentKcb' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x1c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x20, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x24, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x2c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x2c, ['unsigned long']], 'SubKeyCount' : [ 0x2c, ['unsigned long']], 'KeyBodyListHead' : [ 0x30, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x30, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x38, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'DelayCloseEntry' : [ 0x48, ['pointer', ['void']]], 'KcbLastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x58, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x5a, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x5c, ['unsigned long']], 'KcbUserFlags' : [ 0x60, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x60, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x60, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x60, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KCBUoWListHead' : [ 0x64, ['_LIST_ENTRY']], 'TransKCBOwner' : [ 0x6c, ['pointer', ['_CM_TRANS']]], 'KCBLock' : [ 0x70, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x78, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x80, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x88, ['pointer', ['_CM_TRANS']]], 'FullKCBName' : [ 0x8c, ['pointer', ['_UNICODE_STRING']]], } ], '_MMPTE_SOFTWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, 
end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x18, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x18, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x1c, ['pointer', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 
'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0x8, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, 
native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x20, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x24, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 
'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', 
dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SessionMaster' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'TrimmerAttached' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'TrimmerDetaching' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], } ], 'PPM_IDLE_ACCOUNTING' : [ 0x48, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['PPM_IDLE_STATE_ACCOUNTING']]], } ], 'PPM_IDLE_STATE_ACCOUNTING' : [ 0x30, { 'IdleTransitions' : [ 0x0, ['unsigned long']], 'FailedTransitions' : [ 0x4, ['unsigned long']], 'InvalidBucketIndex' : [ 0x8, ['unsigned long']], 'TotalTime' : [ 0x10, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x18, ['array', 6, ['unsigned long']]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned 
char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x24, { 'Lock' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'ActiveCount' : [ 0x8, ['unsigned long']], 'PendingNullCount' : [ 0xc, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x10, ['unsigned long']], 'PendingDelete' : [ 0x14, ['unsigned long']], 'FreeListHead' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x1c, ['pointer', ['void']]], 'CompletionKey' : [ 0x20, ['pointer', ['void']]], 'Entry' : [ 0x24, ['array', 0, 
['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0xc, ['unsigned long']], 'PageCount' : [ 0x10, ['unsigned long']], } ], '_CM_INTENT_LOCK' : [ 0x8, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x4, ['pointer', ['pointer', ['_CM_KCB_UOW']]]], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } 
], '_MAPPED_FILE_SEGMENT' : [ 0x28, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'LastSubsectionHint' : [ 0x20, ['pointer', ['_MSUBSECTION']]], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_VI_FAULT_TRACE' : [ 0x24, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 8, ['pointer', ['void']]]], } ], '_WHEA_PCIXBUS_ERROR' : [ 0x48, { 'ValidBits' : [ 0x0, ['_WHEA_PCIXBUS_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'ErrorType' : [ 0x10, ['unsigned short']], 'BusId' : [ 0x12, ['_WHEA_PCIXBUS_ID']], 'Reserved' : [ 0x14, ['unsigned long']], 'BusAddress' : [ 0x18, ['unsigned long long']], 'BusData' : [ 0x20, ['unsigned long long']], 'BusCommand' : [ 0x28, ['_WHEA_PCIXBUS_COMMAND']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'CompleterId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x10, ['unsigned long']], 'ObjectMask' : [ 0x14, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 'CountEntries' : [ 0x0, ['unsigned long']], 
'HandleCountEntries' : [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'OwnerCount' : [ 0x4, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_MI_SECTION_CREATION_GATE' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_MI_SECTION_CREATION_GATE']]], 'Gate' : [ 0x4, ['_KGATE']], } ], '_ETIMER' : [ 0x98, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x28, ['_KAPC']], 'TimerDpc' : [ 0x58, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lock' : [ 0x80, ['unsigned long']], 'Period' : [ 0x84, ['long']], 'ApcAssociated' : [ 0x88, ['unsigned char']], 'WakeTimer' : [ 0x89, ['unsigned char']], 'WakeTimerListEntry' : [ 0x8c, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0xc, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x4, ['_RTL_BITMAP']], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '_WHEA_PCIXBUS_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'BusId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 
'BusAddress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'BusData' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'BusCommand' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'CompleterId' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1b64' : [ 0x4, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_1b64']], 'EndVa' : [ 0x4, ['pointer', ['void']]], } ], '_FNSAVE_FORMAT' : [ 0x6c, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], } ], '_ARBITER_INSTANCE' : [ 0x5ec, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'OrderingName' : [ 0xc, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0x10, ['long']], 'Allocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x18, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x1c, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x24, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x2c, ['long']], 'Interface' : [ 0x30, ['pointer', ['_ARBITER_INTERFACE']]], 
'AllocationStackMaxSize' : [ 0x34, ['unsigned long']], 'AllocationStack' : [ 0x38, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x3c, ['pointer', ['void']]], 'PackResource' : [ 0x40, ['pointer', ['void']]], 'UnpackResource' : [ 0x44, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x48, ['pointer', ['void']]], 'TestAllocation' : [ 0x4c, ['pointer', ['void']]], 'RetestAllocation' : [ 0x50, ['pointer', ['void']]], 'CommitAllocation' : [ 0x54, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x58, ['pointer', ['void']]], 'BootAllocation' : [ 0x5c, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x60, ['pointer', ['void']]], 'QueryConflict' : [ 0x64, ['pointer', ['void']]], 'AddReserved' : [ 0x68, ['pointer', ['void']]], 'StartArbiter' : [ 0x6c, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x70, ['pointer', ['void']]], 'AllocateEntry' : [ 0x74, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x78, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x7c, ['pointer', ['void']]], 'AddAllocation' : [ 0x80, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x84, ['pointer', ['void']]], 'OverrideConflict' : [ 0x88, ['pointer', ['void']]], 'InitializeRangeList' : [ 0x8c, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x90, ['unsigned char']], 'TransactionEvent' : [ 0x94, ['pointer', ['_KEVENT']]], 'Extension' : [ 0x98, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x9c, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0xa0, ['pointer', ['void']]], 'ConflictCallback' : [ 0xa4, ['pointer', ['void']]], 'PdoDescriptionString' : [ 0xa8, ['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x348, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x5e8, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '_HMAP_TABLE' : [ 0x2000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], 
'_WHEA_MEMORY_ERROR' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 
'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_KGUARDED_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, 
['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], 'KernelApcDisable' : [ 0x1c, ['short']], 'SpecialApcDisable' : [ 0x1e, ['short']], 'CombinedApcDisable' : [ 0x1c, ['unsigned long']], } ], '_ALPHA_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '__unnamed_1bd0' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1bd6' : [ 0x14, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPolicyMachineDefault', 1: 'IrqPolicyAllCloseProcessors', 2: 'IrqPolicyOneCloseProcessor', 3: 'IrqPolicyAllProcessorsInMachine', 4: 'IrqPolicySpecifiedProcessors', 5: 'IrqPolicySpreadMessagesAcrossAllProcessors'})]], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long']], } ], '__unnamed_1bd8' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1bda' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1bdc' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1bde' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1be0' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1be2' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, 
['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1be4' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1be6' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1bd0']], 'Memory' : [ 0x0, ['__unnamed_1bd0']], 'Interrupt' : [ 0x0, ['__unnamed_1bd6']], 'Dma' : [ 0x0, ['__unnamed_1bd8']], 'Generic' : [ 0x0, ['__unnamed_1bd0']], 'DevicePrivate' : [ 0x0, ['__unnamed_1bda']], 'BusNumber' : [ 0x0, ['__unnamed_1bdc']], 'ConfigData' : [ 0x0, ['__unnamed_1bde']], 'Memory40' : [ 0x0, ['__unnamed_1be0']], 'Memory48' : [ 0x0, ['__unnamed_1be2']], 'Memory64' : [ 0x0, ['__unnamed_1be4']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1be6']], } ], '_POP_THERMAL_ZONE' : [ 0xd8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x8, ['unsigned char']], 'Flags' : [ 0x9, ['unsigned char']], 'Mode' : [ 0xa, ['unsigned char']], 'PendingMode' : [ 0xb, ['unsigned char']], 'ActivePoint' : [ 0xc, ['unsigned char']], 'PendingActivePoint' : [ 0xd, ['unsigned char']], 'Throttle' : [ 0x10, ['long']], 'LastTime' : [ 0x18, ['unsigned long long']], 'SampleRate' : [ 0x20, ['unsigned long']], 'LastTemp' : [ 0x24, ['unsigned long']], 'PassiveTimer' : [ 0x28, ['_KTIMER']], 'PassiveDpc' : [ 0x50, ['_KDPC']], 'OverThrottled' : [ 0x70, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0x80, ['pointer', ['_IRP']]], 'Info' : [ 0x84, ['_THERMAL_INFORMATION_EX']], } ], '_MMPTE_LIST' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, 
end_bit = 2, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, { 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_WHEA_PCIXBUS_COMMAND' : [ 0x8, { 'Command' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 56, native_type='unsigned long long')]], 'PCIXCommand' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 57, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_CM_TRANS' : [ 0x68, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x8, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x18, ['pointer', ['void']]], 'CmRm' : [ 0x1c, ['pointer', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 
0x20, ['pointer', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x24, ['pointer', ['void']]], 'KtmUow' : [ 0x28, ['_GUID']], 'StartLsn' : [ 0x38, ['unsigned long long']], 'TransState' : [ 0x40, ['unsigned long']], 'HiveCount' : [ 0x44, ['unsigned long']], 'HiveArray' : [ 0x48, ['array', 8, ['pointer', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x30, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ParseContext' : [ 0x8, ['pointer', ['void']]], 'ProbeMode' : [ 0xc, ['unsigned char']], 'PagedPoolCharge' : [ 0x10, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x1c, ['pointer', ['void']]], 'SecurityQos' : [ 0x20, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x24, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 
'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], '_VF_BTS_DATA_MANAGEMENT_AREA' : [ 0x34, { 'BTSBufferBase' : [ 0x0, ['pointer', ['void']]], 'BTSIndex' : [ 0x4, ['pointer', ['void']]], 'BTSMax' : [ 0x8, ['pointer', ['void']]], 'BTSInterruptThreshold' : [ 0xc, ['pointer', ['void']]], 'PEBSBufferBase' : [ 0x10, ['pointer', ['void']]], 'PEBSIndex' : [ 0x14, ['pointer', ['void']]], 'PEBSMax' : [ 0x18, ['pointer', ['void']]], 'PEBSInterruptThreshold' : [ 0x1c, ['pointer', ['void']]], 'PEBSCounterReset' : [ 0x20, ['array', 2, ['pointer', ['void']]]], 'Reserved' : [ 0x28, ['array', 12, ['unsigned char']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Cr0NpxState' : [ 0x6c, ['unsigned long']], } ], '_SEP_AUDIT_POLICY' : [ 0x1c, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1b, ['unsigned char']], } ], '_MMPTE_TIMESTAMP' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x88, { 
'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x8, ['array', 32, ['unsigned long']]], } ], '_MBCB' : [ 0x80, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'BitmapRange1' : [ 0x20, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x40, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x60, ['_BITMAP_RANGE']], } ], '__unnamed_1c2b' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1c2b']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, 
['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x50, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 
'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer', ['void']]], 'OpenProcedure' : [ 0x34, ['pointer', ['void']]], 'CloseProcedure' : [ 0x38, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x3c, ['pointer', ['void']]], 'ParseProcedure' : [ 0x40, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x44, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x48, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x4c, ['pointer', ['void']]], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_KDPC' : [ 0x20, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x4, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', ['void']]], } ], '_KERNEL_STACK_SEGMENT' : [ 0x14, { 'StackBase' : [ 0x0, ['unsigned long']], 
'StackLimit' : [ 0x4, ['unsigned long']], 'KernelStack' : [ 0x8, ['unsigned long']], 'InitialStack' : [ 0xc, ['unsigned long']], 'ActualLimit' : [ 0x10, ['unsigned long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WHEA_PCIXDEVICE_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'IdInfo' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'MemoryNumber' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'IoNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'RegisterDataPairs' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], 
'WHEA_PCIXDEVICE_REGISTER_PAIR' : [ 0x10, { 'Register' : [ 0x0, ['unsigned long long']], 'Data' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'MappingCount' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 
'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 
'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_PF_KERNEL_GLOBALS' : [ 0x40, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0xc, ['_KEVENT']], 'AccessBufferMax' : [ 0x1c, ['unsigned long']], 'AccessBufferList' : [ 0x20, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x28, ['long']], 'Flags' : [ 0x2c, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x30, ['long']], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : 
[ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_WHEA_PCIXBUS_ID' : [ 0x2, { 'BusNumber' : [ 0x0, ['unsigned char']], 'BusSegment' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x1c, { 'SourceProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'SourceHandle' : [ 0x4, ['pointer', ['void']]], 'Object' : [ 0x8, ['pointer', ['void']]], 'ObjectType' : [ 0xc, ['pointer', ['_OBJECT_TYPE']]], 'TargetAccess' : [ 0x10, ['unsigned long']], 'ObjectInfo' : [ 0x14, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x18, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SubsectionAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SubsectionAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_EFI_FIRMWARE_INFORMATION' : [ 0x10, { 'FirmwareVersion' : [ 0x0, ['unsigned long']], 'VirtualEfiRuntimeServices' : [ 0x4, ['pointer', ['_VIRTUAL_EFI_RUNTIME_SERVICES']]], 'SetVirtualAddressMapStatus' : [ 0x8, 
['long']], 'MissedMappingsCount' : [ 0xc, ['unsigned long']], } ], '__unnamed_1cbe' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cc0' : [ 0xc, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cc2' : [ 0xc, { 'Reserved' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cc4' : [ 0xc, { 'Raw' : [ 0x0, ['__unnamed_1cc2']], 'Translated' : [ 0x0, ['__unnamed_1cc0']], } ], '__unnamed_1cc6' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cc8' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cca' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1ccc' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cce' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cd0' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cd2' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_1cbe']], 'Port' : [ 0x0, ['__unnamed_1cbe']], 'Interrupt' : [ 0x0, ['__unnamed_1cc0']], 'MessageInterrupt' : [ 0x0, ['__unnamed_1cc4']], 'Memory' : [ 0x0, ['__unnamed_1cbe']], 'Dma' : [ 0x0, ['__unnamed_1cc6']], 'DevicePrivate' : [ 0x0, ['__unnamed_1bda']], 'BusNumber' : [ 0x0, ['__unnamed_1cc8']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1cca']], 'Memory40' : [ 0x0, ['__unnamed_1ccc']], 'Memory48' : [ 0x0, ['__unnamed_1cce']], 'Memory64' : [ 0x0, ['__unnamed_1cd0']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, 
{ 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1cd2']], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '__unnamed_1cd9' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1cd9']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '_KUSER_SHARED_DATA' : [ 0x3b8, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']],
'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgSystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgSEHValidationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']],
'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 8, ['unsigned short']]], 'HeapTracingPid' : [ 0x390, ['array', 2, ['unsigned long']]], 'CritSecTracingPid' : [ 0x398, ['array', 2, ['unsigned long']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'AffinityPad' : [ 0x3a8, ['unsigned long long']], 'ActiveProcessorAffinity' : [ 0x3a8, ['unsigned long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], } ], '__unnamed_1ced' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_1ced']], } ], '_CONFIGURATION_COMPONENT_DATA' : [ 0x34, { 'Parent' : [ 0x0, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Child' : [ 0x4, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Sibling' : [ 0x8, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'ComponentEntry' : [ 0xc, ['_CONFIGURATION_COMPONENT']], 'ConfigurationData' : [ 0x30, ['pointer', ['void']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '__unnamed_1cf7' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMSUBSECTION_NODE']]], } ], '_MMSUBSECTION_NODE' : [ 0x18, { 'u' : [ 0x0, ['__unnamed_14c5']], 'StartingSector' : [ 0x4, ['unsigned long']], 'NumberOfFullSectors' : [ 0x8, ['unsigned long']], 'u1' : [ 0xc, ['__unnamed_1cf7']], 'LeftChild' : [ 0x10, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x14, ['pointer', 
['_MMSUBSECTION_NODE']]], } ], '__unnamed_1cfd' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_1cff' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_1cfd']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x60, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'TotalBusyCount' : [ 0x8, ['unsigned long']], 'ConservationIdleTime' : [ 0xc, ['unsigned long']], 'PerformanceIdleTime' : [ 0x10, ['unsigned long']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x18, ['_LIST_ENTRY']], 'DeviceType' : [ 0x20, ['unsigned char']], 'IdleState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x2c, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x34, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x3c, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x50, ['_LIST_ENTRY']], 'Specific' : [ 0x58, ['__unnamed_1cff']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, 
native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], 
'_KENLISTMENT' : [ 0x168, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x4, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x18, ['_GUID']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NextSameTx' : [ 0x48, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x50, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x58, ['pointer', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0x5c, ['pointer', ['_KTRANSACTION']]], 'State' : [ 0x60, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0x64, ['unsigned long']], 'NotificationMask' : [ 0x68, ['unsigned long']], 'Key' : [ 0x6c, ['pointer', ['void']]], 'KeyRefCount' : [ 0x70, ['unsigned long']], 'RecoveryInformation' : [ 0x74, ['pointer', ['void']]], 'RecoveryInformationLength' : [ 0x78, ['unsigned long']], 'DynamicNameInformation' : [ 0x7c, ['pointer', ['void']]], 'DynamicNameInformationLength' : [ 0x80, ['unsigned long']], 'FinalNotification' : [ 0x84, ['pointer', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0x88, ['pointer', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0x8c, ['pointer', ['void']]], 'SubordinateTxHandle' : [ 0x90, ['pointer', ['void']]], 'CrmEnlistmentEnId' : [ 0x94, ['_GUID']], 'CrmEnlistmentTmId' : [ 0xa4, ['_GUID']], 'CrmEnlistmentRmId' : [ 0xb4, ['_GUID']], 'NextHistory' : [ 0xc4, ['unsigned long']], 'History' : [ 0xc8, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x18, { 
'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x14, ['unsigned char']], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x300, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x80, 
['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x88, ['unsigned long']], 'LastCallbackId' : [ 0x8c, ['unsigned long']], 'PostCount' : [ 0x100, ['unsigned long']], 'ReturnCount' : [ 0x180, ['unsigned long']], 'LogSequenceNumber' : [ 0x200, ['unsigned long']], 'UserLock' : [ 0x280, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x288, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_DEVICE_MAP' : [ 0x34, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'DosDevicesDirectoryHandle' : [ 0x8, ['pointer', ['void']]], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DriveMap' : [ 0x10, ['unsigned long']], 'DriveType' : [ 0x14, ['array', 32, ['unsigned char']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_ETW_KERNEL_TRACE_TIMESTAMP' : [ 0x10, { 'KernelTraceTimeStamp' : [ 0x0, ['array', 2, ['_LARGE_INTEGER']]], } ], '_HEAP_DEBUGGING_INFORMATION' : [ 0x1c, { 'InterceptorFunction' : [ 0x0, ['pointer', ['void']]], 'InterceptorValue' : [ 0x4, ['unsigned short']], 'ExtendedOptions' : [ 0x8, ['unsigned long']], 'StackTraceDepth' : [ 0xc, ['unsigned long']], 'MinTotalBlockSize' : [ 0x10, ['unsigned long']], 'MaxTotalBlockSize' : [ 0x14, ['unsigned long']], 'HeapLeakEnumerationRoutine' : [ 0x18, ['pointer', ['void']]], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], 
'_MMBANKED_SECTION' : [ 0x20, { 'BasePhysicalPage' : [ 0x0, ['unsigned long']], 'BasedPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'BankSize' : [ 0x8, ['unsigned long']], 'BankShift' : [ 0xc, ['unsigned long']], 'BankedRoutine' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'CurrentMappedPte' : [ 0x18, ['pointer', ['_MMPTE']]], 'BankTemplate' : [ 0x1c, ['array', 1, ['_MMPTE']]], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCIEXPRESS_ERROR' : [ 0xd0, { 'ValidBits' : [ 0x0, ['_WHEA_PCIEXPRESS_ERROR_VALIDBITS']], 'PortType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaPciExpressEndpoint', 1: 'WheaPciExpressLegacyEndpoint', 4: 'WheaPciExpressRootPort', 5: 'WheaPciExpressUpstreamSwitchPort', 6: 'WheaPciExpressDownstreamSwitchPort', 7: 'WheaPciExpressToPciXBridge', 8: 'WheaPciXToExpressBridge', 9: 'WheaPciExpressRootComplexIntegratedEndpoint', 10: 'WheaPciExpressRootComplexEventCollector'})]], 'Version' : [ 0xc, ['_WHEA_PCIEXPRESS_VERSION']], 'CommandStatus' : [ 0x10, ['_WHEA_PCIEXPRESS_COMMAND_STATUS']], 'Reserved' : [ 0x14, ['unsigned long']], 'DeviceId' : [ 0x18, ['_WHEA_PCIEXPRESS_DEVICE_ID']], 'DeviceSerialNumber' : [ 0x28, ['unsigned long long']], 'BridgeControlStatus' : [ 0x30, ['_WHEA_PCIEXPRESS_BRIDGE_CONTROL_STATUS']], 'ExpressCapability' : [ 0x34, ['array', 60, ['unsigned char']]], 'AerInfo' : [ 0x70, ['array', 96, ['unsigned char']]], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 
'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, ['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned short']], 'Logging' : [ 0x12, ['unsigned char']], 'Reserved' : [ 0x13, ['unsigned char']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '__unnamed_1d74' : [ 0x4, { 'AsULONG' : [ 0x0, 
['unsigned long']], 'UsingHypervisor' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_PERF_STATES' : [ 0x78, { 'Count' : [ 0x0, ['unsigned long']], 'MaxFrequency' : [ 0x4, ['unsigned long']], 'PStateCap' : [ 0x8, ['unsigned long']], 'TStateCap' : [ 0xc, ['unsigned long']], 'MaxPerfState' : [ 0x10, ['unsigned long']], 'MinPerfState' : [ 0x14, ['unsigned long']], 'LowestPState' : [ 0x18, ['unsigned long']], 'IncreaseTime' : [ 0x1c, ['unsigned long']], 'DecreaseTime' : [ 0x20, ['unsigned long']], 'BusyAdjThreshold' : [ 0x24, ['unsigned char']], 'Reserved' : [ 0x25, ['unsigned char']], 'ThrottleStatesOnly' : [ 0x26, ['unsigned char']], 'PolicyType' : [ 0x27, ['unsigned char']], 'TimerInterval' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['__unnamed_1d74']], 'TargetProcessors' : [ 0x30, ['unsigned long']], 'PStateHandler' : [ 0x34, ['pointer', ['void']]], 'PStateContext' : [ 0x38, ['unsigned long']], 'TStateHandler' : [ 0x3c, ['pointer', ['void']]], 'TStateContext' : [ 0x40, ['unsigned long']], 'FeedbackHandler' : [ 0x44, ['pointer', ['void']]], 'DiaStats' : [ 0x48, ['pointer', ['_PPM_DIA_STATS']]], 'DiaStatsCount' : [ 0x4c, ['unsigned long']], 'State' : [ 0x50, ['array', 1, ['_PPM_PERF_STATE']]], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, 
['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x18, { 'StartingVa' : [ 0x0, ['pointer', ['void']]], 'EndingVa' : [ 0x4, ['pointer', ['void']]], 'Parent' : [ 0x8, ['pointer', ['void']]], 'LeftChild' : [ 0xc, ['pointer', ['void']]], 'RightChild' : [ 0x10, ['pointer', ['void']]], 'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['wchar']]], } ], '_PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [ 0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x48, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 
'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_WHEA_NMI_ERROR_FLAGS' : [ 0x4, { 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, ['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_RTL_ATOM_TABLE' : [ 
0x44, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x4, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x1c, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x3c, ['unsigned long']], 'Buckets' : [ 0x40, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POP_POWER_ACTION' : [ 0xa0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 
4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x34, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'DisplayResumeContext' : [ 0x38, ['pointer', ['_POP_DISPLAY_RESUME_CONTEXT']]], 'HiberContext' : [ 0x3c, ['pointer', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x40, ['unsigned long long']], 'SleepTime' : [ 0x48, ['unsigned long long']], 'FilteredCapabilities' : [ 0x50, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x24, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0xc, ['unsigned char']], 'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x14, ['pointer', ['unsigned short']]], 'DriverName' 
: [ 0x18, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x1c, ['unsigned long']], 'ActiveChild' : [ 0x20, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x4, { 'PageHashes' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1dc7' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_1dc9' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0xc, ['__unnamed_1dc7']], 'Button' : [ 0xc, ['__unnamed_1dc9']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 
'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' 
: [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_LOADER_PARAMETER_EXTENSION' : [ 0x84, { 'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 'MajorVersion' : [ 0x14, ['unsigned long']], 'MinorVersion' : [ 0x18, ['unsigned long']], 'EmInfFileImage' : [ 0x1c, ['pointer', ['void']]], 'EmInfFileSize' : [ 0x20, ['unsigned long']], 'TriageDumpBlock' : [ 0x24, ['pointer', ['void']]], 'LoaderPagesSpanned' : [ 0x28, ['unsigned long']], 'HeadlessLoaderBlock' : [ 0x2c, ['pointer', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x30, ['pointer', ['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x34, ['pointer', ['void']]], 'DrvDBSize' : [ 0x38, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x3c, ['pointer', ['_NETWORK_LOADER_BLOCK']]], 'HalpIRQLToTPR' : [ 0x40, ['pointer', ['unsigned char']]], 'HalpVectorToIRQL' : [ 0x44, ['pointer', ['unsigned char']]], 'FirmwareDescriptorListHead' : [ 0x48, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x50, ['pointer', ['void']]], 'AcpiTableSize' : [ 0x54, ['unsigned long']], 'BootViaWinload' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'LoaderPerformanceData' : [ 0x5c, ['pointer', ['_LOADER_PERFORMANCE_DATA']]], 'BootApplicationPersistentData' : [ 0x60, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0x68, 
['pointer', ['void']]], 'BootIdentifier' : [ 0x6c, ['_GUID']], 'ResumePages' : [ 0x7c, ['unsigned long']], 'DumpHeader' : [ 0x80, ['pointer', ['void']]], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x10, ['pointer', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_WHEA_PCIEXPRESS_VERSION' : [ 0x4, { 'MinorVersion' : [ 0x0, ['unsigned char']], 'MajorVersion' : [ 0x1, ['unsigned char']], 'Reserved' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '__unnamed_1e33' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x14, { 'u1' : [ 0x0, ['__unnamed_1e33']], 'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x8, ['pointer', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x294, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : 
[ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' : [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x290, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0x58, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], 'StartAddress' : [ 0x18, ['pointer', ['void']]], 'EndAddress' : [ 0x1c, ['pointer', ['void']]], 'Flags' : [ 0x20, ['unsigned long']], 'Signature' : [ 0x24, ['unsigned long']], 'PoolPageHeaders' : [ 0x28, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x30, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x38, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x3c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PagedBytes' : [ 0x48, ['unsigned long']], 'NonPagedBytes' : [ 0x4c, 
['unsigned long']], 'PeakPagedBytes' : [ 0x50, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x54, ['unsigned long']], } ], '_RTL_SRWLOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_ALPC_MESSAGE_ZONE' : [ 0x18, { 'Mdl' : [ 0x0, ['pointer', ['_MDL']]], 'UserVa' : [ 0x4, ['pointer', ['void']]], 'UserLimit' : [ 0x8, ['pointer', ['void']]], 'SystemVa' : [ 0xc, ['pointer', ['void']]], 'SystemLimit' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x14, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x10, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 
'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 
0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x10, { 'RefCount' : [ 0x0, ['long']], 'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 0x8, ['pointer', ['_ETW_REG_ENTRY']]], 'Caller' : [ 0xc, ['pointer', ['void']]], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x40, { 'Address' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0xc, ['array', 13, ['pointer', ['void']]]], } ], '__unnamed_1e6b' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], 
'_MM_SESSION_SPACE' : [ 0x1ec0, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1e6b']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x18, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long']], 'NonPagablePages' : [ 0x24, ['unsigned long']], 'CommittedPages' : [ 0x28, ['unsigned long']], 'PagedPoolStart' : [ 0x2c, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x30, ['pointer', ['void']]], 'SessionObject' : [ 0x34, ['pointer', ['void']]], 'SessionObjectHandle' : [ 0x38, ['pointer', ['void']]], 'ResidentProcessCount' : [ 0x3c, ['long']], 'ImageLoadingCount' : [ 0x40, ['long']], 'SessionPoolAllocationFailures' : [ 0x44, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x54, ['_LIST_ENTRY']], 'LocaleId' : [ 0x5c, ['unsigned long']], 'AttachCount' : [ 0x60, ['unsigned long']], 'AttachGate' : [ 0x64, ['_KGATE']], 'WsListEntry' : [ 0x74, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 25, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xd00, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xd38, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xd70, ['_MMSUPPORT']], 'Wsle' : [ 0xdb8, ['pointer', ['_MMWSLE']]], 'DriverUnload' : [ 0xdbc, ['pointer', ['void']]], 'PagedPool' : [ 0xdc0, ['_POOL_DESCRIPTOR']], 'PageTables' : [ 0x1df4, ['pointer', ['_MMPTE']]], 'SpecialPool' : [ 0x1df8, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1e10, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1e30, ['long']], 'PagedPoolPdeCount' : [ 0x1e34, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1e38, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1e3c, ['unsigned long']], 'SystemPteInfo' : [ 0x1e40, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1e6c, ['pointer', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1e70, ['unsigned long']], 'PoolTrackBigPages' : [ 0x1e74, ['pointer', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1e78, ['unsigned long']], 
'SessionPoolPdes' : [ 0x1e7c, ['_RTL_BITMAP']], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, ['pointer', ['_EPROCESS']]], 'HandleCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, 
['_LUID_AND_ATTRIBUTES']]], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, 
['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x38, { 'Mutex' : [ 0x0, ['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x20, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x28, ['pointer', ['_MMPTE']]], 'PagedPoolHint' : [ 0x2c, ['unsigned long']], 'PagedPoolCommit' : [ 0x30, ['unsigned long']], 'AllocatedPagedPool' : [ 0x34, ['unsigned long']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 
0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_WHEA_GENERIC_PROCESSOR_ERROR' : [ 0xc0, { 'ValidBits' : [ 0x0, ['_WHEA_GENERIC_PROCESSOR_ERROR_VALIDBITS']], 'ProcessorType' : [ 0x8, ['unsigned char']], 'InstructionSet' : [ 0x9, ['unsigned char']], 'ErrorType' : [ 0xa, ['unsigned char']], 'Operation' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned char']], 'Level' : [ 0xd, ['unsigned char']], 'Reserved' : [ 0xe, ['unsigned short']], 'CPUVersion' : [ 0x10, ['unsigned long long']], 'CPUBrandString' : [ 0x18, ['array', 128, ['unsigned char']]], 'ProcessorId' : [ 0x98, ['unsigned long long']], 'TargetAddress' : [ 0xa0, ['unsigned long long']], 'RequesterId' : [ 0xa8, ['unsigned long long']], 'ResponderId' : [ 0xb0, ['unsigned long long']], 'InstructionPointer' : [ 0xb8, ['unsigned long long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_FXSAVE_FORMAT' : [ 0x208, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned short']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned long']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned long']], 'MXCsr' : [ 0x18, ['unsigned long']], 'MXCsrMask' : [ 0x1c, ['unsigned long']], 
'RegisterArea' : [ 0x20, ['array', 128, ['unsigned char']]], 'Reserved3' : [ 0xa0, ['array', 128, ['unsigned char']]], 'Reserved4' : [ 0x120, ['array', 224, ['unsigned char']]], 'Align16Byte' : [ 0x200, ['array', 8, ['unsigned char']]], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x18, { 'PteBase' : [ 0x0, ['pointer', ['_MMPTE']]], 'FreePteHead' : [ 0x4, ['_MMPTE']], 'FreePteTail' : [ 0x8, ['_MMPTE']], 'PagesInUse' : [ 0xc, ['long']], 'SpecialPoolPdes' : [ 0x10, ['_RTL_BITMAP']], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_KGUARDED_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x10, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x8, ['_PO_IRP_QUEUE']], } ], '_WHEA_PCIEXPRESS_BRIDGE_CONTROL_STATUS' : [ 0x4, { 'BridgeSecondaryStatus' : [ 0x0, ['unsigned short']], 'BridgeControl' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_KDPC_DATA' : [ 0x14, { 
'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['long']], 'DpcCount' : [ 0x10, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_WORKITEM' : [ 0x10, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1ee4' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1ee6' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_1ee4']], 'Merged' : [ 0x10, ['__unnamed_1ee6']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0xc, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x4, ['pointer', ['void']]], 'Lookaside' : [ 0x8, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '__unnamed_1eed' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 
2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_1eed']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x8, ['pointer', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_14c5']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], 'u1' : [ 0x20, ['__unnamed_1cf7']], 'LeftChild' : [ 0x24, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x28, ['pointer', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x2c, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x34, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x38, { 'GetTime' : [ 0x0, ['unsigned long']], 'SetTime' : [ 0x4, ['unsigned long']], 'GetWakeupTime' : [ 0x8, ['unsigned long']], 'SetWakeupTime' : [ 0xc, ['unsigned long']], 'SetVirtualAddressMap' : [ 0x10, ['unsigned long']], 'ConvertPointer' : [ 0x14, ['unsigned long']], 'GetVariable' : [ 0x18, ['unsigned long']], 'GetNextVariableName' : [ 0x1c, ['unsigned long']], 
'SetVariable' : [ 0x20, ['unsigned long']], 'GetNextHighMonotonicCount' : [ 0x24, ['unsigned long']], 'ResetSystem' : [ 0x28, ['unsigned long']], 'UpdateCapsule' : [ 0x2c, ['unsigned long']], 'QueryCapsuleCapabilities' : [ 0x30, ['unsigned long']], 'QueryVariableInfo' : [ 0x34, ['unsigned long']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 0x12, ['array', 3, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 
'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_WHEA_MEMORY_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 
10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_WHEA_PCIEXPRESS_DEVICE_ID' : [ 0x10, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'ClassCode' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'FunctionNumber' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'DeviceNumber' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Segment' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 24, native_type='unsigned long')]], 'PrimaryBusNumber' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'SecondaryBusNumber' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 10, native_type='unsigned long')]], 'SlotNumber' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 24, native_type='unsigned long')]], 'Reserved2' : [ 0xc, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_WNODE_HEADER' : [ 0x30, { 'BufferSize' : [ 0x0, ['unsigned long']], 'ProviderId' : [ 0x4, ['unsigned long']], 'HistoricalContext' : [ 0x8, ['unsigned long long']], 'Version' : [ 0x8, ['unsigned long']], 'Linkage' 
: [ 0xc, ['unsigned long']], 'CountLost' : [ 0x10, ['unsigned long']], 'KernelHandle' : [ 0x10, ['pointer', ['void']]], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], } ], '__unnamed_1f11' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_1f15' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'u1' : [ 0x20, ['__unnamed_1f11']], 'u2' : [ 0x24, ['__unnamed_1f15']], 'PrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'ThePtes' : [ 0x2c, ['array', 1, ['_MMPTE']]], } ], '_WHEA_PCIXDEVICE_ID' : [ 0x10, { 'VendorId' : [ 0x0, ['unsigned short']], 'DeviceId' : [ 0x2, ['unsigned short']], 'ClassCode' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'FunctionNumber' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'DeviceNumber' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'BusNumber' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'SegmentNumber' : [ 0x8, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'Reserved1' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Reserved2' : [ 0xc, ['unsigned long']], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 
'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long']], 'PrivateLinks' : [ 0x4c, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x54, ['pointer', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 
1, ['wchar']]], } ], '_RTL_HANDLE_TABLE' : [ 0x20, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x14, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x18, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x1c, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_PTE_TRACKER' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x8, ['pointer', ['_MDL']]], 'Count' : [ 0xc, ['unsigned long']], 'SystemVa' : [ 0x10, ['pointer', ['void']]], 'StartVa' : [ 0x14, ['pointer', ['void']]], 'Offset' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], 'Page' : [ 0x20, ['unsigned long']], 'IoMapping' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x24, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'CallingAddress' : [ 0x28, ['pointer', ['void']]], 'CallersCaller' : [ 0x2c, ['pointer', ['void']]], } ], '_MMPFNLIST' : [ 0x10, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], } ], '_DEVOBJ_EXTENSION' : [ 0x3c, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', 
['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], 'DependentList' : [ 0x2c, ['_LIST_ENTRY']], 'ProviderList' : [ 0x34, ['_LIST_ENTRY']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_WHEA_PCIEXPRESS_COMMAND_STATUS' : [ 0x4, { 'Command' : [ 0x0, ['unsigned short']], 'Status' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x10, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'CmView' : [ 0x8, ['pointer', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0xc, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x10, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'ReferenceCount' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'NameLength' : [ 0xb, ['unsigned char']], 'Name' : [ 0xc, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' 
: [ 0x4, ['pointer', ['void']]], } ], '_LOADER_PERFORMANCE_DATA' : [ 0x10, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_MMSESSION' : [ 0x38, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewTable' : [ 0x24, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x28, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x30, ['unsigned long']], 'BitmapFailures' : [ 0x34, ['unsigned long']], } ], '_WHEA_PCIEXPRESS_ERROR_VALIDBITS' : [ 0x8, { 'PortType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Version' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'CommandStatus' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'DeviceId' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'DeviceSerialNumber' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'BridgeControlStatus' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'ExpressCapability' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'AerInfo' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_ETW_REG_ENTRY' : [ 0x2c, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x8, ['pointer', ['_ETW_GUID_ENTRY']]], 'Index' : 
[ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned short']], 'EnableMask' : [ 0x10, ['unsigned char']], 'ReplyQueue' : [ 0x14, ['pointer', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x14, ['array', 4, ['pointer', ['_ETW_REG_ENTRY']]]], 'Process' : [ 0x24, ['pointer', ['_EPROCESS']]], 'Callback' : [ 0x24, ['pointer', ['void']]], 'CallbackContext' : [ 0x28, ['pointer', ['void']]], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', 
dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_KNODE' : [ 0x80, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x8, ['array', 3, ['_SLIST_HEADER']]], 'PfnDereferenceSListHead' : [ 0x20, ['_SLIST_HEADER']], 'ProcessorMask' : [ 0x28, ['unsigned long']], 'Color' : [ 0x2c, ['unsigned char']], 'Seed' : [ 0x2d, ['unsigned char']], 'NodeNumber' : [ 0x2e, ['unsigned char']], 'Flags' : [ 0x2f, ['_flags']], 'MmShiftedColor' : [ 0x30, ['unsigned long']], 'FreeCount' : [ 0x34, ['array', 2, ['unsigned long']]], 'PfnDeferredList' : [ 0x3c, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'CachedKernelStacks' : [ 0x40, ['_CACHED_KSTACK_LIST']], } ], '_CACHED_KSTACK_LIST' : [ 0x18, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x8, ['long']], 'Misses' : [ 0xc, ['unsigned long']], 'MissesLast' : [ 0x10, ['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x188, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, 
['unsigned long']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'AbortEvent' : [ 0x10, ['pointer', ['_KEVENT']]], 'ReadySemaphore' : [ 0x14, ['pointer', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x18, ['pointer', ['_KSEMAPHORE']]], 'GetNewDeviceList' : [ 0x1c, ['unsigned char']], 'Order' : [ 0x20, ['_PO_DEVICE_NOTIFY_ORDER']], 'NotifyGdiLevelForPowerOn' : [ 0x168, ['long']], 'NotifyGdiLevelForResumeUI' : [ 0x16c, ['long']], 'Pending' : [ 0x170, ['_LIST_ENTRY']], 'Status' : [ 0x178, ['long']], 'FailedDevice' : [ 0x17c, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x180, ['unsigned char']], 'Cancelled' : [ 0x181, ['unsigned char']], 'IgnoreErrors' : [ 0x182, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x183, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x184, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 22, native_type='unsigned long')]], 'ContainsPxeSubsection' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Binary32' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]],
'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_EX_WORK_QUEUE' : [ 0x3c, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x28, ['unsigned long']], 'WorkItemsProcessed' : [ 0x2c, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x30, ['unsigned long']], 'QueueDepthLastPass' : [ 0x34, ['unsigned long']], 'Info' : [ 0x38, ['EX_QUEUE_WORKER_INFO']], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0xc, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x1c, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], } ], '_PPM_IDLE_STATE' : [ 0x20, { 'IdleHandler' : [ 0x0, ['pointer', ['void']]], 'Context' : [ 0x4, ['pointer', ['void']]], 'Latency' : [ 0x8, ['unsigned long']], 'Power' : [ 0xc, ['unsigned long']], 'TimeCheck' : [ 0x10, ['unsigned long']], 'StateFlags' : [ 0x14, ['unsigned long']], 'PromotePercent' : [ 0x18, ['unsigned char']], 'DemotePercent' : [ 0x19, ['unsigned char']], 'PromotePercentBase' : [ 0x1a, ['unsigned char']], 'DemotePercentBase' : [ 0x1b, ['unsigned char']], 'StateType' : [ 0x1c, ['unsigned char']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 
'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_KRESOURCEMANAGER' : [ 0x154, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'State' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x1c, ['_KMUTANT']], 'NamespaceLink' : [ 0x3c, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x50, ['_GUID']], 'NotificationQueue' : [ 0x60, ['_KQUEUE']], 'NotificationMutex' : [ 0x88, ['_KMUTANT']], 'EnlistmentHead' : [ 0xa8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xb0, ['unsigned long']], 'NotificationRoutine' : [ 0xb4, ['pointer', ['void']]], 'Key' : [ 0xb8, ['pointer', ['void']]], 'ProtocolListHead' : [ 0xbc, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0xc4, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0xcc, ['_LIST_ENTRY']], 'Tm' : [ 0xd4, ['pointer', ['_KTM']]], 'Description' : [ 0xd8, ['_UNICODE_STRING']], 'Enlistments' : [ 0xe0, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x140, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x78, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' 
: [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'OptionChanges' : [ 0x68, ['unsigned long']], 'VerifyMode' : [ 0x6c, ['unsigned long']], 'PreviousBucketName' : [ 0x70, ['_UNICODE_STRING']], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x40e0, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x14, ['unsigned long']], 'ResourceAddressRange' : [ 0x18, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x2010, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x2014, ['unsigned long']], 'ThreadAddressRange' : [ 0x2018, 
['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x4010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x4014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x4018, ['unsigned long']], 'NodesSearched' : [ 0x401c, ['unsigned long']], 'MaxNodesSearched' : [ 0x4020, ['unsigned long']], 'SequenceNumber' : [ 0x4024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x402c, ['unsigned long']], 'DepthLimitHits' : [ 0x4030, ['unsigned long']], 'SearchLimitHits' : [ 0x4034, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x4038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x403c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x4040, ['unsigned long']], 'TotalReleases' : [ 0x4044, ['unsigned long']], 'RootNodesDeleted' : [ 0x4048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x404c, ['unsigned long']], 'Instigator' : [ 0x4050, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0x4054, ['unsigned long']], 'Participant' : [ 0x4058, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x40d8, ['long']], } ], '_POP_DISPLAY_RESUME_CONTEXT' : [ 0x50, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkerThread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'PrepareUIEvent' : [ 0x14, ['_KEVENT']], 'PowerOnEvent' : [ 0x24, ['_KEVENT']], 'DoneEvent' : [ 0x34, ['_KEVENT']], 'WorkerQueued' : [ 0x44, ['unsigned long']], 'WorkerAbort' : [ 0x48, ['unsigned long']], 'NoResumeUI' : [ 0x4c, ['unsigned long']], } ], '_KTM' : [ 0x228, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x4, ['_KMUTANT']], 'State' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x28, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x3c, ['_GUID']], 'Flags' : [ 0x4c, ['unsigned long']], 'VolatileFlags' : [ 0x50, ['unsigned long']], 'LogFileName' : [ 
0x54, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x5c, ['pointer', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0x60, ['pointer', ['void']]], 'LogManagementContext' : [ 0x64, ['pointer', ['void']]], 'Transactions' : [ 0x68, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0xc8, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x128, ['_KMUTANT']], 'LsnOrderedList' : [ 0x148, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x150, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x158, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x178, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x180, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x188, ['_CLS_LSN']], 'TmRmHandle' : [ 0x190, ['pointer', ['void']]], 'TmRm' : [ 0x194, ['pointer', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x198, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x1a8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x1b8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x1c0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x1d0, ['_ERESOURCE']], 'LogFlags' : [ 0x208, ['unsigned long']], 'LogFullStatus' : [ 0x20c, ['long']], 'RecoveryStatus' : [ 0x210, ['long']], 'LastCheckBaseLsn' : [ 0x218, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x220, ['_LIST_ENTRY']], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'Data' : [ 0x20, 
['_PLUGPLAY_EVENT_BLOCK']], } ], '_CONFIGURATION_COMPONENT' : [ 0x24, { 'Class' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 'MemoryClass', 7: 'MaximumClass'})]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 14: 'TapeController', 15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 'AudioController', 24: 'OtherController', 25: 'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29: 'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]], 'Flags' : [ 0x8, ['_DEVICE_FLAGS']], 'Version' : [ 0xc, ['unsigned short']], 'Revision' : [ 0xe, ['unsigned short']], 'Key' : [ 0x10, ['unsigned long']], 'AffinityMask' : [ 0x14, ['unsigned long']], 'ConfigurationDataLength' : [ 0x18, ['unsigned long']], 'IdentifierLength' : [ 0x1c, ['unsigned long']], 'Identifier' : [ 0x20, ['pointer', ['unsigned char']]], } ], '_VF_BTS_RECORD' : [ 0xc, { 'JumpedFrom' : [ 0x0, ['pointer', ['void']]], 'JumpedTo' : [ 0x4, ['pointer', ['void']]], 'Unused1' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Predicted' : [ 0x8, ['BitField', dict(start_bit = 3, end_bit = 7, 
native_type='unsigned long')]], 'Unused2' : [ 0x8, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_KTRANSACTION' : [ 0x1e0, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'Mutex' : [ 0x14, ['_KMUTANT']], 'TreeTx' : [ 0x34, ['pointer', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x38, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x4c, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0x60, ['_GUID']], 'State' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0x74, ['unsigned long']], 'EnlistmentHead' : [ 0x78, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x80, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0x84, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0x88, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0x8c, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0x90, ['unsigned long']], 'PendingResponses' : [ 0x94, ['unsigned long']], 'SuperiorEnlistment' : [ 0x98, ['pointer', ['_KENLISTMENT']]], 'LastLsn' : [ 0xa0, ['_CLS_LSN']], 'PromotedEntry' : [ 0xa8, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0xb0, ['pointer', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0xb4, ['pointer', ['void']]], 'IsolationLevel' : [ 0xb8, ['unsigned long']], 'IsolationFlags' : [ 0xbc, ['unsigned long']], 'Timeout' : [ 0xc0, ['_LARGE_INTEGER']], 'Description' : [ 0xc8, ['_UNICODE_STRING']], 'RollbackThread' : [ 0xd0, ['pointer', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0xd4, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0xe4, ['_KDPC']], 'RollbackTimer' : [ 0x108, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x130, ['_LIST_ENTRY']], 
'Outcome' : [ 0x138, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x13c, ['pointer', ['_KTM']]], 'CommitReservation' : [ 0x140, ['long long']], 'TransactionHistory' : [ 0x148, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x198, ['unsigned long']], 'DTCPrivateInformation' : [ 0x19c, ['pointer', ['void']]], 'DTCPrivateInformationLength' : [ 0x1a0, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x1a4, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x1c4, ['pointer', ['void']]], 'PendingPromotionCount' : [ 0x1c8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x1cc, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x38, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x8, ['pointer', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0xc, ['pointer', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x1c, ['pointer', ['_CM_TRANS']]], 'UoWState' : [ 0x20, ['unsigned long']], 'ActionType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 
'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x30, ['unsigned long']], 'OldValueCell' : [ 0x30, ['unsigned long']], 'NewValueCell' : [ 0x34, ['unsigned long']], 'UserFlags' : [ 0x30, ['unsigned long']], 'LastWriteTime' : [ 0x30, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x30, ['unsigned long']], 'OldChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x34, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x34, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_1fd5' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_1fd7' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_1fd5']], 'Value' : [ 0x0, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_1fd7']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x2c, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'RealRefCount' : [ 0x14, ['unsigned long']], 'Descriptor' : [ 0x18, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['wchar']]], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 12, native_type='unsigned long')]], } ], '_PO_IRP_QUEUE' : [ 0x8, { 'CurrentIrp' : [ 0x0, ['pointer', ['_IRP']]], 'PendingIrpList' : [ 0x4, ['pointer', ['_IRP']]], } ], '__unnamed_1fe9' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0x6c, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x24, ['__unnamed_1fe9']], 'ChildrenCount' : [ 0x28, ['long']], 'StackTrace' : [ 0x2c, ['array', 8, ['pointer', ['void']]]], 'ParentStackTrace' : [ 0x4c, ['array', 8, ['pointer', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0x60, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x38, ['_KMUTANT']], 'LinksOffset' : [ 0x58, ['unsigned short']], 'GuidOffset' : [ 0x5a, ['unsigned short']], 'Expired' : [ 0x5c, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 
'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]],
} ],
  '_OBJECT_DUMP_CONTROL' : [ 0x8, {
    'Stream' : [ 0x0, ['pointer', ['void']]],
    'Detail' : [ 0x4, ['unsigned long']],
} ],
  '_OBJECT_SYMBOLIC_LINK' : [ 0x20, {
    'CreationTime' : [ 0x0, ['_LARGE_INTEGER']],
    'LinkTarget' : [ 0x8, ['_UNICODE_STRING']],
    'LinkTargetRemaining' : [ 0x10, ['_UNICODE_STRING']],
    'LinkTargetObject' : [ 0x18, ['pointer', ['void']]],
    'DosDeviceDriveIndex' : [ 0x1c, ['unsigned long']],
} ],
  '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, {
    'Semaphore' : [ 0x0, ['_KSEMAPHORE']],
    'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]],
} ],
}

volatility-2.3.1/volatility/plugins/overlays/windows/vista_sp12_x64_syscalls.py

# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
# """ @author: MHL @license: GNU General Public License 2.0 @contact: michael.ligh@mnin.org This file provides support for Vista SP1 and SP2 x64 """ syscalls = [ [ 'NtMapUserPhysicalPagesScatter', # 0x0 'NtWaitForSingleObject', # 0x1 'NtCallbackReturn', # 0x2 'NtReadFile', # 0x3 'NtDeviceIoControlFile', # 0x4 'NtWriteFile', # 0x5 'NtRemoveIoCompletion', # 0x6 'NtReleaseSemaphore', # 0x7 'NtReplyWaitReceivePort', # 0x8 'NtReplyPort', # 0x9 'NtSetInformationThread', # 0xa 'NtSetEvent', # 0xb 'NtClose', # 0xc 'NtQueryObject', # 0xd 'NtQueryInformationFile', # 0xe 'NtOpenKey', # 0xf 'NtEnumerateValueKey', # 0x10 'NtFindAtom', # 0x11 'NtQueryDefaultLocale', # 0x12 'NtQueryKey', # 0x13 'NtQueryValueKey', # 0x14 'NtAllocateVirtualMemory', # 0x15 'NtQueryInformationProcess', # 0x16 'NtWaitForMultipleObjects32', # 0x17 'NtWriteFileGather', # 0x18 'NtSetInformationProcess', # 0x19 'NtCreateKey', # 0x1a 'NtFreeVirtualMemory', # 0x1b 'NtImpersonateClientOfPort', # 0x1c 'NtReleaseMutant', # 0x1d 'NtQueryInformationToken', # 0x1e 'NtRequestWaitReplyPort', # 0x1f 'NtQueryVirtualMemory', # 0x20 'NtOpenThreadToken', # 0x21 'NtQueryInformationThread', # 0x22 'NtOpenProcess', # 0x23 'NtSetInformationFile', # 0x24 'NtMapViewOfSection', # 0x25 'NtAccessCheckAndAuditAlarm', # 0x26 'NtUnmapViewOfSection', # 0x27 'NtReplyWaitReceivePortEx', # 0x28 'NtTerminateProcess', # 0x29 'NtSetEventBoostPriority', # 0x2a 'NtReadFileScatter', # 0x2b 'NtOpenThreadTokenEx', # 0x2c 'NtOpenProcessTokenEx', # 0x2d 'NtQueryPerformanceCounter', # 0x2e 'NtEnumerateKey', # 0x2f 'NtOpenFile', # 0x30 'NtDelayExecution', # 0x31 'NtQueryDirectoryFile', # 0x32 'NtQuerySystemInformation', # 0x33 'NtOpenSection', # 0x34 'NtQueryTimer', # 0x35 'NtFsControlFile', # 0x36 'NtWriteVirtualMemory', # 0x37 'NtCloseObjectAuditAlarm', # 0x38 'NtDuplicateObject', # 0x39 'NtQueryAttributesFile', # 0x3a 'NtClearEvent', # 0x3b 'NtReadVirtualMemory', # 0x3c 'NtOpenEvent', # 0x3d 'NtAdjustPrivilegesToken', # 0x3e 'NtDuplicateToken', 
# 0x3f 'NtContinue', # 0x40 'NtQueryDefaultUILanguage', # 0x41 'NtQueueApcThread', # 0x42 'NtYieldExecution', # 0x43 'NtAddAtom', # 0x44 'NtCreateEvent', # 0x45 'NtQueryVolumeInformationFile', # 0x46 'NtCreateSection', # 0x47 'NtFlushBuffersFile', # 0x48 'NtApphelpCacheControl', # 0x49 'NtCreateProcessEx', # 0x4a 'NtCreateThread', # 0x4b 'NtIsProcessInJob', # 0x4c 'NtProtectVirtualMemory', # 0x4d 'NtQuerySection', # 0x4e 'NtResumeThread', # 0x4f 'NtTerminateThread', # 0x50 'NtReadRequestData', # 0x51 'NtCreateFile', # 0x52 'NtQueryEvent', # 0x53 'NtWriteRequestData', # 0x54 'NtOpenDirectoryObject', # 0x55 'NtAccessCheckByTypeAndAuditAlarm', # 0x56 'NtQuerySystemTime', # 0x57 'NtWaitForMultipleObjects', # 0x58 'NtSetInformationObject', # 0x59 'NtCancelIoFile', # 0x5a 'NtTraceEvent', # 0x5b 'NtPowerInformation', # 0x5c 'NtSetValueKey', # 0x5d 'NtCancelTimer', # 0x5e 'NtSetTimer', # 0x5f 'NtAcceptConnectPort', # 0x60 'NtAccessCheck', # 0x61 'NtAccessCheckByType', # 0x62 'NtAccessCheckByTypeResultList', # 0x63 'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x64 'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x65 'NtAcquireCMFViewOwnership', # 0x66 'NtAddBootEntry', # 0x67 'NtAddDriverEntry', # 0x68 'NtAdjustGroupsToken', # 0x69 'NtAlertResumeThread', # 0x6a 'NtAlertThread', # 0x6b 'NtAllocateLocallyUniqueId', # 0x6c 'NtAllocateUserPhysicalPages', # 0x6d 'NtAllocateUuids', # 0x6e 'NtAlpcAcceptConnectPort', # 0x6f 'NtAlpcCancelMessage', # 0x70 'NtAlpcConnectPort', # 0x71 'NtAlpcCreatePort', # 0x72 'NtAlpcCreatePortSection', # 0x73 'NtAlpcCreateResourceReserve', # 0x74 'NtAlpcCreateSectionView', # 0x75 'NtAlpcCreateSecurityContext', # 0x76 'NtAlpcDeletePortSection', # 0x77 'NtAlpcDeleteResourceReserve', # 0x78 'NtAlpcDeleteSectionView', # 0x79 'NtAlpcDeleteSecurityContext', # 0x7a 'NtAlpcDisconnectPort', # 0x7b 'NtAlpcImpersonateClientOfPort', # 0x7c 'NtAlpcOpenSenderProcess', # 0x7d 'NtAlpcOpenSenderThread', # 0x7e 'NtAlpcQueryInformation', # 0x7f 
'NtAlpcQueryInformationMessage', # 0x80 'NtAlpcRevokeSecurityContext', # 0x81 'NtAlpcSendWaitReceivePort', # 0x82 'NtAlpcSetInformation', # 0x83 'NtAreMappedFilesTheSame', # 0x84 'NtAssignProcessToJobObject', # 0x85 'NtCancelDeviceWakeupRequest', # 0x86 'NtCancelIoFileEx', # 0x87 'NtCancelSynchronousIoFile', # 0x88 'NtCommitComplete', # 0x89 'NtCommitEnlistment', # 0x8a 'NtCommitTransaction', # 0x8b 'NtCompactKeys', # 0x8c 'NtCompareTokens', # 0x8d 'NtCompleteConnectPort', # 0x8e 'NtCompressKey', # 0x8f 'NtConnectPort', # 0x90 'NtCreateDebugObject', # 0x91 'NtCreateDirectoryObject', # 0x92 'NtCreateEnlistment', # 0x93 'NtCreateEventPair', # 0x94 'NtCreateIoCompletion', # 0x95 'NtCreateJobObject', # 0x96 'NtCreateJobSet', # 0x97 'NtCreateKeyTransacted', # 0x98 'NtCreateKeyedEvent', # 0x99 'NtCreateMailslotFile', # 0x9a 'NtCreateMutant', # 0x9b 'NtCreateNamedPipeFile', # 0x9c 'NtCreatePagingFile', # 0x9d 'NtCreatePort', # 0x9e 'NtCreatePrivateNamespace', # 0x9f 'NtCreateProcess', # 0xa0 'NtCreateProfile', # 0xa1 'NtCreateResourceManager', # 0xa2 'NtCreateSemaphore', # 0xa3 'NtCreateSymbolicLinkObject', # 0xa4 'NtCreateThreadEx', # 0xa5 'NtCreateTimer', # 0xa6 'NtCreateToken', # 0xa7 'NtCreateTransaction', # 0xa8 'NtCreateTransactionManager', # 0xa9 'NtCreateUserProcess', # 0xaa 'NtCreateWaitablePort', # 0xab 'NtCreateWorkerFactory', # 0xac 'NtDebugActiveProcess', # 0xad 'NtDebugContinue', # 0xae 'NtDeleteAtom', # 0xaf 'NtDeleteBootEntry', # 0xb0 'NtDeleteDriverEntry', # 0xb1 'NtDeleteFile', # 0xb2 'NtDeleteKey', # 0xb3 'NtDeleteObjectAuditAlarm', # 0xb4 'NtDeletePrivateNamespace', # 0xb5 'NtDeleteValueKey', # 0xb6 'NtDisplayString', # 0xb7 'NtEnumerateBootEntries', # 0xb8 'NtEnumerateDriverEntries', # 0xb9 'NtEnumerateSystemEnvironmentValuesEx', # 0xba 'NtEnumerateTransactionObject', # 0xbb 'NtExtendSection', # 0xbc 'NtFilterToken', # 0xbd 'NtFlushInstallUILanguage', # 0xbe 'NtFlushInstructionCache', # 0xbf 'NtFlushKey', # 0xc0 'NtFlushProcessWriteBuffers', # 0xc1 
'NtFlushVirtualMemory', # 0xc2 'NtFlushWriteBuffer', # 0xc3 'NtFreeUserPhysicalPages', # 0xc4 'NtFreezeRegistry', # 0xc5 'NtFreezeTransactions', # 0xc6 'NtGetContextThread', # 0xc7 'NtGetCurrentProcessorNumber', # 0xc8 'NtGetDevicePowerState', # 0xc9 'NtGetMUIRegistryInfo', # 0xca 'NtGetNextProcess', # 0xcb 'NtGetNextThread', # 0xcc 'NtGetNlsSectionPtr', # 0xcd 'NtGetNotificationResourceManager', # 0xce 'NtGetPlugPlayEvent', # 0xcf 'NtGetWriteWatch', # 0xd0 'NtImpersonateAnonymousToken', # 0xd1 'NtImpersonateThread', # 0xd2 'NtInitializeNlsFiles', # 0xd3 'NtInitializeRegistry', # 0xd4 'NtInitiatePowerAction', # 0xd5 'NtIsSystemResumeAutomatic', # 0xd6 'NtIsUILanguageComitted', # 0xd7 'NtListenPort', # 0xd8 'NtLoadDriver', # 0xd9 'NtLoadKey', # 0xda 'NtLoadKey2', # 0xdb 'NtLoadKeyEx', # 0xdc 'NtLockFile', # 0xdd 'NtLockProductActivationKeys', # 0xde 'NtLockRegistryKey', # 0xdf 'NtLockVirtualMemory', # 0xe0 'NtMakePermanentObject', # 0xe1 'NtMakeTemporaryObject', # 0xe2 'NtMapCMFModule', # 0xe3 'NtMapUserPhysicalPages', # 0xe4 'NtModifyBootEntry', # 0xe5 'NtModifyDriverEntry', # 0xe6 'NtNotifyChangeDirectoryFile', # 0xe7 'NtNotifyChangeKey', # 0xe8 'NtNotifyChangeMultipleKeys', # 0xe9 'NtOpenEnlistment', # 0xea 'NtOpenEventPair', # 0xeb 'NtOpenIoCompletion', # 0xec 'NtOpenJobObject', # 0xed 'NtOpenKeyTransacted', # 0xee 'NtOpenKeyedEvent', # 0xef 'NtOpenMutant', # 0xf0 'NtOpenObjectAuditAlarm', # 0xf1 'NtOpenPrivateNamespace', # 0xf2 'NtOpenProcessToken', # 0xf3 'NtOpenResourceManager', # 0xf4 'NtOpenSemaphore', # 0xf5 'NtOpenSession', # 0xf6 'NtOpenSymbolicLinkObject', # 0xf7 'NtOpenThread', # 0xf8 'NtOpenTimer', # 0xf9 'NtOpenTransaction', # 0xfa 'NtOpenTransactionManager', # 0xfb 'NtPlugPlayControl', # 0xfc 'NtPrePrepareComplete', # 0xfd 'NtPrePrepareEnlistment', # 0xfe 'NtPrepareComplete', # 0xff 'NtPrepareEnlistment', # 0x100 'NtPrivilegeCheck', # 0x101 'NtPrivilegeObjectAuditAlarm', # 0x102 'NtPrivilegedServiceAuditAlarm', # 0x103 'NtPropagationComplete', # 
0x104 'NtPropagationFailed', # 0x105 'NtPulseEvent', # 0x106 'NtQueryBootEntryOrder', # 0x107 'NtQueryBootOptions', # 0x108 'NtQueryDebugFilterState', # 0x109 'NtQueryDirectoryObject', # 0x10a 'NtQueryDriverEntryOrder', # 0x10b 'NtQueryEaFile', # 0x10c 'NtQueryFullAttributesFile', # 0x10d 'NtQueryInformationAtom', # 0x10e 'NtQueryInformationEnlistment', # 0x10f 'NtQueryInformationJobObject', # 0x110 'NtQueryInformationPort', # 0x111 'NtQueryInformationResourceManager', # 0x112 'NtQueryInformationTransaction', # 0x113 'NtQueryInformationTransactionManager', # 0x114 'NtQueryInformationWorkerFactory', # 0x115 'NtQueryInstallUILanguage', # 0x116 'NtQueryIntervalProfile', # 0x117 'NtQueryIoCompletion', # 0x118 'NtQueryLicenseValue', # 0x119 'NtQueryMultipleValueKey', # 0x11a 'NtQueryMutant', # 0x11b 'NtQueryOpenSubKeys', # 0x11c 'NtQueryOpenSubKeysEx', # 0x11d 'NtQueryPortInformationProcess', # 0x11e 'NtQueryQuotaInformationFile', # 0x11f 'NtQuerySecurityObject', # 0x120 'NtQuerySemaphore', # 0x121 'NtQuerySymbolicLinkObject', # 0x122 'NtQuerySystemEnvironmentValue', # 0x123 'NtQuerySystemEnvironmentValueEx', # 0x124 'NtQueryTimerResolution', # 0x125 'NtRaiseException', # 0x126 'NtRaiseHardError', # 0x127 'NtReadOnlyEnlistment', # 0x128 'NtRecoverEnlistment', # 0x129 'NtRecoverResourceManager', # 0x12a 'NtRecoverTransactionManager', # 0x12b 'NtRegisterProtocolAddressInformation', # 0x12c 'NtRegisterThreadTerminatePort', # 0x12d 'NtReleaseCMFViewOwnership', # 0x12e 'NtReleaseKeyedEvent', # 0x12f 'NtReleaseWorkerFactoryWorker', # 0x130 'NtRemoveIoCompletionEx', # 0x131 'NtRemoveProcessDebug', # 0x132 'NtRenameKey', # 0x133 'NtRenameTransactionManager', # 0x134 'NtReplaceKey', # 0x135 'NtReplacePartitionUnit', # 0x136 'NtReplyWaitReplyPort', # 0x137 'NtRequestDeviceWakeup', # 0x138 'NtRequestPort', # 0x139 'NtRequestWakeupLatency', # 0x13a 'NtResetEvent', # 0x13b 'NtResetWriteWatch', # 0x13c 'NtRestoreKey', # 0x13d 'NtResumeProcess', # 0x13e 'NtRollbackComplete', # 0x13f 
    'NtRollbackEnlistment', # 0x140
    'NtRollbackTransaction', # 0x141
    'NtRollforwardTransactionManager', # 0x142
    'NtSaveKey', # 0x143
    'NtSaveKeyEx', # 0x144
    'NtSaveMergedKeys', # 0x145
    'NtSecureConnectPort', # 0x146
    'NtSetBootEntryOrder', # 0x147
    'NtSetBootOptions', # 0x148
    'NtSetContextThread', # 0x149
    'NtSetDebugFilterState', # 0x14a
    'NtSetDefaultHardErrorPort', # 0x14b
    'NtSetDefaultLocale', # 0x14c
    'NtSetDefaultUILanguage', # 0x14d
    'NtSetDriverEntryOrder', # 0x14e
    'NtSetEaFile', # 0x14f
    'NtSetHighEventPair', # 0x150
    'NtSetHighWaitLowEventPair', # 0x151
    'NtSetInformationDebugObject', # 0x152
    'NtSetInformationEnlistment', # 0x153
    'NtSetInformationJobObject', # 0x154
    'NtSetInformationKey', # 0x155
    'NtSetInformationResourceManager', # 0x156
    'NtSetInformationToken', # 0x157
    'NtSetInformationTransaction', # 0x158
    'NtSetInformationTransactionManager', # 0x159
    'NtSetInformationWorkerFactory', # 0x15a
    'NtSetIntervalProfile', # 0x15b
    'NtSetIoCompletion', # 0x15c
    'NtSetLdtEntries', # 0x15d
    'NtSetLowEventPair', # 0x15e
    'NtSetLowWaitHighEventPair', # 0x15f
    'NtSetQuotaInformationFile', # 0x160
    'NtSetSecurityObject', # 0x161
    'NtSetSystemEnvironmentValue', # 0x162
    'NtSetSystemEnvironmentValueEx', # 0x163
    'NtSetSystemInformation', # 0x164
    'NtSetSystemPowerState', # 0x165
    'NtSetSystemTime', # 0x166
    'NtSetThreadExecutionState', # 0x167
    'NtSetTimerResolution', # 0x168
    'NtSetUuidSeed', # 0x169
    'NtSetVolumeInformationFile', # 0x16a
    'NtShutdownSystem', # 0x16b
    'NtShutdownWorkerFactory', # 0x16c
    'NtSignalAndWaitForSingleObject', # 0x16d
    'NtSinglePhaseReject', # 0x16e
    'NtStartProfile', # 0x16f
    'NtStopProfile', # 0x170
    'NtSuspendProcess', # 0x171
    'NtSuspendThread', # 0x172
    'NtSystemDebugControl', # 0x173
    'NtTerminateJobObject', # 0x174
    'NtTestAlert', # 0x175
    'NtThawRegistry', # 0x176
    'NtThawTransactions', # 0x177
    'NtTraceControl', # 0x178
    'NtTranslateFilePath', # 0x179
    'NtUnloadDriver', # 0x17a
    'NtUnloadKey', # 0x17b
    'NtUnloadKey2', # 0x17c
    'NtUnloadKeyEx', # 0x17d
    'NtUnlockFile', # 0x17e
    'NtUnlockVirtualMemory', # 0x17f
    'NtVdmControl', # 0x180
    'NtWaitForDebugEvent', # 0x181
    'NtWaitForKeyedEvent', # 0x182
    'NtWaitForWorkViaWorkerFactory', # 0x183
    'NtWaitHighEventPair', # 0x184
    'NtWaitLowEventPair', # 0x185
    'NtWorkerFactoryWorkerReady', # 0x186
    ],
    [
    'NtUserGetThreadState', # 0x0
    'NtUserPeekMessage', # 0x1
    'NtUserCallOneParam', # 0x2
    'NtUserGetKeyState', # 0x3
    'NtUserInvalidateRect', # 0x4
    'NtUserCallNoParam', # 0x5
    'NtUserGetMessage', # 0x6
    'NtUserMessageCall', # 0x7
    'NtGdiBitBlt', # 0x8
    'NtGdiGetCharSet', # 0x9
    'NtUserGetDC', # 0xa
    'NtGdiSelectBitmap', # 0xb
    'NtUserWaitMessage', # 0xc
    'NtUserTranslateMessage', # 0xd
    'NtUserGetProp', # 0xe
    'NtUserPostMessage', # 0xf
    'NtUserQueryWindow', # 0x10
    'NtUserTranslateAccelerator', # 0x11
    'NtGdiFlush', # 0x12
    'NtUserRedrawWindow', # 0x13
    'NtUserWindowFromPoint', # 0x14
    'NtUserCallMsgFilter', # 0x15
    'NtUserValidateTimerCallback', # 0x16
    'NtUserBeginPaint', # 0x17
    'NtUserSetTimer', # 0x18
    'NtUserEndPaint', # 0x19
    'NtUserSetCursor', # 0x1a
    'NtUserKillTimer', # 0x1b
    'NtUserBuildHwndList', # 0x1c
    'NtUserSelectPalette', # 0x1d
    'NtUserCallNextHookEx', # 0x1e
    'NtUserHideCaret', # 0x1f
    'NtGdiIntersectClipRect', # 0x20
    'NtUserCallHwndLock', # 0x21
    'NtUserGetProcessWindowStation', # 0x22
    'NtGdiDeleteObjectApp', # 0x23
    'NtUserSetWindowPos', # 0x24
    'NtUserShowCaret', # 0x25
    'NtUserEndDeferWindowPosEx', # 0x26
    'NtUserCallHwndParamLock', # 0x27
    'NtUserVkKeyScanEx', # 0x28
    'NtGdiSetDIBitsToDeviceInternal', # 0x29
    'NtUserCallTwoParam', # 0x2a
    'NtGdiGetRandomRgn', # 0x2b
    'NtUserCopyAcceleratorTable', # 0x2c
    'NtUserNotifyWinEvent', # 0x2d
    'NtGdiExtSelectClipRgn', # 0x2e
    'NtUserIsClipboardFormatAvailable', # 0x2f
    'NtUserSetScrollInfo', # 0x30
    'NtGdiStretchBlt', # 0x31
    'NtUserCreateCaret', # 0x32
    'NtGdiRectVisible', # 0x33
    'NtGdiCombineRgn', # 0x34
    'NtGdiGetDCObject', # 0x35
    'NtUserDispatchMessage', # 0x36
    'NtUserRegisterWindowMessage', # 0x37
    'NtGdiExtTextOutW', # 0x38
    'NtGdiSelectFont', # 0x39
    'NtGdiRestoreDC', # 0x3a
    'NtGdiSaveDC', # 0x3b
    'NtUserGetForegroundWindow', # 0x3c
    'NtUserShowScrollBar', # 0x3d
    'NtUserFindExistingCursorIcon', # 0x3e
    'NtGdiGetDCDword', # 0x3f
    'NtGdiGetRegionData', # 0x40
    'NtGdiLineTo', # 0x41
    'NtUserSystemParametersInfo', # 0x42
    'NtGdiGetAppClipBox', # 0x43
    'NtUserGetAsyncKeyState', # 0x44
    'NtUserGetCPD', # 0x45
    'NtUserRemoveProp', # 0x46
    'NtGdiDoPalette', # 0x47
    'NtGdiPolyPolyDraw', # 0x48
    'NtUserSetCapture', # 0x49
    'NtUserEnumDisplayMonitors', # 0x4a
    'NtGdiCreateCompatibleBitmap', # 0x4b
    'NtUserSetProp', # 0x4c
    'NtGdiGetTextCharsetInfo', # 0x4d
    'NtUserSBGetParms', # 0x4e
    'NtUserGetIconInfo', # 0x4f
    'NtUserExcludeUpdateRgn', # 0x50
    'NtUserSetFocus', # 0x51
    'NtGdiExtGetObjectW', # 0x52
    'NtUserDeferWindowPos', # 0x53
    'NtUserGetUpdateRect', # 0x54
    'NtGdiCreateCompatibleDC', # 0x55
    'NtUserGetClipboardSequenceNumber', # 0x56
    'NtGdiCreatePen', # 0x57
    'NtUserShowWindow', # 0x58
    'NtUserGetKeyboardLayoutList', # 0x59
    'NtGdiPatBlt', # 0x5a
    'NtUserMapVirtualKeyEx', # 0x5b
    'NtUserSetWindowLong', # 0x5c
    'NtGdiHfontCreate', # 0x5d
    'NtUserMoveWindow', # 0x5e
    'NtUserPostThreadMessage', # 0x5f
    'NtUserDrawIconEx', # 0x60
    'NtUserGetSystemMenu', # 0x61
    'NtGdiDrawStream', # 0x62
    'NtUserInternalGetWindowText', # 0x63
    'NtUserGetWindowDC', # 0x64
    'NtGdiD3dDrawPrimitives2', # 0x65
    'NtGdiInvertRgn', # 0x66
    'NtGdiGetRgnBox', # 0x67
    'NtGdiGetAndSetDCDword', # 0x68
    'NtGdiMaskBlt', # 0x69
    'NtGdiGetWidthTable', # 0x6a
    'NtUserScrollDC', # 0x6b
    'NtUserGetObjectInformation', # 0x6c
    'NtGdiCreateBitmap', # 0x6d
    'NtGdiConsoleTextOut', # 0x6e
    'NtUserFindWindowEx', # 0x6f
    'NtGdiPolyPatBlt', # 0x70
    'NtUserUnhookWindowsHookEx', # 0x71
    'NtGdiGetNearestColor', # 0x72
    'NtGdiTransformPoints', # 0x73
    'NtGdiGetDCPoint', # 0x74
    'NtUserCheckImeHotKey', # 0x75
    'NtGdiCreateDIBBrush', # 0x76
    'NtGdiGetTextMetricsW', # 0x77
    'NtUserCreateWindowEx', # 0x78
    'NtUserSetParent', # 0x79
    'NtUserGetKeyboardState', # 0x7a
    'NtUserToUnicodeEx', # 0x7b
    'NtUserGetControlBrush', # 0x7c
    'NtUserGetClassName', # 0x7d
    'NtGdiAlphaBlend', # 0x7e
    'NtGdiDdBlt', # 0x7f
    'NtGdiOffsetRgn', # 0x80
    'NtUserDefSetText', # 0x81
    'NtGdiGetTextFaceW', # 0x82
    'NtGdiStretchDIBitsInternal', # 0x83
    'NtUserSendInput', # 0x84
    'NtUserGetThreadDesktop', # 0x85
    'NtGdiCreateRectRgn', # 0x86
    'NtGdiGetDIBitsInternal', # 0x87
    'NtUserGetUpdateRgn', # 0x88
    'NtGdiDeleteClientObj', # 0x89
    'NtUserGetIconSize', # 0x8a
    'NtUserFillWindow', # 0x8b
    'NtGdiExtCreateRegion', # 0x8c
    'NtGdiComputeXformCoefficients', # 0x8d
    'NtUserSetWindowsHookEx', # 0x8e
    'NtUserNotifyProcessCreate', # 0x8f
    'NtGdiUnrealizeObject', # 0x90
    'NtUserGetTitleBarInfo', # 0x91
    'NtGdiRectangle', # 0x92
    'NtUserSetThreadDesktop', # 0x93
    'NtUserGetDCEx', # 0x94
    'NtUserGetScrollBarInfo', # 0x95
    'NtGdiGetTextExtent', # 0x96
    'NtUserSetWindowFNID', # 0x97
    'NtGdiSetLayout', # 0x98
    'NtUserCalcMenuBar', # 0x99
    'NtUserThunkedMenuItemInfo', # 0x9a
    'NtGdiExcludeClipRect', # 0x9b
    'NtGdiCreateDIBSection', # 0x9c
    'NtGdiGetDCforBitmap', # 0x9d
    'NtUserDestroyCursor', # 0x9e
    'NtUserDestroyWindow', # 0x9f
    'NtUserCallHwndParam', # 0xa0
    'NtGdiCreateDIBitmapInternal', # 0xa1
    'NtUserOpenWindowStation', # 0xa2
    'NtGdiDdDeleteSurfaceObject', # 0xa3
    'NtGdiEnumFontClose', # 0xa4
    'NtGdiEnumFontOpen', # 0xa5
    'NtGdiEnumFontChunk', # 0xa6
    'NtGdiDdCanCreateSurface', # 0xa7
    'NtGdiDdCreateSurface', # 0xa8
    'NtUserSetCursorIconData', # 0xa9
    'NtGdiDdDestroySurface', # 0xaa
    'NtUserCloseDesktop', # 0xab
    'NtUserOpenDesktop', # 0xac
    'NtUserSetProcessWindowStation', # 0xad
    'NtUserGetAtomName', # 0xae
    'NtGdiDdResetVisrgn', # 0xaf
    'NtGdiExtCreatePen', # 0xb0
    'NtGdiCreatePaletteInternal', # 0xb1
    'NtGdiSetBrushOrg', # 0xb2
    'NtUserBuildNameList', # 0xb3
    'NtGdiSetPixel', # 0xb4
    'NtUserRegisterClassExWOW', # 0xb5
    'NtGdiCreatePatternBrushInternal', # 0xb6
    'NtUserGetAncestor', # 0xb7
    'NtGdiGetOutlineTextMetricsInternalW', # 0xb8
    'NtGdiSetBitmapBits', # 0xb9
    'NtUserCloseWindowStation', # 0xba
    'NtUserGetDoubleClickTime', # 0xbb
    'NtUserEnableScrollBar', # 0xbc
    'NtGdiCreateSolidBrush', # 0xbd
    'NtUserGetClassInfoEx', # 0xbe
    'NtGdiCreateClientObj', # 0xbf
    'NtUserUnregisterClass', # 0xc0
    'NtUserDeleteMenu', # 0xc1
    'NtGdiRectInRegion', # 0xc2
    'NtUserScrollWindowEx', # 0xc3
    'NtGdiGetPixel', # 0xc4
    'NtUserSetClassLong', # 0xc5
    'NtUserGetMenuBarInfo', # 0xc6
    'NtGdiDdCreateSurfaceEx', # 0xc7
    'NtGdiDdCreateSurfaceObject', # 0xc8
    'NtGdiGetNearestPaletteIndex', # 0xc9
    'NtGdiDdLockD3D', # 0xca
    'NtGdiDdUnlockD3D', # 0xcb
    'NtGdiGetCharWidthW', # 0xcc
    'NtUserInvalidateRgn', # 0xcd
    'NtUserGetClipboardOwner', # 0xce
    'NtUserSetWindowRgn', # 0xcf
    'NtUserBitBltSysBmp', # 0xd0
    'NtGdiGetCharWidthInfo', # 0xd1
    'NtUserValidateRect', # 0xd2
    'NtUserCloseClipboard', # 0xd3
    'NtUserOpenClipboard', # 0xd4
    'NtGdiGetStockObject', # 0xd5
    'NtUserSetClipboardData', # 0xd6
    'NtUserEnableMenuItem', # 0xd7
    'NtUserAlterWindowStyle', # 0xd8
    'NtGdiFillRgn', # 0xd9
    'NtUserGetWindowPlacement', # 0xda
    'NtGdiModifyWorldTransform', # 0xdb
    'NtGdiGetFontData', # 0xdc
    'NtUserGetOpenClipboardWindow', # 0xdd
    'NtUserSetThreadState', # 0xde
    'NtGdiOpenDCW', # 0xdf
    'NtUserTrackMouseEvent', # 0xe0
    'NtGdiGetTransform', # 0xe1
    'NtUserDestroyMenu', # 0xe2
    'NtGdiGetBitmapBits', # 0xe3
    'NtUserConsoleControl', # 0xe4
    'NtUserSetActiveWindow', # 0xe5
    'NtUserSetInformationThread', # 0xe6
    'NtUserSetWindowPlacement', # 0xe7
    'NtUserGetControlColor', # 0xe8
    'NtGdiSetMetaRgn', # 0xe9
    'NtGdiSetMiterLimit', # 0xea
    'NtGdiSetVirtualResolution', # 0xeb
    'NtGdiGetRasterizerCaps', # 0xec
    'NtUserSetWindowWord', # 0xed
    'NtUserGetClipboardFormatName', # 0xee
    'NtUserRealInternalGetMessage', # 0xef
    'NtUserCreateLocalMemHandle', # 0xf0
    'NtUserAttachThreadInput', # 0xf1
    'NtGdiCreateHalftonePalette', # 0xf2
    'NtUserPaintMenuBar', # 0xf3
    'NtUserSetKeyboardState', # 0xf4
    'NtGdiCombineTransform', # 0xf5
    'NtUserCreateAcceleratorTable', # 0xf6
    'NtUserGetCursorFrameInfo', # 0xf7
    'NtUserGetAltTabInfo', # 0xf8
    'NtUserGetCaretBlinkTime', # 0xf9
    'NtGdiQueryFontAssocInfo', # 0xfa
    'NtUserProcessConnect', # 0xfb
    'NtUserEnumDisplayDevices', # 0xfc
    'NtUserEmptyClipboard', # 0xfd
    'NtUserGetClipboardData', # 0xfe
    'NtUserRemoveMenu', # 0xff
    'NtGdiSetBoundsRect', # 0x100
    'NtUserSetInformationProcess', # 0x101
    'NtGdiGetBitmapDimension', # 0x102
    'NtUserConvertMemHandle', # 0x103
    'NtUserDestroyAcceleratorTable', # 0x104
    'NtUserGetGUIThreadInfo', # 0x105
    'NtGdiCloseFigure', # 0x106
    'NtUserSetWindowsHookAW', # 0x107
    'NtUserSetMenuDefaultItem', # 0x108
    'NtUserCheckMenuItem', # 0x109
    'NtUserSetWinEventHook', # 0x10a
    'NtUserUnhookWinEvent', # 0x10b
    'NtGdiSetupPublicCFONT', # 0x10c
    'NtUserLockWindowUpdate', # 0x10d
    'NtUserSetSystemMenu', # 0x10e
    'NtUserThunkedMenuInfo', # 0x10f
    'NtGdiBeginPath', # 0x110
    'NtGdiEndPath', # 0x111
    'NtGdiFillPath', # 0x112
    'NtUserCallHwnd', # 0x113
    'NtUserDdeInitialize', # 0x114
    'NtUserModifyUserStartupInfoFlags', # 0x115
    'NtUserCountClipboardFormats', # 0x116
    'NtGdiAddFontMemResourceEx', # 0x117
    'NtGdiEqualRgn', # 0x118
    'NtGdiGetSystemPaletteUse', # 0x119
    'NtGdiRemoveFontMemResourceEx', # 0x11a
    'NtUserEnumDisplaySettings', # 0x11b
    'NtUserPaintDesktop', # 0x11c
    'NtGdiExtEscape', # 0x11d
    'NtGdiSetBitmapDimension', # 0x11e
    'NtGdiSetFontEnumeration', # 0x11f
    'NtUserChangeClipboardChain', # 0x120
    'NtUserResolveDesktop', # 0x121
    'NtUserSetClipboardViewer', # 0x122
    'NtUserShowWindowAsync', # 0x123
    'NtUserSetConsoleReserveKeys', # 0x124
    'NtGdiCreateColorSpace', # 0x125
    'NtGdiDeleteColorSpace', # 0x126
    'NtUserActivateKeyboardLayout', # 0x127
    'NtGdiAbortDoc', # 0x128
    'NtGdiAbortPath', # 0x129
    'NtGdiAddEmbFontToDC', # 0x12a
    'NtGdiAddFontResourceW', # 0x12b
    'NtGdiAddRemoteFontToDC', # 0x12c
    'NtGdiAddRemoteMMInstanceToDC', # 0x12d
    'NtGdiAngleArc', # 0x12e
    'NtGdiAnyLinkedFonts', # 0x12f
    'NtGdiArcInternal', # 0x130
    'NtGdiBRUSHOBJ_DeleteRbrush', # 0x131
    'NtGdiBRUSHOBJ_hGetColorTransform', # 0x132
    'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x133
    'NtGdiBRUSHOBJ_pvGetRbrush', # 0x134
    'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x135
    'NtGdiCLIPOBJ_bEnum', # 0x136
    'NtGdiCLIPOBJ_cEnumStart', # 0x137
    'NtGdiCLIPOBJ_ppoGetPath', # 0x138
    'NtGdiCancelDC', # 0x139
    'NtGdiChangeGhostFont', # 0x13a
    'NtGdiCheckBitmapBits', # 0x13b
    'NtGdiClearBitmapAttributes', # 0x13c
    'NtGdiClearBrushAttributes', # 0x13d
    'NtGdiColorCorrectPalette', # 0x13e
    'NtGdiConfigureOPMProtectedOutput', # 0x13f
    'NtGdiConvertMetafileRect', # 0x140
    'NtGdiCreateColorTransform', # 0x141
    'NtGdiCreateEllipticRgn', # 0x142
    'NtGdiCreateHatchBrushInternal', # 0x143
    'NtGdiCreateMetafileDC', # 0x144
    'NtGdiCreateOPMProtectedOutputs', # 0x145
    'NtGdiCreateRoundRectRgn', # 0x146
    'NtGdiCreateServerMetaFile', # 0x147
    'NtGdiD3dContextCreate', # 0x148
    'NtGdiD3dContextDestroy', # 0x149
    'NtGdiD3dContextDestroyAll', # 0x14a
    'NtGdiD3dValidateTextureStageState', # 0x14b
    'NtGdiDDCCIGetCapabilitiesString', # 0x14c
    'NtGdiDDCCIGetCapabilitiesStringLength', # 0x14d
    'NtGdiDDCCIGetTimingReport', # 0x14e
    'NtGdiDDCCIGetVCPFeature', # 0x14f
    'NtGdiDDCCISaveCurrentSettings', # 0x150
    'NtGdiDDCCISetVCPFeature', # 0x151
    'NtGdiDdAddAttachedSurface', # 0x152
    'NtGdiDdAlphaBlt', # 0x153
    'NtGdiDdAttachSurface', # 0x154
    'NtGdiDdBeginMoCompFrame', # 0x155
    'NtGdiDdCanCreateD3DBuffer', # 0x156
    'NtGdiDdColorControl', # 0x157
    'NtGdiDdCreateD3DBuffer', # 0x158
    'NtGdiDdCreateDirectDrawObject', # 0x159
    'NtGdiDdCreateMoComp', # 0x15a
    'NtGdiDdDDICheckExclusiveOwnership', # 0x15b
    'NtGdiDdDDICheckMonitorPowerState', # 0x15c
    'NtGdiDdDDICheckOcclusion', # 0x15d
    'NtGdiDdDDICloseAdapter', # 0x15e
    'NtGdiDdDDICreateAllocation', # 0x15f
    'NtGdiDdDDICreateContext', # 0x160
    'NtGdiDdDDICreateDCFromMemory', # 0x161
    'NtGdiDdDDICreateDevice', # 0x162
    'NtGdiDdDDICreateOverlay', # 0x163
    'NtGdiDdDDICreateSynchronizationObject', # 0x164
    'NtGdiDdDDIDestroyAllocation', # 0x165
    'NtGdiDdDDIDestroyContext', # 0x166
    'NtGdiDdDDIDestroyDCFromMemory', # 0x167
    'NtGdiDdDDIDestroyDevice', # 0x168
    'NtGdiDdDDIDestroyOverlay', # 0x169
    'NtGdiDdDDIDestroySynchronizationObject', # 0x16a
    'NtGdiDdDDIEscape', # 0x16b
    'NtGdiDdDDIFlipOverlay', # 0x16c
    'NtGdiDdDDIGetContextSchedulingPriority', # 0x16d
    'NtGdiDdDDIGetDeviceState', # 0x16e
    'NtGdiDdDDIGetDisplayModeList', # 0x16f
    'NtGdiDdDDIGetMultisampleMethodList', # 0x170
    'NtGdiDdDDIGetPresentHistory', # 0x171
    'NtGdiDdDDIGetProcessSchedulingPriorityClass', # 0x172
    'NtGdiDdDDIGetRuntimeData', # 0x173
    'NtGdiDdDDIGetScanLine', # 0x174
    'NtGdiDdDDIGetSharedPrimaryHandle', # 0x175
    'NtGdiDdDDIInvalidateActiveVidPn', # 0x176
    'NtGdiDdDDILock', # 0x177
    'NtGdiDdDDIOpenAdapterFromDeviceName', # 0x178
    'NtGdiDdDDIOpenAdapterFromHdc', # 0x179
    'NtGdiDdDDIOpenResource', # 0x17a
    'NtGdiDdDDIPollDisplayChildren', # 0x17b
    'NtGdiDdDDIPresent', # 0x17c
    'NtGdiDdDDIQueryAdapterInfo', # 0x17d
    'NtGdiDdDDIQueryAllocationResidency', # 0x17e
    'NtGdiDdDDIQueryResourceInfo', # 0x17f
    'NtGdiDdDDIQueryStatistics', # 0x180
    'NtGdiDdDDIReleaseProcessVidPnSourceOwners', # 0x181
    'NtGdiDdDDIRender', # 0x182
    'NtGdiDdDDISetAllocationPriority', # 0x183
    'NtGdiDdDDISetContextSchedulingPriority', # 0x184
    'NtGdiDdDDISetDisplayMode', # 0x185
    'NtGdiDdDDISetDisplayPrivateDriverFormat', # 0x186
    'NtGdiDdDDISetGammaRamp', # 0x187
    'NtGdiDdDDISetProcessSchedulingPriorityClass', # 0x188
    'NtGdiDdDDISetQueuedLimit', # 0x189
    'NtGdiDdDDISetVidPnSourceOwner', # 0x18a
    'NtGdiDdDDISharedPrimaryLockNotification', # 0x18b
    'NtGdiDdDDISharedPrimaryUnLockNotification', # 0x18c
    'NtGdiDdDDISignalSynchronizationObject', # 0x18d
    'NtGdiDdDDIUnlock', # 0x18e
    'NtGdiDdDDIUpdateOverlay', # 0x18f
    'NtGdiDdDDIWaitForIdle', # 0x190
    'NtGdiDdDDIWaitForSynchronizationObject', # 0x191
    'NtGdiDdDDIWaitForVerticalBlankEvent', # 0x192
    'NtGdiDdDeleteDirectDrawObject', # 0x193
    'NtGdiDdDestroyD3DBuffer', # 0x194
    'NtGdiDdDestroyMoComp', # 0x195
    'NtGdiDdEndMoCompFrame', # 0x196
    'NtGdiDdFlip', # 0x197
    'NtGdiDdFlipToGDISurface', # 0x198
    'NtGdiDdGetAvailDriverMemory', # 0x199
    'NtGdiDdGetBltStatus', # 0x19a
    'NtGdiDdGetDC', # 0x19b
    'NtGdiDdGetDriverInfo', # 0x19c
    'NtGdiDdGetDriverState', # 0x19d
    'NtGdiDdGetDxHandle', # 0x19e
    'NtGdiDdGetFlipStatus', # 0x19f
    'NtGdiDdGetInternalMoCompInfo', # 0x1a0
    'NtGdiDdGetMoCompBuffInfo', # 0x1a1
    'NtGdiDdGetMoCompFormats', # 0x1a2
    'NtGdiDdGetMoCompGuids', # 0x1a3
    'NtGdiDdGetScanLine', # 0x1a4
    'NtGdiDdLock', # 0x1a5
    'NtGdiDdQueryDirectDrawObject', # 0x1a6
    'NtGdiDdQueryMoCompStatus', # 0x1a7
    'NtGdiDdReenableDirectDrawObject', # 0x1a8
    'NtGdiDdReleaseDC', # 0x1a9
    'NtGdiDdRenderMoComp', # 0x1aa
    'NtGdiDdSetColorKey', # 0x1ab
    'NtGdiDdSetExclusiveMode', # 0x1ac
    'NtGdiDdSetGammaRamp', # 0x1ad
    'NtGdiDdSetOverlayPosition', # 0x1ae
    'NtGdiDdUnattachSurface', # 0x1af
    'NtGdiDdUnlock', # 0x1b0
    'NtGdiDdUpdateOverlay', # 0x1b1
    'NtGdiDdWaitForVerticalBlank', # 0x1b2
    'NtGdiDeleteColorTransform', # 0x1b3
    'NtGdiDescribePixelFormat', # 0x1b4
    'NtGdiDestroyOPMProtectedOutput', # 0x1b5
    'NtGdiDestroyPhysicalMonitor', # 0x1b6
    'NtGdiDoBanding', # 0x1b7
    'NtGdiDrawEscape', # 0x1b8
    'NtGdiDvpAcquireNotification', # 0x1b9
    'NtGdiDvpCanCreateVideoPort', # 0x1ba
    'NtGdiDvpColorControl', # 0x1bb
    'NtGdiDvpCreateVideoPort', # 0x1bc
    'NtGdiDvpDestroyVideoPort', # 0x1bd
    'NtGdiDvpFlipVideoPort', # 0x1be
    'NtGdiDvpGetVideoPortBandwidth', # 0x1bf
    'NtGdiDvpGetVideoPortConnectInfo', # 0x1c0
    'NtGdiDvpGetVideoPortField', # 0x1c1
    'NtGdiDvpGetVideoPortFlipStatus', # 0x1c2
    'NtGdiDvpGetVideoPortInputFormats', # 0x1c3
    'NtGdiDvpGetVideoPortLine', # 0x1c4
    'NtGdiDvpGetVideoPortOutputFormats', # 0x1c5
    'NtGdiDvpGetVideoSignalStatus', # 0x1c6
    'NtGdiDvpReleaseNotification', # 0x1c7
    'NtGdiDvpUpdateVideoPort', # 0x1c8
    'NtGdiDvpWaitForVideoPortSync', # 0x1c9
    'NtGdiDwmGetDirtyRgn', # 0x1ca
    'NtGdiDwmGetSurfaceData', # 0x1cb
    'NtGdiDxgGenericThunk', # 0x1cc
    'NtGdiEllipse', # 0x1cd
    'NtGdiEnableEudc', # 0x1ce
    'NtGdiEndDoc', # 0x1cf
    'NtGdiEndPage', # 0x1d0
    'NtGdiEngAlphaBlend', # 0x1d1
    'NtGdiEngAssociateSurface', # 0x1d2
    'NtGdiEngBitBlt', # 0x1d3
    'NtGdiEngCheckAbort', # 0x1d4
    'NtGdiEngComputeGlyphSet', # 0x1d5
    'NtGdiEngCopyBits', # 0x1d6
    'NtGdiEngCreateBitmap', # 0x1d7
    'NtGdiEngCreateClip', # 0x1d8
    'NtGdiEngCreateDeviceBitmap', # 0x1d9
    'NtGdiEngCreateDeviceSurface', # 0x1da
    'NtGdiEngCreatePalette', # 0x1db
    'NtGdiEngDeleteClip', # 0x1dc
    'NtGdiEngDeletePalette', # 0x1dd
    'NtGdiEngDeletePath', # 0x1de
    'NtGdiEngDeleteSurface', # 0x1df
    'NtGdiEngEraseSurface', # 0x1e0
    'NtGdiEngFillPath', # 0x1e1
    'NtGdiEngGradientFill', # 0x1e2
    'NtGdiEngLineTo', # 0x1e3
    'NtGdiEngLockSurface', # 0x1e4
    'NtGdiEngMarkBandingSurface', # 0x1e5
    'NtGdiEngPaint', # 0x1e6
    'NtGdiEngPlgBlt', # 0x1e7
    'NtGdiEngStretchBlt', # 0x1e8
    'NtGdiEngStretchBltROP', # 0x1e9
    'NtGdiEngStrokeAndFillPath', # 0x1ea
    'NtGdiEngStrokePath', # 0x1eb
    'NtGdiEngTextOut', # 0x1ec
    'NtGdiEngTransparentBlt', # 0x1ed
    'NtGdiEngUnlockSurface', # 0x1ee
    'NtGdiEnumObjects', # 0x1ef
    'NtGdiEudcLoadUnloadLink', # 0x1f0
    'NtGdiExtFloodFill', # 0x1f1
    'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x1f2
    'NtGdiFONTOBJ_cGetGlyphs', # 0x1f3
    'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x1f4
    'NtGdiFONTOBJ_pfdg', # 0x1f5
    'NtGdiFONTOBJ_pifi', # 0x1f6
    'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x1f7
    'NtGdiFONTOBJ_pxoGetXform', # 0x1f8
    'NtGdiFONTOBJ_vGetInfo', # 0x1f9
    'NtGdiFlattenPath', # 0x1fa
    'NtGdiFontIsLinked', # 0x1fb
    'NtGdiForceUFIMapping', # 0x1fc
    'NtGdiFrameRgn', # 0x1fd
    'NtGdiFullscreenControl', # 0x1fe
    'NtGdiGetBoundsRect', # 0x1ff
    'NtGdiGetCOPPCompatibleOPMInformation', # 0x200
    'NtGdiGetCertificate', # 0x201
    'NtGdiGetCertificateSize', # 0x202
    'NtGdiGetCharABCWidthsW', # 0x203
    'NtGdiGetCharacterPlacementW', # 0x204
    'NtGdiGetColorAdjustment', # 0x205
    'NtGdiGetColorSpaceforBitmap', # 0x206
    'NtGdiGetDeviceCaps', # 0x207
    'NtGdiGetDeviceCapsAll', # 0x208
    'NtGdiGetDeviceGammaRamp', # 0x209
    'NtGdiGetDeviceWidth', # 0x20a
    'NtGdiGetDhpdev', # 0x20b
    'NtGdiGetETM', # 0x20c
    'NtGdiGetEmbUFI', # 0x20d
    'NtGdiGetEmbedFonts', # 0x20e
    'NtGdiGetEudcTimeStampEx', # 0x20f
    'NtGdiGetFontResourceInfoInternalW', # 0x210
    'NtGdiGetFontUnicodeRanges', # 0x211
    'NtGdiGetGlyphIndicesW', # 0x212
    'NtGdiGetGlyphIndicesWInternal', # 0x213
    'NtGdiGetGlyphOutline', # 0x214
    'NtGdiGetKerningPairs', # 0x215
    'NtGdiGetLinkedUFIs', # 0x216
    'NtGdiGetMiterLimit', # 0x217
    'NtGdiGetMonitorID', # 0x218
    'NtGdiGetNumberOfPhysicalMonitors', # 0x219
    'NtGdiGetOPMInformation', # 0x21a
    'NtGdiGetOPMRandomNumber', # 0x21b
    'NtGdiGetObjectBitmapHandle', # 0x21c
    'NtGdiGetPath', # 0x21d
    'NtGdiGetPerBandInfo', # 0x21e
    'NtGdiGetPhysicalMonitorDescription', # 0x21f
    'NtGdiGetPhysicalMonitors', # 0x220
    'NtGdiGetRealizationInfo', # 0x221
    'NtGdiGetServerMetaFileBits', # 0x222
    'NtGdiGetSpoolMessage', # 0x223
    'NtGdiGetStats', # 0x224
    'NtGdiGetStringBitmapW', # 0x225
    'NtGdiGetSuggestedOPMProtectedOutputArraySize', # 0x226
    'NtGdiGetTextExtentExW', # 0x227
    'NtGdiGetUFI', # 0x228
    'NtGdiGetUFIPathname', # 0x229
    'NtGdiGradientFill', # 0x22a
    'NtGdiHT_Get8BPPFormatPalette', # 0x22b
    'NtGdiHT_Get8BPPMaskPalette', # 0x22c
    'NtGdiIcmBrushInfo', # 0x22d
    'NtGdiInit', # 0x22e
    'NtGdiInitSpool', # 0x22f
    'NtGdiMakeFontDir', # 0x230
    'NtGdiMakeInfoDC', # 0x231
    'NtGdiMakeObjectUnXferable', # 0x232
    'NtGdiMakeObjectXferable', # 0x233
    'NtGdiMirrorWindowOrg', # 0x234
    'NtGdiMonoBitmap', # 0x235
    'NtGdiMoveTo', # 0x236
    'NtGdiOffsetClipRgn', # 0x237
    'NtGdiPATHOBJ_bEnum', # 0x238
    'NtGdiPATHOBJ_bEnumClipLines', # 0x239
    'NtGdiPATHOBJ_vEnumStart', # 0x23a
    'NtGdiPATHOBJ_vEnumStartClipLines', # 0x23b
    'NtGdiPATHOBJ_vGetBounds', # 0x23c
    'NtGdiPathToRegion', # 0x23d
    'NtGdiPlgBlt', # 0x23e
    'NtGdiPolyDraw', # 0x23f
    'NtGdiPolyTextOutW', # 0x240
    'NtGdiPtInRegion', # 0x241
    'NtGdiPtVisible', # 0x242
    'NtGdiQueryFonts', # 0x243
    'NtGdiRemoveFontResourceW', # 0x244
    'NtGdiRemoveMergeFont', # 0x245
    'NtGdiResetDC', # 0x246
    'NtGdiResizePalette', # 0x247
    'NtGdiRoundRect', # 0x248
    'NtGdiSTROBJ_bEnum', # 0x249
    'NtGdiSTROBJ_bEnumPositionsOnly', # 0x24a
    'NtGdiSTROBJ_bGetAdvanceWidths', # 0x24b
    'NtGdiSTROBJ_dwGetCodePage', # 0x24c
    'NtGdiSTROBJ_vEnumStart', # 0x24d
    'NtGdiScaleViewportExtEx', # 0x24e
    'NtGdiScaleWindowExtEx', # 0x24f
    'NtGdiSelectBrush', # 0x250
    'NtGdiSelectClipPath', # 0x251
    'NtGdiSelectPen', # 0x252
    'NtGdiSetBitmapAttributes', # 0x253
    'NtGdiSetBrushAttributes', # 0x254
    'NtGdiSetColorAdjustment', # 0x255
    'NtGdiSetColorSpace', # 0x256
    'NtGdiSetDeviceGammaRamp', # 0x257
    'NtGdiSetFontXform', # 0x258
    'NtGdiSetIcmMode', # 0x259
    'NtGdiSetLinkedUFIs', # 0x25a
    'NtGdiSetMagicColors', # 0x25b
    'NtGdiSetOPMSigningKeyAndSequenceNumbers', # 0x25c
    'NtGdiSetPUMPDOBJ', # 0x25d
    'NtGdiSetPixelFormat', # 0x25e
    'NtGdiSetRectRgn', # 0x25f
    'NtGdiSetSizeDevice', # 0x260
    'NtGdiSetSystemPaletteUse', # 0x261
    'NtGdiSetTextJustification', # 0x262
    'NtGdiStartDoc', # 0x263
    'NtGdiStartPage', # 0x264
    'NtGdiStrokeAndFillPath', # 0x265
    'NtGdiStrokePath', # 0x266
    'NtGdiSwapBuffers', # 0x267
    'NtGdiTransparentBlt', # 0x268
    'NtGdiUMPDEngFreeUserMem', # 0x269
    'NtGdiUnloadPrinterDriver', # 0x26a
    'NtGdiUnmapMemFont', # 0x26b
    'NtGdiUpdateColors', # 0x26c
    'NtGdiUpdateTransform', # 0x26d
    'NtGdiWidenPath', # 0x26e
    'NtGdiXFORMOBJ_bApplyXform', # 0x26f
    'NtGdiXFORMOBJ_iGetXform', # 0x270
    'NtGdiXLATEOBJ_cGetPalette', # 0x271
    'NtGdiXLATEOBJ_hGetColorTransform', # 0x272
    'NtGdiXLATEOBJ_iXlate', # 0x273
    'NtUserAddClipboardFormatListener', # 0x274
    'NtUserAssociateInputContext', # 0x275
    'NtUserBlockInput', # 0x276
    'NtUserBuildHimcList', # 0x277
    'NtUserBuildPropList', # 0x278
    'NtUserCallHwndOpt', # 0x279
    'NtUserChangeDisplaySettings', # 0x27a
    'NtUserCheckAccessForIntegrityLevel', # 0x27b
    'NtUserCheckDesktopByThreadId', # 0x27c
    'NtUserCheckWindowThreadDesktop', # 0x27d
    'NtUserChildWindowFromPointEx', # 0x27e
    'NtUserClipCursor', # 0x27f
    'NtUserCreateDesktopEx', # 0x280
    'NtUserCreateInputContext', # 0x281
    'NtUserCreateWindowStation', # 0x282
    'NtUserCtxDisplayIOCtl', # 0x283
    'NtUserDestroyInputContext', # 0x284
    'NtUserDisableThreadIme', # 0x285
    'NtUserDoSoundConnect', # 0x286
    'NtUserDoSoundDisconnect', # 0x287
    'NtUserDragDetect', # 0x288
    'NtUserDragObject', # 0x289
    'NtUserDrawAnimatedRects', # 0x28a
    'NtUserDrawCaption', # 0x28b
    'NtUserDrawCaptionTemp', # 0x28c
    'NtUserDrawMenuBarTemp', # 0x28d
    'NtUserDwmGetDxRgn', # 0x28e
    'NtUserDwmHintDxUpdate', # 0x28f
    'NtUserDwmStartRedirection', # 0x290
    'NtUserDwmStopRedirection', # 0x291
    'NtUserEndMenu', # 0x292
    'NtUserEvent', # 0x293
    'NtUserFlashWindowEx', # 0x294
    'NtUserFrostCrashedWindow', # 0x295
    'NtUserGetAppImeLevel', # 0x296
    'NtUserGetCaretPos', # 0x297
    'NtUserGetClipCursor', # 0x298
    'NtUserGetClipboardViewer', # 0x299
    'NtUserGetComboBoxInfo', # 0x29a
    'NtUserGetCursorInfo', # 0x29b
    'NtUserGetGuiResources', # 0x29c
    'NtUserGetImeHotKey', # 0x29d
    'NtUserGetImeInfoEx', # 0x29e
    'NtUserGetInternalWindowPos', # 0x29f
    'NtUserGetKeyNameText', # 0x2a0
    'NtUserGetKeyboardLayoutName', # 0x2a1
    'NtUserGetLayeredWindowAttributes', # 0x2a2
    'NtUserGetListBoxInfo', # 0x2a3
    'NtUserGetMenuIndex', # 0x2a4
    'NtUserGetMenuItemRect', # 0x2a5
    'NtUserGetMouseMovePointsEx', # 0x2a6
    'NtUserGetPriorityClipboardFormat', # 0x2a7
    'NtUserGetRawInputBuffer', # 0x2a8
    'NtUserGetRawInputData', # 0x2a9
    'NtUserGetRawInputDeviceInfo', # 0x2aa
    'NtUserGetRawInputDeviceList', # 0x2ab
    'NtUserGetRegisteredRawInputDevices', # 0x2ac
    'NtUserGetUpdatedClipboardFormats', # 0x2ad
    'NtUserGetWOWClass', # 0x2ae
    'NtUserGetWindowMinimizeRect', # 0x2af
    'NtUserGetWindowRgnEx', # 0x2b0
    'NtUserGhostWindowFromHungWindow', # 0x2b1
    'NtUserHardErrorControl', # 0x2b2
    'NtUserHiliteMenuItem', # 0x2b3
    'NtUserHungWindowFromGhostWindow', # 0x2b4
    'NtUserImpersonateDdeClientWindow', # 0x2b5
    'NtUserInitTask', # 0x2b6
    'NtUserInitialize', # 0x2b7
    'NtUserInitializeClientPfnArrays', # 0x2b8
    'NtUserInternalGetWindowIcon', # 0x2b9
    'NtUserLoadKeyboardLayoutEx', # 0x2ba
    'NtUserLockWindowStation', # 0x2bb
    'NtUserLockWorkStation', # 0x2bc
    'NtUserLogicalToPhysicalPoint', # 0x2bd
    'NtUserMNDragLeave', # 0x2be
    'NtUserMNDragOver', # 0x2bf
    'NtUserMenuItemFromPoint', # 0x2c0
    'NtUserMinMaximize', # 0x2c1
    'NtUserNotifyIMEStatus', # 0x2c2
    'NtUserOpenInputDesktop', # 0x2c3
    'NtUserOpenThreadDesktop', # 0x2c4
    'NtUserPaintMonitor', # 0x2c5
    'NtUserPhysicalToLogicalPoint', # 0x2c6
    'NtUserPrintWindow', # 0x2c7
    'NtUserQueryInformationThread', # 0x2c8
    'NtUserQueryInputContext', # 0x2c9
    'NtUserQuerySendMessage', # 0x2ca
    'NtUserRealChildWindowFromPoint', # 0x2cb
    'NtUserRealWaitMessageEx', # 0x2cc
    'NtUserRegisterErrorReportingDialog', # 0x2cd
    'NtUserRegisterHotKey', # 0x2ce
    'NtUserRegisterRawInputDevices', # 0x2cf
    'NtUserRegisterSessionPort', # 0x2d0
    'NtUserRegisterTasklist', # 0x2d1
    'NtUserRegisterUserApiHook', # 0x2d2
    'NtUserRemoteConnect', # 0x2d3
    'NtUserRemoteRedrawRectangle', # 0x2d4
    'NtUserRemoteRedrawScreen', # 0x2d5
    'NtUserRemoteStopScreenUpdates', # 0x2d6
    'NtUserRemoveClipboardFormatListener', # 0x2d7
    'NtUserResolveDesktopForWOW', # 0x2d8
    'NtUserSetAppImeLevel', # 0x2d9
    'NtUserSetClassWord', # 0x2da
    'NtUserSetCursorContents', # 0x2db
    'NtUserSetImeHotKey', # 0x2dc
    'NtUserSetImeInfoEx', # 0x2dd
    'NtUserSetImeOwnerWindow', # 0x2de
    'NtUserSetInternalWindowPos', # 0x2df
    'NtUserSetLayeredWindowAttributes', # 0x2e0
    'NtUserSetMenu', # 0x2e1
    'NtUserSetMenuContextHelpId', # 0x2e2
    'NtUserSetMenuFlagRtoL', # 0x2e3
    'NtUserSetMirrorRendering', # 0x2e4
    'NtUserSetObjectInformation', # 0x2e5
    'NtUserSetProcessDPIAware', # 0x2e6
    'NtUserSetShellWindowEx', # 0x2e7
    'NtUserSetSysColors', # 0x2e8
    'NtUserSetSystemCursor', # 0x2e9
    'NtUserSetSystemTimer', # 0x2ea
    'NtUserSetThreadLayoutHandles', # 0x2eb
    'NtUserSetWindowRgnEx', # 0x2ec
    'NtUserSetWindowStationUser', # 0x2ed
    'NtUserShowSystemCursor', # 0x2ee
    'NtUserSoundSentry', # 0x2ef
    'NtUserSwitchDesktop', # 0x2f0
    'NtUserTestForInteractiveUser', # 0x2f1
    'NtUserTrackPopupMenuEx', # 0x2f2
    'NtUserUnloadKeyboardLayout', # 0x2f3
    'NtUserUnlockWindowStation', # 0x2f4
    'NtUserUnregisterHotKey', # 0x2f5
    'NtUserUnregisterSessionPort', # 0x2f6
    'NtUserUnregisterUserApiHook', # 0x2f7
    'NtUserUpdateInputContext', # 0x2f8
    'NtUserUpdateInstance', # 0x2f9
    'NtUserUpdateLayeredWindow', # 0x2fa
    'NtUserUpdatePerUserSystemParameters', # 0x2fb
    'NtUserUpdateWindowTransform', # 0x2fc
    'NtUserUserHandleGrantAccess', # 0x2fd
    'NtUserValidateHandleSecure', # 0x2fe
    'NtUserWaitForInputIdle', # 0x2ff
    'NtUserWaitForMsgAndEvent', # 0x300
    'NtUserWin32PoolAllocationStats', # 0x301
    'NtUserWindowFromPhysicalPoint', # 0x302
    'NtUserYieldTask', # 0x303
    'NtUserSetClassLongPtr', # 0x304
    'NtUserSetWindowLongPtr', # 0x305
    ],
]
volatility-2.3.1/volatility/plugins/overlays/windows/win2003_sp2_x64_vtypes.py
ntkrnlmp_types = {
  'LIST_ENTRY64' : [ 0x10, {
    'Flink' : [ 0x0, ['unsigned long long']],
    'Blink' : [ 0x8, ['unsigned long long']],
} ],
  'LIST_ENTRY32' : [ 0x8, {
    'Flink' : [ 0x0, ['unsigned long']],
    'Blink' : [ 0x4, ['unsigned long']],
} ],
  '__unnamed_1015' : [ 0x8, {
    'LowPart' : [ 0x0, ['unsigned long']],
    'HighPart' : [ 0x4, ['unsigned long']],
} ],
  '_ULARGE_INTEGER' : [ 0x8, {
    'LowPart' : [ 0x0, ['unsigned long']],
    'HighPart' : [ 0x4, ['unsigned long']],
    'u' : [ 0x0, ['__unnamed_1015']],
    'QuadPart' : [ 0x0, ['unsigned long long']],
} ],
  '_LIST_ENTRY' : [ 0x10, {
    'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]],
    'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]],
} ],
  '_IMAGE_NT_HEADERS64' : [ 0x108, {
    'Signature' : [ 0x0, ['unsigned long']],
    'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']],
    'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']],
} ],
  '__unnamed_1026' : [ 0x8, {
    'LowPart' : [ 0x0, ['unsigned long']],
    'HighPart' : [ 0x4, ['long']],
} ],
  '_LARGE_INTEGER' : [ 0x8, {
    'LowPart' : [ 0x0, ['unsigned long']],
    'HighPart' : [ 0x4, ['long']],
    'u' : [ 0x0, ['__unnamed_1026']],
    'QuadPart' : [ 0x0, ['long long']],
} ],
  '_RTL_BITMAP' : [ 0x10, {
    'SizeOfBitMap' : [ 0x0, ['unsigned long']],
    'Buffer' : [ 0x8, ['pointer64', ['unsigned long']]],
} ],
  '_LUID' : [ 0x8, {
    'LowPart' : [ 0x0, ['unsigned long']],
    'HighPart' : [ 0x4, ['long']],
} ],
  '_KPRCB' : [ 0x2480, {
    'MxCsr' : [ 0x0, ['unsigned long']],
    'Number' : [ 0x4, ['unsigned char']],
    'NestingLevel' : [ 0x5, ['unsigned char']],
    'InterruptRequest' : [ 0x6, ['unsigned char']],
    'IdleHalt' : [ 0x7, ['unsigned char']],
    'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]],
    'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]],
    'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]],
    'UserRsp' : [ 0x20, ['unsigned long long']],
    'RspBase' : [ 0x28, ['unsigned long long']],
    'PrcbLock' : [ 0x30, ['unsigned long long']],
    'SetMember' : [ 0x38, ['unsigned long long']],
    'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']],
    'CpuType' : [ 0x5f0, ['unsigned char']],
    'CpuID' : [ 0x5f1, ['unsigned char']],
    'CpuStep' : [ 0x5f2, ['unsigned short']],
    'MHz' : [ 0x5f4, ['unsigned long']],
    'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]],
    'MinorVersion' : [ 0x638, ['unsigned short']],
    'MajorVersion' : [ 0x63a, ['unsigned short']],
    'BuildType' : [ 0x63c, ['unsigned char']],
    'CpuVendor' : [ 0x63d, ['unsigned char']],
    'InitialApicId' : [ 0x63e, ['unsigned char']],
    'LogicalProcessorsPerPhysicalProcessor' : [ 0x63f, ['unsigned char']],
    'ApicMask' : [ 0x640, ['unsigned long']],
    'CFlushSize' : [ 0x644, ['unsigned char']],
    'PrcbPad0x' : [ 0x645, ['array', 3, ['unsigned char']]],
    'AcpiReserved' : [ 0x648, ['pointer64', ['void']]],
    'PrcbPad00' : [ 0x650, ['array', 4, ['unsigned long long']]],
    'LockQueue' : [ 0x670, ['array', 33, ['_KSPIN_LOCK_QUEUE']]],
    'PPLookasideList' : [ 0x880, ['array', 16, ['_PP_LOOKASIDE_LIST']]],
    'PPNPagedLookasideList' : [ 0x980, ['array', 32, ['_PP_LOOKASIDE_LIST']]],
    'PPPagedLookasideList' : [ 0xb80, ['array', 32, ['_PP_LOOKASIDE_LIST']]],
    'PacketBarrier' : [ 0xd80, ['unsigned long long']],
    'DeferredReadyListHead' : [ 0xd88, ['_SINGLE_LIST_ENTRY']],
    'MmPageFaultCount' : [ 0xd90, ['long']],
    'MmCopyOnWriteCount' : [ 0xd94, ['long']],
    'MmTransitionCount' : [ 0xd98, ['long']],
    'MmCacheTransitionCount' : [ 0xd9c, ['long']],
    'MmDemandZeroCount' : [ 0xda0, ['long']],
    'MmPageReadCount' : [ 0xda4, ['long']],
    'MmPageReadIoCount' : [ 0xda8, ['long']],
    'MmCacheReadCount' : [ 0xdac, ['long']],
    'MmCacheIoCount' : [ 0xdb0, ['long']],
    'MmDirtyPagesWriteCount' : [ 0xdb4, ['long']],
    'MmDirtyWriteIoCount' : [ 0xdb8, ['long']],
    'MmMappedPagesWriteCount' : [ 0xdbc, ['long']],
    'MmMappedWriteIoCount' : [ 0xdc0, ['long']],
    'LookasideIrpFloat' : [ 0xdc4, ['long']],
    'KeSystemCalls' : [ 0xdc8, ['unsigned long']],
    'IoReadOperationCount' : [ 0xdcc, ['long']],
    'IoWriteOperationCount' : [ 0xdd0, ['long']],
    'IoOtherOperationCount' : [ 0xdd4, ['long']],
    'IoReadTransferCount' : [ 0xdd8, ['_LARGE_INTEGER']],
    'IoWriteTransferCount' : [ 0xde0, ['_LARGE_INTEGER']],
    'IoOtherTransferCount' : [ 0xde8, ['_LARGE_INTEGER']],
    'KeContextSwitches' : [ 0xdf0, ['unsigned long']],
    'PrcbPad2' : [ 0xdf4, ['array', 12, ['unsigned char']]],
    'TargetSet' : [ 0xe00, ['unsigned long long']],
    'IpiFrozen' : [ 0xe08, ['unsigned long']],
    'PrcbPad3' : [ 0xe0c, ['array', 116, ['unsigned char']]],
    'RequestMailbox' : [ 0xe80, ['array', 64, ['_REQUEST_MAILBOX']]],
    'SenderSummary' : [ 0x1e80, ['unsigned long long']],
    'PrcbPad4' : [ 0x1e88, ['array', 120, ['unsigned char']]],
    'DpcData' : [ 0x1f00, ['array', 2, ['_KDPC_DATA']]],
    'DpcStack' : [ 0x1f40, ['pointer64', ['void']]],
    'SavedRsp' : [ 0x1f48, ['pointer64', ['void']]],
    'MaximumDpcQueueDepth' : [ 0x1f50, ['long']],
    'DpcRequestRate' : [ 0x1f54, ['unsigned long']],
    'MinimumDpcRate' : [ 0x1f58, ['unsigned long']],
    'DpcInterruptRequested' : [ 0x1f5c, ['unsigned char']],
    'DpcThreadRequested' : [ 0x1f5d, ['unsigned char']],
    'DpcRoutineActive' : [ 0x1f5e, ['unsigned char']],
    'DpcThreadActive' : [ 0x1f5f, ['unsigned char']],
    'TimerHand' : [ 0x1f60, ['unsigned long long']],
    'TimerRequest' : [ 0x1f60, ['unsigned long long']],
    'TickOffset' : [ 0x1f68, ['long']],
    'MasterOffset' : [ 0x1f6c, ['long']],
    'DpcLastCount' : [ 0x1f70, ['unsigned long']],
    'ThreadDpcEnable' : [ 0x1f74, ['unsigned char']],
    'QuantumEnd' : [ 0x1f75, ['unsigned char']],
    'PrcbPad50' : [ 0x1f76, ['unsigned char']],
    'IdleSchedule' : [ 0x1f77, ['unsigned char']],
    'DpcSetEventRequest' : [ 0x1f78, ['long']],
    'PrcbPad40' : [ 0x1f7c, ['long']],
    'DpcThread' : [ 0x1f80, ['pointer64', ['void']]],
    'DpcEvent' : [ 0x1f88, ['_KEVENT']],
    'CallDpc' : [ 0x1fa0, ['_KDPC']],
    'PrcbPad7' : [ 0x1fe0, ['array', 4, ['unsigned long long']]],
    'WaitListHead' : [ 0x2000, ['_LIST_ENTRY']],
    'ReadySummary' : [ 0x2010, ['unsigned long']],
    'QueueIndex' : [ 0x2014, ['unsigned long']],
    'DispatcherReadyListHead' : [ 0x2018, ['array', 32, ['_LIST_ENTRY']]],
    'InterruptCount' : [ 0x2218, ['unsigned long']],
    'KernelTime' : [ 0x221c, ['unsigned long']],
    'UserTime' : [ 0x2220, ['unsigned long']],
    'DpcTime' : [ 0x2224, ['unsigned long']],
    'InterruptTime' : [ 0x2228, ['unsigned long']],
    'AdjustDpcThreshold' : [ 0x222c, ['unsigned long']],
    'SkipTick' : [ 0x2230, ['unsigned char']],
    'DebuggerSavedIRQL' : [ 0x2231, ['unsigned char']],
    'PollSlot' : [ 0x2232, ['unsigned char']],
    'PrcbPad8' : [ 0x2233, ['array', 13, ['unsigned char']]],
    'ParentNode' : [ 0x2240, ['pointer64', ['_KNODE']]],
    'MultiThreadProcessorSet' : [ 0x2248, ['unsigned long long']],
    'MultiThreadSetMaster' : [ 0x2250, ['pointer64', ['_KPRCB']]],
    'Sleeping' : [ 0x2258, ['long']],
    'PrcbPad90' : [ 0x225c, ['array', 1, ['unsigned long']]],
    'DebugDpcTime' : [ 0x2260, ['unsigned long']],
    'PageColor' : [ 0x2264, ['unsigned long']],
    'NodeColor' : [ 0x2268, ['unsigned long']],
    'NodeShiftedColor' : [ 0x226c, ['unsigned long']],
    'SecondaryColorMask' : [ 0x2270, ['unsigned long']],
    'PrcbPad9' : [ 0x2274, ['array', 12, ['unsigned char']]],
    'CcFastReadNoWait' : [ 0x2280, ['unsigned long']],
    'CcFastReadWait' : [ 0x2284, ['unsigned long']],
    'CcFastReadNotPossible' : [ 0x2288, ['unsigned long']],
    'CcCopyReadNoWait' : [ 0x228c, ['unsigned long']],
    'CcCopyReadWait' : [ 0x2290, ['unsigned long']],
    'CcCopyReadNoWaitMiss' : [ 0x2294, ['unsigned long']],
    'KeAlignmentFixupCount' : [ 0x2298, ['unsigned long']],
    'KeDcacheFlushCount' : [ 0x229c, ['unsigned long']],
    'KeExceptionDispatchCount' : [ 0x22a0, ['unsigned long']],
    'KeFirstLevelTbFills' : [ 0x22a4, ['unsigned long']],
    'KeFloatingEmulationCount' : [ 0x22a8, ['unsigned long']],
    'KeIcacheFlushCount' : [ 0x22ac, ['unsigned long']],
    'KeSecondLevelTbFills' : [ 0x22b0, ['unsigned long']],
    'VendorString' : [ 0x22b4, ['array', 13, ['unsigned char']]],
    'PrcbPad10' : [ 0x22c1, ['array', 2, ['unsigned char']]],
    'FeatureBits' : [ 0x22c4, ['unsigned long']],
    'UpdateSignature' : [ 0x22c8, ['_LARGE_INTEGER']],
    'PowerState' : [ 0x22d0, ['_PROCESSOR_POWER_STATE']],
    'Cache' : [ 0x2440, ['array', 5, ['_CACHE_DESCRIPTOR']]],
    'CacheCount' : [ 0x247c, ['unsigned long']],
} ],
  '_SINGLE_LIST_ENTRY' : [ 0x8, {
    'Next' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]],
} ],
  '_KDPC' : [ 0x40, {
    'Type' : [ 0x0, ['unsigned char']],
    'Importance' : [ 0x1, ['unsigned char']],
    'Number' : [ 0x2, ['unsigned char']],
    'Expedite' : [ 0x3, ['unsigned char']],
    'DpcListEntry' : [ 0x8, ['_LIST_ENTRY']],
    'DeferredRoutine' : [ 0x18, ['pointer64', ['void']]],
    'DeferredContext' : [ 0x20, ['pointer64', ['void']]],
    'SystemArgument1' : [ 0x28, ['pointer64', ['void']]],
    'SystemArgument2' : [ 0x30, ['pointer64', ['void']]],
    'DpcData' : [ 0x38, ['pointer64', ['void']]],
} ],
  '_KERNEL_STACK_CONTROL' : [ 0x200, {
    'XmmSaveArea' : [ 0x0, ['_XMM_SAVE_AREA32']],
    'Fill' : [ 0x0, ['array', 432, ['unsigned char']]],
    'Current' : [ 0x1b0, ['_KERNEL_STACK_SEGMENT']],
    'Previous' : [ 0x1d8, ['_KERNEL_STACK_SEGMENT']],
} ],
  '_KTHREAD' : [ 0x308, {
    'Header' : [ 0x0, ['_DISPATCHER_HEADER']],
    'MutantListHead' : [ 0x18, ['_LIST_ENTRY']],
    'InitialStack' : [ 0x28, ['pointer64', ['void']]],
    'StackLimit' : [ 0x30, ['pointer64', ['void']]],
    'KernelStack' : [ 0x38, ['pointer64', ['void']]],
    'ThreadLock' : [ 0x40, ['unsigned long long']],
    'ApcState' : [ 0x48, ['_KAPC_STATE']],
    'ApcStateFill' : [ 0x48, ['array', 43, ['unsigned char']]],
    'ApcQueueable' : [ 0x73, ['unsigned char']],
    'NextProcessor' : [ 0x74, ['unsigned char']],
    'DeferredProcessor' : [ 0x75, ['unsigned char']],
    'AdjustReason' : [ 0x76, ['unsigned char']],
    'AdjustIncrement' : [ 0x77, ['unsigned char']],
    'ApcQueueLock' : [ 0x78, ['unsigned long long']],
    'WaitStatus' : [ 0x80, ['long long']],
    'WaitBlockList' : [ 0x88, ['pointer64', ['_KWAIT_BLOCK']]],
    'GateObject' : [ 0x88,
['pointer64', ['_KGATE']]], 'Alertable' : [ 0x90, ['unsigned char']], 'WaitNext' : [ 0x91, ['unsigned char']], 'WaitReason' : [ 0x92, ['unsigned char']], 'Priority' : [ 0x93, ['unsigned char']], 'EnableStackSwap' : [ 0x94, ['unsigned char']], 'SwapBusy' : [ 0x95, ['unsigned char']], 'Alerted' : [ 0x96, ['array', 2, ['unsigned char']]], 'WaitListEntry' : [ 0x98, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x98, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xa8, ['pointer64', ['_KQUEUE']]], 'Teb' : [ 0xb0, ['pointer64', ['void']]], 'Timer' : [ 0xb8, ['_KTIMER']], 'TimerFill' : [ 0xb8, ['array', 60, ['unsigned char']]], 'AutoAlignment' : [ 0xf4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0xf4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'GuiThread' : [ 0xf4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ReservedFlags' : [ 0xf4, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0xf4, ['long']], 'WaitBlock' : [ 0xf8, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill0' : [ 0xf8, ['array', 43, ['unsigned char']]], 'SystemAffinityActive' : [ 0x123, ['unsigned char']], 'WaitBlockFill1' : [ 0xf8, ['array', 91, ['unsigned char']]], 'PreviousMode' : [ 0x153, ['unsigned char']], 'WaitBlockFill2' : [ 0xf8, ['array', 139, ['unsigned char']]], 'ResourceIndex' : [ 0x183, ['unsigned char']], 'WaitBlockFill3' : [ 0xf8, ['array', 187, ['unsigned char']]], 'LargeStack' : [ 0x1b3, ['unsigned char']], 'WaitBlockFill4' : [ 0xf8, ['array', 44, ['unsigned char']]], 'ContextSwitches' : [ 0x124, ['unsigned long']], 'WaitBlockFill5' : [ 0xf8, ['array', 92, ['unsigned char']]], 'State' : [ 0x154, ['unsigned char']], 'NpxState' : [ 0x155, ['unsigned char']], 'WaitIrql' : [ 0x156, ['unsigned char']], 'WaitMode' : [ 0x157, ['unsigned char']], 'WaitBlockFill6' : [ 0xf8, ['array', 140, ['unsigned char']]], 'WaitTime' : [ 0x184, ['unsigned long']], 
    'WaitBlockFill7' : [ 0xf8, ['array', 188, ['unsigned char']]],
    'KernelApcDisable' : [ 0x1b4, ['short']],
    'SpecialApcDisable' : [ 0x1b6, ['short']],
    'CombinedApcDisable' : [ 0x1b4, ['unsigned long']],
    'QueueListEntry' : [ 0x1b8, ['_LIST_ENTRY']],
    'TrapFrame' : [ 0x1c8, ['pointer64', ['_KTRAP_FRAME']]],
    'CallbackStack' : [ 0x1d0, ['pointer64', ['void']]],
    'ApcStateIndex' : [ 0x1d8, ['unsigned char']],
    'IdealProcessor' : [ 0x1d9, ['unsigned char']],
    'Preempted' : [ 0x1da, ['unsigned char']],
    'ProcessReadyQueue' : [ 0x1db, ['unsigned char']],
    'KernelStackResident' : [ 0x1dc, ['unsigned char']],
    'BasePriority' : [ 0x1dd, ['unsigned char']],
    'PriorityDecrement' : [ 0x1de, ['unsigned char']],
    'Saturation' : [ 0x1df, ['unsigned char']],
    'UserAffinity' : [ 0x1e0, ['unsigned long long']],
    'Process' : [ 0x1e8, ['pointer64', ['_KPROCESS']]],
    'Affinity' : [ 0x1f0, ['unsigned long long']],
    'ApcStatePointer' : [ 0x1f8, ['array', 2, ['pointer64', ['_KAPC_STATE']]]],
    'SavedApcState' : [ 0x208, ['_KAPC_STATE']],
    'SavedApcStateFill' : [ 0x208, ['array', 43, ['unsigned char']]],
    'FreezeCount' : [ 0x233, ['unsigned char']],
    'SuspendCount' : [ 0x234, ['unsigned char']],
    'UserIdealProcessor' : [ 0x235, ['unsigned char']],
    'CalloutActive' : [ 0x236, ['unsigned char']],
    'CodePatchInProgress' : [ 0x237, ['unsigned char']],
    'Win32Thread' : [ 0x238, ['pointer64', ['void']]],
    'StackBase' : [ 0x240, ['pointer64', ['void']]],
    'SuspendApc' : [ 0x248, ['_KAPC']],
    'SuspendApcFill0' : [ 0x248, ['array', 1, ['unsigned char']]],
    'Quantum' : [ 0x249, ['unsigned char']],
    'SuspendApcFill1' : [ 0x248, ['array', 3, ['unsigned char']]],
    'QuantumReset' : [ 0x24b, ['unsigned char']],
    'SuspendApcFill2' : [ 0x248, ['array', 4, ['unsigned char']]],
    'KernelTime' : [ 0x24c, ['unsigned long']],
    'SuspendApcFill3' : [ 0x248, ['array', 64, ['unsigned char']]],
    'TlsArray' : [ 0x288, ['pointer64', ['void']]],
    'SuspendApcFill4' : [ 0x248, ['array', 72, ['unsigned char']]],
    'LegoData' : [ 0x290, ['pointer64', ['void']]],
    'SuspendApcFill5' : [ 0x248, ['array', 83, ['unsigned char']]],
    'PowerState' : [ 0x29b, ['unsigned char']],
    'UserTime' : [ 0x29c, ['unsigned long']],
    'SuspendSemaphore' : [ 0x2a0, ['_KSEMAPHORE']],
    'SuspendSemaphorefill' : [ 0x2a0, ['array', 28, ['unsigned char']]],
    'SListFaultCount' : [ 0x2bc, ['unsigned long']],
    'ThreadListEntry' : [ 0x2c0, ['_LIST_ENTRY']],
    'SListFaultAddress' : [ 0x2d0, ['pointer64', ['void']]],
    'ReadOperationCount' : [ 0x2d8, ['long long']],
    'WriteOperationCount' : [ 0x2e0, ['long long']],
    'OtherOperationCount' : [ 0x2e8, ['long long']],
    'ReadTransferCount' : [ 0x2f0, ['long long']],
    'WriteTransferCount' : [ 0x2f8, ['long long']],
    'OtherTransferCount' : [ 0x300, ['long long']],
} ],
  '_KERNEL_STACK_SEGMENT' : [ 0x28, {
    'StackBase' : [ 0x0, ['unsigned long long']],
    'StackLimit' : [ 0x8, ['unsigned long long']],
    'KernelStack' : [ 0x10, ['unsigned long long']],
    'InitialStack' : [ 0x18, ['unsigned long long']],
    'ActualLimit' : [ 0x20, ['unsigned long long']],
} ],
  '_FAST_MUTEX' : [ 0x38, {
    'Count' : [ 0x0, ['long']],
    'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]],
    'Contention' : [ 0x10, ['unsigned long']],
    'Gate' : [ 0x18, ['_KEVENT']],
    'OldIrql' : [ 0x30, ['unsigned long']],
} ],
  '_SLIST_HEADER' : [ 0x10, {
    'Alignment' : [ 0x0, ['unsigned long long']],
    'Region' : [ 0x8, ['unsigned long long']],
} ],
  '_NPAGED_LOOKASIDE_LIST' : [ 0x80, {
    'L' : [ 0x0, ['_GENERAL_LOOKASIDE']],
} ],
  '_PAGED_LOOKASIDE_LIST' : [ 0x80, {
    'L' : [ 0x0, ['_GENERAL_LOOKASIDE']],
} ],
  '_GENERAL_LOOKASIDE' : [ 0x80, {
    'ListHead' : [ 0x0, ['_SLIST_HEADER']],
    'Depth' : [ 0x10, ['unsigned short']],
    'MaximumDepth' : [ 0x12, ['unsigned short']],
    'TotalAllocates' : [ 0x14, ['unsigned long']],
    'AllocateMisses' : [ 0x18, ['unsigned long']],
    'AllocateHits' : [ 0x18, ['unsigned long']],
    'TotalFrees' : [ 0x1c, ['unsigned long']],
    'FreeMisses' : [ 0x20, ['unsigned long']],
    'FreeHits' : [ 0x20, ['unsigned long']],
    'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]],
    'Tag' : [ 0x28, ['unsigned long']],
    'Size' : [ 0x2c, ['unsigned long']],
    'Allocate' : [ 0x30, ['pointer64', ['void']]],
    'Free' : [ 0x38, ['pointer64', ['void']]],
    'ListEntry' : [ 0x40, ['_LIST_ENTRY']],
    'LastTotalAllocates' : [ 0x50, ['unsigned long']],
    'LastAllocateMisses' : [ 0x54, ['unsigned long']],
    'LastAllocateHits' : [ 0x54, ['unsigned long']],
    'Future' : [ 0x58, ['array', 2, ['unsigned long']]],
} ],
  '_QUAD' : [ 0x8, {
    'UseThisFieldToCopy' : [ 0x0, ['long long']],
    'DoNotUseThisField' : [ 0x0, ['double']],
} ],
  '_UNICODE_STRING' : [ 0x10, {
    'Length' : [ 0x0, ['unsigned short']],
    'MaximumLength' : [ 0x2, ['unsigned short']],
    'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]],
} ],
  '_IO_STATUS_BLOCK' : [ 0x10, {
    'Status' : [ 0x0, ['long']],
    'Pointer' : [ 0x0, ['pointer64', ['void']]],
    'Information' : [ 0x8, ['unsigned long long']],
} ],
  '_EX_RUNDOWN_REF' : [ 0x8, {
    'Count' : [ 0x0, ['unsigned long long']],
    'Ptr' : [ 0x0, ['pointer64', ['void']]],
} ],
  '_EX_FAST_REF' : [ 0x8, {
    'Object' : [ 0x0, ['pointer64', ['void']]],
    'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]],
    'Value' : [ 0x0, ['unsigned long long']],
} ],
  '_EX_PUSH_LOCK' : [ 0x8, {
    'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]],
    'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]],
    'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]],
    'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]],
    'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]],
    'Value' : [ 0x0, ['unsigned long long']],
    'Ptr' : [ 0x0, ['pointer64', ['void']]],
} ],
  '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x40, {
    'WakeGate' : [ 0x0, ['_KGATE']],
    'WakeEvent' : [ 0x0, ['_KEVENT']],
    'Next' : [ 0x18, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]],
    'Last' : [ 0x20, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]],
    'Previous' : [ 0x28, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]],
    'ShareCount' : [ 0x30, ['long']],
    'Flags' : [ 0x34, ['long']],
} ],
  '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x100, {
    'Locks' : [ 0x0, ['array', 32, ['pointer64', ['_EX_PUSH_LOCK']]]],
} ],
  '_ETHREAD' : [ 0x410, {
    'Tcb' : [ 0x0, ['_KTHREAD']],
    'CreateTime' : [ 0x308, ['_LARGE_INTEGER']],
    'ExitTime' : [ 0x310, ['_LARGE_INTEGER']],
    'LpcReplyChain' : [ 0x310, ['_LIST_ENTRY']],
    'KeyedWaitChain' : [ 0x310, ['_LIST_ENTRY']],
    'ExitStatus' : [ 0x320, ['long']],
    'OfsChain' : [ 0x320, ['pointer64', ['void']]],
    'PostBlockList' : [ 0x328, ['_LIST_ENTRY']],
    'TerminationPort' : [ 0x338, ['pointer64', ['_TERMINATION_PORT']]],
    'ReaperLink' : [ 0x338, ['pointer64', ['_ETHREAD']]],
    'KeyedWaitValue' : [ 0x338, ['pointer64', ['void']]],
    'ActiveTimerListLock' : [ 0x340, ['unsigned long long']],
    'ActiveTimerListHead' : [ 0x348, ['_LIST_ENTRY']],
    'Cid' : [ 0x358, ['_CLIENT_ID']],
    'LpcReplySemaphore' : [ 0x368, ['_KSEMAPHORE']],
    'KeyedWaitSemaphore' : [ 0x368, ['_KSEMAPHORE']],
    'LpcReplyMessage' : [ 0x388, ['pointer64', ['void']]],
    'LpcWaitingOnPort' : [ 0x388, ['pointer64', ['void']]],
    'ImpersonationInfo' : [ 0x390, ['pointer64', ['_PS_IMPERSONATION_INFORMATION']]],
    'IrpList' : [ 0x398, ['_LIST_ENTRY']],
    'TopLevelIrp' : [ 0x3a8, ['unsigned long long']],
    'DeviceToVerify' : [ 0x3b0, ['pointer64', ['_DEVICE_OBJECT']]],
    'ThreadsProcess' : [ 0x3b8, ['pointer64', ['_EPROCESS']]],
    'StartAddress' : [ 0x3c0, ['pointer64', ['void']]],
    'Win32StartAddress' : [ 0x3c8, ['pointer64', ['void']]],
    'LpcReceivedMessageId' : [ 0x3c8, ['unsigned long']],
    'ThreadListEntry' : [ 0x3d0, ['_LIST_ENTRY']],
    'RundownProtect' : [ 0x3e0, ['_EX_RUNDOWN_REF']],
    'ThreadLock' : [ 0x3e8, ['_EX_PUSH_LOCK']],
    'LpcReplyMessageId' : [ 0x3f0, ['unsigned long']],
    'ReadClusterSize' : [ 0x3f4, ['unsigned long']],
    'GrantedAccess' : [ 0x3f8, ['unsigned long']],
    'CrossThreadFlags' : [ 0x3fc, ['unsigned long']],
    'Terminated' : [ 0x3fc, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'DeadThread' : [ 0x3fc, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'HideFromDebugger' : [ 0x3fc, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]],
    'ActiveImpersonationInfo' : [ 0x3fc, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]],
    'SystemThread' : [ 0x3fc, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]],
    'HardErrorsAreDisabled' : [ 0x3fc, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]],
    'BreakOnTermination' : [ 0x3fc, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]],
    'SkipCreationMsg' : [ 0x3fc, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]],
    'SkipTerminationMsg' : [ 0x3fc, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]],
    'SameThreadPassiveFlags' : [ 0x400, ['unsigned long']],
    'ActiveExWorker' : [ 0x400, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'ExWorkerCanWaitUser' : [ 0x400, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'MemoryMaker' : [ 0x400, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]],
    'KeyedEventInUse' : [ 0x400, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]],
    'SameThreadApcFlags' : [ 0x404, ['unsigned long']],
    'LpcReceivedMsgIdValid' : [ 0x404, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]],
    'LpcExitThreadCalled' : [ 0x404, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]],
    'AddressSpaceOwner' : [ 0x404, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]],
    'OwnsProcessWorkingSetExclusive' : [ 0x404, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]],
    'OwnsProcessWorkingSetShared' : [ 0x404, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]],
    'OwnsSystemWorkingSetExclusive' : [ 0x404, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]],
    'OwnsSystemWorkingSetShared' : [ 0x404, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]],
    'OwnsSessionWorkingSetExclusive' : [ 0x404, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]],
    'OwnsSessionWorkingSetShared' : [ 0x405, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]],
    'ApcNeeded' : [ 0x405, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]],
    'ForwardClusterOnly' : [ 0x408, ['unsigned char']],
    'DisablePageFaultClustering' : [ 0x409, ['unsigned char']],
    'ActiveFaultCount' : [ 0x40a, ['unsigned char']],
} ],
  '_EPROCESS' : [ 0x3e0, {
    'Pcb' : [ 0x0, ['_KPROCESS']],
    'ProcessLock' : [ 0xb8, ['_EX_PUSH_LOCK']],
    'CreateTime' : [ 0xc0, ['_LARGE_INTEGER']],
    'ExitTime' : [ 0xc8, ['_LARGE_INTEGER']],
    'RundownProtect' : [ 0xd0, ['_EX_RUNDOWN_REF']],
    'UniqueProcessId' : [ 0xd8, ['pointer64', ['void']]],
    'ActiveProcessLinks' : [ 0xe0, ['_LIST_ENTRY']],
    'QuotaUsage' : [ 0xf0, ['array', 3, ['unsigned long long']]],
    'QuotaPeak' : [ 0x108, ['array', 3, ['unsigned long long']]],
    'CommitCharge' : [ 0x120, ['unsigned long long']],
    'PeakVirtualSize' : [ 0x128, ['unsigned long long']],
    'VirtualSize' : [ 0x130, ['unsigned long long']],
    'SessionProcessLinks' : [ 0x138, ['_LIST_ENTRY']],
    'DebugPort' : [ 0x148, ['pointer64', ['void']]],
    'ExceptionPort' : [ 0x150, ['pointer64', ['void']]],
    'ObjectTable' : [ 0x158, ['pointer64', ['_HANDLE_TABLE']]],
    'Token' : [ 0x160, ['_EX_FAST_REF']],
    'WorkingSetPage' : [ 0x168, ['unsigned long long']],
    'AddressCreationLock' : [ 0x170, ['_KGUARDED_MUTEX']],
    'HyperSpaceLock' : [ 0x1a8, ['unsigned long long']],
    'ForkInProgress' : [ 0x1b0, ['pointer64', ['_ETHREAD']]],
    'HardwareTrigger' : [ 0x1b8, ['unsigned long long']],
    'PhysicalVadRoot' : [ 0x1c0, ['pointer64', ['_MM_AVL_TABLE']]],
    'CloneRoot' : [ 0x1c8, ['pointer64', ['void']]],
    'NumberOfPrivatePages' : [ 0x1d0, ['unsigned long long']],
    'NumberOfLockedPages' : [ 0x1d8, ['unsigned long long']],
    'Win32Process' : [ 0x1e0, ['pointer64', ['void']]],
    'Job' : [ 0x1e8, ['pointer64', ['_EJOB']]],
    'SectionObject' : [ 0x1f0, ['pointer64', ['void']]],
    'SectionBaseAddress' : [ 0x1f8, ['pointer64', ['void']]],
    'QuotaBlock' : [ 0x200, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]],
    'WorkingSetWatch' : [ 0x208, ['pointer64', ['_PAGEFAULT_HISTORY']]],
    'Win32WindowStation' : [ 0x210, ['pointer64', ['void']]],
    'InheritedFromUniqueProcessId' : [ 0x218, ['pointer64', ['void']]],
    'LdtInformation' : [ 0x220, ['pointer64', ['void']]],
    'VadFreeHint' : [ 0x228, ['pointer64', ['void']]],
    'VdmObjects' : [ 0x230, ['pointer64', ['void']]],
    'DeviceMap' : [ 0x238, ['pointer64', ['void']]],
    'Spare0' : [ 0x240, ['array', 3, ['pointer64', ['void']]]],
    'PageDirectoryPte' : [ 0x258, ['_HARDWARE_PTE']],
    'Filler' : [ 0x258, ['unsigned long long']],
    'Session' : [ 0x260, ['pointer64', ['void']]],
    'ImageFileName' : [ 0x268, ['array', 16, ['unsigned char']]],
    'JobLinks' : [ 0x278, ['_LIST_ENTRY']],
    'LockedPagesList' : [ 0x288, ['pointer64', ['void']]],
    'ThreadListHead' : [ 0x290, ['_LIST_ENTRY']],
    'SecurityPort' : [ 0x2a0, ['pointer64', ['void']]],
    'Wow64Process' : [ 0x2a8, ['pointer64', ['_WOW64_PROCESS']]],
    'ActiveThreads' : [ 0x2b0, ['unsigned long']],
    'GrantedAccess' : [ 0x2b4, ['unsigned long']],
    'DefaultHardErrorProcessing' : [ 0x2b8, ['unsigned long']],
    'LastThreadExitStatus' : [ 0x2bc, ['long']],
    'Peb' : [ 0x2c0, ['pointer64', ['_PEB']]],
    'PrefetchTrace' : [ 0x2c8, ['_EX_FAST_REF']],
    'ReadOperationCount' : [ 0x2d0, ['_LARGE_INTEGER']],
    'WriteOperationCount' : [ 0x2d8, ['_LARGE_INTEGER']],
    'OtherOperationCount' : [ 0x2e0, ['_LARGE_INTEGER']],
    'ReadTransferCount' : [ 0x2e8, ['_LARGE_INTEGER']],
    'WriteTransferCount' : [ 0x2f0, ['_LARGE_INTEGER']],
    'OtherTransferCount' : [ 0x2f8, ['_LARGE_INTEGER']],
    'CommitChargeLimit' : [ 0x300, ['unsigned long long']],
    'CommitChargePeak' : [ 0x308, ['unsigned long long']],
    'AweInfo' : [ 0x310, ['pointer64', ['void']]],
    'SeAuditProcessCreationInfo' : [ 0x318, ['_SE_AUDIT_PROCESS_CREATION_INFO']],
    'Vm' : [ 0x320, ['_MMSUPPORT']],
    'Spares' : [ 0x378, ['array', 2, ['unsigned long']]],
    'ModifiedPageCount' : [ 0x380, ['unsigned long']],
    'JobStatus' : [ 0x384, ['unsigned long']],
    'Flags' : [ 0x388, ['unsigned long']],
    'CreateReported' : [ 0x388, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'NoDebugInherit' : [ 0x388, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'ProcessExiting' : [ 0x388, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]],
    'ProcessDelete' : [ 0x388, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]],
    'Wow64SplitPages' : [ 0x388, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]],
    'VmDeleted' : [ 0x388, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]],
    'OutswapEnabled' : [ 0x388, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]],
    'Outswapped' : [ 0x388, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]],
    'ForkFailed' : [ 0x388, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]],
    'Wow64VaSpace4Gb' : [ 0x388, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]],
    'AddressSpaceInitialized' : [ 0x388, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]],
    'SetTimerResolution' : [ 0x388, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]],
    'BreakOnTermination' : [ 0x388, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]],
    'SessionCreationUnderway' : [ 0x388, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]],
    'WriteWatch' : [ 0x388, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]],
    'ProcessInSession' : [ 0x388, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]],
    'OverrideAddressSpace' : [ 0x388, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]],
    'HasAddressSpace' : [ 0x388, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]],
    'LaunchPrefetched' : [ 0x388, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]],
    'InjectInpageErrors' : [ 0x388, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]],
    'VmTopDown' : [ 0x388, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]],
    'ImageNotifyDone' : [ 0x388, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]],
    'PdeUpdateNeeded' : [ 0x388, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]],
    'VdmAllowed' : [ 0x388, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]],
    'SmapAllowed' : [ 0x388, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]],
    'CreateFailed' : [ 0x388, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]],
    'DefaultIoPriority' : [ 0x388, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]],
    'Spare1' : [ 0x388, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]],
    'Spare2' : [ 0x388, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]],
    'ExitStatus' : [ 0x38c, ['long']],
    'NextPageColor' : [ 0x390, ['unsigned short']],
    'SubSystemMinorVersion' : [ 0x392, ['unsigned char']],
    'SubSystemMajorVersion' : [ 0x393, ['unsigned char']],
    'SubSystemVersion' : [ 0x392, ['unsigned short']],
    'PriorityClass' : [ 0x394, ['unsigned char']],
    'VadRoot' : [ 0x398, ['_MM_AVL_TABLE']],
    'Cookie' : [ 0x3d8, ['unsigned long']],
} ],
  '_OBJECT_HEADER' : [ 0x38, {
    'PointerCount' : [ 0x0, ['long long']],
    'HandleCount' : [ 0x8, ['long long']],
    'NextToFree' : [ 0x8, ['pointer64', ['void']]],
    'Type' : [ 0x10, ['pointer64', ['_OBJECT_TYPE']]],
    'NameInfoOffset' : [ 0x18, ['unsigned char']],
    'HandleInfoOffset' : [ 0x19, ['unsigned char']],
    'QuotaInfoOffset' : [ 0x1a, ['unsigned char']],
    'Flags' : [ 0x1b, ['unsigned char']],
    'ObjectCreateInfo' : [ 0x20, ['pointer64', ['_OBJECT_CREATE_INFORMATION']]],
    'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]],
    'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]],
    'Body' : [ 0x30, ['_QUAD']],
} ],
  '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, {
    'PagedPoolCharge' : [ 0x0, ['unsigned long']],
    'NonPagedPoolCharge' : [ 0x4, ['unsigned long']],
    'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']],
    'ExclusiveProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]],
    'Reserved' : [ 0x18, ['unsigned long long']],
} ],
  '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, {
    'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]],
    'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']],
} ],
  '_OBJECT_HEADER_NAME_INFO' : [ 0x20, {
    'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]],
    'Name' : [ 0x8, ['_UNICODE_STRING']],
    'QueryReferences' : [ 0x18, ['unsigned long']],
} ],
  '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, {
    'TypeList' : [ 0x0, ['_LIST_ENTRY']],
    'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]],
    'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']],
    'Reserved' : [ 0x1a, ['unsigned short']],
} ],
  '_OBJECT_ATTRIBUTES' : [ 0x30, {
    'Length' : [ 0x0, ['unsigned long']],
    'RootDirectory' : [ 0x8, ['pointer64', ['void']]],
    'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]],
    'Attributes' : [ 0x18, ['unsigned long']],
    'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]],
    'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]],
} ],
  '_OBJECT_TYPE' : [ 0x2c0, {
    'Mutex' : [ 0x0, ['_ERESOURCE']],
    'TypeList' : [ 0x68, ['_LIST_ENTRY']],
    'Name' : [ 0x78, ['_UNICODE_STRING']],
    'DefaultObject' : [ 0x88, ['pointer64', ['void']]],
    'Index' : [ 0x90, ['unsigned long']],
    'TotalNumberOfObjects' : [ 0x94, ['unsigned long']],
    'TotalNumberOfHandles' : [ 0x98, ['unsigned long']],
    'HighWaterNumberOfObjects' : [ 0x9c, ['unsigned long']],
    'HighWaterNumberOfHandles' : [ 0xa0, ['unsigned long']],
    'TypeInfo' : [ 0xa8, ['_OBJECT_TYPE_INITIALIZER']],
    'Key' : [ 0x118, ['unsigned long']],
    'ObjectLocks' : [ 0x120, ['array', 4, ['_ERESOURCE']]],
} ],
  '_OBJECT_HANDLE_INFORMATION' : [ 0x8, {
    'HandleAttributes' : [ 0x0, ['unsigned long']],
    'GrantedAccess' : [ 0x4, ['unsigned long']],
} ],
  '_PERFINFO_GROUPMASK' : [ 0x20, {
    'Masks' : [ 0x0, ['array', 8, ['unsigned long']]],
} ],
  '_KGUARDED_MUTEX' : [ 0x38, {
    'Count' : [ 0x0, ['long']],
    'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]],
    'Contention' : [ 0x10, ['unsigned long']],
    'Gate' : [ 0x18, ['_KGATE']],
    'KernelApcDisable' : [ 0x30, ['short']],
    'SpecialApcDisable' : [ 0x32, ['short']],
    'CombinedApcDisable' : [ 0x30, ['unsigned long']],
} ],
  '__unnamed_115f' : [ 0x8, {
    'Long' : [ 0x0, ['unsigned long long']],
    'Hard' : [ 0x0, ['_MMPTE_HARDWARE']],
    'HardLarge' : [ 0x0, ['_MMPTE_HARDWARE_LARGEPAGE']],
    'Flush' : [ 0x0, ['_HARDWARE_PTE']],
    'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']],
    'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']],
    'Trans' : [ 0x0, ['_MMPTE_TRANSITION']],
    'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']],
    'List' : [ 0x0, ['_MMPTE_LIST']],
} ],
  '_MMPTE' : [ 0x8, {
    'u' : [ 0x0, ['__unnamed_115f']],
} ],
  '__unnamed_116a' : [ 0x8, {
    'Flink' : [ 0x0, ['unsigned long long']],
    'WsIndex' : [ 0x0, ['unsigned long']],
    'Event' : [ 0x0, ['pointer64', ['_KEVENT']]],
    'ReadStatus' : [ 0x0, ['long']],
    'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']],
} ],
  '__unnamed_116c' : [ 0x8, {
    'Blink' : [ 0x0, ['unsigned long long']],
    'ShareCount' : [ 0x0, ['unsigned long long']],
} ],
  '__unnamed_116f' : [ 0x4, {
    'ReferenceCount' : [ 0x0, ['unsigned short']],
    'ShortFlags' : [ 0x2, ['unsigned short']],
} ],
  '__unnamed_1171' : [ 0x4, {
    'ReferenceCount' : [ 0x0, ['unsigned short']],
    'e1' : [ 0x2, ['_MMPFNENTRY']],
    'e2' : [ 0x0, ['__unnamed_116f']],
} ],
  '__unnamed_1179' : [ 0x8, {
    'EntireFrame' : [ 0x0, ['unsigned long long']],
    'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 57, native_type='unsigned long long')]],
    'InPageError' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]],
    'VerifierAllocation' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]],
    'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 60, native_type='unsigned long long')]],
    'Priority' : [ 0x0, ['BitField', dict(start_bit = 60, end_bit = 63, native_type='unsigned long long')]],
    'MustBeCached' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]],
} ],
  '_MMPFN' : [ 0x30, {
    'u1' : [ 0x0, ['__unnamed_116a']],
    'PteAddress' : [ 0x8, ['pointer64', ['_MMPTE']]],
    'u2' : [ 0x10, ['__unnamed_116c']],
    'u3' : [ 0x18, ['__unnamed_1171']],
    'UsedPageTableEntries' : [ 0x1c, ['unsigned long']],
    'OriginalPte' : [ 0x20, ['_MMPTE']],
    'AweReferenceCount' : [ 0x20, ['long']],
    'u4' : [ 0x28, ['__unnamed_1179']],
} ],
  '__unnamed_1180' : [ 0x8, {
    'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]],
    'Parent' : [ 0x0, ['pointer64', ['_MMVAD']]],
} ],
  '__unnamed_1183' : [ 0x8, {
    'LongFlags' : [ 0x0, ['unsigned long long']],
    'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']],
} ],
  '__unnamed_1188' : [ 0x4, {
    'LongFlags2' : [ 0x0, ['unsigned long']],
    'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']],
} ],
  '_MMVAD' : [ 0x50, {
    'u1' : [ 0x0, ['__unnamed_1180']],
    'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]],
    'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]],
    'StartingVpn' : [ 0x18, ['unsigned long long']],
    'EndingVpn' : [ 0x20, ['unsigned long long']],
    'u' : [ 0x28, ['__unnamed_1183']],
    'ControlArea' : [ 0x30, ['pointer64', ['_CONTROL_AREA']]],
    'FirstPrototypePte' : [ 0x38, ['pointer64', ['_MMPTE']]],
    'LastContiguousPte' : [ 0x40, ['pointer64', ['_MMPTE']]],
    'u2' : [ 0x48, ['__unnamed_1188']],
} ],
  '_MM_AVL_TABLE' : [ 0x40, {
    'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']],
    'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]],
    'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]],
    'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]],
    'NodeHint' : [ 0x30, ['pointer64', ['void']]],
    'NodeFreeHint' : [ 0x38, ['pointer64', ['void']]],
} ],
  '_MMPTE_FLUSH_LIST' : [ 0xa8, {
    'Count' : [ 0x0, ['unsigned long']],
    'FlushVa' : [ 0x8, ['array', 20, ['pointer64', ['void']]]],
} ],
  '__unnamed_119a' : [ 0x4, {
    'LongFlags' : [ 0x0, ['unsigned long']],
    'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']],
} ],
  '_SUBSECTION' : [ 0x30, {
    'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]],
    'u' : [ 0x8, ['__unnamed_119a']],
    'StartingSector' : [ 0xc, ['unsigned long']],
    'NumberOfFullSectors' : [ 0x10, ['unsigned long']],
    'SubsectionBase' : [ 0x18, ['pointer64', ['_MMPTE']]],
    'UnusedPtes' : [ 0x20, ['unsigned long']],
    'PtesInSubsection' : [ 0x24, ['unsigned long']],
    'NextSubsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]],
} ],
  '_MMPAGING_FILE' : [ 0x78, {
    'Size' : [ 0x0, ['unsigned long long']],
    'MaximumSize' : [ 0x8, ['unsigned long long']],
    'MinimumSize' : [ 0x10, ['unsigned long long']],
    'FreeSpace' : [ 0x18, ['unsigned long long']],
    'CurrentUsage' : [ 0x20, ['unsigned long long']],
    'PeakUsage' : [ 0x28, ['unsigned long long']],
    'HighestPage' : [ 0x30, ['unsigned long long']],
    'File' : [ 0x38, ['pointer64', ['_FILE_OBJECT']]],
    'Entry' : [ 0x40, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]],
    'PageFileName' : [ 0x50, ['_UNICODE_STRING']],
    'Bitmap' : [ 0x60, ['pointer64', ['_RTL_BITMAP']]],
    'PageFileNumber' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]],
    'ReferenceCount' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]],
    'BootPartition' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]],
    'Reserved' : [ 0x68, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]],
    'FileHandle' : [ 0x70, ['pointer64', ['void']]],
} ],
  '_EXCEPTION_RECORD' : [ 0x98, {
    'ExceptionCode' : [ 0x0, ['long']],
    'ExceptionFlags' : [ 0x4, ['unsigned long']],
    'ExceptionRecord' : [ 0x8, ['pointer64', ['_EXCEPTION_RECORD']]],
    'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]],
    'NumberParameters' : [ 0x18, ['unsigned long']],
    'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]],
} ],
  '_EXCEPTION_RECORD64' : [ 0x98, {
    'ExceptionCode' : [ 0x0, ['long']],
    'ExceptionFlags' : [ 0x4, ['unsigned long']],
    'ExceptionRecord' : [ 0x8, ['unsigned long long']],
    'ExceptionAddress' : [ 0x10, ['unsigned long long']],
    'NumberParameters' : [ 0x18, ['unsigned long']],
    '__unusedAlignment' : [ 0x1c, ['unsigned long']],
    'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]],
} ],
  '_KTIMER' : [ 0x40, {
    'Header' : [ 0x0, ['_DISPATCHER_HEADER']],
    'DueTime' : [ 0x18, ['_ULARGE_INTEGER']],
    'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']],
    'Dpc' : [ 0x30, ['pointer64', ['_KDPC']]],
    'Period' : [ 0x38, ['long']],
} ],
  '_KEVENT' : [ 0x18, {
    'Header' : [ 0x0, ['_DISPATCHER_HEADER']],
} ],
  '_KLOCK_QUEUE_HANDLE' : [ 0x18, {
    'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']],
    'OldIrql' : [ 0x10, ['unsigned char']],
} ],
  '_KSPIN_LOCK_QUEUE' : [ 0x10, {
    'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]],
    'Lock' : [ 0x8, ['pointer64', ['unsigned long long']]],
} ],
  '_KQUEUE' : [ 0x40, {
    'Header' : [ 0x0, ['_DISPATCHER_HEADER']],
    'EntryListHead' : [ 0x18, ['_LIST_ENTRY']],
    'CurrentCount' : [ 0x28, ['unsigned long']],
    'MaximumCount' : [ 0x2c, ['unsigned long']],
    'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']],
} ],
  '_KWAIT_BLOCK' : [ 0x30, {
    'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']],
    'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]],
    'Object' : [ 0x18, ['pointer64', ['void']]],
    'NextWaitBlock' : [ 0x20, ['pointer64', ['_KWAIT_BLOCK']]],
    'WaitKey' : [ 0x28, ['unsigned short']],
    'WaitType' : [ 0x2a, ['unsigned char']],
    'SpareByte' : [ 0x2b, ['unsigned char']],
    'SpareLong' : [ 0x2c, ['long']],
} ],
  '_KTIMER_TABLE_ENTRY' : [ 0x18, {
    'Entry' : [ 0x0, ['_LIST_ENTRY']],
    'Time' : [ 0x10, ['_ULARGE_INTEGER']],
} ],
  '_KPROCESS' : [ 0xb8, {
    'Header' : [ 0x0, ['_DISPATCHER_HEADER']],
    'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']],
    'DirectoryTableBase' : [ 0x28, ['array', 2, ['unsigned long long']]],
    'IopmOffset' : [ 0x38, ['unsigned short']],
    'ActiveProcessors' : [ 0x40, ['unsigned long long']],
    'KernelTime' : [ 0x48, ['unsigned long']],
    'UserTime' : [ 0x4c, ['unsigned long']],
    'ReadyListHead' : [ 0x50, ['_LIST_ENTRY']],
    'SwapListEntry' : [ 0x60, ['_SINGLE_LIST_ENTRY']],
    'Reserved1' : [ 0x68, ['pointer64', ['void']]],
    'ThreadListHead' : [ 0x70, ['_LIST_ENTRY']],
    'ProcessLock' : [ 0x80, ['unsigned long long']],
    'Affinity' : [ 0x88, ['unsigned long long']],
    'AutoAlignment' : [ 0x90, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]],
    'DisableBoost' : [ 0x90, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]],
    'DisableQuantum' : [ 0x90, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]],
    'ReservedFlags' : [ 0x90, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='long')]],
    'ProcessFlags' : [ 0x90, ['long']],
    'BasePriority' : [ 0x94, ['unsigned char']],
    'QuantumReset' :
[ 0x95, ['unsigned char']], 'State' : [ 0x96, ['unsigned char']], 'ThreadSeed' : [ 0x97, ['unsigned char']], 'PowerState' : [ 0x98, ['unsigned char']], 'IdealNode' : [ 0x99, ['unsigned char']], 'Visited' : [ 0x9a, ['unsigned char']], 'Flags' : [ 0x9b, ['_KEXECUTE_OPTIONS']], 'ExecuteOptions' : [ 0x9b, ['unsigned char']], 'StackCount' : [ 0xa0, ['unsigned long long']], 'ProcessListEntry' : [ 0xa8, ['_LIST_ENTRY']], } ],
'_KEXCEPTION_FRAME' : [ 0x180, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['unsigned long long']], 'Xmm6' : [ 0x30, ['_M128A']], 'Xmm7' : [ 0x40, ['_M128A']], 'Xmm8' : [ 0x50, ['_M128A']], 'Xmm9' : [ 0x60, ['_M128A']], 'Xmm10' : [ 0x70, ['_M128A']], 'Xmm11' : [ 0x80, ['_M128A']], 'Xmm12' : [ 0x90, ['_M128A']], 'Xmm13' : [ 0xa0, ['_M128A']], 'Xmm14' : [ 0xb0, ['_M128A']], 'Xmm15' : [ 0xc0, ['_M128A']], 'TrapFrame' : [ 0xd0, ['unsigned long long']], 'CallbackStack' : [ 0xd8, ['unsigned long long']], 'OutputBuffer' : [ 0xe0, ['unsigned long long']], 'OutputLength' : [ 0xe8, ['unsigned long long']], 'ExceptionRecord' : [ 0xf0, ['array', 64, ['unsigned char']]], 'MxCsr' : [ 0x130, ['unsigned long long']], 'Rbp' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'R12' : [ 0x158, ['unsigned long long']], 'R13' : [ 0x160, ['unsigned long long']], 'R14' : [ 0x168, ['unsigned long long']], 'R15' : [ 0x170, ['unsigned long long']], 'Return' : [ 0x178, ['unsigned long long']], } ],
'_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, ['unsigned long long']], 'TimeStamp' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 0x118, ['unsigned long long']], 'LastExceptionToRip' : [ 0x120, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'LastBranchControl' : [ 0x108, ['unsigned long long']], 'LastBranchMSR' : [ 0x110, ['unsigned long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'Rip' : 
[ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill1' : [ 0x172, ['array', 3, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['array', 1, ['unsigned short']]], 'CodePatchCycle' : [ 0x18c, ['long']], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, 
{ 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' 
: [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_1240' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, 
['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_1240']], } ], '__unnamed_1247' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_1247']], } ], '_SHARED_CACHE_MAP' : [ 0x1b8, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, 
['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObject' : [ 0x60, ['pointer64', ['_FILE_OBJECT']]], 'ActiveVacb' : [ 0x68, ['pointer64', ['_VACB']]], 'NeedToZero' : [ 0x70, ['pointer64', ['void']]], 'ActivePage' : [ 0x78, ['unsigned long']], 'NeedToZeroPage' : [ 0x7c, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x80, ['unsigned long long']], 'VacbActiveCount' : [ 0x88, ['unsigned long']], 'DirtyPages' : [ 0x8c, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x90, ['_LIST_ENTRY']], 'Flags' : [ 0xa0, ['unsigned long']], 'Status' : [ 0xa4, ['long']], 'Mbcb' : [ 0xa8, ['pointer64', ['_MBCB']]], 'Section' : [ 0xb0, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xc0, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc8, ['unsigned long']], 'BeyondLastFlush' : [ 0xd0, ['long long']], 'Callbacks' : [ 0xd8, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xe0, ['pointer64', ['void']]], 'PrivateList' : [ 0xe8, ['_LIST_ENTRY']], 'LogHandle' : [ 0xf8, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x100, ['pointer64', ['void']]], 'DirtyPageThreshold' : [ 0x108, ['unsigned long']], 'LazyWritePassCount' : [ 0x10c, ['unsigned long']], 'UninitializeEvent' : [ 0x110, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0x118, ['pointer64', ['_VACB']]], 'BcbSpinLock' : [ 0x120, ['unsigned long long']], 'Reserved' : [ 0x128, ['pointer64', ['void']]], 'Event' : [ 0x130, ['_KEVENT']], 'VacbPushLock' : [ 0x148, ['_EX_PUSH_LOCK']], 'PrivateCacheMap' : [ 0x150, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x1b0, ['pointer64', ['void']]], } ], '_FILE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' : [ 0x18, ['pointer64', ['void']]], 
'FsContext2' : [ 0x20, ['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 0x58, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]], } ], '__unnamed_126d' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_126d']], 'LruList' : [ 0x18, ['_LIST_ENTRY']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '__unnamed_1282' : [ 0x10, { 'FreeListsInUseUlong' : [ 0x0, ['array', 4, ['unsigned long']]], 'FreeListsInUseBytes' : [ 0x0, ['array', 16, ['unsigned char']]], } ], '__unnamed_1284' : [ 0x2, { 'FreeListsInUseTerminate' : [ 0x0, ['unsigned short']], 'DecommitCount' : [ 0x0, ['unsigned short']], } ], '_HEAP' : [ 0xae8, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], 'ForceFlags' : [ 0x18, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x1c, 
['unsigned long']], 'SegmentReserve' : [ 0x20, ['unsigned long long']], 'SegmentCommit' : [ 0x28, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0x30, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0x38, ['unsigned long long']], 'TotalFreeSize' : [ 0x40, ['unsigned long long']], 'MaximumAllocationSize' : [ 0x48, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0x50, ['unsigned short']], 'HeaderValidateLength' : [ 0x52, ['unsigned short']], 'HeaderValidateCopy' : [ 0x58, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0x60, ['unsigned short']], 'MaximumTagIndex' : [ 0x62, ['unsigned short']], 'TagEntries' : [ 0x68, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRSegments' : [ 0x70, ['pointer64', ['_HEAP_UCR_SEGMENT']]], 'UnusedUnCommittedRanges' : [ 0x78, ['pointer64', ['_HEAP_UNCOMMMTTED_RANGE']]], 'AlignRound' : [ 0x80, ['unsigned long long']], 'AlignMask' : [ 0x88, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x90, ['_LIST_ENTRY']], 'Segments' : [ 0xa0, ['array', 64, ['pointer64', ['_HEAP_SEGMENT']]]], 'u' : [ 0x2a0, ['__unnamed_1282']], 'u2' : [ 0x2b0, ['__unnamed_1284']], 'AllocatorBackTraceIndex' : [ 0x2b2, ['unsigned short']], 'NonDedicatedListLength' : [ 0x2b4, ['unsigned long']], 'LargeBlocksIndex' : [ 0x2b8, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x2c0, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x2c8, ['array', 128, ['_LIST_ENTRY']]], 'LockVariable' : [ 0xac8, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xad0, ['pointer64', ['void']]], 'FrontEndHeap' : [ 0xad8, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0xae0, ['unsigned short']], 'FrontEndHeapType' : [ 0xae2, ['unsigned char']], 'LastSegmentIndex' : [ 0xae3, ['unsigned char']], } ], '_HEAP_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'PreviousSize' : [ 0xa, ['unsigned short']], 'SmallTagIndex' : [ 0xc, ['unsigned char']], 'Flags' : [ 0xd, ['unsigned char']], 
'UnusedBytes' : [ 0xe, ['unsigned char']], 'SegmentIndex' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x68, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'Signature' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], 'Heap' : [ 0x18, ['pointer64', ['_HEAP']]], 'LargestUnCommittedRange' : [ 0x20, ['unsigned long long']], 'BaseAddress' : [ 0x28, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x30, ['unsigned long']], 'FirstEntry' : [ 0x38, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x48, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x4c, ['unsigned long']], 'UnCommittedRanges' : [ 0x50, ['pointer64', ['_HEAP_UNCOMMMTTED_RANGE']]], 'AllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'LastEntryInSegment' : [ 0x60, ['pointer64', ['_HEAP_ENTRY']]], } ], '_HEAP_SUBSEGMENT' : [ 0x30, { 'Bucket' : [ 0x0, ['pointer64', ['void']]], 'UserBlocks' : [ 0x8, ['pointer64', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x10, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x18, ['unsigned short']], 'FreeThreshold' : [ 0x1a, ['unsigned short']], 'BlockCount' : [ 0x1c, ['unsigned short']], 'SizeIndex' : [ 0x1e, ['unsigned char']], 'AffinityIndex' : [ 0x1f, ['unsigned char']], 'Alignment' : [ 0x18, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x28, ['unsigned long']], } ], '_TOKEN' : [ 0xd0, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'AuditPolicy' : [ 0x38, ['_SEP_AUDIT_POLICY']], 'ModifiedId' : [ 0x40, ['_LUID']], 'SessionId' : [ 0x48, ['unsigned long']], 'UserAndGroupCount' : [ 0x4c, ['unsigned long']], 'RestrictedSidCount' : [ 
0x50, ['unsigned long']], 'PrivilegeCount' : [ 0x54, ['unsigned long']], 'VariableLength' : [ 0x58, ['unsigned long']], 'DynamicCharged' : [ 0x5c, ['unsigned long']], 'DynamicAvailable' : [ 0x60, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x64, ['unsigned long']], 'UserAndGroups' : [ 0x68, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x70, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x78, ['pointer64', ['void']]], 'Privileges' : [ 0x80, ['pointer64', ['_LUID_AND_ATTRIBUTES']]], 'DynamicPart' : [ 0x88, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0x90, ['pointer64', ['_ACL']]], 'TokenType' : [ 0x98, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0x9c, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xa0, ['unsigned char']], 'TokenInUse' : [ 0xa1, ['unsigned char']], 'ProxyData' : [ 0xa8, ['pointer64', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0xb0, ['pointer64', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'LogonSession' : [ 0xb8, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc0, ['_LUID']], 'VariablePart' : [ 0xc8, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'ReferenceCount' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], 'pDeviceMap' : [ 0x18, ['pointer64', ['_DEVICE_MAP']]], } ], '_TEB' : [ 0x17d8, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 0x68, ['unsigned long']], 
'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['pointer64', ['void']]]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes1' : [ 0x2d0, ['array', 28, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', ['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['unsigned short']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, ['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 
2, ['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 14, ['pointer64', ['void']]]], 'SubProcessTag' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'InDbgPrint' : [ 0x1744, ['unsigned char']], 'FreeStackOnTermination' : [ 0x1745, ['unsigned char']], 'HasFiberData' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SparePointer1' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'SoftPatchPtr2' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'ImpersonationLocale' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'SafeThunkCall' : [ 0x17d0, ['unsigned char']], 'BooleanSpare' : [ 0x17d1, ['array', 3, ['unsigned char']]], } ], '_HEAP_UCR_SEGMENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_HEAP_UCR_SEGMENT']]], 'ReservedSize' : [ 0x8, ['unsigned long long']], 'CommittedSize' : [ 0x10, ['unsigned long long']], 'filler' : [ 0x18, ['unsigned long']], } ], '_HMAP_TABLE' : [ 0x4000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_ERESOURCE' : [ 
0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'SharedWaiters' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 'OwnerThreads' : [ 0x30, ['array', 2, ['_OWNER_ENTRY']]], 'ContentionCount' : [ 0x50, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x54, ['unsigned short']], 'NumberOfExclusiveWaiters' : [ 0x56, ['unsigned short']], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x18, ['_UNICODE_STRING']], 'LinkTargetObject' : [ 0x28, ['pointer64', ['void']]], 'DosDeviceDriveIndex' : [ 0x30, ['unsigned long']], } ], '_POOL_BLOCK_HEAD' : [ 0x20, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x10, ['_LIST_ENTRY']], } ], '_DISPATCHER_HEADER' : [ 0x18, { 'Type' : [ 0x0, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'NpxIrql' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Hand' : [ 0x2, ['unsigned char']], 'Inserted' : [ 0x3, ['unsigned char']], 'DebugActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x98, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'Flags' : [ 0x68, ['unsigned long']], 'LoadCount' : [ 0x6c, ['unsigned short']], 
'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x70, ['pointer64', ['void']]], 'CheckSum' : [ 0x78, ['unsigned long']], 'TimeDateStamp' : [ 0x80, ['unsigned long']], 'LoadedImports' : [ 0x80, ['pointer64', ['void']]], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x90, ['pointer64', ['void']]], } ],
'_HEAP_UNCOMMMTTED_RANGE' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_HEAP_UNCOMMMTTED_RANGE']]], 'Address' : [ 0x8, ['unsigned long long']], 'Size' : [ 0x10, ['unsigned long long']], 'filler' : [ 0x18, ['unsigned long']], } ],
'_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ],
'_VI_DEADLOCK_GLOBALS' : [ 0x1e0, { 'Nodes' : [ 0x0, ['array', 2, ['unsigned long']]], 'Resources' : [ 0x8, ['array', 2, ['unsigned long']]], 'Threads' : [ 0x10, ['array', 2, ['unsigned long']]], 'TimeAcquire' : [ 0x18, ['long long']], 'TimeRelease' : [ 0x20, ['long long']], 'BytesAllocated' : [ 0x28, ['unsigned long long']], 'ResourceDatabase' : [ 0x30, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabase' : [ 0x38, ['pointer64', ['_LIST_ENTRY']]], 'AllocationFailures' : [ 0x40, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x44, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x48, ['unsigned long']], 'NodesSearched' : [ 0x4c, ['unsigned long']], 'MaxNodesSearched' : [ 0x50, ['unsigned long']], 'SequenceNumber' : [ 0x54, ['unsigned long']], 'RecursionDepthLimit' : [ 0x58, ['unsigned long']], 'SearchedNodesLimit' : [ 0x5c, ['unsigned long']], 'DepthLimitHits' : [ 0x60, ['unsigned long']], 'SearchLimitHits' : [ 0x64, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x68, ['unsigned long']], 'OutOfOrderReleases' : [ 0x6c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x70, ['unsigned long']], 'TotalReleases' : [ 0x74, ['unsigned long']], 'RootNodesDeleted' : [ 0x78, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x7c, ['unsigned long']], 'PoolTrimCounter' : [ 0x80, ['unsigned long']], 'FreeResourceList' : [ 0x88, ['_LIST_ENTRY']], 'FreeThreadList' : [ 0x98, ['_LIST_ENTRY']], 'FreeNodeList' : [ 0xa8, ['_LIST_ENTRY']], 'FreeResourceCount' : [ 0xb8, ['unsigned long']], 'FreeThreadCount' : [ 0xbc, ['unsigned long']], 'FreeNodeCount' : [ 0xc0, ['unsigned long']], 'Instigator' : [ 0xc8, ['pointer64', ['void']]], 'NumberOfParticipants' : [ 0xd0, ['unsigned long']], 'Participant' : [ 0xd8, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'CacheReductionInProgress' : [ 0x1d8, ['unsigned long']], } ],
'_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ],
'_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ],
'_SECTION_OBJECT' : [ 0x30, { 'StartingVa' : [ 0x0, ['pointer64', ['void']]], 'EndingVa' : [ 0x8, ['pointer64', ['void']]], 'Parent' : [ 0x10, ['pointer64', ['void']]], 'LeftChild' : [ 0x18, ['pointer64', ['void']]], 'RightChild' : [ 0x20, ['pointer64', ['void']]], 'Segment' : [ 0x28, ['pointer64', ['_SEGMENT_OBJECT']]], } ],
'_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 
'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, ['pointer64', ['void']]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x280, { 'BufferSpinLock' : [ 0x0, ['unsigned long long']], 'StartTime' : [ 0x8, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x10, ['pointer64', ['void']]], 'LoggerSemaphore' : [ 0x18, ['_KSEMAPHORE']], 'LoggerThread' : [ 0x38, ['pointer64', ['_ETHREAD']]], 'LoggerEvent' : [ 0x40, ['_KEVENT']], 'FlushEvent' : [ 0x58, ['_KEVENT']], 'LoggerStatus' : [ 0x70, ['long']], 'LoggerId' : [ 0x74, ['unsigned long']], 'BuffersAvailable' : [ 0x78, ['long']], 'UsePerfClock' : [ 0x7c, ['unsigned long']], 'WriteFailureLimit' : [ 0x80, ['unsigned long']], 'BuffersDirty' : [ 0x84, ['long']], 'BuffersInUse' : [ 0x88, ['long']], 'SwitchingInProgress' : [ 0x8c, ['unsigned long']], 'FreeList' : [ 0x90, ['_SLIST_HEADER']], 'FlushList' : [ 0xa0, ['_SLIST_HEADER']], 'WaitList' : [ 0xb0, ['_SLIST_HEADER']], 'GlobalList' : [ 0xc0, ['_SLIST_HEADER']], 'ProcessorBuffers' : [ 0xd0, ['pointer64', ['pointer64', ['_WMI_BUFFER_HEADER']]]], 'LoggerName' : [ 0xd8, ['_UNICODE_STRING']], 'LogFileName' : [ 0xe8, 
['_UNICODE_STRING']], 'LogFilePattern' : [ 0xf8, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x108, ['_UNICODE_STRING']], 'EndPageMarker' : [ 0x118, ['pointer64', ['unsigned char']]], 'CollectionOn' : [ 0x120, ['long']], 'KernelTraceOn' : [ 0x124, ['unsigned long']], 'PerfLogInTransition' : [ 0x128, ['long']], 'RequestFlag' : [ 0x12c, ['unsigned long']], 'EnableFlags' : [ 0x130, ['unsigned long']], 'MaximumFileSize' : [ 0x134, ['unsigned long']], 'LoggerMode' : [ 0x138, ['unsigned long']], 'LoggerModeFlags' : [ 0x138, ['_WMI_LOGGER_MODE']], 'Wow' : [ 0x13c, ['unsigned long']], 'LastFlushedBuffer' : [ 0x140, ['unsigned long']], 'RefCount' : [ 0x144, ['unsigned long']], 'FlushTimer' : [ 0x148, ['unsigned long']], 'FirstBufferOffset' : [ 0x150, ['_LARGE_INTEGER']], 'ByteOffset' : [ 0x158, ['_LARGE_INTEGER']], 'BufferAgeLimit' : [ 0x160, ['_LARGE_INTEGER']], 'MaximumBuffers' : [ 0x168, ['unsigned long']], 'MinimumBuffers' : [ 0x16c, ['unsigned long']], 'EventsLost' : [ 0x170, ['unsigned long']], 'BuffersWritten' : [ 0x174, ['unsigned long']], 'LogBuffersLost' : [ 0x178, ['unsigned long']], 'RealTimeBuffersLost' : [ 0x17c, ['unsigned long']], 'BufferSize' : [ 0x180, ['unsigned long']], 'NumberOfBuffers' : [ 0x184, ['long']], 'SequencePtr' : [ 0x188, ['pointer64', ['long']]], 'InstanceGuid' : [ 0x190, ['_GUID']], 'LoggerHeader' : [ 0x1a0, ['pointer64', ['void']]], 'GetCpuClock' : [ 0x1a8, ['pointer64', ['void']]], 'ClientSecurityContext' : [ 0x1b0, ['_SECURITY_CLIENT_CONTEXT']], 'LoggerExtension' : [ 0x1f8, ['pointer64', ['void']]], 'ReleaseQueue' : [ 0x200, ['long']], 'EnableFlagExtension' : [ 0x204, ['_TRACE_ENABLE_FLAG_EXTENSION']], 'LocalSequence' : [ 0x208, ['unsigned long']], 'MaximumIrql' : [ 0x20c, ['unsigned long']], 'EnableFlagArray' : [ 0x210, ['pointer64', ['unsigned long']]], 'LoggerMutex' : [ 0x218, ['_KMUTANT']], 'MutexCount' : [ 0x250, ['long']], 'FileCounter' : [ 0x254, ['long']], 'BufferCallback' : [ 0x258, ['pointer64', ['void']]], 'CallbackContext' : [ 
0x260, ['pointer64', ['void']]], 'PoolType' : [ 0x268, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceSystemTime' : [ 0x270, ['_LARGE_INTEGER']], 'ReferenceTimeStamp' : [ 0x278, ['_LARGE_INTEGER']], } ], '_SEGMENT_OBJECT' : [ 0x48, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x18, ['unsigned long']], 'ImageCommitment' : [ 0x1c, ['unsigned long']], 'ControlArea' : [ 0x20, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], 'LargeControlArea' : [ 0x30, ['pointer64', ['_LARGE_CONTROL_AREA']]], 'MmSectionFlags' : [ 0x38, ['pointer64', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x40, ['pointer64', ['_MMSUBSECTION_FLAGS']]], } ], '__unnamed_13b7' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '_CONTROL_AREA' : [ 0x48, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x1c, ['unsigned long']], 'NumberOfMappedViews' : [ 0x20, ['unsigned long']], 'NumberOfSystemCacheViews' : [ 0x24, ['unsigned long']], 'NumberOfUserReferences' : [ 0x28, ['unsigned long']], 'u' : [ 0x2c, ['__unnamed_13b7']], 'FilePointer' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x38, ['pointer64', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x40, ['unsigned short']], 
'FlushInProgressCount' : [ 0x42, ['unsigned short']], 'WritableUserReferences' : [ 0x44, ['unsigned long']], } ], '_HANDLE_TABLE' : [ 0x70, { 'TableCode' : [ 0x0, ['unsigned long long']], 'QuotaProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x10, ['pointer64', ['void']]], 'HandleTableLock' : [ 0x18, ['array', 4, ['_EX_PUSH_LOCK']]], 'HandleTableList' : [ 0x38, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x48, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x50, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x58, ['long']], 'FirstFree' : [ 0x5c, ['unsigned long']], 'LastFree' : [ 0x60, ['unsigned long']], 'NextHandleNeedingPool' : [ 0x64, ['unsigned long']], 'HandleCount' : [ 0x68, ['long']], 'Flags' : [ 0x6c, ['unsigned long']], 'StrictFIFO' : [ 0x6c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'BlockSize' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'PoolType' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'ReadOnly' 
: [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]],
    'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]],
    'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]],
    'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]],
    'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]],
} ],
  '_TEB_ACTIVE_FRAME' : [ 0x18, {
    'Flags' : [ 0x0, ['unsigned long']],
    'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]],
    'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]],
} ],
  '_XMM_SAVE_AREA32' : [ 0x200, {
    'ControlWord' : [ 0x0, ['unsigned short']],
    'StatusWord' : [ 0x2, ['unsigned short']],
    'TagWord' : [ 0x4, ['unsigned char']],
    'Reserved1' : [ 0x5, ['unsigned char']],
    'ErrorOpcode' : [ 0x6, ['unsigned short']],
    'ErrorOffset' : [ 0x8, ['unsigned long']],
    'ErrorSelector' : [ 0xc, ['unsigned short']],
    'Reserved2' : [ 0xe, ['unsigned short']],
    'DataOffset' : [ 0x10, ['unsigned long']],
    'DataSelector' : [ 0x14, ['unsigned short']],
    'Reserved3' : [ 0x16, ['unsigned short']],
    'MxCsr' : [ 0x18, ['unsigned long']],
    'MxCsr_Mask' : [ 0x1c, ['unsigned long']],
    'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]],
    'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]],
    'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]],
} ],
  '_MMPTE_PROTOTYPE' : [ 0x8, {
    'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]],
    'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned long long')]],
    'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]],
    'Unused1' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]],
    'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]],
    'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]],
    'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]],
} ],
  '_MMSUPPORT' : [ 0x58, {
    'WorkingSetExpansionLinks' : [ 0x0, ['_LIST_ENTRY']],
    'LastTrimTime' : [ 0x10, ['_LARGE_INTEGER']],
    'Flags' : [ 0x18, ['_MMSUPPORT_FLAGS']],
    'PageFaultCount' : [ 0x1c, ['unsigned long']],
    'PeakWorkingSetSize' : [ 0x20, ['unsigned long']],
    'GrowthSinceLastEstimate' : [ 0x24, ['unsigned long']],
    'MinimumWorkingSetSize' : [ 0x28, ['unsigned long']],
    'MaximumWorkingSetSize' : [ 0x2c, ['unsigned long']],
    'VmWorkingSetList' : [ 0x30, ['pointer64', ['_MMWSL']]],
    'Claim' : [ 0x38, ['unsigned long']],
    'NextEstimationSlot' : [ 0x3c, ['unsigned long']],
    'NextAgingSlot' : [ 0x40, ['unsigned long']],
    'EstimatedAvailable' : [ 0x44, ['unsigned long']],
    'WorkingSetSize' : [ 0x48, ['unsigned long']],
    'WorkingSetMutex' : [ 0x50, ['_EX_PUSH_LOCK']],
} ],
  '_EX_WORK_QUEUE' : [ 0x58, {
    'WorkerQueue' : [ 0x0, ['_KQUEUE']],
    'DynamicThreadCount' : [ 0x40, ['unsigned long']],
    'WorkItemsProcessed' : [ 0x44, ['unsigned long']],
    'WorkItemsProcessedLastPass' : [ 0x48, ['unsigned long']],
    'QueueDepthLastPass' : [ 0x4c, ['unsigned long']],
    'Info' : [ 0x50, ['EX_QUEUE_WORKER_INFO']],
} ],
  '_MMSUBSECTION_FLAGS' : [ 0x4, {
    'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'ReadWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'SubsectionStatic' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]],
    'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]],
    'Protection' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 9, native_type='unsigned long')]],
    'Spare' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]],
    'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 20, native_type='unsigned long')]],
    'SectorEndOffset' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 32, native_type='unsigned long')]],
} ],
  '_KMUTANT' : [ 0x38, {
    'Header' : [ 0x0, ['_DISPATCHER_HEADER']],
    'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']],
    'OwnerThread' : [ 0x28, ['pointer64', ['_KTHREAD']]],
    'Abandoned' : [ 0x30, ['unsigned char']],
    'ApcDisable' : [ 0x31, ['unsigned char']],
} ],
  '_HEAP_TAG_ENTRY' : [ 0x48, {
    'Allocs' : [ 0x0, ['unsigned long']],
    'Frees' : [ 0x4, ['unsigned long']],
    'Size' : [ 0x8, ['unsigned long long']],
    'TagIndex' : [ 0x10, ['unsigned short']],
    'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']],
    'TagName' : [ 0x14, ['array', 24, ['unsigned short']]],
} ],
  '_EPROCESS_QUOTA_BLOCK' : [ 0x78, {
    'QuotaEntry' : [ 0x0, ['array', 3, ['_EPROCESS_QUOTA_ENTRY']]],
    'QuotaList' : [ 0x60, ['_LIST_ENTRY']],
    'ReferenceCount' : [ 0x70, ['unsigned long']],
    'ProcessCount' : [ 0x74, ['unsigned long']],
} ],
  '_NT_TIB' : [ 0x38, {
    'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]],
    'StackBase' : [ 0x8, ['pointer64', ['void']]],
    'StackLimit' : [ 0x10, ['pointer64', ['void']]],
    'SubSystemTib' : [ 0x18, ['pointer64', ['void']]],
    'FiberData' : [ 0x20, ['pointer64', ['void']]],
    'Version' : [ 0x20, ['unsigned long']],
    'ArbitraryUserPointer' : [ 0x28, ['pointer64', ['void']]],
    'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]],
} ],
  '_EVENT_COUNTER' : [ 0x30, {
    'ListEntry' : [ 0x0, ['_SLIST_ENTRY']],
    'RefCount' : [ 0x10, ['unsigned long']],
    'Event' : [ 0x18, ['_KEVENT']],
} ],
  '_EJOB' : [ 0x220, {
    'Event' : [ 0x0, ['_KEVENT']],
    'JobLinks' : [ 0x18, ['_LIST_ENTRY']],
    'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']],
    'JobLock' : [ 0x38, ['_ERESOURCE']],
    'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']],
    'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']],
    'ThisPeriodTotalUserTime' : [ 0xb0, ['_LARGE_INTEGER']],
    'ThisPeriodTotalKernelTime' : [ 0xb8, ['_LARGE_INTEGER']],
    'TotalPageFaultCount' : [ 0xc0, ['unsigned long']],
    'TotalProcesses' : [ 0xc4, ['unsigned long']],
    'ActiveProcesses' : [ 0xc8, ['unsigned long']],
    'TotalTerminatedProcesses' : [ 0xcc, ['unsigned long']],
    'PerProcessUserTimeLimit' : [ 0xd0, ['_LARGE_INTEGER']],
    'PerJobUserTimeLimit' : [ 0xd8, ['_LARGE_INTEGER']],
    'LimitFlags' : [ 0xe0, ['unsigned long']],
    'MinimumWorkingSetSize' : [ 0xe8, ['unsigned long long']],
    'MaximumWorkingSetSize' : [ 0xf0, ['unsigned long long']],
    'ActiveProcessLimit' : [ 0xf8, ['unsigned long']],
    'Affinity' : [ 0x100, ['unsigned long long']],
    'PriorityClass' : [ 0x108, ['unsigned char']],
    'UIRestrictionsClass' : [ 0x10c, ['unsigned long']],
    'SecurityLimitFlags' : [ 0x110, ['unsigned long']],
    'Token' : [ 0x118, ['pointer64', ['void']]],
    'Filter' : [ 0x120, ['pointer64', ['_PS_JOB_TOKEN_FILTER']]],
    'EndOfJobTimeAction' : [ 0x128, ['unsigned long']],
    'CompletionPort' : [ 0x130, ['pointer64', ['void']]],
    'CompletionKey' : [ 0x138, ['pointer64', ['void']]],
    'SessionId' : [ 0x140, ['unsigned long']],
    'SchedulingClass' : [ 0x144, ['unsigned long']],
    'ReadOperationCount' : [ 0x148, ['unsigned long long']],
    'WriteOperationCount' : [ 0x150, ['unsigned long long']],
    'OtherOperationCount' : [ 0x158, ['unsigned long long']],
    'ReadTransferCount' : [ 0x160, ['unsigned long long']],
    'WriteTransferCount' : [ 0x168, ['unsigned long long']],
    'OtherTransferCount' : [ 0x170, ['unsigned long long']],
    'IoInfo' : [ 0x178, ['_IO_COUNTERS']],
    'ProcessMemoryLimit' : [ 0x1a8, ['unsigned long long']],
    'JobMemoryLimit' : [ 0x1b0, ['unsigned long long']],
    'PeakProcessMemoryUsed' : [ 0x1b8, ['unsigned long long']],
    'PeakJobMemoryUsed' : [ 0x1c0, ['unsigned long long']],
    'CurrentJobMemoryUsed' : [ 0x1c8, ['unsigned long long']],
    'MemoryLimitsLock' : [ 0x1d0, ['_KGUARDED_MUTEX']],
    'JobSetLinks' : [ 0x208, ['_LIST_ENTRY']],
    'MemberLevel' : [ 0x218, ['unsigned long']],
    'JobFlags' : [ 0x21c, ['unsigned long']],
} ],
  '_LARGE_CONTROL_AREA' : [ 0x68, {
    'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]],
    'DereferenceList' : [
0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x1c, ['unsigned long']], 'NumberOfMappedViews' : [ 0x20, ['unsigned long']], 'NumberOfSystemCacheViews' : [ 0x24, ['unsigned long']], 'NumberOfUserReferences' : [ 0x28, ['unsigned long']], 'u' : [ 0x2c, ['__unnamed_13b7']], 'FilePointer' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'WaitingForDeletion' : [ 0x38, ['pointer64', ['_EVENT_COUNTER']]], 'ModifiedWriteCount' : [ 0x40, ['unsigned short']], 'FlushInProgressCount' : [ 0x42, ['unsigned short']], 'WritableUserReferences' : [ 0x44, ['unsigned long']], 'StartingFrame' : [ 0x48, ['unsigned long long']], 'UserGlobalList' : [ 0x50, ['_LIST_ENTRY']], 'SessionId' : [ 0x60, ['unsigned long']], } ], '_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_PS_JOB_TOKEN_FILTER' : [ 0x38, { 'CapturedSidCount' : [ 0x0, ['unsigned long']], 'CapturedSids' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'CapturedSidsLength' : [ 0x10, ['unsigned long']], 'CapturedGroupCount' : [ 0x14, ['unsigned long']], 'CapturedGroups' : [ 0x18, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'CapturedGroupsLength' : [ 0x20, ['unsigned long']], 'CapturedPrivilegeCount' : [ 0x24, ['unsigned long']], 'CapturedPrivileges' : [ 0x28, ['pointer64', ['_LUID_AND_ATTRIBUTES']]], 'CapturedPrivilegesLength' : [ 0x30, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x80, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 
0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'Reserved' : [ 0x78, ['array', 2, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Writable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, 
native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x20, { 'BlockAddress' : [ 0x0, ['unsigned long long']], 'BinAddress' : [ 0x8, ['unsigned long long']], 'CmView' : [ 0x10, ['pointer64', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0x18, ['unsigned long']], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' 
: [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, 
native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'ImageMappedInSystemSpace' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'filler' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_DEFERRED_WRITE' : [ 0x50, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, ['unsigned long']], 'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'PostRoutine' : [ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], 'LimitModifiedPages' : [ 0x48, ['unsigned char']], } ], '_TRACE_ENABLE_FLAG_EXTENSION' : [ 0x4, { 'Offset' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned char']], 'Flag' : [ 0x3, ['unsigned char']], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', ['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x30, { 'Name' : [ 0x0, ['pointer64', ['unsigned short']]], 'BaseName' : [ 0x8, ['pointer64', ['unsigned short']]], 'CmHive' 
: [ 0x10, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x18, ['unsigned long']], 'CmHiveFlags' : [ 0x1c, ['unsigned long']], 'CmHive2' : [ 0x20, ['pointer64', ['_CMHIVE']]], 'ThreadFinished' : [ 0x28, ['unsigned char']], 'ThreadStarted' : [ 0x29, ['unsigned char']], 'Allocate' : [ 0x2a, ['unsigned char']], } ], '_MMVAD_FLAGS' : [ 0x8, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 51, native_type='unsigned long long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 61, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 61, end_bit = 63, native_type='unsigned long long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_PS_IMPERSONATION_INFORMATION' : [ 0x10, { 'Token' : [ 0x0, ['pointer64', ['void']]], 'CopyOnOpen' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], 'ImpersonationLevel' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], } ], '__unnamed_1472' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], } ], '__unnamed_1474' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_1478' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'SerialNumber' 
: [ 0x18, ['pointer64', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x1c0, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'Level' : [ 0x20, ['unsigned long']], 'Notify' : [ 0x28, ['pointer64', ['_PO_DEVICE_NOTIFY']]], 'State' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x34, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x38, 
['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0x88, ['unsigned long']], 'CompletionStatus' : [ 0x8c, ['long']], 'PendingIrp' : [ 0x90, ['pointer64', ['_IRP']]], 'Flags' : [ 0x98, ['unsigned long']], 'UserFlags' : [ 0x9c, ['unsigned long']], 'Problem' : [ 0xa0, ['unsigned long']], 'PhysicalDeviceObject' : [ 0xa8, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0xb0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0xb8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'InstancePath' : [ 0xc0, ['_UNICODE_STRING']], 'ServiceName' : [ 0xd0, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0xe0, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xe8, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xf0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xf4, ['unsigned long']], 'ChildInterfaceType' : [ 0xf8, ['Enumeration', dict(target = 'long', choices = {0: 
'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0xfc, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x100, ['unsigned short']], 'RemovalPolicy' : [ 0x102, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x103, ['unsigned char']], 'TargetDeviceNotify' : [ 0x108, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x118, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x128, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x138, ['unsigned short']], 'QueryTranslatorMask' : [ 0x13a, ['unsigned short']], 'NoArbiterMask' : [ 0x13c, ['unsigned short']], 'QueryArbiterMask' : [ 0x13e, ['unsigned short']], 'OverUsed1' : [ 0x140, ['__unnamed_1472']], 'OverUsed2' : [ 0x148, ['__unnamed_1474']], 'BootResources' : [ 0x150, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x158, ['unsigned long']], 'DockInfo' : [ 0x160, ['__unnamed_1478']], 'DisableableDepends' : [ 0x180, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x188, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x198, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x1a8, ['unsigned long']], 'PreviousParent' : [ 0x1b0, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x1b8, ['unsigned long']], } ], '__unnamed_147d' : [ 0x68, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], 'Resource' : [ 0x0, ['_ERESOURCE']], } ], '_HEAP_LOCK' : [ 0x68, { 'Lock' : [ 0x0, ['__unnamed_147d']], } ], '_PEB64' : [ 0x358, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', 
dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'SparePtr2' : [ 0x48, ['unsigned long long']], 'EnvironmentUpdateCount' : [ 0x50, ['unsigned long']], 'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x64, ['unsigned long']], 'FreeList' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'ReadOnlySharedMemoryHeap' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 
'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, ['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, 
native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_KPCR' : [ 0x2600, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'PerfGlobalGroupMask' : [ 0x10, ['pointer64', ['void']]], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, ['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, ['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_MMCOLOR_TABLES' : [ 0x18, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long long']], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, 
['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '__unnamed_14ad' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1d80, { 'GlobalVirtualAddress' : [ 0x0, ['pointer64', ['_MM_SESSION_SPACE']]], 'ReferenceCount' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_14ad']], 'SessionId' : [ 0x10, ['unsigned long']], 'ProcessList' : [ 0x18, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x28, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x30, ['unsigned long long']], 'NonPagablePages' : [ 0x38, ['unsigned long long']], 'CommittedPages' : [ 0x40, ['unsigned long long']], 'PagedPoolStart' : [ 0x48, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x50, ['pointer64', ['void']]], 'PagedPoolBasePde' : [ 0x58, ['pointer64', ['_MMPTE']]], 'Color' : [ 0x60, ['unsigned long']], 'ResidentProcessCount' : [ 0x64, ['long']], 'SessionPoolAllocationFailures' : [ 0x68, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x78, ['_LIST_ENTRY']], 'LocaleId' : [ 0x88, ['unsigned long']], 'AttachCount' : [ 0x8c, ['unsigned long']], 'AttachEvent' : [ 0x90, ['_KEVENT']], 'LastProcess' : [ 0xa8, ['pointer64', ['_EPROCESS']]], 'ProcessReferenceToSession' : [ 0xb0, ['long']], 'WsListEntry' : [ 0xb8, ['_LIST_ENTRY']], 'Lookaside' : [ 0x100, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb80, ['_MMSESSION']], 
'PagedPoolMutex' : [ 0xbe8, ['_KGUARDED_MUTEX']], 'PagedPoolInfo' : [ 0xc20, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xc60, ['_MMSUPPORT']], 'Wsle' : [ 0xcb8, ['pointer64', ['_MMWSLE']]], 'Win32KDriverUnload' : [ 0xcc0, ['pointer64', ['void']]], 'PagedPool' : [ 0xcc8, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1d10, ['_MMPTE']], 'SpecialPoolFirstPte' : [ 0x1d18, ['pointer64', ['_MMPTE']]], 'SpecialPoolLastPte' : [ 0x1d20, ['pointer64', ['_MMPTE']]], 'NextPdeForSpecialPoolExpansion' : [ 0x1d28, ['pointer64', ['_MMPTE']]], 'LastPdeForSpecialPoolExpansion' : [ 0x1d30, ['pointer64', ['_MMPTE']]], 'SpecialPagesInUse' : [ 0x1d38, ['unsigned long long']], 'ImageLoadingCount' : [ 0x1d40, ['long']], } ], '_PEB' : [ 0x358, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['pointer64', ['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['void']]], 'SparePtr2' : [ 0x48, ['pointer64', ['void']]], 'EnvironmentUpdateCount' : [ 0x50, ['unsigned long']], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x64, ['unsigned long']], 'FreeList' : [ 0x68, ['pointer64', ['_PEB_FREE_BLOCK']]], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['pointer64', 
['void']]], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'ReadOnlySharedMemoryHeap' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, 
['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['pointer64', ['void']]]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'PreviousSize' : [ 0xa, ['unsigned short']], 'SmallTagIndex' : [ 0xc, ['unsigned char']], 'Flags' : [ 0xd, ['unsigned char']], 'UnusedBytes' : [ 0xe, ['unsigned char']], 'SegmentIndex' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, 
native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 22, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '__unnamed_14dd' : [ 0x10, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], 'LastByte' : [ 0x0, ['_LARGE_INTEGER']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0xa8, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'WriteOffset' : [ 0x10, ['_LARGE_INTEGER']], 'u' : [ 0x18, ['__unnamed_14dd']], 'Irp' : [ 0x28, ['pointer64', ['_IRP']]], 'LastPageToWrite' : [ 0x30, ['unsigned long long']], 'PagingListHead' : [ 0x38, ['pointer64', ['_MMMOD_WRITER_LISTHEAD']]], 'CurrentList' : [ 0x40, ['pointer64', ['_LIST_ENTRY']]], 'PagingFile' : [ 0x48, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x50, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x58, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0x60, ['pointer64', ['_ERESOURCE']]], 'IssueTime' : [ 0x68, ['_LARGE_INTEGER']], 'Mdl' : [ 0x70, ['_MDL']], 'Page' : [ 
0xa0, ['array', 1, ['unsigned long long']]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_TEB32' : [ 0xfbc, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes1' : [ 0x1ac, ['array', 40, ['unsigned char']]], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 
0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['unsigned short']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 14, ['unsigned long']]], 'SubProcessTag' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'InDbgPrint' : [ 0xf74, ['unsigned char']], 'FreeStackOnTermination' : [ 0xf75, ['unsigned char']], 'HasFiberData' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SparePointer1' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'SoftPatchPtr2' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'SafeThunkCall' : 
[ 0xfb8, ['unsigned char']], 'BooleanSpare' : [ 0xfb9, ['array', 3, ['unsigned char']]], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_EPROCESS_QUOTA_ENTRY' : [ 0x20, { 'Usage' : [ 0x0, ['unsigned long long']], 'Limit' : [ 0x8, ['unsigned long long']], 'Peak' : [ 0x10, ['unsigned long long']], 'Return' : [ 0x18, ['unsigned long long']], } ], '__unnamed_1502' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x58, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_1502']], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'Wnode' : [ 0x0, ['_WNODE_HEADER']], 'Reserved1' : [ 0x0, ['unsigned long long']], 'Reserved2' : [ 0x8, ['unsigned long long']], 'Reserved3' : [ 0x10, ['_LARGE_INTEGER']], 'Alignment' : [ 0x18, ['pointer64', ['void']]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'Entry' : [ 0x18, ['_LIST_ENTRY']], 'ReferenceCount' : [ 0x0, ['long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'UsePerfClock' : [ 0xc, ['unsigned long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['_WMI_CLIENT_CONTEXT']], 'State' : [ 0x2c, ['_WMI_BUFFER_STATE']], 'Flags' : [ 0x2c, ['unsigned long']], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'InstanceGuid' : [ 0x38, ['_GUID']], 'LoggerContext' : [ 0x38, 
['pointer64', ['void']]], 'GlobalEntry' : [ 0x40, ['_SINGLE_LIST_ENTRY']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_PROCESSOR_POWER_STATE' : [ 0x170, { 'IdleFunction' : [ 0x0, ['pointer64', ['void']]], 'Idle0KernelTimeLimit' : [ 0x8, ['unsigned long']], 'Idle0LastTime' : [ 0xc, ['unsigned long']], 'IdleHandlers' : [ 0x10, ['pointer64', ['void']]], 'IdleState' : [ 0x18, ['pointer64', ['void']]], 'IdleHandlersCount' : [ 0x20, ['unsigned long']], 'LastCheck' : [ 0x28, ['unsigned long long']], 'IdleTimes' : [ 0x30, ['PROCESSOR_IDLE_TIMES']], 'IdleTime1' : [ 0x50, ['unsigned long']], 'PromotionCheck' : [ 0x54, ['unsigned long']], 'IdleTime2' : [ 0x58, ['unsigned long']], 'CurrentThrottle' : [ 0x5c, ['unsigned char']], 'ThermalThrottleLimit' : [ 0x5d, ['unsigned char']], 'CurrentThrottleIndex' : [ 0x5e, ['unsigned char']], 'ThermalThrottleIndex' : [ 0x5f, ['unsigned char']], 'LastKernelUserTime' : [ 0x60, ['unsigned long']], 'LastIdleThreadKernelTime' : [ 0x64, ['unsigned long']], 'PackageIdleStartTime' : [ 0x68, ['unsigned long']], 'PackageIdleTime' : [ 0x6c, ['unsigned long']], 'DebugCount' : [ 0x70, ['unsigned long']], 'LastSysTime' : [ 0x74, ['unsigned long']], 'TotalIdleStateTime' : [ 0x78, ['array', 3, ['unsigned long long']]], 'TotalIdleTransitions' : [ 0x90, ['array', 3, ['unsigned long']]], 'PreviousC3StateTime' : [ 0xa0, ['unsigned long long']], 'KneeThrottleIndex' : [ 0xa8, ['unsigned char']], 'ThrottleLimitIndex' : [ 0xa9, ['unsigned char']], 'PerfStatesCount' : [ 0xaa, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xab, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0xac, ['unsigned char']], 'EnableIdleAccounting' : [ 0xad, ['unsigned char']], 'LastC3Percentage' : [ 0xae, ['unsigned char']], 'LastAdjustedBusyPercentage' : [ 0xaf, ['unsigned char']], 'PromotionCount' : [ 0xb0, ['unsigned long']], 'DemotionCount' : [ 0xb4, ['unsigned long']], 'ErrorCount' : [ 0xb8, ['unsigned long']], 
'RetryCount' : [ 0xbc, ['unsigned long']], 'Flags' : [ 0xc0, ['unsigned long']], 'PerfCounterFrequency' : [ 0xc8, ['_LARGE_INTEGER']], 'PerfTickCount' : [ 0xd0, ['unsigned long']], 'PerfTimer' : [ 0xd8, ['_KTIMER']], 'PerfDpc' : [ 0x118, ['_KDPC']], 'PerfStates' : [ 0x158, ['pointer64', ['PROCESSOR_PERF_STATE']]], 'PerfSetThrottle' : [ 0x160, ['pointer64', ['void']]], 'LastC3KernelUserTime' : [ 0x168, ['unsigned long']], 'LastPackageIdleTime' : [ 0x16c, ['unsigned long']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'Modified' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned short')]], 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 11, native_type='unsigned short')]], 'RemovalRequested' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned short')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 14, native_type='unsigned short')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned short')]], 'ParityError' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], } ], '_IO_COUNTERS' : [ 0x30, { 'ReadOperationCount' : [ 0x0, ['unsigned long long']], 'WriteOperationCount' : [ 0x8, ['unsigned long long']], 'OtherOperationCount' : [ 0x10, ['unsigned long long']], 'ReadTransferCount' : [ 0x18, ['unsigned long long']], 'WriteTransferCount' : [ 0x20, 
['unsigned long long']], 'OtherTransferCount' : [ 0x28, ['unsigned long long']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x80, { 'IdleCount' : [ 0x0, ['long']], 'ConservationIdleTime' : [ 0x4, ['unsigned long']], 'PerformanceIdleTime' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x18, ['_LIST_ENTRY']], 'DeviceType' : [ 0x28, ['unsigned char']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x30, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x40, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x50, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x70, ['_LIST_ENTRY']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'BeingTrimmed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'SessionLeader' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Available0' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]],
'MemoryPriority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'GrowWsleHash' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'AcquiredUnsafe' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Available' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'PROCESSOR_PERF_STATE' : [ 0x20, { 'PercentFrequency' : [ 0x0, ['unsigned char']], 'MinCapacity' : [ 0x1, ['unsigned char']], 'Power' : [ 0x2, ['unsigned short']], 'IncreaseLevel' : [ 0x4, ['unsigned char']], 'DecreaseLevel' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'IncreaseTime' : [ 0x8, ['unsigned long']], 'DecreaseTime' : [ 0xc, ['unsigned long']], 'IncreaseCount' : [ 0x10, ['unsigned long']], 'DecreaseCount' : [ 0x14, ['unsigned long']], 'PerformanceTime' : [ 0x18, ['unsigned long long']], } ], 'PROCESSOR_IDLE_TIMES' : [ 0x20, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], 'IdleHandlerReserved' : [ 0x10, ['array', 4, ['unsigned long']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_MMMOD_WRITER_LISTHEAD' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Event' : [ 0x10, ['_KEVENT']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, 
['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 
0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_POP_THERMAL_ZONE' : [ 0x120, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x10, ['unsigned char']], 'Flags' : [ 0x11, ['unsigned char']], 'Mode' : [ 0x12, ['unsigned char']], 'PendingMode' : [ 0x13, ['unsigned char']], 'ActivePoint' : [ 0x14, ['unsigned char']], 'PendingActivePoint' : [ 0x15, ['unsigned char']], 'Throttle' : [ 0x18, ['long']], 'LastTime' : [ 0x20, ['unsigned long long']], 'SampleRate' : [ 0x28, ['unsigned long']], 'LastTemp' : [ 0x2c, ['unsigned long']], 'PassiveTimer' : [ 0x30, ['_KTIMER']], 'PassiveDpc' : [ 0x70, ['_KDPC']], 'OverThrottled' : [ 0xb0, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0xc0, ['pointer64', ['_IRP']]], 'Info' : [ 0xc8, ['_THERMAL_INFORMATION']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x18, ['unsigned long']], 'ObjectMask' : [ 0x1c, ['unsigned long']], } ], '_PROCESSOR_POWER_POLICY' : [ 0x4c, { 'Revision' : [ 0x0, ['unsigned long']], 'DynamicThrottle' : [ 0x4, ['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'DisableCStates' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x8, ['BitField', 
dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'PolicyCount' : [ 0xc, ['unsigned long']], 'Policy' : [ 0x10, ['array', 3, ['_PROCESSOR_POWER_POLICY_INFO']]], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned long long']], 'OwnerCount' : [ 0x8, ['long']], 'TableSize' : [ 0x8, ['unsigned long']], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_RTL_ATOM_TABLE' : [ 0x70, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x8, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x30, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x60, ['unsigned long']], 'Buckets' : [ 0x68, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_TEB64' : [ 0x17d8, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long 
long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes1' : [ 0x2d0, ['array', 28, ['unsigned char']]], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['unsigned short']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' 
: [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 14, ['unsigned long long']]], 'SubProcessTag' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'InDbgPrint' : [ 0x1744, ['unsigned char']], 'FreeStackOnTermination' : [ 0x1745, ['unsigned char']], 'HasFiberData' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SparePointer1' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'SoftPatchPtr2' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'ImpersonationLocale' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'SafeThunkCall' : [ 0x17d0, ['unsigned char']], 'BooleanSpare' : [ 0x17d1, ['array', 3, ['unsigned char']]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 
'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_CMHIVE' : [ 0xab8, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x578, ['array', 3, ['pointer64', ['void']]]], 'NotifyList' : [ 0x590, ['_LIST_ENTRY']], 'HiveList' : [ 0x5a0, ['_LIST_ENTRY']], 'HiveLock' : [ 0x5b0, ['_EX_PUSH_LOCK']], 'ViewLock' : [ 0x5b8, ['pointer64', 
['_KGUARDED_MUTEX']]], 'WriterLock' : [ 0x5c0, ['_EX_PUSH_LOCK']], 'FlusherLock' : [ 0x5c8, ['_EX_PUSH_LOCK']], 'SecurityLock' : [ 0x5d0, ['_EX_PUSH_LOCK']], 'LRUViewListHead' : [ 0x5d8, ['_LIST_ENTRY']], 'PinViewListHead' : [ 0x5e8, ['_LIST_ENTRY']], 'FileObject' : [ 0x5f8, ['pointer64', ['_FILE_OBJECT']]], 'FileFullPath' : [ 0x600, ['_UNICODE_STRING']], 'FileUserName' : [ 0x610, ['_UNICODE_STRING']], 'MappedViews' : [ 0x620, ['unsigned short']], 'PinnedViews' : [ 0x622, ['unsigned short']], 'UseCount' : [ 0x624, ['unsigned long']], 'SecurityCount' : [ 0x628, ['unsigned long']], 'SecurityCacheSize' : [ 0x62c, ['unsigned long']], 'SecurityHitHint' : [ 0x630, ['long']], 'SecurityCache' : [ 0x638, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x640, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEvent' : [ 0xa40, ['pointer64', ['_KEVENT']]], 'RootKcb' : [ 0xa48, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0xa50, ['unsigned char']], 'UnloadWorkItem' : [ 0xa58, ['pointer64', ['_WORK_QUEUE_ITEM']]], 'GrowOnlyMode' : [ 0xa60, ['unsigned char']], 'GrowOffset' : [ 0xa64, ['unsigned long']], 'KcbConvertListHead' : [ 0xa68, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0xa78, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xa88, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0xa90, ['unsigned long']], 'TrustClassEntry' : [ 0xa98, ['_LIST_ENTRY']], 'FlushCount' : [ 0xaa8, ['unsigned long']], 'CreatorOwner' : [ 0xab0, ['pointer64', ['_KTHREAD']]], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 
'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], '_HHIVE' : [ 0x578, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'ReleaseCellRoutine' : [ 0x10, ['pointer64', ['void']]], 'Allocate' : [ 0x18, ['pointer64', ['void']]], 'Free' : [ 0x20, ['pointer64', ['void']]], 'FileSetSize' : [ 0x28, ['pointer64', ['void']]], 'FileWrite' : [ 0x30, ['pointer64', ['void']]], 'FileRead' : [ 0x38, ['pointer64', ['void']]], 'FileFlush' : [ 0x40, ['pointer64', ['void']]], 'BaseBlock' : [ 0x48, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x50, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x60, ['unsigned long']], 'DirtyAlloc' : [ 0x64, ['unsigned long']], 'BaseBlockAlloc' : [ 0x68, ['unsigned long']], 'Cluster' : [ 0x6c, ['unsigned long']], 'Flat' : [ 0x70, ['unsigned char']], 'ReadOnly' : [ 0x71, ['unsigned char']], 'Log' : [ 0x72, ['unsigned char']], 'DirtyFlag' : [ 0x73, ['unsigned char']], 'HiveFlags' : [ 0x74, ['unsigned long']], 'LogSize' : [ 0x78, ['unsigned long']], 'RefreshCount' : [ 0x7c, ['unsigned long']], 'StorageTypeCount' : [ 0x80, ['unsigned long']], 'Version' : [ 0x84, ['unsigned long']], 'Storage' : [ 0x88, ['array', 2, ['_DUAL']]], } ], '_PAGEFAULT_HISTORY' : [ 0x28, { 'CurrentIndex' : [ 0x0, ['unsigned long']], 'MaxIndex' : [ 0x4, ['unsigned long']], 'SpinLock' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x10, ['pointer64', ['void']]], 'WatchInfo' : [ 0x18, ['array', 1, ['_PROCESS_WS_WATCH_INFORMATION']]], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x18, { 'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned char']], 'NameLength' : [ 0xf, ['unsigned char']], 'Name' : [ 0x10, ['array', 1, ['unsigned short']]], } ], 
'_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x48, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ParseContext' : [ 0x10, ['pointer64', ['void']]], 'ProbeMode' : [ 0x18, ['unsigned char']], 'PagedPoolCharge' : [ 0x1c, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x20, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x24, ['unsigned long']], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'SecurityQos' : [ 0x30, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x38, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_WMI_BUFFER_STATE' : [ 0x4, { 'Free' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'InUse' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Flush' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '_MMFREE_POOL_ENTRY' : [ 0x28, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Size' : [ 0x10, ['unsigned long long']], 'Signature' : [ 0x18, ['unsigned long']], 'Owner' : [ 0x20, ['pointer64', ['_MMFREE_POOL_ENTRY']]], } ], '__unnamed_15d3' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, 
['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30, ['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_15d3']], 'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x8, { 'PolicyElements' : [ 0x0, ['_SEP_AUDIT_POLICY_CATEGORIES']], 'PolicyOverlay' : [ 0x0, ['_SEP_AUDIT_POLICY_OVERLAY']], 'Overlay' : [ 0x0, ['unsigned long long']], } ], '_PEB32' : [ 0x230, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 
'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, ['unsigned long']], 'SparePtr2' : [ 0x24, ['unsigned long']], 'EnvironmentUpdateCount' : [ 0x28, ['unsigned long']], 'KernelCallbackTable' : [ 0x2c, ['unsigned long']], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x34, ['unsigned long']], 'FreeList' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'ReadOnlySharedMemoryHeap' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['unsigned long']], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 
'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']], 'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], } ], '_MBCB' : [ 0xb8, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x58, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x88, ['_BITMAP_RANGE']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_VIEW_OF_FILE' : [ 
0x40, { 'LRUViewList' : [ 0x0, ['_LIST_ENTRY']], 'PinViewList' : [ 0x10, ['_LIST_ENTRY']], 'FileOffset' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'ViewAddress' : [ 0x28, ['pointer64', ['unsigned long long']]], 'Bcb' : [ 0x30, ['pointer64', ['void']]], 'UseCount' : [ 0x38, ['unsigned long']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '_KUSER_SHARED_DATA' : [ 0x378, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['unsigned short']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 
'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'TraceLogging' : [ 0x2f0, ['unsigned long']], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], 'Wow64SharedInformation' : [ 0x334, ['array', 16, ['unsigned long']]], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x70, { 'Length' : [ 0x0, ['unsigned short']], 'UseDefaultObject' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x3, ['unsigned char']], 'InvalidAttributes' : [ 0x4, ['unsigned long']], 'GenericMapping' : [ 0x8, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x18, ['unsigned long']], 'SecurityRequired' : [ 0x1c, ['unsigned char']], 'MaintainHandleCount' : [ 0x1d, ['unsigned char']], 'MaintainTypeList' : [ 0x1e, ['unsigned char']], 'PoolType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 
33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x24, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', ['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', ['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], } ], '_WMI_LOGGER_MODE' : [ 0x4, { 'SequentialFile' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'CircularFile' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'AppendFile' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'RealTime' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'DelayOpenFile' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'BufferOnly' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'PrivateLogger' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'AddHeader' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'UseExisting' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'UseGlobalSequence' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'UseLocalSequence' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'Unused2' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 32, 
native_type='unsigned long')]], } ], '_KPROCESSOR_STATE' : [ 0x5b0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], '__unnamed_162d' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_1633' : [ 0x8, { 'Banked' : [ 0x0, ['pointer64', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x68, { 'u1' : [ 0x0, ['__unnamed_1180']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_1183']], 'ControlArea' : [ 0x30, ['pointer64', ['_CONTROL_AREA']]], 'FirstPrototypePte' : [ 0x38, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x40, ['pointer64', ['_MMPTE']]], 'u2' : [ 0x48, ['__unnamed_1188']], 'u3' : [ 0x50, ['__unnamed_162d']], 'u4' : [ 0x60, ['__unnamed_1633']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_POOL_DESCRIPTOR' : [ 0x1048, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 
'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['unsigned long']], 'RunningDeAllocs' : [ 0xc, ['unsigned long']], 'TotalPages' : [ 0x10, ['unsigned long']], 'TotalBigPages' : [ 0x14, ['unsigned long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x20, ['pointer64', ['void']]], 'PendingFrees' : [ 0x28, ['pointer64', ['void']]], 'PendingFreeDepth' : [ 0x30, ['long']], 'TotalBytes' : [ 0x38, ['unsigned long long']], 'Spare0' : [ 0x40, ['unsigned long long']], 'ListHeads' : [ 0x48, ['array', 256, ['_LIST_ENTRY']]], } ], '_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 
11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_WOW64_PROCESS' : [ 0x8, { 'Wow64' : [ 0x0, ['pointer64', ['void']]], } ], '_PEB_LDR_DATA' : [ 0x48, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_MM_PAGED_POOL_INFO' : [ 0x40, { 'PagedPoolAllocationMap' : [ 0x0, ['pointer64', ['_RTL_BITMAP']]], 'EndOfPagedPoolBitmap' : [ 0x8, ['pointer64', ['_RTL_BITMAP']]], 
'FirstPteForPagedPool' : [ 0x10, ['pointer64', ['_MMPTE']]], 'LastPteForPagedPool' : [ 0x18, ['pointer64', ['_MMPTE']]], 'NextPdeForPagedPoolExpansion' : [ 0x20, ['pointer64', ['_MMPTE']]], 'PagedPoolHint' : [ 0x28, ['unsigned long']], 'PagedPoolCommit' : [ 0x30, ['unsigned long long']], 'AllocatedPagedPool' : [ 0x38, ['unsigned long long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, ['array', 32, ['unsigned short']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_MMSESSION' : [ 0x68, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x38, ['pointer64', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewStart' : [ 0x40, ['pointer64', ['unsigned char']]], 'SystemSpaceViewTable' : [ 0x48, ['pointer64', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x50, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x54, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x58, ['unsigned long']], 'BitmapFailures' : [ 0x5c, ['unsigned long']], 'SystemSpaceBitMap' : [ 0x60, ['pointer64', ['_RTL_BITMAP']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 
'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY_OVERLAY' : [ 0x8, { 'PolicyBits' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 36, native_type='unsigned long long')]], 'SetBit' : [ 0x0, ['BitField', dict(start_bit = 36, end_bit = 37, native_type='unsigned long long')]], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['unsigned long']], 'NumberOfPages' : [ 0xc, ['unsigned long']], 'QuotaObject' : [ 0x10, ['pointer64', ['void']]], } ], '_PROCESS_WS_WATCH_INFORMATION' : [ 0x10, { 'FaultingPc' : [ 0x0, ['pointer64', ['void']]], 'FaultingVa' : [ 0x8, ['pointer64', ['void']]], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, ['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : 
[ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'Active' : [ 0x48, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x48, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x48, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x48, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_UNEXPECTED_INTERRUPT' : [ 0x10, { 'PushImmOp' : [ 0x0, ['unsigned char']], 'PushImm' : [ 0x1, ['unsigned long']], 'PushRbp' : [ 0x5, ['unsigned char']], 'JmpOp' : [ 0x6, ['unsigned char']], 'JmpOffset' : [ 0x7, ['long']], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']],
'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned long long']], 'R12' : [ 0xd8, ['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XMM_SAVE_AREA32']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, ['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_MMPTE_HARDWARE_LARGEPAGE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', 
dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PAT' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 21, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 40, native_type='unsigned long long')]], 'reserved2' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 64, native_type='unsigned long long')]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10, ['unsigned long']], } ], '_PCI_PDO_EXTENSION' : [ 0x120, { 'Next' : [ 0x0, ['pointer64', ['_PCI_PDO_EXTENSION']]], 'ExtensionType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1768116272: 
'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x10, ['pointer64', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0x18, ['unsigned char']], 'TentativeNextState' : [ 0x19, ['unsigned char']], 'SecondaryExtLock' : [ 0x20, ['_KEVENT']], 'Slot' : [ 0x38, ['_PCI_SLOT_NUMBER']], 'PhysicalDeviceObject' : [ 0x40, ['pointer64', ['_DEVICE_OBJECT']]], 'ParentFdoExtension' : [ 0x48, ['pointer64', ['_PCI_FDO_EXTENSION']]], 'SecondaryExtension' : [ 0x50, ['_SINGLE_LIST_ENTRY']], 'BusInterfaceReferenceCount' : [ 0x58, ['unsigned long']], 'AgpInterfaceReferenceCount' : [ 0x5c, ['unsigned long']], 'VendorId' : [ 0x60, ['unsigned short']], 'DeviceId' : [ 0x62, ['unsigned short']], 'SubsystemVendorId' : [ 0x64, ['unsigned short']], 'SubsystemId' : [ 0x66, ['unsigned short']], 'RevisionId' : [ 0x68, ['unsigned char']], 'ProgIf' : [ 0x69, ['unsigned char']], 'SubClass' : [ 0x6a, ['unsigned char']], 'BaseClass' : [ 0x6b, ['unsigned char']], 'AdditionalResourceCount' : [ 0x6c, ['unsigned char']], 'AdjustedInterruptLine' : [ 0x6d, ['unsigned char']], 'InterruptPin' : [ 0x6e, ['unsigned char']], 'RawInterruptLine' : [ 0x6f, ['unsigned char']], 'CapabilitiesPtr' : [ 0x70, ['unsigned char']], 'SavedLatencyTimer' : [ 0x71, ['unsigned char']], 'SavedCacheLineSize' : [ 0x72, ['unsigned char']], 'HeaderType' : [ 0x73, ['unsigned char']], 'NotPresent' : [ 0x74, ['unsigned char']], 'ReportedMissing' : [ 0x75, ['unsigned char']], 'ExpectedWritebackFailure' 
: [ 0x76, ['unsigned char']], 'NoTouchPmeEnable' : [ 0x77, ['unsigned char']], 'LegacyDriver' : [ 0x78, ['unsigned char']], 'UpdateHardware' : [ 0x79, ['unsigned char']], 'MovedDevice' : [ 0x7a, ['unsigned char']], 'DisablePowerDown' : [ 0x7b, ['unsigned char']], 'NeedsHotPlugConfiguration' : [ 0x7c, ['unsigned char']], 'IDEInNativeMode' : [ 0x7d, ['unsigned char']], 'BIOSAllowsIDESwitchToNativeMode' : [ 0x7e, ['unsigned char']], 'IoSpaceUnderNativeIdeControl' : [ 0x7f, ['unsigned char']], 'OnDebugPath' : [ 0x80, ['unsigned char']], 'IoSpaceNotRequired' : [ 0x81, ['unsigned char']], 'PowerState' : [ 0x88, ['PCI_POWER_STATE']], 'Dependent' : [ 0xd8, ['PCI_HEADER_TYPE_DEPENDENT']], 'HackFlags' : [ 0xe0, ['unsigned long long']], 'Resources' : [ 0xe8, ['pointer64', ['PCI_FUNCTION_RESOURCES']]], 'BridgeFdoExtension' : [ 0xf0, ['pointer64', ['_PCI_FDO_EXTENSION']]], 'NextBridge' : [ 0xf8, ['pointer64', ['_PCI_PDO_EXTENSION']]], 'NextHashEntry' : [ 0x100, ['pointer64', ['_PCI_PDO_EXTENSION']]], 'Lock' : [ 0x108, ['_PCI_LOCK']], 'PowerCapabilities' : [ 0x118, ['_PCI_PMC']], 'TargetAgpCapabilityId' : [ 0x11a, ['unsigned char']], 'CommandEnables' : [ 0x11c, ['unsigned short']], 'InitialCommand' : [ 0x11e, ['unsigned short']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', ['_HMAP_TABLE']]]], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', 
['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '__unnamed_16a5' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_16a7' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_16a5']], 'Merged' : [ 0x10, ['__unnamed_16a7']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, ['pointer64', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x28, ['unsigned char']], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_DEVICE_MAP' : [ 0x38, { 'DosDevicesDirectory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'ReferenceCount' : [ 0x10, ['unsigned long']], 'DriveMap' : [ 0x14, ['unsigned long']], 'DriveType' : [ 0x18, ['array', 32, ['unsigned char']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, 
['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x38, { 'BasePhysicalPage' : [ 0x0, ['unsigned long long']], 'BasedPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'BankSize' : [ 0x10, ['unsigned long']], 'BankShift' : [ 0x14, ['unsigned long']], 'BankedRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'CurrentMappedPte' : [ 0x28, ['pointer64', ['_MMPTE']]], 'BankTemplate' : [ 0x30, ['array', 1, ['_MMPTE']]], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : [ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, ['unsigned long long']], 'Rsp2' : [ 0x14, ['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '__unnamed_16d2' : [ 0x5, { 'Acquired' : [ 0x0, ['unsigned char']], 'CacheLineSize' : [ 0x1, ['unsigned char']], 'LatencyTimer' : [ 0x2, ['unsigned char']], 'EnablePERR' : [ 0x3, ['unsigned char']], 'EnableSERR' : [ 0x4, ['unsigned char']], } ], '_PCI_FDO_EXTENSION' : [ 0x130, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 
'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x10, ['pointer64', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0x18, ['unsigned char']], 'TentativeNextState' : [ 0x19, ['unsigned char']], 'SecondaryExtLock' : [ 0x20, ['_KEVENT']], 'PhysicalDeviceObject' : [ 0x38, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalDeviceObject' : [ 0x40, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDeviceObject' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'ChildListLock' : [ 0x50, ['_KEVENT']], 'ChildPdoList' : [ 0x68, ['pointer64', ['_PCI_PDO_EXTENSION']]], 'BusRootFdoExtension' : [ 0x70, ['pointer64', ['_PCI_FDO_EXTENSION']]], 'ParentFdoExtension' : [ 0x78, ['pointer64', ['_PCI_FDO_EXTENSION']]], 'ChildBridgePdoList' : [ 0x80, ['pointer64', ['_PCI_PDO_EXTENSION']]], 'PciBusInterface' : [ 0x88, ['pointer64', ['_PCI_BUS_INTERFACE_STANDARD']]], 'MaxSubordinateBus' : [ 0x90, ['unsigned char']], 'BusHandler' : [ 0x98, ['pointer64', ['_BUS_HANDLER']]], 'BaseBus' : [ 0xa0, ['unsigned char']], 'Fake' : [ 0xa1, ['unsigned char']], 'ChildDelete' : [ 0xa2, ['unsigned char']], 'Scanned' : [ 0xa3, ['unsigned char']], 'ArbitersInitialized' : [ 0xa4, ['unsigned char']], 'BrokenVideoHackApplied' : [ 0xa5, ['unsigned char']], 'Hibernated' : [ 0xa6, ['unsigned char']], 'PowerState' : [ 0xa8, ['PCI_POWER_STATE']], 'SecondaryExtension' : [ 0xf8, ['_SINGLE_LIST_ENTRY']], 'ChildWaitWakeCount' : [ 0x100, ['unsigned long']], 'PreservedConfig' : [ 0x108, ['pointer64', ['_PCI_COMMON_CONFIG']]], 'Lock' : [ 0x110, ['_PCI_LOCK']], 'HotPlugParameters' : [ 0x120, ['__unnamed_16d2']], 'BusHackFlags' : [ 0x128, ['unsigned long']], } ], '__unnamed_16d6' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_16d8' : [ 0x10, { 'Level' : [ 0x0, ['unsigned long']],
'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_16da' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_16dc' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_16de' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_16e0' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_16e2' : [ 0x10, { 'Generic' : [ 0x0, ['__unnamed_16d6']], 'Port' : [ 0x0, ['__unnamed_16d6']], 'Interrupt' : [ 0x0, ['__unnamed_16d8']], 'Memory' : [ 0x0, ['__unnamed_16d6']], 'Dma' : [ 0x0, ['__unnamed_16da']], 'DevicePrivate' : [ 0x0, ['__unnamed_16dc']], 'BusNumber' : [ 0x0, ['__unnamed_16de']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_16e0']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_16e2']], } ], '_SYSPTES_HEADER' : [ 0x18, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x10, ['unsigned long long']], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', ['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'RequestSummary' : [ 0x0, ['long long']], 'RequestPacket' : [ 0x8, ['_KREQUEST_PACKET']], 'Virtual' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0xb0, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' 
: [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x18, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x20, ['unsigned long']], 'ParentKcb' : [ 0x28, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x30, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x38, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x40, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x50, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x50, ['unsigned long']], 'SubKeyCount' : [ 0x50, ['unsigned long']], 'KeyBodyListHead' : [ 0x58, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x58, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x68, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'DelayCloseEntry' : [ 0x88, ['pointer64', ['void']]], 'KcbLastWriteTime' : [ 0x90, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x98, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x9a, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x9c, ['unsigned long']], 'KcbUserFlags' : [ 0xa0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0xa0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0xa0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0xa0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'RealKeyName' : [ 0xa8, ['pointer64', ['unsigned char']]], } ],
'_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_PCI_BUS_INTERFACE_STANDARD' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ReadConfig' : [ 0x20, ['pointer64', ['void']]], 'WriteConfig' : [ 0x28, ['pointer64', ['void']]], 'PinToLine' : [ 0x30, ['pointer64', ['void']]], 'LineToPin' : [ 0x38, ['pointer64', ['void']]], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'Level' : [ 0x20, ['unsigned long']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_SEP_AUDIT_POLICY_CATEGORIES' : [ 0x8, { 'System' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'Logon' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'ObjectAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'PrivilegeUse' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'DetailedTracking' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'PolicyChange' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'AccountManagement' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 
28, native_type='unsigned long')]], 'DirectoryServiceAccess' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], 'AccountLogon' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], } ], '_CM_KEY_HASH' : [ 0x20, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '__unnamed_1726' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_172b' : [ 0x10, { 'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_172d' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_172b']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_1735' : [ 0x50, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_1737' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_1735']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, ['__unnamed_1726']], 'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 
'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : [ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : [ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_172d']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 0x78, ['__unnamed_1737']], } ], '_PCI_LOCK' : [ 0x10, { 'Atom' : [ 0x0, ['unsigned long long']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '__unnamed_1744' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1744']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '__unnamed_174a' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyInitiatePowerActionAPI', 4: 'PolicySetPowerStateAPI', 5: 'PolicyImmediateDozeS4', 6: 'PolicySystemIdle'})]], 'Flags' : [ 0x4, 
['unsigned char']], 'Spare' : [ 0x5, ['array', 3, ['unsigned char']]], 'Battery' : [ 0x8, ['__unnamed_174a']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], } ], '_ETIMER' : [ 0x108, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x40, ['_KAPC']], 'TimerDpc' : [ 0x98, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Lock' : [ 0xe8, ['unsigned long long']], 'Period' : [ 0xf0, ['long']], 'ApcAssociated' : [ 0xf4, ['unsigned char']], 'WakeTimer' : [ 0xf5, ['unsigned char']], 'WakeTimerListEntry' : [ 0xf8, ['_LIST_ENTRY']], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, 
['unsigned long long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_PCI_PMC' : [ 0x2, { 'Version' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'PMEClock' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Rsvd1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'DeviceSpecificInitialization' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Support' : [ 0x1, ['_PM_SUPPORT']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '__unnamed_1764' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_1764']], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '__unnamed_176c' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_176c']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x3f0, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, 
['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 'Environment' : [ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, ['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_KSPECIAL_REGISTERS' : [ 0xd8, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 
0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, ['unsigned long long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 'ImageFileName' : [ 0x0, ['pointer64', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockQueuedSpinLock', 7: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, 
['pointer64', ['void']]]], 'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['unsigned long']], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_PEB_FREE_BLOCK' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_PEB_FREE_BLOCK']]], 'Size' : [ 0x8, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x48, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'WakeNeeded' : [ 0x18, ['unsigned char']], 'OrderLevel' : [ 0x19, ['unsigned char']], 'DeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'Node' : [ 0x28, ['pointer64', ['void']]], 'DeviceName' : [ 0x30, ['pointer64', ['unsigned short']]], 'DriverName' : [ 0x38, ['pointer64', ['unsigned short']]], 'ChildCount' : [ 0x40, ['unsigned long']], 'ActiveChild' : [ 0x44, ['unsigned long']], } ], '_MMPFNLIST' : [ 0x20, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], } ], '__unnamed_1795' : [ 0x4, { 'Spare' : [ 0x0, ['array', 4, ['unsigned char']]], } ], '__unnamed_1797' : [ 0x4, { 'PrimaryBus' : [ 0x0, ['unsigned char']], 'SecondaryBus' : [ 0x1, ['unsigned char']], 'SubordinateBus' : [ 0x2, ['unsigned char']], 'SubtractiveDecode' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsaBitSet' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'VgaBitSet' : [ 0x3, ['BitField', dict(start_bit = 
2, end_bit = 3, native_type='unsigned char')]], 'WeChangedBusNumbers' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'IsaBitRequired' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], } ], 'PCI_HEADER_TYPE_DEPENDENT' : [ 0x4, { 'type0' : [ 0x0, ['__unnamed_1795']], 'type1' : [ 0x0, ['__unnamed_1797']], 'type2' : [ 0x0, ['__unnamed_1797']], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_KINTERRUPT' : [ 0x80, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'ServiceContext' : [ 0x20, ['pointer64', ['void']]], 'SpinLock' : [ 0x28, ['unsigned long long']], 'TickCount' : [ 0x30, ['unsigned long']], 'ActualLock' : [ 0x38, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x40, ['pointer64', ['void']]], 'Vector' : [ 0x48, ['unsigned long']], 'Irql' : [ 0x4c, ['unsigned char']], 'SynchronizeIrql' : [ 0x4d, ['unsigned char']], 'FloatingSave' : [ 0x4e, ['unsigned char']], 'Connected' : [ 0x4f, ['unsigned char']], 'Number' : [ 0x50, ['unsigned char']], 'ShareVector' : [ 0x51, ['unsigned char']], 'Mode' : [ 0x54, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'ServiceCount' : [ 0x58, ['unsigned long']], 'DispatchCount' : [ 0x5c, ['unsigned long']], 'TrapFrame' : [ 0x60, ['pointer64', ['_KTRAP_FRAME']]], 'Reserved' : [ 0x68, ['pointer64', ['void']]], 'DispatchCode' : [ 0x70, ['array', 4, ['unsigned long']]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', ['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 
'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], '_PCI_ARBITER_INSTANCE' : [ 0x190, { 'Header' : [ 0x0, ['PCI_SECONDARY_EXTENSION']], 'Interface' : [ 0x18, ['pointer64', ['_PCI_INTERFACE']]], 'BusFdoExtension' : [ 0x20, ['pointer64', ['_PCI_FDO_EXTENSION']]], 'InstanceName' : [ 0x28, ['array', 24, ['unsigned short']]], 'CommonInstance' : [ 0x58, ['_ARBITER_INSTANCE']], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_PCI_MJ_DISPATCH_TABLE' : [ 0x40, { 'PnpIrpMaximumMinorFunction' : [ 0x0, ['unsigned long']], 'PnpIrpDispatchTable' : [ 0x8, ['pointer64', ['_PCI_MN_DISPATCH_TABLE']]], 'PowerIrpMaximumMinorFunction' : [ 0x10, ['unsigned long']], 'PowerIrpDispatchTable' : [ 0x18, ['pointer64', ['_PCI_MN_DISPATCH_TABLE']]], 'SystemControlIrpDispatchStyle' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 
'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'SystemControlIrpDispatchFunction' : [ 0x28, ['pointer64', ['void']]], 'OtherIrpDispatchStyle' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'OtherIrpDispatchFunction' : [ 0x38, ['pointer64', ['void']]], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_MMWSLENTRY' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_17da' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_17de' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, 
native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 0x4, ['__unnamed_17da']], 'Bits' : [ 0x4, ['__unnamed_17de']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_OBJECT_DIRECTORY' : [ 0x140, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'SessionId' : [ 0x138, ['unsigned long']], } ], '_WMI_CLIENT_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned 
long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_KDPC_DATA' : [ 0x20, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], } ], '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_MMWSL' : [ 0x80, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer64', ['_MMWSLE']]], 'LastInitializedWsle' : [ 0x18, ['unsigned long']], 'NonDirectCount' : [ 0x1c, ['unsigned long']], 'HashTable' : [ 0x20, ['pointer64', ['_MMWSLE_HASH']]], 'HashTableSize' : [ 0x28, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x2c, ['unsigned long']], 'HashTableStart' : [ 0x30, ['pointer64', ['void']]], 'HighestPermittedHashAddress' : [ 0x38, ['pointer64', ['void']]], 'NumberOfImageWaiters' : [ 0x40, ['unsigned long']], 'VadBitMapHint' : [ 0x44, ['unsigned long']], 'HighestUserAddress' : [ 0x48, ['pointer64', 
['void']]], 'MaximumUserPageTablePages' : [ 0x50, ['unsigned long']], 'MaximumUserPageDirectoryPages' : [ 0x54, ['unsigned long']], 'CommittedPageTables' : [ 0x58, ['pointer64', ['unsigned long']]], 'NumberOfCommittedPageDirectories' : [ 0x60, ['unsigned long']], 'CommittedPageDirectories' : [ 0x68, ['pointer64', ['unsigned long']]], 'NumberOfCommittedPageDirectoryParents' : [ 0x70, ['unsigned long']], 'CommittedPageDirectoryParents' : [ 0x78, ['array', 1, ['unsigned long long']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], 'PCI_FUNCTION_RESOURCES' : [ 0x170, { 'Limit' : [ 0x0, ['array', 7, ['_IO_RESOURCE_DESCRIPTOR']]], 'Current' : [ 0xe0, ['array', 7, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WNODE_HEADER' : [ 0x30, { 'BufferSize' : [ 0x0, ['unsigned long']], 'ProviderId' : [ 0x4, ['unsigned long']], 'HistoricalContext' : [ 0x8, ['unsigned long long']], 'Version' : [ 0x8, ['unsigned long']], 'Linkage' : [ 0xc, ['unsigned long']], 'CountLost' : [ 0x10, ['unsigned long']], 'KernelHandle' : [ 0x10, ['pointer64', ['void']]], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], } ], '__unnamed_1811' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_1815' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x68, { 
'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'NonExtendedPtes' : [ 0xc, ['unsigned long']], 'Spare0' : [ 0x10, ['unsigned long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'SegmentPteTemplate' : [ 0x20, ['_MMPTE']], 'NumberOfCommittedPages' : [ 0x28, ['unsigned long long']], 'ExtendInfo' : [ 0x30, ['pointer64', ['_MMEXTEND_INFO']]], 'SegmentFlags' : [ 0x38, ['_SEGMENT_FLAGS']], 'BasedAddress' : [ 0x40, ['pointer64', ['void']]], 'u1' : [ 0x48, ['__unnamed_1811']], 'u2' : [ 0x50, ['__unnamed_1815']], 'PrototypePte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'ThePtes' : [ 0x60, ['array', 1, ['_MMPTE']]], } ], '_PCI_COMMON_EXTENSION' : [ 0x38, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'ExtensionType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'IrpDispatchTable' : [ 0x10, ['pointer64', ['_PCI_MJ_DISPATCH_TABLE']]], 'DeviceState' : [ 0x18, ['unsigned char']], 'TentativeNextState' : [ 0x19, ['unsigned char']], 'SecondaryExtLock' : [ 0x20, ['_KEVENT']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], 'StartAddress' : [ 0x28, ['pointer64', ['void']]], 'EndAddress' : [ 0x30, ['pointer64', ['void']]], 'Flags' : [ 0x38, ['unsigned long']], 'Signature' : [ 0x40, 
['unsigned long long']], 'PoolPageHeaders' : [ 0x50, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x60, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x70, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x74, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x78, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x7c, ['unsigned long']], 'PagedBytes' : [ 0x80, ['unsigned long long']], 'NonPagedBytes' : [ 0x88, ['unsigned long long']], 'PeakPagedBytes' : [ 0x90, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x98, ['unsigned long long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x60, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long long']], 'PrivateLinks' : [ 0x50, ['_LIST_ENTRY']], } ], '_RTL_HANDLE_TABLE' : [ 0x30, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x18, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x20, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x28, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_POP_IDLE_HANDLER' : [ 0x28, { 'Latency' : [ 0x0, ['unsigned long']], 'TimeCheck' : [ 0x4, ['unsigned long']], 'DemoteLimit' : [ 0x8, ['unsigned long']], 'PromoteLimit' : [ 0xc, ['unsigned long']], 'PromoteCount' : [ 0x10, ['unsigned long']], 'Demote' : [ 
0x14, ['unsigned char']], 'Promote' : [ 0x15, ['unsigned char']], 'PromotePercent' : [ 0x16, ['unsigned char']], 'DemotePercent' : [ 0x17, ['unsigned char']], 'State' : [ 0x18, ['unsigned char']], 'Spare' : [ 0x19, ['array', 3, ['unsigned char']]], 'IdleFunction' : [ 0x20, ['pointer64', ['void']]], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'spare2' : [ 0x11, ['array', 4, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 
'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_DEVOBJ_EXTENSION' : [ 0x50, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', ['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, 
['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_MMVIEW' : [ 0x10, { 'Entry' : [ 0x0, ['unsigned long long']], 'ControlArea' : [ 0x8, ['pointer64', ['_CONTROL_AREA']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], 'PCI_SECONDARY_EXTENSION' : [ 0x18, { 'List' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'ExtensionType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'Destructor' : [ 0x10, ['pointer64', ['void']]], } ], '__unnamed_1842' : [ 0x30, { 'type0' : [ 0x0, ['_PCI_HEADER_TYPE_0']], 'type1' : [ 0x0, ['_PCI_HEADER_TYPE_1']], 'type2' : [ 0x0, ['_PCI_HEADER_TYPE_2']], } ], '_PCI_COMMON_CONFIG' : [ 0x100, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'Command' : [ 0x4, ['unsigned short']], 'Status' : [ 0x6, ['unsigned short']], 'RevisionID' : [ 0x8, ['unsigned char']], 'ProgIf' : [ 0x9, ['unsigned char']], 'SubClass' : [ 0xa, ['unsigned char']], 'BaseClass' : [ 0xb, ['unsigned char']], 'CacheLineSize' : [ 0xc, ['unsigned char']], 'LatencyTimer' : [ 0xd, ['unsigned 
char']], 'HeaderType' : [ 0xe, ['unsigned char']], 'BIST' : [ 0xf, ['unsigned char']], 'u' : [ 0x10, ['__unnamed_1842']], 'DeviceSpecific' : [ 0x40, ['array', 192, ['unsigned char']]], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [ 0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, ['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 'GpValue' : [ 0x28, ['unsigned long']], 'ImageCharacteristics' : [ 0x2c, ['unsigned short']], 'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'Spare1' : [ 0x33, ['unsigned char']], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'Reserved' : [ 0x3c, ['array', 1, ['unsigned long']]], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['unsigned long']], 'NonPagedAllocs' : [ 0x4, ['unsigned long']], 'NonPagedFrees' : [ 0x8, ['unsigned long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_KNODE' : [ 0x40, { 'DeadStackList' : [ 0x0, ['_SLIST_HEADER']], 'PfnDereferenceSListHead' : [ 0x10, ['_SLIST_HEADER']], 'Alignment' : [ 0x10, ['unsigned long long']], 'ProcessorMask' : [ 0x18, ['unsigned long long']], 'Color' : [ 0x20, ['unsigned char']], 'Seed' : [ 0x21, ['unsigned char']], 'NodeNumber' : [ 0x22, ['unsigned char']], 'Flags' : [ 0x23, ['_flags']], 'MmShiftedColor' : [ 0x24, ['unsigned long']], 'FreeCount' : [ 0x28, ['array', 2, 
['unsigned long long']]], 'PfnDeferredList' : [ 0x38, ['pointer64', ['_SLIST_ENTRY']]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_SEGMENT_FLAGS' : [ 0x8, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', ['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 
'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_VI_DEADLOCK_THREAD' : [ 0x30, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_PCI_INTERFACE' : [ 0x28, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'MinSize' : [ 0x8, ['unsigned short']], 'MinVersion' : [ 0xa, ['unsigned short']], 'MaxVersion' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned short']], 'ReferenceCount' : [ 0x10, ['long']], 'Signature' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {1768116272: 'PciPdoExtensionType', 1768116273: 'PciFdoExtensionType', 1768116274: 'PciArb_Io', 1768116275: 'PciArb_Memory', 1768116276: 'PciArb_Interrupt', 1768116277: 'PciArb_BusNumber', 1768116278: 'PciTrans_Interrupt', 1768116279: 'PciInterface_BusHandler', 1768116280: 'PciInterface_IntRouteHandler', 1768116281: 
'PciInterface_PciCb', 1768116282: 'PciInterface_LegacyDeviceDetection', 1768116283: 'PciInterface_PmeHandler', 1768116284: 'PciInterface_DevicePresent', 1768116285: 'PciInterface_NativeIde', 1768116286: 'PciInterface_Location', 1768116287: 'PciInterface_AgpTarget'})]], 'Constructor' : [ 0x18, ['pointer64', ['void']]], 'Initializer' : [ 0x20, ['pointer64', ['void']]], } ], '_POP_POWER_ACTION' : [ 0x50, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'IrpMinor' : [ 0x14, ['unsigned char']], 'SystemState' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x20, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x28, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'HiberContext' : [ 0x30, ['pointer64', ['_POP_HIBER_CONTEXT']]], 
'LastWakeState' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WakeTime' : [ 0x40, ['unsigned long long']], 'SleepTime' : [ 0x48, ['unsigned long long']], } ], '_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ], '_MMVAD_SHORT' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_1180']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_1183']], } ], '__unnamed_188b' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_188b']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], 
'_PNP_DEVICE_EVENT_ENTRY' : [ 0x88, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'Data' : [ 0x40, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_KGUARDED_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]],
'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 64, native_type='unsigned long long')]], } ], '_KREQUEST_PACKET' : [ 0x20, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x38, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x18, ['unsigned long']], 'RealRefCount' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PROCESSOR_POWER_POLICY_INFO' : [ 0x14, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemoteLimit' : [ 0x4, ['unsigned long']], 'PromoteLimit' : [ 0x8, ['unsigned long']], 'DemotePercent' : [ 0xc, ['unsigned char']], 'PromotePercent' : [ 0xd, ['unsigned char']], 'Spare' : [ 0xe, ['array', 2, ['unsigned char']]], 'AllowDemotion' : [ 0x10, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AllowPromotion' : [ 0x10, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x10, ['BitField', dict(start_bit = 2, end_bit = 32,
native_type='unsigned long')]], } ], '_ARBITER_INSTANCE' : [ 0x138, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['unsigned short']]], 'ResourceType' : [ 0x18, ['long']], 'Allocation' : [ 0x20, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x30, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x40, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x50, ['long']], 'Interface' : [ 0x58, ['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x60, ['unsigned long']], 'AllocationStack' : [ 0x68, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x70, ['pointer64', ['void']]], 'PackResource' : [ 0x78, ['pointer64', ['void']]], 'UnpackResource' : [ 0x80, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x88, ['pointer64', ['void']]], 'TestAllocation' : [ 0x90, ['pointer64', ['void']]], 'RetestAllocation' : [ 0x98, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa0, ['pointer64', ['void']]], 'RollbackAllocation' : [ 0xa8, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb0, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xb8, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc0, ['pointer64', ['void']]], 'AddReserved' : [ 0xc8, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd0, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xd8, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe0, ['pointer64', ['void']]], 'GetNextAllocationRange' : [ 0xe8, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf0, ['pointer64', ['void']]], 'AddAllocation' : [ 0xf8, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x100, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x108, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x110, ['unsigned char']], 'Extension' : [ 0x118, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x120, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 
0x128, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x130, ['pointer64', ['void']]], } ], '_BUS_HANDLER' : [ 0xb8, { 'Version' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ConfigurationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'Cmos', 1: 'EisaConfiguration', 2: 'Pos', 3: 'CbusConfiguration', 4: 'PCIConfiguration', 5: 'VMEConfiguration', 6: 'NuBusConfiguration', 7: 'PCMCIAConfiguration', 8: 'MPIConfiguration', 9: 'MPSAConfiguration', 10: 'PNPISAConfiguration', 11: 'SgiInternalConfiguration', 12: 'MaximumBusDataType', -1: 'ConfigurationSpaceUndefined'})]], 'BusNumber' : [ 0xc, ['unsigned long']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'ParentHandler' : [ 0x18, ['pointer64', ['_BUS_HANDLER']]], 'BusData' : [ 0x20, ['pointer64', ['void']]], 'DeviceControlExtensionSize' : [ 0x28, ['unsigned long']], 'BusAddresses' : [ 0x30, ['pointer64', ['_SUPPORTED_RANGES']]], 'Reserved' : [ 0x38, ['array', 4, ['unsigned long']]], 'GetBusData' : [ 0x48, ['pointer64', ['void']]], 'SetBusData' : [ 0x50, ['pointer64', ['void']]], 'AdjustResourceList' : [ 0x58, ['pointer64', ['void']]], 'AssignSlotResources' : [ 0x60, ['pointer64', ['void']]], 'GetInterruptVector' : [ 0x68, ['pointer64', ['void']]], 'TranslateBusAddress' : [ 0x70, ['pointer64', ['void']]], 'Spare1' : [ 0x78, ['pointer64', ['void']]], 'Spare2' : [ 0x80, ['pointer64', ['void']]], 'Spare3' : [ 0x88, ['pointer64', ['void']]], 'Spare4' : [ 0x90, ['pointer64', ['void']]], 'Spare5' : [ 0x98, ['pointer64', ['void']]], 'Spare6' : [ 0xa0, ['pointer64', ['void']]], 'Spare7' : [ 0xa8, ['pointer64', ['void']]], 'Spare8' : 
[ 0xb0, ['pointer64', ['void']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_PCI_MN_DISPATCH_TABLE' : [ 0x10, { 'DispatchStyle' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'IRP_COMPLETE', 1: 'IRP_DOWNWARD', 2: 'IRP_UPWARD', 3: 'IRP_DISPATCH'})]], 'DispatchFunction' : [ 0x8, ['pointer64', ['void']]], } ], '_POP_DEVICE_SYS_STATE' : [ 0xba8, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Event' : [ 0x8, ['_KEVENT']], 'SpinLock' : [ 0x20, ['unsigned long long']], 'Thread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'GetNewDeviceList' : [ 0x30, ['unsigned char']], 'Order' : [ 0x38, ['_PO_DEVICE_NOTIFY_ORDER']], 'Status' : [ 0x448, ['long']], 'FailedDevice' : [ 0x450, ['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x458, ['unsigned char']], 'Cancelled' : [ 0x459, ['unsigned char']], 'IgnoreErrors' : [ 0x45a, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x45b, ['unsigned char']], 'WaitAny' : [ 0x45c, ['unsigned char']], 'WaitAll' : [ 0x45d, ['unsigned char']], 'PresentIrpQueue' : [ 0x460, ['_LIST_ENTRY']], 'Head' : [ 0x470, ['_POP_DEVICE_POWER_IRP']], 'PowerIrpState' : [ 0x4c8, ['array', 20, ['_POP_DEVICE_POWER_IRP']]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, ['pointer64', ['void']]], 
'Detail' : [ 0x8, ['unsigned long']], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_MMWSLE_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long']], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['unsigned short']]], } ], '_CM_KEY_BODY' : [ 0x30, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], } ], '_HANDLE_TABLE_ENTRY' : [ 0x10, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long long']], 'GrantedAccess' : [ 0x8, ['unsigned long']], 'GrantedAccessIndex' : [ 0x8, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xa, ['unsigned short']], 'NextFreeTableEntry' : [ 0x8, ['long']], } ], '_HEAP_USERDATA_HEADER' : [ 0x20, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer64', ['_HEAP_SUBSEGMENT']]], 'HeapHandle' : [ 0x8, ['pointer64', ['void']]], 'SizeIndex' : [ 0x10, 
['unsigned long long']], 'Signature' : [ 0x18, ['unsigned long long']], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]], 'ServerSectionBase' : [ 0x48, ['pointer64', ['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0xc8, ['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], 'PCI_POWER_STATE' : [ 0x50, { 'CurrentSystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentDeviceState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemWakeLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWakeLevel' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 
'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'SystemStateMapping' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'WaitWakeIrp' : [ 0x30, ['pointer64', ['_IRP']]], 'SavedCancelRoutine' : [ 0x38, ['pointer64', ['void']]], 'Paging' : [ 0x40, ['long']], 'Hibernate' : [ 0x44, ['long']], 'CrashDump' : [ 0x48, ['long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_POOL_HACKER' : [ 0x30, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x10, ['array', 8, ['unsigned long']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '__unnamed_1930' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'FileAttributes' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'EaLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1934' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_1938' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', 
['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_193a' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_193e' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_1940' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_1942' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : 
[ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileMaximumInformation'})]], } ], '__unnamed_1944' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 
'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0x18, ['unsigned char']], 'AdvanceOnly' : [ 0x19, ['unsigned char']], 'ClusterCount' : [ 0x18, ['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1946' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', ['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 'EaIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_1948' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_194c' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsMaximumInformation'})]], } ], '__unnamed_194e' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, 
['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1950' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1952' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'IoControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1954' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1956' : [ 0x10, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1958' : [ 0x10, { 'Vpb' : [ 0x0, ['pointer64', ['_VPB']]], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_195c' : [ 0x8, { 'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1960' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x8, ['pointer64', ['void']]], 'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1964' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_1966' : [ 0x20, { 'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]], 'Size' : [ 0x8, ['unsigned short']], 'Version' : [ 0xa, ['unsigned short']], 'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_196a' : [ 0x8, { 'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_196c' : [ 0x8, { 'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], 
'__unnamed_196e' : [ 0x20, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['void']]], 'Offset' : [ 0x10, ['unsigned long']], 'Length' : [ 0x18, ['unsigned long']], } ], '__unnamed_1970' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_1974' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_1978' : [ 0x10, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x8, ['unsigned long']], } ], '__unnamed_197c' : [ 0x10, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_197e' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_1982' : [ 0x8, { 'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]], } ], '__unnamed_1986' : [ 0x20, { 'SystemContext' : [ 0x0, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x10, ['_POWER_STATE']], 'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_1988' : [ 
0x10, { 'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_198a' : [ 0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_198c' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_198e' : [ 0x20, { 'Create' : [ 0x0, ['__unnamed_1930']], 'CreatePipe' : [ 0x0, ['__unnamed_1934']], 'CreateMailslot' : [ 0x0, ['__unnamed_1938']], 'Read' : [ 0x0, ['__unnamed_193a']], 'Write' : [ 0x0, ['__unnamed_193a']], 'QueryDirectory' : [ 0x0, ['__unnamed_193e']], 'NotifyDirectory' : [ 0x0, ['__unnamed_1940']], 'QueryFile' : [ 0x0, ['__unnamed_1942']], 'SetFile' : [ 0x0, ['__unnamed_1944']], 'QueryEa' : [ 0x0, ['__unnamed_1946']], 'SetEa' : [ 0x0, ['__unnamed_1948']], 'QueryVolume' : [ 0x0, ['__unnamed_194c']], 'SetVolume' : [ 0x0, ['__unnamed_194c']], 'FileSystemControl' : [ 0x0, ['__unnamed_194e']], 'LockControl' : [ 0x0, ['__unnamed_1950']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1952']], 'QuerySecurity' : [ 0x0, ['__unnamed_1954']], 'SetSecurity' : [ 0x0, ['__unnamed_1956']], 'MountVolume' : [ 0x0, ['__unnamed_1958']], 'VerifyVolume' : [ 0x0, ['__unnamed_1958']], 'Scsi' : [ 0x0, ['__unnamed_195c']], 'QueryQuota' : [ 0x0, ['__unnamed_1960']], 'SetQuota' : [ 0x0, ['__unnamed_1948']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1964']], 'QueryInterface' : [ 0x0, ['__unnamed_1966']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_196a']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_196c']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_196e']], 'SetLock' : [ 0x0, ['__unnamed_1970']], 'QueryId' : [ 0x0, ['__unnamed_1974']], 'QueryDeviceText' : [ 0x0, 
['__unnamed_1978']], 'UsageNotification' : [ 0x0, ['__unnamed_197c']], 'WaitWake' : [ 0x0, ['__unnamed_197e']], 'PowerSequence' : [ 0x0, ['__unnamed_1982']], 'Power' : [ 0x0, ['__unnamed_1986']], 'StartDevice' : [ 0x0, ['__unnamed_1988']], 'WMI' : [ 0x0, ['__unnamed_198a']], 'Others' : [ 0x0, ['__unnamed_198c']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_198e']], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } ], '__unnamed_1995' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1997' : [ 0x8, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], } ], '__unnamed_1999' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_199b' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_199d' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_199f' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1995']], 'Memory' : [ 0x0, ['__unnamed_1995']], 'Interrupt' : [ 0x0, ['__unnamed_1997']], 'Dma' : [ 0x0, ['__unnamed_1999']], 'Generic' : [ 0x0, ['__unnamed_1995']], 'DevicePrivate' : [ 0x0, ['__unnamed_16dc']], 'BusNumber' : [ 0x0, ['__unnamed_199b']], 'ConfigData' : [ 0x0, ['__unnamed_199d']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 
'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_199f']], } ], '_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ], '__unnamed_19a8' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_19aa' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_19a8']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_19ac' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_19ae' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_19ac']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_19aa']], 'u2' : [ 0x4, ['__unnamed_19ae']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], '_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 
0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x70, ['array', 99, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 894, ['unsigned long']]], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ], '_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, ['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x260, ['unsigned long']], 'FreeBins' : [ 0x268, ['_LIST_ENTRY']], } ], '_VI_POOL_ENTRY' : [ 0x20, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, ['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_POP_HIBER_CONTEXT' : [ 0x150, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'LinkFile' : [ 0x6, ['unsigned char']], 'LinkFileHandle' : [ 0x8, ['pointer64', ['void']]], 'Lock' : [ 0x10, ['unsigned long long']], 'MapFrozen' : [ 0x18, ['unsigned char']], 'MemoryMap' : [ 0x20, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x30, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x40, ['unsigned long']], 'NextCloneRange' : [ 0x48, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x50, ['unsigned long long']], 'LoaderMdl' : [ 
0x58, ['pointer64', ['_MDL']]], 'Clones' : [ 0x60, ['pointer64', ['_MDL']]], 'NextClone' : [ 0x68, ['pointer64', ['unsigned char']]], 'NoClones' : [ 0x70, ['unsigned long long']], 'Spares' : [ 0x78, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x80, ['unsigned long long']], 'IoPage' : [ 0x88, ['pointer64', ['void']]], 'CurrentMcb' : [ 0x90, ['pointer64', ['void']]], 'DumpStack' : [ 0x98, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0xa0, ['pointer64', ['_KPROCESSOR_STATE']]], 'NoRanges' : [ 0xa8, ['unsigned long']], 'HiberVa' : [ 0xb0, ['unsigned long long']], 'HiberPte' : [ 0xb8, ['_LARGE_INTEGER']], 'Status' : [ 0xc0, ['long']], 'MemoryImage' : [ 0xc8, ['pointer64', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0xd0, ['pointer64', ['_PO_MEMORY_RANGE_ARRAY']]], 'CompressionWorkspace' : [ 0xd8, ['pointer64', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0xe0, ['pointer64', ['unsigned char']]], 'PerformanceStats' : [ 0xe8, ['pointer64', ['unsigned long']]], 'CompressionBlock' : [ 0xf0, ['pointer64', ['void']]], 'DmaIO' : [ 0xf8, ['pointer64', ['void']]], 'TemporaryHeap' : [ 0x100, ['pointer64', ['void']]], 'PerfInfo' : [ 0x108, ['_PO_HIBER_PERF']], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_MMADDRESS_LIST' : [ 0x10, { 'StartVpn' : [ 0x0, ['unsigned long long']], 'EndVpn' : [ 0x8, ['unsigned long long']], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x110, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xa0, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0xa8, ['pointer64', ['void']]], 'PointersLength' : [ 0xb0, ['unsigned long']], 'ModulePrefix' : [ 0xb8, ['pointer64', ['unsigned short']]], 
'DriverList' : [ 0xc0, ['_LIST_ENTRY']], 'InitMsg' : [ 0xd0, ['_STRING']], 'ProgMsg' : [ 0xe0, ['_STRING']], 'DoneMsg' : [ 0xf0, ['_STRING']], 'FileObject' : [ 0x100, ['pointer64', ['void']]], 'UsageType' : [ 0x108, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x28, { 'Code' : [ 0x0, ['unsigned long']], 'Parameter1' : [ 0x8, ['unsigned long long']], 'Parameter2' : [ 0x10, ['unsigned long long']], 'Parameter3' : [ 0x18, ['unsigned long long']], 'Parameter4' : [ 0x20, ['unsigned long long']], } ], '__unnamed_19e9' : [ 0x4, { 'DeviceNumber' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'FunctionNumber' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_19eb' : [ 0x4, { 'bits' : [ 0x0, ['__unnamed_19e9']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_PCI_SLOT_NUMBER' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_19eb']], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, 
['unsigned long']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_SUPPORTED_RANGES' : [ 0xc0, { 'Version' : [ 0x0, ['unsigned short']], 'Sorted' : [ 0x2, ['unsigned char']], 'Reserved' : [ 0x3, ['unsigned char']], 'NoIO' : [ 0x4, ['unsigned long']], 'IO' : [ 0x8, ['_SUPPORTED_RANGE']], 'NoMemory' : [ 0x30, ['unsigned long']], 'Memory' : [ 0x38, ['_SUPPORTED_RANGE']], 'NoPrefetchMemory' : [ 0x60, ['unsigned long']], 'PrefetchMemory' : [ 0x68, ['_SUPPORTED_RANGE']], 'NoDma' : [ 0x90, ['unsigned long']], 'Dma' : [ 0x98, ['_SUPPORTED_RANGE']], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 
'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_DRIVER_EXTENSION' : [ 0x38, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], } ], '_PM_SUPPORT' : [ 0x1, { 'Rsvd2' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'D1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'D2' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'PMED0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'PMED1' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'PMED2' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'PMED3Hot' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'PMED3Cold' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_1a1a' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '__unnamed_1a1c' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '__unnamed_1a20' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '__unnamed_1a22' : [ 
0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '__unnamed_1a24' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '__unnamed_1a26' : [ 0x20, { 'TestAllocation' : [ 0x0, ['__unnamed_1a1a']], 'RetestAllocation' : [ 0x0, ['__unnamed_1a1a']], 'BootAllocation' : [ 0x0, ['__unnamed_1a1c']], 'QueryAllocatedResources' : [ 0x0, ['__unnamed_1a20']], 'QueryConflict' : [ 0x0, ['__unnamed_1a22']], 'QueryArbitrate' : [ 0x0, ['__unnamed_1a1c']], 'AddReserved' : [ 0x0, ['__unnamed_1a24']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_1a26']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0xc0, { 'Signature' : [ 0x0, ['unsigned long']], 'Version' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'ImageType' : [ 0x1c, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, 
['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'HiberPte' : [ 0x48, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x50, ['unsigned long']], 'FreeMapCheck' : [ 0x54, ['unsigned long']], 'WakeCheck' : [ 0x58, ['unsigned long']], 'TotalPages' : [ 0x60, ['unsigned long long']], 'FirstTablePage' : [ 0x68, ['unsigned long long']], 'LastFilePage' : [ 0x70, ['unsigned long long']], 'PerfInfo' : [ 0x78, ['_PO_HIBER_PERF']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x48, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', 
dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', 7, ['Enumeration', dict(target = 'long', choices = {0: 
'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, ['unsigned long']], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Spare' : [ 0x28, ['array', 2, ['unsigned long']]], } ], '__unnamed_1a48' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['unsigned short']]], } ], '__unnamed_1a4a' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_1a4c' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_1a4e' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceIds' : [ 0x8, ['array', 1, ['unsigned short']]], } ], 
'__unnamed_1a50' : [ 0x8, { 'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1a52' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1a54' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['unsigned short']]], } ], '__unnamed_1a56' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_1a58' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '__unnamed_1a5a' : [ 0x18, { 'DeviceClass' : [ 0x0, ['__unnamed_1a48']], 'TargetDevice' : [ 0x0, ['__unnamed_1a4a']], 'InstallDevice' : [ 0x0, ['__unnamed_1a4c']], 'CustomNotification' : [ 0x0, ['__unnamed_1a4e']], 'ProfileNotification' : [ 0x0, ['__unnamed_1a50']], 'PowerNotification' : [ 0x0, ['__unnamed_1a52']], 'VetoNotification' : [ 0x0, ['__unnamed_1a54']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_1a56']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_1a58']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x48, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'InvalidIDEvent', 10: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', 
['void']]], 'u' : [ 0x30, ['__unnamed_1a5a']], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_PO_MEMORY_RANGE_ARRAY' : [ 0x20, { 'Range' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_RANGE']], 'Link' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], } ], '__unnamed_1a71' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_1a73' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_1a75' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_1a71']], 'Gpt' : [ 0x0, ['__unnamed_1a73']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xa0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_1a75']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_CM_NAME_HASH' : [ 0x18, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]], 'NameLength' : [ 
0x10, ['unsigned short']], 'Name' : [ 0x12, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_PCI_HEADER_TYPE_0' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 6, ['unsigned long']]], 'CIS' : [ 0x18, ['unsigned long']], 'SubVendorID' : [ 0x1c, ['unsigned short']], 'SubSystemID' : [ 0x1e, ['unsigned short']], 'ROMBaseAddress' : [ 0x20, ['unsigned long']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'Reserved2' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'MinimumGrant' : [ 0x2e, ['unsigned char']], 'MaximumLatency' : [ 0x2f, ['unsigned char']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x410, { 'DevNodeSequence' : [ 0x0, ['unsigned long']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_FS_FILTER_CALLBACKS' : [ 0x68, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x20, 
['pointer64', ['void']]], 'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x20, { 'PageNo' : [ 0x0, ['unsigned long long']], 'StartPage' : [ 0x8, ['unsigned long long']], 'EndPage' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['unsigned short']]], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x80, { 'LevelReady' : [ 0x0, ['_KEVENT']], 'DeviceCount' : [ 0x18, ['unsigned long']], 'ActiveCount' : [ 0x1c, ['unsigned long']], 'WaitSleep' : [ 0x20, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x30, ['_LIST_ENTRY']], 'Pending' : [ 0x40, ['_LIST_ENTRY']], 'Complete' : [ 0x50, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x60, ['_LIST_ENTRY']], 'WaitS0' : [ 0x70, ['_LIST_ENTRY']], } ], '__unnamed_1aa5' : [ 0x8, { 'Base' : [ 0x0, ['unsigned long']], 'Limit' : [ 0x4, ['unsigned long']], } ], 
'_PCI_HEADER_TYPE_2' : [ 0x30, { 'SocketRegistersBaseAddress' : [ 0x0, ['unsigned long']], 'CapabilitiesPtr' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'SecondaryStatus' : [ 0x6, ['unsigned short']], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'Range' : [ 0xc, ['array', 4, ['__unnamed_1aa5']]], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['unsigned short']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x18, { 'Next' : [ 0x0, ['pointer64', ['_PO_MEMORY_RANGE_ARRAY']]], 'NextTable' : [ 0x8, ['unsigned long long']], 'CheckSum' : [ 0x10, ['unsigned long']], 'EntryCount' : [ 0x14, ['unsigned long']], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, 
['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_POP_DEVICE_POWER_IRP' : [ 0x58, { 'Free' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Irp' : [ 0x8, ['pointer64', ['_IRP']]], 'Notify' : [ 0x10, ['pointer64', ['_PO_DEVICE_NOTIFY']]], 'Pending' : [ 0x18, ['_LIST_ENTRY']], 'Complete' : [ 0x28, ['_LIST_ENTRY']], 'Abort' : [ 0x38, ['_LIST_ENTRY']], 'Failed' : [ 0x48, ['_LIST_ENTRY']], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], 
'_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], } ], '_PCI_HEADER_TYPE_1' : [ 0x30, { 'BaseAddresses' : [ 0x0, ['array', 2, ['unsigned long']]], 'PrimaryBus' : [ 0x8, ['unsigned char']], 'SecondaryBus' : [ 0x9, ['unsigned char']], 'SubordinateBus' : [ 0xa, ['unsigned char']], 'SecondaryLatency' : [ 0xb, ['unsigned char']], 'IOBase' : [ 0xc, ['unsigned char']], 'IOLimit' : [ 0xd, ['unsigned char']], 'SecondaryStatus' : [ 0xe, ['unsigned short']], 'MemoryBase' : [ 0x10, ['unsigned short']], 'MemoryLimit' : [ 0x12, ['unsigned short']], 'PrefetchBase' : [ 0x14, ['unsigned short']], 'PrefetchLimit' : [ 0x16, ['unsigned short']], 'PrefetchBaseUpper32' : [ 0x18, ['unsigned long']], 'PrefetchLimitUpper32' : [ 0x1c, ['unsigned long']], 'IOBaseUpper16' : [ 0x20, ['unsigned short']], 'IOLimitUpper16' : [ 0x22, ['unsigned short']], 'CapabilitiesPtr' : [ 0x24, ['unsigned char']], 'Reserved1' : [ 0x25, ['array', 3, ['unsigned char']]], 'ROMBaseAddress' : [ 0x28, ['unsigned long']], 'InterruptLine' : [ 0x2c, ['unsigned char']], 'InterruptPin' : [ 0x2d, ['unsigned char']], 'BridgeControl' : [ 0x2e, ['unsigned short']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, 
['unsigned long']], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_SUPPORTED_RANGE' : [ 0x28, { 'Next' : [ 0x0, ['pointer64', ['_SUPPORTED_RANGE']]], 'SystemAddressSpace' : [ 0x8, ['unsigned long']], 'SystemBase' : [ 0x10, ['long long']], 'Base' : [ 0x18, ['long long']], 'Limit' : [ 0x20, ['long long']], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 
20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['unsigned short']]], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x10, ['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 
'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long']], 'Alignment' : [ 0x14, ['unsigned long']], 'Priority' : [ 0x18, ['long']], 'Flags' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x28, ['array', 3, ['unsigned long']]], } ], '__unnamed_1b2b' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_1b2d' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_1b31' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_1b33' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, 
['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_1b2b']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_1b2d']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_1b31']], 'Others' : [ 0x0, ['__unnamed_1b33']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], }

volatility-2.3.1/volatility/plugins/overlays/windows/vista_sp0_x64_vtypes.py

ntkrnlmp_types = { 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '__unnamed_101f' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, {
'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_101f']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1024' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_1024']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_103d' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_103f' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_103d']], } ], '_TP_CALLBACK_ENVIRON' : [ 0x40, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x8, ['pointer64', ['_TP_POOL']]], 'CleanupGroup' : [ 0x10, ['pointer64', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0x18, ['pointer64', ['void']]], 'RaceDll' : [ 0x20, ['pointer64', ['void']]], 'ActivationContext' : [ 0x28, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x30, ['pointer64', ['void']]], 'u' : [ 0x38, ['__unnamed_103f']], } ], '_TP_TASK_CALLBACKS' : [ 0x10, { 'ExecuteCallback' : [ 0x0, ['pointer64', ['void']]], 'Unposted' : [ 0x8, ['pointer64', ['void']]], } ], '_TP_TASK' : [ 0x8, { 'Callbacks' : [ 0x0, ['pointer64', ['_TP_TASK_CALLBACKS']]], } ], '_TP_DIRECT' : [ 0x8, { 'Callback' : [ 0x0, ['pointer64', ['void']]], } ], '_LIST_ENTRY' : [ 0x10, { 'Flink' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'Blink' : [ 0x8, ['pointer64', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x8, { 'Next' : [ 0x0, ['pointer64', ['_SINGLE_LIST_ENTRY']]], } ], '_UNICODE_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned short']]], } ], '_STRING' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 
'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_RTL_BITMAP' : [ 0x10, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x8, ['pointer64', ['unsigned long']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS64' : [ 0x108, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER64']], } ], '_KPRCB' : [ 0x3a20, { 'MxCsr' : [ 0x0, ['unsigned long']], 'Number' : [ 0x4, ['unsigned short']], 'InterruptRequest' : [ 0x6, ['unsigned char']], 'IdleHalt' : [ 0x7, ['unsigned char']], 'CurrentThread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'NextThread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'IdleThread' : [ 0x18, ['pointer64', ['_KTHREAD']]], 'NestingLevel' : [ 0x20, ['unsigned char']], 'Group' : [ 0x21, ['unsigned char']], 'PrcbPad00' : [ 0x22, ['array', 6, ['unsigned char']]], 'RspBase' : [ 0x28, ['unsigned long long']], 'PrcbLock' : [ 0x30, ['unsigned long long']], 'SetMember' : [ 0x38, ['unsigned long long']], 'ProcessorState' : [ 0x40, ['_KPROCESSOR_STATE']], 'CpuType' : [ 0x5f0, ['unsigned char']], 'CpuID' : [ 0x5f1, ['unsigned char']], 'CpuStep' : [ 0x5f2, ['unsigned short']], 'CpuStepping' : [ 0x5f2, ['unsigned char']], 'CpuModel' : [ 0x5f3, ['unsigned char']], 'MHz' : [ 0x5f4, ['unsigned long']], 'HalReserved' : [ 0x5f8, ['array', 8, ['unsigned long long']]], 'MinorVersion' : [ 0x638, ['unsigned short']], 'MajorVersion' : [ 0x63a, ['unsigned short']], 'BuildType' : [ 0x63c, ['unsigned char']], 'CpuVendor' : [ 0x63d, ['unsigned char']], 'CoresPerPhysicalProcessor' : [ 0x63e, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x63f, ['unsigned char']], 'ApicMask' : [ 0x640, ['unsigned long']], 'CFlushSize' : [ 0x644, ['unsigned long']], 'AcpiReserved' : [ 0x648, ['pointer64', ['void']]], 'InitialApicId' : [ 0x650, ['unsigned long']], 'Stride' : [ 0x654, 
['unsigned long']], 'PrcbPad01' : [ 0x658, ['array', 3, ['unsigned long long']]], 'LockQueue' : [ 0x670, ['array', 33, ['_KSPIN_LOCK_QUEUE']]], 'PPLookasideList' : [ 0x880, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x980, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1580, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x2180, ['unsigned long long']], 'DeferredReadyListHead' : [ 0x2188, ['_SINGLE_LIST_ENTRY']], 'MmPageFaultCount' : [ 0x2190, ['long']], 'MmCopyOnWriteCount' : [ 0x2194, ['long']], 'MmTransitionCount' : [ 0x2198, ['long']], 'MmDemandZeroCount' : [ 0x219c, ['long']], 'MmPageReadCount' : [ 0x21a0, ['long']], 'MmPageReadIoCount' : [ 0x21a4, ['long']], 'MmDirtyPagesWriteCount' : [ 0x21a8, ['long']], 'MmDirtyWriteIoCount' : [ 0x21ac, ['long']], 'MmMappedPagesWriteCount' : [ 0x21b0, ['long']], 'MmMappedWriteIoCount' : [ 0x21b4, ['long']], 'KeSystemCalls' : [ 0x21b8, ['unsigned long']], 'KeContextSwitches' : [ 0x21bc, ['unsigned long']], 'CcFastReadNoWait' : [ 0x21c0, ['unsigned long']], 'CcFastReadWait' : [ 0x21c4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x21c8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x21cc, ['unsigned long']], 'CcCopyReadWait' : [ 0x21d0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x21d4, ['unsigned long']], 'LookasideIrpFloat' : [ 0x21d8, ['long']], 'IoReadOperationCount' : [ 0x21dc, ['long']], 'IoWriteOperationCount' : [ 0x21e0, ['long']], 'IoOtherOperationCount' : [ 0x21e4, ['long']], 'IoReadTransferCount' : [ 0x21e8, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x21f0, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x21f8, ['_LARGE_INTEGER']], 'TargetSet' : [ 0x2200, ['unsigned long long']], 'IpiFrozen' : [ 0x2208, ['unsigned long']], 'PrcbPad3' : [ 0x220c, ['array', 116, ['unsigned char']]], 'RequestMailbox' : [ 0x2280, ['array', 64, ['_REQUEST_MAILBOX']]], 'SenderSummary' : [ 0x3280, ['unsigned long long']], 'PrcbPad4' : [ 0x3288, ['array', 
120, ['unsigned char']]], 'DpcData' : [ 0x3300, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x3340, ['pointer64', ['void']]], 'SavedRsp' : [ 0x3348, ['pointer64', ['void']]], 'MaximumDpcQueueDepth' : [ 0x3350, ['long']], 'DpcRequestRate' : [ 0x3354, ['unsigned long']], 'MinimumDpcRate' : [ 0x3358, ['unsigned long']], 'DpcInterruptRequested' : [ 0x335c, ['unsigned char']], 'DpcThreadRequested' : [ 0x335d, ['unsigned char']], 'DpcRoutineActive' : [ 0x335e, ['unsigned char']], 'DpcThreadActive' : [ 0x335f, ['unsigned char']], 'TimerHand' : [ 0x3360, ['unsigned long long']], 'TimerRequest' : [ 0x3360, ['unsigned long long']], 'TickOffset' : [ 0x3368, ['long']], 'MasterOffset' : [ 0x336c, ['long']], 'DpcLastCount' : [ 0x3370, ['unsigned long']], 'ThreadDpcEnable' : [ 0x3374, ['unsigned char']], 'QuantumEnd' : [ 0x3375, ['unsigned char']], 'PrcbPad50' : [ 0x3376, ['unsigned char']], 'IdleSchedule' : [ 0x3377, ['unsigned char']], 'DpcSetEventRequest' : [ 0x3378, ['long']], 'KeExceptionDispatchCount' : [ 0x337c, ['unsigned long']], 'DpcEvent' : [ 0x3380, ['_KEVENT']], 'PrcbPad51' : [ 0x3398, ['pointer64', ['void']]], 'CallDpc' : [ 0x33a0, ['_KDPC']], 'ClockKeepAlive' : [ 0x33e0, ['long']], 'ClockCheckSlot' : [ 0x33e4, ['unsigned char']], 'ClockPollCycle' : [ 0x33e5, ['unsigned char']], 'PrcbPad6' : [ 0x33e6, ['array', 2, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x33e8, ['long']], 'DpcWatchdogCount' : [ 0x33ec, ['long']], 'PrcbPad70' : [ 0x33f0, ['array', 2, ['unsigned long long']]], 'WaitListHead' : [ 0x3400, ['_LIST_ENTRY']], 'WaitLock' : [ 0x3410, ['unsigned long long']], 'ReadySummary' : [ 0x3418, ['unsigned long']], 'QueueIndex' : [ 0x341c, ['unsigned long']], 'PrcbPad71' : [ 0x3420, ['array', 12, ['unsigned long long']]], 'DispatcherReadyListHead' : [ 0x3480, ['array', 32, ['_LIST_ENTRY']]], 'InterruptCount' : [ 0x3680, ['unsigned long']], 'KernelTime' : [ 0x3684, ['unsigned long']], 'UserTime' : [ 0x3688, ['unsigned long']], 'DpcTime' : [ 0x368c, ['unsigned 
long']], 'InterruptTime' : [ 0x3690, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x3694, ['unsigned long']], 'SkipTick' : [ 0x3698, ['unsigned char']], 'DebuggerSavedIRQL' : [ 0x3699, ['unsigned char']], 'PollSlot' : [ 0x369a, ['unsigned char']], 'PrcbPad80' : [ 0x369b, ['array', 5, ['unsigned char']]], 'DpcTimeCount' : [ 0x36a0, ['unsigned long']], 'DpcTimeLimit' : [ 0x36a4, ['unsigned long']], 'PeriodicCount' : [ 0x36a8, ['unsigned long']], 'PeriodicBias' : [ 0x36ac, ['unsigned long']], 'PrcbPad81' : [ 0x36b0, ['array', 2, ['unsigned long long']]], 'ParentNode' : [ 0x36c0, ['pointer64', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x36c8, ['unsigned long long']], 'MultiThreadSetMaster' : [ 0x36d0, ['pointer64', ['_KPRCB']]], 'StartCycles' : [ 0x36d8, ['unsigned long long']], 'MmSpinLockOrdering' : [ 0x36e0, ['long']], 'PageColor' : [ 0x36e4, ['unsigned long']], 'NodeColor' : [ 0x36e8, ['unsigned long']], 'NodeShiftedColor' : [ 0x36ec, ['unsigned long']], 'SecondaryColorMask' : [ 0x36f0, ['unsigned long']], 'Sleeping' : [ 0x36f4, ['long']], 'CycleTime' : [ 0x36f8, ['unsigned long long']], 'CcFastMdlReadNoWait' : [ 0x3700, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x3704, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x3708, ['unsigned long']], 'CcMapDataNoWait' : [ 0x370c, ['unsigned long']], 'CcMapDataWait' : [ 0x3710, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x3714, ['unsigned long']], 'CcPinReadNoWait' : [ 0x3718, ['unsigned long']], 'CcPinReadWait' : [ 0x371c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x3720, ['unsigned long']], 'CcMdlReadWait' : [ 0x3724, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x3728, ['unsigned long']], 'CcLazyWriteIos' : [ 0x372c, ['unsigned long']], 'CcLazyWritePages' : [ 0x3730, ['unsigned long']], 'CcDataFlushes' : [ 0x3734, ['unsigned long']], 'CcDataPages' : [ 0x3738, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x373c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x3740, ['unsigned long']], 
'CcCopyReadWaitMiss' : [ 0x3744, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x3748, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x374c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x3750, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x3754, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x3758, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x375c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x3760, ['unsigned long']], 'CcReadAheadIos' : [ 0x3764, ['unsigned long']], 'MmCacheTransitionCount' : [ 0x3768, ['long']], 'MmCacheReadCount' : [ 0x376c, ['long']], 'MmCacheIoCount' : [ 0x3770, ['long']], 'PrcbPad91' : [ 0x3774, ['array', 3, ['unsigned long']]], 'PowerState' : [ 0x3780, ['_PROCESSOR_POWER_STATE']], 'KeAlignmentFixupCount' : [ 0x38b8, ['unsigned long']], 'VendorString' : [ 0x38bc, ['array', 13, ['unsigned char']]], 'PrcbPad10' : [ 0x38c9, ['array', 3, ['unsigned char']]], 'FeatureBits' : [ 0x38cc, ['unsigned long']], 'UpdateSignature' : [ 0x38d0, ['_LARGE_INTEGER']], 'DpcWatchdogDpc' : [ 0x38d8, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x3918, ['_KTIMER']], 'Cache' : [ 0x3958, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x3994, ['unsigned long']], 'CachedCommit' : [ 0x3998, ['unsigned long']], 'CachedResidentAvailable' : [ 0x399c, ['unsigned long']], 'HyperPte' : [ 0x39a0, ['pointer64', ['void']]], 'WheaInfo' : [ 0x39a8, ['pointer64', ['void']]], 'EtwSupport' : [ 0x39b0, ['pointer64', ['void']]], 'InterruptObjectPool' : [ 0x39c0, ['_SLIST_HEADER']], 'HypercallPagePhysical' : [ 0x39d0, ['_LARGE_INTEGER']], 'HypercallPageVirtual' : [ 0x39d8, ['pointer64', ['void']]], 'RateControl' : [ 0x39e0, ['pointer64', ['void']]], 'CacheProcessorMask' : [ 0x39e8, ['array', 5, ['unsigned long long']]], 'PackageProcessorSet' : [ 0x3a10, ['unsigned long long']], 'CoreProcessorSet' : [ 0x3a18, ['unsigned long long']], } ], '_KTHREAD' : [ 0x330, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'CycleTime' : [ 0x18, ['unsigned long long']], 'QuantumTarget' : [ 0x20, 
['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer64', ['void']]], 'StackLimit' : [ 0x30, ['pointer64', ['void']]], 'KernelStack' : [ 0x38, ['pointer64', ['void']]], 'ThreadLock' : [ 0x40, ['unsigned long long']], 'ApcState' : [ 0x48, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x48, ['array', 43, ['unsigned char']]], 'Priority' : [ 0x73, ['unsigned char']], 'NextProcessor' : [ 0x74, ['unsigned short']], 'DeferredProcessor' : [ 0x76, ['unsigned short']], 'ApcQueueLock' : [ 0x78, ['unsigned long long']], 'WaitStatus' : [ 0x80, ['long long']], 'WaitBlockList' : [ 0x88, ['pointer64', ['_KWAIT_BLOCK']]], 'GateObject' : [ 0x88, ['pointer64', ['_KGATE']]], 'KernelStackResident' : [ 0x90, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x90, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x90, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x90, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x90, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : [ 0x90, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GdiFlushActive' : [ 0x90, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Reserved' : [ 0x90, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x90, ['long']], 'WaitReason' : [ 0x94, ['unsigned char']], 'SwapBusy' : [ 0x95, ['unsigned char']], 'Alerted' : [ 0x96, ['array', 2, ['unsigned char']]], 'WaitListEntry' : [ 0x98, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x98, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0xa8, ['pointer64', ['_KQUEUE']]], 'Teb' : [ 0xb0, ['pointer64', ['void']]], 'Timer' : [ 0xb8, ['_KTIMER']], 'TimerFill' : [ 0xb8, ['array', 60, ['unsigned char']]], 'AutoAlignment' : [ 0xf4, ['BitField', dict(start_bit = 
0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0xf4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0xf4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EtwStackTraceApc2Inserted' : [ 0xf4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CycleChargePending' : [ 0xf4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CalloutActive' : [ 0xf4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ApcQueueable' : [ 0xf4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'EnableStackSwap' : [ 0xf4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'GuiThread' : [ 0xf4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedFlags' : [ 0xf4, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0xf4, ['long']], 'WaitBlock' : [ 0xf8, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill0' : [ 0xf8, ['array', 43, ['unsigned char']]], 'IdealProcessor' : [ 0x123, ['unsigned char']], 'WaitBlockFill1' : [ 0xf8, ['array', 91, ['unsigned char']]], 'PreviousMode' : [ 0x153, ['unsigned char']], 'WaitBlockFill2' : [ 0xf8, ['array', 139, ['unsigned char']]], 'ResourceIndex' : [ 0x183, ['unsigned char']], 'WaitBlockFill3' : [ 0xf8, ['array', 187, ['unsigned char']]], 'LargeStack' : [ 0x1b3, ['unsigned char']], 'WaitBlockFill4' : [ 0xf8, ['array', 44, ['unsigned char']]], 'ContextSwitches' : [ 0x124, ['unsigned long']], 'WaitBlockFill5' : [ 0xf8, ['array', 92, ['unsigned char']]], 'State' : [ 0x154, ['unsigned char']], 'NpxState' : [ 0x155, ['unsigned char']], 'WaitIrql' : [ 0x156, ['unsigned char']], 'WaitMode' : [ 0x157, ['unsigned char']], 'WaitBlockFill6' : [ 0xf8, ['array', 140, ['unsigned char']]], 'WaitTime' : [ 0x184, ['unsigned long']], 'WaitBlockFill7' : [ 
0xf8, ['array', 188, ['unsigned char']]], 'KernelApcDisable' : [ 0x1b4, ['short']], 'SpecialApcDisable' : [ 0x1b6, ['short']], 'CombinedApcDisable' : [ 0x1b4, ['unsigned long']], 'QueueListEntry' : [ 0x1b8, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x1c8, ['pointer64', ['_KTRAP_FRAME']]], 'FirstArgument' : [ 0x1d0, ['pointer64', ['void']]], 'CallbackStack' : [ 0x1d8, ['pointer64', ['void']]], 'CallbackDepth' : [ 0x1d8, ['unsigned long long']], 'ApcStateIndex' : [ 0x1e0, ['unsigned char']], 'BasePriority' : [ 0x1e1, ['unsigned char']], 'PriorityDecrement' : [ 0x1e2, ['unsigned char']], 'Preempted' : [ 0x1e3, ['unsigned char']], 'AdjustReason' : [ 0x1e4, ['unsigned char']], 'AdjustIncrement' : [ 0x1e5, ['unsigned char']], 'Spare01' : [ 0x1e6, ['unsigned char']], 'Saturation' : [ 0x1e7, ['unsigned char']], 'SystemCallNumber' : [ 0x1e8, ['unsigned long']], 'Spare02' : [ 0x1ec, ['unsigned long']], 'UserAffinity' : [ 0x1f0, ['unsigned long long']], 'Process' : [ 0x1f8, ['pointer64', ['_KPROCESS']]], 'Affinity' : [ 0x200, ['unsigned long long']], 'ApcStatePointer' : [ 0x208, ['array', 2, ['pointer64', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x218, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x218, ['array', 43, ['unsigned char']]], 'FreezeCount' : [ 0x243, ['unsigned char']], 'SuspendCount' : [ 0x244, ['unsigned char']], 'UserIdealProcessor' : [ 0x245, ['unsigned char']], 'Spare03' : [ 0x246, ['unsigned char']], 'CodePatchInProgress' : [ 0x247, ['unsigned char']], 'Win32Thread' : [ 0x248, ['pointer64', ['void']]], 'StackBase' : [ 0x250, ['pointer64', ['void']]], 'SuspendApc' : [ 0x258, ['_KAPC']], 'SuspendApcFill0' : [ 0x258, ['array', 1, ['unsigned char']]], 'Spare04' : [ 0x259, ['unsigned char']], 'SuspendApcFill1' : [ 0x258, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x25b, ['unsigned char']], 'SuspendApcFill2' : [ 0x258, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x25c, ['unsigned long']], 'SuspendApcFill3' : [ 0x258, ['array', 64, ['unsigned char']]], 
'WaitPrcb' : [ 0x298, ['pointer64', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x258, ['array', 72, ['unsigned char']]], 'LegoData' : [ 0x2a0, ['pointer64', ['void']]], 'SuspendApcFill5' : [ 0x258, ['array', 83, ['unsigned char']]], 'PowerState' : [ 0x2ab, ['unsigned char']], 'UserTime' : [ 0x2ac, ['unsigned long']], 'SuspendSemaphore' : [ 0x2b0, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x2b0, ['array', 28, ['unsigned char']]], 'SListFaultCount' : [ 0x2cc, ['unsigned long']], 'ThreadListEntry' : [ 0x2d0, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x2e0, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x2f0, ['pointer64', ['void']]], 'ReadOperationCount' : [ 0x2f8, ['long long']], 'WriteOperationCount' : [ 0x300, ['long long']], 'OtherOperationCount' : [ 0x308, ['long long']], 'ReadTransferCount' : [ 0x310, ['long long']], 'WriteTransferCount' : [ 0x318, ['long long']], 'OtherTransferCount' : [ 0x320, ['long long']], 'MdlForLockedTeb' : [ 0x328, ['pointer64', ['void']]], } ], '_KERNEL_STACK_CONTROL' : [ 0x250, { 'XmmSaveArea' : [ 0x0, ['_XMM_SAVE_AREA32']], 'Current' : [ 0x200, ['_KERNEL_STACK_SEGMENT']], 'Previous' : [ 0x228, ['_KERNEL_STACK_SEGMENT']], } ], '_FAST_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KEVENT']], 'OldIrql' : [ 0x30, ['unsigned long']], } ], '__unnamed_1115' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 25, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 61, 
native_type='unsigned long long')]], 'Region' : [ 0x8, ['BitField', dict(start_bit = 61, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_111a' : [ 0x10, { 'Depth' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Sequence' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='unsigned long long')]], 'HeaderType' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Init' : [ 0x8, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Reserved' : [ 0x8, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long long')]], 'NextEntry' : [ 0x8, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], } ], '_SLIST_HEADER' : [ 0x10, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Region' : [ 0x8, ['unsigned long long']], 'Header8' : [ 0x0, ['__unnamed_1115']], 'Header16' : [ 0x0, ['__unnamed_111a']], } ], '_SLIST_ENTRY' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ], '_LOOKASIDE_LIST_EX' : [ 0x60, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0x80, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, ['double']], } ], '_IO_STATUS_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer64', ['void']]], 'Information' : [ 0x8, ['unsigned long long']], } ], '_EX_PUSH_LOCK' : [ 0x8, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, 
native_type='unsigned long long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 64, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x100, { 'Locks' : [ 0x0, ['array', 32, ['pointer64', ['_EX_PUSH_LOCK']]]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_EX_RUNDOWN_REF' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long long']], 'Ptr' : [ 0x0, ['pointer64', ['void']]], } ], '_EX_FAST_REF' : [ 0x8, { 'Object' : [ 0x0, 
['pointer64', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long long')]], 'Value' : [ 0x0, ['unsigned long long']], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x40, { 'WakeGate' : [ 0x0, ['_KGATE']], 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x18, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x20, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x28, ['pointer64', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x30, ['long']], 'Flags' : [ 0x34, ['long']], } ], '_ETHREAD' : [ 0x450, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x330, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x338, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x338, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x348, ['long']], 'OfsChain' : [ 0x348, ['pointer64', ['void']]], 'PostBlockList' : [ 0x350, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x350, ['pointer64', ['void']]], 'StartAddress' : [ 0x358, ['pointer64', ['void']]], 'TerminationPort' : [ 0x360, ['pointer64', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x360, ['pointer64', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x360, ['pointer64', ['void']]], 'Win32StartParameter' : [ 0x360, ['pointer64', ['void']]], 'ActiveTimerListLock' : [ 0x368, ['unsigned long long']], 'ActiveTimerListHead' : [ 0x370, ['_LIST_ENTRY']], 'Cid' : [ 0x380, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x390, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x390, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x3b0, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x3b8, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x3c8, ['unsigned long long']], 'DeviceToVerify' : [ 0x3d0, ['pointer64', ['_DEVICE_OBJECT']]], 'RateControlApc' : [ 0x3d8, ['pointer64', ['_PSP_RATE_APC']]], 'Win32StartAddress' : [ 0x3e0, ['pointer64', ['void']]], 'SparePtr0' : [ 0x3e8, ['pointer64', ['void']]], 'ThreadListEntry' : [ 0x3f0, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x400, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x408, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x410, 
['unsigned long']], 'MmLockOrdering' : [ 0x414, ['long']], 'CrossThreadFlags' : [ 0x418, ['unsigned long']], 'Terminated' : [ 0x418, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x418, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x418, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x418, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x418, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x418, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x418, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x418, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x418, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x418, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x418, ['BitField', dict(start_bit = 10, end_bit = 13, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x418, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x418, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x41c, ['unsigned long']], 'ActiveExWorker' : [ 0x41c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x41c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x41c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ClonedThread' : [ 0x41c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 
'KeyedEventInUse' : [ 0x41c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x41c, ['BitField', dict(start_bit = 5, end_bit = 7, native_type='unsigned long')]], 'SelfTerminate' : [ 0x41c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x420, ['unsigned long']], 'Spare' : [ 0x420, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x420, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwPageFaultCalloutActive' : [ 0x420, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x420, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x420, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemWorkingSetExclusive' : [ 0x420, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemWorkingSetShared' : [ 0x420, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x420, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x421, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x421, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x421, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x421, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x421, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsDynamicMemoryShared' : [ 0x421, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 
'OwnsChangeControlAreaExclusive' : [ 0x421, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x421, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x422, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'CacheManagerActive' : [ 0x424, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x425, ['unsigned char']], 'ActiveFaultCount' : [ 0x426, ['unsigned char']], 'AlpcMessageId' : [ 0x428, ['unsigned long long']], 'AlpcMessage' : [ 0x430, ['pointer64', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x430, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x438, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x448, ['unsigned long']], } ], '_EPROCESS' : [ 0x3e8, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0xc0, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0xc8, ['_LARGE_INTEGER']], 'ExitTime' : [ 0xd0, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0xd8, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0xe0, ['pointer64', ['void']]], 'ActiveProcessLinks' : [ 0xe8, ['_LIST_ENTRY']], 'QuotaUsage' : [ 0xf8, ['array', 3, ['unsigned long long']]], 'QuotaPeak' : [ 0x110, ['array', 3, ['unsigned long long']]], 'CommitCharge' : [ 0x128, ['unsigned long long']], 'PeakVirtualSize' : [ 0x130, ['unsigned long long']], 'VirtualSize' : [ 0x138, ['unsigned long long']], 'SessionProcessLinks' : [ 0x140, ['_LIST_ENTRY']], 'DebugPort' : [ 0x150, ['pointer64', ['void']]], 'ExceptionPortData' : [ 0x158, ['pointer64', ['void']]], 'ExceptionPortValue' : [ 0x158, ['unsigned long long']], 'ExceptionPortState' : [ 0x158, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long long')]], 'ObjectTable' : [ 0x160, ['pointer64', ['_HANDLE_TABLE']]], 'Token' : [ 0x168, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0x170, ['unsigned long long']], 'AddressCreationLock' : [ 0x178, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0x180, ['pointer64', ['_ETHREAD']]], 
'ForkInProgress' : [ 0x188, ['pointer64', ['_ETHREAD']]], 'HardwareTrigger' : [ 0x190, ['unsigned long long']], 'PhysicalVadRoot' : [ 0x198, ['pointer64', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0x1a0, ['pointer64', ['void']]], 'NumberOfPrivatePages' : [ 0x1a8, ['unsigned long long']], 'NumberOfLockedPages' : [ 0x1b0, ['unsigned long long']], 'Win32Process' : [ 0x1b8, ['pointer64', ['void']]], 'Job' : [ 0x1c0, ['pointer64', ['_EJOB']]], 'SectionObject' : [ 0x1c8, ['pointer64', ['void']]], 'SectionBaseAddress' : [ 0x1d0, ['pointer64', ['void']]], 'QuotaBlock' : [ 0x1d8, ['pointer64', ['_EPROCESS_QUOTA_BLOCK']]], 'WorkingSetWatch' : [ 0x1e0, ['pointer64', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x1e8, ['pointer64', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x1f0, ['pointer64', ['void']]], 'LdtInformation' : [ 0x1f8, ['pointer64', ['void']]], 'VadFreeHint' : [ 0x200, ['pointer64', ['void']]], 'VdmObjects' : [ 0x208, ['pointer64', ['void']]], 'DeviceMap' : [ 0x210, ['pointer64', ['void']]], 'EtwDataSource' : [ 0x218, ['pointer64', ['void']]], 'FreeTebHint' : [ 0x220, ['pointer64', ['void']]], 'PageDirectoryPte' : [ 0x228, ['_HARDWARE_PTE']], 'Filler' : [ 0x228, ['unsigned long long']], 'Session' : [ 0x230, ['pointer64', ['void']]], 'ImageFileName' : [ 0x238, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x248, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x258, ['pointer64', ['void']]], 'ThreadListHead' : [ 0x260, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x270, ['pointer64', ['void']]], 'Wow64Process' : [ 0x278, ['pointer64', ['_WOW64_PROCESS']]], 'ActiveThreads' : [ 0x280, ['unsigned long']], 'ImagePathHash' : [ 0x284, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x288, ['unsigned long']], 'LastThreadExitStatus' : [ 0x28c, ['long']], 'Peb' : [ 0x290, ['pointer64', ['_PEB']]], 'PrefetchTrace' : [ 0x298, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x2a0, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x2a8, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 
0x2b0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x2b8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x2c0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x2c8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x2d0, ['unsigned long long']], 'CommitChargePeak' : [ 0x2d8, ['unsigned long long']], 'AweInfo' : [ 0x2e0, ['pointer64', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x2e8, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x2f0, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x358, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x368, ['unsigned long']], 'Flags2' : [ 0x36c, ['unsigned long']], 'JobNotReallyActive' : [ 0x36c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x36c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x36c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x36c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x36c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x36c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x36c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x36c, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x36c, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x36c, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x36c, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'ProtectedProcess' : [ 0x36c, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x36c, ['BitField', dict(start_bit = 12, end_bit = 15, 
native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x36c, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x36c, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x36c, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Flags' : [ 0x370, ['unsigned long']], 'CreateReported' : [ 0x370, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x370, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x370, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x370, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x370, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x370, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x370, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x370, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x370, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x370, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x370, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x370, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x370, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x370, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x370, ['BitField', dict(start_bit = 15, end_bit = 16, 
native_type='unsigned long')]], 'ProcessInSession' : [ 0x370, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x370, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x370, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x370, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x370, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x370, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x370, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x370, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x370, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SmapAllowed' : [ 0x370, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x370, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x370, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'SparePsFlags1' : [ 0x370, ['BitField', dict(start_bit = 30, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x374, ['long']], 'Spare7' : [ 0x378, ['unsigned short']], 'SubSystemMinorVersion' : [ 0x37a, ['unsigned char']], 'SubSystemMajorVersion' : [ 0x37b, ['unsigned char']], 'SubSystemVersion' : [ 0x37a, ['unsigned short']], 'PriorityClass' : [ 0x37c, ['unsigned char']], 'VadRoot' : [ 0x380, ['_MM_AVL_TABLE']], 'Cookie' : [ 0x3c0, ['unsigned long']], 'AlpcContext' : [ 0x3c8, ['_ALPC_PROCESS_CONTEXT']], } ], '__unnamed_1202' : [ 0x8, { 'MasterIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, 
['pointer64', ['void']]], } ], '__unnamed_1207' : [ 0x10, { 'UserApcRoutine' : [ 0x0, ['pointer64', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer64', ['void']]], 'UserApcContext' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1209' : [ 0x10, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_1207']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_1214' : [ 0x50, { 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer64', ['void']]]], 'Thread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x28, ['pointer64', ['unsigned char']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x40, ['pointer64', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x40, ['unsigned long']], 'OriginalFileObject' : [ 0x48, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_1216' : [ 0x58, { 'Overlay' : [ 0x0, ['__unnamed_1214']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer64', ['void']]], } ], '_IRP' : [ 0xd0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x8, ['pointer64', ['_MDL']]], 'Flags' : [ 0x10, ['unsigned long']], 'AssociatedIrp' : [ 0x18, ['__unnamed_1202']], 'ThreadListEntry' : [ 0x20, ['_LIST_ENTRY']], 'IoStatus' : [ 0x30, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x40, ['unsigned char']], 'PendingReturned' : [ 0x41, ['unsigned char']], 'StackCount' : [ 0x42, ['unsigned char']], 'CurrentLocation' : [ 0x43, ['unsigned char']], 'Cancel' : [ 0x44, ['unsigned char']], 'CancelIrql' : [ 0x45, ['unsigned char']], 'ApcEnvironment' : [ 0x46, ['unsigned char']], 'AllocationFlags' : [ 0x47, ['unsigned char']], 'UserIosb' : [ 0x48, ['pointer64', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'Overlay' : [ 0x58, ['__unnamed_1209']], 'CancelRoutine' : [ 0x68, ['pointer64', ['void']]], 'UserBuffer' : [ 0x70, ['pointer64', ['void']]], 'Tail' : [ 0x78, ['__unnamed_1216']], } ], '__unnamed_121c' : [ 0x20, { 
'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'FileAttributes' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'EaLength' : [ 0x18, ['unsigned long']], } ], '__unnamed_1220' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_1224' : [ 0x20, { 'SecurityContext' : [ 0x0, ['pointer64', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0x10, ['unsigned short']], 'ShareAccess' : [ 0x12, ['unsigned short']], 'Parameters' : [ 0x18, ['pointer64', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_1226' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x8, ['unsigned long']], 'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_122a' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x8, ['pointer64', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 
'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileMaximumInformation'})]], 'FileIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_122c' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x8, ['unsigned long']], } ], '__unnamed_122e' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 
'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileMaximumInformation'})]], } ], '__unnamed_1230' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 
'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileMaximumInformation'})]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0x18, ['unsigned char']], 'AdvanceOnly' : [ 0x19, ['unsigned char']], 'ClusterCount' : [ 0x18, ['unsigned long']], 'DeleteHandle' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1232' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x8, ['pointer64', ['void']]], 'EaListLength' : [ 0x10, ['unsigned long']], 'EaIndex' : [ 0x18, ['unsigned long']], } ], '__unnamed_1234' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1238' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'})]], } ], '__unnamed_123a' : [ 0x20, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x8, ['unsigned long']], 'FsControlCode' : [ 0x10, ['unsigned long']], 'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_123c' : [ 0x18, { 'Length' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 'Key' : [ 0x8, ['unsigned long']], 
    'ByteOffset' : [ 0x10, ['_LARGE_INTEGER']],
} ],
  '__unnamed_123e' : [ 0x20, {
    'OutputBufferLength' : [ 0x0, ['unsigned long']],
    'InputBufferLength' : [ 0x8, ['unsigned long']],
    'IoControlCode' : [ 0x10, ['unsigned long']],
    'Type3InputBuffer' : [ 0x18, ['pointer64', ['void']]],
} ],
  '__unnamed_1240' : [ 0x10, {
    'SecurityInformation' : [ 0x0, ['unsigned long']],
    'Length' : [ 0x8, ['unsigned long']],
} ],
  '__unnamed_1242' : [ 0x10, {
    'SecurityInformation' : [ 0x0, ['unsigned long']],
    'SecurityDescriptor' : [ 0x8, ['pointer64', ['void']]],
} ],
  '__unnamed_1246' : [ 0x10, {
    'Vpb' : [ 0x0, ['pointer64', ['_VPB']]],
    'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]],
} ],
  '__unnamed_124a' : [ 0x8, {
    'Srb' : [ 0x0, ['pointer64', ['_SCSI_REQUEST_BLOCK']]],
} ],
  '__unnamed_124e' : [ 0x20, {
    'Length' : [ 0x0, ['unsigned long']],
    'StartSid' : [ 0x8, ['pointer64', ['void']]],
    'SidList' : [ 0x10, ['pointer64', ['_FILE_GET_QUOTA_INFORMATION']]],
    'SidListLength' : [ 0x18, ['unsigned long']],
} ],
  '__unnamed_1252' : [ 0x4, {
    'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]],
} ],
  '__unnamed_1259' : [ 0x20, {
    'InterfaceType' : [ 0x0, ['pointer64', ['_GUID']]],
    'Size' : [ 0x8, ['unsigned short']],
    'Version' : [ 0xa, ['unsigned short']],
    'Interface' : [ 0x10, ['pointer64', ['_INTERFACE']]],
    'InterfaceSpecificData' : [ 0x18, ['pointer64', ['void']]],
} ],
  '__unnamed_125d' : [ 0x8, {
    'Capabilities' : [ 0x0, ['pointer64', ['_DEVICE_CAPABILITIES']]],
} ],
  '__unnamed_1261' : [ 0x8, {
    'IoResourceRequirementList' : [ 0x0, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]],
} ],
  '__unnamed_1263' : [ 0x20, {
    'WhichSpace' : [ 0x0, ['unsigned long']],
    'Buffer' : [ 0x8, ['pointer64', ['void']]],
    'Offset' : [ 0x10, ['unsigned long']],
    'Length' : [ 0x18, ['unsigned long']],
} ],
  '__unnamed_1265' : [ 0x1, {
    'Lock' : [ 0x0, ['unsigned char']],
} ],
  '__unnamed_1269' : [ 0x4, {
    'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]],
} ],
  '__unnamed_126d' : [ 0x10, {
    'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 'DeviceTextLocationInformation'})]],
    'LocaleId' : [ 0x8, ['unsigned long']],
} ],
  '__unnamed_1271' : [ 0x10, {
    'InPath' : [ 0x0, ['unsigned char']],
    'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]],
    'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]],
} ],
  '__unnamed_1275' : [ 0x4, {
    'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]],
} ],
  '__unnamed_1279' : [ 0x8, {
    'PowerSequence' : [ 0x0, ['pointer64', ['_POWER_SEQUENCE']]],
} ],
  '__unnamed_1281' : [ 0x20, {
    'SystemContext' : [ 0x0, ['unsigned long']],
    'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']],
    'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]],
    'State' : [ 0x10, ['_POWER_STATE']],
    'ShutdownType' : [ 0x18, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]],
} ],
  '__unnamed_1285' : [ 0x10, {
    'AllocatedResources' : [ 0x0, ['pointer64', ['_CM_RESOURCE_LIST']]],
    'AllocatedResourcesTranslated' : [ 0x8, ['pointer64', ['_CM_RESOURCE_LIST']]],
} ],
  '__unnamed_1287' : [
0x20, { 'ProviderId' : [ 0x0, ['unsigned long long']], 'DataPath' : [ 0x8, ['pointer64', ['void']]], 'BufferSize' : [ 0x10, ['unsigned long']], 'Buffer' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_1289' : [ 0x20, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], } ], '__unnamed_128b' : [ 0x20, { 'Create' : [ 0x0, ['__unnamed_121c']], 'CreatePipe' : [ 0x0, ['__unnamed_1220']], 'CreateMailslot' : [ 0x0, ['__unnamed_1224']], 'Read' : [ 0x0, ['__unnamed_1226']], 'Write' : [ 0x0, ['__unnamed_1226']], 'QueryDirectory' : [ 0x0, ['__unnamed_122a']], 'NotifyDirectory' : [ 0x0, ['__unnamed_122c']], 'QueryFile' : [ 0x0, ['__unnamed_122e']], 'SetFile' : [ 0x0, ['__unnamed_1230']], 'QueryEa' : [ 0x0, ['__unnamed_1232']], 'SetEa' : [ 0x0, ['__unnamed_1234']], 'QueryVolume' : [ 0x0, ['__unnamed_1238']], 'SetVolume' : [ 0x0, ['__unnamed_1238']], 'FileSystemControl' : [ 0x0, ['__unnamed_123a']], 'LockControl' : [ 0x0, ['__unnamed_123c']], 'DeviceIoControl' : [ 0x0, ['__unnamed_123e']], 'QuerySecurity' : [ 0x0, ['__unnamed_1240']], 'SetSecurity' : [ 0x0, ['__unnamed_1242']], 'MountVolume' : [ 0x0, ['__unnamed_1246']], 'VerifyVolume' : [ 0x0, ['__unnamed_1246']], 'Scsi' : [ 0x0, ['__unnamed_124a']], 'QueryQuota' : [ 0x0, ['__unnamed_124e']], 'SetQuota' : [ 0x0, ['__unnamed_1234']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1252']], 'QueryInterface' : [ 0x0, ['__unnamed_1259']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_125d']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1261']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1263']], 'SetLock' : [ 0x0, ['__unnamed_1265']], 'QueryId' : [ 0x0, ['__unnamed_1269']], 'QueryDeviceText' : [ 0x0, ['__unnamed_126d']], 'UsageNotification' : [ 0x0, ['__unnamed_1271']], 'WaitWake' : [ 0x0, ['__unnamed_1275']], 'PowerSequence' : [ 0x0, ['__unnamed_1279']], 'Power' : [ 0x0, ['__unnamed_1281']], 
'StartDevice' : [ 0x0, ['__unnamed_1285']], 'WMI' : [ 0x0, ['__unnamed_1287']], 'Others' : [ 0x0, ['__unnamed_1289']], } ], '_IO_STACK_LOCATION' : [ 0x48, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x8, ['__unnamed_128b']], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x38, ['pointer64', ['void']]], 'Context' : [ 0x40, ['pointer64', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x20, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x8, ['pointer64', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x10, ['pointer64', ['void']]], 'TxnParameters' : [ 0x18, ['pointer64', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_ATTRIBUTES' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 'ObjectName' : [ 0x10, ['pointer64', ['_UNICODE_STRING']]], 'Attributes' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x20, ['pointer64', ['void']]], 'SecurityQualityOfService' : [ 0x28, ['pointer64', ['void']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER' : [ 0x38, { 'PointerCount' : [ 0x0, ['long long']], 'HandleCount' : [ 0x8, ['long long']], 'NextToFree' : [ 0x8, ['pointer64', ['void']]], 'Type' : [ 0x10, ['pointer64', ['_OBJECT_TYPE']]], 'NameInfoOffset' : [ 0x18, ['unsigned char']], 'HandleInfoOffset' : [ 0x19, 
['unsigned char']], 'QuotaInfoOffset' : [ 0x1a, ['unsigned char']], 'Flags' : [ 0x1b, ['unsigned char']], 'ObjectCreateInfo' : [ 0x20, ['pointer64', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x20, ['pointer64', ['void']]], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'Body' : [ 0x30, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x20, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'ExclusiveProcess' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'Reserved' : [ 0x18, ['unsigned long long']], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x10, { 'HandleCountDataBase' : [ 0x0, ['pointer64', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x20, { 'Directory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x8, ['_UNICODE_STRING']], 'QueryReferences' : [ 0x18, ['unsigned long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x20, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x10, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x18, ['unsigned short']], 'Reserved' : [ 0x1a, ['unsigned short']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0xd8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x10, ['pointer64', ['_VPB']]], 'FsContext' 
: [ 0x18, ['pointer64', ['void']]], 'FsContext2' : [ 0x20, ['pointer64', ['void']]], 'SectionObjectPointer' : [ 0x28, ['pointer64', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x30, ['pointer64', ['void']]], 'FinalStatus' : [ 0x38, ['long']], 'RelatedFileObject' : [ 0x40, ['pointer64', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x48, ['unsigned char']], 'DeletePending' : [ 0x49, ['unsigned char']], 'ReadAccess' : [ 0x4a, ['unsigned char']], 'WriteAccess' : [ 0x4b, ['unsigned char']], 'DeleteAccess' : [ 0x4c, ['unsigned char']], 'SharedRead' : [ 0x4d, ['unsigned char']], 'SharedWrite' : [ 0x4e, ['unsigned char']], 'SharedDelete' : [ 0x4f, ['unsigned char']], 'Flags' : [ 0x50, ['unsigned long']], 'FileName' : [ 0x58, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x68, ['_LARGE_INTEGER']], 'Waiters' : [ 0x70, ['unsigned long']], 'Busy' : [ 0x74, ['unsigned long']], 'LastLock' : [ 0x78, ['pointer64', ['void']]], 'Lock' : [ 0x80, ['_KEVENT']], 'Event' : [ 0x98, ['_KEVENT']], 'CompletionContext' : [ 0xb0, ['pointer64', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0xb8, ['unsigned long long']], 'IrpList' : [ 0xc0, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0xd0, ['pointer64', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x48, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0xc, ['unsigned long']], 'CurrentFileIndex' : [ 0xc, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer64', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], 'FirstFileEntry' : [ 0x30, ['pointer64', ['unsigned long long']]], 'Process' : [ 0x38, ['pointer64', ['_EPROCESS']]], 'SessionId' : [ 0x40, 
['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer64', ['unsigned long long']]], 'LastPageFrameEntry' : [ 0x28, ['pointer64', ['unsigned long long']]], } ], '_PF_HARD_FAULT_INFO' : [ 0x38, { 'KernelTimeStamp' : [ 0x0, ['_ETW_KERNEL_TRACE_TIMESTAMP']], 'HardFaultEvent' : [ 0x10, ['_PERFINFO_HARDPAGEFAULT_INFORMATION']], 'IoTimeInTicks' : [ 0x30, ['_LARGE_INTEGER']], } ], '_KGUARDED_MUTEX' : [ 0x38, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'Contention' : [ 0x10, ['unsigned long']], 'Gate' : [ 0x18, ['_KGATE']], 'KernelApcDisable' : [ 0x30, ['short']], 'SpecialApcDisable' : [ 0x32, ['short']], 'CombinedApcDisable' : [ 0x30, ['unsigned long']], } ], '_WHEA_ERROR_RECORD' : [ 0xd0, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x88, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, ['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['unsigned short']], 'ValidationBits' : [ 0xa, ['unsigned char']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '__unnamed_1339' : [ 0xd0, { 'ProcessorError' : [ 0x0, ['_WHEA_GENERIC_PROCESSOR_ERROR']], 'MemoryError' : [ 0x0, ['_WHEA_MEMORY_ERROR']], 'NmiError' : [ 0x0, ['_WHEA_NMI_ERROR']], 'PciExpressError' : [ 0x0, ['_WHEA_PCIEXPRESS_ERROR']], 'PciXBusError' : [ 0x0, ['_WHEA_PCIX_BUS_ERROR']], 'PciXDeviceError' : [ 0x0, ['_WHEA_PCIX_DEVICE_ERROR']], } ], '_WHEA_ERROR_PACKET' : [ 0x119, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 
'RawDataLength' : [ 0x10, ['unsigned long long']], 'Context' : [ 0x18, ['unsigned long long']], 'ErrorType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice'})]], 'ErrorSeverity' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ErrorSourceId' : [ 0x28, ['unsigned long']], 'ErrorSourceType' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeOther', 6: 'WheaErrSrcTypeMax'})]], 'Reserved1' : [ 0x30, ['unsigned long']], 'Version' : [ 0x34, ['unsigned long']], 'Cpu' : [ 0x38, ['unsigned long long']], 'u' : [ 0x40, ['__unnamed_1339']], 'RawDataFormat' : [ 0x110, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrorStatusFormatIPFSalRecord', 1: 'WheaErrorStatusFormatIA32MCA', 2: 'WheaErrorStatusFormatEM64TMCA', 3: 'WheaErrorStatusFormatAMD64MCA', 4: 'WheaErrorStatusFormatPCIExpress', 5: 'WheaErrorStatusFormatNMIPort', 6: 'WheaErrorStatusFormatOther', 7: 'WheaErrorStatusFormatMax'})]], 'Reserved2' : [ 0x114, ['unsigned long']], 'RawData' : [ 0x118, ['array', 1, ['unsigned char']]], } ], '_KPROCESS' : [ 0xc0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x18, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x28, ['unsigned long long']], 'Unused0' : [ 0x30, ['unsigned long long']], 'IopmOffset' : [ 0x38, ['unsigned short']], 'ActiveProcessors' : [ 0x40, ['unsigned long long']], 'KernelTime' : [ 0x48, ['unsigned long']], 'UserTime' : [ 0x4c, ['unsigned long']], 'ReadyListHead' : [ 0x50, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x60, ['_SINGLE_LIST_ENTRY']], 'InstrumentationCallback' : [ 0x68, ['pointer64', ['void']]], 'ThreadListHead' : [ 
0x70, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x80, ['unsigned long long']], 'Affinity' : [ 0x88, ['unsigned long long']], 'AutoAlignment' : [ 0x90, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x90, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x90, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ReservedFlags' : [ 0x90, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x90, ['long']], 'BasePriority' : [ 0x94, ['unsigned char']], 'QuantumReset' : [ 0x95, ['unsigned char']], 'State' : [ 0x96, ['unsigned char']], 'ThreadSeed' : [ 0x97, ['unsigned char']], 'PowerState' : [ 0x98, ['unsigned char']], 'IdealNode' : [ 0x99, ['unsigned char']], 'Visited' : [ 0x9a, ['unsigned char']], 'Flags' : [ 0x9b, ['_KEXECUTE_OPTIONS']], 'ExecuteOptions' : [ 0x9b, ['unsigned char']], 'StackCount' : [ 0xa0, ['unsigned long long']], 'ProcessListEntry' : [ 0xa8, ['_LIST_ENTRY']], 'CycleTime' : [ 0xb8, ['unsigned long long']], } ], '__unnamed_13f3' : [ 0x8, { 'Long' : [ 0x0, ['unsigned long long']], 'VolatileLong' : [ 0x0, ['unsigned long long']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'HardLarge' : [ 0x0, ['_MMPTE_HARDWARE_LARGEPAGE']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x8, { 'u' : [ 0x0, ['__unnamed_13f3']], } ], '_PTE_QUEUE_POINTER' : [ 0x8, { 'PointerPte' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 48, native_type='long long')]], 'TimeStamp' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], 'Data' : [ 0x0, ['long long']], } ], '__unnamed_140c' : [ 0x10, { 'I386' : [ 0x0, ['_I386_LOADER_BLOCK']], 'Alpha' : [ 0x0, ['_ALPHA_LOADER_BLOCK']], 'Ia64' : [ 0x0, ['_IA64_LOADER_BLOCK']], 
} ], '_LOADER_PARAMETER_BLOCK' : [ 0xe8, { 'LoadOrderListHead' : [ 0x0, ['_LIST_ENTRY']], 'MemoryDescriptorListHead' : [ 0x10, ['_LIST_ENTRY']], 'BootDriverListHead' : [ 0x20, ['_LIST_ENTRY']], 'KernelStack' : [ 0x30, ['unsigned long long']], 'Prcb' : [ 0x38, ['unsigned long long']], 'Process' : [ 0x40, ['unsigned long long']], 'Thread' : [ 0x48, ['unsigned long long']], 'RegistryLength' : [ 0x50, ['unsigned long']], 'RegistryBase' : [ 0x58, ['pointer64', ['void']]], 'ConfigurationRoot' : [ 0x60, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'ArcBootDeviceName' : [ 0x68, ['pointer64', ['unsigned char']]], 'ArcHalDeviceName' : [ 0x70, ['pointer64', ['unsigned char']]], 'NtBootPathName' : [ 0x78, ['pointer64', ['unsigned char']]], 'NtHalPathName' : [ 0x80, ['pointer64', ['unsigned char']]], 'LoadOptions' : [ 0x88, ['pointer64', ['unsigned char']]], 'NlsData' : [ 0x90, ['pointer64', ['_NLS_DATA_BLOCK']]], 'ArcDiskInformation' : [ 0x98, ['pointer64', ['_ARC_DISK_INFORMATION']]], 'OemFontFile' : [ 0xa0, ['pointer64', ['void']]], 'SetupLoaderBlock' : [ 0xa8, ['pointer64', ['_SETUP_LOADER_BLOCK']]], 'Extension' : [ 0xb0, ['pointer64', ['_LOADER_PARAMETER_EXTENSION']]], 'u' : [ 0xb8, ['__unnamed_140c']], 'FirmwareInformation' : [ 0xc8, ['_FIRMWARE_INFORMATION_LOADER_BLOCK']], } ], '__unnamed_1428' : [ 0x8, { 'Flink' : [ 0x0, ['unsigned long long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer64', ['void']]], 'VolatileNext' : [ 0x0, ['pointer64', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_142a' : [ 0x8, { 'Blink' : [ 0x0, ['unsigned long long']], 'ImageProtoPte' : [ 0x0, ['pointer64', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long long']], } ], '__unnamed_142e' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 'ShortFlags' : [ 0x2, ['unsigned short']], } 
], '__unnamed_1430' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ByteFlags' : [ 0x2, ['unsigned char']], 'InterlockedByteFlags' : [ 0x3, ['unsigned char']], } ], '__unnamed_1432' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_142e']], 'e3' : [ 0x0, ['__unnamed_1430']], } ], '__unnamed_143a' : [ 0x8, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 52, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 57, native_type='unsigned long long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 58, native_type='unsigned long long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 64, native_type='unsigned long long')]], } ], '_MMPFN' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_1428']], 'u2' : [ 0x8, ['__unnamed_142a']], 'PteAddress' : [ 0x10, ['pointer64', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x10, ['pointer64', ['void']]], 'u3' : [ 0x18, ['__unnamed_1432']], 'UsedPageTableEntries' : [ 0x1c, ['unsigned short']], 'VaType' : [ 0x1e, ['unsigned char']], 'ViewCount' : [ 0x1f, ['unsigned char']], 'OriginalPte' : [ 0x20, ['_MMPTE']], 'AweReferenceCount' : [ 0x20, ['long']], 'u4' : [ 0x28, ['__unnamed_143a']], } ], '__unnamed_1446' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'Long' : [ 0x0, ['unsigned long long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_1446']], } ], '_MMWSL' : [ 0x488, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, 
['pointer64', ['_MMWSLE']]], 'LowestPagableAddress' : [ 0x18, ['pointer64', ['void']]], 'LastInitializedWsle' : [ 0x20, ['unsigned long']], 'NextEstimationSlot' : [ 0x24, ['unsigned long']], 'NextAgingSlot' : [ 0x28, ['unsigned long']], 'EstimatedAvailable' : [ 0x2c, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x30, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x34, ['unsigned long']], 'VadBitMapHint' : [ 0x38, ['unsigned long']], 'NonDirectCount' : [ 0x3c, ['unsigned long']], 'NonDirectHash' : [ 0x40, ['pointer64', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x48, ['pointer64', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x50, ['pointer64', ['_MMWSLE_HASH']]], 'HighestUserAddress' : [ 0x58, ['pointer64', ['void']]], 'MaximumUserPageTablePages' : [ 0x60, ['unsigned long']], 'MaximumUserPageDirectoryPages' : [ 0x64, ['unsigned long']], 'CommittedPageTables' : [ 0x68, ['pointer64', ['unsigned long']]], 'NumberOfCommittedPageDirectories' : [ 0x70, ['unsigned long']], 'CommittedPageDirectories' : [ 0x78, ['array', 128, ['unsigned long long']]], 'NumberOfCommittedPageDirectoryParents' : [ 0x478, ['unsigned long']], 'CommittedPageDirectoryParents' : [ 0x480, ['array', 1, ['unsigned long long']]], } ],
'_MMSUPPORT' : [ 0x68, { 'WorkingSetExpansionLinks' : [ 0x0, ['_LIST_ENTRY']], 'LastTrimStamp' : [ 0x10, ['unsigned short']], 'NextPageColor' : [ 0x12, ['unsigned short']], 'Flags' : [ 0x14, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0x18, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x1c, ['unsigned long']], 'Spare0' : [ 0x20, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x24, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x28, ['unsigned long']], 'VmWorkingSetList' : [ 0x30, ['pointer64', ['_MMWSL']]], 'Claim' : [ 0x38, ['unsigned long']], 'Spare' : [ 0x3c, ['array', 1, ['unsigned long']]], 'WorkingSetPrivateSize' : [ 0x40, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x44, ['unsigned long']], 'WorkingSetSize' : [ 0x48, ['unsigned long']], 'ExitEvent' : [ 0x50, ['pointer64', ['_KEVENT']]], 'WorkingSetMutex' : [ 0x58, ['_EX_PUSH_LOCK']], 'AccessLog' : [ 0x60, ['pointer64', ['void']]], } ], '__unnamed_146a' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_146c' : [ 0x4, { 'ModifiedWriteCount' : [ 0x0, ['unsigned short']], 'FlushInProgressCount' : [ 0x2, ['unsigned short']], } ], '__unnamed_146e' : [ 0x4, { 'e2' : [ 0x0, ['__unnamed_146c']], } ], '__unnamed_147a' : [ 0x10, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 30, native_type='unsigned long')]], 'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer64', ['_MM_SUBSECTION_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer64', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_147c' : [ 0x10, { 'e2' : [ 0x0, ['__unnamed_147a']], } ], '_CONTROL_AREA' : [ 0x60, { 'Segment' : [ 0x0, ['pointer64', ['_SEGMENT']]], 'DereferenceList' : [ 0x8, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0x18, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x1c, ['unsigned long']], 'NumberOfMappedViews' : [ 0x20, ['unsigned long']], 'NumberOfUserReferences' : [ 0x24, ['unsigned long']], 'u' : [ 0x28, ['__unnamed_146a']], 'u1' : [ 0x2c, ['__unnamed_146e']], 'FilePointer' : [ 0x30, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x38, ['long']], 'StartingFrame' : [ 0x3c, ['unsigned long']], 'WaitingForDeletion' : [ 0x40, ['pointer64', ['_MI_SECTION_CREATION_EVENT']]], 'u2' : [ 0x48, ['__unnamed_147c']], 'LockedPages' : [ 0x58, ['long long']], } ],
'_MMPAGING_FILE' : [ 0xa0, { 'Size' : [ 0x0, ['unsigned long long']], 'MaximumSize' : [ 0x8, ['unsigned long long']], 'MinimumSize' : [ 0x10, ['unsigned long long']], 'FreeSpace' : [ 0x18, ['unsigned long long']], 'PeakUsage' : [ 0x20, ['unsigned long long']], 'HighestPage' : [ 0x28, ['unsigned long long']], 'File' : [ 0x30, ['pointer64', ['_FILE_OBJECT']]], 'Entry' : [ 0x38, ['array', 2, ['pointer64', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x48, ['_UNICODE_STRING']], 'Bitmap' : [ 0x58, ['pointer64', ['_RTL_BITMAP']]], 'BitmapHint' : [ 0x60, ['unsigned long']], 'LastAllocationSize' : [ 0x64, ['unsigned long']], 'PageFileNumber' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Spare0' : [ 0x68, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x6a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare1' : [ 0x6a, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'FileHandle' : [ 0x70, ['pointer64', ['void']]], 'AvailableList' : [ 0x80, ['_SLIST_HEADER']], 'NeedProcessingList' : [ 0x90, ['_SLIST_HEADER']], } ], '_MMPAGING_FILE_FREE_ENTRY' : [ 0x10, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'FreeBit' : [ 0x8, ['unsigned long']], } ], '__unnamed_14ae' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMVAD']]], } ], '__unnamed_14b1' : [ 0x8, { 'LongFlags' : [ 0x0, ['unsigned long long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_14b4' : [ 0x8, { 'LongFlags3' : [ 0x0, ['unsigned long long']], 'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']], } ], '_MMVAD_SHORT' : [ 0x40, { 'u1' : [ 0x0, ['__unnamed_14ae']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 
'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_14b1']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_14b4']], } ], '_MM_AVL_TABLE' : [ 0x40, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], 'NodeFreeHint' : [ 0x38, ['pointer64', ['void']]], } ], '__unnamed_14be' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x60, { 'u1' : [ 0x0, ['__unnamed_14ae']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_14b1']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_14b4']], 'u2' : [ 0x40, ['__unnamed_14be']], 'Subsection' : [ 0x48, ['pointer64', ['_SUBSECTION']]], 'MappedSubsection' : [ 0x48, ['pointer64', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], } ], '_MI_COLOR_BASE' : [ 0x10, { 'ColorPointer' : [ 0x0, ['pointer64', ['unsigned short']]], 'ColorMask' : [ 0x8, ['unsigned short']], 'ColorNode' : [ 0xa, ['unsigned short']], } ], '__unnamed_14d0' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_14d0']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x10, ['pointer64', 
['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], } ], '__unnamed_14d5' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_14d5']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], } ], '__unnamed_14db' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMADDRESS_NODE']]], 'NextToFree' : [ 0x0, ['pointer64', ['_MI_PER_SESSION_PROTOS']]], } ], '__unnamed_14dd' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'NumberOfPtesToFree' : [ 0x0, ['unsigned long']], } ], '_MI_PER_SESSION_PROTOS' : [ 0x38, { 'u1' : [ 0x0, ['__unnamed_14db']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMADDRESS_NODE']]], 'SessionId' : [ 0x18, ['unsigned long']], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'Subsection' : [ 0x18, ['pointer64', ['_SUBSECTION']]], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'SubsectionBase' : [ 0x28, ['pointer64', ['_MMPTE']]], 'u2' : [ 0x30, ['__unnamed_14dd']], } ], '__unnamed_14e6' : [ 0x10, { 'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']], } ], '__unnamed_14e8' : [ 0x8, { 'LastPageToWrite' : [ 0x0, ['unsigned long long']], 'KeepForever' : [ 0x0, ['unsigned long long']], } ], '_MMMOD_WRITER_MDL_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'u' : [ 0x10, ['__unnamed_14e6']], 'Irp' : [ 0x20, ['pointer64', ['_IRP']]], 'u1' : [ 0x28, ['__unnamed_14e8']], 
'PagingFile' : [ 0x30, ['pointer64', ['_MMPAGING_FILE']]], 'File' : [ 0x38, ['pointer64', ['_FILE_OBJECT']]], 'ControlArea' : [ 0x40, ['pointer64', ['_CONTROL_AREA']]], 'FileResource' : [ 0x48, ['pointer64', ['_ERESOURCE']]], 'WriteOffset' : [ 0x50, ['_LARGE_INTEGER']], 'IssueTime' : [ 0x58, ['_LARGE_INTEGER']], 'PointerMdl' : [ 0x60, ['pointer64', ['_MDL']]], 'Mdl' : [ 0x68, ['_MDL']], 'Page' : [ 0x98, ['array', 1, ['unsigned long long']]], } ], '__unnamed_14f0' : [ 0x38, { 'Mdl' : [ 0x0, ['_MDL']], 'Page' : [ 0x30, ['array', 1, ['unsigned long long']]], } ], '_MI_PAGEFILE_TRACES' : [ 0x68, { 'Status' : [ 0x0, ['long']], 'Priority' : [ 0x4, ['unsigned char']], 'IrpPriority' : [ 0x5, ['unsigned char']], 'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']], 'AvailablePages' : [ 0x10, ['unsigned long long']], 'ModifiedPagesTotal' : [ 0x18, ['unsigned long long']], 'ModifiedPagefilePages' : [ 0x20, ['unsigned long long']], 'ModifiedNoWritePages' : [ 0x28, ['unsigned long long']], 'MdlHack' : [ 0x30, ['__unnamed_14f0']], } ], '_HHIVE' : [ 0x590, { 'Signature' : [ 0x0, ['unsigned long']], 'GetCellRoutine' : [ 0x8, ['pointer64', ['void']]], 'ReleaseCellRoutine' : [ 0x10, ['pointer64', ['void']]], 'Allocate' : [ 0x18, ['pointer64', ['void']]], 'Free' : [ 0x20, ['pointer64', ['void']]], 'FileSetSize' : [ 0x28, ['pointer64', ['void']]], 'FileWrite' : [ 0x30, ['pointer64', ['void']]], 'FileRead' : [ 0x38, ['pointer64', ['void']]], 'FileFlush' : [ 0x40, ['pointer64', ['void']]], 'BaseBlock' : [ 0x48, ['pointer64', ['_HBASE_BLOCK']]], 'DirtyVector' : [ 0x50, ['_RTL_BITMAP']], 'DirtyCount' : [ 0x60, ['unsigned long']], 'DirtyAlloc' : [ 0x64, ['unsigned long']], 'BaseBlockAlloc' : [ 0x68, ['unsigned long']], 'Cluster' : [ 0x6c, ['unsigned long']], 'Flat' : [ 0x70, ['unsigned char']], 'ReadOnly' : [ 0x71, ['unsigned char']], 'DirtyFlag' : [ 0x72, ['unsigned char']], 'HvBinHeadersUse' : [ 0x74, ['unsigned long']], 'HvFreeCellsUse' : [ 0x78, ['unsigned long']], 'HvUsedCellsUse' : [ 0x7c, 
['unsigned long']], 'CmUsedCellsUse' : [ 0x80, ['unsigned long']], 'HiveFlags' : [ 0x84, ['unsigned long']], 'CurrentLog' : [ 0x88, ['unsigned long']], 'LogSize' : [ 0x8c, ['array', 2, ['unsigned long']]], 'RefreshCount' : [ 0x94, ['unsigned long']], 'StorageTypeCount' : [ 0x98, ['unsigned long']], 'Version' : [ 0x9c, ['unsigned long']], 'Storage' : [ 0xa0, ['array', 2, ['_DUAL']]], } ], '_iobuf' : [ 0x30, { '_ptr' : [ 0x0, ['pointer64', ['unsigned char']]], '_cnt' : [ 0x8, ['long']], '_base' : [ 0x10, ['pointer64', ['unsigned char']]], '_flag' : [ 0x18, ['long']], '_file' : [ 0x1c, ['long']], '_charbuf' : [ 0x20, ['long']], '_bufsiz' : [ 0x24, ['long']], '_tmpfname' : [ 0x28, ['pointer64', ['unsigned char']]], } ], '_CM_VIEW_OF_FILE' : [ 0x58, { 'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']], 'PinnedViewLinks' : [ 0x10, ['_LIST_ENTRY']], 'FlushedViewLinks' : [ 0x20, ['_LIST_ENTRY']], 'CmHive' : [ 0x30, ['pointer64', ['_CMHIVE']]], 'Bcb' : [ 0x38, ['pointer64', ['void']]], 'ViewAddress' : [ 0x40, ['pointer64', ['void']]], 'FileOffset' : [ 0x48, ['unsigned long']], 'Size' : [ 0x4c, ['unsigned long']], 'UseCount' : [ 0x50, ['unsigned long']], } ], '_EXCEPTION_RECORD' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['pointer64', ['_EXCEPTION_RECORD']]], 'ExceptionAddress' : [ 0x10, ['pointer64', ['void']]], 'NumberParameters' : [ 0x18, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_TEB' : [ 0x1828, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'EnvironmentPointer' : [ 
0x38, ['pointer64', ['void']]], 'ClientId' : [ 0x40, ['_CLIENT_ID']], 'ActiveRpcHandle' : [ 0x50, ['pointer64', ['void']]], 'ThreadLocalStoragePointer' : [ 0x58, ['pointer64', ['void']]], 'ProcessEnvironmentBlock' : [ 0x60, ['pointer64', ['_PEB']]], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['pointer64', ['void']]], 'Win32ThreadInfo' : [ 0x78, ['pointer64', ['void']]], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['pointer64', ['void']]], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, ['pointer64', ['void']]]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['pointer64', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes1' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x7e8, ['pointer64', ['void']]], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['pointer64', ['void']]], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['pointer64', ['void']]]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['pointer64', ['void']]], 'glSectionInfo' : [ 0x1228, ['pointer64', ['void']]], 'glSection' : [ 0x1230, ['pointer64', ['void']]], 'glTable' : [ 0x1238, ['pointer64', ['void']]], 'glCurrentRC' : [ 0x1240, ['pointer64', ['void']]], 'glContext' : [ 0x1248, ['pointer64', ['void']]], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 
0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['pointer64', ['void']]], 'TlsSlots' : [ 0x1480, ['array', 64, ['pointer64', ['void']]]], 'TlsLinks' : [ 0x1680, ['_LIST_ENTRY']], 'Vdm' : [ 0x1690, ['pointer64', ['void']]], 'ReservedForNtRpc' : [ 0x1698, ['pointer64', ['void']]], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['pointer64', ['void']]]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['pointer64', ['void']]]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['pointer64', ['void']]], 'EtwLocalData' : [ 0x1728, ['pointer64', ['void']]], 'EtwTraceData' : [ 0x1730, ['pointer64', ['void']]], 'WinSockData' : [ 0x1738, ['pointer64', ['void']]], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'SpareBool0' : [ 0x1744, ['unsigned char']], 'SpareBool1' : [ 0x1745, ['unsigned char']], 'SpareBool2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['pointer64', ['void']]], 'ReservedForOle' : [ 0x1758, ['pointer64', ['void']]], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['pointer64', ['void']]], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['pointer64', ['void']]], 'TlsExpansionSlots' : [ 0x1780, ['pointer64', ['pointer64', ['void']]]], 'DeallocationBStore' : [ 0x1788, ['pointer64', ['void']]], 'BStoreLimit' : [ 0x1790, ['pointer64', ['void']]], 'ImpersonationLocale' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['pointer64', ['void']]], 'pShimData' : [ 0x17a8, ['pointer64', ['void']]], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['pointer64', ['void']]], 'ActiveFrame' : [ 0x17c0, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0x17c8, ['pointer64', ['void']]], 'PreferredLanguages' : [ 
0x17d0, ['pointer64', ['void']]], 'UserPrefLanguages' : [ 0x17d8, ['pointer64', ['void']]], 'MergedPrefLanguages' : [ 0x17e0, ['pointer64', ['void']]], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'DbgSafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['pointer64', ['void']]], 'TxnScopeExitCallback' : [ 0x17f8, ['pointer64', ['void']]], 'TxnScopeContext' : [ 0x1800, ['pointer64', ['void']]], 'LockCount' : [ 0x1808, ['unsigned long']], 'ProcessRundown' : [ 0x180c, ['unsigned long']], 'LastSwitchTime' : [ 0x1810, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0x1818, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x1820, ['_LARGE_INTEGER']], } ], '_CONTEXT32_UPDATE' : [ 0x4, { 'NumberEntries' : [ 0x0, ['unsigned long']], } ], '_KTIMER' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 
'DueTime' : [ 0x18, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x20, ['_LIST_ENTRY']], 'Dpc' : [ 0x30, ['pointer64', ['_KDPC']]], 'Period' : [ 0x38, ['long']], } ], '_KEVENT' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0x18, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x10, ['unsigned char']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x8, ['pointer64', ['unsigned long long']]], } ], '_KQUEUE' : [ 0x40, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'EntryListHead' : [ 0x18, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x28, ['unsigned long']], 'MaximumCount' : [ 0x2c, ['unsigned long']], 'ThreadListHead' : [ 0x30, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x30, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'Object' : [ 0x18, ['pointer64', ['void']]], 'NextWaitBlock' : [ 0x20, ['pointer64', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x28, ['unsigned short']], 'WaitType' : [ 0x2a, ['unsigned char']], 'SpareByte' : [ 0x2b, ['unsigned char']], 'SpareLong' : [ 0x2c, ['long']], } ], '_KTIMER_TABLE_ENTRY' : [ 0x18, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'Time' : [ 0x10, ['_ULARGE_INTEGER']], } ], '__unnamed_15c8' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'PStateDomain' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PStateDomainIdleAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], '_PROCESSOR_POWER_STATE' : [ 0x138, { 'IdleFunction' : [ 0x0, ['pointer64', ['void']]], 'IdleStates' : [ 0x8, ['pointer64', ['PPM_IDLE_STATES']]], 'LastTimeCheck' : [ 0x10, ['unsigned long long']], 'LastIdleTime' : [ 0x18, ['unsigned long long']], 'IdleTimes' : [ 0x20, ['PROCESSOR_IDLE_TIMES']], 'IdleAccounting' : [ 0x40, ['pointer64', 
['PPM_IDLE_ACCOUNTING']]], 'PerfStates' : [ 0x48, ['pointer64', ['PPM_PERF_STATES']]], 'LastKernelUserTime' : [ 0x50, ['unsigned long']], 'LastIdleThreadKTime' : [ 0x54, ['unsigned long']], 'LastGlobalTimeHv' : [ 0x58, ['unsigned long long']], 'LastProcessorTimeHv' : [ 0x60, ['unsigned long long']], 'ThermalConstraint' : [ 0x68, ['unsigned char']], 'LastBusyPercentage' : [ 0x69, ['unsigned char']], 'Flags' : [ 0x6a, ['__unnamed_15c8']], 'PerfTimer' : [ 0x70, ['_KTIMER']], 'PerfDpc' : [ 0xb0, ['_KDPC']], 'LastSysTime' : [ 0xf0, ['unsigned long']], 'PStateMaster' : [ 0xf8, ['pointer64', ['_KPRCB']]], 'PStateSet' : [ 0x100, ['unsigned long long']], 'CurrentPState' : [ 0x108, ['unsigned long']], 'Reserved0' : [ 0x10c, ['unsigned long']], 'DesiredPState' : [ 0x110, ['unsigned long']], 'Reserved1' : [ 0x114, ['unsigned long']], 'PStateIdleStartTime' : [ 0x118, ['unsigned long']], 'PStateIdleTime' : [ 0x11c, ['unsigned long']], 'LastPStateIdleTime' : [ 0x120, ['unsigned long']], 'PStateStartTime' : [ 0x124, ['unsigned long']], 'WmiDispatchPtr' : [ 0x128, ['unsigned long long']], 'WmiInterfaceEnabled' : [ 0x130, ['long']], } ], '_KEXCEPTION_FRAME' : [ 0x140, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['unsigned long long']], 'Xmm6' : [ 0x30, ['_M128A']], 'Xmm7' : [ 0x40, ['_M128A']], 'Xmm8' : [ 0x50, ['_M128A']], 'Xmm9' : [ 0x60, ['_M128A']], 'Xmm10' : [ 0x70, ['_M128A']], 'Xmm11' : [ 0x80, ['_M128A']], 'Xmm12' : [ 0x90, ['_M128A']], 'Xmm13' : [ 0xa0, ['_M128A']], 'Xmm14' : [ 0xb0, ['_M128A']], 'Xmm15' : [ 0xc0, ['_M128A']], 'TrapFrame' : [ 0xd0, ['unsigned long long']], 'CallbackStack' : [ 0xd8, ['unsigned long long']], 'OutputBuffer' : [ 0xe0, ['unsigned long long']], 'OutputLength' : [ 0xe8, ['unsigned long long']], 'MxCsr' : [ 0xf0, ['unsigned long long']], 'Rbp' : [ 0xf8, 
['unsigned long long']], 'Rbx' : [ 0x100, ['unsigned long long']], 'Rdi' : [ 0x108, ['unsigned long long']], 'Rsi' : [ 0x110, ['unsigned long long']], 'R12' : [ 0x118, ['unsigned long long']], 'R13' : [ 0x120, ['unsigned long long']], 'R14' : [ 0x128, ['unsigned long long']], 'R15' : [ 0x130, ['unsigned long long']], 'Return' : [ 0x138, ['unsigned long long']], } ], '_KTRAP_FRAME' : [ 0x190, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5' : [ 0x20, ['unsigned long long']], 'PreviousMode' : [ 0x28, ['unsigned char']], 'PreviousIrql' : [ 0x29, ['unsigned char']], 'FaultIndicator' : [ 0x2a, ['unsigned char']], 'ExceptionActive' : [ 0x2b, ['unsigned char']], 'MxCsr' : [ 0x2c, ['unsigned long']], 'Rax' : [ 0x30, ['unsigned long long']], 'Rcx' : [ 0x38, ['unsigned long long']], 'Rdx' : [ 0x40, ['unsigned long long']], 'R8' : [ 0x48, ['unsigned long long']], 'R9' : [ 0x50, ['unsigned long long']], 'R10' : [ 0x58, ['unsigned long long']], 'R11' : [ 0x60, ['unsigned long long']], 'GsBase' : [ 0x68, ['unsigned long long']], 'GsSwap' : [ 0x68, ['unsigned long long']], 'Xmm0' : [ 0x70, ['_M128A']], 'Xmm1' : [ 0x80, ['_M128A']], 'Xmm2' : [ 0x90, ['_M128A']], 'Xmm3' : [ 0xa0, ['_M128A']], 'Xmm4' : [ 0xb0, ['_M128A']], 'Xmm5' : [ 0xc0, ['_M128A']], 'FaultAddress' : [ 0xd0, ['unsigned long long']], 'ContextRecord' : [ 0xd0, ['unsigned long long']], 'TimeStampCKCL' : [ 0xd0, ['unsigned long long']], 'Dr0' : [ 0xd8, ['unsigned long long']], 'Dr1' : [ 0xe0, ['unsigned long long']], 'Dr2' : [ 0xe8, ['unsigned long long']], 'Dr3' : [ 0xf0, ['unsigned long long']], 'Dr6' : [ 0xf8, ['unsigned long long']], 'Dr7' : [ 0x100, ['unsigned long long']], 'DebugControl' : [ 0x108, ['unsigned long long']], 'LastBranchToRip' : [ 0x110, ['unsigned long long']], 'LastBranchFromRip' : [ 0x118, ['unsigned long long']], 'LastExceptionToRip' : [ 0x120,
['unsigned long long']], 'LastExceptionFromRip' : [ 0x128, ['unsigned long long']], 'LastBranchControl' : [ 0x108, ['unsigned long long']], 'LastBranchMSR' : [ 0x110, ['unsigned long']], 'SegDs' : [ 0x130, ['unsigned short']], 'SegEs' : [ 0x132, ['unsigned short']], 'SegFs' : [ 0x134, ['unsigned short']], 'SegGs' : [ 0x136, ['unsigned short']], 'TrapFrame' : [ 0x138, ['unsigned long long']], 'Rbx' : [ 0x140, ['unsigned long long']], 'Rdi' : [ 0x148, ['unsigned long long']], 'Rsi' : [ 0x150, ['unsigned long long']], 'Rbp' : [ 0x158, ['unsigned long long']], 'ErrorCode' : [ 0x160, ['unsigned long long']], 'ExceptionFrame' : [ 0x160, ['unsigned long long']], 'TimeStampKlog' : [ 0x160, ['unsigned long long']], 'Rip' : [ 0x168, ['unsigned long long']], 'SegCs' : [ 0x170, ['unsigned short']], 'Fill0' : [ 0x172, ['unsigned char']], 'Logging' : [ 0x173, ['unsigned char']], 'Fill1' : [ 0x174, ['array', 2, ['unsigned short']]], 'EFlags' : [ 0x178, ['unsigned long']], 'Fill2' : [ 0x17c, ['unsigned long']], 'Rsp' : [ 0x180, ['unsigned long long']], 'SegSs' : [ 0x188, ['unsigned short']], 'Fill3' : [ 0x18a, ['unsigned short']], 'CodePatchCycle' : [ 0x18c, ['long']], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x50, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'DispatchedCount' : [ 0x8, ['unsigned long']], 'DispatchedList' : [ 0x10, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x20, ['_KSEMAPHORE']], 'CompletedList' : [ 0x40, ['_LIST_ENTRY']], } ], '__unnamed_15f9' : [ 0x48, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, ['long']], 'DriverObject' : [ 0x8, ['pointer64', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x20, ['pointer64', ['_IRP']]], 'Timer' : [ 0x28, ['pointer64', ['_IO_TIMER']]], 'Flags' : [ 0x30,
['unsigned long']], 'Characteristics' : [ 0x34, ['unsigned long']], 'Vpb' : [ 0x38, ['pointer64', ['_VPB']]], 'DeviceExtension' : [ 0x40, ['pointer64', ['void']]], 'DeviceType' : [ 0x48, ['unsigned long']], 'StackSize' : [ 0x4c, ['unsigned char']], 'Queue' : [ 0x50, ['__unnamed_15f9']], 'AlignmentRequirement' : [ 0x98, ['unsigned long']], 'DeviceQueue' : [ 0xa0, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0xc8, ['_KDPC']], 'ActiveThreadCount' : [ 0x108, ['unsigned long']], 'SecurityDescriptor' : [ 0x110, ['pointer64', ['void']]], 'DeviceLock' : [ 0x118, ['_KEVENT']], 'SectorSize' : [ 0x130, ['unsigned short']], 'Spare1' : [ 0x132, ['unsigned short']], 'DeviceObjectExtension' : [ 0x138, ['pointer64', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0x140, ['pointer64', ['void']]], } ], '__unnamed_160b' : [ 0x8, { 'LegacyDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer64', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_160d' : [ 0x8, { 'NextResourceDeviceNode' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], } ], '__unnamed_1611' : [ 0x20, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x8, ['_LIST_ENTRY']], 'SerialNumber' : [ 0x18, ['pointer64', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x220, { 'Sibling' : [ 0x0, ['pointer64', ['_DEVICE_NODE']]], 'Child' : [ 0x8, ['pointer64', ['_DEVICE_NODE']]], 'Parent' : [ 0x10, ['pointer64', ['_DEVICE_NODE']]], 'LastChild' : [ 0x18, ['pointer64', ['_DEVICE_NODE']]], 'Level' : [ 0x20, ['unsigned long']], 'Notify' : [ 0x28, ['_PO_DEVICE_NOTIFY']], 'PoIrpManager' : [ 0x68, ['_PO_IRP_MANAGER']], 'State' : [ 0x88, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 
'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x8c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x90, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 
'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0xe0, ['unsigned long']], 'CompletionStatus' : [ 0xe4, ['long']], 'PendingIrp' : [ 0xe8, ['pointer64', ['_IRP']]], 'Flags' : [ 0xf0, ['unsigned long']], 'UserFlags' : [ 0xf4, ['unsigned long']], 'Problem' : [ 0xf8, ['unsigned long']], 'PhysicalDeviceObject' : [ 0x100, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0x108, ['pointer64', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0x110, ['pointer64', ['_CM_RESOURCE_LIST']]], 'InstancePath' : [ 0x118, ['_UNICODE_STRING']], 'ServiceName' : [ 0x128, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0x138, ['pointer64', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0x140, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0x148, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x14c, ['unsigned long']], 'ChildInterfaceType' : [ 0x150, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0x154, ['unsigned long']], 'ChildBusTypeIndex' : [ 0x158, ['unsigned short']], 'RemovalPolicy' : [ 0x15a, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0x15b, ['unsigned char']], 'TargetDeviceNotify' : [ 0x160, 
['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0x170, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x180, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x190, ['unsigned short']], 'QueryTranslatorMask' : [ 0x192, ['unsigned short']], 'NoArbiterMask' : [ 0x194, ['unsigned short']], 'QueryArbiterMask' : [ 0x196, ['unsigned short']], 'OverUsed1' : [ 0x198, ['__unnamed_160b']], 'OverUsed2' : [ 0x1a0, ['__unnamed_160d']], 'BootResources' : [ 0x1a8, ['pointer64', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x1b0, ['pointer64', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x1b8, ['unsigned long']], 'DockInfo' : [ 0x1c0, ['__unnamed_1611']], 'DisableableDepends' : [ 0x1e0, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x1e8, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x1f8, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x208, ['unsigned long']], 'PreviousParent' : [ 0x210, ['pointer64', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x218, ['unsigned long']], 'NumaNodeIndex' : [ 0x21c, ['unsigned long']], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0x10, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x40, { 'PhysicalDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'AllocationType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0x10, ['unsigned long']], 'Position' : [ 0x14, ['unsigned long']], 'ResourceRequirements' : [ 0x18, ['pointer64', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x20, ['pointer64', ['void']]], 'ResourceAssignment' : [ 0x28, ['pointer64', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x30, ['pointer64', 
['_CM_RESOURCE_LIST']]], 'Status' : [ 0x38, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], '_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], 
'_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], 
'_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_16b1' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, 
['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_16b1']], } ], '__unnamed_16b8' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 
'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_16b8']], } ], '_VOLUME_CACHE_MAP' : [ 0x28, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0x10, ['_LIST_ENTRY']], 'Flags' : [ 0x20, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x1c8, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x28, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x30, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x38, ['array', 4, ['pointer64', ['_VACB']]]], 'Vacbs' : [ 0x58, ['pointer64', ['pointer64', ['_VACB']]]], 'FileObjectFastRef' : [ 0x60, ['_EX_FAST_REF']], 'ActiveVacb' : [ 0x68, ['pointer64', ['_VACB']]], 'NeedToZero' : [ 0x70, ['pointer64', ['void']]], 'ActivePage' : [ 0x78, ['unsigned long']], 'NeedToZeroPage' : [ 0x7c, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x80, ['unsigned long long']], 'VacbActiveCount' : [ 0x88, ['unsigned long']], 'DirtyPages' : [ 0x8c, ['unsigned long']], 'SharedCacheMapLinks' : [ 0x90, ['_LIST_ENTRY']], 'Flags' : [ 0xa0, ['unsigned long']], 'Status' : [ 0xa4, ['long']], 'Mbcb' : [ 0xa8, ['pointer64', ['_MBCB']]], 'Section' : [ 0xb0, ['pointer64', ['void']]], 'CreateEvent' : [ 0xb8, ['pointer64', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0xc0, ['pointer64', ['_KEVENT']]], 'PagesToWrite' : [ 0xc8, ['unsigned long']], 'BeyondLastFlush' : [ 0xd0, ['long long']], 'Callbacks' : [ 0xd8, ['pointer64', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0xe0, ['pointer64', ['void']]], 'PrivateList' : [ 0xe8, ['_LIST_ENTRY']], 'LogHandle' : [ 0xf8, ['pointer64', ['void']]], 'FlushToLsnRoutine' : [ 0x100, ['pointer64', ['void']]], 'DirtyPageThreshold' : [ 0x108, ['unsigned long']], 'LazyWritePassCount' 
: [ 0x10c, ['unsigned long']], 'UninitializeEvent' : [ 0x110, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0x118, ['pointer64', ['_VACB']]], 'BcbSpinLock' : [ 0x120, ['unsigned long long']], 'Reserved' : [ 0x128, ['pointer64', ['void']]], 'Event' : [ 0x130, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0x148, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0x150, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x1b0, ['pointer64', ['void']]], 'VolumeCacheMap' : [ 0x1b8, ['pointer64', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x1c0, ['unsigned long']], 'MappedWritesInProgress' : [ 0x1c4, ['unsigned long']], } ], '__unnamed_16f3' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x30, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x10, ['__unnamed_16f3']], 'LruList' : [ 0x18, ['_LIST_ENTRY']], 'ArrayHead' : [ 0x28, ['pointer64', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_1701' : [ 0x8, { 'FileObject' : [ 0x0, ['pointer64', ['_FILE_OBJECT']]], } ], '__unnamed_1703' : [ 0x8, { 'SharedCacheMap' : [ 0x0, ['pointer64', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1705' : [ 0x8, { 'Event' : [ 0x0, ['pointer64', ['_KEVENT']]], } ], '__unnamed_1707' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_1709' : [ 0x8, { 'Read' : [ 0x0, ['__unnamed_1701']], 'Write' : [ 0x0, ['__unnamed_1703']], 'Event' : [ 0x0, ['__unnamed_1705']], 'Notification' : [ 0x0, ['__unnamed_1707']], } ], '_WORK_QUEUE_ENTRY' : [ 0x30, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'CoalescedWorkQueueLinks' : [ 0x10, ['_LIST_ENTRY']], 'Parameters' : [ 0x20, ['__unnamed_1709']], 'Function' : [ 0x28, ['unsigned char']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_HEAP_LIST_LOOKUP' : [ 0x38, { 'ExtendedLookup' : [ 0x0, ['pointer64', 
['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x8, ['unsigned long']], 'ExtraItem' : [ 0xc, ['unsigned long']], 'ItemCount' : [ 0x10, ['unsigned long']], 'OutOfRangeItems' : [ 0x14, ['unsigned long']], 'BaseIndex' : [ 0x18, ['unsigned long']], 'ListHead' : [ 0x20, ['pointer64', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x28, ['pointer64', ['unsigned long']]], 'ListHints' : [ 0x30, ['pointer64', ['pointer64', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x1f8, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], 'Flags' : [ 0x70, ['unsigned long']], 'ForceFlags' : [ 0x74, ['unsigned long']], 'CompatibilityFlags' : [ 0x78, ['unsigned long']], 'EncodeFlagMask' : [ 0x7c, ['unsigned long']], 'Encoding' : [ 0x80, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x90, ['unsigned long long']], 'Interceptor' : [ 0x98, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x9c, ['unsigned long']], 'Signature' : [ 0xa0, ['unsigned long']], 'SegmentReserve' : [ 0xa8, ['unsigned long long']], 'SegmentCommit' : [ 0xb0, ['unsigned long long']], 'DeCommitFreeBlockThreshold' : [ 0xb8, ['unsigned long long']], 'DeCommitTotalFreeThreshold' : [ 0xc0, ['unsigned long long']], 'TotalFreeSize' : [ 0xc8, ['unsigned long long']], 'MaximumAllocationSize' : [ 0xd0, ['unsigned long long']], 'ProcessHeapsListIndex' : [ 0xd8, ['unsigned short']], 'HeaderValidateLength' : [ 0xda,
['unsigned short']], 'HeaderValidateCopy' : [ 0xe0, ['pointer64', ['void']]], 'NextAvailableTagIndex' : [ 0xe8, ['unsigned short']], 'MaximumTagIndex' : [ 0xea, ['unsigned short']], 'TagEntries' : [ 0xf0, ['pointer64', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0xf8, ['_LIST_ENTRY']], 'AlignRound' : [ 0x108, ['unsigned long long']], 'AlignMask' : [ 0x110, ['unsigned long long']], 'VirtualAllocdBlocks' : [ 0x118, ['_LIST_ENTRY']], 'SegmentList' : [ 0x128, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0x138, ['unsigned short']], 'NonDedicatedListLength' : [ 0x13c, ['unsigned long']], 'BlocksIndex' : [ 0x140, ['pointer64', ['void']]], 'UCRIndex' : [ 0x148, ['pointer64', ['void']]], 'PseudoTagEntries' : [ 0x150, ['pointer64', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0x158, ['_LIST_ENTRY']], 'LockVariable' : [ 0x168, ['pointer64', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0x170, ['pointer64', ['void']]], 'FrontEndHeap' : [ 0x178, ['pointer64', ['void']]], 'FrontHeapLockCount' : [ 0x180, ['unsigned short']], 'FrontEndHeapType' : [ 0x182, ['unsigned char']], 'Counters' : [ 0x188, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x1e8, ['_HEAP_TUNING_PARAMETERS']], } ], '_HEAP_ENTRY' : [ 0x10, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, 
['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x70, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x10, ['unsigned long']], 'SegmentFlags' : [ 0x14, ['unsigned long']], 'SegmentListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Heap' : [ 0x28, ['pointer64', ['_HEAP']]], 'BaseAddress' : [ 0x30, ['pointer64', ['void']]], 'NumberOfPages' : [ 0x38, ['unsigned long']], 'FirstEntry' : [ 0x40, ['pointer64', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x48, ['pointer64', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x50, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x54, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x58, ['unsigned short']], 'Reserved' : [ 0x5a, ['unsigned short']], 'UCRSegmentList' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x20, { 'PreviousBlockPrivateData' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'SmallTagIndex' : [ 0xb, ['unsigned char']], 'PreviousSize' : [ 0xc, ['unsigned short']], 'SegmentOffset' : [ 0xe, ['unsigned char']], 'LFHFlags' : [ 0xe, ['unsigned char']], 'UnusedBytes' : [ 0xf, ['unsigned char']], 'CompactHeader' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x0, ['pointer64', ['void']]], 'FunctionIndex' : [ 0x8, ['unsigned short']], 'ContextValue' : [ 0xa, ['unsigned short']], 'InterceptorValue' : [ 0x8, ['unsigned long']], 'UnusedBytesLength' : [ 0xc, ['unsigned short']], 'EntryOffset' : [ 0xe, ['unsigned char']], 'ExtendedBlockSignature' : [ 0xf, ['unsigned char']], 'ReservedForAlignment' : [ 0x0, ['pointer64', ['void']]], 'Code1' : [ 0x8, ['unsigned long']], 'Code2' : [ 0xc, ['unsigned short']], 'Code3' : [ 0xe, ['unsigned char']], 'Code4' : [ 0xf, ['unsigned char']], 'AgregateCode' : [ 0x8, ['unsigned long long']], 'FreeList' : [ 0x10, ['_LIST_ENTRY']], } ], 
'_LDR_DATA_TABLE_ENTRY' : [ 0xc8, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x20, ['_LIST_ENTRY']], 'DllBase' : [ 0x30, ['pointer64', ['void']]], 'EntryPoint' : [ 0x38, ['pointer64', ['void']]], 'SizeOfImage' : [ 0x40, ['unsigned long']], 'FullDllName' : [ 0x48, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x58, ['_UNICODE_STRING']], 'Flags' : [ 0x68, ['unsigned long']], 'LoadCount' : [ 0x6c, ['unsigned short']], 'TlsIndex' : [ 0x6e, ['unsigned short']], 'HashLinks' : [ 0x70, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x70, ['pointer64', ['void']]], 'CheckSum' : [ 0x78, ['unsigned long']], 'TimeDateStamp' : [ 0x80, ['unsigned long']], 'LoadedImports' : [ 0x80, ['pointer64', ['void']]], 'EntryPointActivationContext' : [ 0x88, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ForwarderLinks' : [ 0x98, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0xa8, ['_LIST_ENTRY']], 'StaticLinks' : [ 0xb8, ['_LIST_ENTRY']], } ], '_HEAP_SUBSEGMENT' : [ 0x30, { 'LocalInfo' : [ 0x0, ['pointer64', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x8, ['pointer64', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x10, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x18, ['unsigned short']], 'Flags' : [ 0x1a, ['unsigned short']], 'BlockCount' : [ 0x1c, ['unsigned short']], 'SizeIndex' : [ 0x1e, ['unsigned char']], 'AffinityIndex' : [ 0x1f, ['unsigned char']], 'Alignment' : [ 0x18, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x28, ['unsigned long']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 
'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x350, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x8, ['pointer64', ['void']]], 'LoggerThread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'LoggerStatus' : [ 0x18, ['long']], 'LoggerId' : [ 0x1c, ['unsigned long']], 'NBQHead' : [ 0x20, ['pointer64', ['void']]], 'OverflowNBQHead' : [ 0x28, ['pointer64', ['void']]], 'QueueBlockFreeList' : [ 0x30, ['_SLIST_HEADER']], 'GlobalList' : [ 0x40, ['_SLIST_HEADER']], 'LoggerName' : [ 0x50, ['_UNICODE_STRING']], 'LogFileName' : [ 0x60, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x70, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x80, ['_UNICODE_STRING']], 'ClockType' : [ 0x90, ['unsigned long']], 'CollectionOn' : [ 0x94, ['long']], 'MaximumFileSize' : [ 0x98, ['unsigned long']], 'LoggerMode' : [ 0x9c, ['unsigned long']], 'LastFlushedBuffer' : [ 0xa0, ['unsigned long']], 'FlushTimer' : [ 0xa4, ['unsigned long']], 'ByteOffset' : [ 0xa8, ['_LARGE_INTEGER']], 'FlushTimeStamp' : [ 0xb0, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0xb8, ['unsigned long']], 'BuffersAvailable' : [ 0xbc, ['long']], 'NumberOfBuffers' : [ 0xc0, ['long']], 'MaximumBuffers' : [ 0xc4, ['unsigned long']], 'EventsLost' : [ 0xc8, ['unsigned long']], 'BuffersWritten' : [ 0xcc, ['unsigned long']], 'LogBuffersLost' : [ 0xd0, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0xd4, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xd8, ['unsigned long']], 'BufferSize' : [ 0xdc, ['unsigned long']], 'MaximumEventSize' : [ 0xe0, ['unsigned long']], 'SequencePtr' : [ 0xe8, ['pointer64', ['long']]], 'LocalSequence' : [ 0xf0, ['unsigned long']], 'InstanceGuid' : [ 0xf4, ['_GUID']], 'GetCpuClock' : [ 0x108, ['pointer64', ['void']]], 'FileCounter' : [ 0x110, ['long']], 'BufferCallback' : [ 0x118, 
['pointer64', ['void']]], 'PoolType' : [ 0x120, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0x128, ['_ETW_REF_CLOCK']], 'RealtimeLoggerContextFreed' : [ 0x138, ['unsigned char']], 'Consumers' : [ 0x140, ['_LIST_ENTRY']], 'NumConsumers' : [ 0x150, ['unsigned long']], 'Connecting' : [ 0x158, ['_LIST_ENTRY']], 'NewConsumer' : [ 0x168, ['unsigned char']], 'RealtimeLogfileHandle' : [ 0x170, ['pointer64', ['void']]], 'RealtimeLogfileName' : [ 0x178, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x188, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x190, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x198, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x1a0, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x1a8, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x1b0, ['_ETW_REF_CLOCK']], 'RealtimeDisconnectProcessId' : [ 0x1c0, ['unsigned long']], 'RealtimeDisconnectConsumerId' : [ 0x1c4, ['unsigned long']], 'NewRTEventsLost' : [ 0x1c8, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 0x1d0, ['_KEVENT']], 'FlushEvent' : [ 0x1e8, ['_KEVENT']], 'FlushDpc' : [ 0x200, ['_KDPC']], 'LoggerMutex' : [ 0x240, ['_KMUTANT']], 'ClientSecurityContext' : [ 0x278, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c0, ['_EX_FAST_REF']], 'DummyBufferForMarker' : [ 0x2c8, ['_WMI_BUFFER_HEADER']], 'BufferSequenceNumber' : [ 0x310, ['long long']], 'AcceptNewEvents' : [ 0x318, 
['long']], 'Flags' : [ 0x31c, ['unsigned long']], 'Persistent' : [ 0x31c, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x31c, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x31c, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x31c, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x31c, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x31c, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x31c, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'RequestFlag' : [ 0x320, ['unsigned long']], 'RequestNewFie' : [ 0x320, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RequestUpdateFile' : [ 0x320, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x320, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 0x320, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequestDisconnectConsumer' : [ 0x320, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'StackTraceFilterHookCount' : [ 0x324, ['unsigned short']], 'StackTraceFilter' : [ 0x326, ['array', 16, ['unsigned short']]], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'Wnode' : [ 0x0, ['_WNODE_HEADER']], 'BufferSize' : [ 0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'Spare0' : [ 0x20, ['unsigned long']], 'Spare1' : [ 0x24, ['unsigned long']], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, 
['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'StartTime' : [ 0x38, ['_LARGE_INTEGER']], 'Entry' : [ 0x38, ['_LIST_ENTRY']], 'SlistEntry' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x38, ['pointer64', ['_WMI_BUFFER_HEADER']]], 'GlobalEntry' : [ 0x40, ['_SINGLE_LIST_ENTRY']], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, ['unsigned long long']], 'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_ETW_GUID_ENTRY' : [ 0x170, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x10, ['long']], 'Guid' : [ 0x14, ['_GUID']], 'RegListHead' : [ 0x28, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x38, ['pointer64', ['void']]], 'LegacyEnableContext' : [ 0x40, ['_TRACE_ENABLE_CONTEXT']], 'LegacyProviderEnabled' : [ 0x48, ['unsigned long']], 'ProviderEnableInfo' : [ 0x50, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x70, ['array', 8, 
['_TRACE_ENABLE_INFO']]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x318, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer64', ['_ERESOURCE']]], 'ModifiedId' : [ 0x38, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : [ 0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned long']], 'UserAndGroups' : [ 0x90, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x98, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0xa0, ['pointer64', ['void']]], 'DynamicPart' : [ 0xa8, ['pointer64', ['unsigned long']]], 'DefaultDacl' : [ 0xb0, ['pointer64', ['_ACL']]], 'TokenType' : [ 0xb8, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xbc, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xc0, ['unsigned long']], 'TokenInUse' : [ 0xc4, ['unsigned char']], 'IntegrityLevelIndex' : [ 
0xc8, ['unsigned long']], 'MandatoryPolicy' : [ 0xcc, ['unsigned long']], 'ProxyData' : [ 0xd0, ['pointer64', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0xd8, ['pointer64', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'LogonSession' : [ 0xe0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xe8, ['_LUID']], 'SidHash' : [ 0xf0, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x200, ['_SID_AND_ATTRIBUTES_HASH']], 'VariablePart' : [ 0x310, ['unsigned long long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x50, { 'Next' : [ 0x0, ['pointer64', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x8, ['_LUID']], 'BuddyLogonId' : [ 0x10, ['_LUID']], 'ReferenceCount' : [ 0x18, ['unsigned long']], 'Flags' : [ 0x1c, ['unsigned long']], 'pDeviceMap' : [ 0x20, ['pointer64', ['_DEVICE_MAP']]], 'Token' : [ 0x28, ['pointer64', ['void']]], 'AccountName' : [ 0x30, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x40, ['_UNICODE_STRING']], } ], '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x8, { 'ImpersonationData' : [ 0x0, ['unsigned long long']], 'ImpersonationToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long long')]], 'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], } ], '_MMVAD_FLAGS3' : [ 0x8, { 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned long long')]], 'SequentialAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long long')]], 'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long long')]], 'LargePageCreating' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 33, 
native_type='unsigned long long')]], 'Spare3' : [ 0x0, ['BitField', dict(start_bit = 33, end_bit = 64, native_type='unsigned long long')]], } ],
'_MI_VERIFIER_POOL_HEADER' : [ 0x8, { 'VerifierPoolEntry' : [ 0x0, ['pointer64', ['_VI_POOL_ENTRY']]], } ],
'_GUID' : [ 0x10, { 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ],
'_HBASE_BLOCK' : [ 0x1000, { 'Signature' : [ 0x0, ['unsigned long']], 'Sequence1' : [ 0x4, ['unsigned long']], 'Sequence2' : [ 0x8, ['unsigned long']], 'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']], 'Major' : [ 0x14, ['unsigned long']], 'Minor' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['unsigned long']], 'Format' : [ 0x20, ['unsigned long']], 'RootCell' : [ 0x24, ['unsigned long']], 'Length' : [ 0x28, ['unsigned long']], 'Cluster' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['array', 64, ['unsigned char']]], 'RmId' : [ 0x70, ['_GUID']], 'LogId' : [ 0x80, ['_GUID']], 'Flags' : [ 0x90, ['unsigned long']], 'TmId' : [ 0x94, ['_GUID']], 'GuidSignature' : [ 0xa4, ['unsigned long']], 'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]], 'CheckSum' : [ 0x1fc, ['unsigned long']], 'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]], 'ThawTmId' : [ 0xfc8, ['_GUID']], 'ThawRmId' : [ 0xfd8, ['_GUID']], 'ThawLogId' : [ 0xfe8, ['_GUID']], 'BootType' : [ 0xff8, ['unsigned long']], 'BootRecover' : [ 0xffc, ['unsigned long']], } ],
'_ERESOURCE' : [ 0x68, { 'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']], 'OwnerTable' : [ 0x10, ['pointer64', ['_OWNER_ENTRY']]], 'ActiveCount' : [ 0x18, ['short']], 'Flag' : [ 0x1a, ['unsigned short']], 'SharedWaiters' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'ExclusiveWaiters' : [ 0x28, ['pointer64', ['_KEVENT']]], 'OwnerEntry' : [ 0x30, ['_OWNER_ENTRY']], 'ActiveEntries' : [ 0x40, ['unsigned long']], 'ContentionCount' : [ 0x44, ['unsigned long']], 'NumberOfSharedWaiters' : [ 0x48, ['unsigned long']], 'NumberOfExclusiveWaiters' : [ 0x4c, ['unsigned long']], 'Reserved2' : [ 0x50, ['pointer64', ['void']]], 'Address' : [ 0x58, ['pointer64', ['void']]], 'CreatorBackTraceIndex' : [ 0x58, ['unsigned long long']], 'SpinLock' : [ 0x60, ['unsigned long long']], } ],
'_LPCP_MESSAGE' : [ 0x50, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Reserved0' : [ 0x8, ['unsigned long']], 'SenderPort' : [ 0x10, ['pointer64', ['void']]], 'RepliedToThread' : [ 0x18, ['pointer64', ['_ETHREAD']]], 'PortContext' : [ 0x20, ['pointer64', ['void']]], 'Request' : [ 0x28, ['_PORT_MESSAGE']], } ],
'_HARDWARE_PTE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'reserved0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ],
'_DUAL' : [ 0x278, { 'Length' : [ 0x0, ['unsigned long']], 'Map' : [ 0x8, ['pointer64', ['_HMAP_DIRECTORY']]], 'SmallDir' : [ 0x10, ['pointer64', ['_HMAP_TABLE']]], 'Guard' : [ 0x18, ['unsigned long']], 'FreeDisplay' : [ 0x20, ['array', 24, ['_FREE_DISPLAY']]], 'FreeSummary' : [ 0x260, ['unsigned long']], 'FreeBins' : [ 0x268, ['_LIST_ENTRY']], } ],
'_DISPATCHER_HEADER' : [ 0x18, { 'Type' : [ 0x0, ['unsigned char']], 'Abandoned' : [ 0x1, ['unsigned char']], 'Absolute' : [ 0x1, ['unsigned char']], 'NpxIrql' : [ 0x1, ['unsigned char']], 'Signalling' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'Hand' : [ 0x2, ['unsigned char']], 'Inserted' : [ 0x3, ['unsigned char']], 'DebugActive' : [ 0x3, ['unsigned char']], 'DpcActive' : [ 0x3, ['unsigned char']], 'Lock' : [ 0x0, ['long']], 'SignalState' : [ 0x4, ['long']], 'WaitListHead' : [ 0x8, ['_LIST_ENTRY']], } ],
'_VI_POOL_ENTRY' : [ 0x20, { 'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']], 'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']], 'NextFree' : [ 0x0, ['pointer64', ['_SLIST_ENTRY']]], } ],
'_MM_PAGE_ACCESS_INFO' : [ 0x8, { 'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']], 'FileOffset' : [ 0x0, ['unsigned long long']], 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'PointerProtoPte' : [ 0x0, ['pointer64', ['void']]], } ],
'_HEAP_COUNTERS' : [ 0x60, { 'TotalMemoryReserved' : [ 0x0, ['unsigned long long']], 'TotalMemoryCommitted' : [ 0x8, ['unsigned long long']], 'TotalMemoryLargeUCR' : [ 0x10, ['unsigned long long']], 'TotalSizeInVirtualBlocks' : [ 0x18, ['unsigned long long']], 'TotalSegments' : [ 0x20, ['unsigned long']], 'TotalUCRs' : [ 0x24, ['unsigned long']],
'CommittOps' : [ 0x28, ['unsigned long']], 'DeCommitOps' : [ 0x2c, ['unsigned long']], 'LockAcquires' : [ 0x30, ['unsigned long']], 'LockCollisions' : [ 0x34, ['unsigned long']], 'CommitRate' : [ 0x38, ['unsigned long']], 'DecommittRate' : [ 0x3c, ['unsigned long']], 'CommitFailures' : [ 0x40, ['unsigned long']], 'InBlockCommitFailures' : [ 0x44, ['unsigned long']], 'CompactHeapCalls' : [ 0x48, ['unsigned long']], 'CompactedUCRs' : [ 0x4c, ['unsigned long']], 'InBlockDeccommits' : [ 0x50, ['unsigned long']], 'InBlockDeccomitSize' : [ 0x58, ['unsigned long long']], } ], '_SYSPTES_HEADER' : [ 0x28, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Count' : [ 0x10, ['unsigned long long']], 'NumberOfEntries' : [ 0x18, ['unsigned long long']], 'NumberOfEntriesPeak' : [ 0x20, ['unsigned long long']], } ], '_PERFINFO_HARDPAGEFAULT_INFORMATION' : [ 0x20, { 'ReadOffset' : [ 0x0, ['_LARGE_INTEGER']], 'VirtualAddress' : [ 0x8, ['pointer64', ['void']]], 'FileObject' : [ 0x10, ['pointer64', ['void']]], 'ThreadId' : [ 0x18, ['unsigned long']], 'ByteCount' : [ 0x1c, ['unsigned long']], } ], '_I386_LOADER_BLOCK' : [ 0x10, { 'CommonDataArea' : [ 0x0, ['pointer64', ['void']]], 'MachineType' : [ 0x8, ['unsigned long']], 'VirtualBias' : [ 0xc, ['unsigned long']], } ], '_CELL_DATA' : [ 0x50, { 'u' : [ 0x0, ['_u']], } ], '_ARC_DISK_INFORMATION' : [ 0x10, { 'DiskSignatures' : [ 0x0, ['_LIST_ENTRY']], } ], '_HEAP_TUNING_PARAMETERS' : [ 0x10, { 'CommittThresholdShift' : [ 0x0, ['unsigned long']], 'MaxPreCommittThreshold' : [ 0x8, ['unsigned long long']], } ], '_MMWSLE_NONDIRECT_HASH' : [ 0x10, { 'Key' : [ 0x0, ['pointer64', ['void']]], 'Index' : [ 0x8, ['unsigned long']], } ], '_DBGKD_SEARCH_MEMORY' : [ 0x18, { 'SearchAddress' : [ 0x0, ['unsigned long long']], 'FoundAddress' : [ 0x0, ['unsigned long long']], 'SearchLength' : [ 0x8, ['unsigned long long']], 'PatternLength' : [ 0x10, ['unsigned long']], } ], '_HMAP_DIRECTORY' : [ 0x2000, { 'Directory' : [ 0x0, ['array', 1024, ['pointer64', 
['_HMAP_TABLE']]]], } ], '_WHEA_NMI_ERROR' : [ 0x8, { 'Data' : [ 0x0, ['array', 8, ['unsigned char']]], } ], '_KAPC' : [ 0x58, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer64', ['_KTHREAD']]], 'ApcListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KernelRoutine' : [ 0x20, ['pointer64', ['void']]], 'RundownRoutine' : [ 0x28, ['pointer64', ['void']]], 'NormalRoutine' : [ 0x30, ['pointer64', ['void']]], 'NormalContext' : [ 0x38, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x40, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x48, ['pointer64', ['void']]], 'ApcStateIndex' : [ 0x50, ['unsigned char']], 'ApcMode' : [ 0x51, ['unsigned char']], 'Inserted' : [ 0x52, ['unsigned char']], } ], '_HANDLE_TABLE' : [ 0x60, { 'TableCode' : [ 0x0, ['unsigned long long']], 'QuotaProcess' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'UniqueProcessId' : [ 0x10, ['pointer64', ['void']]], 'HandleLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'HandleTableList' : [ 0x20, ['_LIST_ENTRY']], 'HandleContentionEvent' : [ 0x30, ['_EX_PUSH_LOCK']], 'DebugInfo' : [ 0x38, ['pointer64', ['_HANDLE_TRACE_DEBUG_INFO']]], 'ExtraInfoPages' : [ 0x40, ['long']], 'Flags' : [ 0x44, ['unsigned long']], 'StrictFIFO' : [ 0x44, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FirstFreeHandle' : [ 0x48, ['long']], 'LastFreeHandleEntry' : [ 0x50, ['pointer64', ['_HANDLE_TABLE_ENTRY']]], 'HandleCount' : [ 0x58, ['long']], 'NextHandleNeedingPool' : [ 0x5c, ['unsigned long']], } ], '_POOL_TRACKER_BIG_PAGES' : [ 0x18, { 'Va' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['unsigned long']], 'PoolType' : [ 0xc, ['unsigned long']], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], } ], '_MMVAD_FLAGS2' : [ 0x4, { 'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'SecNoChange' : [ 
0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]], 'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]], 'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_VI_CANCEL_GLOBALS' : [ 0x78, { 'CancelLock' : [ 0x0, ['unsigned long long']], 'IssueLock' : [ 0x8, ['unsigned long long']], 'Counters' : [ 0x10, ['array', 25, ['long']]], } ], '_TEB_ACTIVE_FRAME' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned long']], 'Previous' : [ 0x8, ['pointer64', ['_TEB_ACTIVE_FRAME']]], 'Context' : [ 0x10, ['pointer64', ['_TEB_ACTIVE_FRAME_CONTEXT']]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], } ], '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, { 'NextEntryOffset' : [ 0x0, ['unsigned long']], 'SidLength' : [ 0x4, ['unsigned long']], 'Sid' : [ 0x8, ['_SID']], } ], '_CM_KEY_BODY' : [ 0x60, { 'Type' : [ 0x0, ['unsigned long']], 'KeyControlBlock' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NotifyBlock' : [ 0x10, ['pointer64', ['_CM_NOTIFY_BLOCK']]], 'ProcessID' : [ 0x18, ['pointer64', ['void']]], 'KeyBodyList' : [ 0x20, ['_LIST_ENTRY']], 'Flags' : [ 0x30, ['unsigned long']], 'KtmTrans' : [ 0x38, ['pointer64', ['void']]], 'KtmUow' : [ 0x40, ['pointer64', ['_GUID']]], 'KeyBodyLock' : [ 0x48, 
['_EX_PUSH_LOCK']], 'ContextListHead' : [ 0x50, ['_LIST_ENTRY']], } ],
'_XMM_SAVE_AREA32' : [ 0x200, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned short']], 'Reserved2' : [ 0xe, ['unsigned short']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned short']], 'Reserved3' : [ 0x16, ['unsigned short']], 'MxCsr' : [ 0x18, ['unsigned long']], 'MxCsr_Mask' : [ 0x1c, ['unsigned long']], 'FloatRegisters' : [ 0x20, ['array', 8, ['_M128A']]], 'XmmRegisters' : [ 0xa0, ['array', 16, ['_M128A']]], 'Reserved4' : [ 0x1a0, ['array', 96, ['unsigned char']]], } ],
'_MMPTE_PROTOTYPE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned long long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'ProtoAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ],
'_THERMAL_INFORMATION_EX' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], 'S4TransitionTripPoint' : [ 0x54, ['unsigned long']], } ],
'__unnamed_18ac' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], } ],
'__unnamed_18ae' : [ 0x4, { 'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], } ],
'_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, { 'File' : [ 0x0, ['__unnamed_18ac']], 'Private' : [ 0x0, ['__unnamed_18ae']], } ],
'_VI_VERIFIER_ISSUE' : [ 0x20, { 'IssueType' : [ 0x0, ['unsigned long long']], 'Address' : [ 0x8, ['pointer64', ['void']]], 'Parameters' : [ 0x10, ['array', 2, ['unsigned long long']]], } ],
'_MMSUBSECTION_FLAGS' : [ 0x4, { 'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]], 'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]], 'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4,
native_type='unsigned short')]], 'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]], } ], '_EXCEPTION_POINTERS' : [ 0x10, { 'ExceptionRecord' : [ 0x0, ['pointer64', ['_EXCEPTION_RECORD']]], 'ContextRecord' : [ 0x8, ['pointer64', ['_CONTEXT']]], } ], '_KMUTANT' : [ 0x38, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'MutantListEntry' : [ 0x18, ['_LIST_ENTRY']], 'OwnerThread' : [ 0x28, ['pointer64', ['_KTHREAD']]], 'Abandoned' : [ 0x30, ['unsigned char']], 'ApcDisable' : [ 0x31, ['unsigned char']], } ], '_CMHIVE' : [ 0xb38, { 'Hive' : [ 0x0, ['_HHIVE']], 'FileHandles' : [ 0x590, ['array', 6, ['pointer64', ['void']]]], 'NotifyList' : [ 0x5c0, ['_LIST_ENTRY']], 'HiveList' : [ 0x5d0, ['_LIST_ENTRY']], 'HiveLock' : [ 0x5e0, ['pointer64', ['_FAST_MUTEX']]], 'ViewLock' : [ 0x5e8, ['pointer64', ['_FAST_MUTEX']]], 'WriterLock' : [ 0x5f0, ['pointer64', ['_FAST_MUTEX']]], 'FlusherLock' : [ 0x5f8, ['_EX_PUSH_LOCK']], 'SecurityLock' : [ 0x600, ['_EX_PUSH_LOCK']], 'MappedViewList' : [ 0x608, ['_LIST_ENTRY']], 'PinnedViewList' : [ 0x618, ['_LIST_ENTRY']], 'FlushedViewList' : [ 0x628, ['_LIST_ENTRY']], 'MappedViewCount' : [ 0x638, ['unsigned short']], 'PinnedViewCount' : [ 0x63a, ['unsigned short']], 'UseCount' : [ 0x63c, ['unsigned long']], 'ViewsPerHive' : [ 0x640, ['unsigned long']], 'FileObject' : [ 0x648, ['pointer64', ['_FILE_OBJECT']]], 'LastShrinkHiveSize' : [ 0x650, ['unsigned long']], 'ActualFileSize' : [ 0x658, ['_LARGE_INTEGER']], 'FileFullPath' : [ 0x660, ['_UNICODE_STRING']], 'FileUserName' : [ 0x670, ['_UNICODE_STRING']], 'HiveRootPath' : [ 0x680, ['_UNICODE_STRING']], 'SecurityCount' : [ 0x690, ['unsigned long']], 'SecurityCacheSize' : [ 0x694, ['unsigned long']], 'SecurityHitHint' : [ 0x698, ['long']], 'SecurityCache' : [ 0x6a0, ['pointer64', ['_CM_KEY_SECURITY_CACHE_ENTRY']]], 'SecurityHash' : [ 0x6a8, ['array', 64, ['_LIST_ENTRY']]], 'UnloadEventCount' : [ 0xaa8, ['unsigned long']], 'UnloadEventArray' : [ 
0xab0, ['pointer64', ['pointer64', ['_KEVENT']]]], 'RootKcb' : [ 0xab8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Frozen' : [ 0xac0, ['unsigned char']], 'UnloadWorkItem' : [ 0xac8, ['pointer64', ['_CM_WORKITEM']]], 'GrowOnlyMode' : [ 0xad0, ['unsigned char']], 'GrowOffset' : [ 0xad4, ['unsigned long']], 'KcbConvertListHead' : [ 0xad8, ['_LIST_ENTRY']], 'KnodeConvertListHead' : [ 0xae8, ['_LIST_ENTRY']], 'CellRemapArray' : [ 0xaf8, ['pointer64', ['_CM_CELL_REMAP_BLOCK']]], 'Flags' : [ 0xb00, ['unsigned long']], 'TrustClassEntry' : [ 0xb08, ['_LIST_ENTRY']], 'FlushCount' : [ 0xb18, ['unsigned long']], 'CmRm' : [ 0xb20, ['pointer64', ['_CM_RM']]], 'CmRmInitFailPoint' : [ 0xb28, ['unsigned long']], 'CmRmInitFailStatus' : [ 0xb2c, ['long']], 'CreatorOwner' : [ 0xb30, ['pointer64', ['_KTHREAD']]], } ], '_MI_IMAGE_SECURITY_REFERENCE' : [ 0x18, { 'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']], 'DynamicRelocations' : [ 0x8, ['pointer64', ['void']]], 'ReferenceCount' : [ 0x10, ['long']], } ], '_HEAP_TAG_ENTRY' : [ 0x48, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], 'TagIndex' : [ 0x10, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x12, ['unsigned short']], 'TagName' : [ 0x14, ['array', 24, ['wchar']]], } ], '__unnamed_18d6' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'Secured' : [ 0x0, ['_MMADDRESS_LIST']], } ], '__unnamed_18dc' : [ 0x8, { 'Banked' : [ 0x0, ['pointer64', ['_MMBANKED_SECTION']]], 'ExtendedInfo' : [ 0x0, ['pointer64', ['_MMEXTEND_INFO']]], } ], '_MMVAD_LONG' : [ 0x78, { 'u1' : [ 0x0, ['__unnamed_14ae']], 'LeftChild' : [ 0x8, ['pointer64', ['_MMVAD']]], 'RightChild' : [ 0x10, ['pointer64', ['_MMVAD']]], 'StartingVpn' : [ 0x18, ['unsigned long long']], 'EndingVpn' : [ 0x20, ['unsigned long long']], 'u' : [ 0x28, ['__unnamed_14b1']], 'PushLock' : [ 0x30, ['_EX_PUSH_LOCK']], 'u5' : [ 0x38, ['__unnamed_14b4']], 'u2' : [ 0x40, ['__unnamed_14be']], 'Subsection' : [ 0x48, 
['pointer64', ['_SUBSECTION']]], 'FirstPrototypePte' : [ 0x50, ['pointer64', ['_MMPTE']]], 'LastContiguousPte' : [ 0x58, ['pointer64', ['_MMPTE']]], 'u3' : [ 0x60, ['__unnamed_18d6']], 'u4' : [ 0x70, ['__unnamed_18dc']], } ], '_MMWSLE_FREE_ENTRY' : [ 0x8, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long long')]], 'NextFree' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_NT_TIB' : [ 0x38, { 'ExceptionList' : [ 0x0, ['pointer64', ['_EXCEPTION_REGISTRATION_RECORD']]], 'StackBase' : [ 0x8, ['pointer64', ['void']]], 'StackLimit' : [ 0x10, ['pointer64', ['void']]], 'SubSystemTib' : [ 0x18, ['pointer64', ['void']]], 'FiberData' : [ 0x20, ['pointer64', ['void']]], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['pointer64', ['void']]], 'Self' : [ 0x30, ['pointer64', ['_NT_TIB']]], } ], '_EJOB' : [ 0x1b0, { 'Event' : [ 0x0, ['_KEVENT']], 'JobLinks' : [ 0x18, ['_LIST_ENTRY']], 'ProcessListHead' : [ 0x28, ['_LIST_ENTRY']], 'JobLock' : [ 0x38, ['_ERESOURCE']], 'TotalUserTime' : [ 0xa0, ['_LARGE_INTEGER']], 'TotalKernelTime' : [ 0xa8, ['_LARGE_INTEGER']], 'ThisPeriodTotalUserTime' : [ 0xb0, ['_LARGE_INTEGER']], 'ThisPeriodTotalKernelTime' : [ 0xb8, ['_LARGE_INTEGER']], 'TotalPageFaultCount' : [ 0xc0, ['unsigned long']], 'TotalProcesses' : [ 0xc4, ['unsigned long']], 'ActiveProcesses' : [ 0xc8, ['unsigned long']], 'TotalTerminatedProcesses' : [ 0xcc, ['unsigned long']], 'PerProcessUserTimeLimit' : [ 0xd0, ['_LARGE_INTEGER']], 'PerJobUserTimeLimit' : [ 0xd8, ['_LARGE_INTEGER']], 'LimitFlags' : [ 0xe0, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0xe8, ['unsigned long long']], 'MaximumWorkingSetSize' : [ 0xf0, ['unsigned long long']], 'ActiveProcessLimit' : [ 0xf8, ['unsigned long']], 'Affinity' : [ 0x100, ['unsigned long long']], 'PriorityClass' 
: [ 0x108, ['unsigned char']], 'AccessState' : [ 0x110, ['pointer64', ['_JOB_ACCESS_STATE']]], 'UIRestrictionsClass' : [ 0x118, ['unsigned long']], 'EndOfJobTimeAction' : [ 0x11c, ['unsigned long']], 'CompletionPort' : [ 0x120, ['pointer64', ['void']]], 'CompletionKey' : [ 0x128, ['pointer64', ['void']]], 'SessionId' : [ 0x130, ['unsigned long']], 'SchedulingClass' : [ 0x134, ['unsigned long']], 'ReadOperationCount' : [ 0x138, ['unsigned long long']], 'WriteOperationCount' : [ 0x140, ['unsigned long long']], 'OtherOperationCount' : [ 0x148, ['unsigned long long']], 'ReadTransferCount' : [ 0x150, ['unsigned long long']], 'WriteTransferCount' : [ 0x158, ['unsigned long long']], 'OtherTransferCount' : [ 0x160, ['unsigned long long']], 'ProcessMemoryLimit' : [ 0x168, ['unsigned long long']], 'JobMemoryLimit' : [ 0x170, ['unsigned long long']], 'PeakProcessMemoryUsed' : [ 0x178, ['unsigned long long']], 'PeakJobMemoryUsed' : [ 0x180, ['unsigned long long']], 'CurrentJobMemoryUsed' : [ 0x188, ['unsigned long long']], 'MemoryLimitsLock' : [ 0x190, ['_EX_PUSH_LOCK']], 'JobSetLinks' : [ 0x198, ['_LIST_ENTRY']], 'MemberLevel' : [ 0x1a8, ['unsigned long']], 'JobFlags' : [ 0x1ac, ['unsigned long']], } ], '__unnamed_18ee' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], } ], 'PPM_IDLE_STATES' : [ 0x48, { 'Type' : [ 0x0, ['unsigned long']], 'Count' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['__unnamed_18ee']], 'TargetState' : [ 0xc, ['unsigned long']], 'ActualState' : [ 0x10, ['unsigned long']], 'OldState' : [ 0x14, ['unsigned long']], 'TargetProcessors' : [ 0x18, ['unsigned long long']], 'State' : [ 0x20, ['array', 1, ['PPM_IDLE_STATE']]], } ], '_PEB' : [ 0x368, { 
'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['pointer64', ['void']]], 'ImageBaseAddress' : [ 0x10, ['pointer64', ['void']]], 'Ldr' : [ 0x18, ['pointer64', ['_PEB_LDR_DATA']]], 'ProcessParameters' : [ 0x20, ['pointer64', ['_RTL_USER_PROCESS_PARAMETERS']]], 'SubSystemData' : [ 0x28, ['pointer64', ['void']]], 'ProcessHeap' : [ 0x30, ['pointer64', ['void']]], 'FastPebLock' : [ 0x38, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'AtlThunkSListPtr' : [ 0x40, ['pointer64', ['void']]], 'IFEOKey' : [ 0x48, ['pointer64', ['void']]], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['pointer64', ['void']]], 'UserSharedInfoPtr' : [ 0x58, ['pointer64', ['void']]], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x64, ['unsigned long']], 'FreeList' : [ 0x68, ['pointer64', ['_PEB_FREE_BLOCK']]], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['pointer64', ['void']]], 'TlsBitmapBits' : [ 
0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['pointer64', ['void']]], 'HotpatchInformation' : [ 0x90, ['pointer64', ['void']]], 'ReadOnlyStaticServerData' : [ 0x98, ['pointer64', ['pointer64', ['void']]]], 'AnsiCodePageData' : [ 0xa0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0xa8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0xb0, ['pointer64', ['void']]], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['pointer64', ['pointer64', ['void']]]], 'GdiSharedHandleTable' : [ 0xf8, ['pointer64', ['void']]], 'ProcessStarterHelper' : [ 0x100, ['pointer64', ['void']]], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['pointer64', ['void']]], 'TlsExpansionBitmap' : [ 0x238, ['pointer64', ['void']]], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 
0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['pointer64', ['void']]], 'AppCompatInfo' : [ 0x2e0, ['pointer64', ['void']]], 'CSDVersion' : [ 0x2e8, ['_UNICODE_STRING']], 'ActivationContextData' : [ 0x2f8, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'ProcessAssemblyStorageMap' : [ 0x300, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'SystemDefaultActivationContextData' : [ 0x308, ['pointer64', ['_ACTIVATION_CONTEXT_DATA']]], 'SystemAssemblyStorageMap' : [ 0x310, ['pointer64', ['_ASSEMBLY_STORAGE_MAP']]], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['pointer64', ['_FLS_CALLBACK_INFO']]], 'FlsListHead' : [ 0x328, ['_LIST_ENTRY']], 'FlsBitmap' : [ 0x338, ['pointer64', ['void']]], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['pointer64', ['void']]], 'WerShipAssertPtr' : [ 0x360, ['pointer64', ['void']]], } ], '__unnamed_1908' : [ 0x18, { 'EfiInformation' : [ 0x0, ['_EFI_FIRMWARE_INFORMATION']], 'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']], } ], '_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x20, { 'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'u' : [ 0x8, ['__unnamed_1908']], } ], '_HEAP_UCR_DESCRIPTOR' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SegmentEntry' : [ 0x10, ['_LIST_ENTRY']], 'Address' : [ 0x20, ['pointer64', ['void']]], 'Size' : [ 0x28, ['unsigned long long']], } ], '_POOL_DESCRIPTOR' : [ 0x1048, { 'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 
'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'PoolIndex' : [ 0x4, ['unsigned long']], 'RunningAllocs' : [ 0x8, ['long']], 'RunningDeAllocs' : [ 0xc, ['long']], 'TotalPages' : [ 0x10, ['long']], 'TotalBigPages' : [ 0x14, ['long']], 'Threshold' : [ 0x18, ['unsigned long']], 'LockAddress' : [ 0x20, ['pointer64', ['void']]], 'PendingFrees' : [ 0x28, ['pointer64', ['pointer64', ['void']]]], 'ThreadsProcessingDeferrals' : [ 0x30, ['long']], 'PendingFreeDepth' : [ 0x34, ['long']], 'TotalBytes' : [ 0x38, ['unsigned long long']], 'Spare0' : [ 0x40, ['unsigned long long']], 'ListHeads' : [ 0x48, ['array', 256, ['_LIST_ENTRY']]], } ], '_KGATE' : [ 0x18, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_WHEA_ERROR_RECORD_HEADER' : [ 0x88, { 'Signature' : [ 0x0, ['unsigned long']], 'Revision' : [ 0x4, ['unsigned short']], 'Reserved1' : [ 0x6, ['unsigned short']], 'Reserved2' : [ 0x8, ['unsigned short']], 'SectionCount' : [ 0xa, ['unsigned short']], 'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ValidationBits' : [ 0x10, ['unsigned long']], 'Length' : [ 0x14, ['unsigned long']], 'Timestamp' : [ 0x18, ['_LARGE_INTEGER']], 'PlatformId' : [ 0x20, ['_GUID']], 'PartitionId' : [ 0x30, ['_GUID']], 'CreatorId' : [ 0x40, ['_GUID']], 'NotifyType' : [ 0x50, ['_GUID']], 'RecordId' : [ 0x60, ['unsigned long long']], 'Flags' : [ 0x68, ['unsigned long']], 'PersistenceInfo' : [ 0x70, ['_WHEA_PERSISTENCE_INFO']], 'Reserved3' : [ 0x78, ['array', 12, ['unsigned char']]], } ], '_ALPC_PROCESS_CONTEXT' : [ 0x20, { 'Lock' : [ 0x0, ['_EX_PUSH_LOCK']], 'ViewListHead' : [ 0x8, ['_LIST_ENTRY']], 'PagedPoolQuotaCache' : [ 0x18, ['unsigned long long']], } ], '_CM_NOTIFY_BLOCK' : [ 0x58, { 
'HiveList' : [ 0x0, ['_LIST_ENTRY']], 'PostList' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x20, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'KeyBody' : [ 0x28, ['pointer64', ['_CM_KEY_BODY']]], 'Filter' : [ 0x30, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]], 'WatchTree' : [ 0x30, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'NotifyPending' : [ 0x30, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubjectContext' : [ 0x38, ['_SECURITY_SUBJECT_CONTEXT']], } ], '_KINTERRUPT' : [ 0xa0, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x8, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0x18, ['pointer64', ['void']]], 'MessageServiceRoutine' : [ 0x20, ['pointer64', ['void']]], 'MessageIndex' : [ 0x28, ['unsigned long']], 'ServiceContext' : [ 0x30, ['pointer64', ['void']]], 'SpinLock' : [ 0x38, ['unsigned long long']], 'TickCount' : [ 0x40, ['unsigned long']], 'ActualLock' : [ 0x48, ['pointer64', ['unsigned long long']]], 'DispatchAddress' : [ 0x50, ['pointer64', ['void']]], 'Vector' : [ 0x58, ['unsigned long']], 'Irql' : [ 0x5c, ['unsigned char']], 'SynchronizeIrql' : [ 0x5d, ['unsigned char']], 'FloatingSave' : [ 0x5e, ['unsigned char']], 'Connected' : [ 0x5f, ['unsigned char']], 'Number' : [ 0x60, ['unsigned char']], 'ShareVector' : [ 0x61, ['unsigned char']], 'Mode' : [ 0x64, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x6c, ['unsigned long']], 'DispatchCount' : [ 0x70, ['unsigned long']], 'Rsvd1' : [ 0x78, ['unsigned long long']], 'TrapFrame' : [ 0x80, ['pointer64', ['_KTRAP_FRAME']]], 'Reserved' : [ 0x88, ['pointer64', ['void']]], 'DispatchCode' : [ 0x90, ['array', 4, ['unsigned long']]], } ], '_HANDLE_TABLE_ENTRY' : [ 
0x10, { 'Object' : [ 0x0, ['pointer64', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer64', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long long']], 'GrantedAccess' : [ 0x8, ['unsigned long']], 'GrantedAccessIndex' : [ 0x8, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0xa, ['unsigned short']], 'NextFreeTableEntry' : [ 0x8, ['long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x38, { 'FileName' : [ 0x0, ['pointer64', ['unsigned short']]], 'BaseName' : [ 0x8, ['pointer64', ['unsigned short']]], 'RegRootName' : [ 0x10, ['pointer64', ['unsigned short']]], 'CmHive' : [ 0x18, ['pointer64', ['_CMHIVE']]], 'HHiveFlags' : [ 0x20, ['unsigned long']], 'CmHiveFlags' : [ 0x24, ['unsigned long']], 'CmHive2' : [ 0x28, ['pointer64', ['_CMHIVE']]], 'ThreadFinished' : [ 0x30, ['unsigned char']], 'ThreadStarted' : [ 0x31, ['unsigned char']], 'Allocate' : [ 0x32, ['unsigned char']], 'WinPERequired' : [ 0x33, ['unsigned char']], } ], '_CONTEXT' : [ 0x4d0, { 'P1Home' : [ 0x0, ['unsigned long long']], 'P2Home' : [ 0x8, ['unsigned long long']], 'P3Home' : [ 0x10, ['unsigned long long']], 'P4Home' : [ 0x18, ['unsigned long long']], 'P5Home' : [ 0x20, ['unsigned long long']], 'P6Home' : [ 0x28, ['unsigned long long']], 
'ContextFlags' : [ 0x30, ['unsigned long']], 'MxCsr' : [ 0x34, ['unsigned long']], 'SegCs' : [ 0x38, ['unsigned short']], 'SegDs' : [ 0x3a, ['unsigned short']], 'SegEs' : [ 0x3c, ['unsigned short']], 'SegFs' : [ 0x3e, ['unsigned short']], 'SegGs' : [ 0x40, ['unsigned short']], 'SegSs' : [ 0x42, ['unsigned short']], 'EFlags' : [ 0x44, ['unsigned long']], 'Dr0' : [ 0x48, ['unsigned long long']], 'Dr1' : [ 0x50, ['unsigned long long']], 'Dr2' : [ 0x58, ['unsigned long long']], 'Dr3' : [ 0x60, ['unsigned long long']], 'Dr6' : [ 0x68, ['unsigned long long']], 'Dr7' : [ 0x70, ['unsigned long long']], 'Rax' : [ 0x78, ['unsigned long long']], 'Rcx' : [ 0x80, ['unsigned long long']], 'Rdx' : [ 0x88, ['unsigned long long']], 'Rbx' : [ 0x90, ['unsigned long long']], 'Rsp' : [ 0x98, ['unsigned long long']], 'Rbp' : [ 0xa0, ['unsigned long long']], 'Rsi' : [ 0xa8, ['unsigned long long']], 'Rdi' : [ 0xb0, ['unsigned long long']], 'R8' : [ 0xb8, ['unsigned long long']], 'R9' : [ 0xc0, ['unsigned long long']], 'R10' : [ 0xc8, ['unsigned long long']], 'R11' : [ 0xd0, ['unsigned long long']], 'R12' : [ 0xd8, ['unsigned long long']], 'R13' : [ 0xe0, ['unsigned long long']], 'R14' : [ 0xe8, ['unsigned long long']], 'R15' : [ 0xf0, ['unsigned long long']], 'Rip' : [ 0xf8, ['unsigned long long']], 'FltSave' : [ 0x100, ['_XMM_SAVE_AREA32']], 'Header' : [ 0x100, ['array', 2, ['_M128A']]], 'Legacy' : [ 0x120, ['array', 8, ['_M128A']]], 'Xmm0' : [ 0x1a0, ['_M128A']], 'Xmm1' : [ 0x1b0, ['_M128A']], 'Xmm2' : [ 0x1c0, ['_M128A']], 'Xmm3' : [ 0x1d0, ['_M128A']], 'Xmm4' : [ 0x1e0, ['_M128A']], 'Xmm5' : [ 0x1f0, ['_M128A']], 'Xmm6' : [ 0x200, ['_M128A']], 'Xmm7' : [ 0x210, ['_M128A']], 'Xmm8' : [ 0x220, ['_M128A']], 'Xmm9' : [ 0x230, ['_M128A']], 'Xmm10' : [ 0x240, ['_M128A']], 'Xmm11' : [ 0x250, ['_M128A']], 'Xmm12' : [ 0x260, ['_M128A']], 'Xmm13' : [ 0x270, ['_M128A']], 'Xmm14' : [ 0x280, ['_M128A']], 'Xmm15' : [ 0x290, ['_M128A']], 'VectorRegister' : [ 0x300, ['array', 26, ['_M128A']]], 
'VectorControl' : [ 0x4a0, ['unsigned long long']], 'DebugControl' : [ 0x4a8, ['unsigned long long']], 'LastBranchToRip' : [ 0x4b0, ['unsigned long long']], 'LastBranchFromRip' : [ 0x4b8, ['unsigned long long']], 'LastExceptionToRip' : [ 0x4c0, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x4c8, ['unsigned long long']], } ], '_MMPTE_HARDWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 52, native_type='unsigned long long')]], 'SoftwareWsIndex' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 63, native_type='unsigned long long')]], 'NoExecute' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, 
native_type='unsigned long long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x10, { 'Port' : [ 0x0, ['pointer64', ['void']]], 'Key' : [ 0x8, ['pointer64', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x200, { 'Irp' : [ 0x0, ['pointer64', ['_IRP']]], 'StackTrace' : [ 0x8, ['array', 63, ['pointer64', ['void']]]], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x20, { 'VirtualAddress' : [ 0x0, ['pointer64', ['void']]], 'CallingAddress' : [ 0x8, ['pointer64', ['void']]], 'NumberOfBytes' : [ 0x10, ['unsigned long long']], 'Tag' : [ 0x18, ['unsigned long long']], } ], '_INTERFACE' : [ 0x20, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_PI_BUS_EXTENSION' : [ 0x70, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer64', ['unsigned char']]], 'DataPortMapped' : [ 0x10, ['unsigned char']], 'AddressPort' : [ 0x18, ['pointer64', ['unsigned char']]], 'AddrPortMapped' : [ 0x20, ['unsigned char']], 'CommandPort' : [ 0x28, ['pointer64', ['unsigned char']]], 'CmdPortMapped' : [ 0x30, ['unsigned char']], 'NextSlotNumber' : [ 0x34, ['unsigned long']], 'DeviceList' : [ 0x38, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x40, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x48, ['pointer64', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x50, ['pointer64', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x58, ['pointer64', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x60, ['unsigned long']], 'SystemPowerState' : [ 0x64, ['Enumeration', dict(target = 'long', 
choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x68, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_WHEA_PCIX_BUS_ERROR' : [ 0x48, { 'ValidationBits' : [ 0x0, ['_WHEA_PCIX_BUS_VALIDATION_BITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'ErrorType' : [ 0x10, ['unsigned short']], 'BusId' : [ 0x12, ['unsigned short']], 'Reserved' : [ 0x14, ['unsigned long']], 'BusAddress' : [ 0x18, ['unsigned long long']], 'BusData' : [ 0x20, ['unsigned long long']], 'BusCommand' : [ 0x28, ['unsigned long long']], 'BusRequestorId' : [ 0x30, ['unsigned long long']], 'BusCompleterId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], } ], '_PEB_FREE_BLOCK' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_PEB_FREE_BLOCK']]], 'Size' : [ 0x8, ['unsigned long']], } ], '_DRIVER_OBJECT' : [ 0x150, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x10, ['unsigned long']], 'DriverStart' : [ 0x18, ['pointer64', ['void']]], 'DriverSize' : [ 0x20, ['unsigned long']], 'DriverSection' : [ 0x28, ['pointer64', ['void']]], 'DriverExtension' : [ 0x30, ['pointer64', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x38, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x48, ['pointer64', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x50, ['pointer64', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x58, ['pointer64', ['void']]], 'DriverStartIo' : [ 0x60, ['pointer64', ['void']]], 'DriverUnload' : [ 0x68, ['pointer64', ['void']]], 'MajorFunction' : [ 0x70, ['array', 28, ['pointer64', ['void']]]], } ], '_SID_AND_ATTRIBUTES' : [ 0x10, { 'Sid' : [ 0x0, ['pointer64', 
['void']]], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_CM_RM' : [ 0x88, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x10, ['_LIST_ENTRY']], 'TmHandle' : [ 0x20, ['pointer64', ['void']]], 'Tm' : [ 0x28, ['pointer64', ['void']]], 'RmHandle' : [ 0x30, ['pointer64', ['void']]], 'KtmRm' : [ 0x38, ['pointer64', ['void']]], 'RefCount' : [ 0x40, ['unsigned long']], 'ContainerNum' : [ 0x44, ['unsigned long']], 'ContainerSize' : [ 0x48, ['unsigned long long']], 'CmHive' : [ 0x50, ['pointer64', ['_CMHIVE']]], 'LogFileObject' : [ 0x58, ['pointer64', ['void']]], 'MarshallingContext' : [ 0x60, ['pointer64', ['void']]], 'RmFlags' : [ 0x68, ['unsigned long']], 'LogStartStatus1' : [ 0x6c, ['long']], 'LogStartStatus2' : [ 0x70, ['long']], 'BaseLsn' : [ 0x78, ['unsigned long long']], 'RmLock' : [ 0x80, ['pointer64', ['_ERESOURCE']]], } ], '_MMVAD_FLAGS' : [ 0x8, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 51, native_type='unsigned long long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 51, end_bit = 52, native_type='unsigned long long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 52, end_bit = 55, native_type='unsigned long long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 55, end_bit = 56, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 61, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 61, end_bit = 63, native_type='unsigned long long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, ['unsigned long']], } ], '_UNEXPECTED_INTERRUPT' : [ 0x10, { 'PushImmOp' : [ 0x0, ['unsigned char']], 'PushImm' : [ 0x1, ['unsigned long']], 'PushRbp' : [ 0x5, ['unsigned char']], 'JmpOp' : [ 0x6, ['unsigned char']], 
'JmpOffset' : [ 0x7, ['long']], } ], '__unnamed_1981' : [ 0x28, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ], '_HEAP_LOCK' : [ 0x28, { 'Lock' : [ 0x0, ['__unnamed_1981']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_DRIVER_EXTENSION' : [ 0x38, { 'DriverObject' : [ 0x0, ['pointer64', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x8, ['pointer64', ['void']]], 'Count' : [ 0x10, ['unsigned long']], 'ServiceKeyName' : [ 0x18, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x28, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x30, ['pointer64', ['_FS_FILTER_CALLBACKS']]], } ], '_HEAP_STOP_ON_VALUES' : [ 0x30, { 'AllocAddress' : [ 0x0, ['unsigned long long']], 'AllocTag' : [ 0x8, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x10, ['unsigned long long']], 'ReAllocTag' : [ 0x18, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x20, ['unsigned long long']], 'FreeTag' : [ 0x28, ['_HEAP_STOP_ON_TAG']], } ], '_PP_LOOKASIDE_LIST' : [ 0x10, { 'P' : [ 0x0, ['pointer64', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x8, ['pointer64', ['_GENERAL_LOOKASIDE']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0x10, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long long']], } ], '_CALL_HASH_ENTRY' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x10, ['pointer64', ['void']]], 'CallersCaller' : [ 0x18, ['pointer64', ['void']]], 'CallCount' : [ 0x20, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x10, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'Flags' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x9, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0xa, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 
'Processor' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x38, { 'Thread' : [ 0x0, ['pointer64', ['void']]], 'OldIrql' : [ 0x8, ['unsigned char']], 'NewIrql' : [ 0x9, ['unsigned char']], 'Processor' : [ 0xa, ['unsigned char']], 'TickCount' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 5, ['pointer64', ['void']]]], } ], '_PEB_LDR_DATA' : [ 0x48, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer64', ['void']]], 'InLoadOrderModuleList' : [ 0x10, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x20, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x30, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x40, ['pointer64', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0x18, { 'AnsiCodePageData' : [ 0x0, ['pointer64', ['void']]], 'OemCodePageData' : [ 0x8, ['pointer64', ['void']]], 'UnicodeCaseTableData' : [ 0x10, ['pointer64', ['void']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x100, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, ['_CM_KEY_HASH']], 
'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x18, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x20, ['unsigned long']], 'ParentKcb' : [ 0x28, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x30, ['pointer64', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x38, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x40, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x50, ['pointer64', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x50, ['unsigned long']], 'SubKeyCount' : [ 0x50, ['unsigned long']], 'KeyBodyListHead' : [ 0x58, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x58, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x68, ['array', 4, ['pointer64', ['_CM_KEY_BODY']]]], 'DelayCloseEntry' : [ 0x88, ['pointer64', ['void']]], 'KcbLastWriteTime' : [ 0x90, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x98, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x9a, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x9c, ['unsigned long']], 'KcbUserFlags' : [ 0xa0, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0xa0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0xa0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0xa0, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'RealKeyName' : [ 0xa8, ['pointer64', ['unsigned char']]], 'KCBUoWListHead' : [ 0xb0, ['_LIST_ENTRY']], 'TransKCBOwner' : [ 0xc0, ['pointer64', ['_CM_TRANS']]], 'KCBLock' : [ 0xc8, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0xd8, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0xe8, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0xf0, ['pointer64', ['_CM_TRANS']]], 'FullKCBName' : [ 0xf8, ['pointer64', ['_UNICODE_STRING']]], } ], '_MMPTE_SOFTWARE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PageFileLow' : [ 0x0, ['BitField', 
dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'UsedPageTableEntries' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 22, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x28, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x28, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0x10, ['unsigned long long']], 'PagedAllocs' : [ 0x18, ['unsigned long']], 'PagedFrees' : [ 0x1c, ['unsigned long']], 'PagedBytes' : [ 0x20, ['unsigned long long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long long')]], 'Unused' : [ 0x28, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long long')]], 'NumberGenericTableElements' : [ 0x28, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'NodeHint' : [ 0x30, ['pointer64', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, 
{ 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x24, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x20, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x18, ['long']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 
6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEGMENT_OBJECT' : [ 0x40, { 'BaseAddress' : [ 0x0, ['pointer64', ['void']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x18, ['unsigned long']], 'ImageCommitment' : [ 0x1c, ['unsigned long']], 'ControlArea' : [ 0x20, ['pointer64', ['_CONTROL_AREA']]], 'Subsection' : [ 0x28, ['pointer64', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x30, ['pointer64', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x38, ['pointer64', ['_MMSUBSECTION_FLAGS']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], 'CMP_OFFSET_ARRAY' : [ 0x18, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x8, ['pointer64', ['void']]], 'DataLength' : [ 0x10,
['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SessionMaster' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'TrimmerAttached' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'TrimmerDetaching' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_1a07' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'UsingHypervisor' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, 
['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], 'PPM_PERF_STATES' : [ 0x80, { 'Count' : [ 0x0, ['unsigned long']], 'MaxFrequency' : [ 0x4, ['unsigned long']], 'MaxPerfState' : [ 0x8, ['unsigned long']], 'MinPerfState' : [ 0xc, ['unsigned long']], 'LowestPState' : [ 0x10, ['unsigned long']], 'IncreaseTime' : [ 0x14, ['unsigned long']], 'DecreaseTime' : [ 0x18, ['unsigned long']], 'BusyAdjThreshold' : [ 0x1c, ['unsigned char']], 'Reserved' : [ 0x1d, ['unsigned char']], 'ThrottleStatesOnly' : [ 0x1e, ['unsigned char']], 'PolicyType' : [ 0x1f, ['unsigned char']], 'TimerInterval' : [ 0x20, ['unsigned long']], 'Flags' : [ 0x24, ['__unnamed_1a07']], 'TargetProcessors' : [ 0x28, ['unsigned long long']], 'PStateHandler' : [ 0x30, ['pointer64', ['void']]], 'PStateContext' : [ 0x38, ['unsigned long long']], 'TStateHandler' : [ 0x40, ['pointer64', ['void']]], 'TStateContext' : [ 0x48, ['unsigned long long']], 'FeedbackHandler' : [ 0x50, ['pointer64', ['void']]], 'State' : [ 0x58, ['array', 1, ['PPM_PERF_STATE']]], } ], 'PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [ 0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], 'PPM_IDLE_STATE' : [ 0x28, { 'IdleHandler' : [ 0x0, ['pointer64', ['void']]], 'Context' : [ 0x8, ['unsigned long long']], 'Latency' : [ 0x10, ['unsigned long']], 'Power' : [ 0x14, ['unsigned long']], 'TimeCheck' : [ 0x18, ['unsigned long']], 'StateFlags' : [ 0x1c, ['unsigned long']], 'PromotePercent' : [ 0x20, ['unsigned char']], 'DemotePercent' : [ 0x21, ['unsigned char']], 'PromotePercentBase' : [ 0x22, ['unsigned char']], 'DemotePercentBase' : [ 0x23, ['unsigned 
char']], 'StateType' : [ 0x24, ['unsigned char']], } ], 'PPM_IDLE_ACCOUNTING' : [ 0x48, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['PPM_IDLE_STATE_ACCOUNTING']]], } ], 'PPM_IDLE_STATE_ACCOUNTING' : [ 0x30, { 'IdleTransitions' : [ 0x0, ['unsigned long']], 'FailedTransitions' : [ 0x4, ['unsigned long']], 'InvalidBucketIndex' : [ 0x8, ['unsigned long']], 'TotalTime' : [ 0x10, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x18, ['array', 6, ['unsigned long']]], } ], 'PROCESSOR_IDLE_TIMES' : [ 0x20, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], 'Reserved' : [ 0x10, ['array', 4, ['unsigned long']]], } ], '_IMAGE_OPTIONAL_HEADER64' : [ 0xf0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'ImageBase' : [ 0x18, ['unsigned long long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 
'SizeOfStackReserve' : [ 0x48, ['unsigned long long']], 'SizeOfStackCommit' : [ 0x50, ['unsigned long long']], 'SizeOfHeapReserve' : [ 0x58, ['unsigned long long']], 'SizeOfHeapCommit' : [ 0x60, ['unsigned long long']], 'LoaderFlags' : [ 0x68, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x6c, ['unsigned long']], 'DataDirectory' : [ 0x70, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_TERMINATION_PORT' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['_TERMINATION_PORT']]], 'Port' : [ 0x8, ['pointer64', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderMaximum'})]], 'BasePage' : [ 0x14, ['unsigned long']], 'PageCount' : [ 0x18, ['unsigned long']], } ], '_WHEA_PCIX_DEVICE_ERROR' : [ 0x68, { 'ValidationBits' : [ 0x0, ['_WHEA_PCIX_DEV_VALIDATION_BITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'IdInfo' : [ 0x10, ['array', 16, ['unsigned char']]], 'MemoryNumber' : [ 0x20, ['unsigned long']], 'IoNumber' : [ 0x24, ['unsigned long']], 'RegisterDataPairs' : [ 0x28, ['array', 64, ['unsigned char']]], } ], '_CM_INTENT_LOCK' : [ 0x10, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x8, ['pointer64', ['pointer64', 
['_CM_KCB_UOW']]]], } ], '_THERMAL_INFORMATION' : [ 0x58, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0x10, ['unsigned long long']], 'SamplingPeriod' : [ 0x18, ['unsigned long']], 'CurrentTemperature' : [ 0x1c, ['unsigned long']], 'PassiveTripPoint' : [ 0x20, ['unsigned long']], 'CriticalTripPoint' : [ 0x24, ['unsigned long']], 'ActiveTripPointCount' : [ 0x28, ['unsigned char']], 'ActiveTripPoint' : [ 0x2c, ['array', 10, ['unsigned long']]], } ], '_MAPPED_FILE_SEGMENT' : [ 0x40, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'NonExtendedPtes' : [ 0xc, ['unsigned long']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'SegmentFlags' : [ 0x30, ['_SEGMENT_FLAGS']], 'LastSubsectionHint' : [ 0x38, ['pointer64', ['_MSUBSECTION']]], } ], '_TEB64' : [ 0x1828, { 'NtTib' : [ 0x0, ['_NT_TIB64']], 'EnvironmentPointer' : [ 0x38, ['unsigned long long']], 'ClientId' : [ 0x40, ['_CLIENT_ID64']], 'ActiveRpcHandle' : [ 0x50, ['unsigned long long']], 'ThreadLocalStoragePointer' : [ 0x58, ['unsigned long long']], 'ProcessEnvironmentBlock' : [ 0x60, ['unsigned long long']], 'LastErrorValue' : [ 0x68, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x6c, ['unsigned long']], 'CsrClientThread' : [ 0x70, ['unsigned long long']], 'Win32ThreadInfo' : [ 0x78, ['unsigned long long']], 'User32Reserved' : [ 0x80, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xe8, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0x100, ['unsigned long long']], 'CurrentLocale' : [ 0x108, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0x10c, ['unsigned long']], 'SystemReserved1' : [ 0x110, ['array', 54, 
['unsigned long long']]], 'ExceptionCode' : [ 0x2c0, ['long']], 'ActivationContextStackPointer' : [ 0x2c8, ['unsigned long long']], 'SpareBytes1' : [ 0x2d0, ['array', 24, ['unsigned char']]], 'TxFsContext' : [ 0x2e8, ['unsigned long']], 'GdiTebBatch' : [ 0x2f0, ['_GDI_TEB_BATCH64']], 'RealClientId' : [ 0x7d8, ['_CLIENT_ID64']], 'GdiCachedProcessHandle' : [ 0x7e8, ['unsigned long long']], 'GdiClientPID' : [ 0x7f0, ['unsigned long']], 'GdiClientTID' : [ 0x7f4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x7f8, ['unsigned long long']], 'Win32ClientInfo' : [ 0x800, ['array', 62, ['unsigned long long']]], 'glDispatchTable' : [ 0x9f0, ['array', 233, ['unsigned long long']]], 'glReserved1' : [ 0x1138, ['array', 29, ['unsigned long long']]], 'glReserved2' : [ 0x1220, ['unsigned long long']], 'glSectionInfo' : [ 0x1228, ['unsigned long long']], 'glSection' : [ 0x1230, ['unsigned long long']], 'glTable' : [ 0x1238, ['unsigned long long']], 'glCurrentRC' : [ 0x1240, ['unsigned long long']], 'glContext' : [ 0x1248, ['unsigned long long']], 'LastStatusValue' : [ 0x1250, ['unsigned long']], 'StaticUnicodeString' : [ 0x1258, ['_STRING64']], 'StaticUnicodeBuffer' : [ 0x1268, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0x1478, ['unsigned long long']], 'TlsSlots' : [ 0x1480, ['array', 64, ['unsigned long long']]], 'TlsLinks' : [ 0x1680, ['LIST_ENTRY64']], 'Vdm' : [ 0x1690, ['unsigned long long']], 'ReservedForNtRpc' : [ 0x1698, ['unsigned long long']], 'DbgSsReserved' : [ 0x16a0, ['array', 2, ['unsigned long long']]], 'HardErrorMode' : [ 0x16b0, ['unsigned long']], 'Instrumentation' : [ 0x16b8, ['array', 11, ['unsigned long long']]], 'ActivityId' : [ 0x1710, ['_GUID']], 'SubProcessTag' : [ 0x1720, ['unsigned long long']], 'EtwLocalData' : [ 0x1728, ['unsigned long long']], 'EtwTraceData' : [ 0x1730, ['unsigned long long']], 'WinSockData' : [ 0x1738, ['unsigned long long']], 'GdiBatchCount' : [ 0x1740, ['unsigned long']], 'SpareBool0' : [ 0x1744, ['unsigned char']], 
'SpareBool1' : [ 0x1745, ['unsigned char']], 'SpareBool2' : [ 0x1746, ['unsigned char']], 'IdealProcessor' : [ 0x1747, ['unsigned char']], 'GuaranteedStackBytes' : [ 0x1748, ['unsigned long']], 'ReservedForPerf' : [ 0x1750, ['unsigned long long']], 'ReservedForOle' : [ 0x1758, ['unsigned long long']], 'WaitingOnLoaderLock' : [ 0x1760, ['unsigned long']], 'SavedPriorityState' : [ 0x1768, ['unsigned long long']], 'SoftPatchPtr1' : [ 0x1770, ['unsigned long long']], 'ThreadPoolData' : [ 0x1778, ['unsigned long long']], 'TlsExpansionSlots' : [ 0x1780, ['unsigned long long']], 'DeallocationBStore' : [ 0x1788, ['unsigned long long']], 'BStoreLimit' : [ 0x1790, ['unsigned long long']], 'ImpersonationLocale' : [ 0x1798, ['unsigned long']], 'IsImpersonating' : [ 0x179c, ['unsigned long']], 'NlsCache' : [ 0x17a0, ['unsigned long long']], 'pShimData' : [ 0x17a8, ['unsigned long long']], 'HeapVirtualAffinity' : [ 0x17b0, ['unsigned long']], 'CurrentTransactionHandle' : [ 0x17b8, ['unsigned long long']], 'ActiveFrame' : [ 0x17c0, ['unsigned long long']], 'FlsData' : [ 0x17c8, ['unsigned long long']], 'PreferredLanguages' : [ 0x17d0, ['unsigned long long']], 'UserPrefLanguages' : [ 0x17d8, ['unsigned long long']], 'MergedPrefLanguages' : [ 0x17e0, ['unsigned long long']], 'MuiImpersonation' : [ 0x17e8, ['unsigned long']], 'CrossTebFlags' : [ 0x17ec, ['unsigned short']], 'SpareCrossTebBits' : [ 0x17ec, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0x17ee, ['unsigned short']], 'DbgSafeThunkCall' : [ 0x17ee, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0x17ee, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0x17ee, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0x17ee, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 
'DbgWerInShipAssertCode' : [ 0x17ee, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0x17ee, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0x17ee, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0x17ee, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0x17ee, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0x17f0, ['unsigned long long']], 'TxnScopeExitCallback' : [ 0x17f8, ['unsigned long long']], 'TxnScopeContext' : [ 0x1800, ['unsigned long long']], 'LockCount' : [ 0x1808, ['unsigned long']], 'ProcessRundown' : [ 0x180c, ['unsigned long']], 'LastSwitchTime' : [ 0x1810, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0x1818, ['unsigned long long']], 'WaitReasonBitMap' : [ 0x1820, ['_LARGE_INTEGER']], } ], '_GDI_TEB_BATCH' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_AMD64_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x20, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x18, ['unsigned long']], 'ObjectMask' : [ 0x1c, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0x18, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x8, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_OWNER_ENTRY' : [ 0x10, { 'OwnerThread' : [ 0x0, ['unsigned long long']], 'OwnerCount' : [ 0x8, ['long']], 'TableSize' : 
[ 0x8, ['unsigned long']], } ], '_ETIMER' : [ 0x108, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x40, ['_KAPC']], 'TimerDpc' : [ 0x98, ['_KDPC']], 'ActiveTimerListEntry' : [ 0xd8, ['_LIST_ENTRY']], 'Lock' : [ 0xe8, ['unsigned long long']], 'Period' : [ 0xf0, ['long']], 'ApcAssociated' : [ 0xf4, ['unsigned char']], 'WakeTimer' : [ 0xf5, ['unsigned char']], 'WakeTimerListEntry' : [ 0xf8, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0x18, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x8, ['_RTL_BITMAP']], } ], '_POOL_BLOCK_HEAD' : [ 0x20, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x10, ['_LIST_ENTRY']], } ], '__unnamed_1a66' : [ 0x8, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer64', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x10, { 'u1' : [ 0x0, ['__unnamed_1a66']], 'EndVa' : [ 0x8, ['pointer64', ['void']]], } ], '_ARBITER_INSTANCE' : [ 0x690, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x8, ['pointer64', ['_KEVENT']]], 'Name' : [ 0x10, ['pointer64', ['unsigned short']]], 'OrderingName' : [ 0x18, ['pointer64', ['unsigned short']]], 'ResourceType' : [ 0x20, ['long']], 'Allocation' : [ 0x28, ['pointer64', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x30, ['pointer64', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x38, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x48, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x58, ['long']], 'Interface' : [ 0x60, ['pointer64', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x68, ['unsigned long']], 'AllocationStack' : [ 0x70, ['pointer64', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x78, ['pointer64', ['void']]], 'PackResource' : [ 0x80, ['pointer64', ['void']]], 'UnpackResource' : [ 0x88, ['pointer64', ['void']]], 'ScoreRequirement' : [ 0x90, ['pointer64', ['void']]], 'TestAllocation' : [ 0x98, ['pointer64', ['void']]], 'RetestAllocation' : [ 0xa0, ['pointer64', ['void']]], 'CommitAllocation' : [ 0xa8, ['pointer64', ['void']]], 
'RollbackAllocation' : [ 0xb0, ['pointer64', ['void']]], 'BootAllocation' : [ 0xb8, ['pointer64', ['void']]], 'QueryArbitrate' : [ 0xc0, ['pointer64', ['void']]], 'QueryConflict' : [ 0xc8, ['pointer64', ['void']]], 'AddReserved' : [ 0xd0, ['pointer64', ['void']]], 'StartArbiter' : [ 0xd8, ['pointer64', ['void']]], 'PreprocessEntry' : [ 0xe0, ['pointer64', ['void']]], 'AllocateEntry' : [ 0xe8, ['pointer64', ['void']]], 'GetNextAllocationRange' : [ 0xf0, ['pointer64', ['void']]], 'FindSuitableRange' : [ 0xf8, ['pointer64', ['void']]], 'AddAllocation' : [ 0x100, ['pointer64', ['void']]], 'BacktrackAllocation' : [ 0x108, ['pointer64', ['void']]], 'OverrideConflict' : [ 0x110, ['pointer64', ['void']]], 'InitializeRangeList' : [ 0x118, ['pointer64', ['void']]], 'TransactionInProgress' : [ 0x120, ['unsigned char']], 'Extension' : [ 0x128, ['pointer64', ['void']]], 'BusDeviceObject' : [ 0x130, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0x138, ['pointer64', ['void']]], 'ConflictCallback' : [ 0x140, ['pointer64', ['void']]], 'PdoDescriptionString' : [ 0x148, ['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x3e8, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x688, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x18, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x10, ['unsigned long']], 'Inserted' : [ 0x14, ['unsigned char']], } ], '_HMAP_TABLE' : [ 0x4000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_WHEA_MEMORY_ERROR' : [ 0x50, { 'ValidationBits' : [ 0x0, ['unsigned long long']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, 
['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequestorId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, 
native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', 7, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_ALPHA_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '__unnamed_1acc' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1ad2' : [ 0x18, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPolicyMachineDefault', 1: 'IrqPolicyAllCloseProcessors', 2: 'IrqPolicyOneCloseProcessor', 3: 
'IrqPolicyAllProcessorsInMachine', 4: 'IrqPolicySpecifiedProcessors', 5: 'IrqPolicySpreadMessagesAcrossAllProcessors'})]], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long long']], } ], '__unnamed_1ad4' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1ad6' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1ad8' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1ada' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1adc' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1ade' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1ae0' : [ 0x18, { 'Length64' : [ 0x0, ['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1ae2' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1acc']], 'Memory' : [ 0x0, ['__unnamed_1acc']], 'Interrupt' : [ 0x0, ['__unnamed_1ad2']], 'Dma' : [ 0x0, ['__unnamed_1ad4']], 'Generic' : [ 0x0, ['__unnamed_1acc']], 'DevicePrivate' : [ 0x0, ['__unnamed_1ad6']], 'BusNumber' : [ 0x0, ['__unnamed_1ad8']], 'ConfigData' : [ 0x0, ['__unnamed_1ada']], 'Memory40' : [ 0x0, ['__unnamed_1adc']], 'Memory48' : [ 0x0, ['__unnamed_1ade']], 
'Memory64' : [ 0x0, ['__unnamed_1ae0']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1ae2']], } ], '_POP_THERMAL_ZONE' : [ 0x128, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x10, ['unsigned char']], 'Flags' : [ 0x11, ['unsigned char']], 'Mode' : [ 0x12, ['unsigned char']], 'PendingMode' : [ 0x13, ['unsigned char']], 'ActivePoint' : [ 0x14, ['unsigned char']], 'PendingActivePoint' : [ 0x15, ['unsigned char']], 'Throttle' : [ 0x18, ['long']], 'LastTime' : [ 0x20, ['unsigned long long']], 'SampleRate' : [ 0x28, ['unsigned long']], 'LastTemp' : [ 0x2c, ['unsigned long']], 'PassiveTimer' : [ 0x30, ['_KTIMER']], 'PassiveDpc' : [ 0x70, ['_KDPC']], 'OverThrottled' : [ 0xb0, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0xc8, ['pointer64', ['_IRP']]], 'Info' : [ 0xd0, ['_THERMAL_INFORMATION_EX']], } ], '_MMPTE_LIST' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 64, native_type='unsigned long long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0x18, { 'NextPage' : [ 0x0, ['pointer64', 
['_SLIST_ENTRY']]], 'VerifierEntry' : [ 0x8, ['pointer64', ['void']]], 'Signature' : [ 0x10, ['unsigned long long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0xf0, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0x10, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x48, ['unsigned long']], 'TraceDb' : [ 0x50, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_MDL' : [ 0x30, { 'Next' : [ 0x0, ['pointer64', ['_MDL']]], 'Size' : [ 0x8, ['short']], 'MdlFlags' : [ 0xa, ['short']], 'Process' : [ 0x10, ['pointer64', ['_EPROCESS']]], 'MappedSystemVa' : [ 0x18, ['pointer64', ['void']]], 'StartVa' : [ 0x20, ['pointer64', ['void']]], 'ByteCount' : [ 0x28, ['unsigned long']], 'ByteOffset' : [ 0x2c, ['unsigned long']], } ], '_CM_TRANS' : [ 0xb0, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x10, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x30, ['pointer64', ['void']]], 'CmRm' : [ 0x38, ['pointer64', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x40, ['pointer64', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x48, ['pointer64', ['void']]], 'KtmUow' : [ 0x50, ['_GUID']], 'StartLsn' : [ 0x60, ['unsigned long long']], 'TransState' : [ 0x68, ['unsigned long']], 'HiveCount' : [ 0x6c, ['unsigned long']], 'HiveArray' : [ 0x70, ['array', 8, ['pointer64', ['_CMHIVE']]]], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x1c, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x20, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], 'Count' : [ 0x14, ['unsigned long']], 'Stamp' : [ 0x18, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x48, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x8, ['pointer64', ['void']]], 
'ParseContext' : [ 0x10, ['pointer64', ['void']]], 'ProbeMode' : [ 0x18, ['unsigned char']], 'PagedPoolCharge' : [ 0x1c, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x20, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x24, ['unsigned long']], 'SecurityDescriptor' : [ 0x28, ['pointer64', ['void']]], 'SecurityQos' : [ 0x30, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x38, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_POOL_HACKER' : [ 0x30, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x10, ['array', 8, ['unsigned long']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0x18, { 'DataSectionObject' : [ 0x0, ['pointer64', ['void']]], 'SharedCacheMap' : [ 0x8, ['pointer64', ['void']]], 'ImageSectionObject' : [ 0x10, ['pointer64', ['void']]], } ], '_SEP_AUDIT_POLICY' : [ 0x1b, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1a, ['unsigned char']], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x110, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x8, ['pointer64', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x10, ['array', 32, ['unsigned long long']]], } ], '_MBCB' : [ 0xb8, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x20, ['long long']], 'BitmapRange1' : [ 0x28, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x58, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x88, ['_BITMAP_RANGE']], } ], '__unnamed_1b1e' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', 
dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1b1e']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', ['void']]], 'BusExtension' : [ 0x8, ['pointer64', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x8, ['unsigned long long']], 'RealKcb' : [ 0x8, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x28, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x8, ['_LIST_ENTRY']], 'Lock' : [ 0x18, ['unsigned long long']], 'Busy' : [ 0x20, ['unsigned char']], 'Reserved' : [ 0x20, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='long long')]], 'Hint' : [ 0x20, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='long long')]], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]],
'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x5b0, { 'SpecialRegisters' : [ 0x0, ['_KSPECIAL_REGISTERS']], 'ContextFrame' : [ 0xe0, ['_CONTEXT']], } ], '_IO_CLIENT_EXTENSION' : [ 0x10, { 'NextExtension' : [ 0x0, ['pointer64', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x8, ['pointer64', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_KERNEL_STACK_SEGMENT' : [ 0x28, { 'StackBase' : [ 0x0, ['unsigned long long']], 'StackLimit' : [ 0x8, ['unsigned long long']], 'KernelStack' : [ 0x10, ['unsigned long long']], 'InitialStack' : [ 0x18, ['unsigned long long']], 'ActualLimit' : [ 0x20, ['unsigned long long']], } ], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x50, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry'
: [ 0x20, ['pointer64', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x28, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x30, ['unsigned long']], 'Alternatives' : [ 0x38, ['pointer64', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x40, ['unsigned short']], 'RangeAttributes' : [ 0x42, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x43, ['unsigned char']], 'WorkSpace' : [ 0x48, ['unsigned long long']], } ], '_VACB_ARRAY_HEADER' : [ 0x18, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'MappingCount' : [ 0x10, ['unsigned long']], 'Reserved' : [ 0x14, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 64, native_type='unsigned long long')]], } ], '_WOW64_PROCESS' : [ 0x8, { 'Wow64' : [ 0x0, ['pointer64', ['void']]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, ['unsigned short']], 'ThCallbackStack' : [ 0x12, 
['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_MI_SECTION_CREATION_EVENT' : [ 0x20, { 'Next' : [ 0x0, ['pointer64', ['_MI_SECTION_CREATION_EVENT']]], 'Event' : [ 0x8, ['_KEVENT']], } ], '_PEB32' : [ 0x238, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x4, ['unsigned long']], 'ImageBaseAddress' : [ 0x8, ['unsigned long']], 'Ldr' : [ 0xc, ['unsigned long']], 'ProcessParameters' : [ 0x10, ['unsigned long']], 'SubSystemData' : [ 0x14, ['unsigned long']], 'ProcessHeap' : [ 0x18, ['unsigned long']], 'FastPebLock' : [ 0x1c, ['unsigned long']], 'AtlThunkSListPtr' : [ 0x20, ['unsigned long']], 'IFEOKey' : [ 0x24, ['unsigned long']], 'CrossProcessFlags' : [ 0x28, ['unsigned long']], 'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x2c, ['unsigned long']], 'UserSharedInfoPtr' : [ 0x2c, ['unsigned long']], 'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x34, ['unsigned long']], 'FreeList' : [ 0x38, ['unsigned long']], 'TlsExpansionCounter' : [ 0x3c, ['unsigned long']], 'TlsBitmap' : [ 0x40, ['unsigned long']], 'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x4c, ['unsigned long']], 'HotpatchInformation' : [ 0x50, ['unsigned long']], 'ReadOnlyStaticServerData' : [ 0x54, ['unsigned long']], 'AnsiCodePageData' : [ 0x58, ['unsigned long']], 'OemCodePageData' : [ 0x5c, ['unsigned long']], 'UnicodeCaseTableData' : [ 0x60, ['unsigned long']], 'NumberOfProcessors' : [ 0x64, ['unsigned long']], 'NtGlobalFlag' : [ 0x68, ['unsigned long']], 'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0x78, ['unsigned long']], 'HeapSegmentCommit' : [ 0x7c, ['unsigned long']], 'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']], 'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']], 'NumberOfHeaps' : [ 0x88, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']], 'ProcessHeaps' : [ 0x90, ['unsigned long']], 'GdiSharedHandleTable' : [ 0x94, ['unsigned long']], 'ProcessStarterHelper' : [ 0x98, ['unsigned long']], 'GdiDCAttributeList' : [ 0x9c, ['unsigned long']], 'LoaderLock' : [ 0xa0, ['unsigned long']], 'OSMajorVersion' : [ 0xa4, ['unsigned long']], 'OSMinorVersion' : [ 0xa8, ['unsigned long']], 'OSBuildNumber' : [ 0xac, ['unsigned short']], 'OSCSDVersion' : [ 0xae, ['unsigned short']], 'OSPlatformId' : [ 0xb0, ['unsigned long']], 'ImageSubsystem' : [ 0xb4, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']],
'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0xc0, ['unsigned long']], 'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x14c, ['unsigned long']], 'TlsExpansionBitmap' : [ 0x150, ['unsigned long']], 'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x1d4, ['unsigned long']], 'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x1e8, ['unsigned long']], 'AppCompatInfo' : [ 0x1ec, ['unsigned long']], 'CSDVersion' : [ 0x1f0, ['_STRING32']], 'ActivationContextData' : [ 0x1f8, ['unsigned long']], 'ProcessAssemblyStorageMap' : [ 0x1fc, ['unsigned long']], 'SystemDefaultActivationContextData' : [ 0x200, ['unsigned long']], 'SystemAssemblyStorageMap' : [ 0x204, ['unsigned long']], 'MinimumStackCommit' : [ 0x208, ['unsigned long']], 'FlsCallback' : [ 0x20c, ['unsigned long']], 'FlsListHead' : [ 0x210, ['LIST_ENTRY32']], 'FlsBitmap' : [ 0x218, ['unsigned long']], 'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x22c, ['unsigned long']], 'WerRegistrationData' : [ 0x230, ['unsigned long']], 'WerShipAssertPtr' : [ 0x234, ['unsigned long']], } ], '_VPB' : [ 0x60, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x18, ['unsigned long']], 'ReferenceCount' : [ 0x1c, ['unsigned long']], 'VolumeLabel' : [ 0x20, ['array', 32, ['wchar']]], } ], '__unnamed_1b63' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_1b65' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1b63']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_1b67' : [ 0x4, { 'Type' : [ 0x0, ['short']], 'DataInfoOffset' : [
0x2, ['short']], } ], '__unnamed_1b69' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_1b67']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_1b65']], 'u2' : [ 0x4, ['__unnamed_1b69']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x18, ['unsigned long']], 'ClientViewSize' : [ 0x20, ['unsigned long long']], 'CallbackId' : [ 0x20, ['unsigned long']], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0, ['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x20, { 'ClientToken' : [ 0x0, ['pointer64', ['void']]], 'ImpersonationLevel' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x10, ['pointer64', ['void']]], 'ProcessAuditId' : [ 0x18, ['pointer64', ['void']]], } ], '_PF_KERNEL_GLOBALS' : [ 0x60, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0x10, ['_KEVENT']], 'AccessBufferMax' : [ 0x28, ['unsigned long']], 'AccessBufferList' : [ 0x40, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x50, ['long']], 'Flags' : [ 0x54, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x58, ['long']], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x8, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x10, { 'Next' : [ 0x0, ['pointer64', 
['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x8, ['pointer64', ['void']]], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_MMPTE_SUBSECTION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Unused0' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Unused1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 16, native_type='unsigned long long')]], 'SubsectionAddress' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 64, native_type='long long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'ContextTrackingMode' : [ 0x8, ['unsigned char']], 'EffectiveOnly' : [ 0x9, ['unsigned char']], } ], '_EFI_FIRMWARE_INFORMATION' : [ 0x18, { 'FirmwareVersion' : [ 0x0, ['unsigned long']], 'VirtualEfiRuntimeServices' : [ 0x8, ['pointer64', ['_VIRTUAL_EFI_RUNTIME_SERVICES']]], 'SetVirtualAddressMapStatus' : [ 0x10, ['long']], 
'MissedMappingsCount' : [ 0x14, ['unsigned long']], } ], '__unnamed_1b90' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b92' : [ 0x10, { 'Level' : [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1b94' : [ 0x10, { 'Reserved' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long long']], } ], '__unnamed_1b96' : [ 0x10, { 'Raw' : [ 0x0, ['__unnamed_1b94']], 'Translated' : [ 0x0, ['__unnamed_1b92']], } ], '__unnamed_1b98' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b9a' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b9c' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1b9e' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_1ba0' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_1ba2' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_1ba4' : [ 0x10, { 'Generic' : [ 0x0, ['__unnamed_1b90']], 'Port' : [ 0x0, ['__unnamed_1b90']], 'Interrupt' : [ 0x0, ['__unnamed_1b92']], 'MessageInterrupt' : [ 0x0, ['__unnamed_1b96']], 'Memory' : [ 0x0, ['__unnamed_1b90']], 'Dma' : [ 0x0, ['__unnamed_1b98']], 'DevicePrivate' : [ 0x0, ['__unnamed_1ad6']], 'BusNumber' : [ 0x0, ['__unnamed_1b9a']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1b9c']], 'Memory40' : [ 0x0, ['__unnamed_1b9e']], 'Memory48' : [ 0x0, ['__unnamed_1ba0']], 'Memory64' : [ 0x0, ['__unnamed_1ba2']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 
0x14, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1ba4']], } ], '__unnamed_1ba9' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1ba9']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x8, { 'ReserveDevice' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_MMPTE_HARDWARE_LARGEPAGE' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]],
'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PAT' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'reserved1' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 21, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 40, native_type='unsigned long long')]], 'reserved2' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 64, native_type='unsigned long long')]], } ], '_KUSER_SHARED_DATA' : [ 0x3b8, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8,
['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 32, native_type='unsigned long')]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], 'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 8, ['unsigned short']]], 'HeapTracingPid' : [ 0x390, ['array', 2, ['unsigned long']]], 'CritSecTracingPid' : [ 0x398, ['array', 2, ['unsigned long']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'AffinityPad' : [ 0x3a8, ['unsigned long long']], 'ActiveProcessorAffinity' : [ 
0x3a8, ['unsigned long long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], } ], '__unnamed_1bc6' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x58, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x8, ['__unnamed_1bc6']], } ], '_CONFIGURATION_COMPONENT_DATA' : [ 0x48, { 'Parent' : [ 0x0, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'Child' : [ 0x8, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'Sibling' : [ 0x10, ['pointer64', ['_CONFIGURATION_COMPONENT_DATA']]], 'ComponentEntry' : [ 0x18, ['_CONFIGURATION_COMPONENT']], 'ConfigurationData' : [ 0x40, ['pointer64', ['void']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '__unnamed_1bd0' : [ 0x8, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long long')]], 'Parent' : [ 0x0, ['pointer64', ['_MMSUBSECTION_NODE']]], } ], '_MMSUBSECTION_NODE' : [ 0x28, { 'u' : [ 0x0, ['__unnamed_14d5']], 'StartingSector' : [ 0x4, ['unsigned long']], 'NumberOfFullSectors' : [ 0x8, ['unsigned long']], 'u1' : [ 0x10, ['__unnamed_1bd0']], 'LeftChild' : [ 0x18, ['pointer64', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x20, ['pointer64', ['_MMSUBSECTION_NODE']]], } ], '_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x88, { 'IdleCount' : [ 0x0, ['long']], 'ConservationIdleTime' : [ 0x4, ['unsigned long']], 'PerformanceIdleTime' : [ 0x8, ['unsigned long']], 'DeviceObject' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x18, ['_LIST_ENTRY']], 'DeviceType' : [ 0x28, ['unsigned char']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x30, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x40, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x50, 
['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x70, ['_LIST_ENTRY']], 'PreviousIdleCount' : [ 0x80, ['unsigned long']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_FS_FILTER_CALLBACKS' : [ 0x68, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer64', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0x10, ['pointer64', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x18, ['pointer64', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x20, ['pointer64', ['void']]], 'PreAcquireForCcFlush' : [ 0x28, ['pointer64', ['void']]], 'PostAcquireForCcFlush' : [ 0x30, ['pointer64', ['void']]], 
'PreReleaseForCcFlush' : [ 0x38, ['pointer64', ['void']]], 'PostReleaseForCcFlush' : [ 0x40, ['pointer64', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x48, ['pointer64', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x50, ['pointer64', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x58, ['pointer64', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x60, ['pointer64', ['void']]], } ], '_KENLISTMENT' : [ 0x1e0, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x8, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x30, ['_GUID']], 'Mutex' : [ 0x40, ['_KMUTANT']], 'NextSameTx' : [ 0x78, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x88, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x98, ['pointer64', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0xa0, ['pointer64', ['_KTRANSACTION']]], 'State' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentSavepointing', 270: 'KEnlistmentAborting', 271: 'KEnlistmentReadOnly', 272: 'KEnlistmentOutcomeUnavailable', 273: 'KEnlistmentOffline', 274: 'KEnlistmentPrePrepared', 275: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0xac, ['unsigned long']], 'NotificationMask' : [ 0xb0, ['unsigned long']], 'Key' : [ 0xb8, ['pointer64', ['void']]], 'KeyRefCount' : [ 0xc0, ['unsigned long']], 'RecoveryInformation' : [ 0xc8, ['pointer64', ['void']]], 'RecoveryInformationLength' : [ 0xd0, ['unsigned long']], 'DynamicNameInformation' : [ 0xd8, ['pointer64', ['void']]], 'DynamicNameInformationLength' : [ 0xe0, ['unsigned long']], 'FinalNotification' : [ 0xe8, ['pointer64', 
['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0xf8, ['pointer64', ['void']]], 'SubordinateTxHandle' : [ 0x100, ['pointer64', ['void']]], 'CrmEnlistmentEnId' : [ 0x108, ['_GUID']], 'CrmEnlistmentTmId' : [ 0x118, ['_GUID']], 'CrmEnlistmentRmId' : [ 0x128, ['_GUID']], 'NextHistory' : [ 0x138, ['unsigned long']], 'History' : [ 0x13c, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x30, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x8, ['pointer64', ['void']]], 'InterfaceReference' : [ 0x10, ['pointer64', ['void']]], 'InterfaceDereference' : [ 0x18, ['pointer64', ['void']]], 'ArbiterHandler' : [ 0x20, ['pointer64', ['void']]], 'Flags' : [ 0x28, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x30, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x20, ['pointer64', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x28, ['unsigned char']], 'KernelApcPending' : [ 0x29, ['unsigned char']], 'UserApcPending' : [ 0x2a, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_DEVICE_RELATIONS' : [ 0x10, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x8, ['array', 1, ['pointer64', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_IMAGE_DEBUG_DIRECTORY' : 
[ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_DEVICE_MAP' : [ 0x38, { 'DosDevicesDirectory' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x8, ['pointer64', ['_OBJECT_DIRECTORY']]], 'ReferenceCount' : [ 0x10, ['unsigned long']], 'DriveMap' : [ 0x14, ['unsigned long']], 'DriveType' : [ 0x18, ['array', 32, ['unsigned char']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_ETW_KERNEL_TRACE_TIMESTAMP' : [ 0x10, { 'KernelTraceTimeStamp' : [ 0x0, ['array', 2, ['_LARGE_INTEGER']]], } ], '_HEAP_DEBUGGING_INFORMATION' : [ 0x30, { 'InterceptorFunction' : [ 0x0, ['pointer64', ['void']]], 'InterceptorValue' : [ 0x8, ['unsigned short']], 'ExtendedOptions' : [ 0xc, ['unsigned long']], 'StackTraceDepth' : [ 0x10, ['unsigned long']], 'MinTotalBlockSize' : [ 0x18, ['unsigned long long']], 'MaxTotalBlockSize' : [ 0x20, ['unsigned long long']], 'HeapLeakEnumerationRoutine' : [ 0x28, ['pointer64', ['void']]], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x38, { 'BasePhysicalPage' : [ 0x0, ['unsigned long long']], 'BasedPte' : [ 0x8, ['pointer64', ['_MMPTE']]], 'BankSize' : [ 0x10, ['unsigned long']], 'BankShift' : [ 0x14, ['unsigned long']], 'BankedRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'CurrentMappedPte' : [ 0x28, ['pointer64', ['_MMPTE']]], 'BankTemplate' : [ 0x30, ['array', 1, ['_MMPTE']]], } ], 
'_WHEA_PCIEXPRESS_ERROR' : [ 0xd0, { 'ValidationBits' : [ 0x0, ['unsigned long long']], 'PortType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PciExpressEndpoint', 1: 'PciExpressLegacyEndpoint', 4: 'PciExpressRootPort', 5: 'PciExpressUpstreamSwitchPort', 6: 'PciExpressDownstreamSwitchPort', 7: 'PciExpressToPciXBridge', 8: 'PciXToExpressBridge', 9: 'PciExpressRootComplexIntegratedEndpoint', 10: 'PciExpressRootComplexEventCollector'})]], 'Version' : [ 0xc, ['unsigned long']], 'CommandStatus' : [ 0x10, ['unsigned long']], 'Reserved' : [ 0x14, ['unsigned long']], 'DeviceId' : [ 0x18, ['_PCIE_DEVICE_ID']], 'DeviceSN' : [ 0x28, ['unsigned long long']], 'BridgeCtrlSts' : [ 0x30, ['unsigned long']], 'ExpressCapability' : [ 0x34, ['array', 60, ['unsigned char']]], 'AerInfo' : [ 0x70, ['array', 96, ['unsigned char']]], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x40, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x10, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x20, ['unsigned long long']], 'ReserveSize' : [ 0x28, ['unsigned long long']], 'BusyBlock' : [ 0x30, ['_HEAP_ENTRY']], } ], '_RTL_CRITICAL_SECTION' : [ 0x28, { 'DebugInfo' : [ 0x0, ['pointer64', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x8, ['long']], 'RecursionCount' : [ 0xc, ['long']], 'OwningThread' : [ 0x10, ['pointer64', ['void']]], 'LockSemaphore' : [ 0x18, ['pointer64', ['void']]], 'SpinCount' : [ 0x20, ['unsigned long long']], } ], '_OBJECT_TYPE' : [ 0x220, { 'Mutex' : [ 0x0, ['_ERESOURCE']], 'TypeList' : [ 0x68, ['_LIST_ENTRY']], 'Name' : [ 0x78, ['_UNICODE_STRING']], 'DefaultObject' : [ 0x88, ['pointer64', ['void']]], 'Index' : [ 0x90, ['unsigned long']], 'TotalNumberOfObjects' : [ 0x94, ['unsigned long']], 'TotalNumberOfHandles' : [ 0x98, ['unsigned long']], 'HighWaterNumberOfObjects' : [ 0x9c, ['unsigned long']], 'HighWaterNumberOfHandles' : [ 0xa0, ['unsigned long']], 'TypeInfo' : [ 0xa8, ['_OBJECT_TYPE_INITIALIZER']], 'Key' : [ 0x118, ['unsigned long']], 'ObjectLocks' : [ 
0x120, ['array', 32, ['_EX_PUSH_LOCK']]], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x70, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'PoolType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x24, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer64', ['void']]], 'OpenProcedure' : [ 0x38, ['pointer64', ['void']]], 'CloseProcedure' : [ 0x40, ['pointer64', ['void']]], 'DeleteProcedure' : [ 0x48, ['pointer64', ['void']]], 'ParseProcedure' : [ 0x50, ['pointer64', ['void']]], 'SecurityProcedure' : [ 0x58, ['pointer64', ['void']]], 'QueryNameProcedure' : [ 0x60, ['pointer64', 
['void']]], 'OkayToCloseProcedure' : [ 0x68, ['pointer64', ['void']]], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x48, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeviceContext' : [ 0x20, ['pointer64', ['void']]], 'NumberOfMapRegisters' : [ 0x28, ['unsigned long']], 'DeviceObject' : [ 0x30, ['pointer64', ['void']]], 'CurrentIrp' : [ 0x38, ['pointer64', ['void']]], 'BufferChainingDpc' : [ 0x40, ['pointer64', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x30, { 'StartingVa' : [ 0x0, ['pointer64', ['void']]], 'EndingVa' : [ 0x8, ['pointer64', ['void']]], 'Parent' : [ 0x10, ['pointer64', ['void']]], 'LeftChild' : [ 0x18, ['pointer64', ['void']]], 'RightChild' : [ 0x20, ['pointer64', ['void']]], 'Segment' : [ 0x28, ['pointer64', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x20, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x8, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0x10, ['pointer64', ['_CM_KEY_HASH']]], 'NameLength' : [ 0x18, ['unsigned short']], 'Name' : [ 0x1a, ['array', 1, ['wchar']]], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_REQUEST_MAILBOX' : [ 0x40, { 'RequestSummary' : [ 0x0, ['long long']], 'RequestPacket' : [ 0x8, ['_KREQUEST_PACKET']], 'Virtual' : [ 0x8, ['array', 7, ['pointer64', ['void']]]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x60, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'AllocateHits' : [ 0x18, 
['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 'FreeMisses' : [ 0x20, ['unsigned long']], 'FreeHits' : [ 0x20, ['unsigned long']], 'Type' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x28, ['unsigned long']], 'Size' : [ 0x2c, ['unsigned long']], 'AllocateEx' : [ 0x30, ['pointer64', ['void']]], 'Allocate' : [ 0x30, ['pointer64', ['void']]], 'FreeEx' : [ 0x38, ['pointer64', ['void']]], 'Free' : [ 0x38, ['pointer64', ['void']]], 'ListEntry' : [ 0x40, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x50, ['unsigned long']], 'LastAllocateMisses' : [ 0x54, ['unsigned long']], 'LastAllocateHits' : [ 0x54, ['unsigned long']], 'Future' : [ 0x58, ['array', 2, ['unsigned long']]], } ], '_KDPC' : [ 0x40, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x8, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0x18, ['pointer64', ['void']]], 'DeferredContext' : [ 0x20, ['pointer64', ['void']]], 'SystemArgument1' : [ 0x28, ['pointer64', ['void']]], 'SystemArgument2' : [ 0x30, ['pointer64', ['void']]], 'DpcData' : [ 0x38, ['pointer64', ['void']]], } ], '_M128A' : [ 0x10, { 'Low' : [ 0x0, ['unsigned long long']], 'High' : [ 0x8, ['long long']], } ], '_HEAP_LOOKASIDE' : [ 0x40, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x10, ['unsigned short']], 'MaximumDepth' : [ 0x12, ['unsigned short']], 'TotalAllocates' : [ 0x14, ['unsigned long']], 'AllocateMisses' : [ 0x18, ['unsigned long']], 'TotalFrees' : [ 0x1c, ['unsigned long']], 
'FreeMisses' : [ 0x20, ['unsigned long']], 'LastTotalAllocates' : [ 0x24, ['unsigned long']], 'LastAllocateMisses' : [ 0x28, ['unsigned long']], 'Counters' : [ 0x2c, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, ['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_RTL_ATOM_TABLE' : [ 0x70, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x8, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x30, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x60, ['unsigned long']], 'Buckets' : [ 0x68, ['array', 1, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]]], } ], '_POP_POWER_ACTION' : [ 0xb0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', 
choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer64', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x38, ['pointer64', ['_POP_DEVICE_SYS_STATE']]], 'DisplayResumeContext' : [ 0x40, ['pointer64', ['_POP_DISPLAY_RESUME_CONTEXT']]], 'HiberContext' : [ 0x48, ['pointer64', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x50, ['unsigned long long']], 'SleepTime' : [ 0x58, ['unsigned long long']], 'SystemContext' : [ 0x60, ['_SYSTEM_POWER_STATE_CONTEXT']], 'FilteredCapabilities' : [ 0x64, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 
0x20, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer64', ['_HHIVE']]], 'KeyCell' : [ 0x18, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x40, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x10, ['pointer64', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0x18, ['unsigned char']], 'DeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x28, ['pointer64', ['unsigned short']]], 'DriverName' : [ 0x30, ['pointer64', ['unsigned short']]], 'ChildCount' : [ 0x38, ['unsigned long']], 'ActiveChild' : [ 0x3c, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x10, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x8, ['pointer64', ['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x40, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0x10, ['pointer64', ['_FILE_OBJECT']]], 'Parameters' : [ 0x18, ['_FS_FILTER_PARAMETERS']], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x8, { 'PageHashes' : [ 0x0, ['pointer64', ['void']]], 'Value' : [ 0x0, ['unsigned long long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_1cb0' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_1cb2' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x18, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 
'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer64', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0x10, ['__unnamed_1cb0']], 'Button' : [ 0x10, ['__unnamed_1cb2']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentSavepointing', 270: 'KEnlistmentAborting', 271: 'KEnlistmentReadOnly', 272: 'KEnlistmentOutcomeUnavailable', 273: 'KEnlistmentOffline', 274: 'KEnlistmentPrePrepared', 275: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0xe0, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x8, ['pointer64', ['void']]], 'FastIoRead' : [ 0x10, ['pointer64', ['void']]], 'FastIoWrite' : [ 0x18, ['pointer64', ['void']]], 'FastIoQueryBasicInfo' : [ 0x20, ['pointer64', ['void']]], 'FastIoQueryStandardInfo' : [ 0x28, ['pointer64', ['void']]], 'FastIoLock' : [ 0x30, ['pointer64', ['void']]], 'FastIoUnlockSingle' : [ 0x38, ['pointer64', ['void']]], 'FastIoUnlockAll' : [ 0x40, ['pointer64', ['void']]], 'FastIoUnlockAllByKey' : [ 0x48, ['pointer64', ['void']]], 'FastIoDeviceControl' : [ 0x50, ['pointer64', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x58, ['pointer64', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x60, ['pointer64', ['void']]], 'FastIoDetachDevice' : [ 
0x68, ['pointer64', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x70, ['pointer64', ['void']]], 'AcquireForModWrite' : [ 0x78, ['pointer64', ['void']]], 'MdlRead' : [ 0x80, ['pointer64', ['void']]], 'MdlReadComplete' : [ 0x88, ['pointer64', ['void']]], 'PrepareMdlWrite' : [ 0x90, ['pointer64', ['void']]], 'MdlWriteComplete' : [ 0x98, ['pointer64', ['void']]], 'FastIoReadCompressed' : [ 0xa0, ['pointer64', ['void']]], 'FastIoWriteCompressed' : [ 0xa8, ['pointer64', ['void']]], 'MdlReadCompleteCompressed' : [ 0xb0, ['pointer64', ['void']]], 'MdlWriteCompleteCompressed' : [ 0xb8, ['pointer64', ['void']]], 'FastIoQueryOpen' : [ 0xc0, ['pointer64', ['void']]], 'ReleaseForModWrite' : [ 0xc8, ['pointer64', ['void']]], 'AcquireForCcFlush' : [ 0xd0, ['pointer64', ['void']]], 'ReleaseForCcFlush' : [ 0xd8, ['pointer64', ['void']]], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_LOADER_PARAMETER_EXTENSION' : [ 0xb8, { 'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 'MajorVersion' : [ 0x14, ['unsigned long']], 'MinorVersion' : [ 0x18, ['unsigned long']], 'EmInfFileImage' : [ 0x20, ['pointer64', ['void']]], 'EmInfFileSize' : [ 0x28, ['unsigned long']], 'TriageDumpBlock' : [ 0x30, ['pointer64', ['void']]], 'LoaderPagesSpanned' : [ 0x38, ['unsigned long']], 'HeadlessLoaderBlock' : [ 0x40, ['pointer64', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x48, ['pointer64', ['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x50, ['pointer64', ['void']]], 'DrvDBSize' : [ 0x58, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x60, ['pointer64', ['_NETWORK_LOADER_BLOCK']]], 'FirmwareDescriptorListHead' : [ 0x68, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x78, ['pointer64', ['void']]], 'AcpiTableSize' : [ 0x80, ['unsigned long']], 'BootViaWinload' : [ 0x84, 
['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x84, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'LoaderPerformanceData' : [ 0x88, ['pointer64', ['_LOADER_PERFORMANCE_DATA']]], 'BootApplicationPersistentData' : [ 0x90, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0xa0, ['pointer64', ['void']]], 'BootIdentifier' : [ 0xa8, ['_GUID']], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x70, { 'DeviceArbiterList' : [ 0x0, ['_LIST_ENTRY']], 'ResourceType' : [ 0x10, ['unsigned char']], 'ArbiterInterface' : [ 0x18, ['pointer64', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x20, ['pointer64', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x38, ['_LIST_ENTRY']], 'BestConfig' : [ 0x48, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x58, ['_LIST_ENTRY']], 'State' : [ 0x68, ['unsigned char']], 'ResourcesChanged' : [ 0x69, ['unsigned char']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_SECURITY_DESCRIPTOR' : [ 0x28, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x8, ['pointer64', ['void']]], 'Group' : [ 0x10, ['pointer64', ['void']]], 'Sacl' : [ 0x18, ['pointer64', ['_ACL']]], 'Dacl' : [ 0x20, ['pointer64', ['_ACL']]], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x3f8, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer64', ['void']]], 'ConsoleFlags' : [ 0x18, ['unsigned long']], 'StandardInput' : [ 0x20, ['pointer64', ['void']]], 'StandardOutput' : [ 0x28, ['pointer64', ['void']]], 'StandardError' : [ 0x30, ['pointer64', ['void']]], 'CurrentDirectory' : [ 0x38, ['_CURDIR']], 'DllPath' : [ 0x50, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x60, ['_UNICODE_STRING']], 'CommandLine' : [ 0x70, ['_UNICODE_STRING']], 'Environment' : 
[ 0x80, ['pointer64', ['void']]], 'StartingX' : [ 0x88, ['unsigned long']], 'StartingY' : [ 0x8c, ['unsigned long']], 'CountX' : [ 0x90, ['unsigned long']], 'CountY' : [ 0x94, ['unsigned long']], 'CountCharsX' : [ 0x98, ['unsigned long']], 'CountCharsY' : [ 0x9c, ['unsigned long']], 'FillAttribute' : [ 0xa0, ['unsigned long']], 'WindowFlags' : [ 0xa4, ['unsigned long']], 'ShowWindowFlags' : [ 0xa8, ['unsigned long']], 'WindowTitle' : [ 0xb0, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0xc0, ['_UNICODE_STRING']], 'ShellInfo' : [ 0xd0, ['_UNICODE_STRING']], 'RuntimeData' : [ 0xe0, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0xf0, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x3f0, ['unsigned long long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x10, { 'BasePage' : [ 0x0, ['unsigned long long']], 'PageCount' : [ 0x8, ['unsigned long long']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0xa0, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x10, ['unsigned long']], 'Unloads' : [ 0x14, ['unsigned long']], 'BaseName' : [ 0x18, ['_UNICODE_STRING']], 'StartAddress' : [ 0x28, ['pointer64', ['void']]], 'EndAddress' : [ 0x30, ['pointer64', ['void']]], 'Flags' : [ 0x38, ['unsigned long']], 'Signature' : [ 0x40, ['unsigned long long']], 'PoolPageHeaders' : [ 0x50, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x60, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x70, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x74, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x78, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x7c, ['unsigned long']], 'PagedBytes' : [ 0x80, ['unsigned long long']], 'NonPagedBytes' : [ 0x88, ['unsigned long long']], 'PeakPagedBytes' : [ 0x90, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x98, ['unsigned long long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x28, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x20, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x20, { 'AcquireForLazyWrite' : [ 0x0, 
['pointer64', ['void']]], 'ReleaseFromLazyWrite' : [ 0x8, ['pointer64', ['void']]], 'AcquireForReadAhead' : [ 0x10, ['pointer64', ['void']]], 'ReleaseFromReadAhead' : [ 0x18, ['pointer64', ['void']]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer64', ['void']]], 'Owner' : [ 0x18, ['pointer64', ['void']]], 'Attributes' : [ 0x20, ['unsigned char']], 'Flags' : [ 0x21, ['unsigned char']], } ], '_KSPECIAL_REGISTERS' : [ 0xd8, { 'Cr0' : [ 0x0, ['unsigned long long']], 'Cr2' : [ 0x8, ['unsigned long long']], 'Cr3' : [ 0x10, ['unsigned long long']], 'Cr4' : [ 0x18, ['unsigned long long']], 'KernelDr0' : [ 0x20, ['unsigned long long']], 'KernelDr1' : [ 0x28, ['unsigned long long']], 'KernelDr2' : [ 0x30, ['unsigned long long']], 'KernelDr3' : [ 0x38, ['unsigned long long']], 'KernelDr6' : [ 0x40, ['unsigned long long']], 'KernelDr7' : [ 0x48, ['unsigned long long']], 'Gdtr' : [ 0x50, ['_KDESCRIPTOR']], 'Idtr' : [ 0x60, ['_KDESCRIPTOR']], 'Tr' : [ 0x70, ['unsigned short']], 'Ldtr' : [ 0x72, ['unsigned short']], 'MxCsr' : [ 0x74, ['unsigned long']], 'DebugControl' : [ 0x78, ['unsigned long long']], 'LastBranchToRip' : [ 0x80, ['unsigned long long']], 'LastBranchFromRip' : [ 0x88, ['unsigned long long']], 'LastExceptionToRip' : [ 0x90, ['unsigned long long']], 'LastExceptionFromRip' : [ 0x98, ['unsigned long long']], 'Cr8' : [ 0xa0, ['unsigned long long']], 'MsrGsBase' : [ 0xa8, ['unsigned long long']], 'MsrGsSwap' : [ 0xb0, ['unsigned long long']], 'MsrStar' : [ 0xb8, ['unsigned long long']], 'MsrLStar' : [ 0xc0, ['unsigned long long']], 'MsrCStar' : [ 0xc8, ['unsigned long long']], 'MsrSyscallMask' : [ 0xd0, 
['unsigned long long']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : [ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 
'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x10, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'BlockSize' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'PoolType' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'ProcessBilled' : [ 0x8, ['pointer64', ['_EPROCESS']]], 'AllocatorBackTraceIndex' : [ 0x8, ['unsigned short']], 'PoolTagHash' : [ 0xa, ['unsigned short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x18, { 'RefCount' : [ 0x0, ['long']], 'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 0x8, ['pointer64', ['_ETW_REG_ENTRY']]], 'Caller' : [ 0x10, ['pointer64', ['void']]], } ], '_PEB64' : [ 0x368, { 'InheritedAddressSpace' : [ 0x0, ['unsigned char']], 'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']], 'BeingDebugged' : [ 0x2, ['unsigned char']], 'BitField' : [ 0x3, ['unsigned char']], 'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 
'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'Mutant' : [ 0x8, ['unsigned long long']], 'ImageBaseAddress' : [ 0x10, ['unsigned long long']], 'Ldr' : [ 0x18, ['unsigned long long']], 'ProcessParameters' : [ 0x20, ['unsigned long long']], 'SubSystemData' : [ 0x28, ['unsigned long long']], 'ProcessHeap' : [ 0x30, ['unsigned long long']], 'FastPebLock' : [ 0x38, ['unsigned long long']], 'AtlThunkSListPtr' : [ 0x40, ['unsigned long long']], 'IFEOKey' : [ 0x48, ['unsigned long long']], 'CrossProcessFlags' : [ 0x50, ['unsigned long']], 'ProcessInJob' : [ 0x50, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ProcessInitializing' : [ 0x50, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReservedBits0' : [ 0x50, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]], 'KernelCallbackTable' : [ 0x58, ['unsigned long long']], 'UserSharedInfoPtr' : [ 0x58, ['unsigned long long']], 'SystemReserved' : [ 0x60, ['array', 1, ['unsigned long']]], 'SpareUlong' : [ 0x64, ['unsigned long']], 'FreeList' : [ 0x68, ['unsigned long long']], 'TlsExpansionCounter' : [ 0x70, ['unsigned long']], 'TlsBitmap' : [ 0x78, ['unsigned long long']], 'TlsBitmapBits' : [ 0x80, ['array', 2, ['unsigned long']]], 'ReadOnlySharedMemoryBase' : [ 0x88, ['unsigned long long']], 'HotpatchInformation' : [ 0x90, ['unsigned long long']], 'ReadOnlyStaticServerData' : [ 0x98, ['unsigned long long']], 'AnsiCodePageData' : [ 0xa0, ['unsigned long long']], 'OemCodePageData' : [ 0xa8, ['unsigned long long']], 'UnicodeCaseTableData' : [ 0xb0, ['unsigned long long']], 'NumberOfProcessors' : [ 0xb8, ['unsigned long']], 'NtGlobalFlag' : [ 0xbc, ['unsigned long']], 'CriticalSectionTimeout' : [ 0xc0, ['_LARGE_INTEGER']], 'HeapSegmentReserve' : [ 0xc8, ['unsigned long long']], 
'HeapSegmentCommit' : [ 0xd0, ['unsigned long long']], 'HeapDeCommitTotalFreeThreshold' : [ 0xd8, ['unsigned long long']], 'HeapDeCommitFreeBlockThreshold' : [ 0xe0, ['unsigned long long']], 'NumberOfHeaps' : [ 0xe8, ['unsigned long']], 'MaximumNumberOfHeaps' : [ 0xec, ['unsigned long']], 'ProcessHeaps' : [ 0xf0, ['unsigned long long']], 'GdiSharedHandleTable' : [ 0xf8, ['unsigned long long']], 'ProcessStarterHelper' : [ 0x100, ['unsigned long long']], 'GdiDCAttributeList' : [ 0x108, ['unsigned long']], 'LoaderLock' : [ 0x110, ['unsigned long long']], 'OSMajorVersion' : [ 0x118, ['unsigned long']], 'OSMinorVersion' : [ 0x11c, ['unsigned long']], 'OSBuildNumber' : [ 0x120, ['unsigned short']], 'OSCSDVersion' : [ 0x122, ['unsigned short']], 'OSPlatformId' : [ 0x124, ['unsigned long']], 'ImageSubsystem' : [ 0x128, ['unsigned long']], 'ImageSubsystemMajorVersion' : [ 0x12c, ['unsigned long']], 'ImageSubsystemMinorVersion' : [ 0x130, ['unsigned long']], 'ImageProcessAffinityMask' : [ 0x138, ['unsigned long long']], 'GdiHandleBuffer' : [ 0x140, ['array', 60, ['unsigned long']]], 'PostProcessInitRoutine' : [ 0x230, ['unsigned long long']], 'TlsExpansionBitmap' : [ 0x238, ['unsigned long long']], 'TlsExpansionBitmapBits' : [ 0x240, ['array', 32, ['unsigned long']]], 'SessionId' : [ 0x2c0, ['unsigned long']], 'AppCompatFlags' : [ 0x2c8, ['_ULARGE_INTEGER']], 'AppCompatFlagsUser' : [ 0x2d0, ['_ULARGE_INTEGER']], 'pShimData' : [ 0x2d8, ['unsigned long long']], 'AppCompatInfo' : [ 0x2e0, ['unsigned long long']], 'CSDVersion' : [ 0x2e8, ['_STRING64']], 'ActivationContextData' : [ 0x2f8, ['unsigned long long']], 'ProcessAssemblyStorageMap' : [ 0x300, ['unsigned long long']], 'SystemDefaultActivationContextData' : [ 0x308, ['unsigned long long']], 'SystemAssemblyStorageMap' : [ 0x310, ['unsigned long long']], 'MinimumStackCommit' : [ 0x318, ['unsigned long long']], 'FlsCallback' : [ 0x320, ['unsigned long long']], 'FlsListHead' : [ 0x328, ['LIST_ENTRY64']], 'FlsBitmap' : [ 0x338, 
['unsigned long long']], 'FlsBitmapBits' : [ 0x340, ['array', 4, ['unsigned long']]], 'FlsHighIndex' : [ 0x350, ['unsigned long']], 'WerRegistrationData' : [ 0x358, ['unsigned long long']], 'WerShipAssertPtr' : [ 0x360, ['unsigned long long']], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x8, { 'ImageFileName' : [ 0x0, ['pointer64', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x10, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x8, ['unsigned long long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], 'ZeroInit1' : [ 0x8, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x80, { 'Address' : [ 0x0, ['pointer64', ['void']]], 'Size' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_ETHREAD']]], 'StackTrace' : [ 0x18, ['array', 13, ['pointer64', ['void']]]], } ], '__unnamed_1d51' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1e00, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1d51']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x20, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x28, ['unsigned long long']], 'NonPagablePages' : [ 0x30, ['unsigned long long']], 'CommittedPages' : [ 0x38, ['unsigned long long']], 'PagedPoolStart' : [ 0x40, ['pointer64', ['void']]], 'PagedPoolEnd' : [ 0x48, ['pointer64', ['void']]], 'SessionObject' : [ 0x50, ['pointer64', ['void']]], 'SessionObjectHandle' : [ 0x58, ['pointer64', ['void']]], 'ResidentProcessCount' : [ 0x60, ['long']], 'ImageLoadingCount' : [ 0x64, ['long']], 'SessionPoolAllocationFailures' : [ 0x68, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x78, ['_LIST_ENTRY']], 'LocaleId' : [ 0x88, ['unsigned long']], 'AttachCount' : [ 0x8c, ['unsigned long']], 'AttachEvent' : [ 0x90, ['_KEVENT']], 
'WsListEntry' : [ 0xa8, ['_LIST_ENTRY']], 'Lookaside' : [ 0xc0, ['array', 21, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xb40, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xb98, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xc00, ['_MMSUPPORT']], 'Wsle' : [ 0xc68, ['pointer64', ['_MMWSLE']]], 'DriverUnload' : [ 0xc70, ['pointer64', ['void']]], 'PagedPool' : [ 0xc78, ['_POOL_DESCRIPTOR']], 'PageDirectory' : [ 0x1cc0, ['_MMPTE']], 'SessionVaLock' : [ 0x1cc8, ['_KGUARDED_MUTEX']], 'DynamicVaBitMap' : [ 0x1d00, ['_RTL_BITMAP']], 'DynamicVaHint' : [ 0x1d10, ['unsigned long']], 'SpecialPool' : [ 0x1d18, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1d48, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1d80, ['long']], 'PagedPoolPdeCount' : [ 0x1d84, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1d88, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1d8c, ['unsigned long']], 'SessionPteFreeHead' : [ 0x1d90, ['_MMPTE']], 'SystemPteInfo' : [ 0x1d98, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1db8, ['pointer64', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1dc0, ['unsigned long long']], 'PoolTrackBigPages' : [ 0x1dc8, ['pointer64', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1dd0, ['unsigned long long']], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x10, { 'Process' : [ 0x0, ['pointer64', ['_EPROCESS']]], 'HandleCount' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['pointer64', ['void']]], 'UniqueThread' : [ 0x8, ['pointer64', ['void']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_VI_DEADLOCK_RESOURCE' : [ 0xf8, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 
'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer64', ['void']]], 'ThreadOwner' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x18, ['_LIST_ENTRY']], 'HashChainList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'StackTrace' : [ 0x38, ['array', 8, ['pointer64', ['void']]]], 'LastAcquireTrace' : [ 0x78, ['array', 8, ['pointer64', ['void']]]], 'LastReleaseTrace' : [ 0xb8, ['array', 8, ['pointer64', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 
'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x48, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0x10, ['pointer64', 
['void']]], 'DirectlyAccessClientToken' : [ 0x18, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x19, ['unsigned char']], 'ServerIsRemote' : [ 0x1a, ['unsigned char']], 'ClientTokenControl' : [ 0x1c, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x68, { 'Mutex' : [ 0x0, ['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x38, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x48, ['pointer64', ['_MMPTE']]], 'PagedPoolHint' : [ 0x50, ['unsigned long']], 'PagedPoolCommit' : [ 0x58, ['unsigned long long']], 'AllocatedPagedPool' : [ 0x60, ['unsigned long long']], } ], '_BITMAP_RANGE' : [ 0x30, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x10, ['long long']], 'FirstDirtyPage' : [ 0x18, ['unsigned long']], 'LastDirtyPage' : [ 0x1c, ['unsigned long']], 'DirtyPages' : [ 0x20, ['unsigned long']], 'Bitmap' : [ 0x28, ['pointer64', ['unsigned long']]], } ], '_NT_TIB64' : [ 0x38, { 'ExceptionList' : [ 0x0, ['unsigned long long']], 'StackBase' : [ 0x8, ['unsigned long long']], 'StackLimit' : [ 0x10, ['unsigned long long']], 'SubSystemTib' : [ 0x18, ['unsigned long long']], 'FiberData' : [ 0x20, ['unsigned long long']], 'Version' : [ 0x20, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x28, ['unsigned long long']], 'Self' : [ 0x30, ['unsigned long long']], } ], '_IO_SECURITY_CONTEXT' : [ 0x18, { 'SecurityQos' : [ 0x0, ['pointer64', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x8, ['pointer64', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x10, ['unsigned long']], 'FullCreateOptions' : [ 0x14, ['unsigned long']], } ], '_WHEA_GENERIC_PROCESSOR_ERROR' : [ 0xc0, { 'ValidBits' : [ 0x0, ['unsigned long long']], 'ProcessorType' : [ 0x8, ['unsigned char']], 'InstructionSet' : [ 0x9, ['unsigned char']], 'ErrorType' : [ 0xa, ['unsigned char']], 'Operation' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned char']], 'Level' : [ 0xd, ['unsigned char']], 'Reserved' : [ 0xe, ['unsigned short']], 'CPUVersion' : [ 0x10, ['unsigned long long']], 'CPUBrandString' : [ 
0x18, ['array', 128, ['unsigned char']]], 'ProcessorId' : [ 0x98, ['unsigned long long']], 'TargetAddress' : [ 0xa0, ['unsigned long long']], 'RequestorId' : [ 0xa8, ['unsigned long long']], 'ResponderId' : [ 0xb0, ['unsigned long long']], 'InstructionPointer' : [ 0xb8, ['unsigned long long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0xa0, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x10, ['pointer64', ['void']]], 'Type' : [ 0x18, ['unsigned long']], 'StackTrace' : [ 0x20, ['array', 16, ['pointer64', ['void']]]], } ], '_POP_TRIGGER_WAIT' : [ 0x38, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x18, ['long']], 'Link' : [ 0x20, ['_LIST_ENTRY']], 'Trigger' : [ 0x30, ['pointer64', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x30, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x8, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0x18, ['pointer64', ['void']]], 'Context' : [ 0x20, ['pointer64', ['void']]], 'DeviceObject' : [ 0x28, ['pointer64', ['_DEVICE_OBJECT']]], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0x18, { 'ArbitrationList' : [ 0x0, ['pointer64', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x8, ['unsigned long']], 'AllocateFrom' : [ 0x10, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x30, { 'PteBase' : [ 0x0, ['pointer64', ['_MMPTE']]], 'FreePteHead' : [ 0x8, ['_MMPTE']], 'FreePteTail' : [ 0x10, ['_MMPTE']], 'PagesInUse' : [ 0x18, ['long long']], 'SpecialPoolPdes' : [ 0x20, ['_RTL_BITMAP']], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x20, { 'PhysicalDeviceObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x8, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x10, ['pointer64', ['unsigned long']]], 'Conflicts' : [ 0x18, ['pointer64', ['pointer64', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x20, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x8, ['unsigned long long']], 'Run' : [ 0x10, ['array', 1, 
['_PHYSICAL_MEMORY_RUN']]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x88, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x8, ['_KMUTANT']], 'Lock' : [ 0x40, ['_KGUARDED_MUTEX']], 'List' : [ 0x78, ['_LIST_ENTRY']], } ], '_OBJECT_DIRECTORY' : [ 0x150, { 'HashBuckets' : [ 0x0, ['array', 37, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]]], 'Lock' : [ 0x128, ['_EX_PUSH_LOCK']], 'DeviceMap' : [ 0x130, ['pointer64', ['_DEVICE_MAP']]], 'SessionId' : [ 0x138, ['unsigned long']], 'NamespaceEntry' : [ 0x140, ['pointer64', ['void']]], 'Flags' : [ 0x148, ['unsigned long']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x20, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x10, ['_PO_IRP_QUEUE']], } ], '_CLIENT_ID64' : [ 0x10, { 'UniqueProcess' : [ 0x0, ['unsigned long long']], 'UniqueThread' : [ 0x8, ['unsigned long long']], } ], '_KDPC_DATA' : [ 0x20, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x10, ['unsigned long long']], 'DpcQueueDepth' : [ 0x18, ['long']], 'DpcCount' : [ 0x1c, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['unsigned long']], } ], '_CM_WORKITEM' : [ 0x20, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], 
'__unnamed_1dca' : [ 0x10, { 'UserData' : [ 0x0, ['pointer64', ['void']]], 'Owner' : [ 0x8, ['pointer64', ['void']]], } ], '__unnamed_1dcc' : [ 0x10, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x38, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_1dca']], 'Merged' : [ 0x10, ['__unnamed_1dcc']], 'Attributes' : [ 0x20, ['unsigned char']], 'PublicFlags' : [ 0x21, ['unsigned char']], 'PrivateFlags' : [ 0x22, ['unsigned short']], 'ListEntry' : [ 0x28, ['_LIST_ENTRY']], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '__unnamed_1dd3' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_1dd3']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x28, { 'ActiveFrame' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x8, ['_LIST_ENTRY']], 'Flags' : [ 0x18, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x1c, ['unsigned long']], 'StackId' : [ 0x20, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x68, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x8, ['pointer64', ['_MMPTE']]], 'NextSubsection' : [ 0x10, ['pointer64', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x10, ['pointer64', ['_MSUBSECTION']]], 
'PtesInSubsection' : [ 0x18, ['unsigned long']], 'UnusedPtes' : [ 0x20, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x20, ['pointer64', ['_MM_AVL_TABLE']]], 'u' : [ 0x28, ['__unnamed_14d5']], 'StartingSector' : [ 0x2c, ['unsigned long']], 'NumberOfFullSectors' : [ 0x30, ['unsigned long']], 'u1' : [ 0x38, ['__unnamed_1bd0']], 'LeftChild' : [ 0x40, ['pointer64', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x48, ['pointer64', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x50, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x60, ['unsigned long long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x18, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x58, { 'GetTime' : [ 0x0, ['unsigned long long']], 'SetTime' : [ 0x8, ['unsigned long long']], 'GetWakeupTime' : [ 0x10, ['unsigned long long']], 'SetWakeupTime' : [ 0x18, ['unsigned long long']], 'SetVirtualAddressMap' : [ 0x20, ['unsigned long long']], 'ConvertPointer' : [ 0x28, ['unsigned long long']], 'GetVariable' : [ 0x30, ['unsigned long long']], 'GetNextVariableName' : [ 0x38, ['unsigned long long']], 'SetVariable' : [ 0x40, ['unsigned long long']], 'GetNextHighMonotonicCount' : [ 0x48, ['unsigned long long']], 'ResetSystem' : [ 0x50, ['unsigned long long']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, ['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 
0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 0x12, ['array', 3, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 
'PowerSystemMaximum'})]], } ], '_WNODE_HEADER' : [ 0x30, { 'BufferSize' : [ 0x0, ['unsigned long']], 'ProviderId' : [ 0x4, ['unsigned long']], 'HistoricalContext' : [ 0x8, ['unsigned long long']], 'Version' : [ 0x8, ['unsigned long']], 'Linkage' : [ 0xc, ['unsigned long']], 'CountLost' : [ 0x10, ['unsigned long']], 'KernelHandle' : [ 0x10, ['pointer64', ['void']]], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], } ], '__unnamed_1de9' : [ 0x8, { 'ImageCommitment' : [ 0x0, ['unsigned long long']], 'CreatingProcess' : [ 0x0, ['pointer64', ['_EPROCESS']]], } ], '__unnamed_1ded' : [ 0x8, { 'ImageInformation' : [ 0x0, ['pointer64', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer64', ['void']]], } ], '_SEGMENT' : [ 0x58, { 'ControlArea' : [ 0x0, ['pointer64', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x8, ['unsigned long']], 'NonExtendedPtes' : [ 0xc, ['unsigned long']], 'NumberOfCommittedPages' : [ 0x10, ['unsigned long long']], 'SizeOfSegment' : [ 0x18, ['unsigned long long']], 'ExtendInfo' : [ 0x20, ['pointer64', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x20, ['pointer64', ['void']]], 'SegmentLock' : [ 0x28, ['_EX_PUSH_LOCK']], 'SegmentFlags' : [ 0x30, ['_SEGMENT_FLAGS']], 'u1' : [ 0x38, ['__unnamed_1de9']], 'u2' : [ 0x40, ['__unnamed_1ded']], 'PrototypePte' : [ 0x48, ['pointer64', ['_MMPTE']]], 'ThePtes' : [ 0x50, ['array', 1, ['_MMPTE']]], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x60, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 
'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' : [ 0x48, ['unsigned long long']], 'PrivateLinks' : [ 0x50, ['_LIST_ENTRY']], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_RTL_HANDLE_TABLE' : [ 0x30, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x18, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x20, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x28, ['pointer64', 
['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_MMPFNLIST' : [ 0x20, { 'Total' : [ 0x0, ['unsigned long long']], 'ListName' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x10, ['unsigned long long']], 'Blink' : [ 0x18, ['unsigned long long']], } ], '_DEVOBJ_EXTENSION' : [ 0x50, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer64', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x10, ['unsigned long']], 'Dope' : [ 0x18, ['pointer64', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x20, ['unsigned long']], 'DeviceNode' : [ 0x28, ['pointer64', ['void']]], 'AttachedTo' : [ 0x30, ['pointer64', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x38, ['long']], 'StartIoKey' : [ 0x3c, ['long']], 'StartIoFlags' : [ 0x40, ['unsigned long']], 'Vpb' : [ 0x48, ['pointer64', ['_VPB']]], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' : [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_STRING32' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['unsigned long']], } ], '_WHEA_PCIX_BUS_VALIDATION_BITS' : [ 0x8, { 'ErrorStatusValid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, 
native_type='unsigned long long')]], 'ErrorTypeValid' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'BusIdValid' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'BusAddressValid' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'BusDataValid' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'CommandValid' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'RequestorIdValid' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'CompleterIdValid' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'TargetIdValid' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 64, native_type='unsigned long long')]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' : [ 0x8, ['long']], } ], '_HMAP_ENTRY' : [ 0x20, { 'BlockAddress' : [ 0x0, ['unsigned long long']], 'BinAddress' : [ 0x8, ['unsigned long long']], 'CmView' : [ 0x10, ['pointer64', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0x18, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x18, { 'HashLink' : [ 0x0, ['pointer64', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x8, ['unsigned short']], 'Atom' : [ 0xa, ['unsigned short']], 'ReferenceCount' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned char']], 'NameLength' : [ 0xf, ['unsigned char']], 'Name' : [ 0x10, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x8, ['pointer64', ['void']]], } ], '_LOADER_PERFORMANCE_DATA' : [ 0x10, { 'StartTime' : [ 0x0, ['unsigned long long']], 
'EndTime' : [ 0x8, ['unsigned long long']], } ], '_MMSESSION' : [ 0x58, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x38, ['pointer64', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewTable' : [ 0x40, ['pointer64', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x48, ['unsigned long']], 'SystemSpaceHashEntries' : [ 0x4c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x50, ['unsigned long']], 'BitmapFailures' : [ 0x54, ['unsigned long']], } ], '_ETW_REG_ENTRY' : [ 0x50, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x10, ['pointer64', ['_ETW_GUID_ENTRY']]], 'Index' : [ 0x18, ['unsigned short']], 'Flags' : [ 0x1a, ['unsigned short']], 'EnableMask' : [ 0x1c, ['unsigned char']], 'ReplyQueue' : [ 0x20, ['pointer64', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x20, ['array', 4, ['pointer64', ['_ETW_REG_ENTRY']]]], 'Process' : [ 0x40, ['pointer64', ['_EPROCESS']]], 'Callback' : [ 0x40, ['pointer64', ['void']]], 'CallbackContext' : [ 0x48, ['pointer64', ['void']]], } ], '_LPCP_PORT_OBJECT' : [ 0x100, { 'ConnectionPort' : [ 0x0, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x8, ['pointer64', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x10, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x30, ['_CLIENT_ID']], 'ClientSectionBase' : [ 0x40, ['pointer64', ['void']]], 'ServerSectionBase' : [ 0x48, ['pointer64', ['void']]], 'PortContext' : [ 0x50, ['pointer64', ['void']]], 'ClientThread' : [ 0x58, ['pointer64', ['_ETHREAD']]], 'SecurityQos' : [ 0x60, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x70, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0xb8, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0xc8, ['_LIST_ENTRY']], 'ServerProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MappingProcess' : [ 0xd8, ['pointer64', ['_EPROCESS']]], 'MaxMessageLength' : [ 0xe0, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0xe2, ['unsigned short']], 'Flags' : [ 0xe4, ['unsigned long']], 'WaitEvent' : [ 0xe8, ['_KEVENT']], } ], 
'_ARBITER_LIST_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x10, ['unsigned long']], 'Alternatives' : [ 0x18, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x20, ['pointer64', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'WorkSpace' : [ 0x30, ['long long']], 'InterfaceType' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x3c, ['unsigned long']], 'BusNumber' : [ 0x40, ['unsigned long']], 'Assignment' : [ 0x48, ['pointer64', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x50, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x58, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_KNODE' : [ 0xc0, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x10, ['array', 3, ['_SLIST_HEADER']]], 'PfnDereferenceSListHead' : [ 0x40, ['_SLIST_HEADER']], 'ProcessorMask' : [ 0x50, ['unsigned long long']], 'Color' : [ 0x58, ['unsigned char']], 'Seed' : [ 0x59, ['unsigned char']], 'NodeNumber' : [ 0x5a, ['unsigned char']], 'Flags' : [ 0x5b, ['_flags']], 'MmShiftedColor' : [ 0x5c, ['unsigned long']], 'FreeCount' : [ 0x60, ['array', 2, ['unsigned long long']]], 'PfnDeferredList' : [ 0x70, ['pointer64', 
['_SLIST_ENTRY']]], 'Right' : [ 0x78, ['unsigned long']], 'Left' : [ 0x7c, ['unsigned long']], 'CachedKernelStacks' : [ 0x80, ['_CACHED_KSTACK_LIST']], } ], '_CACHED_KSTACK_LIST' : [ 0x20, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x10, ['long']], 'Misses' : [ 0x14, ['unsigned long']], 'MissesLast' : [ 0x18, ['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x2b8, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long long']], 'Thread' : [ 0x10, ['pointer64', ['_KTHREAD']]], 'AbortEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'ReadySemaphore' : [ 0x20, ['pointer64', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x28, ['pointer64', ['_KSEMAPHORE']]], 'GetNewDeviceList' : [ 0x30, ['unsigned char']], 'Order' : [ 0x38, ['_PO_DEVICE_NOTIFY_ORDER']], 'NotifyGdiLevelForPowerOn' : [ 0x288, ['long']], 'NotifyGdiLevelForResumeUI' : [ 0x28c, ['long']], 'Pending' : [ 0x290, ['_LIST_ENTRY']], 'Status' : [ 0x2a0, ['long']], 'FailedDevice' : [ 0x2a8, ['pointer64', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x2b0, ['unsigned char']], 'Cancelled' : [ 0x2b1, ['unsigned char']], 'IgnoreErrors' : [ 0x2b2, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x2b3, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x2b4, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x8, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit 
= 13, native_type='unsigned long long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 22, native_type='unsigned long long')]], 'ContainsPxeSubsection' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 63, native_type='unsigned long long')]], 'Binary32' : [ 0x0, ['BitField', dict(start_bit = 63, end_bit = 64, native_type='unsigned long long')]], } ], '_EX_WORK_QUEUE' : [ 0x58, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x40, ['unsigned long']], 'WorkItemsProcessed' : [ 0x44, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x48, ['unsigned long']], 'QueueDepthLastPass' : [ 0x4c, ['unsigned long']], 'Info' : [ 0x50, ['EX_QUEUE_WORKER_INFO']], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0x18, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x10, ['unsigned long']], } ], '_TEB32' : [ 0xff8, { 'NtTib' : [ 0x0, ['_NT_TIB32']], 'EnvironmentPointer' : [ 0x1c, ['unsigned long']], 'ClientId' : [ 0x20, ['_CLIENT_ID32']], 'ActiveRpcHandle' : [ 0x28, ['unsigned long']], 'ThreadLocalStoragePointer' : [ 0x2c, ['unsigned long']], 'ProcessEnvironmentBlock' : [ 0x30, ['unsigned long']], 'LastErrorValue' : [ 0x34, ['unsigned long']], 'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']], 'CsrClientThread' : [ 0x3c, ['unsigned long']], 'Win32ThreadInfo' : [ 0x40, ['unsigned long']], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 
5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['unsigned long']], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['unsigned long']]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['unsigned long']], 'SpareBytes1' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH32']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID32']], 'GdiCachedProcessHandle' : [ 0x6bc, ['unsigned long']], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['unsigned long']], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['unsigned long']]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['unsigned long']], 'glSectionInfo' : [ 0xbe0, ['unsigned long']], 'glSection' : [ 0xbe4, ['unsigned long']], 'glTable' : [ 0xbe8, ['unsigned long']], 'glCurrentRC' : [ 0xbec, ['unsigned long']], 'glContext' : [ 0xbf0, ['unsigned long']], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_STRING32']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['unsigned long']], 'TlsSlots' : [ 0xe10, ['array', 64, ['unsigned long']]], 'TlsLinks' : [ 0xf10, ['LIST_ENTRY32']], 'Vdm' : [ 0xf18, ['unsigned long']], 'ReservedForNtRpc' : [ 0xf1c, ['unsigned long']], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['unsigned long']]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['unsigned long']]], 'ActivityId' : [ 0xf50, ['_GUID']], 'SubProcessTag' : [ 0xf60, ['unsigned long']], 'EtwLocalData' : [ 0xf64, ['unsigned long']], 'EtwTraceData' : [ 0xf68, ['unsigned long']], 'WinSockData' : [ 0xf6c, ['unsigned long']], 'GdiBatchCount' : [ 
0xf70, ['unsigned long']], 'SpareBool0' : [ 0xf74, ['unsigned char']], 'SpareBool1' : [ 0xf75, ['unsigned char']], 'SpareBool2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['unsigned long']], 'ReservedForOle' : [ 0xf80, ['unsigned long']], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['unsigned long']], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['unsigned long']], 'TlsExpansionSlots' : [ 0xf94, ['unsigned long']], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['unsigned long']], 'pShimData' : [ 0xfa4, ['unsigned long']], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['unsigned long']], 'ActiveFrame' : [ 0xfb0, ['unsigned long']], 'FlsData' : [ 0xfb4, ['unsigned long']], 'PreferredLanguages' : [ 0xfb8, ['unsigned long']], 'UserPrefLanguages' : [ 0xfbc, ['unsigned long']], 'MergedPrefLanguages' : [ 0xfc0, ['unsigned long']], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'DbgSafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0xfca, 
['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['unsigned long']], 'TxnScopeExitCallback' : [ 0xfd0, ['unsigned long']], 'TxnScopeContext' : [ 0xfd4, ['unsigned long']], 'LockCount' : [ 0xfd8, ['unsigned long']], 'ProcessRundown' : [ 0xfdc, ['unsigned long']], 'LastSwitchTime' : [ 0xfe0, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0xfe8, ['unsigned long long']], 'WaitReasonBitMap' : [ 0xff0, ['_LARGE_INTEGER']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x30, { 'Thread' : [ 0x0, ['pointer64', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x8, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x10, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'NodeCount' : [ 0x28, ['unsigned long']], 'PagingCount' : [ 0x2c, ['unsigned long']], } ], '_KRESOURCEMANAGER' : [ 0x250, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'State' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x20, ['unsigned long']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x88, ['_GUID']], 'NotificationQueue' : [ 0x98, ['_KQUEUE']], 'NotificationMutex' : [ 0xd8, ['_KMUTANT']], 'EnlistmentHead' : [ 0x110, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x120, ['unsigned long']],
'NotificationRoutine' : [ 0x128, ['pointer64', ['void']]], 'Key' : [ 0x130, ['pointer64', ['void']]], 'ProtocolListHead' : [ 0x138, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0x148, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0x158, ['_LIST_ENTRY']], 'Tm' : [ 0x168, ['pointer64', ['_KTM']]], 'Description' : [ 0x170, ['_UNICODE_STRING']], 'Enlistments' : [ 0x180, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x228, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_GDI_TEB_BATCH64' : [ 0x4e8, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x8, ['unsigned long long']], 'Buffer' : [ 0x10, ['array', 310, ['unsigned long']]], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x80, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']],
'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long long']], 'NonPagedBytes' : [ 0x58, ['unsigned long long']], 'PeakPagedBytes' : [ 0x60, ['unsigned long long']], 'PeakNonPagedBytes' : [ 0x68, ['unsigned long long']], 'BurstAllocationsFailedDeliberately' : [ 0x70, ['unsigned long']], 'SessionTrims' : [ 0x74, ['unsigned long']], 'OptionChanges' : [ 0x78, ['unsigned long']], 'VerifyMode' : [ 0x7c, ['unsigned long']], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x8168, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer64', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x18, ['unsigned long long']], 'ResourceAddressRange' : [ 0x20, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x4010, ['pointer64', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x4018, ['unsigned long long']], 'ThreadAddressRange' : [ 0x4020, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x8010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x8014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x8018, ['unsigned long']], 'NodesSearched' : [ 0x801c, ['unsigned long']], 'MaxNodesSearched' : [ 0x8020, ['unsigned long']], 'SequenceNumber' : [ 0x8024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x8028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x802c, ['unsigned long']], 'DepthLimitHits' : [ 0x8030, ['unsigned long']], 'SearchLimitHits' : [ 0x8034, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x8038, ['unsigned long']], 'OutOfOrderReleases' : [ 0x803c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x8040, ['unsigned long']], 'TotalReleases' : [ 0x8044, ['unsigned long']], 'RootNodesDeleted' : [ 0x8048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x804c, ['unsigned long']], 'Instigator' : [ 0x8050, 
['pointer64', ['void']]], 'NumberOfParticipants' : [ 0x8058, ['unsigned long']], 'Participant' : [ 0x8060, ['array', 32, ['pointer64', ['_VI_DEADLOCK_NODE']]]], 'CacheReductionInProgress' : [ 0x8160, ['unsigned long']], } ], '_POP_DISPLAY_RESUME_CONTEXT' : [ 0x80, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkerThread' : [ 0x20, ['pointer64', ['_ETHREAD']]], 'PrepareUIEvent' : [ 0x28, ['_KEVENT']], 'PowerOnEvent' : [ 0x40, ['_KEVENT']], 'DoneEvent' : [ 0x58, ['_KEVENT']], 'WorkerQueued' : [ 0x70, ['unsigned long']], 'WorkerAbort' : [ 0x74, ['unsigned long']], 'NoResumeUI' : [ 0x78, ['unsigned long']], } ], '_KPCR' : [ 0x3ba0, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'GdtBase' : [ 0x0, ['pointer64', ['_KGDTENTRY64']]], 'TssBase' : [ 0x8, ['pointer64', ['_KTSS64']]], 'UserRsp' : [ 0x10, ['unsigned long long']], 'Self' : [ 0x18, ['pointer64', ['_KPCR']]], 'CurrentPrcb' : [ 0x20, ['pointer64', ['_KPRCB']]], 'LockArray' : [ 0x28, ['pointer64', ['_KSPIN_LOCK_QUEUE']]], 'Used_Self' : [ 0x30, ['pointer64', ['void']]], 'IdtBase' : [ 0x38, ['pointer64', ['_KIDTENTRY64']]], 'Unused' : [ 0x40, ['array', 2, ['unsigned long long']]], 'Irql' : [ 0x50, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x51, ['unsigned char']], 'ObsoleteNumber' : [ 0x52, ['unsigned char']], 'Fill0' : [ 0x53, ['unsigned char']], 'Unused0' : [ 0x54, ['array', 3, ['unsigned long']]], 'MajorVersion' : [ 0x60, ['unsigned short']], 'MinorVersion' : [ 0x62, ['unsigned short']], 'StallScaleFactor' : [ 0x64, ['unsigned long']], 'Unused1' : [ 0x68, ['array', 3, ['pointer64', ['void']]]], 'KernelReserved' : [ 0x80, ['array', 15, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0xbc, ['unsigned long']], 'HalReserved' : [ 0xc0, ['array', 16, ['unsigned long']]], 'Unused2' : [ 0x100, ['unsigned long']], 'KdVersionBlock' : [ 0x108, ['pointer64', ['void']]], 'Unused3' : [ 0x110, ['pointer64', ['void']]], 'PcrAlign1' : [ 0x118, ['array', 24, ['unsigned long']]], 'Prcb' : [ 0x180, ['_KPRCB']], } ], '_KTM' : [ 
0x380, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x8, ['_KMUTANT']], 'State' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x48, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x70, ['_GUID']], 'Flags' : [ 0x80, ['unsigned long']], 'VolatileFlags' : [ 0x84, ['unsigned long']], 'LogFileName' : [ 0x88, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x98, ['pointer64', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0xa0, ['pointer64', ['void']]], 'LogManagementContext' : [ 0xa8, ['pointer64', ['void']]], 'Transactions' : [ 0xb0, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0x158, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x200, ['_KMUTANT']], 'LsnOrderedList' : [ 0x238, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x248, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x250, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x288, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x290, ['_CLS_LSN']], 'TmRmHandle' : [ 0x298, ['pointer64', ['void']]], 'TmRm' : [ 0x2a0, ['pointer64', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x2a8, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x2c0, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x2e0, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x2e8, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x308, ['_ERESOURCE']], 'LogFlags' : [ 0x370, ['unsigned long']], 'LogFullStatus' : [ 0x374, ['long']], 'RecoveryStatus' : [ 0x378, ['long']], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x90, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x10, ['unsigned long']], 'CallerEvent' : [ 0x18, ['pointer64', ['_KEVENT']]], 'Callback' : [ 0x20, ['pointer64', ['void']]], 'Context' : [ 0x28, ['pointer64', ['void']]], 'VetoType' : [ 0x30, ['pointer64', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 
'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x38, ['pointer64', ['_UNICODE_STRING']]], 'Data' : [ 0x40, ['_PLUGPLAY_EVENT_BLOCK']], } ], '__unnamed_1e94' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0xa0, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x20, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x40, ['pointer64', ['void']]], 'AuxData' : [ 0x48, ['pointer64', ['void']]], 'Privileges' : [ 0x50, ['__unnamed_1e94']], 'AuditPrivileges' : [ 0x7c, ['unsigned char']], 'ObjectName' : [ 0x80, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x90, ['_UNICODE_STRING']], } ], '_CONFIGURATION_COMPONENT' : [ 0x28, { 'Class' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 'MemoryClass', 7: 'MaximumClass'})]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 14: 'TapeController', 
15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 'AudioController', 24: 'OtherController', 25: 'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29: 'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]], 'Flags' : [ 0x8, ['_DEVICE_FLAGS']], 'Version' : [ 0xc, ['unsigned short']], 'Revision' : [ 0xe, ['unsigned short']], 'Key' : [ 0x10, ['unsigned long']], 'AffinityMask' : [ 0x14, ['unsigned long']], 'ConfigurationDataLength' : [ 0x18, ['unsigned long']], 'IdentifierLength' : [ 0x1c, ['unsigned long']], 'Identifier' : [ 0x20, ['pointer64', ['unsigned char']]], } ], '_KTRANSACTION' : [ 0x268, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x20, ['_KMUTANT']], 'TreeTx' : [ 0x58, ['pointer64', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x60, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x88, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0xb0, ['_GUID']], 'State' : [ 0xc0, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionSavepointing', 12: 'KTransactionPrePrepared'})]], 'Flags' : [ 0xc4, ['unsigned long']], 'EnlistmentHead' : [ 0xc8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xd8, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0xdc, ['unsigned long']],
'PrePrepareRequiredEnlistmentCount' : [ 0xe0, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0xe4, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0xe8, ['unsigned long']], 'PendingResponses' : [ 0xec, ['unsigned long']], 'SuperiorEnlistment' : [ 0xf0, ['pointer64', ['_KENLISTMENT']]], 'LastLsn' : [ 0xf8, ['_CLS_LSN']], 'PromotedEntry' : [ 0x100, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0x110, ['pointer64', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0x118, ['pointer64', ['void']]], 'IsolationLevel' : [ 0x120, ['unsigned long']], 'IsolationFlags' : [ 0x124, ['unsigned long']], 'Timeout' : [ 0x128, ['_LARGE_INTEGER']], 'Description' : [ 0x130, ['_UNICODE_STRING']], 'RollbackThread' : [ 0x140, ['pointer64', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0x148, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0x168, ['_KDPC']], 'RollbackTimer' : [ 0x1a8, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x1e8, ['_LIST_ENTRY']], 'Outcome' : [ 0x1f8, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'NextSavepoint' : [ 0x1fc, ['unsigned long']], 'Tm' : [ 0x200, ['pointer64', ['_KTM']]], 'CommitReservation' : [ 0x208, ['long long']], 'TransactionHistory' : [ 0x210, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x260, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], 
'_CM_KCB_UOW' : [ 0x60, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x10, ['pointer64', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0x18, ['pointer64', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x20, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x30, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x38, ['pointer64', ['_CM_TRANS']]], 'UoWState' : [ 0x40, ['unsigned long']], 'ActionType' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x50, ['unsigned long']], 'OldValueCell' : [ 0x50, ['unsigned long']], 'NewValueCell' : [ 0x54, ['unsigned long']], 'UserFlags' : [ 0x50, ['unsigned long']], 'LastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x50, ['unsigned long']], 'OldChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x58, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x50, ['pointer64', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x58, ['unsigned long']], } ], '_MMPTE_TRANSITION' : [ 0x8, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 
'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 40, native_type='unsigned long long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 64, native_type='unsigned long long')]], } ], '_KREQUEST_PACKET' : [ 0x20, { 'CurrentPacket' : [ 0x0, ['array', 3, ['pointer64', ['void']]]], 'WorkerRoutine' : [ 0x18, ['pointer64', ['void']]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x38, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x18, ['unsigned long']], 'RealRefCount' : [ 0x1c, ['unsigned long']], 'Descriptor' : [ 0x20, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0x18, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer64', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x10, ['unsigned short']], 'Name' : [ 0x12, ['array', 1, ['wchar']]], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 12, native_type='unsigned long')]], } ], '_PO_IRP_QUEUE' : [ 0x10, { 'CurrentIrp' : [ 0x0, ['pointer64', ['_IRP']]], 'PendingIrpList' : [ 0x8, ['pointer64', ['_IRP']]], } ], 
'__unnamed_1ecb' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0xd0, { 'Parent' : [ 0x0, ['pointer64', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x8, ['_LIST_ENTRY']], 'SiblingsList' : [ 0x18, ['_LIST_ENTRY']], 'ResourceList' : [ 0x28, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x28, ['_LIST_ENTRY']], 'Root' : [ 0x38, ['pointer64', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x40, ['pointer64', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x48, ['__unnamed_1ecb']], 'StackTrace' : [ 0x50, ['array', 8, ['pointer64', ['void']]]], 'ParentStackTrace' : [ 0x90, ['array', 8, ['pointer64', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_CLIENT_ID32' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['unsigned long']], 'UniqueThread' : [ 0x4, ['unsigned long']], } ], '_KTMOBJECT_NAMESPACE' : [ 0xa8, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x68, ['_KMUTANT']], 'LinksOffset' : [ 0xa0, ['unsigned short']], 'GuidOffset' : [ 0xa2, ['unsigned short']], 'Expired' : [ 0xa4, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x20, { 'NonPagedPortQueue' : [ 0x0, ['pointer64', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x8, ['pointer64', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x10, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x10, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x8, ['pointer64', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 
'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x10, { 'Stream' : [ 0x0, ['pointer64', ['void']]], 'Detail' : [ 0x8, ['unsigned long']], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x18, ['_UNICODE_STRING']], 'LinkTargetObject' : [ 0x28, ['pointer64', ['void']]], 'DosDeviceDriveIndex' : [ 0x30, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x28, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x20, ['pointer64', ['_LPCP_PORT_OBJECT']]], } ], '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x28, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x10, ['pointer64', ['void']]], 'Key' : [ 0x18, ['unsigned long long']], 'BindingProcess' : [ 0x20, ['pointer64', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_CALL_PERFORMANCE_DATA' : [ 0x408, { 'SpinLock' : [ 0x0, ['unsigned long long']], 'HashTable' : [ 0x8, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x40, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer64', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : 
[ 0x30, ['array', 3, ['unsigned long']]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 46, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 46, end_bit = 48, native_type='unsigned long long')]], 'Signature' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x48, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x40, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_PCIE_DEVICE_ID' : [ 0x10, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'ClassCode' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'FunctionNumber' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'DeviceNumber' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Segment' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 24, native_type='unsigned long')]], 'PrimaryBusNumber' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'SecondaryBusNumber' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 10, native_type='unsigned long')]], 'SlotNumber' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 24, native_type='unsigned long')]], 'Reserved2' : [ 0xc, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_HEAP_USERDATA_HEADER' : [ 0x20, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer64', ['_HEAP_SUBSEGMENT']]], 
'Reserved' : [ 0x8, ['pointer64', ['void']]], 'SizeIndex' : [ 0x10, ['unsigned long long']], 'Signature' : [ 0x18, ['unsigned long long']], } ], '_STRING64' : [ 0x10, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x8, ['unsigned long long']], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_WHEA_PCIX_DEV_VALIDATION_BITS' : [ 0x8, { 'ErrorStatusValid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'IdInfoValid' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'MemoryNumberValid' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'IoNumberValid' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'RegisterDataPairValid' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 64, native_type='unsigned long long')]], } ], '_DEFERRED_WRITE' : [ 0x50, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x8, ['pointer64', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x10, ['unsigned long']], 'DeferredWriteLinks' : [ 0x18, ['_LIST_ENTRY']], 'Event' : [ 0x28, ['pointer64', ['_KEVENT']]], 'PostRoutine' : [ 0x30, ['pointer64', ['void']]], 'Context1' : [ 0x38, ['pointer64', ['void']]], 'Context2' : [ 0x40, ['pointer64', ['void']]], 'LimitModifiedPages' : [ 0x48, ['unsigned char']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, 
['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x10, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x8, ['pointer64', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x40, { 'TransferAddress' : [ 0x0, ['pointer64', ['void']]], 'ZeroBits' : [ 0x8, ['unsigned long']], 'MaximumStackSize' : [ 0x10, ['unsigned long long']], 'CommittedStackSize' : [ 0x18, ['unsigned long long']], 'SubSystemType' : [ 0x20, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x24, ['unsigned short']], 'SubSystemMajorVersion' : [ 0x26, ['unsigned short']], 'SubSystemVersion' : [ 0x24, ['unsigned long']], 'GpValue' : [ 0x28, ['unsigned long']], 'ImageCharacteristics' : [ 0x2c, ['unsigned short']], 'DllCharacteristics' : [ 0x2e, ['unsigned short']], 'Machine' : [ 0x30, ['unsigned short']], 'ImageContainsCode' : [ 0x32, ['unsigned char']], 'ImageFlags' : [ 0x33, ['unsigned char']], 'ComPlusNativeReady' : [ 0x33, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x33, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x33, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Reserved' : [ 0x33, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x34, ['unsigned long']], 'ImageFileSize' : [ 0x38, ['unsigned long']], 'CheckSum' : [ 0x3c, ['unsigned long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1a, { 'PerUserPolicy' : [ 0x0, ['array', 26, ['unsigned char']]], } ], '__unnamed_1f1d' : [ 0x10, { 'EndingOffset' : [ 0x0, ['pointer64', ['_LARGE_INTEGER']]], 
'ResourceToRelease' : [ 0x8, ['pointer64', ['pointer64', ['_ERESOURCE']]]], } ], '__unnamed_1f1f' : [ 0x8, { 'ResourceToRelease' : [ 0x0, ['pointer64', ['_ERESOURCE']]], } ], '__unnamed_1f23' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_1f27' : [ 0x10, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x8, ['unsigned char']], } ], '__unnamed_1f29' : [ 0x28, { 'Argument1' : [ 0x0, ['pointer64', ['void']]], 'Argument2' : [ 0x8, ['pointer64', ['void']]], 'Argument3' : [ 0x10, ['pointer64', ['void']]], 'Argument4' : [ 0x18, ['pointer64', ['void']]], 'Argument5' : [ 0x20, ['pointer64', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x28, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_1f1d']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_1f1f']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_1f23']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_1f27']], 'Others' : [ 0x0, ['__unnamed_1f29']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, ['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_INITIAL_PRIVILEGE_SET' : [ 0x2c, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 
0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]], } ], '_POP_HIBER_CONTEXT' : [ 0x158, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'WroteHiberFile' : [ 0x6, ['unsigned char']], 'Lock' : [ 0x8, ['unsigned long long']], 'MapFrozen' : [ 0x10, ['unsigned char']], 'MemoryMap' : [ 0x18, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x28, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x38, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x48, ['unsigned long']], 'NextCloneRange' : [ 0x50, ['pointer64', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x58, ['unsigned long long']], 'LoaderMdl' : [ 0x60, ['pointer64', ['_MDL']]], 'AllocatedMdl' : [ 0x68, ['pointer64', ['_MDL']]], 'PagesOut' : [ 0x70, ['unsigned long long']], 'IoPages' : [ 0x78, ['pointer64', ['void']]], 'CurrentMcb' : [ 0x80, ['pointer64', ['void']]], 'DumpStack' : [ 0x88, ['pointer64', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x90, ['pointer64', ['_KPROCESSOR_STATE']]], 'HiberVa' : [ 0x98, ['unsigned long long']], 'HiberPte' : [ 0xa0, ['_LARGE_INTEGER']], 'Status' : [ 0xa8, ['long']], 'MemoryImage' : [ 0xb0, ['pointer64', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0xb8, ['pointer64', ['_PO_MEMORY_RANGE_ARRAY']]], 'CompressionWorkspace' : [ 0xc0, ['pointer64', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0xc8, ['pointer64', ['unsigned char']]], 'PerformanceStats' : [ 0xd0, ['pointer64', ['unsigned long']]], 'CompressionBlock' : [ 0xd8, ['pointer64', ['void']]], 'DmaIO' : [ 0xe0, ['pointer64', ['void']]], 'TemporaryHeap' : [ 0xe8, ['pointer64', ['void']]], 'PerfInfo' : [ 0xf0, ['_PO_HIBER_PERF']], 'BootLoaderLogMdl' : [ 0x150, ['pointer64', ['_MDL']]], } ], '_OBJECT_NAME_INFORMATION' : [ 0x10, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_KDESCRIPTOR' : [ 0x10, { 'Pad' : [ 0x0, ['array', 3, ['unsigned short']]], 
'Limit' : [ 0x6, ['unsigned short']], 'Base' : [ 0x8, ['pointer64', ['void']]], } ], '_DUMP_STACK_CONTEXT' : [ 0x110, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0xa0, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0xa8, ['pointer64', ['void']]], 'PointersLength' : [ 0xb0, ['unsigned long']], 'ModulePrefix' : [ 0xb8, ['pointer64', ['unsigned short']]], 'DriverList' : [ 0xc0, ['_LIST_ENTRY']], 'InitMsg' : [ 0xd0, ['_STRING']], 'ProgMsg' : [ 0xe0, ['_STRING']], 'DoneMsg' : [ 0xf0, ['_STRING']], 'FileObject' : [ 0x100, ['pointer64', ['void']]], 'UsageType' : [ 0x108, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x28, { 'Code' : [ 0x0, ['unsigned long']], 'Parameter1' : [ 0x8, ['unsigned long long']], 'Parameter2' : [ 0x10, ['unsigned long long']], 'Parameter3' : [ 0x18, ['unsigned long long']], 'Parameter4' : [ 0x20, ['unsigned long long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x4, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer64', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '__unnamed_1f51' : [ 0x20, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, 
['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x20, { 'Parameters' : [ 0x0, ['__unnamed_1f51']], } ], '__unnamed_1f55' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_1f55']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], '_NT_TIB32' : [ 0x1c, { 'ExceptionList' : [ 0x0, ['unsigned long']], 'StackBase' : [ 0x4, ['unsigned long']], 'StackLimit' : [ 0x8, ['unsigned long']], 'SubSystemTib' : [ 0xc, ['unsigned long']], 'FiberData' : [ 0x10, ['unsigned long']], 'Version' : [ 0x10, ['unsigned long']], 'ArbitraryUserPointer' : [ 0x14, ['unsigned long']], 'Self' : [ 0x18, ['unsigned long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0x128, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long long']], 'PageSize' : [ 0x18, ['unsigned long']], 'SystemTime' : [ 0x20, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x28, ['unsigned long long']], 'FeatureFlags' : [ 0x30, ['unsigned long']], 'HiberFlags' : [ 0x34, ['unsigned char']], 'spare' : [ 0x35, ['array', 3, ['unsigned char']]], 
'NoHiberPtes' : [ 0x38, ['unsigned long']], 'HiberVa' : [ 0x40, ['unsigned long long']], 'HiberPte' : [ 0x48, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x50, ['unsigned long']], 'FreeMapCheck' : [ 0x54, ['unsigned long']], 'WakeCheck' : [ 0x58, ['unsigned long']], 'TotalPages' : [ 0x60, ['unsigned long long']], 'FirstTablePage' : [ 0x68, ['unsigned long long']], 'LastFilePage' : [ 0x70, ['unsigned long long']], 'PerfInfo' : [ 0x78, ['_PO_HIBER_PERF']], 'NoBootLoaderLogPages' : [ 0xd8, ['unsigned long']], 'BootLoaderLogPages' : [ 0xe0, ['array', 8, ['unsigned long long']]], 'TotalPhysicalMemoryCount' : [ 0x120, ['unsigned long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0x18, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x10, ['pointer64', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x60, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], 'ResumeAppStartTime' : [ 0x48, 
['unsigned long long']], 'ResumeAppEndTime' : [ 0x50, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x58, ['unsigned long long']], } ], '_DEVICE_FLAGS' : [ 0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ConsoleIn' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x20, { 'Parent' : [ 0x0, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x8, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x10, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0x18, ['unsigned char']], 'Reserved' : [ 0x19, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' : [ 0x10, { 'Entry' : [ 0x0, ['unsigned long long']], 'Writable' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ControlArea' : [ 0x8, ['pointer64', ['_CONTROL_AREA']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, 
['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x30, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x8, ['pointer64', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x10, ['_LIST_ENTRY']], 'EntryCount' : [ 0x20, ['unsigned long']], 'ContentionCount' : [ 0x24, ['unsigned long']], 'Flags' : [ 0x28, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x2c, ['unsigned short']], 'SpareUSHORT' : [ 0x2e, ['unsigned short']], } ], '__unnamed_1f74' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_1f76' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1f78' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1f7a' : [ 0x10, { 'NotificationStructure' : [ 0x0, ['pointer64', ['void']]], 'DeviceIds' : [ 0x8, ['array', 1, ['wchar']]], } ], '__unnamed_1f7c' : [ 0x8, { 'Notification' : [ 0x0, ['pointer64', ['void']]], } ], '__unnamed_1f7e' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_1f80' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_1f82' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, 
['_GUID']], } ], '__unnamed_1f84' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_1f86' : [ 0x1c, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'PowerSettingChanged' : [ 0x10, ['unsigned char']], 'DataLength' : [ 0x14, ['unsigned long']], 'Data' : [ 0x18, ['array', 1, ['unsigned char']]], } ], '__unnamed_1f88' : [ 0x20, { 'DeviceClass' : [ 0x0, ['__unnamed_1f74']], 'TargetDevice' : [ 0x0, ['__unnamed_1f76']], 'InstallDevice' : [ 0x0, ['__unnamed_1f78']], 'CustomNotification' : [ 0x0, ['__unnamed_1f7a']], 'ProfileNotification' : [ 0x0, ['__unnamed_1f7c']], 'PowerNotification' : [ 0x0, ['__unnamed_1f7e']], 'VetoNotification' : [ 0x0, ['__unnamed_1f80']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_1f82']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_1f84']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_1f86']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x50, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'InvalidIDEvent', 10: 'PowerSettingChange', 11: 'MaxPlugEventCategory'})]], 'Result' : [ 0x18, ['pointer64', ['unsigned long']]], 'Flags' : [ 0x20, ['unsigned long']], 'TotalSize' : [ 0x24, ['unsigned long']], 'DeviceObject' : [ 0x28, ['pointer64', ['void']]], 'u' : [ 0x30, ['__unnamed_1f88']], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x40, { 'UsedBiosSettings' : [ 0x0, ['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0x10, ['pointer64', ['unsigned char']]], 'PciDeviceId' : [ 0x18, ['unsigned short']], 'PciVendorId' : [ 0x1a, ['unsigned short']], 'PciBusNumber' : [ 0x1c, ['unsigned 
char']], 'PciBusSegment' : [ 0x1e, ['unsigned short']], 'PciSlotNumber' : [ 0x20, ['unsigned char']], 'PciFunctionNumber' : [ 0x21, ['unsigned char']], 'PciFlags' : [ 0x24, ['unsigned long']], 'SystemGUID' : [ 0x28, ['_GUID']], 'IsMMIODevice' : [ 0x38, ['unsigned char']], 'TerminalType' : [ 0x39, ['unsigned char']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x20, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0x10, ['_LIST_ENTRY']], } ], '_PO_MEMORY_RANGE_ARRAY' : [ 0x20, { 'Range' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_RANGE']], 'Link' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], } ], '__unnamed_1f9f' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_1fa1' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_1fa3' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_1f9f']], 'Gpt' : [ 0x0, ['__unnamed_1fa1']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0xa0, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer64', ['void']]], 'CommonBuffer' : [ 0x10, ['array', 2, ['pointer64', ['void']]]], 'PhysicalAddress' : [ 0x20, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x30, ['pointer64', ['void']]], 'OpenRoutine' : [ 0x38, ['pointer64', ['void']]], 'WriteRoutine' : [ 0x40, ['pointer64', ['void']]], 'FinishRoutine' : [ 0x48, ['pointer64', ['void']]], 'AdapterObject' : [ 0x50, ['pointer64', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x58, ['pointer64', ['void']]], 'PortConfiguration' : [ 0x60, ['pointer64', ['void']]], 'CrashDump' : [ 0x68, ['unsigned char']], 'MaximumTransferSize' : [ 0x6c, ['unsigned long']], 'CommonBufferSize' : [ 0x70, ['unsigned long']], 'TargetAddress' : [ 0x78, ['pointer64', ['void']]], 'WritePendingRoutine' : [ 0x80, ['pointer64', ['void']]], 'PartitionStyle' : [ 0x88, ['unsigned long']], 'DiskInfo' : [ 0x8c, ['__unnamed_1fa3']], } ], 
'_MI_SYSTEM_PTE_TYPE' : [ 0x20, { 'FirstFreePte' : [ 0x0, ['pointer64', ['_MMPTE']]], 'FailureCount' : [ 0x8, ['pointer64', ['unsigned long']]], 'GlobalMutex' : [ 0x10, ['pointer64', ['_KGUARDED_MUTEX']]], 'TbFlushTimeStamp' : [ 0x18, ['unsigned long']], } ], '_WORK_QUEUE_ITEM' : [ 0x20, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x10, ['pointer64', ['void']]], 'Parameter' : [ 0x18, ['pointer64', ['void']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x20, { 'DHCPServerACK' : [ 0x0, ['pointer64', ['unsigned char']]], 'DHCPServerACKLength' : [ 0x8, ['unsigned long']], 'BootServerReplyPacket' : [ 0x10, ['pointer64', ['unsigned char']]], 'BootServerReplyPacketLength' : [ 0x18, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x250, { 'Locked' : [ 0x0, ['unsigned char']], 'WarmEjectPdoPointer' : [ 0x8, ['pointer64', ['pointer64', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x10, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x20, { 'PageNo' : [ 0x0, ['unsigned long long']], 'StartPage' : [ 0x8, ['unsigned long long']], 'EndPage' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], } ], '_KTSS64' : [ 0x68, { 'Reserved0' : [ 0x0, ['unsigned long']], 'Rsp0' : [ 0x4, ['unsigned long long']], 'Rsp1' : [ 0xc, ['unsigned long long']], 'Rsp2' : [ 0x14, ['unsigned long long']], 'Ist' : [ 0x1c, ['array', 8, ['unsigned long long']]], 'Reserved1' : [ 0x5c, ['unsigned long long']], 
'Reserved2' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer64', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x48, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x18, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x28, ['_LIST_ENTRY']], 'WaitS0' : [ 0x38, ['_LIST_ENTRY']], } ], '_VI_DEADLOCK_ADDRESS_RANGE' : [ 0x10, { 'Start' : [ 0x0, ['pointer64', ['unsigned char']]], 'End' : [ 0x8, ['pointer64', ['unsigned char']]], } ], '_GDI_TEB_BATCH32' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x18, { 'Next' : [ 0x0, ['pointer64', ['_PO_MEMORY_RANGE_ARRAY']]], 'NextTable' : [ 0x8, ['unsigned long long']], 'CheckSum' : [ 0x10, ['unsigned long']], 'EntryCount' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY64' : [ 0x10, { 'OffsetLow' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'IstIndex' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned short')]], 'Reserved0' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned short')]], 'Type' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned short')]], 'Dpl' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned short')]], 'Present' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned short')]], 'OffsetMiddle' : [ 0x6, ['unsigned short']], 'OffsetHigh' : [ 0x8, ['unsigned long']], 'Reserved1' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0x18, { 'ChainLink' : [ 0x0, ['pointer64', ['_OBJECT_DIRECTORY_ENTRY']]], 
'Object' : [ 0x8, ['pointer64', ['void']]], 'HashValue' : [ 0x10, ['unsigned long']], } ], '_ETW_REPLY_QUEUE' : [ 0x48, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x40, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer64', ['pointer64', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0x18, { 'Previous' : [ 0x0, ['pointer64', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x8, ['pointer64', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x10, ['unsigned long']], } ], '__unnamed_1fda' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['unsigned char']], 'Flags1' : [ 0x1, ['unsigned char']], 'Flags2' : [ 0x2, ['unsigned char']], 'BaseHigh' : [ 0x3, ['unsigned char']], } ], '__unnamed_1fde' : [ 0x4, { 'BaseMiddle' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]], 'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]], 'Present' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'LimitHigh' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'System' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'LongMode' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'DefaultBig' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 
'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'BaseHigh' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_KGDTENTRY64' : [ 0x10, { 'LimitLow' : [ 0x0, ['unsigned short']], 'BaseLow' : [ 0x2, ['unsigned short']], 'Bytes' : [ 0x4, ['__unnamed_1fda']], 'Bits' : [ 0x4, ['__unnamed_1fde']], 'BaseUpper' : [ 0x8, ['unsigned long']], 'MustBeZero' : [ 0xc, ['unsigned long']], 'Alignment' : [ 0x0, ['unsigned long long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x68, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x20, ['pointer64', ['void']]], 'WhichOrderedElement' : [ 0x28, ['unsigned long']], 'NumberGenericTableElements' : [ 0x2c, ['unsigned long']], 'DepthOfTree' : [ 0x30, ['unsigned long']], 'RestartKey' : [ 0x38, ['pointer64', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x40, ['unsigned long']], 'CompareRoutine' : [ 0x48, ['pointer64', ['void']]], 'AllocateRoutine' : [ 0x50, ['pointer64', ['void']]], 'FreeRoutine' : [ 0x58, ['pointer64', ['void']]], 'TableContext' : [ 0x60, ['pointer64', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], }
# volatility-2.3.1/volatility/plugins/overlays/windows/vista_sp1_x86_vtypes.py
ntkrnlmp_types = { '_KRESOURCEMANAGER_COMPLETION_BINDING' : [ 0x14, { 'NotificationListHead' : [ 0x0, ['_LIST_ENTRY']], 'Port' : [ 0x8, ['pointer', ['void']]], 'Key' : [ 0xc, ['unsigned long']], 'BindingProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], } ], '_VF_TRACKER' : [ 0x10, { 'TrackerFlags' : [ 0x0, ['unsigned long']], 'TrackerSize' : [ 0x4, ['unsigned 
long']], 'TrackerIndex' : [ 0x8, ['unsigned long']], 'TraceDepth' : [ 0xc, ['unsigned long']], } ], '_EX_RUNDOWN_REF' : [ 0x4, { 'Count' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_CALL_PERFORMANCE_DATA' : [ 0x204, { 'SpinLock' : [ 0x0, ['unsigned long']], 'HashTable' : [ 0x4, ['array', 64, ['_LIST_ENTRY']]], } ], '_ARBITER_ALTERNATIVE' : [ 0x38, { 'Minimum' : [ 0x0, ['unsigned long long']], 'Maximum' : [ 0x8, ['unsigned long long']], 'Length' : [ 0x10, ['unsigned long long']], 'Alignment' : [ 0x18, ['unsigned long long']], 'Priority' : [ 0x20, ['long']], 'Flags' : [ 0x24, ['unsigned long']], 'Descriptor' : [ 0x28, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Reserved' : [ 0x2c, ['array', 3, ['unsigned long']]], } ], '_WHEA_PERSISTENCE_INFO' : [ 0x8, { 'Signature' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long long')]], 'Length' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 40, native_type='unsigned long long')]], 'Identifier' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 56, native_type='unsigned long long')]], 'Attributes' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 58, native_type='unsigned long long')]], 'DoNotLog' : [ 0x0, ['BitField', dict(start_bit = 58, end_bit = 59, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 59, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_MI_SECTION_IMAGE_INFORMATION' : [ 0x38, { 'ExportedImageInformation' : [ 0x0, ['_SECTION_IMAGE_INFORMATION']], 'InternalImageInformation' : [ 0x30, ['_MI_EXTRA_IMAGE_INFORMATION']], } ], '_HEAP_USERDATA_HEADER' : [ 0x10, { 'SFreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'SubSegment' : [ 0x0, ['pointer', ['_HEAP_SUBSEGMENT']]], 'Reserved' : [ 0x4, ['pointer', ['void']]], 'SizeIndex' : [ 0x8, ['unsigned long']], 'Signature' : [ 0xc, ['unsigned long']], } ], '_PPM_DIA_STATS' : [ 0xc, { 'PerfLevel' : [ 0x0, 
['unsigned long']], 'IdleTime' : [ 0x4, ['unsigned long']], 'TimeInterval' : [ 0x8, ['unsigned long']], } ], '_STACK_TABLE' : [ 0x8040, { 'NumStackTraces' : [ 0x0, ['unsigned short']], 'TraceCapacity' : [ 0x2, ['unsigned short']], 'StackTrace' : [ 0x4, ['array', 16, ['pointer', ['_OBJECT_REF_TRACE']]]], 'StackTableHash' : [ 0x44, ['array', 16381, ['unsigned short']]], } ], '_CM_INDEX_HINT_BLOCK' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'HashKey' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_TOKEN_CONTROL' : [ 0x28, { 'TokenId' : [ 0x0, ['_LUID']], 'AuthenticationId' : [ 0x8, ['_LUID']], 'ModifiedId' : [ 0x10, ['_LUID']], 'TokenSource' : [ 0x18, ['_TOKEN_SOURCE']], } ], '_DEFERRED_WRITE' : [ 0x28, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'FileObject' : [ 0x4, ['pointer', ['_FILE_OBJECT']]], 'BytesToWrite' : [ 0x8, ['unsigned long']], 'DeferredWriteLinks' : [ 0xc, ['_LIST_ENTRY']], 'Event' : [ 0x14, ['pointer', ['_KEVENT']]], 'PostRoutine' : [ 0x18, ['pointer', ['void']]], 'Context1' : [ 0x1c, ['pointer', ['void']]], 'Context2' : [ 0x20, ['pointer', ['void']]], 'LimitModifiedPages' : [ 0x24, ['unsigned char']], } ], '_DBGKD_ANY_CONTROL_SET' : [ 0x1c, { 'X86ControlSet' : [ 0x0, ['_X86_DBGKD_CONTROL_SET']], 'AlphaControlSet' : [ 0x0, ['unsigned long']], 'IA64ControlSet' : [ 0x0, ['_IA64_DBGKD_CONTROL_SET']], 'Amd64ControlSet' : [ 0x0, ['_AMD64_DBGKD_CONTROL_SET']], 'ArmControlSet' : [ 0x0, ['_ARM_DBGKD_CONTROL_SET']], } ], '_ARBITER_ORDERING_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned short']], 'Maximum' : [ 0x2, ['unsigned short']], 'Orderings' : [ 0x4, ['pointer', ['_ARBITER_ORDERING']]], } ], '_SECTION_IMAGE_INFORMATION' : [ 0x30, { 'TransferAddress' : [ 0x0, ['pointer', ['void']]], 'ZeroBits' : [ 0x4, ['unsigned long']], 'MaximumStackSize' : [ 0x8, ['unsigned long']], 'CommittedStackSize' : [ 0xc, ['unsigned long']], 'SubSystemType' : [ 0x10, ['unsigned long']], 'SubSystemMinorVersion' : [ 0x14, ['unsigned short']], 
'SubSystemMajorVersion' : [ 0x16, ['unsigned short']], 'SubSystemVersion' : [ 0x14, ['unsigned long']], 'GpValue' : [ 0x18, ['unsigned long']], 'ImageCharacteristics' : [ 0x1c, ['unsigned short']], 'DllCharacteristics' : [ 0x1e, ['unsigned short']], 'Machine' : [ 0x20, ['unsigned short']], 'ImageContainsCode' : [ 0x22, ['unsigned char']], 'ImageFlags' : [ 0x23, ['unsigned char']], 'ComPlusNativeReady' : [ 0x23, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ComPlusILOnly' : [ 0x23, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ImageDynamicallyRelocated' : [ 0x23, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'ImageMappedFlat' : [ 0x23, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Reserved' : [ 0x23, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'LoaderFlags' : [ 0x24, ['unsigned long']], 'ImageFileSize' : [ 0x28, ['unsigned long']], 'CheckSum' : [ 0x2c, ['unsigned long']], } ], '_ARM_DBGKD_CONTROL_SET' : [ 0xc, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long']], 'CurrentSymbolEnd' : [ 0x8, ['unsigned long']], } ], '_TOKEN_AUDIT_POLICY' : [ 0x1b, { 'PerUserPolicy' : [ 0x0, ['array', 27, ['unsigned char']]], } ], '__unnamed_203f' : [ 0x8, { 'EndingOffset' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'ResourceToRelease' : [ 0x4, ['pointer', ['pointer', ['_ERESOURCE']]]], } ], '__unnamed_2041' : [ 0x4, { 'ResourceToRelease' : [ 0x0, ['pointer', ['_ERESOURCE']]], } ], '__unnamed_2045' : [ 0x8, { 'SyncType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SyncTypeOther', 1: 'SyncTypeCreateSection'})]], 'PageProtection' : [ 0x4, ['unsigned long']], } ], '__unnamed_2049' : [ 0x8, { 'NotificationType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NotifyTypeCreate', 1: 'NotifyTypeRetired'})]], 'SafeToRecurse' : [ 0x4, ['unsigned char']], } ], 
'__unnamed_204b' : [ 0x14, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], 'Argument5' : [ 0x10, ['pointer', ['void']]], } ], '_FS_FILTER_PARAMETERS' : [ 0x14, { 'AcquireForModifiedPageWriter' : [ 0x0, ['__unnamed_203f']], 'ReleaseForModifiedPageWriter' : [ 0x0, ['__unnamed_2041']], 'AcquireForSectionSynchronization' : [ 0x0, ['__unnamed_2045']], 'NotifyStreamFileObject' : [ 0x0, ['__unnamed_2049']], 'Others' : [ 0x0, ['__unnamed_204b']], } ], '_PROFILE_PARAMETER_BLOCK' : [ 0x10, { 'Status' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'DockingState' : [ 0x4, ['unsigned short']], 'Capabilities' : [ 0x6, ['unsigned short']], 'DockID' : [ 0x8, ['unsigned long']], 'SerialNumber' : [ 0xc, ['unsigned long']], } ], '_COMPRESSED_DATA_INFO' : [ 0xc, { 'CompressionFormatAndEngine' : [ 0x0, ['unsigned short']], 'CompressionUnitShift' : [ 0x2, ['unsigned char']], 'ChunkShift' : [ 0x3, ['unsigned char']], 'ClusterShift' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'NumberOfChunks' : [ 0x6, ['unsigned short']], 'CompressedChunkSizes' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_POP_HIBER_CONTEXT' : [ 0x100, { 'WriteToFile' : [ 0x0, ['unsigned char']], 'ReserveLoaderMemory' : [ 0x1, ['unsigned char']], 'ReserveFreeMemory' : [ 0x2, ['unsigned char']], 'VerifyOnWake' : [ 0x3, ['unsigned char']], 'Reset' : [ 0x4, ['unsigned char']], 'HiberFlags' : [ 0x5, ['unsigned char']], 'WroteHiberFile' : [ 0x6, ['unsigned char']], 'Lock' : [ 0x8, ['unsigned long']], 'MapFrozen' : [ 0xc, ['unsigned char']], 'MemoryMap' : [ 0x10, ['_RTL_BITMAP']], 'DiscardedMemoryPages' : [ 0x18, ['_RTL_BITMAP']], 'ClonedRanges' : [ 0x20, ['_LIST_ENTRY']], 'ClonedRangeCount' : [ 0x28, ['unsigned long']], 'NextCloneRange' : [ 0x2c, ['pointer', ['_LIST_ENTRY']]], 'NextPreserve' : [ 0x30, ['unsigned long']], 'LoaderMdl' : [ 0x34, 
['pointer', ['_MDL']]], 'AllocatedMdl' : [ 0x38, ['pointer', ['_MDL']]], 'PagesOut' : [ 0x40, ['unsigned long long']], 'IoPages' : [ 0x48, ['pointer', ['void']]], 'IoPagesCount' : [ 0x4c, ['unsigned long']], 'CurrentMcb' : [ 0x50, ['pointer', ['void']]], 'DumpStack' : [ 0x54, ['pointer', ['_DUMP_STACK_CONTEXT']]], 'WakeState' : [ 0x58, ['pointer', ['_KPROCESSOR_STATE']]], 'HiberVa' : [ 0x5c, ['unsigned long']], 'HiberPte' : [ 0x60, ['_LARGE_INTEGER']], 'Status' : [ 0x68, ['long']], 'MemoryImage' : [ 0x6c, ['pointer', ['PO_MEMORY_IMAGE']]], 'TableHead' : [ 0x70, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'CompressionWorkspace' : [ 0x74, ['pointer', ['unsigned char']]], 'CompressedWriteBuffer' : [ 0x78, ['pointer', ['unsigned char']]], 'PerformanceStats' : [ 0x7c, ['pointer', ['unsigned long']]], 'CompressionBlock' : [ 0x80, ['pointer', ['void']]], 'DmaIO' : [ 0x84, ['pointer', ['void']]], 'TemporaryHeap' : [ 0x88, ['pointer', ['void']]], 'PerfInfo' : [ 0x90, ['_PO_HIBER_PERF']], 'BootLoaderLogMdl' : [ 0xf0, ['pointer', ['_MDL']]], 'FirmwareRuntimeInformationMdl' : [ 0xf4, ['pointer', ['_MDL']]], 'ResumeContext' : [ 0xf8, ['pointer', ['void']]], 'ResumeContextPages' : [ 0xfc, ['unsigned long']], } ], '_OBJECT_REF_TRACE' : [ 0x40, { 'StackTrace' : [ 0x0, ['array', 16, ['pointer', ['void']]]], } ], '_OBJECT_NAME_INFORMATION' : [ 0x8, { 'Name' : [ 0x0, ['_UNICODE_STRING']], } ], '_DUMP_STACK_CONTEXT' : [ 0xb0, { 'Init' : [ 0x0, ['_DUMP_INITIALIZATION_CONTEXT']], 'PartitionOffset' : [ 0x70, ['_LARGE_INTEGER']], 'DumpPointers' : [ 0x78, ['pointer', ['void']]], 'PointersLength' : [ 0x7c, ['unsigned long']], 'ModulePrefix' : [ 0x80, ['pointer', ['unsigned short']]], 'DriverList' : [ 0x84, ['_LIST_ENTRY']], 'InitMsg' : [ 0x8c, ['_STRING']], 'ProgMsg' : [ 0x94, ['_STRING']], 'DoneMsg' : [ 0x9c, ['_STRING']], 'FileObject' : [ 0xa4, ['pointer', ['void']]], 'UsageType' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 
'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '_FILE_STANDARD_INFORMATION' : [ 0x18, { 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x8, ['_LARGE_INTEGER']], 'NumberOfLinks' : [ 0x10, ['unsigned long']], 'DeletePending' : [ 0x14, ['unsigned char']], 'Directory' : [ 0x15, ['unsigned char']], } ], '_POP_SHUTDOWN_BUG_CHECK' : [ 0x20, { 'ThreadHandle' : [ 0x0, ['pointer', ['void']]], 'ThreadId' : [ 0x4, ['pointer', ['void']]], 'ProcessId' : [ 0x8, ['pointer', ['void']]], 'Code' : [ 0xc, ['unsigned long']], 'Parameter1' : [ 0x10, ['unsigned long']], 'Parameter2' : [ 0x14, ['unsigned long']], 'Parameter3' : [ 0x18, ['unsigned long']], 'Parameter4' : [ 0x1c, ['unsigned long']], } ], '_MI_EXTRA_IMAGE_INFORMATION' : [ 0x8, { 'SizeOfHeaders' : [ 0x0, ['unsigned long']], 'ImageMerge' : [ 0x4, ['pointer', ['void']]], } ], '_RTL_HANDLE_TABLE_ENTRY' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 'NextFree' : [ 0x0, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_SECURITY_DESCRIPTOR_RELATIVE' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['unsigned long']], 'Group' : [ 0x8, ['unsigned long']], 'Sacl' : [ 0xc, ['unsigned long']], 'Dacl' : [ 0x10, ['unsigned long']], } ], '_WHEA_GENERIC_PROCESSOR_ERROR_VALIDBITS' : [ 0x8, { 'ProcessorType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'InstructionSet' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Operation' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Flags' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Level' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, 
native_type='unsigned long long')]], 'CPUVersion' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'CPUBrandString' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'ProcessorId' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'TargetAddress' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'InstructionPointer' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '__unnamed_2072' : [ 0x10, { 'TestAllocation' : [ 0x0, ['_ARBITER_TEST_ALLOCATION_PARAMETERS']], 'RetestAllocation' : [ 0x0, ['_ARBITER_RETEST_ALLOCATION_PARAMETERS']], 'BootAllocation' : [ 0x0, ['_ARBITER_BOOT_ALLOCATION_PARAMETERS']], 'QueryAllocatedResources' : [ 0x0, ['_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS']], 'QueryConflict' : [ 0x0, ['_ARBITER_QUERY_CONFLICT_PARAMETERS']], 'QueryArbitrate' : [ 0x0, ['_ARBITER_QUERY_ARBITRATE_PARAMETERS']], 'AddReserved' : [ 0x0, ['_ARBITER_ADD_RESERVED_PARAMETERS']], } ], '_ARBITER_PARAMETERS' : [ 0x10, { 'Parameters' : [ 0x0, ['__unnamed_2072']], } ], '__unnamed_2076' : [ 0x8, { 'idxRecord' : [ 0x0, ['unsigned long']], 'cidContainer' : [ 0x4, ['unsigned long']], } ], '_CLS_LSN' : [ 0x8, { 'offset' : [ 0x0, ['__unnamed_2076']], 'ullOffset' : [ 0x0, ['unsigned long long']], } ], 'POWER_ACTION_POLICY' : [ 0xc, { 'Action' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 
'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'Flags' : [ 0x4, ['unsigned long']], 'EventCode' : [ 0x8, ['unsigned long']], } ], 'PO_MEMORY_IMAGE' : [ 0xf0, { 'Signature' : [ 0x0, ['unsigned long']], 'ImageType' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'LengthSelf' : [ 0xc, ['unsigned long']], 'PageSelf' : [ 0x10, ['unsigned long']], 'PageSize' : [ 0x14, ['unsigned long']], 'SystemTime' : [ 0x18, ['_LARGE_INTEGER']], 'InterruptTime' : [ 0x20, ['unsigned long long']], 'FeatureFlags' : [ 0x28, ['unsigned long']], 'HiberFlags' : [ 0x2c, ['unsigned char']], 'spare' : [ 0x2d, ['array', 3, ['unsigned char']]], 'NoHiberPtes' : [ 0x30, ['unsigned long']], 'HiberVa' : [ 0x34, ['unsigned long']], 'HiberPte' : [ 0x38, ['_LARGE_INTEGER']], 'NoFreePages' : [ 0x40, ['unsigned long']], 'FreeMapCheck' : [ 0x44, ['unsigned long']], 'WakeCheck' : [ 0x48, ['unsigned long']], 'TotalPages' : [ 0x4c, ['unsigned long']], 'FirstTablePage' : [ 0x50, ['unsigned long']], 'LastFilePage' : [ 0x54, ['unsigned long']], 'PerfInfo' : [ 0x58, ['_PO_HIBER_PERF']], 'FirmwareRuntimeInformationPages' : [ 0xb8, ['unsigned long']], 'FirmwareRuntimeInformation' : [ 0xbc, ['array', 1, ['unsigned long']]], 'NoBootLoaderLogPages' : [ 0xc0, ['unsigned long']], 'BootLoaderLogPages' : [ 0xc4, ['array', 8, ['unsigned long']]], 'NotUsed' : [ 0xe4, ['unsigned long']], 'ResumeContextCheck' : [ 0xe8, ['unsigned long']], 'ResumeContextPages' : [ 0xec, ['unsigned long']], } ], 'EX_QUEUE_WORKER_INFO' : [ 0x4, { 'QueueDisabled' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'MakeThreadsAsNecessary' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'WaitMode' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WorkerCount' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 
'QueueWorkerInfo' : [ 0x0, ['long']], } ], 'BATTERY_REPORTING_SCALE' : [ 0x8, { 'Granularity' : [ 0x0, ['unsigned long']], 'Capacity' : [ 0x4, ['unsigned long']], } ], '_CURDIR' : [ 0xc, { 'DosPath' : [ 0x0, ['_UNICODE_STRING']], 'Handle' : [ 0x8, ['pointer', ['void']]], } ], '_PO_HIBER_PERF' : [ 0x60, { 'IoTicks' : [ 0x0, ['unsigned long long']], 'InitTicks' : [ 0x8, ['unsigned long long']], 'CopyTicks' : [ 0x10, ['unsigned long long']], 'StartCount' : [ 0x18, ['unsigned long long']], 'ElapsedTime' : [ 0x20, ['unsigned long']], 'IoTime' : [ 0x24, ['unsigned long']], 'CopyTime' : [ 0x28, ['unsigned long']], 'InitTime' : [ 0x2c, ['unsigned long']], 'PagesWritten' : [ 0x30, ['unsigned long']], 'PagesProcessed' : [ 0x34, ['unsigned long']], 'BytesCopied' : [ 0x38, ['unsigned long']], 'DumpCount' : [ 0x3c, ['unsigned long']], 'FileRuns' : [ 0x40, ['unsigned long']], 'ResumeAppStartTime' : [ 0x48, ['unsigned long long']], 'ResumeAppEndTime' : [ 0x50, ['unsigned long long']], 'HiberFileResumeTime' : [ 0x58, ['unsigned long long']], } ], '_DEVICE_FLAGS' : [ 0x4, { 'Failed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Removable' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ConsoleIn' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConsoleOut' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Input' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Output' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], } ], '_RTL_BALANCED_LINKS' : [ 0x10, { 'Parent' : [ 0x0, ['pointer', ['_RTL_BALANCED_LINKS']]], 'LeftChild' : [ 0x4, ['pointer', ['_RTL_BALANCED_LINKS']]], 'RightChild' : [ 0x8, ['pointer', ['_RTL_BALANCED_LINKS']]], 'Balance' : [ 0xc, 
['unsigned char']], 'Reserved' : [ 0xd, ['array', 3, ['unsigned char']]], } ], '_MMVIEW' : [ 0x8, { 'Entry' : [ 0x0, ['unsigned long']], 'Writable' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ControlArea' : [ 0x4, ['pointer', ['_CONTROL_AREA']]], } ], '_MM_SESSION_SPACE_FLAGS' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeletePending' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PoolInitialized' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DynamicVaInitialized' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'WsInitialized' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'PoolDestroyed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ObjectInitialized' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Filler' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_RTL_CRITICAL_SECTION_DEBUG' : [ 0x20, { 'Type' : [ 0x0, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x2, ['unsigned short']], 'CriticalSection' : [ 0x4, ['pointer', ['_RTL_CRITICAL_SECTION']]], 'ProcessLocksList' : [ 0x8, ['_LIST_ENTRY']], 'EntryCount' : [ 0x10, ['unsigned long']], 'ContentionCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'CreatorBackTraceIndexHigh' : [ 0x1c, ['unsigned short']], 'SpareUSHORT' : [ 0x1e, ['unsigned short']], } ], '__unnamed_2093' : [ 0x14, { 'ClassGuid' : [ 0x0, ['_GUID']], 'SymbolicLinkName' : [ 0x10, ['array', 1, ['wchar']]], } ], '__unnamed_2095' : [ 0x2, { 'DeviceIds' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2097' : [ 0x2, { 'DeviceId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_2099' : [ 0x8, { 'NotificationStructure' : [ 0x0, 
['pointer', ['void']]], 'DeviceIds' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_209b' : [ 0x4, { 'Notification' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_209d' : [ 0x8, { 'NotificationCode' : [ 0x0, ['unsigned long']], 'NotificationData' : [ 0x4, ['unsigned long']], } ], '__unnamed_209f' : [ 0x8, { 'VetoType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]], 'DeviceIdVetoNameBuffer' : [ 0x4, ['array', 1, ['wchar']]], } ], '__unnamed_20a1' : [ 0x10, { 'BlockedDriverGuid' : [ 0x0, ['_GUID']], } ], '__unnamed_20a3' : [ 0x2, { 'ParentId' : [ 0x0, ['array', 1, ['wchar']]], } ], '__unnamed_20a5' : [ 0x1c, { 'PowerSettingGuid' : [ 0x0, ['_GUID']], 'PowerSettingChanged' : [ 0x10, ['unsigned char']], 'DataLength' : [ 0x14, ['unsigned long']], 'Data' : [ 0x18, ['array', 1, ['unsigned char']]], } ], '__unnamed_20a7' : [ 0x1c, { 'DeviceClass' : [ 0x0, ['__unnamed_2093']], 'TargetDevice' : [ 0x0, ['__unnamed_2095']], 'InstallDevice' : [ 0x0, ['__unnamed_2097']], 'CustomNotification' : [ 0x0, ['__unnamed_2099']], 'ProfileNotification' : [ 0x0, ['__unnamed_209b']], 'PowerNotification' : [ 0x0, ['__unnamed_209d']], 'VetoNotification' : [ 0x0, ['__unnamed_209f']], 'BlockedDriverNotification' : [ 0x0, ['__unnamed_20a1']], 'InvalidIDNotification' : [ 0x0, ['__unnamed_20a3']], 'PowerSettingNotification' : [ 0x0, ['__unnamed_20a5']], } ], '_PLUGPLAY_EVENT_BLOCK' : [ 0x40, { 'EventGuid' : [ 0x0, ['_GUID']], 'EventCategory' : [ 0x10, ['Enumeration', dict(target = 'long', choices = {0: 'HardwareProfileChangeEvent', 1: 'TargetDeviceChangeEvent', 2: 'DeviceClassChangeEvent', 3: 'CustomDeviceEvent', 4: 
'DeviceInstallEvent', 5: 'DeviceArrivalEvent', 6: 'PowerEvent', 7: 'VetoEvent', 8: 'BlockedDriverEvent', 9: 'InvalidIDEvent', 10: 'PowerSettingChange', 11: 'MaxPlugEventCategory'})]], 'Result' : [ 0x14, ['pointer', ['unsigned long']]], 'Flags' : [ 0x18, ['unsigned long']], 'TotalSize' : [ 0x1c, ['unsigned long']], 'DeviceObject' : [ 0x20, ['pointer', ['void']]], 'u' : [ 0x24, ['__unnamed_20a7']], } ], '_HEADLESS_LOADER_BLOCK' : [ 0x34, { 'UsedBiosSettings' : [ 0x0, ['unsigned char']], 'DataBits' : [ 0x1, ['unsigned char']], 'StopBits' : [ 0x2, ['unsigned char']], 'Parity' : [ 0x3, ['unsigned char']], 'BaudRate' : [ 0x4, ['unsigned long']], 'PortNumber' : [ 0x8, ['unsigned long']], 'PortAddress' : [ 0xc, ['pointer', ['unsigned char']]], 'PciDeviceId' : [ 0x10, ['unsigned short']], 'PciVendorId' : [ 0x12, ['unsigned short']], 'PciBusNumber' : [ 0x14, ['unsigned char']], 'PciBusSegment' : [ 0x16, ['unsigned short']], 'PciSlotNumber' : [ 0x18, ['unsigned char']], 'PciFunctionNumber' : [ 0x19, ['unsigned char']], 'PciFlags' : [ 0x1c, ['unsigned long']], 'SystemGUID' : [ 0x20, ['_GUID']], 'IsMMIODevice' : [ 0x30, ['unsigned char']], 'TerminalType' : [ 0x31, ['unsigned char']], } ], '_POWER_CHANNEL_SUMMARY' : [ 0x14, { 'Signature' : [ 0x0, ['unsigned long']], 'TotalCount' : [ 0x4, ['unsigned long']], 'D0Count' : [ 0x8, ['unsigned long']], 'NotifyList' : [ 0xc, ['_LIST_ENTRY']], } ], '_PO_MEMORY_RANGE_ARRAY' : [ 0x10, { 'Range' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_RANGE']], 'Link' : [ 0x0, ['_PO_MEMORY_RANGE_ARRAY_LINK']], } ], '__unnamed_20be' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned long']], 'CheckSum' : [ 0x4, ['unsigned long']], } ], '__unnamed_20c0' : [ 0x10, { 'DiskId' : [ 0x0, ['_GUID']], } ], '__unnamed_20c2' : [ 0x10, { 'Mbr' : [ 0x0, ['__unnamed_20be']], 'Gpt' : [ 0x0, ['__unnamed_20c0']], } ], '_DUMP_INITIALIZATION_CONTEXT' : [ 0x70, { 'Length' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'MemoryBlock' : [ 0x8, ['pointer', ['void']]], 
'CommonBuffer' : [ 0xc, ['array', 2, ['pointer', ['void']]]], 'PhysicalAddress' : [ 0x18, ['array', 2, ['_LARGE_INTEGER']]], 'StallRoutine' : [ 0x28, ['pointer', ['void']]], 'OpenRoutine' : [ 0x2c, ['pointer', ['void']]], 'WriteRoutine' : [ 0x30, ['pointer', ['void']]], 'FinishRoutine' : [ 0x34, ['pointer', ['void']]], 'AdapterObject' : [ 0x38, ['pointer', ['_ADAPTER_OBJECT']]], 'MappedRegisterBase' : [ 0x3c, ['pointer', ['void']]], 'PortConfiguration' : [ 0x40, ['pointer', ['void']]], 'CrashDump' : [ 0x44, ['unsigned char']], 'MaximumTransferSize' : [ 0x48, ['unsigned long']], 'CommonBufferSize' : [ 0x4c, ['unsigned long']], 'TargetAddress' : [ 0x50, ['pointer', ['void']]], 'WritePendingRoutine' : [ 0x54, ['pointer', ['void']]], 'PartitionStyle' : [ 0x58, ['unsigned long']], 'DiskInfo' : [ 0x5c, ['__unnamed_20c2']], } ], '_MI_SYSTEM_PTE_TYPE' : [ 0x2c, { 'Bitmap' : [ 0x0, ['_RTL_BITMAP']], 'Hint' : [ 0x8, ['unsigned long']], 'BasePte' : [ 0xc, ['pointer', ['_MMPTE']]], 'FailureCount' : [ 0x10, ['pointer', ['unsigned long']]], 'Vm' : [ 0x14, ['pointer', ['_MMSUPPORT']]], 'TotalSystemPtes' : [ 0x18, ['long']], 'TotalFreeSystemPtes' : [ 0x1c, ['long']], 'CachedPteCount' : [ 0x20, ['long']], 'PteFailures' : [ 0x24, ['unsigned long']], 'GlobalMutex' : [ 0x28, ['pointer', ['_KGUARDED_MUTEX']]], } ], '_NETWORK_LOADER_BLOCK' : [ 0x10, { 'DHCPServerACK' : [ 0x0, ['pointer', ['unsigned char']]], 'DHCPServerACKLength' : [ 0x4, ['unsigned long']], 'BootServerReplyPacket' : [ 0x8, ['pointer', ['unsigned char']]], 'BootServerReplyPacketLength' : [ 0xc, ['unsigned long']], } ], '_CM_KEY_SECURITY' : [ 0x28, { 'Signature' : [ 0x0, ['unsigned short']], 'Reserved' : [ 0x2, ['unsigned short']], 'Flink' : [ 0x4, ['unsigned long']], 'Blink' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['unsigned long']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'Descriptor' : [ 0x14, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_PO_DEVICE_NOTIFY_ORDER' : [ 0x148, { 'Locked' : [ 0x0, 
['unsigned char']], 'WarmEjectPdoPointer' : [ 0x4, ['pointer', ['pointer', ['_DEVICE_OBJECT']]]], 'OrderLevel' : [ 0x8, ['array', 8, ['_PO_NOTIFY_ORDER_LEVEL']]], } ], '_IA64_DBGKD_CONTROL_SET' : [ 0x14, { 'Continue' : [ 0x0, ['unsigned long']], 'CurrentSymbolStart' : [ 0x4, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long long']], } ], '_PO_MEMORY_RANGE_ARRAY_RANGE' : [ 0x10, { 'PageNo' : [ 0x0, ['unsigned long']], 'StartPage' : [ 0x4, ['unsigned long']], 'EndPage' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], } ], '_ARBITER_CONFLICT_INFO' : [ 0x18, { 'OwningObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Start' : [ 0x8, ['unsigned long long']], 'End' : [ 0x10, ['unsigned long long']], } ], '_PO_NOTIFY_ORDER_LEVEL' : [ 0x28, { 'DeviceCount' : [ 0x0, ['unsigned long']], 'ActiveCount' : [ 0x4, ['unsigned long']], 'WaitSleep' : [ 0x8, ['_LIST_ENTRY']], 'ReadySleep' : [ 0x10, ['_LIST_ENTRY']], 'ReadyS0' : [ 0x18, ['_LIST_ENTRY']], 'WaitS0' : [ 0x20, ['_LIST_ENTRY']], } ], '_VI_DEADLOCK_ADDRESS_RANGE' : [ 0x8, { 'Start' : [ 0x0, ['pointer', ['unsigned char']]], 'End' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_AMD64_DBGKD_CONTROL_SET' : [ 0x1c, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long long']], 'CurrentSymbolStart' : [ 0xc, ['unsigned long long']], 'CurrentSymbolEnd' : [ 0x14, ['unsigned long long']], } ], '_PO_MEMORY_RANGE_ARRAY_LINK' : [ 0x10, { 'Next' : [ 0x0, ['pointer', ['_PO_MEMORY_RANGE_ARRAY']]], 'NextTable' : [ 0x4, ['unsigned long']], 'CheckSum' : [ 0x8, ['unsigned long']], 'EntryCount' : [ 0xc, ['unsigned long']], } ], '_ETW_REPLY_QUEUE' : [ 0x2c, { 'Queue' : [ 0x0, ['_KQUEUE']], 'EventsLost' : [ 0x28, ['long']], } ], '_ARBITER_QUERY_ALLOCATED_RESOURCES_PARAMETERS' : [ 0x4, { 'AllocatedResources' : [ 0x0, ['pointer', ['pointer', ['_CM_PARTIAL_RESOURCE_LIST']]]], } ], '_KSPECIAL_REGISTERS' : [ 0x54, { 'Cr0' : [ 0x0, ['unsigned long']], 'Cr2' : [ 0x4, ['unsigned long']], 'Cr3' 
: [ 0x8, ['unsigned long']], 'Cr4' : [ 0xc, ['unsigned long']], 'KernelDr0' : [ 0x10, ['unsigned long']], 'KernelDr1' : [ 0x14, ['unsigned long']], 'KernelDr2' : [ 0x18, ['unsigned long']], 'KernelDr3' : [ 0x1c, ['unsigned long']], 'KernelDr6' : [ 0x20, ['unsigned long']], 'KernelDr7' : [ 0x24, ['unsigned long']], 'Gdtr' : [ 0x28, ['_DESCRIPTOR']], 'Idtr' : [ 0x30, ['_DESCRIPTOR']], 'Tr' : [ 0x38, ['unsigned short']], 'Ldtr' : [ 0x3a, ['unsigned short']], 'Reserved' : [ 0x3c, ['array', 6, ['unsigned long']]], } ], '_RTL_ACTIVATION_CONTEXT_STACK_FRAME' : [ 0xc, { 'Previous' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'ActivationContext' : [ 0x4, ['pointer', ['_ACTIVATION_CONTEXT']]], 'Flags' : [ 0x8, ['unsigned long']], } ], '_ARBITER_ORDERING' : [ 0x10, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], } ], '_RTL_AVL_TABLE' : [ 0x38, { 'BalancedRoot' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'OrderedPointer' : [ 0x10, ['pointer', ['void']]], 'WhichOrderedElement' : [ 0x14, ['unsigned long']], 'NumberGenericTableElements' : [ 0x18, ['unsigned long']], 'DepthOfTree' : [ 0x1c, ['unsigned long']], 'RestartKey' : [ 0x20, ['pointer', ['_RTL_BALANCED_LINKS']]], 'DeleteCount' : [ 0x24, ['unsigned long']], 'CompareRoutine' : [ 0x28, ['pointer', ['void']]], 'AllocateRoutine' : [ 0x2c, ['pointer', ['void']]], 'FreeRoutine' : [ 0x30, ['pointer', ['void']]], 'TableContext' : [ 0x34, ['pointer', ['void']]], } ], '_KTRANSACTION_HISTORY' : [ 0x8, { 'RecordType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {1: 'KTMOH_CommitTransaction_Result', 2: 'KTMOH_RollbackTransaction_Result'})]], 'Payload' : [ 0x4, ['unsigned long']], } ], '_DESCRIPTOR' : [ 0x8, { 'Pad' : [ 0x0, ['unsigned short']], 'Limit' : [ 0x2, ['unsigned short']], 'Base' : [ 0x4, ['unsigned long']], } ], 'LIST_ENTRY64' : [ 0x10, { 'Flink' : [ 0x0, ['unsigned long long']], 'Blink' : [ 0x8, ['unsigned long long']], } ], 'LIST_ENTRY32' : [ 0x8, { 'Flink' : [ 0x0, 
['unsigned long']], 'Blink' : [ 0x4, ['unsigned long']], } ], '__unnamed_1019' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], } ], '_ULARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['unsigned long']], 'u' : [ 0x0, ['__unnamed_1019']], 'QuadPart' : [ 0x0, ['unsigned long long']], } ], '__unnamed_101e' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_LARGE_INTEGER' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], 'u' : [ 0x0, ['__unnamed_101e']], 'QuadPart' : [ 0x0, ['long long']], } ], '__unnamed_1037' : [ 0x4, { 'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Private' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1039' : [ 0x4, { 'Flags' : [ 0x0, ['unsigned long']], 's' : [ 0x0, ['__unnamed_1037']], } ], '_TP_CALLBACK_ENVIRON' : [ 0x20, { 'Version' : [ 0x0, ['unsigned long']], 'Pool' : [ 0x4, ['pointer', ['_TP_POOL']]], 'CleanupGroup' : [ 0x8, ['pointer', ['_TP_CLEANUP_GROUP']]], 'CleanupGroupCancelCallback' : [ 0xc, ['pointer', ['void']]], 'RaceDll' : [ 0x10, ['pointer', ['void']]], 'ActivationContext' : [ 0x14, ['pointer', ['_ACTIVATION_CONTEXT']]], 'FinalizationCallback' : [ 0x18, ['pointer', ['void']]], 'u' : [ 0x1c, ['__unnamed_1039']], } ], '_TP_TASK_CALLBACKS' : [ 0x8, { 'ExecuteCallback' : [ 0x0, ['pointer', ['void']]], 'Unposted' : [ 0x4, ['pointer', ['void']]], } ], '_TP_TASK' : [ 0x4, { 'Callbacks' : [ 0x0, ['pointer', ['_TP_TASK_CALLBACKS']]], } ], '_TP_DIRECT' : [ 0x4, { 'Callback' : [ 0x0, ['pointer', ['void']]], } ], '_LIST_ENTRY' : [ 0x8, { 'Flink' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'Blink' : [ 0x4, ['pointer', ['_LIST_ENTRY']]], } ], '_SINGLE_LIST_ENTRY' : [ 0x4, { 'Next' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], } ], '_UNICODE_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned 
short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned short']]], } ], '_STRING' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'MaximumLength' : [ 0x2, ['unsigned short']], 'Buffer' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_LUID' : [ 0x8, { 'LowPart' : [ 0x0, ['unsigned long']], 'HighPart' : [ 0x4, ['long']], } ], '_IMAGE_NT_HEADERS' : [ 0xf8, { 'Signature' : [ 0x0, ['unsigned long']], 'FileHeader' : [ 0x4, ['_IMAGE_FILE_HEADER']], 'OptionalHeader' : [ 0x18, ['_IMAGE_OPTIONAL_HEADER']], } ], '_KPRCB' : [ 0x2008, { 'MinorVersion' : [ 0x0, ['unsigned short']], 'MajorVersion' : [ 0x2, ['unsigned short']], 'CurrentThread' : [ 0x4, ['pointer', ['_KTHREAD']]], 'NextThread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'IdleThread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'Number' : [ 0x10, ['unsigned char']], 'NestingLevel' : [ 0x11, ['unsigned char']], 'BuildType' : [ 0x12, ['unsigned short']], 'SetMember' : [ 0x14, ['unsigned long']], 'CpuType' : [ 0x18, ['unsigned char']], 'CpuID' : [ 0x19, ['unsigned char']], 'CpuStep' : [ 0x1a, ['unsigned short']], 'CpuStepping' : [ 0x1a, ['unsigned char']], 'CpuModel' : [ 0x1b, ['unsigned char']], 'ProcessorState' : [ 0x1c, ['_KPROCESSOR_STATE']], 'KernelReserved' : [ 0x33c, ['array', 16, ['unsigned long']]], 'HalReserved' : [ 0x37c, ['array', 16, ['unsigned long']]], 'CFlushSize' : [ 0x3bc, ['unsigned long']], 'CoresPerPhysicalProcessor' : [ 0x3c0, ['unsigned char']], 'LogicalProcessorsPerCore' : [ 0x3c1, ['unsigned char']], 'PrcbPad0' : [ 0x3c2, ['array', 2, ['unsigned char']]], 'MHz' : [ 0x3c4, ['unsigned long']], 'PrcbPad1' : [ 0x3c8, ['array', 80, ['unsigned char']]], 'LockQueue' : [ 0x418, ['array', 49, ['_KSPIN_LOCK_QUEUE']]], 'NpxThread' : [ 0x5a0, ['pointer', ['_KTHREAD']]], 'InterruptCount' : [ 0x5a4, ['unsigned long']], 'KernelTime' : [ 0x5a8, ['unsigned long']], 'UserTime' : [ 0x5ac, ['unsigned long']], 'DpcTime' : [ 0x5b0, ['unsigned long']], 'DpcTimeCount' : [ 0x5b4, ['unsigned 
long']], 'InterruptTime' : [ 0x5b8, ['unsigned long']], 'AdjustDpcThreshold' : [ 0x5bc, ['unsigned long']], 'PageColor' : [ 0x5c0, ['unsigned long']], 'SkipTick' : [ 0x5c4, ['unsigned char']], 'DebuggerSavedIRQL' : [ 0x5c5, ['unsigned char']], 'NodeColor' : [ 0x5c6, ['unsigned char']], 'PollSlot' : [ 0x5c7, ['unsigned char']], 'NodeShiftedColor' : [ 0x5c8, ['unsigned long']], 'ParentNode' : [ 0x5cc, ['pointer', ['_KNODE']]], 'MultiThreadProcessorSet' : [ 0x5d0, ['unsigned long']], 'MultiThreadSetMaster' : [ 0x5d4, ['pointer', ['_KPRCB']]], 'SecondaryColorMask' : [ 0x5d8, ['unsigned long']], 'DpcTimeLimit' : [ 0x5dc, ['unsigned long']], 'CcFastReadNoWait' : [ 0x5e0, ['unsigned long']], 'CcFastReadWait' : [ 0x5e4, ['unsigned long']], 'CcFastReadNotPossible' : [ 0x5e8, ['unsigned long']], 'CcCopyReadNoWait' : [ 0x5ec, ['unsigned long']], 'CcCopyReadWait' : [ 0x5f0, ['unsigned long']], 'CcCopyReadNoWaitMiss' : [ 0x5f4, ['unsigned long']], 'MmSpinLockOrdering' : [ 0x5f8, ['long']], 'IoReadOperationCount' : [ 0x5fc, ['long']], 'IoWriteOperationCount' : [ 0x600, ['long']], 'IoOtherOperationCount' : [ 0x604, ['long']], 'IoReadTransferCount' : [ 0x608, ['_LARGE_INTEGER']], 'IoWriteTransferCount' : [ 0x610, ['_LARGE_INTEGER']], 'IoOtherTransferCount' : [ 0x618, ['_LARGE_INTEGER']], 'CcFastMdlReadNoWait' : [ 0x620, ['unsigned long']], 'CcFastMdlReadWait' : [ 0x624, ['unsigned long']], 'CcFastMdlReadNotPossible' : [ 0x628, ['unsigned long']], 'CcMapDataNoWait' : [ 0x62c, ['unsigned long']], 'CcMapDataWait' : [ 0x630, ['unsigned long']], 'CcPinMappedDataCount' : [ 0x634, ['unsigned long']], 'CcPinReadNoWait' : [ 0x638, ['unsigned long']], 'CcPinReadWait' : [ 0x63c, ['unsigned long']], 'CcMdlReadNoWait' : [ 0x640, ['unsigned long']], 'CcMdlReadWait' : [ 0x644, ['unsigned long']], 'CcLazyWriteHotSpots' : [ 0x648, ['unsigned long']], 'CcLazyWriteIos' : [ 0x64c, ['unsigned long']], 'CcLazyWritePages' : [ 0x650, ['unsigned long']], 'CcDataFlushes' : [ 0x654, ['unsigned long']], 
'CcDataPages' : [ 0x658, ['unsigned long']], 'CcLostDelayedWrites' : [ 0x65c, ['unsigned long']], 'CcFastReadResourceMiss' : [ 0x660, ['unsigned long']], 'CcCopyReadWaitMiss' : [ 0x664, ['unsigned long']], 'CcFastMdlReadResourceMiss' : [ 0x668, ['unsigned long']], 'CcMapDataNoWaitMiss' : [ 0x66c, ['unsigned long']], 'CcMapDataWaitMiss' : [ 0x670, ['unsigned long']], 'CcPinReadNoWaitMiss' : [ 0x674, ['unsigned long']], 'CcPinReadWaitMiss' : [ 0x678, ['unsigned long']], 'CcMdlReadNoWaitMiss' : [ 0x67c, ['unsigned long']], 'CcMdlReadWaitMiss' : [ 0x680, ['unsigned long']], 'CcReadAheadIos' : [ 0x684, ['unsigned long']], 'KeAlignmentFixupCount' : [ 0x688, ['unsigned long']], 'KeExceptionDispatchCount' : [ 0x68c, ['unsigned long']], 'KeSystemCalls' : [ 0x690, ['unsigned long']], 'PrcbPad2' : [ 0x694, ['array', 3, ['unsigned long']]], 'PPLookasideList' : [ 0x6a0, ['array', 16, ['_PP_LOOKASIDE_LIST']]], 'PPNPagedLookasideList' : [ 0x720, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PPPagedLookasideList' : [ 0x1020, ['array', 32, ['_GENERAL_LOOKASIDE_POOL']]], 'PacketBarrier' : [ 0x1920, ['unsigned long']], 'ReverseStall' : [ 0x1924, ['long']], 'IpiFrame' : [ 0x1928, ['pointer', ['void']]], 'PrcbPad3' : [ 0x192c, ['array', 52, ['unsigned char']]], 'CurrentPacket' : [ 0x1960, ['array', 3, ['pointer', ['void']]]], 'TargetSet' : [ 0x196c, ['unsigned long']], 'WorkerRoutine' : [ 0x1970, ['pointer', ['void']]], 'IpiFrozen' : [ 0x1974, ['unsigned long']], 'PrcbPad4' : [ 0x1978, ['array', 40, ['unsigned char']]], 'RequestSummary' : [ 0x19a0, ['unsigned long']], 'SignalDone' : [ 0x19a4, ['pointer', ['_KPRCB']]], 'PrcbPad5' : [ 0x19a8, ['array', 56, ['unsigned char']]], 'DpcData' : [ 0x19e0, ['array', 2, ['_KDPC_DATA']]], 'DpcStack' : [ 0x1a08, ['pointer', ['void']]], 'MaximumDpcQueueDepth' : [ 0x1a0c, ['long']], 'DpcRequestRate' : [ 0x1a10, ['unsigned long']], 'MinimumDpcRate' : [ 0x1a14, ['unsigned long']], 'DpcInterruptRequested' : [ 0x1a18, ['unsigned char']], 
'DpcThreadRequested' : [ 0x1a19, ['unsigned char']], 'DpcRoutineActive' : [ 0x1a1a, ['unsigned char']], 'DpcThreadActive' : [ 0x1a1b, ['unsigned char']], 'PrcbLock' : [ 0x1a1c, ['unsigned long']], 'DpcLastCount' : [ 0x1a20, ['unsigned long']], 'TimerHand' : [ 0x1a24, ['unsigned long']], 'TimerRequest' : [ 0x1a28, ['unsigned long']], 'PrcbPad41' : [ 0x1a2c, ['pointer', ['void']]], 'DpcEvent' : [ 0x1a30, ['_KEVENT']], 'ThreadDpcEnable' : [ 0x1a40, ['unsigned char']], 'QuantumEnd' : [ 0x1a41, ['unsigned char']], 'PrcbPad50' : [ 0x1a42, ['unsigned char']], 'IdleSchedule' : [ 0x1a43, ['unsigned char']], 'DpcSetEventRequest' : [ 0x1a44, ['long']], 'Sleeping' : [ 0x1a48, ['long']], 'PeriodicCount' : [ 0x1a4c, ['unsigned long']], 'PeriodicBias' : [ 0x1a50, ['unsigned long']], 'PrcbPad51' : [ 0x1a54, ['array', 6, ['unsigned char']]], 'TickOffset' : [ 0x1a5c, ['long']], 'CallDpc' : [ 0x1a60, ['_KDPC']], 'ClockKeepAlive' : [ 0x1a80, ['long']], 'ClockCheckSlot' : [ 0x1a84, ['unsigned char']], 'ClockPollCycle' : [ 0x1a85, ['unsigned char']], 'PrcbPad6' : [ 0x1a86, ['array', 2, ['unsigned char']]], 'DpcWatchdogPeriod' : [ 0x1a88, ['long']], 'DpcWatchdogCount' : [ 0x1a8c, ['long']], 'ThreadWatchdogPeriod' : [ 0x1a90, ['long']], 'ThreadWatchdogCount' : [ 0x1a94, ['long']], 'PrcbPad70' : [ 0x1a98, ['array', 2, ['unsigned long']]], 'WaitListHead' : [ 0x1aa0, ['_LIST_ENTRY']], 'WaitLock' : [ 0x1aa8, ['unsigned long']], 'ReadySummary' : [ 0x1aac, ['unsigned long']], 'QueueIndex' : [ 0x1ab0, ['unsigned long']], 'DeferredReadyListHead' : [ 0x1ab4, ['_SINGLE_LIST_ENTRY']], 'StartCycles' : [ 0x1ab8, ['unsigned long long']], 'CycleTime' : [ 0x1ac0, ['unsigned long long']], 'PrcbPad71' : [ 0x1ac8, ['array', 3, ['unsigned long long']]], 'DispatcherReadyListHead' : [ 0x1ae0, ['array', 32, ['_LIST_ENTRY']]], 'ChainedInterruptList' : [ 0x1be0, ['pointer', ['void']]], 'LookasideIrpFloat' : [ 0x1be4, ['long']], 'MmPageFaultCount' : [ 0x1be8, ['long']], 'MmCopyOnWriteCount' : [ 0x1bec, ['long']], 
'MmTransitionCount' : [ 0x1bf0, ['long']], 'MmCacheTransitionCount' : [ 0x1bf4, ['long']], 'MmDemandZeroCount' : [ 0x1bf8, ['long']], 'MmPageReadCount' : [ 0x1bfc, ['long']], 'MmPageReadIoCount' : [ 0x1c00, ['long']], 'MmCacheReadCount' : [ 0x1c04, ['long']], 'MmCacheIoCount' : [ 0x1c08, ['long']], 'MmDirtyPagesWriteCount' : [ 0x1c0c, ['long']], 'MmDirtyWriteIoCount' : [ 0x1c10, ['long']], 'MmMappedPagesWriteCount' : [ 0x1c14, ['long']], 'MmMappedWriteIoCount' : [ 0x1c18, ['long']], 'CachedCommit' : [ 0x1c1c, ['unsigned long']], 'CachedResidentAvailable' : [ 0x1c20, ['unsigned long']], 'HyperPte' : [ 0x1c24, ['pointer', ['void']]], 'CpuVendor' : [ 0x1c28, ['unsigned char']], 'PrcbPad8' : [ 0x1c29, ['array', 3, ['unsigned char']]], 'VendorString' : [ 0x1c2c, ['array', 13, ['unsigned char']]], 'InitialApicId' : [ 0x1c39, ['unsigned char']], 'LogicalProcessorsPerPhysicalProcessor' : [ 0x1c3a, ['unsigned char']], 'PrcbPad9' : [ 0x1c3b, ['array', 5, ['unsigned char']]], 'FeatureBits' : [ 0x1c40, ['unsigned long']], 'UpdateSignature' : [ 0x1c48, ['_LARGE_INTEGER']], 'IsrTime' : [ 0x1c50, ['unsigned long long']], 'SpareField1' : [ 0x1c58, ['unsigned long long']], 'NpxSaveArea' : [ 0x1c60, ['_FX_SAVE_AREA']], 'PowerState' : [ 0x1e70, ['_PROCESSOR_POWER_STATE']], 'DpcWatchdogDpc' : [ 0x1f38, ['_KDPC']], 'DpcWatchdogTimer' : [ 0x1f58, ['_KTIMER']], 'WheaInfo' : [ 0x1f80, ['pointer', ['void']]], 'EtwSupport' : [ 0x1f84, ['pointer', ['void']]], 'InterruptObjectPool' : [ 0x1f88, ['_SLIST_HEADER']], 'HypercallPageList' : [ 0x1f90, ['_SLIST_HEADER']], 'HypercallPageVirtual' : [ 0x1f98, ['pointer', ['void']]], 'VirtualApicAssist' : [ 0x1f9c, ['pointer', ['void']]], 'StatisticsPage' : [ 0x1fa0, ['pointer', ['unsigned long long']]], 'RateControl' : [ 0x1fa4, ['pointer', ['void']]], 'Cache' : [ 0x1fa8, ['array', 5, ['_CACHE_DESCRIPTOR']]], 'CacheCount' : [ 0x1fe4, ['unsigned long']], 'CacheProcessorMask' : [ 0x1fe8, ['array', 5, ['unsigned long']]], 'PackageProcessorSet' : [ 0x1ffc, 
['unsigned long']], 'CoreProcessorSet' : [ 0x2000, ['unsigned long']], } ], '_KPCR' : [ 0x2128, { 'NtTib' : [ 0x0, ['_NT_TIB']], 'Used_ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Used_StackBase' : [ 0x4, ['pointer', ['void']]], 'Spare2' : [ 0x8, ['pointer', ['void']]], 'TssCopy' : [ 0xc, ['pointer', ['void']]], 'ContextSwitches' : [ 0x10, ['unsigned long']], 'SetMemberCopy' : [ 0x14, ['unsigned long']], 'Used_Self' : [ 0x18, ['pointer', ['void']]], 'SelfPcr' : [ 0x1c, ['pointer', ['_KPCR']]], 'Prcb' : [ 0x20, ['pointer', ['_KPRCB']]], 'Irql' : [ 0x24, ['unsigned char']], 'IRR' : [ 0x28, ['unsigned long']], 'IrrActive' : [ 0x2c, ['unsigned long']], 'IDR' : [ 0x30, ['unsigned long']], 'KdVersionBlock' : [ 0x34, ['pointer', ['void']]], 'IDT' : [ 0x38, ['pointer', ['_KIDTENTRY']]], 'GDT' : [ 0x3c, ['pointer', ['_KGDTENTRY']]], 'TSS' : [ 0x40, ['pointer', ['_KTSS']]], 'MajorVersion' : [ 0x44, ['unsigned short']], 'MinorVersion' : [ 0x46, ['unsigned short']], 'SetMember' : [ 0x48, ['unsigned long']], 'StallScaleFactor' : [ 0x4c, ['unsigned long']], 'SpareUnused' : [ 0x50, ['unsigned char']], 'Number' : [ 0x51, ['unsigned char']], 'Spare0' : [ 0x52, ['unsigned char']], 'SecondLevelCacheAssociativity' : [ 0x53, ['unsigned char']], 'VdmAlert' : [ 0x54, ['unsigned long']], 'KernelReserved' : [ 0x58, ['array', 14, ['unsigned long']]], 'SecondLevelCacheSize' : [ 0x90, ['unsigned long']], 'HalReserved' : [ 0x94, ['array', 16, ['unsigned long']]], 'InterruptMode' : [ 0xd4, ['unsigned long']], 'Spare1' : [ 0xd8, ['unsigned char']], 'KernelReserved2' : [ 0xdc, ['array', 17, ['unsigned long']]], 'PrcbData' : [ 0x120, ['_KPRCB']], } ], '_KAPC' : [ 0x30, { 'Type' : [ 0x0, ['unsigned char']], 'SpareByte0' : [ 0x1, ['unsigned char']], 'Size' : [ 0x2, ['unsigned char']], 'SpareByte1' : [ 0x3, ['unsigned char']], 'SpareLong0' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'ApcListEntry' : [ 0xc, ['_LIST_ENTRY']], 'KernelRoutine' 
: [ 0x14, ['pointer', ['void']]], 'RundownRoutine' : [ 0x18, ['pointer', ['void']]], 'NormalRoutine' : [ 0x1c, ['pointer', ['void']]], 'NormalContext' : [ 0x20, ['pointer', ['void']]], 'SystemArgument1' : [ 0x24, ['pointer', ['void']]], 'SystemArgument2' : [ 0x28, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x2c, ['unsigned char']], 'ApcMode' : [ 0x2d, ['unsigned char']], 'Inserted' : [ 0x2e, ['unsigned char']], } ], '_KTHREAD' : [ 0x1e0, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'CycleTime' : [ 0x10, ['unsigned long long']], 'HighCycleTime' : [ 0x18, ['unsigned long']], 'QuantumTarget' : [ 0x20, ['unsigned long long']], 'InitialStack' : [ 0x28, ['pointer', ['void']]], 'StackLimit' : [ 0x2c, ['pointer', ['void']]], 'KernelStack' : [ 0x30, ['pointer', ['void']]], 'ThreadLock' : [ 0x34, ['unsigned long']], 'ApcState' : [ 0x38, ['_KAPC_STATE']], 'ApcStateFill' : [ 0x38, ['array', 23, ['unsigned char']]], 'Priority' : [ 0x4f, ['unsigned char']], 'NextProcessor' : [ 0x50, ['unsigned short']], 'DeferredProcessor' : [ 0x52, ['unsigned short']], 'ApcQueueLock' : [ 0x54, ['unsigned long']], 'ContextSwitches' : [ 0x58, ['unsigned long']], 'State' : [ 0x5c, ['unsigned char']], 'NpxState' : [ 0x5d, ['unsigned char']], 'WaitIrql' : [ 0x5e, ['unsigned char']], 'WaitMode' : [ 0x5f, ['unsigned char']], 'WaitStatus' : [ 0x60, ['long']], 'WaitBlockList' : [ 0x64, ['pointer', ['_KWAIT_BLOCK']]], 'GateObject' : [ 0x64, ['pointer', ['_KGATE']]], 'KernelStackResident' : [ 0x68, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ReadyTransition' : [ 0x68, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessReadyQueue' : [ 0x68, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WaitNext' : [ 0x68, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemAffinityActive' : [ 0x68, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Alertable' : 
[ 0x68, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'GdiFlushActive' : [ 0x68, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'UserStackWalkActive' : [ 0x68, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Reserved' : [ 0x68, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'MiscFlags' : [ 0x68, ['long']], 'WaitReason' : [ 0x6c, ['unsigned char']], 'SwapBusy' : [ 0x6d, ['unsigned char']], 'Alerted' : [ 0x6e, ['array', 2, ['unsigned char']]], 'WaitListEntry' : [ 0x70, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x70, ['_SINGLE_LIST_ENTRY']], 'Queue' : [ 0x78, ['pointer', ['_KQUEUE']]], 'WaitTime' : [ 0x7c, ['unsigned long']], 'KernelApcDisable' : [ 0x80, ['short']], 'SpecialApcDisable' : [ 0x82, ['short']], 'CombinedApcDisable' : [ 0x80, ['unsigned long']], 'Teb' : [ 0x84, ['pointer', ['void']]], 'Timer' : [ 0x88, ['_KTIMER']], 'TimerFill' : [ 0x88, ['array', 40, ['unsigned char']]], 'AutoAlignment' : [ 0xb0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DisableBoost' : [ 0xb0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'EtwStackTraceApc1Inserted' : [ 0xb0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EtwStackTraceApc2Inserted' : [ 0xb0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CycleChargePending' : [ 0xb0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'CalloutActive' : [ 0xb0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ApcQueueable' : [ 0xb0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'EnableStackSwap' : [ 0xb0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'GuiThread' : [ 0xb0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'ReservedFlags' : [ 
0xb0, ['BitField', dict(start_bit = 9, end_bit = 32, native_type='unsigned long')]], 'ThreadFlags' : [ 0xb0, ['long']], 'WaitBlock' : [ 0xb8, ['array', 4, ['_KWAIT_BLOCK']]], 'WaitBlockFill0' : [ 0xb8, ['array', 23, ['unsigned char']]], 'IdealProcessor' : [ 0xcf, ['unsigned char']], 'WaitBlockFill1' : [ 0xb8, ['array', 47, ['unsigned char']]], 'PreviousMode' : [ 0xe7, ['unsigned char']], 'WaitBlockFill2' : [ 0xb8, ['array', 71, ['unsigned char']]], 'ResourceIndex' : [ 0xff, ['unsigned char']], 'WaitBlockFill3' : [ 0xb8, ['array', 95, ['unsigned char']]], 'LargeStack' : [ 0x117, ['unsigned char']], 'QueueListEntry' : [ 0x118, ['_LIST_ENTRY']], 'TrapFrame' : [ 0x120, ['pointer', ['_KTRAP_FRAME']]], 'FirstArgument' : [ 0x124, ['pointer', ['void']]], 'CallbackStack' : [ 0x128, ['pointer', ['void']]], 'CallbackDepth' : [ 0x128, ['unsigned long']], 'ServiceTable' : [ 0x12c, ['pointer', ['void']]], 'ApcStateIndex' : [ 0x130, ['unsigned char']], 'BasePriority' : [ 0x131, ['unsigned char']], 'PriorityDecrement' : [ 0x132, ['unsigned char']], 'Preempted' : [ 0x133, ['unsigned char']], 'AdjustReason' : [ 0x134, ['unsigned char']], 'AdjustIncrement' : [ 0x135, ['unsigned char']], 'Spare01' : [ 0x136, ['unsigned char']], 'Saturation' : [ 0x137, ['unsigned char']], 'SystemCallNumber' : [ 0x138, ['unsigned long']], 'FreezeCount' : [ 0x13c, ['unsigned long']], 'UserAffinity' : [ 0x140, ['unsigned long']], 'Process' : [ 0x144, ['pointer', ['_KPROCESS']]], 'Affinity' : [ 0x148, ['unsigned long']], 'ApcStatePointer' : [ 0x14c, ['array', 2, ['pointer', ['_KAPC_STATE']]]], 'SavedApcState' : [ 0x154, ['_KAPC_STATE']], 'SavedApcStateFill' : [ 0x154, ['array', 23, ['unsigned char']]], 'Spare02' : [ 0x16b, ['unsigned char']], 'SuspendCount' : [ 0x16c, ['unsigned char']], 'UserIdealProcessor' : [ 0x16d, ['unsigned char']], 'Spare03' : [ 0x16e, ['unsigned char']], 'OtherPlatformFill' : [ 0x16f, ['unsigned char']], 'Win32Thread' : [ 0x170, ['pointer', ['void']]], 'StackBase' : [ 0x174, 
['pointer', ['void']]], 'SuspendApc' : [ 0x178, ['_KAPC']], 'SuspendApcFill0' : [ 0x178, ['array', 1, ['unsigned char']]], 'Spare04' : [ 0x179, ['unsigned char']], 'SuspendApcFill1' : [ 0x178, ['array', 3, ['unsigned char']]], 'QuantumReset' : [ 0x17b, ['unsigned char']], 'SuspendApcFill2' : [ 0x178, ['array', 4, ['unsigned char']]], 'KernelTime' : [ 0x17c, ['unsigned long']], 'SuspendApcFill3' : [ 0x178, ['array', 36, ['unsigned char']]], 'WaitPrcb' : [ 0x19c, ['pointer', ['_KPRCB']]], 'SuspendApcFill4' : [ 0x178, ['array', 40, ['unsigned char']]], 'LegoData' : [ 0x1a0, ['pointer', ['void']]], 'SuspendApcFill5' : [ 0x178, ['array', 47, ['unsigned char']]], 'PowerState' : [ 0x1a7, ['unsigned char']], 'UserTime' : [ 0x1a8, ['unsigned long']], 'SuspendSemaphore' : [ 0x1ac, ['_KSEMAPHORE']], 'SuspendSemaphorefill' : [ 0x1ac, ['array', 20, ['unsigned char']]], 'SListFaultCount' : [ 0x1c0, ['unsigned long']], 'ThreadListEntry' : [ 0x1c4, ['_LIST_ENTRY']], 'MutantListHead' : [ 0x1cc, ['_LIST_ENTRY']], 'SListFaultAddress' : [ 0x1d4, ['pointer', ['void']]], 'MdlForLockedTeb' : [ 0x1d8, ['pointer', ['void']]], } ], '_FAST_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KEVENT']], 'OldIrql' : [ 0x1c, ['unsigned long']], } ], '_SLIST_HEADER' : [ 0x8, { 'Alignment' : [ 0x0, ['unsigned long long']], 'Next' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x4, ['unsigned short']], 'Sequence' : [ 0x6, ['unsigned short']], } ], '_LOOKASIDE_LIST_EX' : [ 0x48, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE_POOL']], } ], '_NPAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['unsigned long']], } ], '_PAGED_LOOKASIDE_LIST' : [ 0xc0, { 'L' : [ 0x0, ['_GENERAL_LOOKASIDE']], 'Lock__ObsoleteButDoNotDelete' : [ 0x80, ['_FAST_MUTEX']], } ], '_QUAD' : [ 0x8, { 'UseThisFieldToCopy' : [ 0x0, ['long long']], 'DoNotUseThisField' : [ 0x0, 
['double']], } ], '_IO_STATUS_BLOCK' : [ 0x8, { 'Status' : [ 0x0, ['long']], 'Pointer' : [ 0x0, ['pointer', ['void']]], 'Information' : [ 0x4, ['unsigned long']], } ], '_EX_PUSH_LOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], 'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_EX_PUSH_LOCK_CACHE_AWARE' : [ 0x80, { 'Locks' : [ 0x0, ['array', 32, ['pointer', ['_EX_PUSH_LOCK']]]], } ], '_GENERAL_LOOKASIDE' : [ 0x80, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, 
['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_EX_FAST_REF' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], 'RefCnt' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']], } ], '_EX_PUSH_LOCK_WAIT_BLOCK' : [ 0x30, { 'WakeGate' : [ 0x0, ['_KGATE']], 'WakeEvent' : [ 0x0, ['_KEVENT']], 'Next' : [ 0x10, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Last' : [ 0x14, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'Previous' : [ 0x18, ['pointer', ['_EX_PUSH_LOCK_WAIT_BLOCK']]], 'ShareCount' : [ 0x1c, ['long']], 'Flags' : [ 0x20, ['long']], } ], '_ETHREAD' : [ 0x288, { 'Tcb' : [ 0x0, ['_KTHREAD']], 'CreateTime' : [ 0x1e0, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x1e8, ['_LARGE_INTEGER']], 'KeyedWaitChain' : [ 0x1e8, ['_LIST_ENTRY']], 'ExitStatus' : [ 0x1f0, ['long']], 'OfsChain' : [ 0x1f0, ['pointer', ['void']]], 'PostBlockList' : [ 0x1f4, ['_LIST_ENTRY']], 'ForwardLinkShadow' : [ 0x1f4, ['pointer', ['void']]], 'StartAddress' : [ 0x1f8, ['pointer', ['void']]], 'TerminationPort' : [ 0x1fc, ['pointer', ['_TERMINATION_PORT']]], 'ReaperLink' : [ 0x1fc, ['pointer', ['_ETHREAD']]], 'KeyedWaitValue' : [ 0x1fc, ['pointer', ['void']]], 'Win32StartParameter' : [ 0x1fc, ['pointer', ['void']]], 'ActiveTimerListLock' : [ 0x200, ['unsigned long']], 'ActiveTimerListHead' : [ 0x204, ['_LIST_ENTRY']], 'Cid' : [ 0x20c, ['_CLIENT_ID']], 'KeyedWaitSemaphore' : [ 0x214, ['_KSEMAPHORE']], 'AlpcWaitSemaphore' : [ 0x214, ['_KSEMAPHORE']], 'ClientSecurity' : [ 0x228, ['_PS_CLIENT_SECURITY_CONTEXT']], 'IrpList' : [ 0x22c, ['_LIST_ENTRY']], 'TopLevelIrp' : [ 0x234, ['unsigned long']], 'DeviceToVerify' : [ 0x238, ['pointer', 
['_DEVICE_OBJECT']]], 'RateControlApc' : [ 0x23c, ['pointer', ['_PSP_RATE_APC']]], 'Win32StartAddress' : [ 0x240, ['pointer', ['void']]], 'SparePtr0' : [ 0x244, ['pointer', ['void']]], 'ThreadListEntry' : [ 0x248, ['_LIST_ENTRY']], 'RundownProtect' : [ 0x250, ['_EX_RUNDOWN_REF']], 'ThreadLock' : [ 0x254, ['_EX_PUSH_LOCK']], 'ReadClusterSize' : [ 0x258, ['unsigned long']], 'MmLockOrdering' : [ 0x25c, ['long']], 'CrossThreadFlags' : [ 0x260, ['unsigned long']], 'Terminated' : [ 0x260, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ThreadInserted' : [ 0x260, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'HideFromDebugger' : [ 0x260, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ActiveImpersonationInfo' : [ 0x260, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'SystemThread' : [ 0x260, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'HardErrorsAreDisabled' : [ 0x260, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x260, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SkipCreationMsg' : [ 0x260, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SkipTerminationMsg' : [ 0x260, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyTokenOnOpen' : [ 0x260, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ThreadIoPriority' : [ 0x260, ['BitField', dict(start_bit = 10, end_bit = 13, native_type='unsigned long')]], 'ThreadPagePriority' : [ 0x260, ['BitField', dict(start_bit = 13, end_bit = 16, native_type='unsigned long')]], 'RundownFail' : [ 0x260, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'SameThreadPassiveFlags' : [ 0x264, ['unsigned long']], 'ActiveExWorker' : [ 0x264, ['BitField', dict(start_bit = 0, end_bit 
= 1, native_type='unsigned long')]], 'ExWorkerCanWaitUser' : [ 0x264, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'MemoryMaker' : [ 0x264, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ClonedThread' : [ 0x264, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'KeyedEventInUse' : [ 0x264, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'RateApcState' : [ 0x264, ['BitField', dict(start_bit = 5, end_bit = 7, native_type='unsigned long')]], 'SelfTerminate' : [ 0x264, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'SameThreadApcFlags' : [ 0x268, ['unsigned long']], 'Spare' : [ 0x268, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'StartAddressInvalid' : [ 0x268, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'EtwPageFaultCalloutActive' : [ 0x268, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'OwnsProcessWorkingSetExclusive' : [ 0x268, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'OwnsProcessWorkingSetShared' : [ 0x268, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsSystemWorkingSetExclusive' : [ 0x268, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsSystemWorkingSetShared' : [ 0x268, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsSessionWorkingSetExclusive' : [ 0x268, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'OwnsSessionWorkingSetShared' : [ 0x269, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'OwnsProcessAddressSpaceExclusive' : [ 0x269, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'OwnsProcessAddressSpaceShared' : [ 0x269, ['BitField', dict(start_bit = 2, end_bit = 3, 
native_type='unsigned char')]], 'SuppressSymbolLoad' : [ 0x269, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Prefetching' : [ 0x269, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'OwnsDynamicMemoryShared' : [ 0x269, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'OwnsChangeControlAreaExclusive' : [ 0x269, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'OwnsChangeControlAreaShared' : [ 0x269, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'Spare1' : [ 0x26a, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'PriorityRegionActive' : [ 0x26b, ['unsigned char']], 'CacheManagerActive' : [ 0x26c, ['unsigned char']], 'DisablePageFaultClustering' : [ 0x26d, ['unsigned char']], 'ActiveFaultCount' : [ 0x26e, ['unsigned char']], 'AlpcMessageId' : [ 0x270, ['unsigned long']], 'AlpcMessage' : [ 0x274, ['pointer', ['void']]], 'AlpcReceiveAttributeSet' : [ 0x274, ['unsigned long']], 'AlpcWaitListEntry' : [ 0x278, ['_LIST_ENTRY']], 'CacheManagerCount' : [ 0x280, ['unsigned long']], } ], '_EPROCESS' : [ 0x270, { 'Pcb' : [ 0x0, ['_KPROCESS']], 'ProcessLock' : [ 0x80, ['_EX_PUSH_LOCK']], 'CreateTime' : [ 0x88, ['_LARGE_INTEGER']], 'ExitTime' : [ 0x90, ['_LARGE_INTEGER']], 'RundownProtect' : [ 0x98, ['_EX_RUNDOWN_REF']], 'UniqueProcessId' : [ 0x9c, ['pointer', ['void']]], 'ActiveProcessLinks' : [ 0xa0, ['_LIST_ENTRY']], 'QuotaUsage' : [ 0xa8, ['array', 3, ['unsigned long']]], 'QuotaPeak' : [ 0xb4, ['array', 3, ['unsigned long']]], 'CommitCharge' : [ 0xc0, ['unsigned long']], 'PeakVirtualSize' : [ 0xc4, ['unsigned long']], 'VirtualSize' : [ 0xc8, ['unsigned long']], 'SessionProcessLinks' : [ 0xcc, ['_LIST_ENTRY']], 'DebugPort' : [ 0xd4, ['pointer', ['void']]], 'ExceptionPortData' : [ 0xd8, ['pointer', ['void']]], 'ExceptionPortValue' : [ 0xd8, ['unsigned long']], 'ExceptionPortState' : [ 0xd8, 
['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'ObjectTable' : [ 0xdc, ['pointer', ['_HANDLE_TABLE']]], 'Token' : [ 0xe0, ['_EX_FAST_REF']], 'WorkingSetPage' : [ 0xe4, ['unsigned long']], 'AddressCreationLock' : [ 0xe8, ['_EX_PUSH_LOCK']], 'RotateInProgress' : [ 0xec, ['pointer', ['_ETHREAD']]], 'ForkInProgress' : [ 0xf0, ['pointer', ['_ETHREAD']]], 'HardwareTrigger' : [ 0xf4, ['unsigned long']], 'PhysicalVadRoot' : [ 0xf8, ['pointer', ['_MM_AVL_TABLE']]], 'CloneRoot' : [ 0xfc, ['pointer', ['void']]], 'NumberOfPrivatePages' : [ 0x100, ['unsigned long']], 'NumberOfLockedPages' : [ 0x104, ['unsigned long']], 'Win32Process' : [ 0x108, ['pointer', ['void']]], 'Job' : [ 0x10c, ['pointer', ['_EJOB']]], 'SectionObject' : [ 0x110, ['pointer', ['void']]], 'SectionBaseAddress' : [ 0x114, ['pointer', ['void']]], 'QuotaBlock' : [ 0x118, ['pointer', ['_EPROCESS_QUOTA_BLOCK']]], 'WorkingSetWatch' : [ 0x11c, ['pointer', ['_PAGEFAULT_HISTORY']]], 'Win32WindowStation' : [ 0x120, ['pointer', ['void']]], 'InheritedFromUniqueProcessId' : [ 0x124, ['pointer', ['void']]], 'LdtInformation' : [ 0x128, ['pointer', ['void']]], 'Spare' : [ 0x12c, ['pointer', ['void']]], 'VdmObjects' : [ 0x130, ['pointer', ['void']]], 'DeviceMap' : [ 0x134, ['pointer', ['void']]], 'EtwDataSource' : [ 0x138, ['pointer', ['void']]], 'FreeTebHint' : [ 0x13c, ['pointer', ['void']]], 'PageDirectoryPte' : [ 0x140, ['_HARDWARE_PTE']], 'Filler' : [ 0x140, ['unsigned long long']], 'Session' : [ 0x148, ['pointer', ['void']]], 'ImageFileName' : [ 0x14c, ['array', 16, ['unsigned char']]], 'JobLinks' : [ 0x15c, ['_LIST_ENTRY']], 'LockedPagesList' : [ 0x164, ['pointer', ['void']]], 'ThreadListHead' : [ 0x168, ['_LIST_ENTRY']], 'SecurityPort' : [ 0x170, ['pointer', ['void']]], 'PaeTop' : [ 0x174, ['pointer', ['void']]], 'ActiveThreads' : [ 0x178, ['unsigned long']], 'ImagePathHash' : [ 0x17c, ['unsigned long']], 'DefaultHardErrorProcessing' : [ 0x180, ['unsigned long']], 'LastThreadExitStatus' 
: [ 0x184, ['long']], 'Peb' : [ 0x188, ['pointer', ['_PEB']]], 'PrefetchTrace' : [ 0x18c, ['_EX_FAST_REF']], 'ReadOperationCount' : [ 0x190, ['_LARGE_INTEGER']], 'WriteOperationCount' : [ 0x198, ['_LARGE_INTEGER']], 'OtherOperationCount' : [ 0x1a0, ['_LARGE_INTEGER']], 'ReadTransferCount' : [ 0x1a8, ['_LARGE_INTEGER']], 'WriteTransferCount' : [ 0x1b0, ['_LARGE_INTEGER']], 'OtherTransferCount' : [ 0x1b8, ['_LARGE_INTEGER']], 'CommitChargeLimit' : [ 0x1c0, ['unsigned long']], 'CommitChargePeak' : [ 0x1c4, ['unsigned long']], 'AweInfo' : [ 0x1c8, ['pointer', ['void']]], 'SeAuditProcessCreationInfo' : [ 0x1cc, ['_SE_AUDIT_PROCESS_CREATION_INFO']], 'Vm' : [ 0x1d0, ['_MMSUPPORT']], 'MmProcessLinks' : [ 0x218, ['_LIST_ENTRY']], 'ModifiedPageCount' : [ 0x220, ['unsigned long']], 'Flags2' : [ 0x224, ['unsigned long']], 'JobNotReallyActive' : [ 0x224, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AccountingFolded' : [ 0x224, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'NewProcessReported' : [ 0x224, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ExitProcessReported' : [ 0x224, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ReportCommitChanges' : [ 0x224, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LastReportMemory' : [ 0x224, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'ReportPhysicalPageChanges' : [ 0x224, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'HandleTableRundown' : [ 0x224, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'NeedsHandleRundown' : [ 0x224, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'RefTraceEnabled' : [ 0x224, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'NumaAware' : [ 0x224, ['BitField', dict(start_bit = 10, end_bit = 11, 
native_type='unsigned long')]], 'ProtectedProcess' : [ 0x224, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'DefaultPagePriority' : [ 0x224, ['BitField', dict(start_bit = 12, end_bit = 15, native_type='unsigned long')]], 'PrimaryTokenFrozen' : [ 0x224, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessVerifierTarget' : [ 0x224, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'StackRandomizationDisabled' : [ 0x224, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'AffinityPermanent' : [ 0x224, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'AffinityUpdateEnable' : [ 0x224, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'CrossSessionCreate' : [ 0x224, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'Flags' : [ 0x228, ['unsigned long']], 'CreateReported' : [ 0x228, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDebugInherit' : [ 0x228, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ProcessExiting' : [ 0x228, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ProcessDelete' : [ 0x228, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow64SplitPages' : [ 0x228, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'VmDeleted' : [ 0x228, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'OutswapEnabled' : [ 0x228, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Outswapped' : [ 0x228, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ForkFailed' : [ 0x228, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Wow64VaSpace4Gb' : [ 0x228, ['BitField', dict(start_bit = 9, end_bit = 10, 
native_type='unsigned long')]], 'AddressSpaceInitialized' : [ 0x228, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'SetTimerResolution' : [ 0x228, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'BreakOnTermination' : [ 0x228, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'DeprioritizeViews' : [ 0x228, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WriteWatch' : [ 0x228, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'ProcessInSession' : [ 0x228, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'OverrideAddressSpace' : [ 0x228, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'HasAddressSpace' : [ 0x228, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'LaunchPrefetched' : [ 0x228, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'InjectInpageErrors' : [ 0x228, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'VmTopDown' : [ 0x228, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'ImageNotifyDone' : [ 0x228, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'PdeUpdateNeeded' : [ 0x228, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'VdmAllowed' : [ 0x228, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'SmapAllowed' : [ 0x228, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'ProcessInserted' : [ 0x228, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'DefaultIoPriority' : [ 0x228, ['BitField', dict(start_bit = 27, end_bit = 30, native_type='unsigned long')]], 'ProcessSelfDelete' : [ 0x228, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned 
long')]], 'SpareProcessFlags' : [ 0x228, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'ExitStatus' : [ 0x22c, ['long']], 'Spare7' : [ 0x230, ['unsigned short']], 'SubSystemMinorVersion' : [ 0x232, ['unsigned char']], 'SubSystemMajorVersion' : [ 0x233, ['unsigned char']], 'SubSystemVersion' : [ 0x232, ['unsigned short']], 'PriorityClass' : [ 0x234, ['unsigned char']], 'VadRoot' : [ 0x238, ['_MM_AVL_TABLE']], 'Cookie' : [ 0x258, ['unsigned long']], 'AlpcContext' : [ 0x25c, ['_ALPC_PROCESS_CONTEXT']], } ], '__unnamed_11d8' : [ 0x2c, { 'InitialPrivilegeSet' : [ 0x0, ['_INITIAL_PRIVILEGE_SET']], 'PrivilegeSet' : [ 0x0, ['_PRIVILEGE_SET']], } ], '_ACCESS_STATE' : [ 0x74, { 'OperationID' : [ 0x0, ['_LUID']], 'SecurityEvaluated' : [ 0x8, ['unsigned char']], 'GenerateAudit' : [ 0x9, ['unsigned char']], 'GenerateOnClose' : [ 0xa, ['unsigned char']], 'PrivilegesAllocated' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned long']], 'RemainingDesiredAccess' : [ 0x10, ['unsigned long']], 'PreviouslyGrantedAccess' : [ 0x14, ['unsigned long']], 'OriginalDesiredAccess' : [ 0x18, ['unsigned long']], 'SubjectSecurityContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']], 'SecurityDescriptor' : [ 0x2c, ['pointer', ['void']]], 'AuxData' : [ 0x30, ['pointer', ['void']]], 'Privileges' : [ 0x34, ['__unnamed_11d8']], 'AuditPrivileges' : [ 0x60, ['unsigned char']], 'ObjectName' : [ 0x64, ['_UNICODE_STRING']], 'ObjectTypeName' : [ 0x6c, ['_UNICODE_STRING']], } ], '__unnamed_11e6' : [ 0x4, { 'MasterIrp' : [ 0x0, ['pointer', ['_IRP']]], 'IrpCount' : [ 0x0, ['long']], 'SystemBuffer' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_11eb' : [ 0x8, { 'UserApcRoutine' : [ 0x0, ['pointer', ['void']]], 'IssuingProcess' : [ 0x0, ['pointer', ['void']]], 'UserApcContext' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_11ed' : [ 0x8, { 'AsynchronousParameters' : [ 0x0, ['__unnamed_11eb']], 'AllocationSize' : [ 0x0, ['_LARGE_INTEGER']], } ], '__unnamed_11f8' : [ 0x28, 
{ 'DeviceQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DriverContext' : [ 0x0, ['array', 4, ['pointer', ['void']]]], 'Thread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'AuxiliaryBuffer' : [ 0x14, ['pointer', ['unsigned char']]], 'ListEntry' : [ 0x18, ['_LIST_ENTRY']], 'CurrentStackLocation' : [ 0x20, ['pointer', ['_IO_STACK_LOCATION']]], 'PacketType' : [ 0x20, ['unsigned long']], 'OriginalFileObject' : [ 0x24, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_11fa' : [ 0x30, { 'Overlay' : [ 0x0, ['__unnamed_11f8']], 'Apc' : [ 0x0, ['_KAPC']], 'CompletionKey' : [ 0x0, ['pointer', ['void']]], } ], '_IRP' : [ 0x70, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'MdlAddress' : [ 0x4, ['pointer', ['_MDL']]], 'Flags' : [ 0x8, ['unsigned long']], 'AssociatedIrp' : [ 0xc, ['__unnamed_11e6']], 'ThreadListEntry' : [ 0x10, ['_LIST_ENTRY']], 'IoStatus' : [ 0x18, ['_IO_STATUS_BLOCK']], 'RequestorMode' : [ 0x20, ['unsigned char']], 'PendingReturned' : [ 0x21, ['unsigned char']], 'StackCount' : [ 0x22, ['unsigned char']], 'CurrentLocation' : [ 0x23, ['unsigned char']], 'Cancel' : [ 0x24, ['unsigned char']], 'CancelIrql' : [ 0x25, ['unsigned char']], 'ApcEnvironment' : [ 0x26, ['unsigned char']], 'AllocationFlags' : [ 0x27, ['unsigned char']], 'UserIosb' : [ 0x28, ['pointer', ['_IO_STATUS_BLOCK']]], 'UserEvent' : [ 0x2c, ['pointer', ['_KEVENT']]], 'Overlay' : [ 0x30, ['__unnamed_11ed']], 'CancelRoutine' : [ 0x38, ['pointer', ['void']]], 'UserBuffer' : [ 0x3c, ['pointer', ['void']]], 'Tail' : [ 0x40, ['__unnamed_11fa']], } ], '__unnamed_1200' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'FileAttributes' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'EaLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1204' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 
'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_NAMED_PIPE_CREATE_PARAMETERS']]], } ], '__unnamed_1208' : [ 0x10, { 'SecurityContext' : [ 0x0, ['pointer', ['_IO_SECURITY_CONTEXT']]], 'Options' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned short']], 'ShareAccess' : [ 0xa, ['unsigned short']], 'Parameters' : [ 0xc, ['pointer', ['_MAILSLOT_CREATE_PARAMETERS']]], } ], '__unnamed_120a' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_120e' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileName' : [ 0x4, ['pointer', ['_UNICODE_STRING']]], 'FileInformationClass' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 
40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]], 'FileIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_1210' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'CompletionFilter' : [ 0x4, ['unsigned long']], } ], '__unnamed_1212' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 
'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]], } ], '__unnamed_1214' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'FileInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileDirectoryInformation', 2: 'FileFullDirectoryInformation', 3: 'FileBothDirectoryInformation', 4: 'FileBasicInformation', 5: 'FileStandardInformation', 6: 'FileInternalInformation', 7: 'FileEaInformation', 8: 'FileAccessInformation', 9: 'FileNameInformation', 10: 'FileRenameInformation', 11: 'FileLinkInformation', 12: 'FileNamesInformation', 13: 'FileDispositionInformation', 14: 'FilePositionInformation', 15: 'FileFullEaInformation', 16: 'FileModeInformation', 17: 'FileAlignmentInformation', 18: 'FileAllInformation', 19: 'FileAllocationInformation', 20: 'FileEndOfFileInformation', 21: 'FileAlternateNameInformation', 22: 'FileStreamInformation', 23: 'FilePipeInformation', 24: 'FilePipeLocalInformation', 25: 'FilePipeRemoteInformation', 26: 'FileMailslotQueryInformation', 27: 'FileMailslotSetInformation', 28: 'FileCompressionInformation', 29: 'FileObjectIdInformation', 30: 'FileCompletionInformation', 31: 'FileMoveClusterInformation', 32: 'FileQuotaInformation', 33: 'FileReparsePointInformation', 34: 'FileNetworkOpenInformation', 35: 'FileAttributeTagInformation', 36: 'FileTrackingInformation', 37: 'FileIdBothDirectoryInformation', 38: 'FileIdFullDirectoryInformation', 39: 'FileValidDataLengthInformation', 40: 'FileShortNameInformation', 41: 'FileIoCompletionNotificationInformation', 42: 'FileIoStatusBlockRangeInformation', 43: 'FileIoPriorityHintInformation', 44: 
'FileSfioReserveInformation', 45: 'FileSfioVolumeInformation', 46: 'FileHardLinkInformation', 47: 'FileProcessIdsUsingFileInformation', 48: 'FileNormalizedNameInformation', 49: 'FileNetworkPhysicalNameInformation', 50: 'FileIdGlobalTxDirectoryInformation', 51: 'FileMaximumInformation'})]], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'ReplaceIfExists' : [ 0xc, ['unsigned char']], 'AdvanceOnly' : [ 0xd, ['unsigned char']], 'ClusterCount' : [ 0xc, ['unsigned long']], 'DeleteHandle' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1216' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'EaList' : [ 0x4, ['pointer', ['void']]], 'EaListLength' : [ 0x8, ['unsigned long']], 'EaIndex' : [ 0xc, ['unsigned long']], } ], '__unnamed_1218' : [ 0x4, { 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_121c' : [ 0x8, { 'Length' : [ 0x0, ['unsigned long']], 'FsInformationClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {1: 'FileFsVolumeInformation', 2: 'FileFsLabelInformation', 3: 'FileFsSizeInformation', 4: 'FileFsDeviceInformation', 5: 'FileFsAttributeInformation', 6: 'FileFsControlInformation', 7: 'FileFsFullSizeInformation', 8: 'FileFsObjectIdInformation', 9: 'FileFsDriverPathInformation', 10: 'FileFsVolumeFlagsInformation', 11: 'FileFsMaximumInformation'})]], } ], '__unnamed_121e' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'FsControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1221' : [ 0x10, { 'Length' : [ 0x0, ['pointer', ['_LARGE_INTEGER']]], 'Key' : [ 0x4, ['unsigned long']], 'ByteOffset' : [ 0x8, ['_LARGE_INTEGER']], } ], '__unnamed_1223' : [ 0x10, { 'OutputBufferLength' : [ 0x0, ['unsigned long']], 'InputBufferLength' : [ 0x4, ['unsigned long']], 'IoControlCode' : [ 0x8, ['unsigned long']], 'Type3InputBuffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1225' : [ 0x8, { 'SecurityInformation' : [ 0x0, 
['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], } ], '__unnamed_1227' : [ 0x8, { 'SecurityInformation' : [ 0x0, ['unsigned long']], 'SecurityDescriptor' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_122b' : [ 0x8, { 'Vpb' : [ 0x0, ['pointer', ['_VPB']]], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], } ], '__unnamed_122f' : [ 0x4, { 'Srb' : [ 0x0, ['pointer', ['_SCSI_REQUEST_BLOCK']]], } ], '__unnamed_1233' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'StartSid' : [ 0x4, ['pointer', ['void']]], 'SidList' : [ 0x8, ['pointer', ['_FILE_GET_QUOTA_INFORMATION']]], 'SidListLength' : [ 0xc, ['unsigned long']], } ], '__unnamed_1237' : [ 0x4, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusRelations', 1: 'EjectionRelations', 2: 'PowerRelations', 3: 'RemovalRelations', 4: 'TargetDeviceRelation', 5: 'SingleBusRelations'})]], } ], '__unnamed_123e' : [ 0x10, { 'InterfaceType' : [ 0x0, ['pointer', ['_GUID']]], 'Size' : [ 0x4, ['unsigned short']], 'Version' : [ 0x6, ['unsigned short']], 'Interface' : [ 0x8, ['pointer', ['_INTERFACE']]], 'InterfaceSpecificData' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1242' : [ 0x4, { 'Capabilities' : [ 0x0, ['pointer', ['_DEVICE_CAPABILITIES']]], } ], '__unnamed_1246' : [ 0x4, { 'IoResourceRequirementList' : [ 0x0, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], } ], '__unnamed_1248' : [ 0x10, { 'WhichSpace' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['void']]], 'Offset' : [ 0x8, ['unsigned long']], 'Length' : [ 0xc, ['unsigned long']], } ], '__unnamed_124a' : [ 0x1, { 'Lock' : [ 0x0, ['unsigned char']], } ], '__unnamed_124e' : [ 0x4, { 'IdType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BusQueryDeviceID', 1: 'BusQueryHardwareIDs', 2: 'BusQueryCompatibleIDs', 3: 'BusQueryInstanceID', 4: 'BusQueryDeviceSerialNumber'})]], } ], '__unnamed_1252' : [ 0x8, { 'DeviceTextType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceTextDescription', 1: 
'DeviceTextLocationInformation'})]], 'LocaleId' : [ 0x4, ['unsigned long']], } ], '__unnamed_1256' : [ 0x8, { 'InPath' : [ 0x0, ['unsigned char']], 'Reserved' : [ 0x1, ['array', 3, ['unsigned char']]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'DeviceUsageTypeUndefined', 1: 'DeviceUsageTypePaging', 2: 'DeviceUsageTypeHibernation', 3: 'DeviceUsageTypeDumpFile'})]], } ], '__unnamed_125a' : [ 0x4, { 'PowerState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '__unnamed_125e' : [ 0x4, { 'PowerSequence' : [ 0x0, ['pointer', ['_POWER_SEQUENCE']]], } ], '__unnamed_1266' : [ 0x10, { 'SystemContext' : [ 0x0, ['unsigned long']], 'SystemPowerStateContext' : [ 0x0, ['_SYSTEM_POWER_STATE_CONTEXT']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SystemPowerState', 1: 'DevicePowerState'})]], 'State' : [ 0x8, ['_POWER_STATE']], 'ShutdownType' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], } ], '__unnamed_126a' : [ 0x8, { 'AllocatedResources' : [ 0x0, ['pointer', ['_CM_RESOURCE_LIST']]], 'AllocatedResourcesTranslated' : [ 0x4, ['pointer', ['_CM_RESOURCE_LIST']]], } ], '__unnamed_126c' : [ 0x10, { 'ProviderId' : [ 0x0, ['unsigned long']], 'DataPath' : [ 0x4, ['pointer', ['void']]], 'BufferSize' : [ 0x8, ['unsigned long']], 'Buffer' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_126e' : [ 0x10, { 'Argument1' : [ 0x0, ['pointer', ['void']]], 'Argument2' : [ 0x4, ['pointer', ['void']]], 'Argument3' : [ 0x8, ['pointer', ['void']]], 'Argument4' : [ 0xc, ['pointer', ['void']]], } ], 
'__unnamed_1270' : [ 0x10, { 'Create' : [ 0x0, ['__unnamed_1200']], 'CreatePipe' : [ 0x0, ['__unnamed_1204']], 'CreateMailslot' : [ 0x0, ['__unnamed_1208']], 'Read' : [ 0x0, ['__unnamed_120a']], 'Write' : [ 0x0, ['__unnamed_120a']], 'QueryDirectory' : [ 0x0, ['__unnamed_120e']], 'NotifyDirectory' : [ 0x0, ['__unnamed_1210']], 'QueryFile' : [ 0x0, ['__unnamed_1212']], 'SetFile' : [ 0x0, ['__unnamed_1214']], 'QueryEa' : [ 0x0, ['__unnamed_1216']], 'SetEa' : [ 0x0, ['__unnamed_1218']], 'QueryVolume' : [ 0x0, ['__unnamed_121c']], 'SetVolume' : [ 0x0, ['__unnamed_121c']], 'FileSystemControl' : [ 0x0, ['__unnamed_121e']], 'LockControl' : [ 0x0, ['__unnamed_1221']], 'DeviceIoControl' : [ 0x0, ['__unnamed_1223']], 'QuerySecurity' : [ 0x0, ['__unnamed_1225']], 'SetSecurity' : [ 0x0, ['__unnamed_1227']], 'MountVolume' : [ 0x0, ['__unnamed_122b']], 'VerifyVolume' : [ 0x0, ['__unnamed_122b']], 'Scsi' : [ 0x0, ['__unnamed_122f']], 'QueryQuota' : [ 0x0, ['__unnamed_1233']], 'SetQuota' : [ 0x0, ['__unnamed_1218']], 'QueryDeviceRelations' : [ 0x0, ['__unnamed_1237']], 'QueryInterface' : [ 0x0, ['__unnamed_123e']], 'DeviceCapabilities' : [ 0x0, ['__unnamed_1242']], 'FilterResourceRequirements' : [ 0x0, ['__unnamed_1246']], 'ReadWriteConfig' : [ 0x0, ['__unnamed_1248']], 'SetLock' : [ 0x0, ['__unnamed_124a']], 'QueryId' : [ 0x0, ['__unnamed_124e']], 'QueryDeviceText' : [ 0x0, ['__unnamed_1252']], 'UsageNotification' : [ 0x0, ['__unnamed_1256']], 'WaitWake' : [ 0x0, ['__unnamed_125a']], 'PowerSequence' : [ 0x0, ['__unnamed_125e']], 'Power' : [ 0x0, ['__unnamed_1266']], 'StartDevice' : [ 0x0, ['__unnamed_126a']], 'WMI' : [ 0x0, ['__unnamed_126c']], 'Others' : [ 0x0, ['__unnamed_126e']], } ], '_IO_STACK_LOCATION' : [ 0x24, { 'MajorFunction' : [ 0x0, ['unsigned char']], 'MinorFunction' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned char']], 'Control' : [ 0x3, ['unsigned char']], 'Parameters' : [ 0x4, ['__unnamed_1270']], 'DeviceObject' : [ 0x14, ['pointer', 
['_DEVICE_OBJECT']]], 'FileObject' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'CompletionRoutine' : [ 0x1c, ['pointer', ['void']]], 'Context' : [ 0x20, ['pointer', ['void']]], } ], '_IO_DRIVER_CREATE_CONTEXT' : [ 0x10, { 'Size' : [ 0x0, ['short']], 'ExtraCreateParameter' : [ 0x4, ['pointer', ['_ECP_LIST']]], 'DeviceObjectHint' : [ 0x8, ['pointer', ['void']]], 'TxnParameters' : [ 0xc, ['pointer', ['_TXN_PARAMETER_BLOCK']]], } ], '_IO_PRIORITY_INFO' : [ 0x10, { 'Size' : [ 0x0, ['unsigned long']], 'ThreadPriority' : [ 0x4, ['unsigned long']], 'PagePriority' : [ 0x8, ['unsigned long']], 'IoPriority' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IoPriorityVeryLow', 1: 'IoPriorityLow', 2: 'IoPriorityNormal', 3: 'IoPriorityHigh', 4: 'IoPriorityCritical', 5: 'MaxIoPriorityTypes'})]], } ], '_OBJECT_ATTRIBUTES' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ObjectName' : [ 0x8, ['pointer', ['_UNICODE_STRING']]], 'Attributes' : [ 0xc, ['unsigned long']], 'SecurityDescriptor' : [ 0x10, ['pointer', ['void']]], 'SecurityQualityOfService' : [ 0x14, ['pointer', ['void']]], } ], '_OBJECT_HANDLE_INFORMATION' : [ 0x8, { 'HandleAttributes' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], } ], '_OBJECT_HEADER' : [ 0x20, { 'PointerCount' : [ 0x0, ['long']], 'HandleCount' : [ 0x4, ['long']], 'NextToFree' : [ 0x4, ['pointer', ['void']]], 'Type' : [ 0x8, ['pointer', ['_OBJECT_TYPE']]], 'NameInfoOffset' : [ 0xc, ['unsigned char']], 'HandleInfoOffset' : [ 0xd, ['unsigned char']], 'QuotaInfoOffset' : [ 0xe, ['unsigned char']], 'Flags' : [ 0xf, ['unsigned char']], 'ObjectCreateInfo' : [ 0x10, ['pointer', ['_OBJECT_CREATE_INFORMATION']]], 'QuotaBlockCharged' : [ 0x10, ['pointer', ['void']]], 'SecurityDescriptor' : [ 0x14, ['pointer', ['void']]], 'Body' : [ 0x18, ['_QUAD']], } ], '_OBJECT_HEADER_QUOTA_INFO' : [ 0x10, { 'PagedPoolCharge' : [ 0x0, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x4, 
['unsigned long']], 'SecurityDescriptorCharge' : [ 0x8, ['unsigned long']], 'ExclusiveProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], } ], '_OBJECT_HEADER_HANDLE_INFO' : [ 0x8, { 'HandleCountDataBase' : [ 0x0, ['pointer', ['_OBJECT_HANDLE_COUNT_DATABASE']]], 'SingleEntry' : [ 0x0, ['_OBJECT_HANDLE_COUNT_ENTRY']], } ], '_OBJECT_HEADER_NAME_INFO' : [ 0x10, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Name' : [ 0x4, ['_UNICODE_STRING']], 'QueryReferences' : [ 0xc, ['unsigned long']], } ], '_OBJECT_HEADER_CREATOR_INFO' : [ 0x10, { 'TypeList' : [ 0x0, ['_LIST_ENTRY']], 'CreatorUniqueProcess' : [ 0x8, ['pointer', ['void']]], 'CreatorBackTraceIndex' : [ 0xc, ['unsigned short']], 'Reserved' : [ 0xe, ['unsigned short']], } ], '_EVENT_DATA_DESCRIPTOR' : [ 0x10, { 'Ptr' : [ 0x0, ['unsigned long long']], 'Size' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_EVENT_DESCRIPTOR' : [ 0x10, { 'Id' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned char']], 'Channel' : [ 0x3, ['unsigned char']], 'Level' : [ 0x4, ['unsigned char']], 'Opcode' : [ 0x5, ['unsigned char']], 'Task' : [ 0x6, ['unsigned short']], 'Keyword' : [ 0x8, ['unsigned long long']], } ], '_PERFINFO_GROUPMASK' : [ 0x20, { 'Masks' : [ 0x0, ['array', 8, ['unsigned long']]], } ], '_FILE_OBJECT' : [ 0x80, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Vpb' : [ 0x8, ['pointer', ['_VPB']]], 'FsContext' : [ 0xc, ['pointer', ['void']]], 'FsContext2' : [ 0x10, ['pointer', ['void']]], 'SectionObjectPointer' : [ 0x14, ['pointer', ['_SECTION_OBJECT_POINTERS']]], 'PrivateCacheMap' : [ 0x18, ['pointer', ['void']]], 'FinalStatus' : [ 0x1c, ['long']], 'RelatedFileObject' : [ 0x20, ['pointer', ['_FILE_OBJECT']]], 'LockOperation' : [ 0x24, ['unsigned char']], 'DeletePending' : [ 0x25, ['unsigned char']], 'ReadAccess' : [ 0x26, ['unsigned char']], 'WriteAccess' : [ 0x27, ['unsigned char']], 'DeleteAccess' : [ 0x28, 
['unsigned char']], 'SharedRead' : [ 0x29, ['unsigned char']], 'SharedWrite' : [ 0x2a, ['unsigned char']], 'SharedDelete' : [ 0x2b, ['unsigned char']], 'Flags' : [ 0x2c, ['unsigned long']], 'FileName' : [ 0x30, ['_UNICODE_STRING']], 'CurrentByteOffset' : [ 0x38, ['_LARGE_INTEGER']], 'Waiters' : [ 0x40, ['unsigned long']], 'Busy' : [ 0x44, ['unsigned long']], 'LastLock' : [ 0x48, ['pointer', ['void']]], 'Lock' : [ 0x4c, ['_KEVENT']], 'Event' : [ 0x5c, ['_KEVENT']], 'CompletionContext' : [ 0x6c, ['pointer', ['_IO_COMPLETION_CONTEXT']]], 'IrpListLock' : [ 0x70, ['unsigned long']], 'IrpList' : [ 0x74, ['_LIST_ENTRY']], 'FileObjectExtension' : [ 0x7c, ['pointer', ['void']]], } ], '_MM_PAGE_ACCESS_INFO_HEADER' : [ 0x38, { 'Link' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'MmPteAccessType', 1: 'MmCcReadAheadType', 2: 'MmPfnRepurposeType', 3: 'MmMaximumPageAccessType'})]], 'EmptySequenceNumber' : [ 0x8, ['unsigned long']], 'CurrentFileIndex' : [ 0x8, ['unsigned long']], 'CreateTime' : [ 0x10, ['unsigned long long']], 'EmptyTime' : [ 0x18, ['unsigned long long']], 'TempEntry' : [ 0x18, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'PageEntry' : [ 0x20, ['pointer', ['_MM_PAGE_ACCESS_INFO']]], 'FileEntry' : [ 0x24, ['pointer', ['unsigned long']]], 'FirstFileEntry' : [ 0x28, ['pointer', ['unsigned long']]], 'Process' : [ 0x2c, ['pointer', ['_EPROCESS']]], 'SessionId' : [ 0x30, ['unsigned long']], 'PageFrameEntry' : [ 0x20, ['pointer', ['unsigned long']]], 'LastPageFrameEntry' : [ 0x24, ['pointer', ['unsigned long']]], } ], '_PF_HARD_FAULT_INFO' : [ 0x30, { 'KernelTimeStamp' : [ 0x0, ['_ETW_KERNEL_TRACE_TIMESTAMP']], 'HardFaultEvent' : [ 0x10, ['_PERFINFO_HARDPAGEFAULT_INFORMATION']], 'IoTimeInTicks' : [ 0x28, ['_LARGE_INTEGER']], } ], '_WHEA_ERROR_RECORD' : [ 0xc8, { 'Header' : [ 0x0, ['_WHEA_ERROR_RECORD_HEADER']], 'SectionDescriptor' : [ 0x80, ['array', 1, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR']]], } ], '_GUID' : [ 0x10, 
{ 'Data1' : [ 0x0, ['unsigned long']], 'Data2' : [ 0x4, ['unsigned short']], 'Data3' : [ 0x6, ['unsigned short']], 'Data4' : [ 0x8, ['array', 8, ['unsigned char']]], } ], '__unnamed_1320' : [ 0xd0, { 'ProcessorError' : [ 0x0, ['_WHEA_GENERIC_PROCESSOR_ERROR']], 'MemoryError' : [ 0x0, ['_WHEA_MEMORY_ERROR']], 'NmiError' : [ 0x0, ['_WHEA_NMI_ERROR']], 'PciExpressError' : [ 0x0, ['_WHEA_PCIEXPRESS_ERROR']], 'PciXBusError' : [ 0x0, ['_WHEA_PCIXBUS_ERROR']], 'PciXDeviceError' : [ 0x0, ['_WHEA_PCIXDEVICE_ERROR']], } ], '_WHEA_ERROR_PACKET' : [ 0x119, { 'Signature' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['_WHEA_ERROR_PACKET_FLAGS']], 'Size' : [ 0x8, ['unsigned long']], 'RawDataLength' : [ 0xc, ['unsigned long']], 'Reserved1' : [ 0x10, ['unsigned long long']], 'Context' : [ 0x18, ['unsigned long long']], 'ErrorType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrTypeProcessor', 1: 'WheaErrTypeMemory', 2: 'WheaErrTypePCIExpress', 3: 'WheaErrTypeNMI', 4: 'WheaErrTypePCIXBus', 5: 'WheaErrTypePCIXDevice', 6: 'WheaErrTypeGeneric'})]], 'ErrorSeverity' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'ErrorSourceId' : [ 0x28, ['unsigned long']], 'ErrorSourceType' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSrcTypeMCE', 1: 'WheaErrSrcTypeCMC', 2: 'WheaErrSrcTypeCPE', 3: 'WheaErrSrcTypeNMI', 4: 'WheaErrSrcTypePCIe', 5: 'WheaErrSrcTypeGeneric', 6: 'WheaErrSrcTypeINIT', 7: 'WheaErrSrcTypeBOOT', 8: 'WheaErrSrcTypeSCIGeneric', 9: 'WheaErrSrcTypeIPFMCA', 10: 'WheaErrSrcTypeIPFCMC', 11: 'WheaErrSrcTypeIPFCPE', 12: 'WheaErrSrcTypeMax'})]], 'Reserved2' : [ 0x30, ['unsigned long']], 'Version' : [ 0x34, ['unsigned long']], 'Cpu' : [ 0x38, ['unsigned long long']], 'u' : [ 0x40, ['__unnamed_1320']], 'RawDataFormat' : [ 0x110, ['Enumeration', dict(target = 'long', choices = {0: 'WheaRawDataFormatIPFSalRecord', 1: 
'WheaRawDataFormatIA32MCA', 2: 'WheaRawDataFormatIntel64MCA', 3: 'WheaRawDataFormatAMD64MCA', 4: 'WheaRawDataFormatMemory', 5: 'WheaRawDataFormatPCIExpress', 6: 'WheaRawDataFormatNMIPort', 7: 'WheaRawDataFormatPCIXBus', 8: 'WheaRawDataFormatPCIXDevice', 9: 'WheaRawDataFormatGeneric', 10: 'WheaRawDataFormatMax'})]], 'RawDataOffset' : [ 0x114, ['unsigned long']], 'RawData' : [ 0x118, ['array', 1, ['unsigned char']]], } ], '_KPROCESS' : [ 0x80, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'ProfileListHead' : [ 0x10, ['_LIST_ENTRY']], 'DirectoryTableBase' : [ 0x18, ['unsigned long']], 'Unused0' : [ 0x1c, ['unsigned long']], 'LdtDescriptor' : [ 0x20, ['_KGDTENTRY']], 'Int21Descriptor' : [ 0x28, ['_KIDTENTRY']], 'IopmOffset' : [ 0x30, ['unsigned short']], 'Unused1' : [ 0x32, ['unsigned char']], 'Unused2' : [ 0x33, ['unsigned char']], 'ActiveProcessors' : [ 0x34, ['unsigned long']], 'KernelTime' : [ 0x38, ['unsigned long']], 'UserTime' : [ 0x3c, ['unsigned long']], 'ReadyListHead' : [ 0x40, ['_LIST_ENTRY']], 'SwapListEntry' : [ 0x48, ['_SINGLE_LIST_ENTRY']], 'VdmTrapcHandler' : [ 0x4c, ['pointer', ['void']]], 'ThreadListHead' : [ 0x50, ['_LIST_ENTRY']], 'ProcessLock' : [ 0x58, ['unsigned long']], 'Affinity' : [ 0x5c, ['unsigned long']], 'AutoAlignment' : [ 0x60, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='long')]], 'DisableBoost' : [ 0x60, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='long')]], 'DisableQuantum' : [ 0x60, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='long')]], 'ReservedFlags' : [ 0x60, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='long')]], 'ProcessFlags' : [ 0x60, ['long']], 'BasePriority' : [ 0x64, ['unsigned char']], 'QuantumReset' : [ 0x65, ['unsigned char']], 'State' : [ 0x66, ['unsigned char']], 'ThreadSeed' : [ 0x67, ['unsigned char']], 'PowerState' : [ 0x68, ['unsigned char']], 'IdealNode' : [ 0x69, ['unsigned char']], 'Visited' : [ 0x6a, ['unsigned char']], 'Flags' : [ 0x6b, 
['_KEXECUTE_OPTIONS']], 'ExecuteOptions' : [ 0x6b, ['unsigned char']], 'StackCount' : [ 0x6c, ['unsigned long']], 'ProcessListEntry' : [ 0x70, ['_LIST_ENTRY']], 'CycleTime' : [ 0x78, ['unsigned long long']], } ], '__unnamed_13d6' : [ 0x4, { 'Long' : [ 0x0, ['unsigned long']], 'VolatileLong' : [ 0x0, ['unsigned long']], 'Flush' : [ 0x0, ['_HARDWARE_PTE']], 'Hard' : [ 0x0, ['_MMPTE_HARDWARE']], 'Proto' : [ 0x0, ['_MMPTE_PROTOTYPE']], 'Soft' : [ 0x0, ['_MMPTE_SOFTWARE']], 'TimeStamp' : [ 0x0, ['_MMPTE_TIMESTAMP']], 'Trans' : [ 0x0, ['_MMPTE_TRANSITION']], 'Subsect' : [ 0x0, ['_MMPTE_SUBSECTION']], 'List' : [ 0x0, ['_MMPTE_LIST']], } ], '_MMPTE' : [ 0x4, { 'u' : [ 0x0, ['__unnamed_13d6']], } ], '__unnamed_13ea' : [ 0xc, { 'I386' : [ 0x0, ['_I386_LOADER_BLOCK']], 'Alpha' : [ 0x0, ['_ALPHA_LOADER_BLOCK']], 'Ia64' : [ 0x0, ['_IA64_LOADER_BLOCK']], } ], '_LOADER_PARAMETER_BLOCK' : [ 0x7c, { 'LoadOrderListHead' : [ 0x0, ['_LIST_ENTRY']], 'MemoryDescriptorListHead' : [ 0x8, ['_LIST_ENTRY']], 'BootDriverListHead' : [ 0x10, ['_LIST_ENTRY']], 'KernelStack' : [ 0x18, ['unsigned long']], 'Prcb' : [ 0x1c, ['unsigned long']], 'Process' : [ 0x20, ['unsigned long']], 'Thread' : [ 0x24, ['unsigned long']], 'RegistryLength' : [ 0x28, ['unsigned long']], 'RegistryBase' : [ 0x2c, ['pointer', ['void']]], 'ConfigurationRoot' : [ 0x30, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'ArcBootDeviceName' : [ 0x34, ['pointer', ['unsigned char']]], 'ArcHalDeviceName' : [ 0x38, ['pointer', ['unsigned char']]], 'NtBootPathName' : [ 0x3c, ['pointer', ['unsigned char']]], 'NtHalPathName' : [ 0x40, ['pointer', ['unsigned char']]], 'LoadOptions' : [ 0x44, ['pointer', ['unsigned char']]], 'NlsData' : [ 0x48, ['pointer', ['_NLS_DATA_BLOCK']]], 'ArcDiskInformation' : [ 0x4c, ['pointer', ['_ARC_DISK_INFORMATION']]], 'OemFontFile' : [ 0x50, ['pointer', ['void']]], 'SetupLoaderBlock' : [ 0x54, ['pointer', ['_SETUP_LOADER_BLOCK']]], 'Extension' : [ 0x58, ['pointer', ['_LOADER_PARAMETER_EXTENSION']]], 'u' : 
[ 0x5c, ['__unnamed_13ea']], 'FirmwareInformation' : [ 0x68, ['_FIRMWARE_INFORMATION_LOADER_BLOCK']], } ], '_MMPTE_FLUSH_LIST' : [ 0x8c, { 'Count' : [ 0x0, ['unsigned long']], 'MaximumCount' : [ 0x4, ['unsigned long']], 'FlushVa' : [ 0x8, ['array', 33, ['pointer', ['void']]]], } ], '_MI_COLOR_BASE' : [ 0x8, { 'ColorPointer' : [ 0x0, ['pointer', ['unsigned short']]], 'ColorMask' : [ 0x4, ['unsigned short']], 'ColorNode' : [ 0x6, ['unsigned short']], } ], '_MMSUPPORT' : [ 0x48, { 'WorkingSetExpansionLinks' : [ 0x0, ['_LIST_ENTRY']], 'LastTrimStamp' : [ 0x8, ['unsigned short']], 'NextPageColor' : [ 0xa, ['unsigned short']], 'Flags' : [ 0xc, ['_MMSUPPORT_FLAGS']], 'PageFaultCount' : [ 0x10, ['unsigned long']], 'PeakWorkingSetSize' : [ 0x14, ['unsigned long']], 'ChargedWslePages' : [ 0x18, ['unsigned long']], 'MinimumWorkingSetSize' : [ 0x1c, ['unsigned long']], 'MaximumWorkingSetSize' : [ 0x20, ['unsigned long']], 'VmWorkingSetList' : [ 0x24, ['pointer', ['_MMWSL']]], 'Claim' : [ 0x28, ['unsigned long']], 'ActualWslePages' : [ 0x2c, ['unsigned long']], 'WorkingSetPrivateSize' : [ 0x30, ['unsigned long']], 'WorkingSetSizeOverhead' : [ 0x34, ['unsigned long']], 'WorkingSetSize' : [ 0x38, ['unsigned long']], 'ExitGate' : [ 0x3c, ['pointer', ['_KGATE']]], 'WorkingSetMutex' : [ 0x40, ['_EX_PUSH_LOCK']], 'AccessLog' : [ 0x44, ['pointer', ['void']]], } ], '__unnamed_1424' : [ 0x4, { 'Flink' : [ 0x0, ['unsigned long']], 'WsIndex' : [ 0x0, ['unsigned long']], 'Event' : [ 0x0, ['pointer', ['_KEVENT']]], 'Next' : [ 0x0, ['pointer', ['void']]], 'VolatileNext' : [ 0x0, ['pointer', ['void']]], 'KernelStackOwner' : [ 0x0, ['pointer', ['_KTHREAD']]], 'NextStackPfn' : [ 0x0, ['_SINGLE_LIST_ENTRY']], } ], '__unnamed_1426' : [ 0x4, { 'Blink' : [ 0x0, ['unsigned long']], 'ImageProtoPte' : [ 0x0, ['pointer', ['_MMPTE']]], 'ShareCount' : [ 0x0, ['unsigned long']], } ], '__unnamed_1429' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'VolatileReferenceCount' : [ 0x0, ['short']], 
'ShortFlags' : [ 0x2, ['unsigned short']], } ], '__unnamed_142b' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'ByteFlags' : [ 0x2, ['unsigned char']], 'InterlockedByteFlags' : [ 0x3, ['unsigned char']], } ], '__unnamed_142d' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned short']], 'e1' : [ 0x2, ['_MMPFNENTRY']], 'e2' : [ 0x0, ['__unnamed_1429']], 'e3' : [ 0x0, ['__unnamed_142b']], } ], '__unnamed_1432' : [ 0x4, { 'PteFrame' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 25, native_type='unsigned long')]], 'PfnImageVerified' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]], 'AweAllocation' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]], 'PrototypePte' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]], 'PageColor' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 32, native_type='unsigned long')]], } ], '_MMPFN' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_1424']], 'u2' : [ 0x4, ['__unnamed_1426']], 'PteAddress' : [ 0x8, ['pointer', ['_MMPTE']]], 'VolatilePteAddress' : [ 0x8, ['pointer', ['void']]], 'u3' : [ 0xc, ['__unnamed_142d']], 'OriginalPte' : [ 0x10, ['_MMPTE']], 'AweReferenceCount' : [ 0x10, ['long']], 'u4' : [ 0x14, ['__unnamed_1432']], } ], '__unnamed_143c' : [ 0x4, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'Long' : [ 0x0, ['unsigned long']], 'e1' : [ 0x0, ['_MMWSLENTRY']], 'e2' : [ 0x0, ['_MMWSLE_FREE_ENTRY']], } ], '_MMWSLE' : [ 0x4, { 'u1' : [ 0x0, ['__unnamed_143c']], } ], '_MMWSL' : [ 0x6b8, { 'FirstFree' : [ 0x0, ['unsigned long']], 'FirstDynamic' : [ 0x4, ['unsigned long']], 'LastEntry' : [ 0x8, ['unsigned long']], 'NextSlot' : [ 0xc, ['unsigned long']], 'Wsle' : [ 0x10, ['pointer', ['_MMWSLE']]], 'LowestPagableAddress' : [ 0x14, ['pointer', ['void']]], 'LastInitializedWsle' : [ 0x18, ['unsigned long']], 'NextEstimationSlot' : [ 0x1c, ['unsigned long']], 'NextAgingSlot' : [ 0x20, ['unsigned long']], 
'EstimatedAvailable' : [ 0x24, ['unsigned long']], 'GrowthSinceLastEstimate' : [ 0x28, ['unsigned long']], 'NumberOfCommittedPageTables' : [ 0x2c, ['unsigned long']], 'VadBitMapHint' : [ 0x30, ['unsigned long']], 'NonDirectCount' : [ 0x34, ['unsigned long']], 'LastVadBit' : [ 0x38, ['unsigned long']], 'MaximumLastVadBit' : [ 0x3c, ['unsigned long']], 'LastAllocationSizeHint' : [ 0x40, ['unsigned long']], 'LastAllocationSize' : [ 0x44, ['unsigned long']], 'NonDirectHash' : [ 0x48, ['pointer', ['_MMWSLE_NONDIRECT_HASH']]], 'HashTableStart' : [ 0x4c, ['pointer', ['_MMWSLE_HASH']]], 'HighestPermittedHashAddress' : [ 0x50, ['pointer', ['_MMWSLE_HASH']]], 'HighestUserAddress' : [ 0x54, ['pointer', ['void']]], 'UsedPageTableEntries' : [ 0x58, ['array', 768, ['unsigned short']]], 'CommittedPageTables' : [ 0x658, ['array', 24, ['unsigned long']]], } ], '__unnamed_1454' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MMSECTION_FLAGS']], } ], '__unnamed_1456' : [ 0x4, { 'ModifiedWriteCount' : [ 0x0, ['unsigned short']], 'FlushInProgressCount' : [ 0x2, ['unsigned short']], } ], '__unnamed_1458' : [ 0x4, { 'e2' : [ 0x0, ['__unnamed_1456']], } ], '__unnamed_1462' : [ 0xc, { 'NumberOfSystemCacheViews' : [ 0x0, ['unsigned long']], 'ImageRelocationStartBit' : [ 0x0, ['unsigned long']], 'WritableUserReferences' : [ 0x4, ['long']], 'ImageRelocationSizeIn64k' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'Unused' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 30, native_type='unsigned long')]], 'BitMap64' : [ 0x4, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]], 'ImageActive' : [ 0x4, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], 'SubsectionRoot' : [ 0x8, ['pointer', ['_MM_SUBSECTION_AVL_TABLE']]], 'SeImageStub' : [ 0x8, ['pointer', ['_MI_IMAGE_SECURITY_REFERENCE']]], } ], '__unnamed_1464' : [ 0xc, { 'e2' : [ 0x0, ['__unnamed_1462']], } ], 
'_CONTROL_AREA' : [ 0x48, { 'Segment' : [ 0x0, ['pointer', ['_SEGMENT']]], 'DereferenceList' : [ 0x4, ['_LIST_ENTRY']], 'NumberOfSectionReferences' : [ 0xc, ['unsigned long']], 'NumberOfPfnReferences' : [ 0x10, ['unsigned long']], 'NumberOfMappedViews' : [ 0x14, ['unsigned long']], 'NumberOfUserReferences' : [ 0x18, ['unsigned long']], 'u' : [ 0x1c, ['__unnamed_1454']], 'u1' : [ 0x20, ['__unnamed_1458']], 'FilePointer' : [ 0x24, ['_EX_FAST_REF']], 'ControlAreaLock' : [ 0x28, ['long']], 'StartingFrame' : [ 0x2c, ['unsigned long']], 'WaitingForDeletion' : [ 0x30, ['pointer', ['_MI_SECTION_CREATION_GATE']]], 'u2' : [ 0x34, ['__unnamed_1464']], 'LockedPages' : [ 0x40, ['long long']], } ], '_MMPAGING_FILE' : [ 0x50, { 'Size' : [ 0x0, ['unsigned long']], 'MaximumSize' : [ 0x4, ['unsigned long']], 'MinimumSize' : [ 0x8, ['unsigned long']], 'FreeSpace' : [ 0xc, ['unsigned long']], 'PeakUsage' : [ 0x10, ['unsigned long']], 'HighestPage' : [ 0x14, ['unsigned long']], 'File' : [ 0x18, ['pointer', ['_FILE_OBJECT']]], 'Entry' : [ 0x1c, ['array', 2, ['pointer', ['_MMMOD_WRITER_MDL_ENTRY']]]], 'PageFileName' : [ 0x24, ['_UNICODE_STRING']], 'Bitmap' : [ 0x2c, ['pointer', ['_RTL_BITMAP']]], 'BitmapHint' : [ 0x30, ['unsigned long']], 'LastAllocationSize' : [ 0x34, ['unsigned long']], 'PageFileNumber' : [ 0x38, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned short')]], 'BootPartition' : [ 0x38, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'Spare0' : [ 0x38, ['BitField', dict(start_bit = 5, end_bit = 16, native_type='unsigned short')]], 'AdriftMdls' : [ 0x3a, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Spare1' : [ 0x3a, ['BitField', dict(start_bit = 1, end_bit = 16, native_type='unsigned short')]], 'FileHandle' : [ 0x3c, ['pointer', ['void']]], 'AvailableList' : [ 0x40, ['_SLIST_HEADER']], 'NeedProcessingList' : [ 0x48, ['_SLIST_HEADER']], } ], '_MMPAGING_FILE_FREE_ENTRY' : [ 0x8, { 'ListEntry' : 
[ 0x0, ['_SINGLE_LIST_ENTRY']], 'FreeBit' : [ 0x4, ['unsigned long']], } ], '_RTL_BITMAP' : [ 0x8, { 'SizeOfBitMap' : [ 0x0, ['unsigned long']], 'Buffer' : [ 0x4, ['pointer', ['unsigned long']]], } ], '__unnamed_149d' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMVAD']]], } ], '__unnamed_14a0' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'VadFlags' : [ 0x0, ['_MMVAD_FLAGS']], } ], '__unnamed_14a3' : [ 0x4, { 'LongFlags3' : [ 0x0, ['unsigned long']], 'VadFlags3' : [ 0x0, ['_MMVAD_FLAGS3']], } ], '_MMVAD_SHORT' : [ 0x20, { 'u1' : [ 0x0, ['__unnamed_149d']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_14a0']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_14a3']], } ], '_MM_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMADDRESS_NODE']], 'DepthOfTree' : [ 0x14, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x14, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x14, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x18, ['pointer', ['void']]], 'NodeFreeHint' : [ 0x1c, ['pointer', ['void']]], } ], '__unnamed_14ac' : [ 0x4, { 'LongFlags2' : [ 0x0, ['unsigned long']], 'VadFlags2' : [ 0x0, ['_MMVAD_FLAGS2']], } ], '_MMVAD' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_149d']], 'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]], 'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], 'u' : [ 0x14, ['__unnamed_14a0']], 'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']], 'u5' : [ 0x1c, ['__unnamed_14a3']], 'u2' : [ 0x20, ['__unnamed_14ac']], 'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]], 
'MappedSubsection' : [ 0x24, ['pointer', ['_MSUBSECTION']]], 'FirstPrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]], } ], '__unnamed_14bc' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMADDRESS_NODE']]], } ], '_MMADDRESS_NODE' : [ 0x14, { 'u1' : [ 0x0, ['__unnamed_14bc']], 'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x8, ['pointer', ['_MMADDRESS_NODE']]], 'StartingVpn' : [ 0xc, ['unsigned long']], 'EndingVpn' : [ 0x10, ['unsigned long']], } ], '__unnamed_14c1' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'SubsectionFlags' : [ 0x0, ['_MMSUBSECTION_FLAGS']], } ], '_SUBSECTION' : [ 0x20, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_14c1']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], } ], '__unnamed_14c7' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMADDRESS_NODE']]], 'NextToFree' : [ 0x0, ['pointer', ['_MI_PER_SESSION_PROTOS']]], } ], '__unnamed_14c9' : [ 0x4, { 'ReferenceCount' : [ 0x0, ['unsigned long']], 'NumberOfPtesToFree' : [ 0x0, ['unsigned long']], } ], '_MI_PER_SESSION_PROTOS' : [ 0x1c, { 'u1' : [ 0x0, ['__unnamed_14c7']], 'LeftChild' : [ 0x4, ['pointer', ['_MMADDRESS_NODE']]], 'RightChild' : [ 0x8, ['pointer', ['_MMADDRESS_NODE']]], 'SessionId' : [ 0xc, ['unsigned long']], 'StartingVpn' : [ 0xc, ['unsigned long']], 'Subsection' : [ 0xc, ['pointer', ['_SUBSECTION']]], 'EndingVpn' : [ 0x10, ['unsigned long']], 'SubsectionBase' : [ 0x14, 
['pointer', ['_MMPTE']]],
    'u2' : [ 0x18, ['__unnamed_14c9']],
} ],
  '__unnamed_14d2' : [ 0x8, {
    'IoStatus' : [ 0x0, ['_IO_STATUS_BLOCK']],
} ],
  '__unnamed_14d4' : [ 0x4, {
    'KeepForever' : [ 0x0, ['unsigned long']],
} ],
  '_MMMOD_WRITER_MDL_ENTRY' : [ 0x60, {
    'Links' : [ 0x0, ['_LIST_ENTRY']],
    'u' : [ 0x8, ['__unnamed_14d2']],
    'Irp' : [ 0x10, ['pointer', ['_IRP']]],
    'u1' : [ 0x14, ['__unnamed_14d4']],
    'PagingFile' : [ 0x18, ['pointer', ['_MMPAGING_FILE']]],
    'File' : [ 0x1c, ['pointer', ['_FILE_OBJECT']]],
    'ControlArea' : [ 0x20, ['pointer', ['_CONTROL_AREA']]],
    'FileResource' : [ 0x24, ['pointer', ['_ERESOURCE']]],
    'WriteOffset' : [ 0x28, ['_LARGE_INTEGER']],
    'IssueTime' : [ 0x30, ['_LARGE_INTEGER']],
    'PointerMdl' : [ 0x38, ['pointer', ['_MDL']]],
    'Mdl' : [ 0x3c, ['_MDL']],
    'Page' : [ 0x58, ['array', 1, ['unsigned long']]],
} ],
  '__unnamed_14dd' : [ 0x20, {
    'Mdl' : [ 0x0, ['_MDL']],
    'Page' : [ 0x1c, ['array', 1, ['unsigned long']]],
} ],
  '_MI_PAGEFILE_TRACES' : [ 0x40, {
    'Status' : [ 0x0, ['long']],
    'Priority' : [ 0x4, ['unsigned char']],
    'IrpPriority' : [ 0x5, ['unsigned char']],
    'CurrentTime' : [ 0x8, ['_LARGE_INTEGER']],
    'AvailablePages' : [ 0x10, ['unsigned long']],
    'ModifiedPagesTotal' : [ 0x14, ['unsigned long']],
    'ModifiedPagefilePages' : [ 0x18, ['unsigned long']],
    'ModifiedNoWritePages' : [ 0x1c, ['unsigned long']],
    'MdlHack' : [ 0x20, ['__unnamed_14dd']],
} ],
  '_HHIVE' : [ 0x2e8, {
    'Signature' : [ 0x0, ['unsigned long']],
    'GetCellRoutine' : [ 0x4, ['pointer', ['void']]],
    'ReleaseCellRoutine' : [ 0x8, ['pointer', ['void']]],
    'Allocate' : [ 0xc, ['pointer', ['void']]],
    'Free' : [ 0x10, ['pointer', ['void']]],
    'FileSetSize' : [ 0x14, ['pointer', ['void']]],
    'FileWrite' : [ 0x18, ['pointer', ['void']]],
    'FileRead' : [ 0x1c, ['pointer', ['void']]],
    'FileFlush' : [ 0x20, ['pointer', ['void']]],
    'BaseBlock' : [ 0x24, ['pointer', ['_HBASE_BLOCK']]],
    'DirtyVector' : [ 0x28, ['_RTL_BITMAP']],
    'DirtyCount' : [ 0x30, ['unsigned long']],
    'DirtyAlloc' : [ 0x34, ['unsigned long']],
    'BaseBlockAlloc' : [ 0x38, ['unsigned long']],
    'Cluster' : [ 0x3c, ['unsigned long']],
    'Flat' : [ 0x40, ['unsigned char']],
    'ReadOnly' : [ 0x41, ['unsigned char']],
    'DirtyFlag' : [ 0x42, ['unsigned char']],
    'HvBinHeadersUse' : [ 0x44, ['unsigned long']],
    'HvFreeCellsUse' : [ 0x48, ['unsigned long']],
    'HvUsedCellsUse' : [ 0x4c, ['unsigned long']],
    'CmUsedCellsUse' : [ 0x50, ['unsigned long']],
    'HiveFlags' : [ 0x54, ['unsigned long']],
    'CurrentLog' : [ 0x58, ['unsigned long']],
    'LogSize' : [ 0x5c, ['array', 2, ['unsigned long']]],
    'RefreshCount' : [ 0x64, ['unsigned long']],
    'StorageTypeCount' : [ 0x68, ['unsigned long']],
    'Version' : [ 0x6c, ['unsigned long']],
    'Storage' : [ 0x70, ['array', 2, ['_DUAL']]],
} ],
  '_iobuf' : [ 0x20, {
    '_ptr' : [ 0x0, ['pointer', ['unsigned char']]],
    '_cnt' : [ 0x4, ['long']],
    '_base' : [ 0x8, ['pointer', ['unsigned char']]],
    '_flag' : [ 0xc, ['long']],
    '_file' : [ 0x10, ['long']],
    '_charbuf' : [ 0x14, ['long']],
    '_bufsiz' : [ 0x18, ['long']],
    '_tmpfname' : [ 0x1c, ['pointer', ['unsigned char']]],
} ],
  '_CM_VIEW_OF_FILE' : [ 0x30, {
    'MappedViewLinks' : [ 0x0, ['_LIST_ENTRY']],
    'PinnedViewLinks' : [ 0x8, ['_LIST_ENTRY']],
    'FlushedViewLinks' : [ 0x10, ['_LIST_ENTRY']],
    'CmHive' : [ 0x18, ['pointer', ['_CMHIVE']]],
    'Bcb' : [ 0x1c, ['pointer', ['void']]],
    'ViewAddress' : [ 0x20, ['pointer', ['void']]],
    'FileOffset' : [ 0x24, ['unsigned long']],
    'Size' : [ 0x28, ['unsigned long']],
    'UseCount' : [ 0x2c, ['unsigned long']],
} ],
  '_TEB' : [ 0xff8, {
    'NtTib' : [ 0x0, ['_NT_TIB']],
    'EnvironmentPointer' : [ 0x1c, ['pointer', ['void']]],
    'ClientId' : [ 0x20, ['_CLIENT_ID']],
    'ActiveRpcHandle' : [ 0x28, ['pointer', ['void']]],
    'ThreadLocalStoragePointer' : [ 0x2c, ['pointer', ['void']]],
    'ProcessEnvironmentBlock' : [ 0x30, ['pointer', ['_PEB']]],
    'LastErrorValue' : [ 0x34, ['unsigned long']],
    'CountOfOwnedCriticalSections' : [ 0x38, ['unsigned long']],
    'CsrClientThread' : [ 0x3c, ['pointer', ['void']]],
    'Win32ThreadInfo' : [ 0x40,
['pointer', ['void']]], 'User32Reserved' : [ 0x44, ['array', 26, ['unsigned long']]], 'UserReserved' : [ 0xac, ['array', 5, ['unsigned long']]], 'WOW32Reserved' : [ 0xc0, ['pointer', ['void']]], 'CurrentLocale' : [ 0xc4, ['unsigned long']], 'FpSoftwareStatusRegister' : [ 0xc8, ['unsigned long']], 'SystemReserved1' : [ 0xcc, ['array', 54, ['pointer', ['void']]]], 'ExceptionCode' : [ 0x1a4, ['long']], 'ActivationContextStackPointer' : [ 0x1a8, ['pointer', ['_ACTIVATION_CONTEXT_STACK']]], 'SpareBytes1' : [ 0x1ac, ['array', 36, ['unsigned char']]], 'TxFsContext' : [ 0x1d0, ['unsigned long']], 'GdiTebBatch' : [ 0x1d4, ['_GDI_TEB_BATCH']], 'RealClientId' : [ 0x6b4, ['_CLIENT_ID']], 'GdiCachedProcessHandle' : [ 0x6bc, ['pointer', ['void']]], 'GdiClientPID' : [ 0x6c0, ['unsigned long']], 'GdiClientTID' : [ 0x6c4, ['unsigned long']], 'GdiThreadLocalInfo' : [ 0x6c8, ['pointer', ['void']]], 'Win32ClientInfo' : [ 0x6cc, ['array', 62, ['unsigned long']]], 'glDispatchTable' : [ 0x7c4, ['array', 233, ['pointer', ['void']]]], 'glReserved1' : [ 0xb68, ['array', 29, ['unsigned long']]], 'glReserved2' : [ 0xbdc, ['pointer', ['void']]], 'glSectionInfo' : [ 0xbe0, ['pointer', ['void']]], 'glSection' : [ 0xbe4, ['pointer', ['void']]], 'glTable' : [ 0xbe8, ['pointer', ['void']]], 'glCurrentRC' : [ 0xbec, ['pointer', ['void']]], 'glContext' : [ 0xbf0, ['pointer', ['void']]], 'LastStatusValue' : [ 0xbf4, ['unsigned long']], 'StaticUnicodeString' : [ 0xbf8, ['_UNICODE_STRING']], 'StaticUnicodeBuffer' : [ 0xc00, ['array', 261, ['wchar']]], 'DeallocationStack' : [ 0xe0c, ['pointer', ['void']]], 'TlsSlots' : [ 0xe10, ['array', 64, ['pointer', ['void']]]], 'TlsLinks' : [ 0xf10, ['_LIST_ENTRY']], 'Vdm' : [ 0xf18, ['pointer', ['void']]], 'ReservedForNtRpc' : [ 0xf1c, ['pointer', ['void']]], 'DbgSsReserved' : [ 0xf20, ['array', 2, ['pointer', ['void']]]], 'HardErrorMode' : [ 0xf28, ['unsigned long']], 'Instrumentation' : [ 0xf2c, ['array', 9, ['pointer', ['void']]]], 'ActivityId' : [ 0xf50, 
['_GUID']], 'SubProcessTag' : [ 0xf60, ['pointer', ['void']]], 'EtwLocalData' : [ 0xf64, ['pointer', ['void']]], 'EtwTraceData' : [ 0xf68, ['pointer', ['void']]], 'WinSockData' : [ 0xf6c, ['pointer', ['void']]], 'GdiBatchCount' : [ 0xf70, ['unsigned long']], 'SpareBool0' : [ 0xf74, ['unsigned char']], 'SpareBool1' : [ 0xf75, ['unsigned char']], 'SpareBool2' : [ 0xf76, ['unsigned char']], 'IdealProcessor' : [ 0xf77, ['unsigned char']], 'GuaranteedStackBytes' : [ 0xf78, ['unsigned long']], 'ReservedForPerf' : [ 0xf7c, ['pointer', ['void']]], 'ReservedForOle' : [ 0xf80, ['pointer', ['void']]], 'WaitingOnLoaderLock' : [ 0xf84, ['unsigned long']], 'SavedPriorityState' : [ 0xf88, ['pointer', ['void']]], 'SoftPatchPtr1' : [ 0xf8c, ['unsigned long']], 'ThreadPoolData' : [ 0xf90, ['pointer', ['void']]], 'TlsExpansionSlots' : [ 0xf94, ['pointer', ['pointer', ['void']]]], 'ImpersonationLocale' : [ 0xf98, ['unsigned long']], 'IsImpersonating' : [ 0xf9c, ['unsigned long']], 'NlsCache' : [ 0xfa0, ['pointer', ['void']]], 'pShimData' : [ 0xfa4, ['pointer', ['void']]], 'HeapVirtualAffinity' : [ 0xfa8, ['unsigned long']], 'CurrentTransactionHandle' : [ 0xfac, ['pointer', ['void']]], 'ActiveFrame' : [ 0xfb0, ['pointer', ['_TEB_ACTIVE_FRAME']]], 'FlsData' : [ 0xfb4, ['pointer', ['void']]], 'PreferredLanguages' : [ 0xfb8, ['pointer', ['void']]], 'UserPrefLanguages' : [ 0xfbc, ['pointer', ['void']]], 'MergedPrefLanguages' : [ 0xfc0, ['pointer', ['void']]], 'MuiImpersonation' : [ 0xfc4, ['unsigned long']], 'CrossTebFlags' : [ 0xfc8, ['unsigned short']], 'SpareCrossTebBits' : [ 0xfc8, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned short')]], 'SameTebFlags' : [ 0xfca, ['unsigned short']], 'DbgSafeThunkCall' : [ 0xfca, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'DbgInDebugPrint' : [ 0xfca, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'DbgHasFiberData' : [ 0xfca, ['BitField', dict(start_bit = 2, 
end_bit = 3, native_type='unsigned short')]], 'DbgSkipThreadAttach' : [ 0xfca, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]], 'DbgWerInShipAssertCode' : [ 0xfca, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned short')]], 'DbgRanProcessInit' : [ 0xfca, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned short')]], 'DbgClonedThread' : [ 0xfca, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned short')]], 'DbgSuppressDebugMsg' : [ 0xfca, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned short')]], 'RtlDisableUserStackWalk' : [ 0xfca, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned short')]], 'RtlExceptionAttached' : [ 0xfca, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned short')]], 'SpareSameTebBits' : [ 0xfca, ['BitField', dict(start_bit = 10, end_bit = 16, native_type='unsigned short')]], 'TxnScopeEnterCallback' : [ 0xfcc, ['pointer', ['void']]], 'TxnScopeExitCallback' : [ 0xfd0, ['pointer', ['void']]], 'TxnScopeContext' : [ 0xfd4, ['pointer', ['void']]], 'LockCount' : [ 0xfd8, ['unsigned long']], 'ProcessRundown' : [ 0xfdc, ['unsigned long']], 'LastSwitchTime' : [ 0xfe0, ['unsigned long long']], 'TotalSwitchOutTime' : [ 0xfe8, ['unsigned long long']], 'WaitReasonBitMap' : [ 0xff0, ['_LARGE_INTEGER']], } ], '_KTIMER' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'DueTime' : [ 0x10, ['_ULARGE_INTEGER']], 'TimerListEntry' : [ 0x18, ['_LIST_ENTRY']], 'Dpc' : [ 0x20, ['pointer', ['_KDPC']]], 'Period' : [ 0x24, ['long']], } ], '_KEVENT' : [ 0x10, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], } ], '_KLOCK_QUEUE_HANDLE' : [ 0xc, { 'LockQueue' : [ 0x0, ['_KSPIN_LOCK_QUEUE']], 'OldIrql' : [ 0x8, ['unsigned char']], } ], '_KSPIN_LOCK_QUEUE' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_KSPIN_LOCK_QUEUE']]], 'Lock' : [ 0x4, ['pointer', ['unsigned long']]], } ], '_KQUEUE' : [ 0x28, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 
'EntryListHead' : [ 0x10, ['_LIST_ENTRY']], 'CurrentCount' : [ 0x18, ['unsigned long']], 'MaximumCount' : [ 0x1c, ['unsigned long']], 'ThreadListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '_KWAIT_BLOCK' : [ 0x18, { 'WaitListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Thread' : [ 0x8, ['pointer', ['_KTHREAD']]], 'Object' : [ 0xc, ['pointer', ['void']]], 'NextWaitBlock' : [ 0x10, ['pointer', ['_KWAIT_BLOCK']]], 'WaitKey' : [ 0x14, ['unsigned short']], 'WaitType' : [ 0x16, ['unsigned char']], 'SpareByte' : [ 0x17, ['unsigned char']], } ], '_KTIMER_TABLE_ENTRY' : [ 0x10, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'Time' : [ 0x8, ['_ULARGE_INTEGER']], } ], '__unnamed_15af' : [ 0x8, { 'IdleTransitionTime' : [ 0x0, ['unsigned long long']], } ], '__unnamed_15b1' : [ 0x8, { 'LastIdleCheck' : [ 0x0, ['unsigned long long']], } ], '__unnamed_15b8' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'PStateDomain' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'PStateDomainIdleAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], '_PROCESSOR_POWER_STATE' : [ 0xc8, { 'IdleStates' : [ 0x0, ['pointer', ['_PPM_IDLE_STATES']]], 'LastTimeCheck' : [ 0x8, ['unsigned long long']], 'IdleTimeAccumulated' : [ 0x10, ['unsigned long long']], 'Native' : [ 0x18, ['__unnamed_15af']], 'Hv' : [ 0x18, ['__unnamed_15b1']], 'IdleAccounting' : [ 0x20, ['pointer', ['PPM_IDLE_ACCOUNTING']]], 'PerfStates' : [ 0x24, ['pointer', ['_PPM_PERF_STATES']]], 'LastKernelUserTime' : [ 0x28, ['unsigned long']], 'LastIdleThreadKTime' : [ 0x2c, ['unsigned long']], 'LastGlobalTimeHv' : [ 0x30, ['unsigned long long']], 'LastProcessorTimeHv' : [ 0x38, ['unsigned long long']], 'ThermalConstraint' : [ 0x40, ['unsigned char']], 'LastBusyPercentage' : [ 0x41, ['unsigned char']], 'Flags' : [ 0x42, ['__unnamed_15b8']], 'PerfTimer' : [ 0x48, ['_KTIMER']], 
'PerfDpc' : [ 0x70, ['_KDPC']], 'LastSysTime' : [ 0x90, ['unsigned long']], 'PStateMaster' : [ 0x94, ['pointer', ['_KPRCB']]], 'PStateSet' : [ 0x98, ['unsigned long']], 'CurrentPState' : [ 0x9c, ['unsigned long']], 'DesiredPState' : [ 0xa0, ['unsigned long']], 'PStateIdleStartTime' : [ 0xa4, ['unsigned long']], 'PStateIdleTime' : [ 0xa8, ['unsigned long']], 'LastPStateIdleTime' : [ 0xac, ['unsigned long']], 'PStateStartTime' : [ 0xb0, ['unsigned long']], 'DiaIndex' : [ 0xb4, ['unsigned long']], 'Reserved0' : [ 0xb8, ['unsigned long']], 'WmiDispatchPtr' : [ 0xbc, ['unsigned long']], 'WmiInterfaceEnabled' : [ 0xc0, ['long']], } ], '__unnamed_15bf' : [ 0x208, { 'FnArea' : [ 0x0, ['_FNSAVE_FORMAT']], 'FxArea' : [ 0x0, ['_FXSAVE_FORMAT']], } ], '_FX_SAVE_AREA' : [ 0x210, { 'U' : [ 0x0, ['__unnamed_15bf']], 'NpxSavedCpu' : [ 0x208, ['unsigned long']], 'Cr0NpxState' : [ 0x20c, ['unsigned long']], } ], '_KERNEL_STACK_CONTROL' : [ 0x1c, { 'PreviousTrapFrame' : [ 0x0, ['pointer', ['_KTRAP_FRAME']]], 'PreviousExceptionList' : [ 0x0, ['pointer', ['void']]], 'StackControlFlags' : [ 0x4, ['unsigned long']], 'PreviousLargeStack' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousSegmentsPresent' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ExpandCalloutStack' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Previous' : [ 0x8, ['_KERNEL_STACK_SEGMENT']], } ], '_PNP_DEVICE_COMPLETION_QUEUE' : [ 0x2c, { 'SpinLock' : [ 0x0, ['unsigned long']], 'DispatchedCount' : [ 0x4, ['unsigned long']], 'DispatchedList' : [ 0x8, ['_LIST_ENTRY']], 'CompletedSemaphore' : [ 0x10, ['_KSEMAPHORE']], 'CompletedList' : [ 0x24, ['_LIST_ENTRY']], } ], '__unnamed_15e8' : [ 0x28, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Wcb' : [ 0x0, ['_WAIT_CONTEXT_BLOCK']], } ], '_DEVICE_OBJECT' : [ 0xb8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'ReferenceCount' : [ 0x4, 
['long']], 'DriverObject' : [ 0x8, ['pointer', ['_DRIVER_OBJECT']]], 'NextDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'CurrentIrp' : [ 0x14, ['pointer', ['_IRP']]], 'Timer' : [ 0x18, ['pointer', ['_IO_TIMER']]], 'Flags' : [ 0x1c, ['unsigned long']], 'Characteristics' : [ 0x20, ['unsigned long']], 'Vpb' : [ 0x24, ['pointer', ['_VPB']]], 'DeviceExtension' : [ 0x28, ['pointer', ['void']]], 'DeviceType' : [ 0x2c, ['unsigned long']], 'StackSize' : [ 0x30, ['unsigned char']], 'Queue' : [ 0x34, ['__unnamed_15e8']], 'AlignmentRequirement' : [ 0x5c, ['unsigned long']], 'DeviceQueue' : [ 0x60, ['_KDEVICE_QUEUE']], 'Dpc' : [ 0x74, ['_KDPC']], 'ActiveThreadCount' : [ 0x94, ['unsigned long']], 'SecurityDescriptor' : [ 0x98, ['pointer', ['void']]], 'DeviceLock' : [ 0x9c, ['_KEVENT']], 'SectorSize' : [ 0xac, ['unsigned short']], 'Spare1' : [ 0xae, ['unsigned short']], 'DeviceObjectExtension' : [ 0xb0, ['pointer', ['_DEVOBJ_EXTENSION']]], 'Reserved' : [ 0xb4, ['pointer', ['void']]], } ], '__unnamed_15fa' : [ 0x4, { 'LegacyDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'PendingDeviceRelations' : [ 0x0, ['pointer', ['_DEVICE_RELATIONS']]], 'Information' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_15fc' : [ 0x4, { 'NextResourceDeviceNode' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], } ], '__unnamed_1600' : [ 0x10, { 'DockStatus' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'DOCK_NOTDOCKDEVICE', 1: 'DOCK_QUIESCENT', 2: 'DOCK_ARRIVING', 3: 'DOCK_DEPARTING', 4: 'DOCK_EJECTIRP_COMPLETED'})]], 'ListEntry' : [ 0x4, ['_LIST_ENTRY']], 'SerialNumber' : [ 0xc, ['pointer', ['unsigned short']]], } ], '_DEVICE_NODE' : [ 0x158, { 'Sibling' : [ 0x0, ['pointer', ['_DEVICE_NODE']]], 'Child' : [ 0x4, ['pointer', ['_DEVICE_NODE']]], 'Parent' : [ 0x8, ['pointer', ['_DEVICE_NODE']]], 'LastChild' : [ 0xc, ['pointer', ['_DEVICE_NODE']]], 'Level' : [ 0x10, ['unsigned long']], 'Notify' : [ 0x14, ['_PO_DEVICE_NOTIFY']], 
'PoIrpManager' : [ 0x38, ['_PO_IRP_MANAGER']], 'State' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'PreviousState' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]], 'StateHistory' : [ 0x50, ['array', -80, ['Enumeration', dict(target = 'long', choices = {768: 'DeviceNodeUnspecified', 769: 'DeviceNodeUninitialized', 770: 'DeviceNodeInitialized', 771: 'DeviceNodeDriversAdded', 772: 'DeviceNodeResourcesAssigned', 773: 'DeviceNodeStartPending', 774: 'DeviceNodeStartCompletion', 775: 'DeviceNodeStartPostWork', 776: 'DeviceNodeStarted', 
777: 'DeviceNodeQueryStopped', 778: 'DeviceNodeStopped', 779: 'DeviceNodeRestartCompletion', 780: 'DeviceNodeEnumeratePending', 781: 'DeviceNodeEnumerateCompletion', 782: 'DeviceNodeAwaitingQueuedDeletion', 783: 'DeviceNodeAwaitingQueuedRemoval', 784: 'DeviceNodeQueryRemoved', 785: 'DeviceNodeRemovePendingCloses', 786: 'DeviceNodeRemoved', 787: 'DeviceNodeDeletePendingCloses', 788: 'DeviceNodeDeleted', 789: 'MaxDeviceNodeState'})]]], 'StateHistoryEntry' : [ 0xa0, ['unsigned long']], 'CompletionStatus' : [ 0xa4, ['long']], 'PendingIrp' : [ 0xa8, ['pointer', ['_IRP']]], 'Flags' : [ 0xac, ['unsigned long']], 'UserFlags' : [ 0xb0, ['unsigned long']], 'Problem' : [ 0xb4, ['unsigned long']], 'PhysicalDeviceObject' : [ 0xb8, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceList' : [ 0xbc, ['pointer', ['_CM_RESOURCE_LIST']]], 'ResourceListTranslated' : [ 0xc0, ['pointer', ['_CM_RESOURCE_LIST']]], 'InstancePath' : [ 0xc4, ['_UNICODE_STRING']], 'ServiceName' : [ 0xcc, ['_UNICODE_STRING']], 'DuplicatePDO' : [ 0xd4, ['pointer', ['_DEVICE_OBJECT']]], 'ResourceRequirements' : [ 0xd8, ['pointer', ['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'InterfaceType' : [ 0xdc, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0xe0, ['unsigned long']], 'ChildInterfaceType' : [ 0xe4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'ChildBusNumber' : [ 0xe8, 
['unsigned long']], 'ChildBusTypeIndex' : [ 0xec, ['unsigned short']], 'RemovalPolicy' : [ 0xee, ['unsigned char']], 'HardwareRemovalPolicy' : [ 0xef, ['unsigned char']], 'TargetDeviceNotify' : [ 0xf0, ['_LIST_ENTRY']], 'DeviceArbiterList' : [ 0xf8, ['_LIST_ENTRY']], 'DeviceTranslatorList' : [ 0x100, ['_LIST_ENTRY']], 'NoTranslatorMask' : [ 0x108, ['unsigned short']], 'QueryTranslatorMask' : [ 0x10a, ['unsigned short']], 'NoArbiterMask' : [ 0x10c, ['unsigned short']], 'QueryArbiterMask' : [ 0x10e, ['unsigned short']], 'OverUsed1' : [ 0x110, ['__unnamed_15fa']], 'OverUsed2' : [ 0x114, ['__unnamed_15fc']], 'BootResources' : [ 0x118, ['pointer', ['_CM_RESOURCE_LIST']]], 'BootResourcesTranslated' : [ 0x11c, ['pointer', ['_CM_RESOURCE_LIST']]], 'CapabilityFlags' : [ 0x120, ['unsigned long']], 'DockInfo' : [ 0x124, ['__unnamed_1600']], 'DisableableDepends' : [ 0x134, ['unsigned long']], 'PendedSetInterfaceState' : [ 0x138, ['_LIST_ENTRY']], 'LegacyBusListEntry' : [ 0x140, ['_LIST_ENTRY']], 'DriverUnloadRetryCount' : [ 0x148, ['unsigned long']], 'PreviousParent' : [ 0x14c, ['pointer', ['_DEVICE_NODE']]], 'DeletedChildren' : [ 0x150, ['unsigned long']], 'NumaNodeIndex' : [ 0x154, ['unsigned long']], } ], '_PNP_ASSIGN_RESOURCES_CONTEXT' : [ 0xc, { 'IncludeFailedDevices' : [ 0x0, ['unsigned long']], 'DeviceCount' : [ 0x4, ['unsigned long']], 'DeviceList' : [ 0x8, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_PNP_RESOURCE_REQUEST' : [ 0x28, { 'PhysicalDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x4, ['unsigned long']], 'AllocationType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Priority' : [ 0xc, ['unsigned long']], 'Position' : [ 0x10, ['unsigned long']], 'ResourceRequirements' : [ 0x14, ['pointer', 
['_IO_RESOURCE_REQUIREMENTS_LIST']]], 'ReqList' : [ 0x18, ['pointer', ['void']]], 'ResourceAssignment' : [ 0x1c, ['pointer', ['_CM_RESOURCE_LIST']]], 'TranslatedResourceAssignment' : [ 0x20, ['pointer', ['_CM_RESOURCE_LIST']]], 'Status' : [ 0x24, ['long']], } ], '_IO_RESOURCE_REQUIREMENTS_LIST' : [ 0x48, { 'ListSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x8, ['unsigned long']], 'SlotNumber' : [ 0xc, ['unsigned long']], 'Reserved' : [ 0x10, ['array', 3, ['unsigned long']]], 'AlternativeLists' : [ 0x1c, ['unsigned long']], 'List' : [ 0x20, ['array', 1, ['_IO_RESOURCE_LIST']]], } ], '_EXCEPTION_RECORD64' : [ 0x98, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long long']], 'ExceptionAddress' : [ 0x10, ['unsigned long long']], 'NumberParameters' : [ 0x18, ['unsigned long']], '__unusedAlignment' : [ 0x1c, ['unsigned long']], 'ExceptionInformation' : [ 0x20, ['array', 15, ['unsigned long long']]], } ], '_EXCEPTION_RECORD32' : [ 0x50, { 'ExceptionCode' : [ 0x0, ['long']], 'ExceptionFlags' : [ 0x4, ['unsigned long']], 'ExceptionRecord' : [ 0x8, ['unsigned long']], 'ExceptionAddress' : [ 0xc, ['unsigned long']], 'NumberParameters' : [ 0x10, ['unsigned long']], 'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]], } ], '_DBGKM_EXCEPTION64' : [ 0xa0, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD64']], 'FirstChance' : [ 0x98, ['unsigned long']], } ], '_DBGKM_EXCEPTION32' : [ 0x54, { 'ExceptionRecord' : [ 0x0, ['_EXCEPTION_RECORD32']], 'FirstChance' : [ 0x50, ['unsigned long']], } ], 
'_DBGKD_LOAD_SYMBOLS64' : [ 0x28, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x8, ['unsigned long long']], 'ProcessId' : [ 0x10, ['unsigned long long']], 'CheckSum' : [ 0x18, ['unsigned long']], 'SizeOfImage' : [ 0x1c, ['unsigned long']], 'UnloadSymbols' : [ 0x20, ['unsigned char']], } ], '_DBGKD_LOAD_SYMBOLS32' : [ 0x18, { 'PathNameLength' : [ 0x0, ['unsigned long']], 'BaseOfDll' : [ 0x4, ['unsigned long']], 'ProcessId' : [ 0x8, ['unsigned long']], 'CheckSum' : [ 0xc, ['unsigned long']], 'SizeOfImage' : [ 0x10, ['unsigned long']], 'UnloadSymbols' : [ 0x14, ['unsigned char']], } ], '_DBGKD_READ_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesRead' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesRead' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY64' : [ 0x10, { 'TargetBaseAddress' : [ 0x0, ['unsigned long long']], 'TransferCount' : [ 0x8, ['unsigned long']], 'ActualBytesWritten' : [ 0xc, ['unsigned long']], } ], '_DBGKD_WRITE_MEMORY32' : [ 0xc, { 'TargetBaseAddress' : [ 0x0, ['unsigned long']], 'TransferCount' : [ 0x4, ['unsigned long']], 'ActualBytesWritten' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT64' : [ 0x10, { 'BreakPointAddress' : [ 0x0, ['unsigned long long']], 'BreakPointHandle' : [ 0x8, ['unsigned long']], } ], '_DBGKD_WRITE_BREAKPOINT32' : [ 0x8, { 'BreakPointAddress' : [ 0x0, ['unsigned long']], 'BreakPointHandle' : [ 0x4, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO64' : [ 0x10, { 'IoAddress' : [ 0x0, ['unsigned long long']], 'DataSize' : [ 0x8, ['unsigned long']], 'DataValue' : [ 0xc, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO32' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'IoAddress' : [ 0x4, ['unsigned long']], 'DataValue' : [ 0x8, ['unsigned long']], } ], 
'_DBGKD_READ_WRITE_IO_EXTENDED64' : [ 0x20, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long long']], 'DataValue' : [ 0x18, ['unsigned long']], } ], '_DBGKD_READ_WRITE_IO_EXTENDED32' : [ 0x18, { 'DataSize' : [ 0x0, ['unsigned long']], 'InterfaceType' : [ 0x4, ['unsigned long']], 'BusNumber' : [ 0x8, ['unsigned long']], 'AddressSpace' : [ 0xc, ['unsigned long']], 'IoAddress' : [ 0x10, ['unsigned long']], 'DataValue' : [ 0x14, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL32' : [ 0x4, { 'SpecialCall' : [ 0x0, ['unsigned long']], } ], '_DBGKD_SET_SPECIAL_CALL64' : [ 0x8, { 'SpecialCall' : [ 0x0, ['unsigned long long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT32' : [ 0x8, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], } ], '_DBGKD_SET_INTERNAL_BREAKPOINT64' : [ 0x10, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT64' : [ 0x20, { 'BreakpointAddress' : [ 0x0, ['unsigned long long']], 'Flags' : [ 0x8, ['unsigned long']], 'Calls' : [ 0xc, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0x10, ['unsigned long']], 'MinInstructions' : [ 0x14, ['unsigned long']], 'MaxInstructions' : [ 0x18, ['unsigned long']], 'TotalInstructions' : [ 0x1c, ['unsigned long']], } ], '_DBGKD_GET_INTERNAL_BREAKPOINT32' : [ 0x1c, { 'BreakpointAddress' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x4, ['unsigned long']], 'Calls' : [ 0x8, ['unsigned long']], 'MaxCallsPerPeriod' : [ 0xc, ['unsigned long']], 'MinInstructions' : [ 0x10, ['unsigned long']], 'MaxInstructions' : [ 0x14, ['unsigned long']], 'TotalInstructions' : [ 0x18, ['unsigned long']], } ], '__unnamed_16a5' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 
'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT64']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO64']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED64']], 'QuerySpecialCalls' : [ 0x0, ['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL64']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT64']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT64']], 'GetVersion64' : [ 0x0, ['_DBGKD_GET_VERSION64']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], 'GetSetBusData' : [ 0x0, ['_DBGKD_GET_SET_BUS_DATA']], 'FillMemory' : [ 0x0, ['_DBGKD_FILL_MEMORY']], 'QueryMemory' : [ 0x0, ['_DBGKD_QUERY_MEMORY']], 'SwitchPartition' : [ 0x0, ['_DBGKD_SWITCH_PARTITION']], } ], '_DBGKD_MANIPULATE_STATE64' : [ 0x38, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0x10, ['__unnamed_16a5']], } ], '__unnamed_16ac' : [ 0x28, { 'ReadMemory' : [ 0x0, ['_DBGKD_READ_MEMORY32']], 'WriteMemory' : [ 0x0, ['_DBGKD_WRITE_MEMORY32']], 'ReadMemory64' : [ 0x0, ['_DBGKD_READ_MEMORY64']], 'WriteMemory64' : [ 0x0, ['_DBGKD_WRITE_MEMORY64']], 'GetContext' : [ 0x0, ['_DBGKD_GET_CONTEXT']], 'SetContext' : [ 0x0, ['_DBGKD_SET_CONTEXT']], 'WriteBreakPoint' : [ 0x0, ['_DBGKD_WRITE_BREAKPOINT32']], 'RestoreBreakPoint' : [ 0x0, ['_DBGKD_RESTORE_BREAKPOINT']], 'Continue' : [ 0x0, ['_DBGKD_CONTINUE']], 'Continue2' : [ 0x0, ['_DBGKD_CONTINUE2']], 'ReadWriteIo' : [ 0x0, ['_DBGKD_READ_WRITE_IO32']], 'ReadWriteIoExtended' : [ 0x0, ['_DBGKD_READ_WRITE_IO_EXTENDED32']], 'QuerySpecialCalls' : [ 0x0, 
['_DBGKD_QUERY_SPECIAL_CALLS']], 'SetSpecialCall' : [ 0x0, ['_DBGKD_SET_SPECIAL_CALL32']], 'SetInternalBreakpoint' : [ 0x0, ['_DBGKD_SET_INTERNAL_BREAKPOINT32']], 'GetInternalBreakpoint' : [ 0x0, ['_DBGKD_GET_INTERNAL_BREAKPOINT32']], 'GetVersion32' : [ 0x0, ['_DBGKD_GET_VERSION32']], 'BreakPointEx' : [ 0x0, ['_DBGKD_BREAKPOINTEX']], 'ReadWriteMsr' : [ 0x0, ['_DBGKD_READ_WRITE_MSR']], 'SearchMemory' : [ 0x0, ['_DBGKD_SEARCH_MEMORY']], } ], '_DBGKD_MANIPULATE_STATE32' : [ 0x34, { 'ApiNumber' : [ 0x0, ['unsigned long']], 'ProcessorLevel' : [ 0x4, ['unsigned short']], 'Processor' : [ 0x6, ['unsigned short']], 'ReturnStatus' : [ 0x8, ['long']], 'u' : [ 0xc, ['__unnamed_16ac']], } ], '_POP_CPU_INFO' : [ 0x10, { 'Eax' : [ 0x0, ['unsigned long']], 'Ebx' : [ 0x4, ['unsigned long']], 'Ecx' : [ 0x8, ['unsigned long']], 'Edx' : [ 0xc, ['unsigned long']], } ], '_VOLUME_CACHE_MAP' : [ 0x18, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteCode' : [ 0x2, ['short']], 'UseCount' : [ 0x4, ['unsigned long']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'VolumeCacheMapLinks' : [ 0xc, ['_LIST_ENTRY']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_SHARED_CACHE_MAP' : [ 0x140, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeByteSize' : [ 0x2, ['short']], 'OpenCount' : [ 0x4, ['unsigned long']], 'FileSize' : [ 0x8, ['_LARGE_INTEGER']], 'BcbList' : [ 0x10, ['_LIST_ENTRY']], 'SectionSize' : [ 0x18, ['_LARGE_INTEGER']], 'ValidDataLength' : [ 0x20, ['_LARGE_INTEGER']], 'ValidDataGoal' : [ 0x28, ['_LARGE_INTEGER']], 'InitialVacbs' : [ 0x30, ['array', 4, ['pointer', ['_VACB']]]], 'Vacbs' : [ 0x40, ['pointer', ['pointer', ['_VACB']]]], 'FileObjectFastRef' : [ 0x44, ['_EX_FAST_REF']], 'ActiveVacb' : [ 0x48, ['pointer', ['_VACB']]], 'NeedToZero' : [ 0x4c, ['pointer', ['void']]], 'ActivePage' : [ 0x50, ['unsigned long']], 'NeedToZeroPage' : [ 0x54, ['unsigned long']], 'ActiveVacbSpinLock' : [ 0x58, ['unsigned long']], 'VacbActiveCount' : [ 0x5c, ['unsigned long']], 'DirtyPages' : [ 0x60, 
['unsigned long']], 'SharedCacheMapLinks' : [ 0x64, ['_LIST_ENTRY']], 'Flags' : [ 0x6c, ['unsigned long']], 'Status' : [ 0x70, ['long']], 'Mbcb' : [ 0x74, ['pointer', ['_MBCB']]], 'Section' : [ 0x78, ['pointer', ['void']]], 'CreateEvent' : [ 0x7c, ['pointer', ['_KEVENT']]], 'WaitOnActiveCount' : [ 0x80, ['pointer', ['_KEVENT']]], 'PagesToWrite' : [ 0x84, ['unsigned long']], 'BeyondLastFlush' : [ 0x88, ['long long']], 'Callbacks' : [ 0x90, ['pointer', ['_CACHE_MANAGER_CALLBACKS']]], 'LazyWriteContext' : [ 0x94, ['pointer', ['void']]], 'PrivateList' : [ 0x98, ['_LIST_ENTRY']], 'LogHandle' : [ 0xa0, ['pointer', ['void']]], 'FlushToLsnRoutine' : [ 0xa4, ['pointer', ['void']]], 'DirtyPageThreshold' : [ 0xa8, ['unsigned long']], 'LazyWritePassCount' : [ 0xac, ['unsigned long']], 'UninitializeEvent' : [ 0xb0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'NeedToZeroVacb' : [ 0xb4, ['pointer', ['_VACB']]], 'BcbSpinLock' : [ 0xb8, ['unsigned long']], 'Reserved' : [ 0xbc, ['pointer', ['void']]], 'Event' : [ 0xc0, ['_KEVENT']], 'HighWaterMappingOffset' : [ 0xd0, ['_LARGE_INTEGER']], 'PrivateCacheMap' : [ 0xd8, ['_PRIVATE_CACHE_MAP']], 'WriteBehindWorkQueueEntry' : [ 0x130, ['pointer', ['void']]], 'VolumeCacheMap' : [ 0x134, ['pointer', ['_VOLUME_CACHE_MAP']]], 'ProcImagePathHash' : [ 0x138, ['unsigned long']], 'MappedWritesInProgress' : [ 0x13c, ['unsigned long']], } ], '__unnamed_16f4' : [ 0x8, { 'FileOffset' : [ 0x0, ['_LARGE_INTEGER']], 'ActiveCount' : [ 0x0, ['unsigned short']], } ], '_VACB' : [ 0x20, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['_SHARED_CACHE_MAP']]], 'Overlay' : [ 0x8, ['__unnamed_16f4']], 'LruList' : [ 0x10, ['_LIST_ENTRY']], 'ArrayHead' : [ 0x18, ['pointer', ['_VACB_ARRAY_HEADER']]], } ], '__unnamed_1702' : [ 0x4, { 'FileObject' : [ 0x0, ['pointer', ['_FILE_OBJECT']]], } ], '__unnamed_1704' : [ 0x4, { 'SharedCacheMap' : [ 0x0, ['pointer', ['_SHARED_CACHE_MAP']]], } ], '__unnamed_1706' : [ 0x4, { 'Event' : [ 
0x0, ['pointer', ['_KEVENT']]], } ], '__unnamed_1708' : [ 0x4, { 'Reason' : [ 0x0, ['unsigned long']], } ], '__unnamed_170a' : [ 0x4, { 'Read' : [ 0x0, ['__unnamed_1702']], 'Write' : [ 0x0, ['__unnamed_1704']], 'Event' : [ 0x0, ['__unnamed_1706']], 'Notification' : [ 0x0, ['__unnamed_1708']], } ], '_WORK_QUEUE_ENTRY' : [ 0x18, { 'WorkQueueLinks' : [ 0x0, ['_LIST_ENTRY']], 'CoalescedWorkQueueLinks' : [ 0x8, ['_LIST_ENTRY']], 'Parameters' : [ 0x10, ['__unnamed_170a']], 'Function' : [ 0x14, ['unsigned char']], } ], '_VACB_LEVEL_REFERENCE' : [ 0x8, { 'Reference' : [ 0x0, ['long']], 'SpecialReference' : [ 0x4, ['long']], } ], '_HEAP_LIST_LOOKUP' : [ 0x24, { 'ExtendedLookup' : [ 0x0, ['pointer', ['_HEAP_LIST_LOOKUP']]], 'ArraySize' : [ 0x4, ['unsigned long']], 'ExtraItem' : [ 0x8, ['unsigned long']], 'ItemCount' : [ 0xc, ['unsigned long']], 'OutOfRangeItems' : [ 0x10, ['unsigned long']], 'BaseIndex' : [ 0x14, ['unsigned long']], 'ListHead' : [ 0x18, ['pointer', ['_LIST_ENTRY']]], 'ListsInUseUlong' : [ 0x1c, ['pointer', ['unsigned long']]], 'ListHints' : [ 0x20, ['pointer', ['pointer', ['_LIST_ENTRY']]]], } ], '_HEAP' : [ 0x130, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], 'Flags' : [ 0x40, ['unsigned long']], 'ForceFlags' : [ 0x44, ['unsigned long']], 'CompatibilityFlags' : [ 0x48, ['unsigned long']], 'EncodeFlagMask' : [ 0x4c, ['unsigned 
long']], 'Encoding' : [ 0x50, ['_HEAP_ENTRY']], 'PointerKey' : [ 0x58, ['unsigned long']], 'Interceptor' : [ 0x5c, ['unsigned long']], 'VirtualMemoryThreshold' : [ 0x60, ['unsigned long']], 'Signature' : [ 0x64, ['unsigned long']], 'SegmentReserve' : [ 0x68, ['unsigned long']], 'SegmentCommit' : [ 0x6c, ['unsigned long']], 'DeCommitFreeBlockThreshold' : [ 0x70, ['unsigned long']], 'DeCommitTotalFreeThreshold' : [ 0x74, ['unsigned long']], 'TotalFreeSize' : [ 0x78, ['unsigned long']], 'MaximumAllocationSize' : [ 0x7c, ['unsigned long']], 'ProcessHeapsListIndex' : [ 0x80, ['unsigned short']], 'HeaderValidateLength' : [ 0x82, ['unsigned short']], 'HeaderValidateCopy' : [ 0x84, ['pointer', ['void']]], 'NextAvailableTagIndex' : [ 0x88, ['unsigned short']], 'MaximumTagIndex' : [ 0x8a, ['unsigned short']], 'TagEntries' : [ 0x8c, ['pointer', ['_HEAP_TAG_ENTRY']]], 'UCRList' : [ 0x90, ['_LIST_ENTRY']], 'AlignRound' : [ 0x98, ['unsigned long']], 'AlignMask' : [ 0x9c, ['unsigned long']], 'VirtualAllocdBlocks' : [ 0xa0, ['_LIST_ENTRY']], 'SegmentList' : [ 0xa8, ['_LIST_ENTRY']], 'AllocatorBackTraceIndex' : [ 0xb0, ['unsigned short']], 'NonDedicatedListLength' : [ 0xb4, ['unsigned long']], 'BlocksIndex' : [ 0xb8, ['pointer', ['void']]], 'UCRIndex' : [ 0xbc, ['pointer', ['void']]], 'PseudoTagEntries' : [ 0xc0, ['pointer', ['_HEAP_PSEUDO_TAG_ENTRY']]], 'FreeLists' : [ 0xc4, ['_LIST_ENTRY']], 'LockVariable' : [ 0xcc, ['pointer', ['_HEAP_LOCK']]], 'CommitRoutine' : [ 0xd0, ['pointer', ['void']]], 'FrontEndHeap' : [ 0xd4, ['pointer', ['void']]], 'FrontHeapLockCount' : [ 0xd8, ['unsigned short']], 'FrontEndHeapType' : [ 0xda, ['unsigned char']], 'Counters' : [ 0xdc, ['_HEAP_COUNTERS']], 'TuningParameters' : [ 0x124, ['_HEAP_TUNING_PARAMETERS']], } ], '_HEAP_ENTRY' : [ 0x8, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned 
short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], } ], '_HEAP_SEGMENT' : [ 0x40, { 'Entry' : [ 0x0, ['_HEAP_ENTRY']], 'SegmentSignature' : [ 0x8, ['unsigned long']], 'SegmentFlags' : [ 0xc, ['unsigned long']], 'SegmentListEntry' : [ 0x10, ['_LIST_ENTRY']], 'Heap' : [ 0x18, ['pointer', ['_HEAP']]], 'BaseAddress' : [ 0x1c, ['pointer', ['void']]], 'NumberOfPages' : [ 0x20, ['unsigned long']], 'FirstEntry' : [ 0x24, ['pointer', ['_HEAP_ENTRY']]], 'LastValidEntry' : [ 0x28, ['pointer', ['_HEAP_ENTRY']]], 'NumberOfUnCommittedPages' : [ 0x2c, ['unsigned long']], 'NumberOfUnCommittedRanges' : [ 0x30, ['unsigned long']], 'SegmentAllocatorBackTraceIndex' : [ 0x34, ['unsigned short']], 'Reserved' : [ 0x36, ['unsigned short']], 'UCRSegmentList' : [ 0x38, ['_LIST_ENTRY']], } ], '_HEAP_FREE_ENTRY' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned char']], 'SmallTagIndex' : [ 0x3, ['unsigned char']], 'SubSegmentCode' : [ 0x0, ['pointer', ['void']]], 'PreviousSize' : [ 0x4, ['unsigned short']], 'SegmentOffset' : [ 0x6, ['unsigned char']], 'LFHFlags' : [ 0x6, ['unsigned char']], 'UnusedBytes' : [ 0x7, ['unsigned char']], 'FunctionIndex' : [ 0x0, ['unsigned short']], 'ContextValue' : [ 0x2, ['unsigned short']], 'InterceptorValue' : [ 0x0, ['unsigned long']], 'UnusedBytesLength' : [ 0x4, ['unsigned short']], 'EntryOffset' : [ 0x6, ['unsigned char']], 'ExtendedBlockSignature' : [ 0x7, ['unsigned 
char']], 'Code1' : [ 0x0, ['unsigned long']], 'Code2' : [ 0x4, ['unsigned short']], 'Code3' : [ 0x6, ['unsigned char']], 'Code4' : [ 0x7, ['unsigned char']], 'AgregateCode' : [ 0x0, ['unsigned long long']], 'FreeList' : [ 0x8, ['_LIST_ENTRY']], } ], '_LDR_DATA_TABLE_ENTRY' : [ 0x68, { 'InLoadOrderLinks' : [ 0x0, ['_LIST_ENTRY']], 'InMemoryOrderLinks' : [ 0x8, ['_LIST_ENTRY']], 'InInitializationOrderLinks' : [ 0x10, ['_LIST_ENTRY']], 'DllBase' : [ 0x18, ['pointer', ['void']]], 'EntryPoint' : [ 0x1c, ['pointer', ['void']]], 'SizeOfImage' : [ 0x20, ['unsigned long']], 'FullDllName' : [ 0x24, ['_UNICODE_STRING']], 'BaseDllName' : [ 0x2c, ['_UNICODE_STRING']], 'Flags' : [ 0x34, ['unsigned long']], 'LoadCount' : [ 0x38, ['unsigned short']], 'TlsIndex' : [ 0x3a, ['unsigned short']], 'HashLinks' : [ 0x3c, ['_LIST_ENTRY']], 'SectionPointer' : [ 0x3c, ['pointer', ['void']]], 'CheckSum' : [ 0x40, ['unsigned long']], 'TimeDateStamp' : [ 0x44, ['unsigned long']], 'LoadedImports' : [ 0x44, ['pointer', ['void']]], 'EntryPointActivationContext' : [ 0x48, ['pointer', ['_ACTIVATION_CONTEXT']]], 'PatchInformation' : [ 0x4c, ['pointer', ['void']]], 'ForwarderLinks' : [ 0x50, ['_LIST_ENTRY']], 'ServiceTagLinks' : [ 0x58, ['_LIST_ENTRY']], 'StaticLinks' : [ 0x60, ['_LIST_ENTRY']], } ], '_HEAP_SUBSEGMENT' : [ 0x20, { 'LocalInfo' : [ 0x0, ['pointer', ['_HEAP_LOCAL_SEGMENT_INFO']]], 'UserBlocks' : [ 0x4, ['pointer', ['_HEAP_USERDATA_HEADER']]], 'AggregateExchg' : [ 0x8, ['_INTERLOCK_SEQ']], 'BlockSize' : [ 0x10, ['unsigned short']], 'Flags' : [ 0x12, ['unsigned short']], 'BlockCount' : [ 0x14, ['unsigned short']], 'SizeIndex' : [ 0x16, ['unsigned char']], 'AffinityIndex' : [ 0x17, ['unsigned char']], 'Alignment' : [ 0x10, ['array', 2, ['unsigned long']]], 'SFreeListEntry' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'Lock' : [ 0x1c, ['unsigned long']], } ], '_ETW_SYSTEMTIME' : [ 0x10, { 'Year' : [ 0x0, ['unsigned short']], 'Month' : [ 0x2, ['unsigned short']], 'DayOfWeek' : [ 0x4, ['unsigned 
short']], 'Day' : [ 0x6, ['unsigned short']], 'Hour' : [ 0x8, ['unsigned short']], 'Minute' : [ 0xa, ['unsigned short']], 'Second' : [ 0xc, ['unsigned short']], 'Milliseconds' : [ 0xe, ['unsigned short']], } ], '_TIME_FIELDS' : [ 0x10, { 'Year' : [ 0x0, ['short']], 'Month' : [ 0x2, ['short']], 'Day' : [ 0x4, ['short']], 'Hour' : [ 0x6, ['short']], 'Minute' : [ 0x8, ['short']], 'Second' : [ 0xa, ['short']], 'Milliseconds' : [ 0xc, ['short']], 'Weekday' : [ 0xe, ['short']], } ], '_WMI_LOGGER_CONTEXT' : [ 0x280, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'LogFileHandle' : [ 0x8, ['pointer', ['void']]], 'LoggerThread' : [ 0xc, ['pointer', ['_ETHREAD']]], 'LoggerStatus' : [ 0x10, ['long']], 'LoggerId' : [ 0x14, ['unsigned long']], 'NBQHead' : [ 0x18, ['pointer', ['void']]], 'OverflowNBQHead' : [ 0x1c, ['pointer', ['void']]], 'QueueBlockFreeList' : [ 0x20, ['_SLIST_HEADER']], 'GlobalList' : [ 0x28, ['_SLIST_HEADER']], 'BatchedBufferList' : [ 0x30, ['pointer', ['_WMI_BUFFER_HEADER']]], 'LoggerName' : [ 0x34, ['_UNICODE_STRING']], 'LogFileName' : [ 0x3c, ['_UNICODE_STRING']], 'LogFilePattern' : [ 0x44, ['_UNICODE_STRING']], 'NewLogFileName' : [ 0x4c, ['_UNICODE_STRING']], 'ClockType' : [ 0x54, ['unsigned long']], 'CollectionOn' : [ 0x58, ['long']], 'MaximumFileSize' : [ 0x5c, ['unsigned long']], 'LoggerMode' : [ 0x60, ['unsigned long']], 'LastFlushedBuffer' : [ 0x64, ['unsigned long']], 'FlushTimer' : [ 0x68, ['unsigned long']], 'FlushThreshold' : [ 0x6c, ['unsigned long']], 'ByteOffset' : [ 0x70, ['_LARGE_INTEGER']], 'FlushTimeStamp' : [ 0x78, ['_LARGE_INTEGER']], 'MinimumBuffers' : [ 0x80, ['unsigned long']], 'BuffersAvailable' : [ 0x84, ['long']], 'NumberOfBuffers' : [ 0x88, ['long']], 'MaximumBuffers' : [ 0x8c, ['unsigned long']], 'EventsLost' : [ 0x90, ['unsigned long']], 'BuffersWritten' : [ 0x94, ['unsigned long']], 'LogBuffersLost' : [ 0x98, ['unsigned long']], 'RealTimeBuffersDelivered' : [ 0x9c, ['unsigned long']], 'RealTimeBuffersLost' : [ 0xa0, ['unsigned 
long']], 'BufferSize' : [ 0xa4, ['unsigned long']], 'MaximumEventSize' : [ 0xa8, ['unsigned long']], 'SequencePtr' : [ 0xac, ['pointer', ['long']]], 'LocalSequence' : [ 0xb0, ['unsigned long']], 'InstanceGuid' : [ 0xb4, ['_GUID']], 'GetCpuClock' : [ 0xc4, ['pointer', ['void']]], 'FileCounter' : [ 0xc8, ['long']], 'BufferCallback' : [ 0xcc, ['pointer', ['void']]], 'PoolType' : [ 0xd0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'ReferenceTime' : [ 0xd8, ['_ETW_REF_CLOCK']], 'RealtimeLoggerContextFreed' : [ 0xe8, ['unsigned char']], 'Consumers' : [ 0xec, ['_LIST_ENTRY']], 'NumConsumers' : [ 0xf4, ['unsigned long']], 'Connecting' : [ 0xf8, ['_LIST_ENTRY']], 'NewConsumer' : [ 0x100, ['unsigned char']], 'RealtimeLogfileHandle' : [ 0x104, ['pointer', ['void']]], 'RealtimeLogfileName' : [ 0x108, ['_UNICODE_STRING']], 'RealtimeWriteOffset' : [ 0x110, ['_LARGE_INTEGER']], 'RealtimeReadOffset' : [ 0x118, ['_LARGE_INTEGER']], 'RealtimeLogfileSize' : [ 0x120, ['_LARGE_INTEGER']], 'RealtimeLogfileUsage' : [ 0x128, ['unsigned long long']], 'RealtimeMaximumFileSize' : [ 0x130, ['unsigned long long']], 'RealtimeBuffersSaved' : [ 0x138, ['unsigned long']], 'RealtimeReferenceTime' : [ 0x140, ['_ETW_REF_CLOCK']], 'RealtimeDisconnectProcessId' : [ 0x150, ['unsigned long']], 'RealtimeDisconnectConsumerId' : [ 0x154, ['unsigned long']], 'NewRTEventsLost' : [ 0x158, ['Enumeration', dict(target = 'long', choices = {0: 'EtwRtEventNoLoss', 1: 'EtwRtEventLost', 2: 'EtwRtBufferLost', 3: 'EtwRtBackupLost', 4: 'EtwRtEventLossMax'})]], 'LoggerEvent' : [ 
0x15c, ['_KEVENT']], 'FlushEvent' : [ 0x16c, ['_KEVENT']], 'FlushDpc' : [ 0x17c, ['_KDPC']], 'LoggerMutex' : [ 0x19c, ['_KMUTANT']], 'LoggerLock' : [ 0x1bc, ['_EX_PUSH_LOCK']], 'ClientSecurityContext' : [ 0x1c0, ['_SECURITY_CLIENT_CONTEXT']], 'SecurityDescriptor' : [ 0x1fc, ['_EX_FAST_REF']], 'DummyBufferForMarker' : [ 0x200, ['_WMI_BUFFER_HEADER']], 'BufferSequenceNumber' : [ 0x248, ['long long']], 'AcceptNewEvents' : [ 0x250, ['long']], 'Flags' : [ 0x254, ['unsigned long']], 'Persistent' : [ 0x254, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoLogger' : [ 0x254, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'FsReady' : [ 0x254, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RealTime' : [ 0x254, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Wow' : [ 0x254, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'KernelTrace' : [ 0x254, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'NoMoreEnable' : [ 0x254, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'RequestFlag' : [ 0x258, ['unsigned long']], 'RequestNewFie' : [ 0x258, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'RequestUpdateFile' : [ 0x258, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'RequestFlush' : [ 0x258, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'RequestDisableRealtime' : [ 0x258, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'RequestDisconnectConsumer' : [ 0x258, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'StackTraceFilterHookCount' : [ 0x25c, ['unsigned short']], 'StackTraceFilter' : [ 0x25e, ['array', 16, ['unsigned short']]], } ], '_WMI_BUFFER_HEADER' : [ 0x48, { 'Wnode' : [ 0x0, ['_WNODE_HEADER']], 'BufferSize' : [ 
0x0, ['unsigned long']], 'SavedOffset' : [ 0x4, ['unsigned long']], 'CurrentOffset' : [ 0x8, ['unsigned long']], 'ReferenceCount' : [ 0xc, ['long']], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x10, ['_LARGE_INTEGER']], 'SequenceNumber' : [ 0x18, ['long long']], 'Padding0' : [ 0x20, ['array', 2, ['unsigned long']]], 'SlistEntry' : [ 0x20, ['_SINGLE_LIST_ENTRY']], 'NextBuffer' : [ 0x20, ['pointer', ['_WMI_BUFFER_HEADER']]], 'ClientContext' : [ 0x28, ['_ETW_BUFFER_CONTEXT']], 'State' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'EtwBufferStateFree', 1: 'EtwBufferStateGeneralLogging', 2: 'EtwBufferStateCSwitch', 3: 'EtwBufferStateFlush', 4: 'EtwBufferStateMaximum'})]], 'Flags' : [ 0x2c, ['unsigned long']], 'Offset' : [ 0x30, ['unsigned long']], 'BufferFlag' : [ 0x34, ['unsigned short']], 'BufferType' : [ 0x36, ['unsigned short']], 'Padding1' : [ 0x38, ['array', 4, ['unsigned long']]], 'StartTime' : [ 0x38, ['_LARGE_INTEGER']], 'Entry' : [ 0x38, ['_LIST_ENTRY']], 'Padding2' : [ 0x38, ['pointer', ['void']]], 'GlobalEntry' : [ 0x3c, ['_SINGLE_LIST_ENTRY']], 'Pointer0' : [ 0x38, ['pointer', ['void']]], 'Pointer1' : [ 0x3c, ['pointer', ['void']]], } ], '_SYSTEM_TRACE_HEADER' : [ 0x20, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'ThreadId' : [ 0x8, ['unsigned long']], 'ProcessId' : [ 0xc, ['unsigned long']], 'SystemTime' : [ 0x10, ['_LARGE_INTEGER']], 'KernelTime' : [ 0x18, ['unsigned long']], 'UserTime' : [ 0x1c, ['unsigned long']], } ], '_PERFINFO_TRACE_HEADER' : [ 0x18, { 'Marker' : [ 0x0, ['unsigned long']], 'Version' : [ 0x0, ['unsigned short']], 'HeaderType' : [ 0x2, ['unsigned char']], 'Flags' : [ 0x3, ['unsigned char']], 'Header' : [ 0x4, ['unsigned long']], 'Packet' : [ 0x4, ['_WMI_TRACE_PACKET']], 'TS' : [ 0x8, ['unsigned long long']], 
'SystemTime' : [ 0x8, ['_LARGE_INTEGER']], 'Data' : [ 0x10, ['array', 1, ['unsigned char']]], } ], '_ETW_LAST_ENABLE_INFO' : [ 0x10, { 'EnableFlags' : [ 0x0, ['_LARGE_INTEGER']], 'LoggerId' : [ 0x8, ['unsigned short']], 'Level' : [ 0xa, ['unsigned char']], 'Enabled' : [ 0xb, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'InternalFlag' : [ 0xb, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '_TRACE_ENABLE_CONTEXT' : [ 0x8, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], } ], '_TRACE_ENABLE_CONTEXT_EX' : [ 0x10, { 'LoggerId' : [ 0x0, ['unsigned short']], 'Level' : [ 0x2, ['unsigned char']], 'InternalFlag' : [ 0x3, ['unsigned char']], 'EnableFlags' : [ 0x4, ['unsigned long']], 'EnableFlagsHigh' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_ETW_GUID_ENTRY' : [ 0x158, { 'GuidList' : [ 0x0, ['_LIST_ENTRY']], 'RefCount' : [ 0x8, ['long']], 'Guid' : [ 0xc, ['_GUID']], 'RegListHead' : [ 0x1c, ['_LIST_ENTRY']], 'SecurityDescriptor' : [ 0x24, ['pointer', ['void']]], 'LastEnable' : [ 0x28, ['_ETW_LAST_ENABLE_INFO']], 'ProviderEnableInfo' : [ 0x38, ['_TRACE_ENABLE_INFO']], 'EnableInfo' : [ 0x58, ['array', 8, ['_TRACE_ENABLE_INFO']]], } ], '_TRACE_ENABLE_INFO' : [ 0x20, { 'IsEnabled' : [ 0x0, ['unsigned long']], 'Level' : [ 0x4, ['unsigned char']], 'Reserved1' : [ 0x5, ['unsigned char']], 'LoggerId' : [ 0x6, ['unsigned short']], 'EnableProperty' : [ 0x8, ['unsigned long']], 'Reserved2' : [ 0xc, ['unsigned long']], 'MatchAnyKeyword' : [ 0x10, ['unsigned long long']], 'MatchAllKeyword' : [ 0x18, ['unsigned long long']], } ], '__unnamed_17f5' : [ 0x4, { 'DataLength' : [ 0x0, ['short']], 'TotalLength' : [ 0x2, ['short']], } ], '__unnamed_17f7' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_17f5']], 'Length' : [ 0x0, ['unsigned long']], } ], '__unnamed_17f9' : [ 0x4, { 'Type' : [ 
0x0, ['short']], 'DataInfoOffset' : [ 0x2, ['short']], } ], '__unnamed_17fb' : [ 0x4, { 's2' : [ 0x0, ['__unnamed_17f9']], 'ZeroInit' : [ 0x0, ['unsigned long']], } ], '_PORT_MESSAGE' : [ 0x18, { 'u1' : [ 0x0, ['__unnamed_17f7']], 'u2' : [ 0x4, ['__unnamed_17fb']], 'ClientId' : [ 0x8, ['_CLIENT_ID']], 'DoNotUseThisField' : [ 0x8, ['double']], 'MessageId' : [ 0x10, ['unsigned long']], 'ClientViewSize' : [ 0x14, ['unsigned long']], 'CallbackId' : [ 0x14, ['unsigned long']], } ], '_BLOB_TYPE' : [ 0x24, { 'ResourceId' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'BLOB_TYPE_UNKNOWN', 1: 'BLOB_TYPE_CONNECTION_INFO', 2: 'BLOB_TYPE_MESSAGE', 3: 'BLOB_TYPE_SECURITY_CONTEXT', 4: 'BLOB_TYPE_SECTION', 5: 'BLOB_TYPE_REGION', 6: 'BLOB_TYPE_VIEW', 7: 'BLOB_TYPE_RESERVE', 8: 'BLOB_TYPE_DIRECT_TRANSFER', 9: 'BLOB_TYPE_HANDLE_DATA', 10: 'BLOB_TYPE_MAX_ID'})]], 'PoolTag' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'CreatedObjects' : [ 0xc, ['unsigned long']], 'DeletedObjects' : [ 0x10, ['unsigned long']], 'DeleteProcedure' : [ 0x14, ['pointer', ['void']]], 'DestroyProcedure' : [ 0x18, ['pointer', ['void']]], 'UsualSize' : [ 0x1c, ['unsigned long']], 'LookasideIndex' : [ 0x20, ['unsigned long']], } ], '_ALPC_HANDLE_ENTRY' : [ 0x4, { 'Object' : [ 0x0, ['pointer', ['void']]], } ], '__unnamed_1812' : [ 0x1, { 'ReferenceCache' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Lookaside' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Initializing' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Deleted' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], } ], '__unnamed_1814' : [ 0x1, { 's1' : [ 0x0, ['__unnamed_1812']], 'Flags' : [ 0x0, ['unsigned char']], } ], '_BLOB' : [ 0x18, { 'ResourceList' : [ 0x0, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'u1' : [ 0x8, 
['__unnamed_1814']], 'ResourceId' : [ 0x9, ['unsigned char']], 'CachedReferences' : [ 0xa, ['short']], 'ReferenceCount' : [ 0xc, ['long']], 'Lock' : [ 0x10, ['_EX_PUSH_LOCK']], 'Pad' : [ 0x14, ['unsigned long']], } ], '__unnamed_181c' : [ 0x4, { 'Internal' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Secure' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_181e' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_181c']], } ], '_KALPC_SECTION' : [ 0x28, { 'u1' : [ 0x0, ['__unnamed_181e']], 'SectionObject' : [ 0x4, ['pointer', ['void']]], 'Size' : [ 0x8, ['unsigned long']], 'HandleTable' : [ 0xc, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'SectionHandle' : [ 0x10, ['pointer', ['void']]], 'OwnerProcess' : [ 0x14, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0x18, ['pointer', ['_ALPC_PORT']]], 'NumberOfRegions' : [ 0x1c, ['unsigned long']], 'RegionListHead' : [ 0x20, ['_LIST_ENTRY']], } ], '__unnamed_182b' : [ 0x4, { 'Secure' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], } ], '__unnamed_182d' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_182b']], } ], '_KALPC_REGION' : [ 0x30, { 'u1' : [ 0x0, ['__unnamed_182d']], 'RegionListEntry' : [ 0x4, ['_LIST_ENTRY']], 'Section' : [ 0xc, ['pointer', ['_KALPC_SECTION']]], 'Offset' : [ 0x10, ['unsigned long']], 'Size' : [ 0x14, ['unsigned long']], 'ViewSize' : [ 0x18, ['unsigned long']], 'ReadOnlyView' : [ 0x1c, ['pointer', ['_KALPC_VIEW']]], 'ReadWriteView' : [ 0x20, ['pointer', ['_KALPC_VIEW']]], 'NumberOfViews' : [ 0x24, ['unsigned long']], 'ViewListHead' : [ 0x28, ['_LIST_ENTRY']], } ], '__unnamed_1833' : [ 0x4, { 'WriteAccess' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'AutoRelease' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ForceUnlink' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], } ], 
'__unnamed_1835' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1833']], } ], '_KALPC_VIEW' : [ 0x34, { 'ViewListEntry' : [ 0x0, ['_LIST_ENTRY']], 'u1' : [ 0x8, ['__unnamed_1835']], 'Region' : [ 0xc, ['pointer', ['_KALPC_REGION']]], 'OwnerPort' : [ 0x10, ['pointer', ['_ALPC_PORT']]], 'OwnerProcess' : [ 0x14, ['pointer', ['_EPROCESS']]], 'Address' : [ 0x18, ['pointer', ['void']]], 'Size' : [ 0x1c, ['unsigned long']], 'SecureViewHandle' : [ 0x20, ['pointer', ['void']]], 'WriteAccessHandle' : [ 0x24, ['pointer', ['void']]], 'NumberOfOwnerMessages' : [ 0x28, ['unsigned long']], 'ProcessViewListEntry' : [ 0x2c, ['_LIST_ENTRY']], } ], '_ALPC_COMMUNICATION_INFO' : [ 0x24, { 'ConnectionPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'ServerCommunicationPort' : [ 0x4, ['pointer', ['_ALPC_PORT']]], 'ClientCommunicationPort' : [ 0x8, ['pointer', ['_ALPC_PORT']]], 'CommunicationList' : [ 0xc, ['_LIST_ENTRY']], 'HandleTable' : [ 0x14, ['_ALPC_HANDLE_TABLE']], } ], '__unnamed_184d' : [ 0x4, { 'Initialized' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Type' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned long')]], 'ConnectionPending' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ConnectionRefused' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Disconnected' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Closed' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'NoFlushOnClose' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReturnExtendedInfo' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Waitable' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'DynamicSecurity' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned 
long')]], 'Wow64CompletionList' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Lpc' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'LpcToLpc' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HasCompletionList' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'HadCompletionList' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], } ], '__unnamed_184f' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_184d']], 'State' : [ 0x0, ['unsigned long']], } ], '_ALPC_PORT' : [ 0xf4, { 'PortListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'OwnerProcess' : [ 0xc, ['pointer', ['_EPROCESS']]], 'SequenceNo' : [ 0x10, ['unsigned long']], 'CompletionPort' : [ 0x14, ['pointer', ['void']]], 'CompletionKey' : [ 0x18, ['pointer', ['void']]], 'CompletionPacketLookaside' : [ 0x1c, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], 'PortContext' : [ 0x20, ['pointer', ['void']]], 'StaticSecurity' : [ 0x24, ['_SECURITY_CLIENT_CONTEXT']], 'MainQueue' : [ 0x60, ['_LIST_ENTRY']], 'PendingQueue' : [ 0x68, ['_LIST_ENTRY']], 'LargeMessageQueue' : [ 0x70, ['_LIST_ENTRY']], 'WaitQueue' : [ 0x78, ['_LIST_ENTRY']], 'Semaphore' : [ 0x80, ['pointer', ['_KSEMAPHORE']]], 'DummyEvent' : [ 0x80, ['pointer', ['_KEVENT']]], 'Lock' : [ 0x84, ['_EX_PUSH_LOCK']], 'PortAttributes' : [ 0x88, ['_ALPC_PORT_ATTRIBUTES']], 'ResourceListLock' : [ 0xb4, ['_EX_PUSH_LOCK']], 'ResourceListHead' : [ 0xb8, ['_LIST_ENTRY']], 'CompletionList' : [ 0xc0, ['pointer', ['_ALPC_COMPLETION_LIST']]], 'MessageZone' : [ 0xc4, ['pointer', ['_ALPC_MESSAGE_ZONE']]], 'CanceledQueue' : [ 0xc8, ['_LIST_ENTRY']], 'u1' : [ 0xd0, ['__unnamed_184f']], 'TargetQueuePort' : [ 0xd4, ['pointer', ['_ALPC_PORT']]], 'TargetSequencePort' : [ 0xd8, ['pointer', ['_ALPC_PORT']]], 'Message' : [ 0xdc, 
['pointer', ['_KALPC_MESSAGE']]], 'MainQueueLength' : [ 0xe0, ['unsigned long']], 'PendingQueueLength' : [ 0xe4, ['unsigned long']], 'LargeMessageQueueLength' : [ 0xe8, ['unsigned long']], 'CanceledQueueLength' : [ 0xec, ['unsigned long']], 'WaitQueueLength' : [ 0xf0, ['unsigned long']], } ], '__unnamed_1866' : [ 0x4, { 'QueueType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]], 'QueuePortType' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 6, native_type='unsigned long')]], 'Canceled' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'Ready' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'ReleaseMessage' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SharedQuota' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'ReplyWaitReply' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'OwnerPortReference' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'ReserveReference' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'ReceiverReference' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], } ], '__unnamed_1868' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_1866']], 'State' : [ 0x0, ['unsigned long']], } ], '_KALPC_MESSAGE' : [ 0x90, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtensionBuffer' : [ 0x8, ['pointer', ['void']]], 'ExtensionBufferSize' : [ 0xc, ['unsigned long']], 'QuotaProcess' : [ 0x10, ['pointer', ['_EPROCESS']]], 'QuotaBlock' : [ 0x10, ['pointer', ['void']]], 'SequenceNo' : [ 0x14, ['long']], 'u1' : [ 0x18, ['__unnamed_1868']], 'CancelSequencePort' : [ 0x1c, ['pointer', ['_ALPC_PORT']]], 'CancelQueuePort' : [ 0x20, ['pointer', ['_ALPC_PORT']]], 'CancelSequenceNo' : [ 0x24, ['long']], 'CancelListEntry' : [ 0x28, 
['_LIST_ENTRY']], 'WaitingThread' : [ 0x30, ['pointer', ['_ETHREAD']]], 'Reserve' : [ 0x34, ['pointer', ['_KALPC_RESERVE']]], 'PortQueue' : [ 0x38, ['pointer', ['_ALPC_PORT']]], 'OwnerPort' : [ 0x3c, ['pointer', ['_ALPC_PORT']]], 'UniqueTableEntry' : [ 0x40, ['pointer', ['_HANDLE_TABLE_ENTRY']]], 'MessageAttributes' : [ 0x44, ['_KALPC_MESSAGE_ATTRIBUTES']], 'DataUserVa' : [ 0x60, ['pointer', ['void']]], 'DataSystemVa' : [ 0x64, ['pointer', ['void']]], 'CommunicationInfo' : [ 0x68, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'ConnectionPort' : [ 0x6c, ['pointer', ['_ALPC_PORT']]], 'ServerThread' : [ 0x70, ['pointer', ['_ETHREAD']]], 'PortMessage' : [ 0x78, ['_PORT_MESSAGE']], } ], '_REMOTE_PORT_VIEW' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'ViewSize' : [ 0x4, ['unsigned long']], 'ViewBase' : [ 0x8, ['pointer', ['void']]], } ], '_KALPC_HANDLE_DATA' : [ 0xc, { 'Flags' : [ 0x0, ['unsigned long']], 'ObjectType' : [ 0x4, ['unsigned long']], 'DuplicateContext' : [ 0x8, ['pointer', ['_OB_DUPLICATE_OBJECT_STATE']]], } ], '_KALPC_MESSAGE_ATTRIBUTES' : [ 0x1c, { 'ClientContext' : [ 0x0, ['pointer', ['void']]], 'ServerContext' : [ 0x4, ['pointer', ['void']]], 'PortContext' : [ 0x8, ['pointer', ['void']]], 'CancelPortContext' : [ 0xc, ['pointer', ['void']]], 'SecurityData' : [ 0x10, ['pointer', ['_KALPC_SECURITY_DATA']]], 'View' : [ 0x14, ['pointer', ['_KALPC_VIEW']]], 'HandleData' : [ 0x18, ['pointer', ['_KALPC_HANDLE_DATA']]], } ], '__unnamed_18a6' : [ 0x4, { 'Revoked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Impersonated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], } ], '__unnamed_18a8' : [ 0x4, { 's1' : [ 0x0, ['__unnamed_18a6']], } ], '_KALPC_SECURITY_DATA' : [ 0x50, { 'HandleTable' : [ 0x0, ['pointer', ['_ALPC_HANDLE_TABLE']]], 'ContextHandle' : [ 0x4, ['pointer', ['void']]], 'OwningProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'OwnerPort' : [ 0xc, ['pointer', 
['_ALPC_PORT']]], 'DynamicSecurity' : [ 0x10, ['_SECURITY_CLIENT_CONTEXT']], 'u1' : [ 0x4c, ['__unnamed_18a8']], } ], '_ALPC_DISPATCH_CONTEXT' : [ 0x20, { 'PortObject' : [ 0x0, ['pointer', ['_ALPC_PORT']]], 'Message' : [ 0x4, ['pointer', ['_KALPC_MESSAGE']]], 'CommunicationInfo' : [ 0x8, ['pointer', ['_ALPC_COMMUNICATION_INFO']]], 'Flags' : [ 0xc, ['unsigned long']], 'TargetThread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'TargetPort' : [ 0x14, ['pointer', ['_ALPC_PORT']]], 'TotalLength' : [ 0x18, ['unsigned short']], 'Type' : [ 0x1a, ['unsigned short']], 'DataInfoOffset' : [ 0x1c, ['unsigned short']], } ], '_ALPC_MESSAGE_ATTRIBUTES' : [ 0x8, { 'AllocatedAttributes' : [ 0x0, ['unsigned long']], 'ValidAttributes' : [ 0x4, ['unsigned long']], } ], '_ALPC_PORT_ATTRIBUTES' : [ 0x2c, { 'Flags' : [ 0x0, ['unsigned long']], 'SecurityQos' : [ 0x4, ['_SECURITY_QUALITY_OF_SERVICE']], 'MaxMessageLength' : [ 0x10, ['unsigned long']], 'MemoryBandwidth' : [ 0x14, ['unsigned long']], 'MaxPoolUsage' : [ 0x18, ['unsigned long']], 'MaxSectionSize' : [ 0x1c, ['unsigned long']], 'MaxViewSize' : [ 0x20, ['unsigned long']], 'MaxTotalSectionSize' : [ 0x24, ['unsigned long']], 'DupObjectTypes' : [ 0x28, ['unsigned long']], } ], '_LUID_AND_ATTRIBUTES' : [ 0xc, { 'Luid' : [ 0x0, ['_LUID']], 'Attributes' : [ 0x8, ['unsigned long']], } ], '_TOKEN' : [ 0x1e8, { 'TokenSource' : [ 0x0, ['_TOKEN_SOURCE']], 'TokenId' : [ 0x10, ['_LUID']], 'AuthenticationId' : [ 0x18, ['_LUID']], 'ParentTokenId' : [ 0x20, ['_LUID']], 'ExpirationTime' : [ 0x28, ['_LARGE_INTEGER']], 'TokenLock' : [ 0x30, ['pointer', ['_ERESOURCE']]], 'ModifiedId' : [ 0x34, ['_LUID']], 'Privileges' : [ 0x40, ['_SEP_TOKEN_PRIVILEGES']], 'AuditPolicy' : [ 0x58, ['_SEP_AUDIT_POLICY']], 'SessionId' : [ 0x74, ['unsigned long']], 'UserAndGroupCount' : [ 0x78, ['unsigned long']], 'RestrictedSidCount' : [ 0x7c, ['unsigned long']], 'VariableLength' : [ 0x80, ['unsigned long']], 'DynamicCharged' : [ 0x84, ['unsigned long']], 'DynamicAvailable' : [ 
0x88, ['unsigned long']], 'DefaultOwnerIndex' : [ 0x8c, ['unsigned long']], 'UserAndGroups' : [ 0x90, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'RestrictedSids' : [ 0x94, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'PrimaryGroup' : [ 0x98, ['pointer', ['void']]], 'DynamicPart' : [ 0x9c, ['pointer', ['unsigned long']]], 'DefaultDacl' : [ 0xa0, ['pointer', ['_ACL']]], 'TokenType' : [ 0xa4, ['Enumeration', dict(target = 'long', choices = {1: 'TokenPrimary', 2: 'TokenImpersonation'})]], 'ImpersonationLevel' : [ 0xa8, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'TokenFlags' : [ 0xac, ['unsigned long']], 'TokenInUse' : [ 0xb0, ['unsigned char']], 'IntegrityLevelIndex' : [ 0xb4, ['unsigned long']], 'MandatoryPolicy' : [ 0xb8, ['unsigned long']], 'ProxyData' : [ 0xbc, ['pointer', ['_SECURITY_TOKEN_PROXY_DATA']]], 'AuditData' : [ 0xc0, ['pointer', ['_SECURITY_TOKEN_AUDIT_DATA']]], 'LogonSession' : [ 0xc4, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'OriginatingLogonSession' : [ 0xc8, ['_LUID']], 'SidHash' : [ 0xd0, ['_SID_AND_ATTRIBUTES_HASH']], 'RestrictedSidHash' : [ 0x158, ['_SID_AND_ATTRIBUTES_HASH']], 'VariablePart' : [ 0x1e0, ['unsigned long']], } ], '_SEP_LOGON_SESSION_REFERENCES' : [ 0x34, { 'Next' : [ 0x0, ['pointer', ['_SEP_LOGON_SESSION_REFERENCES']]], 'LogonId' : [ 0x4, ['_LUID']], 'BuddyLogonId' : [ 0xc, ['_LUID']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'Flags' : [ 0x18, ['unsigned long']], 'pDeviceMap' : [ 0x1c, ['pointer', ['_DEVICE_MAP']]], 'Token' : [ 0x20, ['pointer', ['void']]], 'AccountName' : [ 0x24, ['_UNICODE_STRING']], 'AuthorityName' : [ 0x2c, ['_UNICODE_STRING']], } ], '_OBP_LOOKUP_CONTEXT' : [ 0x14, { 'Directory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], 'HashIndex' : [ 0xc, ['unsigned short']], 'DirectoryLocked' : [ 0xe, ['unsigned char']], 
    'LockStateSignature' : [ 0x10, ['unsigned long']],
} ],
  '_OBJECT_DIRECTORY' : [ 0xa8, {
    'HashBuckets' : [ 0x0, ['array', 37, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]]],
    'Lock' : [ 0x94, ['_EX_PUSH_LOCK']],
    'DeviceMap' : [ 0x98, ['pointer', ['_DEVICE_MAP']]],
    'SessionId' : [ 0x9c, ['unsigned long']],
    'NamespaceEntry' : [ 0xa0, ['pointer', ['void']]],
    'Flags' : [ 0xa4, ['unsigned long']],
} ],
  '_OBJECT_TYPE' : [ 0x140, {
    'TypeList' : [ 0x0, ['_LIST_ENTRY']],
    'Name' : [ 0x8, ['_UNICODE_STRING']],
    'DefaultObject' : [ 0x10, ['pointer', ['void']]],
    'Index' : [ 0x14, ['unsigned long']],
    'TotalNumberOfObjects' : [ 0x18, ['unsigned long']],
    'TotalNumberOfHandles' : [ 0x1c, ['unsigned long']],
    'HighWaterNumberOfObjects' : [ 0x20, ['unsigned long']],
    'HighWaterNumberOfHandles' : [ 0x24, ['unsigned long']],
    'TypeInfo' : [ 0x28, ['_OBJECT_TYPE_INITIALIZER']],
    'Mutex' : [ 0x78, ['_ERESOURCE']],
    'TypeLock' : [ 0xb0, ['_EX_PUSH_LOCK']],
    'Key' : [ 0xb4, ['unsigned long']],
    'ObjectLocks' : [ 0xb8, ['array', 32, ['_EX_PUSH_LOCK']]],
    'CallbackList' : [ 0x138, ['_LIST_ENTRY']],
} ],
  '_PS_CLIENT_SECURITY_CONTEXT' : [ 0x4, {
    'ImpersonationData' : [ 0x0, ['unsigned long']],
    'ImpersonationToken' : [ 0x0, ['pointer', ['void']]],
    'ImpersonationLevel' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='unsigned long')]],
    'EffectiveOnly' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]],
} ],
  '_MMVAD_FLAGS3' : [ 0x4, {
    'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 6, native_type='unsigned long')]],
    'Teb' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]],
    'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]],
    'SequentialAccess' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]],
    'LastSequentialTrim' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 24, native_type='unsigned long')]],
    'Spare2' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]],
} ],
  '_MI_VERIFIER_POOL_HEADER' : [ 0x4, {
    'VerifierPoolEntry' : [ 0x0, ['pointer', ['_VI_POOL_ENTRY']]],
} ],
  '_HBASE_BLOCK' : [ 0x1000, {
    'Signature' : [ 0x0, ['unsigned long']],
    'Sequence1' : [ 0x4, ['unsigned long']],
    'Sequence2' : [ 0x8, ['unsigned long']],
    'TimeStamp' : [ 0xc, ['_LARGE_INTEGER']],
    'Major' : [ 0x14, ['unsigned long']],
    'Minor' : [ 0x18, ['unsigned long']],
    'Type' : [ 0x1c, ['unsigned long']],
    'Format' : [ 0x20, ['unsigned long']],
    'RootCell' : [ 0x24, ['unsigned long']],
    'Length' : [ 0x28, ['unsigned long']],
    'Cluster' : [ 0x2c, ['unsigned long']],
    'FileName' : [ 0x30, ['array', 64, ['unsigned char']]],
    'RmId' : [ 0x70, ['_GUID']],
    'LogId' : [ 0x80, ['_GUID']],
    'Flags' : [ 0x90, ['unsigned long']],
    'TmId' : [ 0x94, ['_GUID']],
    'GuidSignature' : [ 0xa4, ['unsigned long']],
    'Reserved1' : [ 0xa8, ['array', 85, ['unsigned long']]],
    'CheckSum' : [ 0x1fc, ['unsigned long']],
    'Reserved2' : [ 0x200, ['array', 882, ['unsigned long']]],
    'ThawTmId' : [ 0xfc8, ['_GUID']],
    'ThawRmId' : [ 0xfd8, ['_GUID']],
    'ThawLogId' : [ 0xfe8, ['_GUID']],
    'BootType' : [ 0xff8, ['unsigned long']],
    'BootRecover' : [ 0xffc, ['unsigned long']],
} ],
  '_ERESOURCE' : [ 0x38, {
    'SystemResourcesList' : [ 0x0, ['_LIST_ENTRY']],
    'OwnerTable' : [ 0x8, ['pointer', ['_OWNER_ENTRY']]],
    'ActiveCount' : [ 0xc, ['short']],
    'Flag' : [ 0xe, ['unsigned short']],
    'SharedWaiters' : [ 0x10, ['pointer', ['_KSEMAPHORE']]],
    'ExclusiveWaiters' : [ 0x14, ['pointer', ['_KEVENT']]],
    'OwnerEntry' : [ 0x18, ['_OWNER_ENTRY']],
    'ActiveEntries' : [ 0x20, ['unsigned long']],
    'ContentionCount' : [ 0x24, ['unsigned long']],
    'NumberOfSharedWaiters' : [ 0x28, ['unsigned long']],
    'NumberOfExclusiveWaiters' : [ 0x2c, ['unsigned long']],
    'Address' : [ 0x30, ['pointer', ['void']]],
    'CreatorBackTraceIndex' : [ 0x30, ['unsigned long']],
    'SpinLock' : [ 0x34, ['unsigned long']],
} ],
  '_LPCP_MESSAGE' : [ 0x30, {
    'Entry' : [ 0x0, ['_LIST_ENTRY']],
    'FreeEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']],
    'Reserved0' : [ 0x4, ['unsigned long']],
    'SenderPort' : [ 0x8, ['pointer', ['void']]],
    'RepliedToThread' : [ 0xc, ['pointer', ['_ETHREAD']]],
    'PortContext' : [ 0x10, ['pointer', ['void']]],
    'Request' : [ 0x18, ['_PORT_MESSAGE']],
} ],
  '_HARDWARE_PTE' : [ 0x4, {
    'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]],
    'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]],
    'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]],
    'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]],
    'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]],
    'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]],
    'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]],
    'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]],
    'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]],
    'reserved' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]],
    'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]],
} ],
  '_DUAL' : [ 0x13c, {
    'Length' : [ 0x0, ['unsigned long']],
    'Map' : [ 0x4, ['pointer', ['_HMAP_DIRECTORY']]],
    'SmallDir' : [ 0x8, ['pointer', ['_HMAP_TABLE']]],
    'Guard' : [ 0xc, ['unsigned long']],
    'FreeDisplay' : [ 0x10, ['array', 24, ['_FREE_DISPLAY']]],
    'FreeSummary' : [ 0x130, ['unsigned long']],
    'FreeBins' : [ 0x134, ['_LIST_ENTRY']],
} ],
  '_DISPATCHER_HEADER' : [ 0x10, {
    'Type' : [ 0x0, ['unsigned char']],
    'Abandoned' : [ 0x1, ['unsigned char']],
    'Absolute' : [ 0x1, ['unsigned char']],
    'NpxIrql' : [ 0x1, ['unsigned char']],
    'Signalling' : [ 0x1, ['unsigned char']],
    'Size' : [ 0x2, ['unsigned char']],
    'Hand' : [ 0x2, ['unsigned char']],
    'Inserted' : [ 0x3, ['unsigned char']],
    'DebugActive' : [ 0x3, ['unsigned char']],
    'DpcActive' : [ 0x3, ['unsigned char']],
    'Lock' : [ 0x0, ['long']],
    'SignalState' : [ 0x4, ['long']],
    'WaitListHead' : [ 0x8, ['_LIST_ENTRY']],
} ],
  '_VI_POOL_ENTRY' : [ 0x10, {
    'PageHeader' : [ 0x0, ['_VI_POOL_PAGE_HEADER']],
    'InUse' : [ 0x0, ['_VI_POOL_ENTRY_INUSE']],
    'NextFree' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]],
} ],
  '_MM_PAGE_ACCESS_INFO' : [ 0x8, {
    'Flags' : [ 0x0, ['_MM_PAGE_ACCESS_INFO_FLAGS']],
    'FileOffset' : [ 0x0, ['unsigned long long']],
    'VirtualAddress' : [ 0x0, ['pointer', ['void']]],
    'DontUse0' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]],
    'Spare0' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]],
    'PointerProtoPte' : [ 0x4, ['pointer', ['void']]],
} ],
  '_HEAP_COUNTERS' : [ 0x48, {
    'TotalMemoryReserved' : [ 0x0, ['unsigned long']],
    'TotalMemoryCommitted' : [ 0x4, ['unsigned long']],
    'TotalMemoryLargeUCR' : [ 0x8, ['unsigned long']],
    'TotalSizeInVirtualBlocks' : [ 0xc, ['unsigned long']],
    'TotalSegments' : [ 0x10, ['unsigned long']],
    'TotalUCRs' : [ 0x14, ['unsigned long']],
    'CommittOps' : [ 0x18, ['unsigned long']],
    'DeCommitOps' : [ 0x1c, ['unsigned long']],
    'LockAcquires' : [ 0x20, ['unsigned long']],
    'LockCollisions' : [ 0x24, ['unsigned long']],
    'CommitRate' : [ 0x28, ['unsigned long']],
    'DecommittRate' : [ 0x2c, ['unsigned long']],
    'CommitFailures' : [ 0x30, ['unsigned long']],
    'InBlockCommitFailures' : [ 0x34, ['unsigned long']],
    'CompactHeapCalls' : [ 0x38, ['unsigned long']],
    'CompactedUCRs' : [ 0x3c, ['unsigned long']],
    'InBlockDeccommits' : [ 0x40, ['unsigned long']],
    'InBlockDeccomitSize' : [ 0x44, ['unsigned long']],
} ],
  '_SYSPTES_HEADER' : [ 0x14, {
    'ListHead' : [ 0x0, ['_LIST_ENTRY']],
    'Count' : [ 0x8, ['unsigned long']],
    'NumberOfEntries' : [ 0xc, ['unsigned long']],
    'NumberOfEntriesPeak' : [ 0x10, ['unsigned long']],
} ],
  '_EXCEPTION_RECORD' : [ 0x50, {
    'ExceptionCode' : [ 0x0, ['long']],
    'ExceptionFlags' : [ 0x4, ['unsigned long']],
    'ExceptionRecord' : [ 0x8, ['pointer', ['_EXCEPTION_RECORD']]],
    'ExceptionAddress' : [ 0xc, ['pointer', ['void']]],
    'NumberParameters' : [ 0x10, ['unsigned long']],
    'ExceptionInformation' : [ 0x14, ['array', 15, ['unsigned long']]],
} ],
  '_PERFINFO_HARDPAGEFAULT_INFORMATION' : [ 0x18, {
    'ReadOffset' : [ 0x0, ['_LARGE_INTEGER']],
    'VirtualAddress' : [ 0x8, ['pointer', ['void']]],
    'FileObject' : [ 0xc, ['pointer', ['void']]],
    'ThreadId' : [ 0x10, ['unsigned long']],
    'ByteCount' : [ 0x14, ['unsigned long']],
} ],
  '_I386_LOADER_BLOCK' : [ 0xc, {
    'CommonDataArea' : [ 0x0, ['pointer', ['void']]],
    'MachineType' : [ 0x4, ['unsigned long']],
    'VirtualBias' : [ 0x8, ['unsigned long']],
} ],
  '_CELL_DATA' : [ 0x50, {
    'u' : [ 0x0, ['_u']],
} ],
  '_ARC_DISK_INFORMATION' : [ 0x8, {
    'DiskSignatures' : [ 0x0, ['_LIST_ENTRY']],
} ],
  '_INITIAL_PRIVILEGE_SET' : [ 0x2c, {
    'PrivilegeCount' : [ 0x0, ['unsigned long']],
    'Control' : [ 0x4, ['unsigned long']],
    'Privilege' : [ 0x8, ['array', 3, ['_LUID_AND_ATTRIBUTES']]],
} ],
  '_HEAP_TUNING_PARAMETERS' : [ 0x8, {
    'CommittThresholdShift' : [ 0x0, ['unsigned long']],
    'MaxPreCommittThreshold' : [ 0x4, ['unsigned long']],
} ],
  '_MMWSLE_NONDIRECT_HASH' : [ 0x8, {
    'Key' : [ 0x0, ['pointer', ['void']]],
    'Index' : [ 0x4, ['unsigned long']],
} ],
  '_DBGKD_SEARCH_MEMORY' : [ 0x18, {
    'SearchAddress' : [ 0x0, ['unsigned long long']],
    'FoundAddress' : [ 0x0, ['unsigned long long']],
    'SearchLength' : [ 0x8, ['unsigned long long']],
    'PatternLength' : [ 0x10, ['unsigned long']],
} ],
  '_HMAP_DIRECTORY' : [ 0x1000, {
    'Directory' : [ 0x0, ['array', 1024, ['pointer', ['_HMAP_TABLE']]]],
} ],
  '_DEVPROPKEY' : [ 0x14, {
    'fmtid' : [ 0x0, ['_GUID']],
    'pid' : [ 0x10, ['unsigned long']],
} ],
  '_WHEA_NMI_ERROR' : [ 0xc, {
    'Data' : [ 0x0, ['array', 8, ['unsigned char']]],
    'Flags' : [ 0x8, ['_WHEA_NMI_ERROR_FLAGS']],
} ],
  '_HANDLE_TABLE' : [ 0x38, {
    'TableCode' : [ 0x0, ['unsigned long']],
    'QuotaProcess' : [ 0x4, ['pointer', ['_EPROCESS']]],
    'UniqueProcessId' : [ 0x8, ['pointer', ['void']]],
    'HandleLock' : [ 0xc, ['_EX_PUSH_LOCK']],
    'HandleTableList' : [ 0x10, ['_LIST_ENTRY']],
    'HandleContentionEvent' : [ 0x18, ['_EX_PUSH_LOCK']],
    'DebugInfo' : [ 0x1c, ['pointer', ['_HANDLE_TRACE_DEBUG_INFO']]],
    'ExtraInfoPages' : [ 0x20, ['long']],
    'Flags' : [ 0x24, ['unsigned long']],
    'StrictFIFO' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]],
    'FirstFreeHandle' : [ 0x28, ['long']],
    'LastFreeHandleEntry' : [ 0x2c, ['pointer', ['_HANDLE_TABLE_ENTRY']]],
    'HandleCount' : [ 0x30, ['long']],
    'NextHandleNeedingPool' : [ 0x34, ['unsigned long']],
} ],
  '_POOL_TRACKER_BIG_PAGES' : [ 0x10, {
    'Va' : [ 0x0, ['pointer', ['void']]],
    'Key' : [ 0x4, ['unsigned long']],
    'PoolType' : [ 0x8, ['unsigned long']],
    'NumberOfBytes' : [ 0xc, ['unsigned long']],
} ],
  '_MMVAD_FLAGS2' : [ 0x4, {
    'FileOffset' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]],
    'SecNoChange' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]],
    'OneSecured' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, native_type='unsigned long')]],
    'MultipleSecured' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 27, native_type='unsigned long')]],
    'Spare' : [ 0x0, ['BitField', dict(start_bit = 27, end_bit = 28, native_type='unsigned long')]],
    'LongVad' : [ 0x0, ['BitField', dict(start_bit = 28, end_bit = 29, native_type='unsigned long')]],
    'ExtendableFile' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 30, native_type='unsigned long')]],
    'Inherit' : [ 0x0, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]],
    'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]],
} ],
  '_VI_CANCEL_GLOBALS' : [ 0x6c, {
    'CancelLock' : [ 0x0, ['unsigned long']],
    'IssueLock' : [ 0x4, ['unsigned long']],
    'Counters' : [ 0x8, ['array', 25, ['long']]],
} ],
  '_KALPC_RESERVE' : [ 0x14, {
    'OwnerPort' : [ 0x0, ['pointer', ['_ALPC_PORT']]],
    'HandleTable' : [ 0x4, ['pointer', ['_ALPC_HANDLE_TABLE']]],
    'Handle' : [ 0x8, ['pointer', ['void']]],
    'Message' : [ 0xc, ['pointer', ['_KALPC_MESSAGE']]],
    'Active' : [ 0x10, ['long']],
} ],
  '_TEB_ACTIVE_FRAME' : [ 0xc, {
    'Flags' : [ 0x0, ['unsigned long']],
    'Previous' : [ 0x4, ['pointer', ['_TEB_ACTIVE_FRAME']]],
    'Context' : [ 0x8, ['pointer', ['_TEB_ACTIVE_FRAME_CONTEXT']]],
} ],
  '_FILE_GET_QUOTA_INFORMATION' : [ 0x14, {
    'NextEntryOffset' : [ 0x0, ['unsigned long']],
    'SidLength' : [ 0x4, ['unsigned long']],
    'Sid' : [ 0x8, ['_SID']],
} ],
  '_CM_KEY_BODY' : [ 0x2c, {
    'Type' : [ 0x0, ['unsigned long']],
    'KeyControlBlock' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]],
    'NotifyBlock' : [ 0x8, ['pointer', ['_CM_NOTIFY_BLOCK']]],
    'ProcessID' : [ 0xc, ['pointer', ['void']]],
    'KeyBodyList' : [ 0x10, ['_LIST_ENTRY']],
    'Flags' : [ 0x18, ['unsigned long']],
    'KtmTrans' : [ 0x1c, ['pointer', ['void']]],
    'KtmUow' : [ 0x20, ['pointer', ['_GUID']]],
    'ContextListHead' : [ 0x24, ['_LIST_ENTRY']],
} ],
  '_MMPTE_PROTOTYPE' : [ 0x4, {
    'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'ProtoAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 9, native_type='unsigned long')]],
    'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]],
    'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]],
    'ProtoAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]],
} ],
  '_WHEA_ERROR_PACKET_FLAGS' : [ 0x4, {
    'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'CpuValid' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]],
    'Simulated' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]],
    'Reserved' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]],
    'AsULONG' : [ 0x0, ['unsigned long']],
} ],
  '_THERMAL_INFORMATION_EX' : [ 0x50, {
    'ThermalStamp' : [ 0x0, ['unsigned long']],
    'ThermalConstant1' : [ 0x4, ['unsigned long']],
    'ThermalConstant2' : [ 0x8, ['unsigned long']],
    'Processors' : [ 0xc, ['unsigned long']],
    'SamplingPeriod' : [ 0x10, ['unsigned long']],
    'CurrentTemperature' : [ 0x14, ['unsigned long']],
    'PassiveTripPoint' : [ 0x18, ['unsigned long']],
    'CriticalTripPoint' : [ 0x1c, ['unsigned long']],
    'ActiveTripPointCount' : [ 0x20, ['unsigned char']],
    'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]],
    'S4TransitionTripPoint' : [ 0x4c, ['unsigned long']],
} ],
  '__unnamed_1995' : [ 0x4, {
    'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]],
    'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]],
    'Image' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]],
    'Spare0' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]],
} ],
  '__unnamed_1997' : [ 0x4, {
    'FilePointerIndex' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]],
    'HardFault' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]],
    'Spare1' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]],
} ],
  '_MM_PAGE_ACCESS_INFO_FLAGS' : [ 0x4, {
    'File' : [ 0x0, ['__unnamed_1995']],
    'Private' : [ 0x0, ['__unnamed_1997']],
} ],
  '_VI_VERIFIER_ISSUE' : [ 0x10, {
    'IssueType' : [ 0x0, ['unsigned long']],
    'Address' : [ 0x4, ['pointer', ['void']]],
    'Parameters' : [ 0x8, ['array', 2, ['unsigned long']]],
} ],
  '_MMSUBSECTION_FLAGS' : [ 0x4, {
    'SubsectionAccessed' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]],
    'Protection' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 6, native_type='unsigned short')]],
    'StartingSector4132' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 16, native_type='unsigned short')]],
    'SubsectionStatic' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]],
    'GlobalMemory' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]],
    'DirtyPages' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned short')]],
    'Spare' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned short')]],
    'SectorEndOffset' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 16, native_type='unsigned short')]],
} ],
  '_EXCEPTION_POINTERS' : [ 0x8, {
    'ExceptionRecord' : [ 0x0, ['pointer', ['_EXCEPTION_RECORD']]],
    'ContextRecord' : [ 0x4, ['pointer', ['_CONTEXT']]],
} ],
  '_KMUTANT' : [ 0x20, {
    'Header' : [ 0x0, ['_DISPATCHER_HEADER']],
    'MutantListEntry' : [ 0x10, ['_LIST_ENTRY']],
    'OwnerThread' : [ 0x18, ['pointer', ['_KTHREAD']]],
    'Abandoned' : [ 0x1c, ['unsigned char']],
    'ApcDisable' : [ 0x1d, ['unsigned char']],
} ],
  '_OBJECT_REF_INFO' : [ 0x1c, {
    'ObjectHeader' : [ 0x0, ['pointer', ['_OBJECT_HEADER']]],
    'NextRef' : [ 0x4, ['pointer', ['void']]],
    'ImageFileName' : [ 0x8, ['array', 16, ['unsigned char']]],
    'NextPos' : [ 0x18, ['unsigned short']],
    'MaxStacks' : [ 0x1a, ['unsigned short']],
    'StackInfo' : [ 0x1c, ['array', 0, ['_OBJECT_REF_STACK_INFO']]],
} ],
  '_CMHIVE' : [ 0x5e0, {
    'Hive' : [ 0x0, ['_HHIVE']],
    'FileHandles' : [ 0x2e8, ['array', 6, ['pointer', ['void']]]],
    'NotifyList' : [ 0x300, ['_LIST_ENTRY']],
    'HiveList' : [ 0x308, ['_LIST_ENTRY']],
    'HiveLock' : [ 0x310, ['pointer', ['_FAST_MUTEX']]],
    'ViewLock' : [ 0x314, ['_EX_PUSH_LOCK']],
    'ViewLockOwner' : [ 0x318, ['pointer', ['_KTHREAD']]],
    'ViewLockLast' : [ 0x31c, ['unsigned long']],
    'ViewUnLockLast' : [ 0x320, ['unsigned long']],
    'WriterLock' : [ 0x324, ['pointer', ['_FAST_MUTEX']]],
    'FlusherLock' : [ 0x328, ['_EX_PUSH_LOCK']],
    'SecurityLock' : [ 0x32c, ['_EX_PUSH_LOCK']],
    'MappedViewList' : [ 0x330, ['_LIST_ENTRY']],
    'PinnedViewList' : [ 0x338, ['_LIST_ENTRY']],
    'FlushedViewList' : [ 0x340, ['_LIST_ENTRY']],
    'MappedViewCount' : [ 0x348, ['unsigned short']],
    'PinnedViewCount' : [ 0x34a, ['unsigned short']],
    'UseCount' : [ 0x34c, ['unsigned long']],
    'ViewsPerHive' : [ 0x350, ['unsigned long']],
    'FileObject' : [ 0x354, ['pointer', ['_FILE_OBJECT']]],
    'LastShrinkHiveSize' : [ 0x358, ['unsigned long']],
    'ActualFileSize' : [ 0x360, ['_LARGE_INTEGER']],
    'FileFullPath' : [ 0x368, ['_UNICODE_STRING']],
    'FileUserName' : [ 0x370, ['_UNICODE_STRING']],
    'HiveRootPath' : [ 0x378, ['_UNICODE_STRING']],
    'SecurityCount' : [ 0x380, ['unsigned long']],
    'SecurityCacheSize' : [ 0x384, ['unsigned long']],
    'SecurityHitHint' : [ 0x388, ['long']],
    'SecurityCache' : [ 0x38c, ['pointer', ['_CM_KEY_SECURITY_CACHE_ENTRY']]],
    'SecurityHash' : [ 0x390, ['array', 64, ['_LIST_ENTRY']]],
    'UnloadEventCount' : [ 0x590, ['unsigned long']],
    'UnloadEventArray' : [ 0x594, ['pointer', ['pointer', ['_KEVENT']]]],
    'RootKcb' : [ 0x598, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]],
    'Frozen' : [ 0x59c, ['unsigned char']],
    'UnloadWorkItem' : [ 0x5a0, ['pointer', ['_CM_WORKITEM']]],
    'GrowOnlyMode' : [ 0x5a4, ['unsigned char']],
    'GrowOffset' : [ 0x5a8, ['unsigned long']],
    'KcbConvertListHead' : [ 0x5ac, ['_LIST_ENTRY']],
    'KnodeConvertListHead' : [ 0x5b4, ['_LIST_ENTRY']],
    'CellRemapArray' : [ 0x5bc, ['pointer', ['_CM_CELL_REMAP_BLOCK']]],
    'Flags' : [ 0x5c0, ['unsigned long']],
    'TrustClassEntry' : [ 0x5c4, ['_LIST_ENTRY']],
    'FlushCount' : [ 0x5cc, ['unsigned long']],
    'CmRm' : [ 0x5d0, ['pointer', ['_CM_RM']]],
    'CmRmInitFailPoint' : [ 0x5d4, ['unsigned long']],
    'CmRmInitFailStatus' : [ 0x5d8, ['long']],
    'CreatorOwner' : [ 0x5dc, ['pointer', ['_KTHREAD']]],
} ],
  '_MI_IMAGE_SECURITY_REFERENCE' : [ 0xc, {
    'SecurityContext' : [ 0x0, ['_IMAGE_SECURITY_CONTEXT']],
    'DynamicRelocations' : [ 0x4, ['pointer', ['void']]],
    'ReferenceCount' : [ 0x8, ['long']],
} ],
  '_HEAP_TAG_ENTRY' : [ 0x40, {
    'Allocs' : [ 0x0, ['unsigned long']],
    'Frees' : [ 0x4, ['unsigned long']],
    'Size' : [ 0x8, ['unsigned long']],
    'TagIndex' : [ 0xc, ['unsigned short']],
    'CreatorBackTraceIndex' : [ 0xe, ['unsigned short']],
    'TagName' : [ 0x10, ['array', 24, ['wchar']]],
} ],
  '_SECURITY_QUALITY_OF_SERVICE' : [ 0xc, {
    'Length' : [ 0x0, ['unsigned long']],
    'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]],
    'ContextTrackingMode' : [ 0x8, ['unsigned char']],
    'EffectiveOnly' : [ 0x9, ['unsigned char']],
} ],
  '__unnamed_19c6' : [ 0x8, {
    'List' : [ 0x0, ['_LIST_ENTRY']],
    'Secured' : [ 0x0, ['_MMADDRESS_LIST']],
} ],
  '__unnamed_19cc' : [ 0x4, {
    'Banked' : [ 0x0, ['pointer', ['_MMBANKED_SECTION']]],
    'ExtendedInfo' : [ 0x0, ['pointer', ['_MMEXTEND_INFO']]],
} ],
  '_MMVAD_LONG' : [ 0x3c, {
    'u1' : [ 0x0, ['__unnamed_149d']],
    'LeftChild' : [ 0x4, ['pointer', ['_MMVAD']]],
    'RightChild' : [ 0x8, ['pointer', ['_MMVAD']]],
    'StartingVpn' : [ 0xc, ['unsigned long']],
    'EndingVpn' : [ 0x10, ['unsigned long']],
    'u' : [ 0x14, ['__unnamed_14a0']],
    'PushLock' : [ 0x18, ['_EX_PUSH_LOCK']],
    'u5' : [ 0x1c, ['__unnamed_14a3']],
    'u2' : [ 0x20, ['__unnamed_14ac']],
    'Subsection' : [ 0x24, ['pointer', ['_SUBSECTION']]],
    'FirstPrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]],
    'LastContiguousPte' : [ 0x2c, ['pointer', ['_MMPTE']]],
    'u3' : [ 0x30, ['__unnamed_19c6']],
    'u4' : [ 0x38, ['__unnamed_19cc']],
} ],
  '_MMWSLE_FREE_ENTRY' : [ 0x4, {
    'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'PreviousFree' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 12, native_type='unsigned long')]],
    'NextFree' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]],
} ],
  '_NT_TIB' : [ 0x1c, {
    'ExceptionList' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]],
    'StackBase' : [ 0x4, ['pointer', ['void']]],
    'StackLimit' : [ 0x8, ['pointer', ['void']]],
    'SubSystemTib' : [ 0xc, ['pointer', ['void']]],
    'FiberData' : [ 0x10, ['pointer', ['void']]],
    'Version' : [ 0x10, ['unsigned long']],
    'ArbitraryUserPointer' : [ 0x14, ['pointer', ['void']]],
    'Self' : [ 0x18, ['pointer', ['_NT_TIB']]],
} ],
  '_EJOB' : [ 0x128, {
    'Event' : [ 0x0, ['_KEVENT']],
    'JobLinks' : [ 0x10, ['_LIST_ENTRY']],
    'ProcessListHead' : [ 0x18, ['_LIST_ENTRY']],
    'JobLock' : [ 0x20, ['_ERESOURCE']],
    'TotalUserTime' : [ 0x58, ['_LARGE_INTEGER']],
    'TotalKernelTime' : [ 0x60, ['_LARGE_INTEGER']],
    'ThisPeriodTotalUserTime' : [ 0x68, ['_LARGE_INTEGER']],
    'ThisPeriodTotalKernelTime' : [ 0x70, ['_LARGE_INTEGER']],
    'TotalPageFaultCount' : [ 0x78, ['unsigned long']],
    'TotalProcesses' : [ 0x7c, ['unsigned long']],
    'ActiveProcesses' : [ 0x80, ['unsigned long']],
    'TotalTerminatedProcesses' : [ 0x84, ['unsigned long']],
    'PerProcessUserTimeLimit' : [ 0x88, ['_LARGE_INTEGER']],
    'PerJobUserTimeLimit' : [ 0x90, ['_LARGE_INTEGER']],
    'LimitFlags' : [ 0x98, ['unsigned long']],
    'MinimumWorkingSetSize' : [ 0x9c, ['unsigned long']],
    'MaximumWorkingSetSize' : [ 0xa0, ['unsigned long']],
    'ActiveProcessLimit' : [ 0xa4, ['unsigned long']],
    'Affinity' : [ 0xa8, ['unsigned long']],
    'PriorityClass' : [ 0xac, ['unsigned char']],
    'AccessState' : [ 0xb0, ['pointer', ['_JOB_ACCESS_STATE']]],
    'UIRestrictionsClass' : [ 0xb4, ['unsigned long']],
    'EndOfJobTimeAction' : [ 0xb8, ['unsigned long']],
    'CompletionPort' : [ 0xbc, ['pointer', ['void']]],
    'CompletionKey' : [ 0xc0, ['pointer', ['void']]],
    'SessionId' : [ 0xc4, ['unsigned long']],
    'SchedulingClass' : [ 0xc8, ['unsigned long']],
    'ReadOperationCount' : [ 0xd0, ['unsigned long long']],
    'WriteOperationCount' : [ 0xd8, ['unsigned long long']],
    'OtherOperationCount' : [ 0xe0, ['unsigned long long']],
    'ReadTransferCount' : [ 0xe8, ['unsigned long long']],
    'WriteTransferCount' : [ 0xf0, ['unsigned long long']],
    'OtherTransferCount' : [ 0xf8, ['unsigned long long']],
    'ProcessMemoryLimit' : [ 0x100, ['unsigned long']],
    'JobMemoryLimit' : [ 0x104, ['unsigned long']],
    'PeakProcessMemoryUsed' : [ 0x108, ['unsigned long']],
    'PeakJobMemoryUsed' : [ 0x10c, ['unsigned long']],
    'CurrentJobMemoryUsed' : [ 0x110, ['unsigned long']],
    'MemoryLimitsLock' : [ 0x114, ['_EX_PUSH_LOCK']],
    'JobSetLinks' : [ 0x118, ['_LIST_ENTRY']],
    'MemberLevel' : [ 0x120, ['unsigned long']],
    'JobFlags' : [ 0x124, ['unsigned long']],
} ],
  '__unnamed_19dc' : [ 0x4, {
    'AsULONG' : [ 0x0, ['unsigned long']],
    'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'Hypervisor' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]],
    'HvMaxCState' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]],
    'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]],
} ],
  '_PPM_IDLE_STATES' : [ 0x3c, {
    'Type' : [ 0x0, ['unsigned long']],
    'Count' : [ 0x4, ['unsigned long']],
    'Flags' : [ 0x8, ['__unnamed_19dc']],
    'TargetState' : [ 0xc, ['unsigned long']],
    'ActualState' : [ 0x10, ['unsigned long']],
    'OldState' : [ 0x14, ['unsigned long']],
    'TargetProcessors' : [ 0x18, ['unsigned long']],
    'State' : [ 0x1c, ['array', 1, ['_PPM_IDLE_STATE']]],
} ],
  '_PEB' : [ 0x238, {
    'InheritedAddressSpace' : [ 0x0, ['unsigned char']],
    'ReadImageFileExecOptions' : [ 0x1, ['unsigned char']],
    'BeingDebugged' : [ 0x2, ['unsigned char']],
    'BitField' : [ 0x3, ['unsigned char']],
    'ImageUsesLargePages' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]],
    'IsProtectedProcess' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]],
    'IsLegacyProcess' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]],
    'IsImageDynamicallyRelocated' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]],
    'SkipPatchingUser32Forwarders' : [ 0x3, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]],
    'SpareBits' : [ 0x3, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]],
    'Mutant' : [ 0x4, ['pointer', ['void']]],
    'ImageBaseAddress' : [ 0x8, ['pointer', ['void']]],
    'Ldr' : [ 0xc, ['pointer', ['_PEB_LDR_DATA']]],
    'ProcessParameters' : [ 0x10, ['pointer', ['_RTL_USER_PROCESS_PARAMETERS']]],
    'SubSystemData' : [ 0x14, ['pointer', ['void']]],
    'ProcessHeap' : [ 0x18, ['pointer', ['void']]],
    'FastPebLock' : [ 0x1c, ['pointer', ['_RTL_CRITICAL_SECTION']]],
    'AtlThunkSListPtr' : [ 0x20, ['pointer', ['void']]],
    'IFEOKey' : [ 0x24, ['pointer', ['void']]],
    'CrossProcessFlags' : [ 0x28, ['unsigned long']],
    'ProcessInJob' : [ 0x28, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'ProcessInitializing' : [ 0x28, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'ProcessUsingVEH' : [ 0x28, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]],
    'ProcessUsingVCH' : [ 0x28, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]],
    'ReservedBits0' : [ 0x28, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]],
    'KernelCallbackTable' : [ 0x2c, ['pointer', ['void']]],
    'UserSharedInfoPtr' : [ 0x2c, ['pointer', ['void']]],
    'SystemReserved' : [ 0x30, ['array', 1, ['unsigned long']]],
    'SpareUlong' : [ 0x34, ['unsigned long']],
    'SparePebPtr0' : [ 0x38, ['unsigned long']],
    'TlsExpansionCounter' : [ 0x3c, ['unsigned long']],
    'TlsBitmap' : [ 0x40, ['pointer', ['void']]],
    'TlsBitmapBits' : [ 0x44, ['array', 2, ['unsigned long']]],
    'ReadOnlySharedMemoryBase' : [ 0x4c, ['pointer', ['void']]],
    'HotpatchInformation' : [ 0x50, ['pointer', ['void']]],
    'ReadOnlyStaticServerData' : [ 0x54, ['pointer', ['pointer', ['void']]]],
    'AnsiCodePageData' : [ 0x58, ['pointer', ['void']]],
    'OemCodePageData' : [ 0x5c, ['pointer', ['void']]],
    'UnicodeCaseTableData' : [ 0x60, ['pointer', ['void']]],
    'NumberOfProcessors' : [ 0x64, ['unsigned long']],
    'NtGlobalFlag' : [ 0x68, ['unsigned long']],
    'CriticalSectionTimeout' : [ 0x70, ['_LARGE_INTEGER']],
    'HeapSegmentReserve' : [ 0x78, ['unsigned long']],
    'HeapSegmentCommit' : [ 0x7c, ['unsigned long']],
    'HeapDeCommitTotalFreeThreshold' : [ 0x80, ['unsigned long']],
    'HeapDeCommitFreeBlockThreshold' : [ 0x84, ['unsigned long']],
    'NumberOfHeaps' : [ 0x88, ['unsigned long']],
    'MaximumNumberOfHeaps' : [ 0x8c, ['unsigned long']],
    'ProcessHeaps' : [ 0x90, ['pointer', ['pointer', ['void']]]],
    'GdiSharedHandleTable' : [ 0x94, ['pointer', ['void']]],
    'ProcessStarterHelper' : [ 0x98, ['pointer', ['void']]],
    'GdiDCAttributeList' : [ 0x9c, ['unsigned long']],
    'LoaderLock' : [ 0xa0, ['pointer', ['_RTL_CRITICAL_SECTION']]],
    'OSMajorVersion' : [ 0xa4, ['unsigned long']],
    'OSMinorVersion' : [ 0xa8, ['unsigned long']],
    'OSBuildNumber' : [ 0xac, ['unsigned short']],
    'OSCSDVersion' : [ 0xae, ['unsigned short']],
    'OSPlatformId' : [ 0xb0, ['unsigned long']],
    'ImageSubsystem' : [ 0xb4, ['unsigned long']],
    'ImageSubsystemMajorVersion' : [ 0xb8, ['unsigned long']],
    'ImageSubsystemMinorVersion' : [ 0xbc, ['unsigned long']],
    'ActiveProcessAffinityMask' : [ 0xc0, ['unsigned long']],
    'GdiHandleBuffer' : [ 0xc4, ['array', 34, ['unsigned long']]],
    'PostProcessInitRoutine' : [ 0x14c, ['pointer', ['void']]],
    'TlsExpansionBitmap' : [ 0x150, ['pointer', ['void']]],
    'TlsExpansionBitmapBits' : [ 0x154, ['array', 32, ['unsigned long']]],
    'SessionId' : [ 0x1d4, ['unsigned long']],
    'AppCompatFlags' : [ 0x1d8, ['_ULARGE_INTEGER']],
    'AppCompatFlagsUser' : [ 0x1e0, ['_ULARGE_INTEGER']],
    'pShimData' : [ 0x1e8, ['pointer', ['void']]],
    'AppCompatInfo' : [ 0x1ec, ['pointer', ['void']]],
    'CSDVersion' : [ 0x1f0, ['_UNICODE_STRING']],
    'ActivationContextData' : [ 0x1f8, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]],
    'ProcessAssemblyStorageMap' : [ 0x1fc, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]],
    'SystemDefaultActivationContextData' : [ 0x200, ['pointer', ['_ACTIVATION_CONTEXT_DATA']]],
    'SystemAssemblyStorageMap' : [ 0x204, ['pointer', ['_ASSEMBLY_STORAGE_MAP']]],
    'MinimumStackCommit' : [ 0x208, ['unsigned long']],
    'FlsCallback' : [ 0x20c, ['pointer', ['_FLS_CALLBACK_INFO']]],
    'FlsListHead' : [ 0x210, ['_LIST_ENTRY']],
    'FlsBitmap' : [ 0x218, ['pointer', ['void']]],
    'FlsBitmapBits' : [ 0x21c, ['array', 4, ['unsigned long']]],
    'FlsHighIndex' : [ 0x22c, ['unsigned long']],
    'WerRegistrationData' : [ 0x230, ['pointer', ['void']]],
    'WerShipAssertPtr' : [ 0x234, ['pointer', ['void']]],
} ],
  '__unnamed_19f4' : [ 0x10, {
    'EfiInformation' : [ 0x0, ['_EFI_FIRMWARE_INFORMATION']],
    'PcatInformation' : [ 0x0, ['_PCAT_FIRMWARE_INFORMATION']],
} ],
  '_FIRMWARE_INFORMATION_LOADER_BLOCK' : [ 0x14, {
    'FirmwareTypeEfi' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]],
    'u' : [ 0x4, ['__unnamed_19f4']],
} ],
  '_HEAP_UCR_DESCRIPTOR' : [ 0x18, {
    'ListEntry' : [ 0x0, ['_LIST_ENTRY']],
    'SegmentEntry' : [ 0x8, ['_LIST_ENTRY']],
    'Address' : [ 0x10, ['pointer', ['void']]],
    'Size' : [ 0x14, ['unsigned long']],
} ],
  '__unnamed_19fb' : [ 0x4, {
    'BaseMid' : [ 0x0, ['unsigned char']],
    'Flags1' : [ 0x1, ['unsigned char']],
    'Flags2' : [ 0x2, ['unsigned char']],
    'BaseHi' : [ 0x3, ['unsigned char']],
} ],
  '__unnamed_1a01' : [ 0x4, {
    'BaseMid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]],
    'Type' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 13, native_type='unsigned long')]],
    'Dpl' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 15, native_type='unsigned long')]],
    'Pres' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]],
    'LimitHi' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]],
    'Sys' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]],
    'Reserved_0' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]],
    'Default_Big' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]],
    'Granularity' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]],
    'BaseHi' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]],
} ],
  '__unnamed_1a03' : [ 0x4, {
    'Bytes' : [ 0x0, ['__unnamed_19fb']],
    'Bits' : [ 0x0, ['__unnamed_1a01']],
} ],
  '_KGDTENTRY' : [ 0x8, {
    'LimitLow' : [ 0x0, ['unsigned short']],
    'BaseLow' : [ 0x2, ['unsigned short']],
    'HighWord' : [ 0x4, ['__unnamed_1a03']],
} ],
  '_POOL_DESCRIPTOR' : [ 0x1034, {
    'PoolType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]],
    'PoolIndex' : [ 0x4, ['unsigned long']],
    'RunningAllocs' : [ 0x8, ['long']],
    'RunningDeAllocs' : [ 0xc, ['long']],
    'TotalPages' : [ 0x10, ['long']],
    'TotalBigPages' : [ 0x14, ['long']],
    'Threshold' : [ 0x18, ['unsigned long']],
    'LockAddress' : [ 0x1c, ['pointer', ['void']]],
    'PendingFrees' : [ 0x20, ['pointer', ['pointer', ['void']]]],
    'ThreadsProcessingDeferrals' : [ 0x24, ['long']],
    'PendingFreeDepth' : [ 0x28, ['long']],
    'TotalBytes' : [ 0x2c, ['unsigned long']],
    'Spare0' : [ 0x30, ['unsigned long']],
    'ListHeads' : [ 0x34, ['array', 512, ['_LIST_ENTRY']]],
} ],
  '_KGATE' : [ 0x10, {
    'Header' : [ 0x0, ['_DISPATCHER_HEADER']],
} ],
  '_WHEA_ERROR_RECORD_HEADER' : [ 0x80, {
    'Signature' : [ 0x0, ['unsigned long']],
    'Revision' : [ 0x4, ['_WHEA_REVISION']],
    'SignatureEnd' : [ 0x6, ['unsigned long']],
    'SectionCount' : [ 0xa, ['unsigned short']],
    'Severity' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]],
    'ValidBits' : [ 0x10, ['_WHEA_ERROR_RECORD_HEADER_VALIDBITS']],
    'Length' : [ 0x14, ['unsigned long']],
    'Timestamp' : [ 0x18, ['_WHEA_TIMESTAMP']],
    'PlatformId' : [ 0x20, ['_GUID']],
    'PartitionId' : [ 0x30, ['_GUID']],
    'CreatorId' : [ 0x40, ['_GUID']],
    'NotifyType' : [ 0x50, ['_GUID']],
    'RecordId' : [ 0x60, ['unsigned long long']],
    'Flags' : [ 0x68, ['_WHEA_ERROR_RECORD_HEADER_FLAGS']],
    'PersistenceInfo' : [ 0x6c, ['_WHEA_PERSISTENCE_INFO']],
    'Reserved' : [ 0x74, ['array', 12, ['unsigned char']]],
} ],
  '_ALPC_PROCESS_CONTEXT' : [ 0x10, {
    'Lock' : [ 0x0, ['_EX_PUSH_LOCK']],
    'ViewListHead' : [ 0x4, ['_LIST_ENTRY']],
    'PagedPoolQuotaCache' : [ 0xc, ['unsigned long']],
} ],
  '_CM_NOTIFY_BLOCK' : [ 0x2c, {
    'HiveList' : [ 0x0, ['_LIST_ENTRY']],
    'PostList' : [ 0x8, ['_LIST_ENTRY']],
    'KeyControlBlock' : [ 0x10, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]],
    'KeyBody' : [ 0x14, ['pointer', ['_CM_KEY_BODY']]],
    'Filter' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 30, native_type='unsigned long')]],
    'WatchTree' : [ 0x18, ['BitField', dict(start_bit = 30, end_bit = 31, native_type='unsigned long')]],
    'NotifyPending' : [ 0x18, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]],
    'SubjectContext' : [ 0x1c, ['_SECURITY_SUBJECT_CONTEXT']],
} ],
  '_KINTERRUPT' : [ 0x270, {
'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'InterruptListEntry' : [ 0x4, ['_LIST_ENTRY']], 'ServiceRoutine' : [ 0xc, ['pointer', ['void']]], 'MessageServiceRoutine' : [ 0x10, ['pointer', ['void']]], 'MessageIndex' : [ 0x14, ['unsigned long']], 'ServiceContext' : [ 0x18, ['pointer', ['void']]], 'SpinLock' : [ 0x1c, ['unsigned long']], 'TickCount' : [ 0x20, ['unsigned long']], 'ActualLock' : [ 0x24, ['pointer', ['unsigned long']]], 'DispatchAddress' : [ 0x28, ['pointer', ['void']]], 'Vector' : [ 0x2c, ['unsigned long']], 'Irql' : [ 0x30, ['unsigned char']], 'SynchronizeIrql' : [ 0x31, ['unsigned char']], 'FloatingSave' : [ 0x32, ['unsigned char']], 'Connected' : [ 0x33, ['unsigned char']], 'Number' : [ 0x34, ['unsigned char']], 'ShareVector' : [ 0x35, ['unsigned char']], 'Mode' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'LevelSensitive', 1: 'Latched'})]], 'Polarity' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'InterruptPolarityUnknown', 1: 'InterruptActiveHigh', 2: 'InterruptActiveLow'})]], 'ServiceCount' : [ 0x40, ['unsigned long']], 'DispatchCount' : [ 0x44, ['unsigned long']], 'Rsvd1' : [ 0x48, ['unsigned long long']], 'DispatchCode' : [ 0x50, ['array', 135, ['unsigned long']]], } ], '_HANDLE_TABLE_ENTRY' : [ 0x8, { 'Object' : [ 0x0, ['pointer', ['void']]], 'ObAttributes' : [ 0x0, ['unsigned long']], 'InfoTable' : [ 0x0, ['pointer', ['_HANDLE_TABLE_ENTRY_INFO']]], 'Value' : [ 0x0, ['unsigned long']], 'GrantedAccess' : [ 0x4, ['unsigned long']], 'GrantedAccessIndex' : [ 0x4, ['unsigned short']], 'CreatorBackTraceIndex' : [ 0x6, ['unsigned short']], 'NextFreeTableEntry' : [ 0x4, ['long']], } ], '_SID' : [ 0xc, { 'Revision' : [ 0x0, ['unsigned char']], 'SubAuthorityCount' : [ 0x1, ['unsigned char']], 'IdentifierAuthority' : [ 0x2, ['_SID_IDENTIFIER_AUTHORITY']], 'SubAuthority' : [ 0x8, ['array', 1, ['unsigned long']]], } ], '_IMAGE_FILE_HEADER' : [ 0x14, { 'Machine' : [ 0x0, ['unsigned short']], 'NumberOfSections' : [ 
0x2, ['unsigned short']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'PointerToSymbolTable' : [ 0x8, ['unsigned long']], 'NumberOfSymbols' : [ 0xc, ['unsigned long']], 'SizeOfOptionalHeader' : [ 0x10, ['unsigned short']], 'Characteristics' : [ 0x12, ['unsigned short']], } ], '_MMEXTEND_INFO' : [ 0x10, { 'CommittedSize' : [ 0x0, ['unsigned long long']], 'ReferenceCount' : [ 0x8, ['unsigned long']], } ], '_HIVE_LIST_ENTRY' : [ 0x20, { 'FileName' : [ 0x0, ['pointer', ['unsigned short']]], 'BaseName' : [ 0x4, ['pointer', ['unsigned short']]], 'RegRootName' : [ 0x8, ['pointer', ['unsigned short']]], 'CmHive' : [ 0xc, ['pointer', ['_CMHIVE']]], 'HHiveFlags' : [ 0x10, ['unsigned long']], 'CmHiveFlags' : [ 0x14, ['unsigned long']], 'CmHive2' : [ 0x18, ['pointer', ['_CMHIVE']]], 'ThreadFinished' : [ 0x1c, ['unsigned char']], 'ThreadStarted' : [ 0x1d, ['unsigned char']], 'Allocate' : [ 0x1e, ['unsigned char']], 'WinPERequired' : [ 0x1f, ['unsigned char']], } ], '_CONTEXT' : [ 0x2cc, { 'ContextFlags' : [ 0x0, ['unsigned long']], 'Dr0' : [ 0x4, ['unsigned long']], 'Dr1' : [ 0x8, ['unsigned long']], 'Dr2' : [ 0xc, ['unsigned long']], 'Dr3' : [ 0x10, ['unsigned long']], 'Dr6' : [ 0x14, ['unsigned long']], 'Dr7' : [ 0x18, ['unsigned long']], 'FloatSave' : [ 0x1c, ['_FLOATING_SAVE_AREA']], 'SegGs' : [ 0x8c, ['unsigned long']], 'SegFs' : [ 0x90, ['unsigned long']], 'SegEs' : [ 0x94, ['unsigned long']], 'SegDs' : [ 0x98, ['unsigned long']], 'Edi' : [ 0x9c, ['unsigned long']], 'Esi' : [ 0xa0, ['unsigned long']], 'Ebx' : [ 0xa4, ['unsigned long']], 'Edx' : [ 0xa8, ['unsigned long']], 'Ecx' : [ 0xac, ['unsigned long']], 'Eax' : [ 0xb0, ['unsigned long']], 'Ebp' : [ 0xb4, ['unsigned long']], 'Eip' : [ 0xb8, ['unsigned long']], 'SegCs' : [ 0xbc, ['unsigned long']], 'EFlags' : [ 0xc0, ['unsigned long']], 'Esp' : [ 0xc4, ['unsigned long']], 'SegSs' : [ 0xc8, ['unsigned long']], 'ExtendedRegisters' : [ 0xcc, ['array', 512, ['unsigned char']]], } ], '_ALPC_HANDLE_TABLE' : [ 0x10, { 'Flags' 
: [ 0x0, ['unsigned long']], 'Handles' : [ 0x4, ['pointer', ['_ALPC_HANDLE_ENTRY']]], 'TotalHandles' : [ 0x8, ['unsigned long']], 'Lock' : [ 0xc, ['_EX_PUSH_LOCK']], } ], '_MMPTE_HARDWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Dirty1' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Dirty' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'LargePage' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Global' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_IO_COMPLETION_CONTEXT' : [ 0x8, { 'Port' : [ 0x0, ['pointer', ['void']]], 'Key' : [ 0x4, ['pointer', ['void']]], } ], '_IOV_FORCED_PENDING_TRACE' : [ 0x100, { 'Irp' : [ 0x0, ['pointer', ['_IRP']]], 'StackTrace' : [ 0x4, ['array', 63, ['pointer', ['void']]]], } ], '_DBGKD_SET_CONTEXT' : [ 0x4, { 'ContextFlags' : [ 0x0, ['unsigned long']], } ], '_VI_POOL_ENTRY_INUSE' : [ 0x10, { 'VirtualAddress' : [ 0x0, ['pointer', ['void']]], 'CallingAddress' : [ 0x4, ['pointer', ['void']]], 'NumberOfBytes' : [ 0x8, 
['unsigned long']], 'Tag' : [ 0xc, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST' : [ 0x54, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'OwnerProcess' : [ 0x8, ['pointer', ['_EPROCESS']]], 'Mdl' : [ 0xc, ['pointer', ['_MDL']]], 'UserVa' : [ 0x10, ['pointer', ['void']]], 'UserLimit' : [ 0x14, ['pointer', ['void']]], 'DataUserVa' : [ 0x18, ['pointer', ['void']]], 'SystemVa' : [ 0x1c, ['pointer', ['void']]], 'TotalSize' : [ 0x20, ['unsigned long']], 'Header' : [ 0x24, ['pointer', ['_ALPC_COMPLETION_LIST_HEADER']]], 'List' : [ 0x28, ['pointer', ['void']]], 'ListSize' : [ 0x2c, ['unsigned long']], 'Bitmap' : [ 0x30, ['pointer', ['void']]], 'BitmapSize' : [ 0x34, ['unsigned long']], 'Data' : [ 0x38, ['pointer', ['void']]], 'DataSize' : [ 0x3c, ['unsigned long']], 'BitmapLimit' : [ 0x40, ['unsigned long']], 'BitmapNextHint' : [ 0x44, ['unsigned long']], 'ConcurrencyCount' : [ 0x48, ['unsigned long']], 'AttributeFlags' : [ 0x4c, ['unsigned long']], 'AttributeSize' : [ 0x50, ['unsigned long']], } ], '_INTERFACE' : [ 0x10, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, ['pointer', ['void']]], } ], '_ACL' : [ 0x8, { 'AclRevision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'AclSize' : [ 0x2, ['unsigned short']], 'AceCount' : [ 0x4, ['unsigned short']], 'Sbz2' : [ 0x6, ['unsigned short']], } ], '_LAZY_WRITER' : [ 0x58, { 'WorkQueue' : [ 0x0, ['_LIST_ENTRY']], 'ScanDpc' : [ 0x8, ['_KDPC']], 'ScanTimer' : [ 0x28, ['_KTIMER']], 'ScanActive' : [ 0x50, ['unsigned char']], 'OtherWork' : [ 0x51, ['unsigned char']], 'PendingTeardown' : [ 0x52, ['unsigned char']], } ], '_PI_BUS_EXTENSION' : [ 0x44, { 'Flags' : [ 0x0, ['unsigned long']], 'NumberCSNs' : [ 0x4, ['unsigned char']], 'ReadDataPort' : [ 0x8, ['pointer', ['unsigned char']]], 'DataPortMapped' : [ 0xc, ['unsigned char']], 'AddressPort' : [ 0x10, 
['pointer', ['unsigned char']]], 'AddrPortMapped' : [ 0x14, ['unsigned char']], 'CommandPort' : [ 0x18, ['pointer', ['unsigned char']]], 'CmdPortMapped' : [ 0x1c, ['unsigned char']], 'NextSlotNumber' : [ 0x20, ['unsigned long']], 'DeviceList' : [ 0x24, ['_SINGLE_LIST_ENTRY']], 'CardList' : [ 0x28, ['_SINGLE_LIST_ENTRY']], 'PhysicalBusDevice' : [ 0x2c, ['pointer', ['_DEVICE_OBJECT']]], 'FunctionalBusDevice' : [ 0x30, ['pointer', ['_DEVICE_OBJECT']]], 'AttachedDevice' : [ 0x34, ['pointer', ['_DEVICE_OBJECT']]], 'BusNumber' : [ 0x38, ['unsigned long']], 'SystemPowerState' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DevicePowerState' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_DRIVER_OBJECT' : [ 0xa8, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'Flags' : [ 0x8, ['unsigned long']], 'DriverStart' : [ 0xc, ['pointer', ['void']]], 'DriverSize' : [ 0x10, ['unsigned long']], 'DriverSection' : [ 0x14, ['pointer', ['void']]], 'DriverExtension' : [ 0x18, ['pointer', ['_DRIVER_EXTENSION']]], 'DriverName' : [ 0x1c, ['_UNICODE_STRING']], 'HardwareDatabase' : [ 0x24, ['pointer', ['_UNICODE_STRING']]], 'FastIoDispatch' : [ 0x28, ['pointer', ['_FAST_IO_DISPATCH']]], 'DriverInit' : [ 0x2c, ['pointer', ['void']]], 'DriverStartIo' : [ 0x30, ['pointer', ['void']]], 'DriverUnload' : [ 0x34, ['pointer', ['void']]], 'MajorFunction' : [ 0x38, ['array', 28, ['pointer', ['void']]]], } ], '_SID_AND_ATTRIBUTES' : [ 0x8, { 'Sid' : [ 0x0, ['pointer', ['void']]], 'Attributes' : [ 0x4, ['unsigned long']], } ], '_SID_IDENTIFIER_AUTHORITY' : [ 
0x6, { 'Value' : [ 0x0, ['array', 6, ['unsigned char']]], } ], '_CM_RM' : [ 0x58, { 'RmListEntry' : [ 0x0, ['_LIST_ENTRY']], 'TransactionListHead' : [ 0x8, ['_LIST_ENTRY']], 'TmHandle' : [ 0x10, ['pointer', ['void']]], 'Tm' : [ 0x14, ['pointer', ['void']]], 'RmHandle' : [ 0x18, ['pointer', ['void']]], 'KtmRm' : [ 0x1c, ['pointer', ['void']]], 'RefCount' : [ 0x20, ['unsigned long']], 'ContainerNum' : [ 0x24, ['unsigned long']], 'ContainerSize' : [ 0x28, ['unsigned long long']], 'CmHive' : [ 0x30, ['pointer', ['_CMHIVE']]], 'LogFileObject' : [ 0x34, ['pointer', ['void']]], 'MarshallingContext' : [ 0x38, ['pointer', ['void']]], 'RmFlags' : [ 0x3c, ['unsigned long']], 'LogStartStatus1' : [ 0x40, ['long']], 'LogStartStatus2' : [ 0x44, ['long']], 'BaseLsn' : [ 0x48, ['unsigned long long']], 'RmLock' : [ 0x50, ['pointer', ['_ERESOURCE']]], } ], '_MMVAD_FLAGS' : [ 0x4, { 'CommitCharge' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 19, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'VadType' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 23, native_type='unsigned long')]], 'MemCommit' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 29, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 29, end_bit = 31, native_type='unsigned long')]], 'PrivateMemory' : [ 0x0, ['BitField', dict(start_bit = 31, end_bit = 32, native_type='unsigned long')]], } ], '_WHEA_PCIXDEVICE_ERROR' : [ 0x68, { 'ValidBits' : [ 0x0, ['_WHEA_PCIXDEVICE_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'IdInfo' : [ 0x10, ['_WHEA_PCIXDEVICE_ID']], 'MemoryNumber' : [ 0x20, ['unsigned long']], 'IoNumber' : [ 0x24, ['unsigned long']], 'RegisterDataPairs' : [ 0x28, ['array', 4, ['WHEA_PCIXDEVICE_REGISTER_PAIR']]], } ], '_MMWSLE_HASH' : [ 0x4, { 'Index' : [ 0x0, 
['unsigned long']], } ], '__unnamed_1a82' : [ 0x18, { 'CriticalSection' : [ 0x0, ['_RTL_CRITICAL_SECTION']], } ], '_HEAP_LOCK' : [ 0x18, { 'Lock' : [ 0x0, ['__unnamed_1a82']], } ], '_DBGKD_FILL_MEMORY' : [ 0x10, { 'Address' : [ 0x0, ['unsigned long long']], 'Length' : [ 0x8, ['unsigned long']], 'Flags' : [ 0xc, ['unsigned short']], 'PatternLength' : [ 0xe, ['unsigned short']], } ], '_DRIVER_EXTENSION' : [ 0x1c, { 'DriverObject' : [ 0x0, ['pointer', ['_DRIVER_OBJECT']]], 'AddDevice' : [ 0x4, ['pointer', ['void']]], 'Count' : [ 0x8, ['unsigned long']], 'ServiceKeyName' : [ 0xc, ['_UNICODE_STRING']], 'ClientDriverExtension' : [ 0x14, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'FsFilterCallbacks' : [ 0x18, ['pointer', ['_FS_FILTER_CALLBACKS']]], } ], '_HEAP_STOP_ON_VALUES' : [ 0x18, { 'AllocAddress' : [ 0x0, ['unsigned long']], 'AllocTag' : [ 0x4, ['_HEAP_STOP_ON_TAG']], 'ReAllocAddress' : [ 0x8, ['unsigned long']], 'ReAllocTag' : [ 0xc, ['_HEAP_STOP_ON_TAG']], 'FreeAddress' : [ 0x10, ['unsigned long']], 'FreeTag' : [ 0x14, ['_HEAP_STOP_ON_TAG']], } ], '_PP_LOOKASIDE_LIST' : [ 0x8, { 'P' : [ 0x0, ['pointer', ['_GENERAL_LOOKASIDE']]], 'L' : [ 0x4, ['pointer', ['_GENERAL_LOOKASIDE']]], } ], '_HEAP_PSEUDO_TAG_ENTRY' : [ 0xc, { 'Allocs' : [ 0x0, ['unsigned long']], 'Frees' : [ 0x4, ['unsigned long']], 'Size' : [ 0x8, ['unsigned long']], } ], '_CALL_HASH_ENTRY' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'CallersAddress' : [ 0x8, ['pointer', ['void']]], 'CallersCaller' : [ 0xc, ['pointer', ['void']]], 'CallCount' : [ 0x10, ['unsigned long']], } ], '_VF_TRACKER_STAMP' : [ 0x8, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'Flags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'OldIrql' : [ 0x5, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'NewIrql' : [ 0x6, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'Processor' : [ 0x7, ['BitField', dict(start_bit = 0, end_bit = 8, 
native_type='unsigned char')]], } ], '_VI_TRACK_IRQL' : [ 0x20, { 'Thread' : [ 0x0, ['pointer', ['void']]], 'OldIrql' : [ 0x4, ['unsigned char']], 'NewIrql' : [ 0x5, ['unsigned char']], 'Processor' : [ 0x6, ['unsigned char']], 'TickCount' : [ 0x8, ['unsigned long']], 'StackTrace' : [ 0xc, ['array', 5, ['pointer', ['void']]]], } ], '_PEB_LDR_DATA' : [ 0x30, { 'Length' : [ 0x0, ['unsigned long']], 'Initialized' : [ 0x4, ['unsigned char']], 'SsHandle' : [ 0x8, ['pointer', ['void']]], 'InLoadOrderModuleList' : [ 0xc, ['_LIST_ENTRY']], 'InMemoryOrderModuleList' : [ 0x14, ['_LIST_ENTRY']], 'InInitializationOrderModuleList' : [ 0x1c, ['_LIST_ENTRY']], 'EntryInProgress' : [ 0x24, ['pointer', ['void']]], 'ShutdownInProgress' : [ 0x28, ['unsigned char']], 'ShutdownThreadId' : [ 0x2c, ['pointer', ['void']]], } ], '_HEAP_STOP_ON_TAG' : [ 0x4, { 'HeapAndTagIndex' : [ 0x0, ['unsigned long']], 'TagIndex' : [ 0x0, ['unsigned short']], 'HeapIndex' : [ 0x2, ['unsigned short']], } ], '_DBGKD_GET_CONTEXT' : [ 0x4, { 'Unused' : [ 0x0, ['unsigned long']], } ], '_TEB_ACTIVE_FRAME_CONTEXT' : [ 0x8, { 'Flags' : [ 0x0, ['unsigned long']], 'FrameName' : [ 0x4, ['pointer', ['unsigned char']]], } ], '_NLS_DATA_BLOCK' : [ 0xc, { 'AnsiCodePageData' : [ 0x0, ['pointer', ['void']]], 'OemCodePageData' : [ 0x4, ['pointer', ['void']]], 'UnicodeCaseTableData' : [ 0x8, ['pointer', ['void']]], } ], '_CM_KEY_CONTROL_BLOCK' : [ 0x90, { 'RefCount' : [ 0x0, ['unsigned long']], 'ExtFlags' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned long')]], 'PrivateAlloc' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Delete' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'DelayedCloseIndex' : [ 0x4, ['BitField', dict(start_bit = 11, end_bit = 22, native_type='unsigned long')]], 'TotalLevels' : [ 0x4, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'KeyHash' : [ 0x8, 
['_CM_KEY_HASH']], 'ConvKey' : [ 0x8, ['unsigned long']], 'NextHash' : [ 0xc, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x10, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0x14, ['unsigned long']], 'ParentKcb' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'NameBlock' : [ 0x1c, ['pointer', ['_CM_NAME_CONTROL_BLOCK']]], 'CachedSecurity' : [ 0x20, ['pointer', ['_CM_KEY_SECURITY_CACHE']]], 'ValueCache' : [ 0x24, ['_CACHED_CHILD_LIST']], 'IndexHint' : [ 0x2c, ['pointer', ['_CM_INDEX_HINT_BLOCK']]], 'HashKey' : [ 0x2c, ['unsigned long']], 'SubKeyCount' : [ 0x2c, ['unsigned long']], 'KeyBodyListHead' : [ 0x30, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x30, ['_LIST_ENTRY']], 'KeyBodyArray' : [ 0x38, ['array', 4, ['pointer', ['_CM_KEY_BODY']]]], 'DelayCloseEntry' : [ 0x48, ['pointer', ['void']]], 'KcbLastWriteTime' : [ 0x50, ['_LARGE_INTEGER']], 'KcbMaxNameLen' : [ 0x58, ['unsigned short']], 'KcbMaxValueNameLen' : [ 0x5a, ['unsigned short']], 'KcbMaxValueDataLen' : [ 0x5c, ['unsigned long']], 'KcbUserFlags' : [ 0x60, ['BitField', dict(start_bit = 0, end_bit = 4, native_type='unsigned long')]], 'KcbVirtControlFlags' : [ 0x60, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned long')]], 'KcbDebug' : [ 0x60, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'Flags' : [ 0x60, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'KCBUoWListHead' : [ 0x64, ['_LIST_ENTRY']], 'TransKCBOwner' : [ 0x6c, ['pointer', ['_CM_TRANS']]], 'KCBLock' : [ 0x70, ['_CM_INTENT_LOCK']], 'KeyLock' : [ 0x78, ['_CM_INTENT_LOCK']], 'TransValueCache' : [ 0x80, ['_CHILD_LIST']], 'TransValueListOwner' : [ 0x88, ['pointer', ['_CM_TRANS']]], 'FullKCBName' : [ 0x8c, ['pointer', ['_UNICODE_STRING']]], } ], '_MMPTE_SOFTWARE' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 
'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFileHigh' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_CACHE_UNINITIALIZE_EVENT' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_CACHE_UNINITIALIZE_EVENT']]], 'Event' : [ 0x4, ['_KEVENT']], } ], '_SECURITY_TOKEN_AUDIT_DATA' : [ 0xc, { 'Length' : [ 0x0, ['unsigned long']], 'GrantMask' : [ 0x4, ['unsigned long']], 'DenyMask' : [ 0x8, ['unsigned long']], } ], '_CM_RESOURCE_LIST' : [ 0x24, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['array', 1, ['_CM_FULL_RESOURCE_DESCRIPTOR']]], } ], '_POOL_TRACKER_TABLE' : [ 0x1c, { 'Key' : [ 0x0, ['long']], 'NonPagedAllocs' : [ 0x4, ['long']], 'NonPagedFrees' : [ 0x8, ['long']], 'NonPagedBytes' : [ 0xc, ['unsigned long']], 'PagedAllocs' : [ 0x10, ['unsigned long']], 'PagedFrees' : [ 0x14, ['unsigned long']], 'PagedBytes' : [ 0x18, ['unsigned long']], } ], '_MM_SUBSECTION_AVL_TABLE' : [ 0x20, { 'BalancedRoot' : [ 0x0, ['_MMSUBSECTION_NODE']], 'DepthOfTree' : [ 0x18, ['BitField', dict(start_bit = 0, end_bit = 5, native_type='unsigned long')]], 'Unused' : [ 0x18, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned long')]], 'NumberGenericTableElements' : [ 0x18, ['BitField', dict(start_bit = 8, end_bit = 32, native_type='unsigned long')]], 'NodeHint' : [ 0x1c, ['pointer', ['void']]], } ], '_HANDLE_TABLE_ENTRY_INFO' : [ 0x4, { 'AuditMask' : [ 0x0, ['unsigned long']], } ], '_CM_FULL_RESOURCE_DESCRIPTOR' : [ 0x20, { 'InterfaceType' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 
'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'BusNumber' : [ 0x4, ['unsigned long']], 'PartialResourceList' : [ 0x8, ['_CM_PARTIAL_RESOURCE_LIST']], } ], '_POWER_SEQUENCE' : [ 0xc, { 'SequenceD1' : [ 0x0, ['unsigned long']], 'SequenceD2' : [ 0x4, ['unsigned long']], 'SequenceD3' : [ 0x8, ['unsigned long']], } ], '_KSEMAPHORE' : [ 0x14, { 'Header' : [ 0x0, ['_DISPATCHER_HEADER']], 'Limit' : [ 0x10, ['long']], } ], '_OBJECT_REF_STACK_INFO' : [ 0x8, { 'Sequence' : [ 0x0, ['unsigned long']], 'Index' : [ 0x4, ['unsigned short']], 'NumTraces' : [ 0x6, ['unsigned short']], } ], '_DBGKD_READ_WRITE_MSR' : [ 0xc, { 'Msr' : [ 0x0, ['unsigned long']], 'DataValueLow' : [ 0x4, ['unsigned long']], 'DataValueHigh' : [ 0x8, ['unsigned long']], } ], '_MMPFNENTRY' : [ 0x2, { 'PageLocation' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'WriteInProgress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'Modified' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ReadInProgress' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'CacheAttribute' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 8, native_type='unsigned char')]], 'Priority' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned char')]], 'Rom' : [ 0x1, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'InPageError' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'KernelStack' : [ 0x1, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'RemovalRequested' : [ 0x1, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ParityError' : [ 0x1, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], 
'_SEGMENT_OBJECT' : [ 0x28, { 'BaseAddress' : [ 0x0, ['pointer', ['void']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SizeOfSegment' : [ 0x8, ['_LARGE_INTEGER']], 'NonExtendedPtes' : [ 0x10, ['unsigned long']], 'ImageCommitment' : [ 0x14, ['unsigned long']], 'ControlArea' : [ 0x18, ['pointer', ['_CONTROL_AREA']]], 'Subsection' : [ 0x1c, ['pointer', ['_SUBSECTION']]], 'MmSectionFlags' : [ 0x20, ['pointer', ['_MMSECTION_FLAGS']]], 'MmSubSectionFlags' : [ 0x24, ['pointer', ['_MMSUBSECTION_FLAGS']]], } ], '_IMAGE_DOS_HEADER' : [ 0x40, { 'e_magic' : [ 0x0, ['unsigned short']], 'e_cblp' : [ 0x2, ['unsigned short']], 'e_cp' : [ 0x4, ['unsigned short']], 'e_crlc' : [ 0x6, ['unsigned short']], 'e_cparhdr' : [ 0x8, ['unsigned short']], 'e_minalloc' : [ 0xa, ['unsigned short']], 'e_maxalloc' : [ 0xc, ['unsigned short']], 'e_ss' : [ 0xe, ['unsigned short']], 'e_sp' : [ 0x10, ['unsigned short']], 'e_csum' : [ 0x12, ['unsigned short']], 'e_ip' : [ 0x14, ['unsigned short']], 'e_cs' : [ 0x16, ['unsigned short']], 'e_lfarlc' : [ 0x18, ['unsigned short']], 'e_ovno' : [ 0x1a, ['unsigned short']], 'e_res' : [ 0x1c, ['array', 4, ['unsigned short']]], 'e_oemid' : [ 0x24, ['unsigned short']], 'e_oeminfo' : [ 0x26, ['unsigned short']], 'e_res2' : [ 0x28, ['array', 10, ['unsigned short']]], 'e_lfanew' : [ 0x3c, ['long']], } ], '_KTSS' : [ 0x20ac, { 'Backlink' : [ 0x0, ['unsigned short']], 'Reserved0' : [ 0x2, ['unsigned short']], 'Esp0' : [ 0x4, ['unsigned long']], 'Ss0' : [ 0x8, ['unsigned short']], 'Reserved1' : [ 0xa, ['unsigned short']], 'NotUsed1' : [ 0xc, ['array', 4, ['unsigned long']]], 'CR3' : [ 0x1c, ['unsigned long']], 'Eip' : [ 0x20, ['unsigned long']], 'EFlags' : [ 0x24, ['unsigned long']], 'Eax' : [ 0x28, ['unsigned long']], 'Ecx' : [ 0x2c, ['unsigned long']], 'Edx' : [ 0x30, ['unsigned long']], 'Ebx' : [ 0x34, ['unsigned long']], 'Esp' : [ 0x38, ['unsigned long']], 'Ebp' : [ 0x3c, ['unsigned long']], 'Esi' : [ 0x40, ['unsigned long']], 'Edi' : [ 0x44, ['unsigned 
long']], 'Es' : [ 0x48, ['unsigned short']], 'Reserved2' : [ 0x4a, ['unsigned short']], 'Cs' : [ 0x4c, ['unsigned short']], 'Reserved3' : [ 0x4e, ['unsigned short']], 'Ss' : [ 0x50, ['unsigned short']], 'Reserved4' : [ 0x52, ['unsigned short']], 'Ds' : [ 0x54, ['unsigned short']], 'Reserved5' : [ 0x56, ['unsigned short']], 'Fs' : [ 0x58, ['unsigned short']], 'Reserved6' : [ 0x5a, ['unsigned short']], 'Gs' : [ 0x5c, ['unsigned short']], 'Reserved7' : [ 0x5e, ['unsigned short']], 'LDT' : [ 0x60, ['unsigned short']], 'Reserved8' : [ 0x62, ['unsigned short']], 'Flags' : [ 0x64, ['unsigned short']], 'IoMapBase' : [ 0x66, ['unsigned short']], 'IoMaps' : [ 0x68, ['array', 1, ['_KiIoAccessMap']]], 'IntDirectionMap' : [ 0x208c, ['array', 32, ['unsigned char']]], } ], '_TOKEN_SOURCE' : [ 0x10, { 'SourceName' : [ 0x0, ['array', 8, ['unsigned char']]], 'SourceIdentifier' : [ 0x8, ['_LUID']], } ], '_DBGKD_QUERY_MEMORY' : [ 0x18, { 'Address' : [ 0x0, ['unsigned long long']], 'Reserved' : [ 0x8, ['unsigned long long']], 'AddressSpace' : [ 0x10, ['unsigned long']], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KIDTENTRY' : [ 0x8, { 'Offset' : [ 0x0, ['unsigned short']], 'Selector' : [ 0x2, ['unsigned short']], 'Access' : [ 0x4, ['unsigned short']], 'ExtendedOffset' : [ 0x6, ['unsigned short']], } ], 'CMP_OFFSET_ARRAY' : [ 0xc, { 'FileOffset' : [ 0x0, ['unsigned long']], 'DataBuffer' : [ 0x4, ['pointer', ['void']]], 'DataLength' : [ 0x8, ['unsigned long']], } ], '_MMSUPPORT_FLAGS' : [ 0x4, { 'SessionSpace' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ModwriterAttached' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'TrimHard' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'MaximumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ForceTrim' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, 
native_type='unsigned char')]], 'MinimumWorkingSetHard' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SessionMaster' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'TrimmerAttached' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], 'TrimmerDetaching' : [ 0x1, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Reserved' : [ 0x1, ['BitField', dict(start_bit = 1, end_bit = 4, native_type='unsigned char')]], 'PageStealers' : [ 0x1, ['BitField', dict(start_bit = 4, end_bit = 8, native_type='unsigned char')]], 'MemoryPriority' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned char')]], 'WsleDeleted' : [ 0x3, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'VmExiting' : [ 0x3, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'ExpansionFailed' : [ 0x3, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Available' : [ 0x3, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned char')]], } ], 'PPM_IDLE_ACCOUNTING' : [ 0x48, { 'StateCount' : [ 0x0, ['unsigned long']], 'TotalTransitions' : [ 0x4, ['unsigned long']], 'ResetCount' : [ 0x8, ['unsigned long']], 'StartTime' : [ 0x10, ['unsigned long long']], 'State' : [ 0x18, ['array', 1, ['PPM_IDLE_STATE_ACCOUNTING']]], } ], 'PPM_IDLE_STATE_ACCOUNTING' : [ 0x30, { 'IdleTransitions' : [ 0x0, ['unsigned long']], 'FailedTransitions' : [ 0x4, ['unsigned long']], 'InvalidBucketIndex' : [ 0x8, ['unsigned long']], 'TotalTime' : [ 0x10, ['unsigned long long']], 'IdleTimeBuckets' : [ 0x18, ['array', 6, ['unsigned long']]], } ], '_IMAGE_OPTIONAL_HEADER' : [ 0xe0, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 
0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'ImageBase' : [ 0x1c, ['unsigned long']], 'SectionAlignment' : [ 0x20, ['unsigned long']], 'FileAlignment' : [ 0x24, ['unsigned long']], 'MajorOperatingSystemVersion' : [ 0x28, ['unsigned short']], 'MinorOperatingSystemVersion' : [ 0x2a, ['unsigned short']], 'MajorImageVersion' : [ 0x2c, ['unsigned short']], 'MinorImageVersion' : [ 0x2e, ['unsigned short']], 'MajorSubsystemVersion' : [ 0x30, ['unsigned short']], 'MinorSubsystemVersion' : [ 0x32, ['unsigned short']], 'Win32VersionValue' : [ 0x34, ['unsigned long']], 'SizeOfImage' : [ 0x38, ['unsigned long']], 'SizeOfHeaders' : [ 0x3c, ['unsigned long']], 'CheckSum' : [ 0x40, ['unsigned long']], 'Subsystem' : [ 0x44, ['unsigned short']], 'DllCharacteristics' : [ 0x46, ['unsigned short']], 'SizeOfStackReserve' : [ 0x48, ['unsigned long']], 'SizeOfStackCommit' : [ 0x4c, ['unsigned long']], 'SizeOfHeapReserve' : [ 0x50, ['unsigned long']], 'SizeOfHeapCommit' : [ 0x54, ['unsigned long']], 'LoaderFlags' : [ 0x58, ['unsigned long']], 'NumberOfRvaAndSizes' : [ 0x5c, ['unsigned long']], 'DataDirectory' : [ 0x60, ['array', 16, ['_IMAGE_DATA_DIRECTORY']]], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE' : [ 0x24, { 'Lock' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], 'ActiveCount' : [ 0x8, ['unsigned long']], 'PendingNullCount' : [ 0xc, ['unsigned long']], 'PendingCheckCompletionListCount' : [ 0x10, ['unsigned long']], 'PendingDelete' : [ 0x14, ['unsigned long']], 'FreeListHead' : [ 0x18, ['_SINGLE_LIST_ENTRY']], 'CompletionPort' : [ 0x1c, ['pointer', ['void']]], 'CompletionKey' : [ 0x20, ['pointer', ['void']]], 'Entry' : [ 0x24, ['array', 0, ['_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY']]], } ], '_KSYSTEM_TIME' : [ 0xc, { 'LowPart' : [ 0x0, ['unsigned long']], 'High1Time' : [ 0x4, ['long']], 'High2Time' 
: [ 0x8, ['long']], } ], '_TERMINATION_PORT' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_TERMINATION_PORT']]], 'Port' : [ 0x4, ['pointer', ['void']]], } ], '_MEMORY_ALLOCATION_DESCRIPTOR' : [ 0x14, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'MemoryType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'LoaderExceptionBlock', 1: 'LoaderSystemBlock', 2: 'LoaderFree', 3: 'LoaderBad', 4: 'LoaderLoadedProgram', 5: 'LoaderFirmwareTemporary', 6: 'LoaderFirmwarePermanent', 7: 'LoaderOsloaderHeap', 8: 'LoaderOsloaderStack', 9: 'LoaderSystemCode', 10: 'LoaderHalCode', 11: 'LoaderBootDriver', 12: 'LoaderConsoleInDriver', 13: 'LoaderConsoleOutDriver', 14: 'LoaderStartupDpcStack', 15: 'LoaderStartupKernelStack', 16: 'LoaderStartupPanicStack', 17: 'LoaderStartupPcrPage', 18: 'LoaderStartupPdrPage', 19: 'LoaderRegistryData', 20: 'LoaderMemoryData', 21: 'LoaderNlsData', 22: 'LoaderSpecialMemory', 23: 'LoaderBBTMemory', 24: 'LoaderReserve', 25: 'LoaderXIPRom', 26: 'LoaderHALCachedMemory', 27: 'LoaderLargePageFiller', 28: 'LoaderErrorLogMemory', 29: 'LoaderMaximum'})]], 'BasePage' : [ 0xc, ['unsigned long']], 'PageCount' : [ 0x10, ['unsigned long']], } ], '_CM_INTENT_LOCK' : [ 0x8, { 'OwnerCount' : [ 0x0, ['unsigned long']], 'OwnerTable' : [ 0x4, ['pointer', ['pointer', ['_CM_KCB_UOW']]]], } ], '_THERMAL_INFORMATION' : [ 0x4c, { 'ThermalStamp' : [ 0x0, ['unsigned long']], 'ThermalConstant1' : [ 0x4, ['unsigned long']], 'ThermalConstant2' : [ 0x8, ['unsigned long']], 'Processors' : [ 0xc, ['unsigned long']], 'SamplingPeriod' : [ 0x10, ['unsigned long']], 'CurrentTemperature' : [ 0x14, ['unsigned long']], 'PassiveTripPoint' : [ 0x18, ['unsigned long']], 'CriticalTripPoint' : [ 0x1c, ['unsigned long']], 'ActiveTripPointCount' : [ 0x20, ['unsigned char']], 'ActiveTripPoint' : [ 0x24, ['array', 10, ['unsigned long']]], } ], '_MAPPED_FILE_SEGMENT' : [ 0x28, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 
0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'LastSubsectionHint' : [ 0x20, ['pointer', ['_MSUBSECTION']]], } ], '_GDI_TEB_BATCH' : [ 0x4e0, { 'Offset' : [ 0x0, ['unsigned long']], 'HDC' : [ 0x4, ['unsigned long']], 'Buffer' : [ 0x8, ['array', 310, ['unsigned long']]], } ], '_VI_FAULT_TRACE' : [ 0x24, { 'Thread' : [ 0x0, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0x4, ['array', 8, ['pointer', ['void']]]], } ], '_WHEA_PCIXBUS_ERROR' : [ 0x48, { 'ValidBits' : [ 0x0, ['_WHEA_PCIXBUS_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'ErrorType' : [ 0x10, ['unsigned short']], 'BusId' : [ 0x12, ['_WHEA_PCIXBUS_ID']], 'Reserved' : [ 0x14, ['unsigned long']], 'BusAddress' : [ 0x18, ['unsigned long long']], 'BusData' : [ 0x20, ['unsigned long long']], 'BusCommand' : [ 0x28, ['_WHEA_PCIXBUS_COMMAND']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'CompleterId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], } ], '_DBGKD_CONTINUE2' : [ 0x20, { 'ContinueStatus' : [ 0x0, ['long']], 'ControlSet' : [ 0x4, ['_X86_DBGKD_CONTROL_SET']], 'AnyControlSet' : [ 0x4, ['_DBGKD_ANY_CONTROL_SET']], } ], '_SECURITY_TOKEN_PROXY_DATA' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'ProxyClass' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ProxyFull', 1: 'ProxyService', 2: 'ProxyTree', 3: 'ProxyDirectory'})]], 'PathInfo' : [ 0x8, ['_UNICODE_STRING']], 'ContainerMask' : [ 0x10, ['unsigned long']], 'ObjectMask' : [ 0x14, ['unsigned long']], } ], '_OBJECT_HANDLE_COUNT_DATABASE' : [ 0xc, { 'CountEntries' : [ 0x0, ['unsigned long']], 'HandleCountEntries' : [ 0x4, ['array', 1, ['_OBJECT_HANDLE_COUNT_ENTRY']]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR' : [ 0x48, { 'SectionOffset' : [ 0x0, 
['unsigned long']], 'SectionLength' : [ 0x4, ['unsigned long']], 'Revision' : [ 0x8, ['_WHEA_REVISION']], 'ValidBits' : [ 0xa, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS']], 'Reserved' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS']], 'SectionType' : [ 0x10, ['_GUID']], 'FRUId' : [ 0x20, ['_GUID']], 'SectionSeverity' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'WheaErrSevRecoverable', 1: 'WheaErrSevFatal', 2: 'WheaErrSevCorrected', 3: 'WheaErrSevNone'})]], 'FRUText' : [ 0x34, ['array', 20, ['unsigned char']]], } ], '_OWNER_ENTRY' : [ 0x8, { 'OwnerThread' : [ 0x0, ['unsigned long']], 'OwnerCount' : [ 0x4, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], } ], '_MI_SECTION_CREATION_GATE' : [ 0x14, { 'Next' : [ 0x0, ['pointer', ['_MI_SECTION_CREATION_GATE']]], 'Gate' : [ 0x4, ['_KGATE']], } ], '_ETIMER' : [ 0x98, { 'KeTimer' : [ 0x0, ['_KTIMER']], 'TimerApc' : [ 0x28, ['_KAPC']], 'TimerDpc' : [ 0x58, ['_KDPC']], 'ActiveTimerListEntry' : [ 0x78, ['_LIST_ENTRY']], 'Lock' : [ 0x80, ['unsigned long']], 'Period' : [ 0x84, ['long']], 'ApcAssociated' : [ 0x88, ['unsigned char']], 'WakeTimer' : [ 0x89, ['unsigned char']], 'WakeTimerListEntry' : [ 0x8c, ['_LIST_ENTRY']], } ], '_FREE_DISPLAY' : [ 0xc, { 'RealVectorSize' : [ 0x0, ['unsigned long']], 'Display' : [ 0x4, ['_RTL_BITMAP']], } ], '_POOL_BLOCK_HEAD' : [ 0x10, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'List' : [ 0x8, ['_LIST_ENTRY']], } ], '_WHEA_PCIXBUS_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'BusId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'BusAddress' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'BusData' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 
5, native_type='unsigned long long')]], 'BusCommand' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'CompleterId' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '__unnamed_1b68' : [ 0x4, { 'Flags' : [ 0x0, ['_MMSECURE_FLAGS']], 'StartVa' : [ 0x0, ['pointer', ['void']]], } ], '_MMADDRESS_LIST' : [ 0x8, { 'u1' : [ 0x0, ['__unnamed_1b68']], 'EndVa' : [ 0x4, ['pointer', ['void']]], } ], '_FNSAVE_FORMAT' : [ 0x6c, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], } ], '_ARBITER_INSTANCE' : [ 0x5ec, { 'Signature' : [ 0x0, ['unsigned long']], 'MutexEvent' : [ 0x4, ['pointer', ['_KEVENT']]], 'Name' : [ 0x8, ['pointer', ['unsigned short']]], 'OrderingName' : [ 0xc, ['pointer', ['unsigned short']]], 'ResourceType' : [ 0x10, ['long']], 'Allocation' : [ 0x14, ['pointer', ['_RTL_RANGE_LIST']]], 'PossibleAllocation' : [ 0x18, ['pointer', ['_RTL_RANGE_LIST']]], 'OrderingList' : [ 0x1c, ['_ARBITER_ORDERING_LIST']], 'ReservedList' : [ 0x24, ['_ARBITER_ORDERING_LIST']], 'ReferenceCount' : [ 0x2c, ['long']], 'Interface' : [ 0x30, ['pointer', ['_ARBITER_INTERFACE']]], 'AllocationStackMaxSize' : [ 0x34, ['unsigned long']], 'AllocationStack' : [ 0x38, ['pointer', ['_ARBITER_ALLOCATION_STATE']]], 'UnpackRequirement' : [ 0x3c, 
['pointer', ['void']]], 'PackResource' : [ 0x40, ['pointer', ['void']]], 'UnpackResource' : [ 0x44, ['pointer', ['void']]], 'ScoreRequirement' : [ 0x48, ['pointer', ['void']]], 'TestAllocation' : [ 0x4c, ['pointer', ['void']]], 'RetestAllocation' : [ 0x50, ['pointer', ['void']]], 'CommitAllocation' : [ 0x54, ['pointer', ['void']]], 'RollbackAllocation' : [ 0x58, ['pointer', ['void']]], 'BootAllocation' : [ 0x5c, ['pointer', ['void']]], 'QueryArbitrate' : [ 0x60, ['pointer', ['void']]], 'QueryConflict' : [ 0x64, ['pointer', ['void']]], 'AddReserved' : [ 0x68, ['pointer', ['void']]], 'StartArbiter' : [ 0x6c, ['pointer', ['void']]], 'PreprocessEntry' : [ 0x70, ['pointer', ['void']]], 'AllocateEntry' : [ 0x74, ['pointer', ['void']]], 'GetNextAllocationRange' : [ 0x78, ['pointer', ['void']]], 'FindSuitableRange' : [ 0x7c, ['pointer', ['void']]], 'AddAllocation' : [ 0x80, ['pointer', ['void']]], 'BacktrackAllocation' : [ 0x84, ['pointer', ['void']]], 'OverrideConflict' : [ 0x88, ['pointer', ['void']]], 'InitializeRangeList' : [ 0x8c, ['pointer', ['void']]], 'TransactionInProgress' : [ 0x90, ['unsigned char']], 'TransactionEvent' : [ 0x94, ['pointer', ['_KEVENT']]], 'Extension' : [ 0x98, ['pointer', ['void']]], 'BusDeviceObject' : [ 0x9c, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictCallbackContext' : [ 0xa0, ['pointer', ['void']]], 'ConflictCallback' : [ 0xa4, ['pointer', ['void']]], 'PdoDescriptionString' : [ 0xa8, ['array', 336, ['wchar']]], 'PdoSymbolicNameString' : [ 0x348, ['array', 672, ['unsigned char']]], 'PdoAddressString' : [ 0x5e8, ['array', 1, ['wchar']]], } ], '_KDEVICE_QUEUE_ENTRY' : [ 0x10, { 'DeviceListEntry' : [ 0x0, ['_LIST_ENTRY']], 'SortKey' : [ 0x8, ['unsigned long']], 'Inserted' : [ 0xc, ['unsigned char']], } ], '_HMAP_TABLE' : [ 0x2000, { 'Table' : [ 0x0, ['array', 512, ['_HMAP_ENTRY']]], } ], '_WHEA_MEMORY_ERROR' : [ 0x49, { 'ValidBits' : [ 0x0, ['_WHEA_MEMORY_ERROR_VALIDBITS']], 'ErrorStatus' : [ 0x8, ['_WHEA_ERROR_STATUS']], 'PhysicalAddress' : [ 
0x10, ['unsigned long long']], 'PhysicalAddressMask' : [ 0x18, ['unsigned long long']], 'Node' : [ 0x20, ['unsigned short']], 'Card' : [ 0x22, ['unsigned short']], 'Module' : [ 0x24, ['unsigned short']], 'Bank' : [ 0x26, ['unsigned short']], 'Device' : [ 0x28, ['unsigned short']], 'Row' : [ 0x2a, ['unsigned short']], 'Column' : [ 0x2c, ['unsigned short']], 'BitPosition' : [ 0x2e, ['unsigned short']], 'RequesterId' : [ 0x30, ['unsigned long long']], 'ResponderId' : [ 0x38, ['unsigned long long']], 'TargetId' : [ 0x40, ['unsigned long long']], 'ErrorType' : [ 0x48, ['unsigned char']], } ], '_IMAGE_DATA_DIRECTORY' : [ 0x8, { 'VirtualAddress' : [ 0x0, ['unsigned long']], 'Size' : [ 0x4, ['unsigned long']], } ], '_DEVICE_CAPABILITIES' : [ 0x40, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'DeviceD1' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DeviceD2' : [ 0x4, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockSupported' : [ 0x4, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'EjectSupported' : [ 0x4, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Removable' : [ 0x4, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DockDevice' : [ 0x4, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'UniqueID' : [ 0x4, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SilentInstall' : [ 0x4, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'RawDeviceOK' : [ 0x4, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'SurpriseRemovalOK' : [ 0x4, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'WakeFromD0' : [ 0x4, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'WakeFromD1' : [ 0x4, ['BitField', dict(start_bit = 11, 
end_bit = 12, native_type='unsigned long')]], 'WakeFromD2' : [ 0x4, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'WakeFromD3' : [ 0x4, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'HardwareDisabled' : [ 0x4, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NonDynamic' : [ 0x4, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'WarmEjectSupported' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'NoDisplayInUI' : [ 0x4, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'Reserved' : [ 0x4, ['BitField', dict(start_bit = 18, end_bit = 32, native_type='unsigned long')]], 'Address' : [ 0x8, ['unsigned long']], 'UINumber' : [ 0xc, ['unsigned long']], 'DeviceState' : [ 0x10, ['array', -28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]]], 'SystemWake' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceWake' : [ 0x30, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'D1Latency' : [ 0x34, ['unsigned long']], 'D2Latency' : [ 0x38, ['unsigned long']], 'D3Latency' : [ 0x3c, ['unsigned long']], } ], '_KGUARDED_MUTEX' : [ 0x20, { 'Count' : [ 0x0, ['long']], 'Owner' : [ 0x4, ['pointer', ['_KTHREAD']]], 'Contention' : [ 0x8, ['unsigned long']], 'Gate' : [ 0xc, ['_KGATE']], 'KernelApcDisable' : [ 0x1c, ['short']], 'SpecialApcDisable' : [ 0x1e, ['short']], 'CombinedApcDisable' : [ 0x1c, 
['unsigned long']], } ], '_ALPHA_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '__unnamed_1bd4' : [ 0x18, { 'Length' : [ 0x0, ['unsigned long']], 'Alignment' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1bda' : [ 0x14, { 'MinimumVector' : [ 0x0, ['unsigned long']], 'MaximumVector' : [ 0x4, ['unsigned long']], 'AffinityPolicy' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPolicyMachineDefault', 1: 'IrqPolicyAllCloseProcessors', 2: 'IrqPolicyOneCloseProcessor', 3: 'IrqPolicyAllProcessorsInMachine', 4: 'IrqPolicySpecifiedProcessors', 5: 'IrqPolicySpreadMessagesAcrossAllProcessors'})]], 'PriorityPolicy' : [ 0xc, ['Enumeration', dict(target = 'long', choices = {0: 'IrqPriorityUndefined', 1: 'IrqPriorityLow', 2: 'IrqPriorityNormal', 3: 'IrqPriorityHigh'})]], 'TargetedProcessors' : [ 0x10, ['unsigned long']], } ], '__unnamed_1bdc' : [ 0x8, { 'MinimumChannel' : [ 0x0, ['unsigned long']], 'MaximumChannel' : [ 0x4, ['unsigned long']], } ], '__unnamed_1bde' : [ 0xc, { 'Data' : [ 0x0, ['array', 3, ['unsigned long']]], } ], '__unnamed_1be0' : [ 0x10, { 'Length' : [ 0x0, ['unsigned long']], 'MinBusNumber' : [ 0x4, ['unsigned long']], 'MaxBusNumber' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '__unnamed_1be2' : [ 0xc, { 'Priority' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1be4' : [ 0x18, { 'Length40' : [ 0x0, ['unsigned long']], 'Alignment40' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1be6' : [ 0x18, { 'Length48' : [ 0x0, ['unsigned long']], 'Alignment48' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1be8' : [ 0x18, { 'Length64' : [ 0x0, 
['unsigned long']], 'Alignment64' : [ 0x4, ['unsigned long']], 'MinimumAddress' : [ 0x8, ['_LARGE_INTEGER']], 'MaximumAddress' : [ 0x10, ['_LARGE_INTEGER']], } ], '__unnamed_1bea' : [ 0x18, { 'Port' : [ 0x0, ['__unnamed_1bd4']], 'Memory' : [ 0x0, ['__unnamed_1bd4']], 'Interrupt' : [ 0x0, ['__unnamed_1bda']], 'Dma' : [ 0x0, ['__unnamed_1bdc']], 'Generic' : [ 0x0, ['__unnamed_1bd4']], 'DevicePrivate' : [ 0x0, ['__unnamed_1bde']], 'BusNumber' : [ 0x0, ['__unnamed_1be0']], 'ConfigData' : [ 0x0, ['__unnamed_1be2']], 'Memory40' : [ 0x0, ['__unnamed_1be4']], 'Memory48' : [ 0x0, ['__unnamed_1be6']], 'Memory64' : [ 0x0, ['__unnamed_1be8']], } ], '_IO_RESOURCE_DESCRIPTOR' : [ 0x20, { 'Option' : [ 0x0, ['unsigned char']], 'Type' : [ 0x1, ['unsigned char']], 'ShareDisposition' : [ 0x2, ['unsigned char']], 'Spare1' : [ 0x3, ['unsigned char']], 'Flags' : [ 0x4, ['unsigned short']], 'Spare2' : [ 0x6, ['unsigned short']], 'u' : [ 0x8, ['__unnamed_1bea']], } ], '_POP_THERMAL_ZONE' : [ 0xd8, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'State' : [ 0x8, ['unsigned char']], 'Flags' : [ 0x9, ['unsigned char']], 'Mode' : [ 0xa, ['unsigned char']], 'PendingMode' : [ 0xb, ['unsigned char']], 'ActivePoint' : [ 0xc, ['unsigned char']], 'PendingActivePoint' : [ 0xd, ['unsigned char']], 'Throttle' : [ 0x10, ['long']], 'LastTime' : [ 0x18, ['unsigned long long']], 'SampleRate' : [ 0x20, ['unsigned long']], 'LastTemp' : [ 0x24, ['unsigned long']], 'PassiveTimer' : [ 0x28, ['_KTIMER']], 'PassiveDpc' : [ 0x50, ['_KDPC']], 'OverThrottled' : [ 0x70, ['_POP_ACTION_TRIGGER']], 'Irp' : [ 0x80, ['pointer', ['_IRP']]], 'Info' : [ 0x84, ['_THERMAL_INFORMATION_EX']], } ], '_MMPTE_LIST' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OneEntry' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'filler0' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, 
['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'filler1' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'NextEntry' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_VI_POOL_PAGE_HEADER' : [ 0xc, { 'NextPage' : [ 0x0, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'VerifierEntry' : [ 0x4, ['pointer', ['void']]], 'Signature' : [ 0x8, ['unsigned long']], } ], '_HANDLE_TRACE_DEBUG_INFO' : [ 0x80, { 'RefCount' : [ 0x0, ['long']], 'TableSize' : [ 0x4, ['unsigned long']], 'BitMaskFlags' : [ 0x8, ['unsigned long']], 'CloseCompactionLock' : [ 0xc, ['_FAST_MUTEX']], 'CurrentStackIndex' : [ 0x2c, ['unsigned long']], 'TraceDb' : [ 0x30, ['array', 1, ['_HANDLE_TRACE_DB_ENTRY']]], } ], '_MDL' : [ 0x1c, { 'Next' : [ 0x0, ['pointer', ['_MDL']]], 'Size' : [ 0x4, ['short']], 'MdlFlags' : [ 0x6, ['short']], 'Process' : [ 0x8, ['pointer', ['_EPROCESS']]], 'MappedSystemVa' : [ 0xc, ['pointer', ['void']]], 'StartVa' : [ 0x10, ['pointer', ['void']]], 'ByteCount' : [ 0x14, ['unsigned long']], 'ByteOffset' : [ 0x18, ['unsigned long']], } ], '_WHEA_PCIXBUS_COMMAND' : [ 0x8, { 'Command' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 56, native_type='unsigned long long')]], 'PCIXCommand' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 57, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 57, end_bit = 64, native_type='unsigned long long')]], 'AsULONGLONG' : [ 0x0, ['unsigned long long']], } ], '_CM_TRANS' : [ 0x68, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBUoWListHead' : [ 0x8, ['_LIST_ENTRY']], 'LazyCommitListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KtmTrans' : [ 0x18, ['pointer', ['void']]], 'CmRm' : [ 0x1c, ['pointer', ['_CM_RM']]], 'KtmEnlistmentObject' : [ 0x20, ['pointer', ['_KENLISTMENT']]], 'KtmEnlistmentHandle' : [ 0x24, ['pointer', ['void']]], 'KtmUow' : [ 0x28, ['_GUID']], 'StartLsn' : [ 0x38,
['unsigned long long']], 'TransState' : [ 0x40, ['unsigned long']], 'HiveCount' : [ 0x44, ['unsigned long']], 'HiveArray' : [ 0x48, ['array', 8, ['pointer', ['_CMHIVE']]]], } ], '_WHEA_ERROR_RECORD_HEADER_VALIDBITS' : [ 0x4, { 'Timestamp' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PlatformId' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'PartitionId' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_CM_PARTIAL_RESOURCE_LIST' : [ 0x18, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'PartialDescriptors' : [ 0x8, ['array', 1, ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_RTL_RANGE_LIST' : [ 0x14, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], 'Count' : [ 0xc, ['unsigned long']], 'Stamp' : [ 0x10, ['unsigned long']], } ], '_OBJECT_CREATE_INFORMATION' : [ 0x30, { 'Attributes' : [ 0x0, ['unsigned long']], 'RootDirectory' : [ 0x4, ['pointer', ['void']]], 'ParseContext' : [ 0x8, ['pointer', ['void']]], 'ProbeMode' : [ 0xc, ['unsigned char']], 'PagedPoolCharge' : [ 0x10, ['unsigned long']], 'NonPagedPoolCharge' : [ 0x14, ['unsigned long']], 'SecurityDescriptorCharge' : [ 0x18, ['unsigned long']], 'SecurityDescriptor' : [ 0x1c, ['pointer', ['void']]], 'SecurityQos' : [ 0x20, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'SecurityQualityOfService' : [ 0x24, ['_SECURITY_QUALITY_OF_SERVICE']], } ], '_POOL_HACKER' : [ 0x28, { 'Header' : [ 0x0, ['_POOL_HEADER']], 'Contents' : [ 0x8, ['array', 8, ['unsigned long']]], } ], '_SECTION_OBJECT_POINTERS' : [ 0xc, { 'DataSectionObject' : [ 0x0, ['pointer', ['void']]], 'SharedCacheMap' : [ 0x4, ['pointer', ['void']]], 'ImageSectionObject' : [ 0x8, ['pointer', ['void']]], } ], 
'_VF_BTS_DATA_MANAGEMENT_AREA' : [ 0x34, { 'BTSBufferBase' : [ 0x0, ['pointer', ['void']]], 'BTSIndex' : [ 0x4, ['pointer', ['void']]], 'BTSMax' : [ 0x8, ['pointer', ['void']]], 'BTSInterruptThreshold' : [ 0xc, ['pointer', ['void']]], 'PEBSBufferBase' : [ 0x10, ['pointer', ['void']]], 'PEBSIndex' : [ 0x14, ['pointer', ['void']]], 'PEBSMax' : [ 0x18, ['pointer', ['void']]], 'PEBSInterruptThreshold' : [ 0x1c, ['pointer', ['void']]], 'PEBSCounterReset' : [ 0x20, ['array', 2, ['pointer', ['void']]]], 'Reserved' : [ 0x28, ['array', 12, ['unsigned char']]], } ], '_FLOATING_SAVE_AREA' : [ 0x70, { 'ControlWord' : [ 0x0, ['unsigned long']], 'StatusWord' : [ 0x4, ['unsigned long']], 'TagWord' : [ 0x8, ['unsigned long']], 'ErrorOffset' : [ 0xc, ['unsigned long']], 'ErrorSelector' : [ 0x10, ['unsigned long']], 'DataOffset' : [ 0x14, ['unsigned long']], 'DataSelector' : [ 0x18, ['unsigned long']], 'RegisterArea' : [ 0x1c, ['array', 80, ['unsigned char']]], 'Cr0NpxState' : [ 0x6c, ['unsigned long']], } ], '_SEP_AUDIT_POLICY' : [ 0x1c, { 'AdtTokenPolicy' : [ 0x0, ['_TOKEN_AUDIT_POLICY']], 'PolicySetStatus' : [ 0x1b, ['unsigned char']], } ], '_MMPTE_TIMESTAMP' : [ 0x4, { 'MustBeZero' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PageFileLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'GlobalTimeStamp' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_SID_AND_ATTRIBUTES_HASH' : [ 0x88, { 'SidCount' : [ 0x0, ['unsigned long']], 'SidAttr' : [ 0x4, ['pointer', ['_SID_AND_ATTRIBUTES']]], 'Hash' : [ 0x8, ['array', 32, ['unsigned long']]], } ], '_MBCB' : [ 
0x80, { 'NodeTypeCode' : [ 0x0, ['short']], 'NodeIsInZone' : [ 0x2, ['short']], 'PagesToWrite' : [ 0x4, ['unsigned long']], 'DirtyPages' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], 'BitmapRanges' : [ 0x10, ['_LIST_ENTRY']], 'ResumeWritePage' : [ 0x18, ['long long']], 'BitmapRange1' : [ 0x20, ['_BITMAP_RANGE']], 'BitmapRange2' : [ 0x40, ['_BITMAP_RANGE']], 'BitmapRange3' : [ 0x60, ['_BITMAP_RANGE']], } ], '__unnamed_1c2f' : [ 0x1, { 'AsUCHAR' : [ 0x0, ['unsigned char']], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 3, native_type='unsigned char')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 5, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 8, native_type='unsigned char')]], } ], 'PROCESSOR_PERFSTATE_POLICY' : [ 0x1c, { 'Revision' : [ 0x0, ['unsigned long']], 'MaxThrottle' : [ 0x4, ['unsigned char']], 'MinThrottle' : [ 0x5, ['unsigned char']], 'BusyAdjThreshold' : [ 0x6, ['unsigned char']], 'Spare' : [ 0x7, ['unsigned char']], 'Flags' : [ 0x7, ['__unnamed_1c2f']], 'TimeCheck' : [ 0x8, ['unsigned long']], 'IncreaseTime' : [ 0xc, ['unsigned long']], 'DecreaseTime' : [ 0x10, ['unsigned long']], 'IncreasePercent' : [ 0x14, ['unsigned long']], 'DecreasePercent' : [ 0x18, ['unsigned long']], } ], '_BUS_EXTENSION_LIST' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['void']]], 'BusExtension' : [ 0x4, ['pointer', ['_PI_BUS_EXTENSION']]], } ], '_CACHED_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'ValueList' : [ 0x4, ['unsigned long']], 'RealKcb' : [ 0x4, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], } ], '_KDEVICE_QUEUE' : [ 0x14, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'DeviceListHead' : [ 0x4, ['_LIST_ENTRY']], 'Lock' : [ 0xc, ['unsigned long']], 'Busy' : [ 0x10, ['unsigned char']], } ], '_SYSTEM_POWER_STATE_CONTEXT' : [ 0x4, 
{ 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'TargetSystemState' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 12, native_type='unsigned long')]], 'EffectiveSystemState' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 16, native_type='unsigned long')]], 'CurrentSystemState' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'IgnoreHibernationPath' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'PseudoTransition' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 32, native_type='unsigned long')]], 'ContextAsUlong' : [ 0x0, ['unsigned long']], } ], '_OBJECT_TYPE_INITIALIZER' : [ 0x50, { 'Length' : [ 0x0, ['unsigned short']], 'ObjectTypeFlags' : [ 0x2, ['unsigned char']], 'CaseInsensitive' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'UnnamedObjectsOnly' : [ 0x2, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'UseDefaultObject' : [ 0x2, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'SecurityRequired' : [ 0x2, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'MaintainHandleCount' : [ 0x2, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'MaintainTypeList' : [ 0x2, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'SupportsObjectCallbacks' : [ 0x2, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'ObjectTypeCode' : [ 0x4, ['unsigned long']], 'InvalidAttributes' : [ 0x8, ['unsigned long']], 'GenericMapping' : [ 0xc, ['_GENERIC_MAPPING']], 'ValidAccessMask' : [ 0x1c, ['unsigned long']], 'RetainAccess' : [ 0x20, ['unsigned long']], 'PoolType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 
'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'DefaultPagedPoolCharge' : [ 0x28, ['unsigned long']], 'DefaultNonPagedPoolCharge' : [ 0x2c, ['unsigned long']], 'DumpProcedure' : [ 0x30, ['pointer', ['void']]], 'OpenProcedure' : [ 0x34, ['pointer', ['void']]], 'CloseProcedure' : [ 0x38, ['pointer', ['void']]], 'DeleteProcedure' : [ 0x3c, ['pointer', ['void']]], 'ParseProcedure' : [ 0x40, ['pointer', ['void']]], 'SecurityProcedure' : [ 0x44, ['pointer', ['void']]], 'QueryNameProcedure' : [ 0x48, ['pointer', ['void']]], 'OkayToCloseProcedure' : [ 0x4c, ['pointer', ['void']]], } ], '_IO_CLIENT_EXTENSION' : [ 0x8, { 'NextExtension' : [ 0x0, ['pointer', ['_IO_CLIENT_EXTENSION']]], 'ClientIdentificationAddress' : [ 0x4, ['pointer', ['void']]], } ], '_ETW_BUFFER_CONTEXT' : [ 0x4, { 'ProcessorNumber' : [ 0x0, ['unsigned char']], 'Alignment' : [ 0x1, ['unsigned char']], 'LoggerId' : [ 0x2, ['unsigned short']], } ], '_KDPC' : [ 0x20, { 'Type' : [ 0x0, ['unsigned char']], 'Importance' : [ 0x1, ['unsigned char']], 'Number' : [ 0x2, ['unsigned short']], 'DpcListEntry' : [ 0x4, ['_LIST_ENTRY']], 'DeferredRoutine' : [ 0xc, ['pointer', ['void']]], 'DeferredContext' : [ 0x10, ['pointer', ['void']]], 'SystemArgument1' : [ 0x14, ['pointer', ['void']]], 'SystemArgument2' : [ 0x18, ['pointer', ['void']]], 'DpcData' : [ 0x1c, ['pointer', ['void']]], } ], '_KERNEL_STACK_SEGMENT' : [ 0x14, { 'StackBase' : [ 0x0, ['unsigned long']], 'StackLimit' : [ 0x4, ['unsigned long']], 'KernelStack' : [ 0x8, ['unsigned long']], 'InitialStack' : [ 0xc, ['unsigned long']], 'ActualLimit' : [ 0x10, ['unsigned long']], } 
], '_KEXECUTE_OPTIONS' : [ 0x1, { 'ExecuteDisable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'ExecuteEnable' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'DisableThunkEmulation' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned char')]], 'Permanent' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned char')]], 'ExecuteDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned char')]], 'ImageDispatchEnable' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned char')]], 'DisableExceptionChainValidation' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned char')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned char')]], } ], '_SEP_TOKEN_PRIVILEGES' : [ 0x18, { 'Present' : [ 0x0, ['unsigned long long']], 'Enabled' : [ 0x8, ['unsigned long long']], 'EnabledByDefault' : [ 0x10, ['unsigned long long']], } ], '_WHEA_PCIXDEVICE_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'IdInfo' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'MemoryNumber' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'IoNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'RegisterDataPairs' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], 'WHEA_PCIXDEVICE_REGISTER_PAIR' : [ 0x10, { 'Register' : [ 0x0, ['unsigned long long']], 'Data' : [ 0x8, ['unsigned long long']], } ], '_ARBITER_ALLOCATION_STATE' : [ 0x38, { 'Start' : [ 0x0, 
['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'CurrentMinimum' : [ 0x10, ['unsigned long long']], 'CurrentMaximum' : [ 0x18, ['unsigned long long']], 'Entry' : [ 0x20, ['pointer', ['_ARBITER_LIST_ENTRY']]], 'CurrentAlternative' : [ 0x24, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'AlternativeCount' : [ 0x28, ['unsigned long']], 'Alternatives' : [ 0x2c, ['pointer', ['_ARBITER_ALTERNATIVE']]], 'Flags' : [ 0x30, ['unsigned short']], 'RangeAttributes' : [ 0x32, ['unsigned char']], 'RangeAvailableAttributes' : [ 0x33, ['unsigned char']], 'WorkSpace' : [ 0x34, ['unsigned long']], } ], '_VACB_ARRAY_HEADER' : [ 0x10, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'MappingCount' : [ 0x8, ['unsigned long']], 'Reserved' : [ 0xc, ['unsigned long']], } ], '_MMWSLENTRY' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'LockedInWs' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'LockedInMemory' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 8, native_type='unsigned long')]], 'Hashed' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Direct' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'Age' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 12, native_type='unsigned long')]], 'VirtualPageNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_DBGKD_SWITCH_PARTITION' : [ 0x4, { 'Partition' : [ 0x0, ['unsigned long']], } ], '_DBGKD_GET_VERSION32' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned short']], 'Flags' : [ 0x6, ['unsigned short']], 'KernBase' : [ 0x8, ['unsigned long']], 'PsLoadedModuleList' : [ 0xc, ['unsigned long']], 'MachineType' : [ 0x10, 
['unsigned short']], 'ThCallbackStack' : [ 0x12, ['unsigned short']], 'NextCallback' : [ 0x14, ['unsigned short']], 'FramePointer' : [ 0x16, ['unsigned short']], 'KiCallUserMode' : [ 0x18, ['unsigned long']], 'KeUserCallbackDispatcher' : [ 0x1c, ['unsigned long']], 'BreakpointWithStatus' : [ 0x20, ['unsigned long']], 'DebuggerDataList' : [ 0x24, ['unsigned long']], } ], '_INTERLOCK_SEQ' : [ 0x8, { 'Depth' : [ 0x0, ['unsigned short']], 'FreeEntryOffset' : [ 0x2, ['unsigned short']], 'OffsetAndDepth' : [ 0x0, ['unsigned long']], 'Sequence' : [ 0x4, ['unsigned long']], 'Exchg' : [ 0x0, ['long long']], } ], '_WHEA_TIMESTAMP' : [ 0x8, { 'Seconds' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'Minutes' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Hours' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long long')]], 'Day' : [ 0x0, ['BitField', dict(start_bit = 32, end_bit = 40, native_type='unsigned long long')]], 'Month' : [ 0x0, ['BitField', dict(start_bit = 40, end_bit = 48, native_type='unsigned long long')]], 'Year' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 56, native_type='unsigned long long')]], 'Century' : [ 0x0, ['BitField', dict(start_bit = 56, end_bit = 64, native_type='unsigned long long')]], 'AsLARGE_INTEGER' : [ 0x0, ['_LARGE_INTEGER']], } ], '_VPB' : [ 0x58, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['short']], 'Flags' : [ 0x4, ['unsigned short']], 'VolumeLabelLength' : [ 0x6, ['unsigned short']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'RealDevice' : [ 0xc, ['pointer', ['_DEVICE_OBJECT']]], 'SerialNumber' : [ 0x10, ['unsigned long']], 'ReferenceCount' : [ 0x14, ['unsigned long']], 'VolumeLabel' : [ 0x18, ['array', 32, ['wchar']]], } ], '_CACHE_DESCRIPTOR' : [ 0xc, { 'Level' : [ 0x0,
['unsigned char']], 'Associativity' : [ 0x1, ['unsigned char']], 'LineSize' : [ 0x2, ['unsigned short']], 'Size' : [ 0x4, ['unsigned long']], 'Type' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'CacheUnified', 1: 'CacheInstruction', 2: 'CacheData', 3: 'CacheTrace'})]], } ], '_SECURITY_SUBJECT_CONTEXT' : [ 0x10, { 'ClientToken' : [ 0x0, ['pointer', ['void']]], 'ImpersonationLevel' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'SecurityAnonymous', 1: 'SecurityIdentification', 2: 'SecurityImpersonation', 3: 'SecurityDelegation'})]], 'PrimaryToken' : [ 0x8, ['pointer', ['void']]], 'ProcessAuditId' : [ 0xc, ['pointer', ['void']]], } ], '_GENERIC_MAPPING' : [ 0x10, { 'GenericRead' : [ 0x0, ['unsigned long']], 'GenericWrite' : [ 0x4, ['unsigned long']], 'GenericExecute' : [ 0x8, ['unsigned long']], 'GenericAll' : [ 0xc, ['unsigned long']], } ], '_KiIoAccessMap' : [ 0x2024, { 'DirectionMap' : [ 0x0, ['array', 32, ['unsigned char']]], 'IoMap' : [ 0x20, ['array', 8196, ['unsigned char']]], } ], '_PF_KERNEL_GLOBALS' : [ 0x40, { 'AccessBufferAgeThreshold' : [ 0x0, ['unsigned long long']], 'AccessBufferRef' : [ 0x8, ['_EX_RUNDOWN_REF']], 'AccessBufferExistsEvent' : [ 0xc, ['_KEVENT']], 'AccessBufferMax' : [ 0x1c, ['unsigned long']], 'AccessBufferList' : [ 0x20, ['_SLIST_HEADER']], 'StreamSequenceNumber' : [ 0x28, ['long']], 'Flags' : [ 0x2c, ['unsigned long']], 'ScenarioPrefetchCount' : [ 0x30, ['long']], } ], '_ARBITER_QUERY_ARBITRATE_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_DBGKD_RESTORE_BREAKPOINT' : [ 0x4, { 'BreakPointHandle' : [ 0x0, ['unsigned long']], } ], '_ARBITER_BOOT_ALLOCATION_PARAMETERS' : [ 0x4, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], } ], '_EXCEPTION_REGISTRATION_RECORD' : [ 0x8, { 'Next' : [ 0x0, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'Handler' : [ 0x4, ['pointer', ['void']]], } ], '_WHEA_PCIXBUS_ID' : [ 0x2, { 'BusNumber' : [ 0x0, ['unsigned char']], 'BusSegment'
: [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '_ETW_REF_CLOCK' : [ 0x10, { 'StartTime' : [ 0x0, ['_LARGE_INTEGER']], 'StartPerfClock' : [ 0x8, ['_LARGE_INTEGER']], } ], '_OB_DUPLICATE_OBJECT_STATE' : [ 0x1c, { 'SourceProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], 'SourceHandle' : [ 0x4, ['pointer', ['void']]], 'Object' : [ 0x8, ['pointer', ['void']]], 'ObjectType' : [ 0xc, ['pointer', ['_OBJECT_TYPE']]], 'TargetAccess' : [ 0x10, ['unsigned long']], 'ObjectInfo' : [ 0x14, ['_HANDLE_TABLE_ENTRY_INFO']], 'HandleAttributes' : [ 0x18, ['unsigned long']], } ], '_MMPTE_SUBSECTION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SubsectionAddressLow' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'SubsectionAddressHigh' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 32, native_type='unsigned long')]], } ], '_POWER_STATE' : [ 0x4, { 'SystemState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'DeviceState' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], } ], '_EFI_FIRMWARE_INFORMATION' : [ 0x10, { 'FirmwareVersion' : [ 0x0, ['unsigned long']], 'VirtualEfiRuntimeServices' : [ 0x4, ['pointer', ['_VIRTUAL_EFI_RUNTIME_SERVICES']]], 'SetVirtualAddressMapStatus' : [ 0x8, ['long']], 'MissedMappingsCount' : [ 0xc, ['unsigned long']], } ], '__unnamed_1cc2' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cc4' : [ 0xc, { 'Level' 
: [ 0x0, ['unsigned long']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cc6' : [ 0xc, { 'Reserved' : [ 0x0, ['unsigned short']], 'MessageCount' : [ 0x2, ['unsigned short']], 'Vector' : [ 0x4, ['unsigned long']], 'Affinity' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cc8' : [ 0xc, { 'Raw' : [ 0x0, ['__unnamed_1cc6']], 'Translated' : [ 0x0, ['__unnamed_1cc4']], } ], '__unnamed_1cca' : [ 0xc, { 'Channel' : [ 0x0, ['unsigned long']], 'Port' : [ 0x4, ['unsigned long']], 'Reserved1' : [ 0x8, ['unsigned long']], } ], '__unnamed_1ccc' : [ 0xc, { 'Start' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cce' : [ 0xc, { 'DataSize' : [ 0x0, ['unsigned long']], 'Reserved1' : [ 0x4, ['unsigned long']], 'Reserved2' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cd0' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length40' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cd2' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length48' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cd4' : [ 0xc, { 'Start' : [ 0x0, ['_LARGE_INTEGER']], 'Length64' : [ 0x8, ['unsigned long']], } ], '__unnamed_1cd6' : [ 0xc, { 'Generic' : [ 0x0, ['__unnamed_1cc2']], 'Port' : [ 0x0, ['__unnamed_1cc2']], 'Interrupt' : [ 0x0, ['__unnamed_1cc4']], 'MessageInterrupt' : [ 0x0, ['__unnamed_1cc8']], 'Memory' : [ 0x0, ['__unnamed_1cc2']], 'Dma' : [ 0x0, ['__unnamed_1cca']], 'DevicePrivate' : [ 0x0, ['__unnamed_1bde']], 'BusNumber' : [ 0x0, ['__unnamed_1ccc']], 'DeviceSpecificData' : [ 0x0, ['__unnamed_1cce']], 'Memory40' : [ 0x0, ['__unnamed_1cd0']], 'Memory48' : [ 0x0, ['__unnamed_1cd2']], 'Memory64' : [ 0x0, ['__unnamed_1cd4']], } ], '_CM_PARTIAL_RESOURCE_DESCRIPTOR' : [ 0x10, { 'Type' : [ 0x0, ['unsigned char']], 'ShareDisposition' : [ 0x1, ['unsigned char']], 'Flags' : [ 0x2, ['unsigned short']], 'u' : [ 0x4, ['__unnamed_1cd6']], } ], '_WHEA_REVISION' : [ 0x2, { 'MinorRevision' : [ 
0x0, ['unsigned char']], 'MajorRevision' : [ 0x1, ['unsigned char']], 'AsUSHORT' : [ 0x0, ['unsigned short']], } ], '__unnamed_1cdd' : [ 0x4, { 'PhysicalAddress' : [ 0x0, ['unsigned long']], 'VirtualSize' : [ 0x0, ['unsigned long']], } ], '_IMAGE_SECTION_HEADER' : [ 0x28, { 'Name' : [ 0x0, ['array', 8, ['unsigned char']]], 'Misc' : [ 0x8, ['__unnamed_1cdd']], 'VirtualAddress' : [ 0xc, ['unsigned long']], 'SizeOfRawData' : [ 0x10, ['unsigned long']], 'PointerToRawData' : [ 0x14, ['unsigned long']], 'PointerToRelocations' : [ 0x18, ['unsigned long']], 'PointerToLinenumbers' : [ 0x1c, ['unsigned long']], 'NumberOfRelocations' : [ 0x20, ['unsigned short']], 'NumberOfLinenumbers' : [ 0x22, ['unsigned short']], 'Characteristics' : [ 0x24, ['unsigned long']], } ], '_ARBITER_ADD_RESERVED_PARAMETERS' : [ 0x4, { 'ReserveDevice' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], } ], '_KUSER_SHARED_DATA' : [ 0x3b8, { 'TickCountLowDeprecated' : [ 0x0, ['unsigned long']], 'TickCountMultiplier' : [ 0x4, ['unsigned long']], 'InterruptTime' : [ 0x8, ['_KSYSTEM_TIME']], 'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], 'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], 'ImageNumberLow' : [ 0x2c, ['unsigned short']], 'ImageNumberHigh' : [ 0x2e, ['unsigned short']], 'NtSystemRoot' : [ 0x30, ['array', 260, ['wchar']]], 'MaxStackTraceDepth' : [ 0x238, ['unsigned long']], 'CryptoExponent' : [ 0x23c, ['unsigned long']], 'TimeZoneId' : [ 0x240, ['unsigned long']], 'LargePageMinimum' : [ 0x244, ['unsigned long']], 'Reserved2' : [ 0x248, ['array', 7, ['unsigned long']]], 'NtProductType' : [ 0x264, ['Enumeration', dict(target = 'long', choices = {1: 'NtProductWinNt', 2: 'NtProductLanManNt', 3: 'NtProductServer'})]], 'ProductTypeIsValid' : [ 0x268, ['unsigned char']], 'NtMajorVersion' : [ 0x26c, ['unsigned long']], 'NtMinorVersion' : [ 0x270, ['unsigned long']], 'ProcessorFeatures' : [ 0x274, ['array', 64, ['unsigned char']]], 'Reserved1' : [ 0x2b4, ['unsigned long']], 'Reserved3' : [ 0x2b8, ['unsigned long']], 
'TimeSlip' : [ 0x2bc, ['unsigned long']], 'AlternativeArchitecture' : [ 0x2c0, ['Enumeration', dict(target = 'long', choices = {0: 'StandardDesign', 1: 'NEC98x86', 2: 'EndAlternatives'})]], 'SystemExpirationDate' : [ 0x2c8, ['_LARGE_INTEGER']], 'SuiteMask' : [ 0x2d0, ['unsigned long']], 'KdDebuggerEnabled' : [ 0x2d4, ['unsigned char']], 'NXSupportPolicy' : [ 0x2d5, ['unsigned char']], 'ActiveConsoleId' : [ 0x2d8, ['unsigned long']], 'DismountCount' : [ 0x2dc, ['unsigned long']], 'ComPlusPackage' : [ 0x2e0, ['unsigned long']], 'LastSystemRITEventTickCount' : [ 0x2e4, ['unsigned long']], 'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], 'SafeBootMode' : [ 0x2ec, ['unsigned char']], 'SharedDataFlags' : [ 0x2f0, ['unsigned long']], 'DbgErrorPortPresent' : [ 0x2f0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'DbgElevationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'DbgVirtEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'DbgInstallerDetectEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'DbgSystemDllRelocated' : [ 0x2f0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'DbgDynProcessorEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'DbgSEHValidationEnabled' : [ 0x2f0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'SpareBits' : [ 0x2f0, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], 'TestRetInstruction' : [ 0x2f8, ['unsigned long long']], 'SystemCall' : [ 0x300, ['unsigned long']], 'SystemCallReturn' : [ 0x304, ['unsigned long']], 'SystemCallPad' : [ 0x308, ['array', 3, ['unsigned long long']]], 'TickCount' : [ 0x320, ['_KSYSTEM_TIME']], 'TickCountQuad' : [ 0x320, ['unsigned long long']], 'Cookie' : [ 0x330, ['unsigned long']], 
'ConsoleSessionForegroundProcessId' : [ 0x338, ['long long']], 'Wow64SharedInformation' : [ 0x340, ['array', 16, ['unsigned long']]], 'UserModeGlobalLogger' : [ 0x380, ['array', 8, ['unsigned short']]], 'HeapTracingPid' : [ 0x390, ['array', 2, ['unsigned long']]], 'CritSecTracingPid' : [ 0x398, ['array', 2, ['unsigned long']]], 'ImageFileExecutionOptions' : [ 0x3a0, ['unsigned long']], 'LangGenerationCount' : [ 0x3a4, ['unsigned long']], 'AffinityPad' : [ 0x3a8, ['unsigned long long']], 'ActiveProcessorAffinity' : [ 0x3a8, ['unsigned long']], 'InterruptTimeBias' : [ 0x3b0, ['unsigned long long']], } ], '__unnamed_1cf1' : [ 0x50, { 'CellData' : [ 0x0, ['_CELL_DATA']], 'List' : [ 0x0, ['array', 1, ['unsigned long']]], } ], '_CM_CACHED_VALUE_INDEX' : [ 0x54, { 'CellIndex' : [ 0x0, ['unsigned long']], 'Data' : [ 0x4, ['__unnamed_1cf1']], } ], '_CONFIGURATION_COMPONENT_DATA' : [ 0x34, { 'Parent' : [ 0x0, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Child' : [ 0x4, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'Sibling' : [ 0x8, ['pointer', ['_CONFIGURATION_COMPONENT_DATA']]], 'ComponentEntry' : [ 0xc, ['_CONFIGURATION_COMPONENT']], 'ConfigurationData' : [ 0x30, ['pointer', ['void']]], } ], '_DBGKD_QUERY_SPECIAL_CALLS' : [ 0x4, { 'NumberOfSpecialCalls' : [ 0x0, ['unsigned long']], } ], '__unnamed_1cfb' : [ 0x4, { 'Balance' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 2, native_type='long')]], 'Parent' : [ 0x0, ['pointer', ['_MMSUBSECTION_NODE']]], } ], '_MMSUBSECTION_NODE' : [ 0x18, { 'u' : [ 0x0, ['__unnamed_14c1']], 'StartingSector' : [ 0x4, ['unsigned long']], 'NumberOfFullSectors' : [ 0x8, ['unsigned long']], 'u1' : [ 0xc, ['__unnamed_1cfb']], 'LeftChild' : [ 0x10, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x14, ['pointer', ['_MMSUBSECTION_NODE']]], } ], '__unnamed_1d01' : [ 0x8, { 'IdleTime' : [ 0x0, ['unsigned long']], 'NonIdleTime' : [ 0x4, ['unsigned long']], } ], '__unnamed_1d03' : [ 0x8, { 'Disk' : [ 0x0, ['__unnamed_1d01']], } ], 
'_DEVICE_OBJECT_POWER_EXTENSION' : [ 0x60, { 'IdleCount' : [ 0x0, ['unsigned long']], 'BusyCount' : [ 0x4, ['unsigned long']], 'TotalBusyCount' : [ 0x8, ['unsigned long']], 'ConservationIdleTime' : [ 0xc, ['unsigned long']], 'PerformanceIdleTime' : [ 0x10, ['unsigned long']], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], 'IdleList' : [ 0x18, ['_LIST_ENTRY']], 'DeviceType' : [ 0x20, ['unsigned char']], 'IdleState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'CurrentState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerDeviceUnspecified', 1: 'PowerDeviceD0', 2: 'PowerDeviceD1', 3: 'PowerDeviceD2', 4: 'PowerDeviceD3', 5: 'PowerDeviceMaximum'})]], 'NotifySourceList' : [ 0x2c, ['_LIST_ENTRY']], 'NotifyTargetList' : [ 0x34, ['_LIST_ENTRY']], 'PowerChannelSummary' : [ 0x3c, ['_POWER_CHANNEL_SUMMARY']], 'Volume' : [ 0x50, ['_LIST_ENTRY']], 'Specific' : [ 0x58, ['__unnamed_1d03']], } ], '_ARBITER_RETEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_WHEA_ERROR_STATUS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['unsigned long long']], 'Reserved1' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long long')]], 'Address' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long long')]], 'Control' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long long')]], 'Data' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long long')]], 'Responder' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, 
native_type='unsigned long long')]], 'Requester' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long long')]], 'FirstError' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long long')]], 'Overflow' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long long')]], 'Reserved2' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 64, native_type='unsigned long long')]], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_VALIDBITS' : [ 0x1, { 'FRUId' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'FRUText' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned char')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 8, native_type='unsigned char')]], 'AsUCHAR' : [ 0x0, ['unsigned char']], } ], '_FS_FILTER_CALLBACKS' : [ 0x38, { 'SizeOfFsFilterCallbacks' : [ 0x0, ['unsigned long']], 'Reserved' : [ 0x4, ['unsigned long']], 'PreAcquireForSectionSynchronization' : [ 0x8, ['pointer', ['void']]], 'PostAcquireForSectionSynchronization' : [ 0xc, ['pointer', ['void']]], 'PreReleaseForSectionSynchronization' : [ 0x10, ['pointer', ['void']]], 'PostReleaseForSectionSynchronization' : [ 0x14, ['pointer', ['void']]], 'PreAcquireForCcFlush' : [ 0x18, ['pointer', ['void']]], 'PostAcquireForCcFlush' : [ 0x1c, ['pointer', ['void']]], 'PreReleaseForCcFlush' : [ 0x20, ['pointer', ['void']]], 'PostReleaseForCcFlush' : [ 0x24, ['pointer', ['void']]], 'PreAcquireForModifiedPageWriter' : [ 0x28, ['pointer', ['void']]], 'PostAcquireForModifiedPageWriter' : [ 0x2c, ['pointer', ['void']]], 'PreReleaseForModifiedPageWriter' : [ 0x30, ['pointer', ['void']]], 'PostReleaseForModifiedPageWriter' : [ 0x34, ['pointer', ['void']]], } ], '_KENLISTMENT' : [ 0x168, { 'cookie' : [ 0x0, ['unsigned long']], 'NamespaceLink' : [ 0x4, ['_KTMOBJECT_NAMESPACE_LINK']], 'EnlistmentId' : [ 0x18, ['_GUID']], 'Mutex' : [ 0x28, ['_KMUTANT']], 'NextSameTx' : [ 
0x48, ['_LIST_ENTRY']], 'NextSameRm' : [ 0x50, ['_LIST_ENTRY']], 'ResourceManager' : [ 0x58, ['pointer', ['_KRESOURCEMANAGER']]], 'Transaction' : [ 0x5c, ['pointer', ['_KTRANSACTION']]], 'State' : [ 0x60, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], 'Flags' : [ 0x64, ['unsigned long']], 'NotificationMask' : [ 0x68, ['unsigned long']], 'Key' : [ 0x6c, ['pointer', ['void']]], 'KeyRefCount' : [ 0x70, ['unsigned long']], 'RecoveryInformation' : [ 0x74, ['pointer', ['void']]], 'RecoveryInformationLength' : [ 0x78, ['unsigned long']], 'DynamicNameInformation' : [ 0x7c, ['pointer', ['void']]], 'DynamicNameInformationLength' : [ 0x80, ['unsigned long']], 'FinalNotification' : [ 0x84, ['pointer', ['_KTMNOTIFICATION_PACKET']]], 'SupSubEnlistment' : [ 0x88, ['pointer', ['_KENLISTMENT']]], 'SupSubEnlHandle' : [ 0x8c, ['pointer', ['void']]], 'SubordinateTxHandle' : [ 0x90, ['pointer', ['void']]], 'CrmEnlistmentEnId' : [ 0x94, ['_GUID']], 'CrmEnlistmentTmId' : [ 0xa4, ['_GUID']], 'CrmEnlistmentRmId' : [ 0xb4, ['_GUID']], 'NextHistory' : [ 0xc4, ['unsigned long']], 'History' : [ 0xc8, ['array', 20, ['_KENLISTMENT_HISTORY']]], } ], '_ARBITER_INTERFACE' : [ 0x18, { 'Size' : [ 0x0, ['unsigned short']], 'Version' : [ 0x2, ['unsigned short']], 'Context' : [ 0x4, ['pointer', ['void']]], 'InterfaceReference' : [ 0x8, ['pointer', ['void']]], 'InterfaceDereference' : [ 0xc, 
['pointer', ['void']]], 'ArbiterHandler' : [ 0x10, ['pointer', ['void']]], 'Flags' : [ 0x14, ['unsigned long']], } ], '_KAPC_STATE' : [ 0x18, { 'ApcListHead' : [ 0x0, ['array', 2, ['_LIST_ENTRY']]], 'Process' : [ 0x10, ['pointer', ['_KPROCESS']]], 'KernelApcInProgress' : [ 0x14, ['unsigned char']], 'KernelApcPending' : [ 0x15, ['unsigned char']], 'UserApcPending' : [ 0x16, ['unsigned char']], } ], '_IA64_LOADER_BLOCK' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_DEVICE_RELATIONS' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'Objects' : [ 0x4, ['array', 1, ['pointer', ['_DEVICE_OBJECT']]]], } ], '_IMAGE_ROM_OPTIONAL_HEADER' : [ 0x38, { 'Magic' : [ 0x0, ['unsigned short']], 'MajorLinkerVersion' : [ 0x2, ['unsigned char']], 'MinorLinkerVersion' : [ 0x3, ['unsigned char']], 'SizeOfCode' : [ 0x4, ['unsigned long']], 'SizeOfInitializedData' : [ 0x8, ['unsigned long']], 'SizeOfUninitializedData' : [ 0xc, ['unsigned long']], 'AddressOfEntryPoint' : [ 0x10, ['unsigned long']], 'BaseOfCode' : [ 0x14, ['unsigned long']], 'BaseOfData' : [ 0x18, ['unsigned long']], 'BaseOfBss' : [ 0x1c, ['unsigned long']], 'GprMask' : [ 0x20, ['unsigned long']], 'CprMask' : [ 0x24, ['array', 4, ['unsigned long']]], 'GpValue' : [ 0x34, ['unsigned long']], } ], '_ALPC_COMPLETION_LIST_HEADER' : [ 0x300, { 'StartMagic' : [ 0x0, ['unsigned long long']], 'TotalSize' : [ 0x8, ['unsigned long']], 'ListOffset' : [ 0xc, ['unsigned long']], 'ListSize' : [ 0x10, ['unsigned long']], 'BitmapOffset' : [ 0x14, ['unsigned long']], 'BitmapSize' : [ 0x18, ['unsigned long']], 'DataOffset' : [ 0x1c, ['unsigned long']], 'DataSize' : [ 0x20, ['unsigned long']], 'AttributeFlags' : [ 0x24, ['unsigned long']], 'AttributeSize' : [ 0x28, ['unsigned long']], 'State' : [ 0x80, ['_ALPC_COMPLETION_LIST_STATE']], 'LastMessageId' : [ 0x88, ['unsigned long']], 'LastCallbackId' : [ 0x8c, ['unsigned long']], 'PostCount' : [ 0x100, ['unsigned long']], 'ReturnCount' : [ 0x180, ['unsigned long']], 
'LogSequenceNumber' : [ 0x200, ['unsigned long']], 'UserLock' : [ 0x280, ['_RTL_SRWLOCK']], 'EndMagic' : [ 0x288, ['unsigned long long']], } ], '_IMAGE_DEBUG_DIRECTORY' : [ 0x1c, { 'Characteristics' : [ 0x0, ['unsigned long']], 'TimeDateStamp' : [ 0x4, ['unsigned long']], 'MajorVersion' : [ 0x8, ['unsigned short']], 'MinorVersion' : [ 0xa, ['unsigned short']], 'Type' : [ 0xc, ['unsigned long']], 'SizeOfData' : [ 0x10, ['unsigned long']], 'AddressOfRawData' : [ 0x14, ['unsigned long']], 'PointerToRawData' : [ 0x18, ['unsigned long']], } ], '_DEVICE_MAP' : [ 0x30, { 'DosDevicesDirectory' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY']]], 'GlobalDosDevicesDirectory' : [ 0x4, ['pointer', ['_OBJECT_DIRECTORY']]], 'ReferenceCount' : [ 0x8, ['unsigned long']], 'DriveMap' : [ 0xc, ['unsigned long']], 'DriveType' : [ 0x10, ['array', 32, ['unsigned char']]], } ], '_CHILD_LIST' : [ 0x8, { 'Count' : [ 0x0, ['unsigned long']], 'List' : [ 0x4, ['unsigned long']], } ], '_ETW_KERNEL_TRACE_TIMESTAMP' : [ 0x10, { 'KernelTraceTimeStamp' : [ 0x0, ['array', 2, ['_LARGE_INTEGER']]], } ], '_HEAP_DEBUGGING_INFORMATION' : [ 0x1c, { 'InterceptorFunction' : [ 0x0, ['pointer', ['void']]], 'InterceptorValue' : [ 0x4, ['unsigned short']], 'ExtendedOptions' : [ 0x8, ['unsigned long']], 'StackTraceDepth' : [ 0xc, ['unsigned long']], 'MinTotalBlockSize' : [ 0x10, ['unsigned long']], 'MaxTotalBlockSize' : [ 0x14, ['unsigned long']], 'HeapLeakEnumerationRoutine' : [ 0x18, ['pointer', ['void']]], } ], '_IO_RESOURCE_LIST' : [ 0x28, { 'Version' : [ 0x0, ['unsigned short']], 'Revision' : [ 0x2, ['unsigned short']], 'Count' : [ 0x4, ['unsigned long']], 'Descriptors' : [ 0x8, ['array', 1, ['_IO_RESOURCE_DESCRIPTOR']]], } ], '_MMBANKED_SECTION' : [ 0x20, { 'BasePhysicalPage' : [ 0x0, ['unsigned long']], 'BasedPte' : [ 0x4, ['pointer', ['_MMPTE']]], 'BankSize' : [ 0x8, ['unsigned long']], 'BankShift' : [ 0xc, ['unsigned long']], 'BankedRoutine' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', 
['void']]], 'CurrentMappedPte' : [ 0x18, ['pointer', ['_MMPTE']]], 'BankTemplate' : [ 0x1c, ['array', 1, ['_MMPTE']]], } ], '_WHEA_ERROR_RECORD_HEADER_FLAGS' : [ 0x4, { 'Recovered' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'PreviousError' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Simulated' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_WHEA_PCIEXPRESS_ERROR' : [ 0xd0, { 'ValidBits' : [ 0x0, ['_WHEA_PCIEXPRESS_ERROR_VALIDBITS']], 'PortType' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'WheaPciExpressEndpoint', 1: 'WheaPciExpressLegacyEndpoint', 4: 'WheaPciExpressRootPort', 5: 'WheaPciExpressUpstreamSwitchPort', 6: 'WheaPciExpressDownstreamSwitchPort', 7: 'WheaPciExpressToPciXBridge', 8: 'WheaPciXToExpressBridge', 9: 'WheaPciExpressRootComplexIntegratedEndpoint', 10: 'WheaPciExpressRootComplexEventCollector'})]], 'Version' : [ 0xc, ['_WHEA_PCIEXPRESS_VERSION']], 'CommandStatus' : [ 0x10, ['_WHEA_PCIEXPRESS_COMMAND_STATUS']], 'Reserved' : [ 0x14, ['unsigned long']], 'DeviceId' : [ 0x18, ['_WHEA_PCIEXPRESS_DEVICE_ID']], 'DeviceSerialNumber' : [ 0x28, ['unsigned long long']], 'BridgeControlStatus' : [ 0x30, ['_WHEA_PCIEXPRESS_BRIDGE_CONTROL_STATUS']], 'ExpressCapability' : [ 0x34, ['array', 60, ['unsigned char']]], 'AerInfo' : [ 0x70, ['array', 96, ['unsigned char']]], } ], '_HEAP_VIRTUAL_ALLOC_ENTRY' : [ 0x20, { 'Entry' : [ 0x0, ['_LIST_ENTRY']], 'ExtraStuff' : [ 0x8, ['_HEAP_ENTRY_EXTRA']], 'CommitSize' : [ 0x10, ['unsigned long']], 'ReserveSize' : [ 0x14, ['unsigned long']], 'BusyBlock' : [ 0x18, ['_HEAP_ENTRY']], } ], '_RTL_CRITICAL_SECTION' : [ 0x18, { 'DebugInfo' : [ 0x0, ['pointer', ['_RTL_CRITICAL_SECTION_DEBUG']]], 'LockCount' : [ 0x4, ['long']], 'RecursionCount' : [ 0x8, 
['long']], 'OwningThread' : [ 0xc, ['pointer', ['void']]], 'LockSemaphore' : [ 0x10, ['pointer', ['void']]], 'SpinCount' : [ 0x14, ['unsigned long']], } ], '_KTRAP_FRAME' : [ 0x8c, { 'DbgEbp' : [ 0x0, ['unsigned long']], 'DbgEip' : [ 0x4, ['unsigned long']], 'DbgArgMark' : [ 0x8, ['unsigned long']], 'DbgArgPointer' : [ 0xc, ['unsigned long']], 'TempSegCs' : [ 0x10, ['unsigned short']], 'Logging' : [ 0x12, ['unsigned char']], 'Reserved' : [ 0x13, ['unsigned char']], 'TempEsp' : [ 0x14, ['unsigned long']], 'Dr0' : [ 0x18, ['unsigned long']], 'Dr1' : [ 0x1c, ['unsigned long']], 'Dr2' : [ 0x20, ['unsigned long']], 'Dr3' : [ 0x24, ['unsigned long']], 'Dr6' : [ 0x28, ['unsigned long']], 'Dr7' : [ 0x2c, ['unsigned long']], 'SegGs' : [ 0x30, ['unsigned long']], 'SegEs' : [ 0x34, ['unsigned long']], 'SegDs' : [ 0x38, ['unsigned long']], 'Edx' : [ 0x3c, ['unsigned long']], 'Ecx' : [ 0x40, ['unsigned long']], 'Eax' : [ 0x44, ['unsigned long']], 'PreviousPreviousMode' : [ 0x48, ['unsigned long']], 'ExceptionList' : [ 0x4c, ['pointer', ['_EXCEPTION_REGISTRATION_RECORD']]], 'SegFs' : [ 0x50, ['unsigned long']], 'Edi' : [ 0x54, ['unsigned long']], 'Esi' : [ 0x58, ['unsigned long']], 'Ebx' : [ 0x5c, ['unsigned long']], 'Ebp' : [ 0x60, ['unsigned long']], 'ErrCode' : [ 0x64, ['unsigned long']], 'Eip' : [ 0x68, ['unsigned long']], 'SegCs' : [ 0x6c, ['unsigned long']], 'EFlags' : [ 0x70, ['unsigned long']], 'HardwareEsp' : [ 0x74, ['unsigned long']], 'HardwareSegSs' : [ 0x78, ['unsigned long']], 'V86Es' : [ 0x7c, ['unsigned long']], 'V86Ds' : [ 0x80, ['unsigned long']], 'V86Fs' : [ 0x84, ['unsigned long']], 'V86Gs' : [ 0x88, ['unsigned long']], } ], '__unnamed_1d78' : [ 0x4, { 'AsULONG' : [ 0x0, ['unsigned long']], 'UsingHypervisor' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoDomainAccounting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'IncreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 2, 
end_bit = 4, native_type='unsigned long')]], 'DecreasePolicy' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], } ], '_PPM_PERF_STATES' : [ 0x78, { 'Count' : [ 0x0, ['unsigned long']], 'MaxFrequency' : [ 0x4, ['unsigned long']], 'PStateCap' : [ 0x8, ['unsigned long']], 'TStateCap' : [ 0xc, ['unsigned long']], 'MaxPerfState' : [ 0x10, ['unsigned long']], 'MinPerfState' : [ 0x14, ['unsigned long']], 'LowestPState' : [ 0x18, ['unsigned long']], 'IncreaseTime' : [ 0x1c, ['unsigned long']], 'DecreaseTime' : [ 0x20, ['unsigned long']], 'BusyAdjThreshold' : [ 0x24, ['unsigned char']], 'Reserved' : [ 0x25, ['unsigned char']], 'ThrottleStatesOnly' : [ 0x26, ['unsigned char']], 'PolicyType' : [ 0x27, ['unsigned char']], 'TimerInterval' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['__unnamed_1d78']], 'TargetProcessors' : [ 0x30, ['unsigned long']], 'PStateHandler' : [ 0x34, ['pointer', ['void']]], 'PStateContext' : [ 0x38, ['unsigned long']], 'TStateHandler' : [ 0x3c, ['pointer', ['void']]], 'TStateContext' : [ 0x40, ['unsigned long']], 'FeedbackHandler' : [ 0x44, ['pointer', ['void']]], 'DiaStats' : [ 0x48, ['pointer', ['_PPM_DIA_STATS']]], 'DiaStatsCount' : [ 0x4c, ['unsigned long']], 'State' : [ 0x50, ['array', 1, ['_PPM_PERF_STATE']]], } ], '_WAIT_CONTEXT_BLOCK' : [ 0x28, { 'WaitQueueEntry' : [ 0x0, ['_KDEVICE_QUEUE_ENTRY']], 'DeviceRoutine' : [ 0x10, ['pointer', ['void']]], 'DeviceContext' : [ 0x14, ['pointer', ['void']]], 'NumberOfMapRegisters' : [ 0x18, ['unsigned long']], 'DeviceObject' : [ 0x1c, ['pointer', ['void']]], 'CurrentIrp' : [ 0x20, ['pointer', ['void']]], 'BufferChainingDpc' : [ 0x24, ['pointer', ['_KDPC']]], } ], '_SECTION_OBJECT' : [ 0x18, { 'StartingVa' : [ 0x0, ['pointer', ['void']]], 'EndingVa' : [ 0x4, ['pointer', ['void']]], 'Parent' : [ 0x8, ['pointer', ['void']]], 'LeftChild' : [ 0xc, ['pointer', ['void']]], 
'RightChild' : [ 0x10, ['pointer', ['void']]], 'Segment' : [ 0x14, ['pointer', ['_SEGMENT_OBJECT']]], } ], '_CM_NAME_CONTROL_BLOCK' : [ 0x10, { 'Compressed' : [ 0x0, ['unsigned char']], 'RefCount' : [ 0x2, ['unsigned short']], 'NameHash' : [ 0x4, ['_CM_NAME_HASH']], 'ConvKey' : [ 0x4, ['unsigned long']], 'NextHash' : [ 0x8, ['pointer', ['_CM_KEY_HASH']]], 'NameLength' : [ 0xc, ['unsigned short']], 'Name' : [ 0xe, ['array', 1, ['wchar']]], } ], '_PPM_PERF_STATE' : [ 0x28, { 'Frequency' : [ 0x0, ['unsigned long']], 'Power' : [ 0x4, ['unsigned long']], 'PercentFrequency' : [ 0x8, ['unsigned char']], 'IncreaseLevel' : [ 0x9, ['unsigned char']], 'DecreaseLevel' : [ 0xa, ['unsigned char']], 'Type' : [ 0xb, ['unsigned char']], 'Control' : [ 0x10, ['unsigned long long']], 'Status' : [ 0x18, ['unsigned long long']], 'TotalHitCount' : [ 0x20, ['unsigned long']], 'DesiredCount' : [ 0x24, ['unsigned long']], } ], '_u' : [ 0x50, { 'KeyNode' : [ 0x0, ['_CM_KEY_NODE']], 'KeyValue' : [ 0x0, ['_CM_KEY_VALUE']], 'KeySecurity' : [ 0x0, ['_CM_KEY_SECURITY']], 'KeyIndex' : [ 0x0, ['_CM_KEY_INDEX']], 'ValueData' : [ 0x0, ['_CM_BIG_DATA']], 'KeyList' : [ 0x0, ['array', 1, ['unsigned long']]], 'KeyString' : [ 0x0, ['array', 1, ['wchar']]], } ], '_GENERAL_LOOKASIDE_POOL' : [ 0x48, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'SingleListHead' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'AllocateHits' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'FreeHits' : [ 0x18, ['unsigned long']], 'Type' : [ 0x1c, ['Enumeration', dict(target = 'long', choices = {0: 'NonPagedPool', 1: 'PagedPool', 2: 'NonPagedPoolMustSucceed', 3: 'DontUseThisType', 4: 'NonPagedPoolCacheAligned', 5: 'PagedPoolCacheAligned', 6: 'NonPagedPoolCacheAlignedMustS', 7: 'MaxPoolType', 34: 
'NonPagedPoolMustSucceedSession', 35: 'DontUseThisTypeSession', 32: 'NonPagedPoolSession', 36: 'NonPagedPoolCacheAlignedSession', 33: 'PagedPoolSession', 38: 'NonPagedPoolCacheAlignedMustSSession', 37: 'PagedPoolCacheAlignedSession'})]], 'Tag' : [ 0x20, ['unsigned long']], 'Size' : [ 0x24, ['unsigned long']], 'AllocateEx' : [ 0x28, ['pointer', ['void']]], 'Allocate' : [ 0x28, ['pointer', ['void']]], 'FreeEx' : [ 0x2c, ['pointer', ['void']]], 'Free' : [ 0x2c, ['pointer', ['void']]], 'ListEntry' : [ 0x30, ['_LIST_ENTRY']], 'LastTotalAllocates' : [ 0x38, ['unsigned long']], 'LastAllocateMisses' : [ 0x3c, ['unsigned long']], 'LastAllocateHits' : [ 0x3c, ['unsigned long']], 'Future' : [ 0x40, ['array', 2, ['unsigned long']]], } ], '_WHEA_NMI_ERROR_FLAGS' : [ 0x4, { 'HypervisorError' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_HEAP_LOOKASIDE' : [ 0x30, { 'ListHead' : [ 0x0, ['_SLIST_HEADER']], 'Depth' : [ 0x8, ['unsigned short']], 'MaximumDepth' : [ 0xa, ['unsigned short']], 'TotalAllocates' : [ 0xc, ['unsigned long']], 'AllocateMisses' : [ 0x10, ['unsigned long']], 'TotalFrees' : [ 0x14, ['unsigned long']], 'FreeMisses' : [ 0x18, ['unsigned long']], 'LastTotalAllocates' : [ 0x1c, ['unsigned long']], 'LastAllocateMisses' : [ 0x20, ['unsigned long']], 'Counters' : [ 0x24, ['array', 2, ['unsigned long']]], } ], '_WMI_TRACE_PACKET' : [ 0x4, { 'Size' : [ 0x0, ['unsigned short']], 'HookId' : [ 0x2, ['unsigned short']], 'Type' : [ 0x2, ['unsigned char']], 'Group' : [ 0x3, ['unsigned char']], } ], '_RTL_ATOM_TABLE' : [ 0x44, { 'Signature' : [ 0x0, ['unsigned long']], 'CriticalSection' : [ 0x4, ['_RTL_CRITICAL_SECTION']], 'RtlHandleTable' : [ 0x1c, ['_RTL_HANDLE_TABLE']], 'NumberOfBuckets' : [ 0x3c, ['unsigned long']], 'Buckets' : [ 0x40, ['array', 1, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]]], } 
], '_POP_POWER_ACTION' : [ 0xa0, { 'Updates' : [ 0x0, ['unsigned char']], 'State' : [ 0x1, ['unsigned char']], 'Shutdown' : [ 0x2, ['unsigned char']], 'Action' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerActionNone', 1: 'PowerActionReserved', 2: 'PowerActionSleep', 3: 'PowerActionHibernate', 4: 'PowerActionShutdown', 5: 'PowerActionShutdownReset', 6: 'PowerActionShutdownOff', 7: 'PowerActionWarmEject'})]], 'LightestState' : [ 0x8, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Flags' : [ 0xc, ['unsigned long']], 'Status' : [ 0x10, ['long']], 'DeviceType' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'DeviceTypeFlags' : [ 0x18, ['unsigned long']], 'IrpMinor' : [ 0x1c, ['unsigned char']], 'Waking' : [ 0x1d, ['unsigned char']], 'SystemState' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'NextSystemState' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'EffectiveSystemState' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 
'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'CurrentSystemState' : [ 0x2c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ShutdownBugCode' : [ 0x30, ['pointer', ['_POP_SHUTDOWN_BUG_CHECK']]], 'DevState' : [ 0x34, ['pointer', ['_POP_DEVICE_SYS_STATE']]], 'DisplayResumeContext' : [ 0x38, ['pointer', ['_POP_DISPLAY_RESUME_CONTEXT']]], 'HiberContext' : [ 0x3c, ['pointer', ['_POP_HIBER_CONTEXT']]], 'WakeTime' : [ 0x40, ['unsigned long long']], 'SleepTime' : [ 0x48, ['unsigned long long']], 'FilteredCapabilities' : [ 0x50, ['SYSTEM_POWER_CAPABILITIES']], } ], '_CM_KEY_VALUE' : [ 0x18, { 'Signature' : [ 0x0, ['unsigned short']], 'NameLength' : [ 0x2, ['unsigned short']], 'DataLength' : [ 0x4, ['unsigned long']], 'Data' : [ 0x8, ['unsigned long']], 'Type' : [ 0xc, ['unsigned long']], 'Flags' : [ 0x10, ['unsigned short']], 'Spare' : [ 0x12, ['unsigned short']], 'Name' : [ 0x14, ['array', 1, ['wchar']]], } ], '_CM_KEY_HASH' : [ 0x10, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_KEY_HASH']]], 'KeyHive' : [ 0x8, ['pointer', ['_HHIVE']]], 'KeyCell' : [ 0xc, ['unsigned long']], } ], '_PO_DEVICE_NOTIFY' : [ 0x24, { 'Link' : [ 0x0, ['_LIST_ENTRY']], 'TargetDevice' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'OrderLevel' : [ 0xc, ['unsigned char']], 'DeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'DeviceName' : [ 0x14, ['pointer', ['unsigned short']]], 'DriverName' : [ 0x18, ['pointer', ['unsigned short']]], 'ChildCount' : [ 0x1c, ['unsigned long']], 'ActiveChild' : [ 0x20, ['unsigned long']], } ], '_CM_KEY_SECURITY_CACHE_ENTRY' : [ 0x8, { 'Cell' : [ 0x0, ['unsigned long']], 'CachedSecurity' : [ 0x4, ['pointer', 
['_CM_KEY_SECURITY_CACHE']]], } ], '_FS_FILTER_CALLBACK_DATA' : [ 0x24, { 'SizeOfFsFilterCallbackData' : [ 0x0, ['unsigned long']], 'Operation' : [ 0x4, ['unsigned char']], 'Reserved' : [ 0x5, ['unsigned char']], 'DeviceObject' : [ 0x8, ['pointer', ['_DEVICE_OBJECT']]], 'FileObject' : [ 0xc, ['pointer', ['_FILE_OBJECT']]], 'Parameters' : [ 0x10, ['_FS_FILTER_PARAMETERS']], } ], '_IMAGE_SECURITY_CONTEXT' : [ 0x4, { 'PageHashes' : [ 0x0, ['pointer', ['void']]], 'Value' : [ 0x0, ['unsigned long']], 'SecurityBeingCreated' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'SecurityMandatory' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Unused' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'PageHashPointer' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], } ], '__unnamed_1dcb' : [ 0x4, { 'Level' : [ 0x0, ['unsigned long']], } ], '__unnamed_1dcd' : [ 0x4, { 'Type' : [ 0x0, ['unsigned long']], } ], '_POP_ACTION_TRIGGER' : [ 0x10, { 'Type' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'PolicyDeviceSystemButton', 1: 'PolicyDeviceThermalZone', 2: 'PolicyDeviceBattery', 3: 'PolicyDeviceMemory', 4: 'PolicyInitiatePowerActionAPI', 5: 'PolicySetPowerStateAPI', 6: 'PolicyImmediateDozeS4', 7: 'PolicySystemIdle', 8: 'PolicyDeviceMax'})]], 'Flags' : [ 0x4, ['unsigned long']], 'Wait' : [ 0x8, ['pointer', ['_POP_TRIGGER_WAIT']]], 'Battery' : [ 0xc, ['__unnamed_1dcb']], 'Button' : [ 0xc, ['__unnamed_1dcd']], } ], '_KENLISTMENT_HISTORY' : [ 0x8, { 'Notification' : [ 0x0, ['unsigned long']], 'NewState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'KEnlistmentUninitialized', 256: 'KEnlistmentActive', 258: 'KEnlistmentPrepared', 259: 'KEnlistmentInDoubt', 260: 'KEnlistmentCommitted', 261: 'KEnlistmentCommittedNotify', 262: 'KEnlistmentCommitRequested', 257: 'KEnlistmentPreparing', 264: 
'KEnlistmentDelegated', 265: 'KEnlistmentDelegatedDisconnected', 266: 'KEnlistmentPrePreparing', 263: 'KEnlistmentAborted', 268: 'KEnlistmentRecovering', 269: 'KEnlistmentAborting', 270: 'KEnlistmentReadOnly', 271: 'KEnlistmentOutcomeUnavailable', 272: 'KEnlistmentOffline', 273: 'KEnlistmentPrePrepared', 274: 'KEnlistmentInitialized', 267: 'KEnlistmentForgotten'})]], } ], '_FAST_IO_DISPATCH' : [ 0x70, { 'SizeOfFastIoDispatch' : [ 0x0, ['unsigned long']], 'FastIoCheckIfPossible' : [ 0x4, ['pointer', ['void']]], 'FastIoRead' : [ 0x8, ['pointer', ['void']]], 'FastIoWrite' : [ 0xc, ['pointer', ['void']]], 'FastIoQueryBasicInfo' : [ 0x10, ['pointer', ['void']]], 'FastIoQueryStandardInfo' : [ 0x14, ['pointer', ['void']]], 'FastIoLock' : [ 0x18, ['pointer', ['void']]], 'FastIoUnlockSingle' : [ 0x1c, ['pointer', ['void']]], 'FastIoUnlockAll' : [ 0x20, ['pointer', ['void']]], 'FastIoUnlockAllByKey' : [ 0x24, ['pointer', ['void']]], 'FastIoDeviceControl' : [ 0x28, ['pointer', ['void']]], 'AcquireFileForNtCreateSection' : [ 0x2c, ['pointer', ['void']]], 'ReleaseFileForNtCreateSection' : [ 0x30, ['pointer', ['void']]], 'FastIoDetachDevice' : [ 0x34, ['pointer', ['void']]], 'FastIoQueryNetworkOpenInfo' : [ 0x38, ['pointer', ['void']]], 'AcquireForModWrite' : [ 0x3c, ['pointer', ['void']]], 'MdlRead' : [ 0x40, ['pointer', ['void']]], 'MdlReadComplete' : [ 0x44, ['pointer', ['void']]], 'PrepareMdlWrite' : [ 0x48, ['pointer', ['void']]], 'MdlWriteComplete' : [ 0x4c, ['pointer', ['void']]], 'FastIoReadCompressed' : [ 0x50, ['pointer', ['void']]], 'FastIoWriteCompressed' : [ 0x54, ['pointer', ['void']]], 'MdlReadCompleteCompressed' : [ 0x58, ['pointer', ['void']]], 'MdlWriteCompleteCompressed' : [ 0x5c, ['pointer', ['void']]], 'FastIoQueryOpen' : [ 0x60, ['pointer', ['void']]], 'ReleaseForModWrite' : [ 0x64, ['pointer', ['void']]], 'AcquireForCcFlush' : [ 0x68, ['pointer', ['void']]], 'ReleaseForCcFlush' : [ 0x6c, ['pointer', ['void']]], } ], '_DBGKD_BREAKPOINTEX' : [ 0x8, { 
'BreakPointCount' : [ 0x0, ['unsigned long']], 'ContinueStatus' : [ 0x4, ['long']], } ], '_CM_CELL_REMAP_BLOCK' : [ 0x8, { 'OldCell' : [ 0x0, ['unsigned long']], 'NewCell' : [ 0x4, ['unsigned long']], } ], '_OBJECT_DIRECTORY_ENTRY' : [ 0xc, { 'ChainLink' : [ 0x0, ['pointer', ['_OBJECT_DIRECTORY_ENTRY']]], 'Object' : [ 0x4, ['pointer', ['void']]], 'HashValue' : [ 0x8, ['unsigned long']], } ], '_LOADER_PARAMETER_EXTENSION' : [ 0x84, { 'Size' : [ 0x0, ['unsigned long']], 'Profile' : [ 0x4, ['_PROFILE_PARAMETER_BLOCK']], 'MajorVersion' : [ 0x14, ['unsigned long']], 'MinorVersion' : [ 0x18, ['unsigned long']], 'EmInfFileImage' : [ 0x1c, ['pointer', ['void']]], 'EmInfFileSize' : [ 0x20, ['unsigned long']], 'TriageDumpBlock' : [ 0x24, ['pointer', ['void']]], 'LoaderPagesSpanned' : [ 0x28, ['unsigned long']], 'HeadlessLoaderBlock' : [ 0x2c, ['pointer', ['_HEADLESS_LOADER_BLOCK']]], 'SMBiosEPSHeader' : [ 0x30, ['pointer', ['_SMBIOS_TABLE_HEADER']]], 'DrvDBImage' : [ 0x34, ['pointer', ['void']]], 'DrvDBSize' : [ 0x38, ['unsigned long']], 'NetworkLoaderBlock' : [ 0x3c, ['pointer', ['_NETWORK_LOADER_BLOCK']]], 'HalpIRQLToTPR' : [ 0x40, ['pointer', ['unsigned char']]], 'HalpVectorToIRQL' : [ 0x44, ['pointer', ['unsigned char']]], 'FirmwareDescriptorListHead' : [ 0x48, ['_LIST_ENTRY']], 'AcpiTable' : [ 0x50, ['pointer', ['void']]], 'AcpiTableSize' : [ 0x54, ['unsigned long']], 'BootViaWinload' : [ 0x58, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Reserved' : [ 0x58, ['BitField', dict(start_bit = 1, end_bit = 32, native_type='unsigned long')]], 'LoaderPerformanceData' : [ 0x5c, ['pointer', ['_LOADER_PERFORMANCE_DATA']]], 'BootApplicationPersistentData' : [ 0x60, ['_LIST_ENTRY']], 'WmdTestResult' : [ 0x68, ['pointer', ['void']]], 'BootIdentifier' : [ 0x6c, ['_GUID']], 'ResumePages' : [ 0x7c, ['unsigned long']], 'DumpHeader' : [ 0x80, ['pointer', ['void']]], } ], '_PI_RESOURCE_ARBITER_ENTRY' : [ 0x38, { 'DeviceArbiterList' : [ 0x0, 
['_LIST_ENTRY']], 'ResourceType' : [ 0x8, ['unsigned char']], 'ArbiterInterface' : [ 0xc, ['pointer', ['_ARBITER_INTERFACE']]], 'DeviceNode' : [ 0x10, ['pointer', ['_DEVICE_NODE']]], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'BestResourceList' : [ 0x1c, ['_LIST_ENTRY']], 'BestConfig' : [ 0x24, ['_LIST_ENTRY']], 'ActiveArbiterList' : [ 0x2c, ['_LIST_ENTRY']], 'State' : [ 0x34, ['unsigned char']], 'ResourcesChanged' : [ 0x35, ['unsigned char']], } ], '_DBGKD_CONTINUE' : [ 0x4, { 'ContinueStatus' : [ 0x0, ['long']], } ], '_WHEA_PCIEXPRESS_VERSION' : [ 0x4, { 'MinorVersion' : [ 0x0, ['unsigned char']], 'MajorVersion' : [ 0x1, ['unsigned char']], 'Reserved' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_SECURITY_DESCRIPTOR' : [ 0x14, { 'Revision' : [ 0x0, ['unsigned char']], 'Sbz1' : [ 0x1, ['unsigned char']], 'Control' : [ 0x2, ['unsigned short']], 'Owner' : [ 0x4, ['pointer', ['void']]], 'Group' : [ 0x8, ['pointer', ['void']]], 'Sacl' : [ 0xc, ['pointer', ['_ACL']]], 'Dacl' : [ 0x10, ['pointer', ['_ACL']]], } ], '_RTL_USER_PROCESS_PARAMETERS' : [ 0x294, { 'MaximumLength' : [ 0x0, ['unsigned long']], 'Length' : [ 0x4, ['unsigned long']], 'Flags' : [ 0x8, ['unsigned long']], 'DebugFlags' : [ 0xc, ['unsigned long']], 'ConsoleHandle' : [ 0x10, ['pointer', ['void']]], 'ConsoleFlags' : [ 0x14, ['unsigned long']], 'StandardInput' : [ 0x18, ['pointer', ['void']]], 'StandardOutput' : [ 0x1c, ['pointer', ['void']]], 'StandardError' : [ 0x20, ['pointer', ['void']]], 'CurrentDirectory' : [ 0x24, ['_CURDIR']], 'DllPath' : [ 0x30, ['_UNICODE_STRING']], 'ImagePathName' : [ 0x38, ['_UNICODE_STRING']], 'CommandLine' : [ 0x40, ['_UNICODE_STRING']], 'Environment' : [ 0x48, ['pointer', ['void']]], 'StartingX' : [ 0x4c, ['unsigned long']], 'StartingY' : [ 0x50, ['unsigned long']], 'CountX' : [ 0x54, ['unsigned long']], 'CountY' : [ 0x58, ['unsigned long']], 'CountCharsX' : [ 0x5c, ['unsigned long']], 'CountCharsY' : [ 0x60, ['unsigned long']], 'FillAttribute' 
: [ 0x64, ['unsigned long']], 'WindowFlags' : [ 0x68, ['unsigned long']], 'ShowWindowFlags' : [ 0x6c, ['unsigned long']], 'WindowTitle' : [ 0x70, ['_UNICODE_STRING']], 'DesktopInfo' : [ 0x78, ['_UNICODE_STRING']], 'ShellInfo' : [ 0x80, ['_UNICODE_STRING']], 'RuntimeData' : [ 0x88, ['_UNICODE_STRING']], 'CurrentDirectores' : [ 0x90, ['array', 32, ['_RTL_DRIVE_LETTER_CURDIR']]], 'EnvironmentSize' : [ 0x290, ['unsigned long']], } ], '_PHYSICAL_MEMORY_RUN' : [ 0x8, { 'BasePage' : [ 0x0, ['unsigned long']], 'PageCount' : [ 0x4, ['unsigned long']], } ], '_MI_VERIFIER_DRIVER_ENTRY' : [ 0x58, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'Loads' : [ 0x8, ['unsigned long']], 'Unloads' : [ 0xc, ['unsigned long']], 'BaseName' : [ 0x10, ['_UNICODE_STRING']], 'StartAddress' : [ 0x18, ['pointer', ['void']]], 'EndAddress' : [ 0x1c, ['pointer', ['void']]], 'Flags' : [ 0x20, ['unsigned long']], 'Signature' : [ 0x24, ['unsigned long']], 'PoolPageHeaders' : [ 0x28, ['_SLIST_HEADER']], 'PoolTrackers' : [ 0x30, ['_SLIST_HEADER']], 'CurrentPagedPoolAllocations' : [ 0x38, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x3c, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PagedBytes' : [ 0x48, ['unsigned long']], 'NonPagedBytes' : [ 0x4c, ['unsigned long']], 'PeakPagedBytes' : [ 0x50, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x54, ['unsigned long']], } ], '_RTL_SRWLOCK' : [ 0x4, { 'Locked' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Waiting' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Waking' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'MultipleShared' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'Shared' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'Value' : [ 0x0, ['unsigned long']],
'Ptr' : [ 0x0, ['pointer', ['void']]], } ], '_ALPC_MESSAGE_ZONE' : [ 0x18, { 'Mdl' : [ 0x0, ['pointer', ['_MDL']]], 'UserVa' : [ 0x4, ['pointer', ['void']]], 'UserLimit' : [ 0x8, ['pointer', ['void']]], 'SystemVa' : [ 0xc, ['pointer', ['void']]], 'SystemLimit' : [ 0x10, ['pointer', ['void']]], 'Size' : [ 0x14, ['unsigned long']], } ], '_KTMOBJECT_NAMESPACE_LINK' : [ 0x14, { 'Links' : [ 0x0, ['_RTL_BALANCED_LINKS']], 'Expired' : [ 0x10, ['unsigned char']], } ], '_CACHE_MANAGER_CALLBACKS' : [ 0x10, { 'AcquireForLazyWrite' : [ 0x0, ['pointer', ['void']]], 'ReleaseFromLazyWrite' : [ 0x4, ['pointer', ['void']]], 'AcquireForReadAhead' : [ 0x8, ['pointer', ['void']]], 'ReleaseFromReadAhead' : [ 0xc, ['pointer', ['void']]], } ], '_FILE_BASIC_INFORMATION' : [ 0x28, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x20, ['unsigned long']], } ], '_RTL_RANGE' : [ 0x20, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'UserData' : [ 0x10, ['pointer', ['void']]], 'Owner' : [ 0x14, ['pointer', ['void']]], 'Attributes' : [ 0x18, ['unsigned char']], 'Flags' : [ 0x19, ['unsigned char']], } ], '_SYSTEM_POWER_POLICY' : [ 0xe8, { 'Revision' : [ 0x0, ['unsigned long']], 'PowerButton' : [ 0x4, ['POWER_ACTION_POLICY']], 'SleepButton' : [ 0x10, ['POWER_ACTION_POLICY']], 'LidClose' : [ 0x1c, ['POWER_ACTION_POLICY']], 'LidOpenWake' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'Reserved' : [ 0x2c, ['unsigned long']], 'Idle' : [ 0x30, ['POWER_ACTION_POLICY']], 'IdleTimeout' : [ 0x3c, ['unsigned long']], 'IdleSensitivity' : [ 0x40, ['unsigned char']], 'DynamicThrottle' : 
[ 0x41, ['unsigned char']], 'Spare2' : [ 0x42, ['array', 2, ['unsigned char']]], 'MinSleep' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MaxSleep' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'ReducedLatencySleep' : [ 0x4c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'WinLogonFlags' : [ 0x50, ['unsigned long']], 'Spare3' : [ 0x54, ['unsigned long']], 'DozeS4Timeout' : [ 0x58, ['unsigned long']], 'BroadcastCapacityResolution' : [ 0x5c, ['unsigned long']], 'DischargePolicy' : [ 0x60, ['array', 4, ['SYSTEM_POWER_LEVEL']]], 'VideoTimeout' : [ 0xc0, ['unsigned long']], 'VideoDimDisplay' : [ 0xc4, ['unsigned char']], 'VideoReserved' : [ 0xc8, ['array', 3, ['unsigned long']]], 'SpindownTimeout' : [ 0xd4, ['unsigned long']], 'OptimizeForPower' : [ 0xd8, ['unsigned char']], 'FanThrottleTolerance' : [ 0xd9, ['unsigned char']], 'ForcedThrottle' : [ 0xda, ['unsigned char']], 'MinThrottle' : [ 0xdb, ['unsigned char']], 'OverThrottled' : [ 0xdc, ['POWER_ACTION_POLICY']], } ], '_POOL_HEADER' : [ 0x8, { 'PreviousSize' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 'PoolIndex' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'BlockSize' : [ 0x2, ['BitField', dict(start_bit = 0, end_bit = 9, native_type='unsigned short')]], 
'PoolType' : [ 0x2, ['BitField', dict(start_bit = 9, end_bit = 16, native_type='unsigned short')]], 'Ulong1' : [ 0x0, ['unsigned long']], 'PoolTag' : [ 0x4, ['unsigned long']], 'AllocatorBackTraceIndex' : [ 0x4, ['unsigned short']], 'PoolTagHash' : [ 0x6, ['unsigned short']], } ], '_ETW_PROVIDER_TABLE_ENTRY' : [ 0x10, { 'RefCount' : [ 0x0, ['long']], 'State' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'EtwProviderStateFree', 1: 'EtwProviderStateTransition', 2: 'EtwProviderStateActive', 3: 'EtwProviderStateMax'})]], 'RegEntry' : [ 0x8, ['pointer', ['_ETW_REG_ENTRY']]], 'Caller' : [ 0xc, ['pointer', ['void']]], } ], '_SE_AUDIT_PROCESS_CREATION_INFO' : [ 0x4, { 'ImageFileName' : [ 0x0, ['pointer', ['_OBJECT_NAME_INFORMATION']]], } ], '_HEAP_ENTRY_EXTRA' : [ 0x8, { 'AllocatorBackTraceIndex' : [ 0x0, ['unsigned short']], 'TagIndex' : [ 0x2, ['unsigned short']], 'Settable' : [ 0x4, ['unsigned long']], 'ZeroInit' : [ 0x0, ['unsigned long long']], } ], '_VF_POOL_TRACE' : [ 0x40, { 'Address' : [ 0x0, ['pointer', ['void']]], 'Size' : [ 0x4, ['unsigned long']], 'Thread' : [ 0x8, ['pointer', ['_ETHREAD']]], 'StackTrace' : [ 0xc, ['array', 13, ['pointer', ['void']]]], } ], '__unnamed_1e6b' : [ 0x4, { 'LongFlags' : [ 0x0, ['unsigned long']], 'Flags' : [ 0x0, ['_MM_SESSION_SPACE_FLAGS']], } ], '_MM_SESSION_SPACE' : [ 0x1ec0, { 'ReferenceCount' : [ 0x0, ['long']], 'u' : [ 0x4, ['__unnamed_1e6b']], 'SessionId' : [ 0x8, ['unsigned long']], 'ProcessReferenceToSession' : [ 0xc, ['long']], 'ProcessList' : [ 0x10, ['_LIST_ENTRY']], 'LastProcessSwappedOutTime' : [ 0x18, ['_LARGE_INTEGER']], 'SessionPageDirectoryIndex' : [ 0x20, ['unsigned long']], 'NonPagablePages' : [ 0x24, ['unsigned long']], 'CommittedPages' : [ 0x28, ['unsigned long']], 'PagedPoolStart' : [ 0x2c, ['pointer', ['void']]], 'PagedPoolEnd' : [ 0x30, ['pointer', ['void']]], 'SessionObject' : [ 0x34, ['pointer', ['void']]], 'SessionObjectHandle' : [ 0x38, ['pointer', ['void']]], 'ResidentProcessCount' : [ 
0x3c, ['long']], 'ImageLoadingCount' : [ 0x40, ['long']], 'SessionPoolAllocationFailures' : [ 0x44, ['array', 4, ['unsigned long']]], 'ImageList' : [ 0x54, ['_LIST_ENTRY']], 'LocaleId' : [ 0x5c, ['unsigned long']], 'AttachCount' : [ 0x60, ['unsigned long']], 'AttachGate' : [ 0x64, ['_KGATE']], 'WsListEntry' : [ 0x74, ['_LIST_ENTRY']], 'Lookaside' : [ 0x80, ['array', 25, ['_GENERAL_LOOKASIDE']]], 'Session' : [ 0xd00, ['_MMSESSION']], 'PagedPoolInfo' : [ 0xd38, ['_MM_PAGED_POOL_INFO']], 'Vm' : [ 0xd70, ['_MMSUPPORT']], 'Wsle' : [ 0xdb8, ['pointer', ['_MMWSLE']]], 'DriverUnload' : [ 0xdbc, ['pointer', ['void']]], 'PagedPool' : [ 0xdc0, ['_POOL_DESCRIPTOR']], 'PageTables' : [ 0x1df4, ['pointer', ['_MMPTE']]], 'SpecialPool' : [ 0x1df8, ['_MI_SPECIAL_POOL']], 'SessionPteLock' : [ 0x1e10, ['_KGUARDED_MUTEX']], 'PoolBigEntriesInUse' : [ 0x1e30, ['long']], 'PagedPoolPdeCount' : [ 0x1e34, ['unsigned long']], 'SpecialPoolPdeCount' : [ 0x1e38, ['unsigned long']], 'DynamicSessionPdeCount' : [ 0x1e3c, ['unsigned long']], 'SystemPteInfo' : [ 0x1e40, ['_MI_SYSTEM_PTE_TYPE']], 'PoolTrackTableExpansion' : [ 0x1e6c, ['pointer', ['void']]], 'PoolTrackTableExpansionSize' : [ 0x1e70, ['unsigned long']], 'PoolTrackBigPages' : [ 0x1e74, ['pointer', ['void']]], 'PoolTrackBigPagesSize' : [ 0x1e78, ['unsigned long']], 'SessionPoolPdes' : [ 0x1e7c, ['_RTL_BITMAP']], } ], '_WORK_QUEUE_ITEM' : [ 0x10, { 'List' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '_OBJECT_HANDLE_COUNT_ENTRY' : [ 0x8, { 'Process' : [ 0x0, ['pointer', ['_EPROCESS']]], 'HandleCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'LockCount' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_CLIENT_ID' : [ 0x8, { 'UniqueProcess' : [ 0x0, ['pointer', ['void']]], 'UniqueThread' : [ 0x4, ['pointer', ['void']]], } ], '_VI_DEADLOCK_RESOURCE' : [ 0x80, { 'Type' : [ 
0x0, ['Enumeration', dict(target = 'long', choices = {0: 'VfDeadlockUnknown', 1: 'VfDeadlockMutex', 2: 'VfDeadlockMutexAbandoned', 3: 'VfDeadlockFastMutex', 4: 'VfDeadlockFastMutexUnsafe', 5: 'VfDeadlockSpinLock', 6: 'VfDeadlockTypeMaximum'})]], 'NodeCount' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'RecursionCount' : [ 0x4, ['BitField', dict(start_bit = 16, end_bit = 32, native_type='unsigned long')]], 'ResourceAddress' : [ 0x8, ['pointer', ['void']]], 'ThreadOwner' : [ 0xc, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'ResourceList' : [ 0x10, ['_LIST_ENTRY']], 'HashChainList' : [ 0x18, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x18, ['_LIST_ENTRY']], 'StackTrace' : [ 0x20, ['array', 8, ['pointer', ['void']]]], 'LastAcquireTrace' : [ 0x40, ['array', 8, ['pointer', ['void']]]], 'LastReleaseTrace' : [ 0x60, ['array', 8, ['pointer', ['void']]]], } ], '_DBGKD_GET_SET_BUS_DATA' : [ 0x14, { 'BusDataType' : [ 0x0, ['unsigned long']], 'BusNumber' : [ 0x4, ['unsigned long']], 'SlotNumber' : [ 0x8, ['unsigned long']], 'Offset' : [ 0xc, ['unsigned long']], 'Length' : [ 0x10, ['unsigned long']], } ], '_PRIVILEGE_SET' : [ 0x14, { 'PrivilegeCount' : [ 0x0, ['unsigned long']], 'Control' : [ 0x4, ['unsigned long']], 'Privilege' : [ 0x8, ['array', 1, ['_LUID_AND_ATTRIBUTES']]], } ], '_MMSECTION_FLAGS' : [ 0x4, { 'BeingDeleted' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'BeingCreated' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'BeingPurged' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'NoModifiedWriting' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'FailAllIo' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Image' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Based' : [ 0x0, ['BitField', 
dict(start_bit = 6, end_bit = 7, native_type='unsigned long')]], 'File' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long')]], 'Networked' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long')]], 'Rom' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long')]], 'PhysicalMemory' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'CopyOnWrite' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'Reserve' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'Commit' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'Accessed' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'WasPurged' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'UserReference' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'GlobalMemory' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'DeleteOnClose' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 19, native_type='unsigned long')]], 'FilePointerNull' : [ 0x0, ['BitField', dict(start_bit = 19, end_bit = 20, native_type='unsigned long')]], 'GlobalOnlyPerSession' : [ 0x0, ['BitField', dict(start_bit = 20, end_bit = 21, native_type='unsigned long')]], 'SetMappedFileIoComplete' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 22, native_type='unsigned long')]], 'CollidedFlush' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'NoChange' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 25, native_type='unsigned long')]], 'UserWritable' : [ 0x0, ['BitField', dict(start_bit = 25, end_bit = 26, 
native_type='unsigned long')]], 'PreferredNode' : [ 0x0, ['BitField', dict(start_bit = 26, end_bit = 32, native_type='unsigned long')]], } ], '_SECURITY_CLIENT_CONTEXT' : [ 0x3c, { 'SecurityQos' : [ 0x0, ['_SECURITY_QUALITY_OF_SERVICE']], 'ClientToken' : [ 0xc, ['pointer', ['void']]], 'DirectlyAccessClientToken' : [ 0x10, ['unsigned char']], 'DirectAccessEffectiveOnly' : [ 0x11, ['unsigned char']], 'ServerIsRemote' : [ 0x12, ['unsigned char']], 'ClientTokenControl' : [ 0x14, ['_TOKEN_CONTROL']], } ], '_MM_PAGED_POOL_INFO' : [ 0x38, { 'Mutex' : [ 0x0, ['_KGUARDED_MUTEX']], 'PagedPoolAllocationMap' : [ 0x20, ['_RTL_BITMAP']], 'FirstPteForPagedPool' : [ 0x28, ['pointer', ['_MMPTE']]], 'PagedPoolHint' : [ 0x2c, ['unsigned long']], 'PagedPoolCommit' : [ 0x30, ['unsigned long']], 'AllocatedPagedPool' : [ 0x34, ['unsigned long']], } ], '_BITMAP_RANGE' : [ 0x20, { 'Links' : [ 0x0, ['_LIST_ENTRY']], 'BasePage' : [ 0x8, ['long long']], 'FirstDirtyPage' : [ 0x10, ['unsigned long']], 'LastDirtyPage' : [ 0x14, ['unsigned long']], 'DirtyPages' : [ 0x18, ['unsigned long']], 'Bitmap' : [ 0x1c, ['pointer', ['unsigned long']]], } ], '_IO_SECURITY_CONTEXT' : [ 0x10, { 'SecurityQos' : [ 0x0, ['pointer', ['_SECURITY_QUALITY_OF_SERVICE']]], 'AccessState' : [ 0x4, ['pointer', ['_ACCESS_STATE']]], 'DesiredAccess' : [ 0x8, ['unsigned long']], 'FullCreateOptions' : [ 0xc, ['unsigned long']], } ], '_WHEA_GENERIC_PROCESSOR_ERROR' : [ 0xc0, { 'ValidBits' : [ 0x0, ['_WHEA_GENERIC_PROCESSOR_ERROR_VALIDBITS']], 'ProcessorType' : [ 0x8, ['unsigned char']], 'InstructionSet' : [ 0x9, ['unsigned char']], 'ErrorType' : [ 0xa, ['unsigned char']], 'Operation' : [ 0xb, ['unsigned char']], 'Flags' : [ 0xc, ['unsigned char']], 'Level' : [ 0xd, ['unsigned char']], 'Reserved' : [ 0xe, ['unsigned short']], 'CPUVersion' : [ 0x10, ['unsigned long long']], 'CPUBrandString' : [ 0x18, ['array', 128, ['unsigned char']]], 'ProcessorId' : [ 0x98, ['unsigned long long']], 'TargetAddress' : [ 0xa0, ['unsigned long long']],
'RequesterId' : [ 0xa8, ['unsigned long long']], 'ResponderId' : [ 0xb0, ['unsigned long long']], 'InstructionPointer' : [ 0xb8, ['unsigned long long']], } ], '_HANDLE_TRACE_DB_ENTRY' : [ 0x50, { 'ClientId' : [ 0x0, ['_CLIENT_ID']], 'Handle' : [ 0x8, ['pointer', ['void']]], 'Type' : [ 0xc, ['unsigned long']], 'StackTrace' : [ 0x10, ['array', 16, ['pointer', ['void']]]], } ], '_POP_TRIGGER_WAIT' : [ 0x20, { 'Event' : [ 0x0, ['_KEVENT']], 'Status' : [ 0x10, ['long']], 'Link' : [ 0x14, ['_LIST_ENTRY']], 'Trigger' : [ 0x1c, ['pointer', ['_POP_ACTION_TRIGGER']]], } ], '_IO_TIMER' : [ 0x18, { 'Type' : [ 0x0, ['short']], 'TimerFlag' : [ 0x2, ['short']], 'TimerList' : [ 0x4, ['_LIST_ENTRY']], 'TimerRoutine' : [ 0xc, ['pointer', ['void']]], 'Context' : [ 0x10, ['pointer', ['void']]], 'DeviceObject' : [ 0x14, ['pointer', ['_DEVICE_OBJECT']]], } ], '_FXSAVE_FORMAT' : [ 0x208, { 'ControlWord' : [ 0x0, ['unsigned short']], 'StatusWord' : [ 0x2, ['unsigned short']], 'TagWord' : [ 0x4, ['unsigned short']], 'ErrorOpcode' : [ 0x6, ['unsigned short']], 'ErrorOffset' : [ 0x8, ['unsigned long']], 'ErrorSelector' : [ 0xc, ['unsigned long']], 'DataOffset' : [ 0x10, ['unsigned long']], 'DataSelector' : [ 0x14, ['unsigned long']], 'MXCsr' : [ 0x18, ['unsigned long']], 'MXCsrMask' : [ 0x1c, ['unsigned long']], 'RegisterArea' : [ 0x20, ['array', 128, ['unsigned char']]], 'Reserved3' : [ 0xa0, ['array', 128, ['unsigned char']]], 'Reserved4' : [ 0x120, ['array', 224, ['unsigned char']]], 'Align16Byte' : [ 0x200, ['array', 8, ['unsigned char']]], } ], '_ARBITER_TEST_ALLOCATION_PARAMETERS' : [ 0xc, { 'ArbitrationList' : [ 0x0, ['pointer', ['_LIST_ENTRY']]], 'AllocateFromCount' : [ 0x4, ['unsigned long']], 'AllocateFrom' : [ 0x8, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], } ], '_MI_SPECIAL_POOL' : [ 0x18, { 'PteBase' : [ 0x0, ['pointer', ['_MMPTE']]], 'FreePteHead' : [ 0x4, ['_MMPTE']], 'FreePteTail' : [ 0x8, ['_MMPTE']], 'PagesInUse' : [ 0xc, ['long']], 'SpecialPoolPdes' : [ 
0x10, ['_RTL_BITMAP']], } ], '_ARBITER_QUERY_CONFLICT_PARAMETERS' : [ 0x10, { 'PhysicalDeviceObject' : [ 0x0, ['pointer', ['_DEVICE_OBJECT']]], 'ConflictingResource' : [ 0x4, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'ConflictCount' : [ 0x8, ['pointer', ['unsigned long']]], 'Conflicts' : [ 0xc, ['pointer', ['pointer', ['_ARBITER_CONFLICT_INFO']]]], } ], '_PHYSICAL_MEMORY_DESCRIPTOR' : [ 0x10, { 'NumberOfRuns' : [ 0x0, ['unsigned long']], 'NumberOfPages' : [ 0x4, ['unsigned long']], 'Run' : [ 0x8, ['array', 1, ['_PHYSICAL_MEMORY_RUN']]], } ], '_PNP_DEVICE_EVENT_LIST' : [ 0x4c, { 'Status' : [ 0x0, ['long']], 'EventQueueMutex' : [ 0x4, ['_KMUTANT']], 'Lock' : [ 0x24, ['_KGUARDED_MUTEX']], 'List' : [ 0x44, ['_LIST_ENTRY']], } ], '_MAILSLOT_CREATE_PARAMETERS' : [ 0x18, { 'MailslotQuota' : [ 0x0, ['unsigned long']], 'MaximumMessageSize' : [ 0x4, ['unsigned long']], 'ReadTimeout' : [ 0x8, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x10, ['unsigned char']], } ], '_PO_IRP_MANAGER' : [ 0x10, { 'DeviceIrpQueue' : [ 0x0, ['_PO_IRP_QUEUE']], 'SystemIrpQueue' : [ 0x8, ['_PO_IRP_QUEUE']], } ], '_WHEA_PCIEXPRESS_BRIDGE_CONTROL_STATUS' : [ 0x4, { 'BridgeSecondaryStatus' : [ 0x0, ['unsigned short']], 'BridgeControl' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_KDPC_DATA' : [ 0x14, { 'DpcListHead' : [ 0x0, ['_LIST_ENTRY']], 'DpcLock' : [ 0x8, ['unsigned long']], 'DpcQueueDepth' : [ 0xc, ['long']], 'DpcCount' : [ 0x10, ['unsigned long']], } ], '_NAMED_PIPE_CREATE_PARAMETERS' : [ 0x28, { 'NamedPipeType' : [ 0x0, ['unsigned long']], 'ReadMode' : [ 0x4, ['unsigned long']], 'CompletionMode' : [ 0x8, ['unsigned long']], 'MaximumInstances' : [ 0xc, ['unsigned long']], 'InboundQuota' : [ 0x10, ['unsigned long']], 'OutboundQuota' : [ 0x14, ['unsigned long']], 'DefaultTimeout' : [ 0x18, ['_LARGE_INTEGER']], 'TimeoutSpecified' : [ 0x20, ['unsigned char']], } ], '_CM_BIG_DATA' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, ['unsigned short']],
'List' : [ 0x4, ['unsigned long']], } ], '_CM_WORKITEM' : [ 0x10, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'WorkerRoutine' : [ 0x8, ['pointer', ['void']]], 'Parameter' : [ 0xc, ['pointer', ['void']]], } ], '__unnamed_1ee4' : [ 0x8, { 'UserData' : [ 0x0, ['pointer', ['void']]], 'Owner' : [ 0x4, ['pointer', ['void']]], } ], '__unnamed_1ee6' : [ 0x8, { 'ListHead' : [ 0x0, ['_LIST_ENTRY']], } ], '_RTLP_RANGE_LIST_ENTRY' : [ 0x28, { 'Start' : [ 0x0, ['unsigned long long']], 'End' : [ 0x8, ['unsigned long long']], 'Allocated' : [ 0x10, ['__unnamed_1ee4']], 'Merged' : [ 0x10, ['__unnamed_1ee6']], 'Attributes' : [ 0x18, ['unsigned char']], 'PublicFlags' : [ 0x19, ['unsigned char']], 'PrivateFlags' : [ 0x1a, ['unsigned short']], 'ListEntry' : [ 0x1c, ['_LIST_ENTRY']], } ], '_ALPC_COMPLETION_PACKET_LOOKASIDE_ENTRY' : [ 0xc, { 'ListEntry' : [ 0x0, ['_SINGLE_LIST_ENTRY']], 'Packet' : [ 0x4, ['pointer', ['void']]], 'Lookaside' : [ 0x8, ['pointer', ['_ALPC_COMPLETION_PACKET_LOOKASIDE']]], } ], '__unnamed_1eed' : [ 0x2, { 'AsUSHORT' : [ 0x0, ['unsigned short']], 'AllowScaling' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned short')]], 'Disabled' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned short')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 16, native_type='unsigned short')]], } ], 'PROCESSOR_IDLESTATE_POLICY' : [ 0x20, { 'Revision' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['__unnamed_1eed']], 'PolicyCount' : [ 0x4, ['unsigned long']], 'Policy' : [ 0x8, ['array', 3, ['PROCESSOR_IDLESTATE_INFO']]], } ], '_ACTIVATION_CONTEXT_STACK' : [ 0x18, { 'ActiveFrame' : [ 0x0, ['pointer', ['_RTL_ACTIVATION_CONTEXT_STACK_FRAME']]], 'FrameListCache' : [ 0x4, ['_LIST_ENTRY']], 'Flags' : [ 0xc, ['unsigned long']], 'NextCookieSequenceNumber' : [ 0x10, ['unsigned long']], 'StackId' : [ 0x14, ['unsigned long']], } ], '_MSUBSECTION' : [ 0x38, { 'ControlArea' : [ 0x0, ['pointer', ['_CONTROL_AREA']]], 
'SubsectionBase' : [ 0x4, ['pointer', ['_MMPTE']]], 'NextSubsection' : [ 0x8, ['pointer', ['_SUBSECTION']]], 'NextMappedSubsection' : [ 0x8, ['pointer', ['_MSUBSECTION']]], 'PtesInSubsection' : [ 0xc, ['unsigned long']], 'UnusedPtes' : [ 0x10, ['unsigned long']], 'GlobalPerSessionHead' : [ 0x10, ['pointer', ['_MM_AVL_TABLE']]], 'u' : [ 0x14, ['__unnamed_14c1']], 'StartingSector' : [ 0x18, ['unsigned long']], 'NumberOfFullSectors' : [ 0x1c, ['unsigned long']], 'u1' : [ 0x20, ['__unnamed_1cfb']], 'LeftChild' : [ 0x24, ['pointer', ['_MMSUBSECTION_NODE']]], 'RightChild' : [ 0x28, ['pointer', ['_MMSUBSECTION_NODE']]], 'DereferenceList' : [ 0x2c, ['_LIST_ENTRY']], 'NumberOfMappedViews' : [ 0x34, ['unsigned long']], } ], '_RTL_DRIVE_LETTER_CURDIR' : [ 0x10, { 'Flags' : [ 0x0, ['unsigned short']], 'Length' : [ 0x2, ['unsigned short']], 'TimeStamp' : [ 0x4, ['unsigned long']], 'DosPath' : [ 0x8, ['_STRING']], } ], '_VIRTUAL_EFI_RUNTIME_SERVICES' : [ 0x38, { 'GetTime' : [ 0x0, ['unsigned long']], 'SetTime' : [ 0x4, ['unsigned long']], 'GetWakeupTime' : [ 0x8, ['unsigned long']], 'SetWakeupTime' : [ 0xc, ['unsigned long']], 'SetVirtualAddressMap' : [ 0x10, ['unsigned long']], 'ConvertPointer' : [ 0x14, ['unsigned long']], 'GetVariable' : [ 0x18, ['unsigned long']], 'GetNextVariableName' : [ 0x1c, ['unsigned long']], 'SetVariable' : [ 0x20, ['unsigned long']], 'GetNextHighMonotonicCount' : [ 0x24, ['unsigned long']], 'ResetSystem' : [ 0x28, ['unsigned long']], 'UpdateCapsule' : [ 0x2c, ['unsigned long']], 'QueryCapsuleCapabilities' : [ 0x30, ['unsigned long']], 'QueryVariableInfo' : [ 0x34, ['unsigned long']], } ], 'SYSTEM_POWER_CAPABILITIES' : [ 0x4c, { 'PowerButtonPresent' : [ 0x0, ['unsigned char']], 'SleepButtonPresent' : [ 0x1, ['unsigned char']], 'LidPresent' : [ 0x2, ['unsigned char']], 'SystemS1' : [ 0x3, ['unsigned char']], 'SystemS2' : [ 0x4, ['unsigned char']], 'SystemS3' : [ 0x5, ['unsigned char']], 'SystemS4' : [ 0x6, ['unsigned char']], 'SystemS5' : [ 0x7, 
['unsigned char']], 'HiberFilePresent' : [ 0x8, ['unsigned char']], 'FullWake' : [ 0x9, ['unsigned char']], 'VideoDimPresent' : [ 0xa, ['unsigned char']], 'ApmPresent' : [ 0xb, ['unsigned char']], 'UpsPresent' : [ 0xc, ['unsigned char']], 'ThermalControl' : [ 0xd, ['unsigned char']], 'ProcessorThrottle' : [ 0xe, ['unsigned char']], 'ProcessorMinThrottle' : [ 0xf, ['unsigned char']], 'ProcessorMaxThrottle' : [ 0x10, ['unsigned char']], 'FastSystemS4' : [ 0x11, ['unsigned char']], 'spare2' : [ 0x12, ['array', 3, ['unsigned char']]], 'DiskSpinDown' : [ 0x15, ['unsigned char']], 'spare3' : [ 0x16, ['array', 8, ['unsigned char']]], 'SystemBatteriesPresent' : [ 0x1e, ['unsigned char']], 'BatteriesAreShortTerm' : [ 0x1f, ['unsigned char']], 'BatteryScale' : [ 0x20, ['array', 3, ['BATTERY_REPORTING_SCALE']]], 'AcOnLineWake' : [ 0x38, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SoftLidWake' : [ 0x3c, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'RtcWake' : [ 0x40, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'MinDeviceWakeState' : [ 0x44, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 
'DefaultLowLatencyWake' : [ 0x48, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_WHEA_MEMORY_ERROR_VALIDBITS' : [ 0x8, { 'ErrorStatus' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'PhysicalAddress' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'PhysicalAddressMask' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'Node' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'Card' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'Module' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'Bank' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'Device' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Row' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 9, native_type='unsigned long long')]], 'Column' : [ 0x0, ['BitField', dict(start_bit = 9, end_bit = 10, native_type='unsigned long long')]], 'BitPosition' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long long')]], 'RequesterId' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long long')]], 'ResponderId' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long long')]], 'TargetId' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long long')]], 'ErrorType' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 64, 
native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_WHEA_PCIEXPRESS_DEVICE_ID' : [ 0x10, { 'VendorID' : [ 0x0, ['unsigned short']], 'DeviceID' : [ 0x2, ['unsigned short']], 'ClassCode' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'FunctionNumber' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'DeviceNumber' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Segment' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 24, native_type='unsigned long')]], 'PrimaryBusNumber' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'SecondaryBusNumber' : [ 0xc, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'Reserved1' : [ 0xc, ['BitField', dict(start_bit = 8, end_bit = 10, native_type='unsigned long')]], 'SlotNumber' : [ 0xc, ['BitField', dict(start_bit = 10, end_bit = 24, native_type='unsigned long')]], 'Reserved2' : [ 0xc, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_WNODE_HEADER' : [ 0x30, { 'BufferSize' : [ 0x0, ['unsigned long']], 'ProviderId' : [ 0x4, ['unsigned long']], 'HistoricalContext' : [ 0x8, ['unsigned long long']], 'Version' : [ 0x8, ['unsigned long']], 'Linkage' : [ 0xc, ['unsigned long']], 'CountLost' : [ 0x10, ['unsigned long']], 'KernelHandle' : [ 0x10, ['pointer', ['void']]], 'TimeStamp' : [ 0x10, ['_LARGE_INTEGER']], 'Guid' : [ 0x18, ['_GUID']], 'ClientContext' : [ 0x28, ['unsigned long']], 'Flags' : [ 0x2c, ['unsigned long']], } ], '__unnamed_1f11' : [ 0x4, { 'ImageCommitment' : [ 0x0, ['unsigned long']], 'CreatingProcess' : [ 0x0, ['pointer', ['_EPROCESS']]], } ], '__unnamed_1f15' : [ 0x4, { 'ImageInformation' : [ 0x0, ['pointer', ['_MI_SECTION_IMAGE_INFORMATION']]], 'FirstMappedVa' : [ 0x0, ['pointer', ['void']]], } ], '_SEGMENT' : [ 0x30, { 'ControlArea' : [ 0x0, ['pointer', 
['_CONTROL_AREA']]], 'TotalNumberOfPtes' : [ 0x4, ['unsigned long']], 'SegmentFlags' : [ 0x8, ['_SEGMENT_FLAGS']], 'NumberOfCommittedPages' : [ 0xc, ['unsigned long']], 'SizeOfSegment' : [ 0x10, ['unsigned long long']], 'ExtendInfo' : [ 0x18, ['pointer', ['_MMEXTEND_INFO']]], 'BasedAddress' : [ 0x18, ['pointer', ['void']]], 'SegmentLock' : [ 0x1c, ['_EX_PUSH_LOCK']], 'u1' : [ 0x20, ['__unnamed_1f11']], 'u2' : [ 0x24, ['__unnamed_1f15']], 'PrototypePte' : [ 0x28, ['pointer', ['_MMPTE']]], 'ThePtes' : [ 0x2c, ['array', 1, ['_MMPTE']]], } ], '_WHEA_PCIXDEVICE_ID' : [ 0x10, { 'VendorId' : [ 0x0, ['unsigned short']], 'DeviceId' : [ 0x2, ['unsigned short']], 'ClassCode' : [ 0x4, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long')]], 'FunctionNumber' : [ 0x4, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'DeviceNumber' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 8, native_type='unsigned long')]], 'BusNumber' : [ 0x8, ['BitField', dict(start_bit = 8, end_bit = 16, native_type='unsigned long')]], 'SegmentNumber' : [ 0x8, ['BitField', dict(start_bit = 16, end_bit = 24, native_type='unsigned long')]], 'Reserved1' : [ 0x8, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'Reserved2' : [ 0xc, ['unsigned long']], } ], '_PCAT_FIRMWARE_INFORMATION' : [ 0x4, { 'PlaceHolder' : [ 0x0, ['unsigned long']], } ], '_PRIVATE_CACHE_MAP' : [ 0x58, { 'NodeTypeCode' : [ 0x0, ['short']], 'Flags' : [ 0x0, ['_PRIVATE_CACHE_MAP_FLAGS']], 'UlongFlags' : [ 0x0, ['unsigned long']], 'ReadAheadMask' : [ 0x4, ['unsigned long']], 'FileObject' : [ 0x8, ['pointer', ['_FILE_OBJECT']]], 'FileOffset1' : [ 0x10, ['_LARGE_INTEGER']], 'BeyondLastByte1' : [ 0x18, ['_LARGE_INTEGER']], 'FileOffset2' : [ 0x20, ['_LARGE_INTEGER']], 'BeyondLastByte2' : [ 0x28, ['_LARGE_INTEGER']], 'ReadAheadOffset' : [ 0x30, ['array', 2, ['_LARGE_INTEGER']]], 'ReadAheadLength' : [ 0x40, ['array', 2, ['unsigned long']]], 'ReadAheadSpinLock' 
: [ 0x48, ['unsigned long']], 'PrivateLinks' : [ 0x4c, ['_LIST_ENTRY']], 'ReadAheadWorkItem' : [ 0x54, ['pointer', ['void']]], } ], '_CM_KEY_NODE' : [ 0x50, { 'Signature' : [ 0x0, ['unsigned short']], 'Flags' : [ 0x2, ['unsigned short']], 'LastWriteTime' : [ 0x4, ['_LARGE_INTEGER']], 'Spare' : [ 0xc, ['unsigned long']], 'Parent' : [ 0x10, ['unsigned long']], 'SubKeyCounts' : [ 0x14, ['array', 2, ['unsigned long']]], 'SubKeyLists' : [ 0x1c, ['array', 2, ['unsigned long']]], 'ValueList' : [ 0x24, ['_CHILD_LIST']], 'ChildHiveReference' : [ 0x1c, ['_CM_KEY_REFERENCE']], 'Security' : [ 0x2c, ['unsigned long']], 'Class' : [ 0x30, ['unsigned long']], 'MaxNameLen' : [ 0x34, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'UserFlags' : [ 0x34, ['BitField', dict(start_bit = 16, end_bit = 20, native_type='unsigned long')]], 'VirtControlFlags' : [ 0x34, ['BitField', dict(start_bit = 20, end_bit = 24, native_type='unsigned long')]], 'Debug' : [ 0x34, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], 'MaxClassLen' : [ 0x38, ['unsigned long']], 'MaxValueNameLen' : [ 0x3c, ['unsigned long']], 'MaxValueDataLen' : [ 0x40, ['unsigned long']], 'WorkVar' : [ 0x44, ['unsigned long']], 'NameLength' : [ 0x48, ['unsigned short']], 'ClassLength' : [ 0x4a, ['unsigned short']], 'Name' : [ 0x4c, ['array', 1, ['wchar']]], } ], '_RTL_HANDLE_TABLE' : [ 0x20, { 'MaximumNumberOfHandles' : [ 0x0, ['unsigned long']], 'SizeOfHandleTableEntry' : [ 0x4, ['unsigned long']], 'Reserved' : [ 0x8, ['array', 2, ['unsigned long']]], 'FreeHandles' : [ 0x10, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'CommittedHandles' : [ 0x14, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'UnCommittedHandles' : [ 0x18, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], 'MaxReservedHandles' : [ 0x1c, ['pointer', ['_RTL_HANDLE_TABLE_ENTRY']]], } ], '_PTE_TRACKER' : [ 0x30, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Mdl' : [ 0x8, ['pointer', ['_MDL']]], 'Count' : [ 0xc, ['unsigned 
long']], 'SystemVa' : [ 0x10, ['pointer', ['void']]], 'StartVa' : [ 0x14, ['pointer', ['void']]], 'Offset' : [ 0x18, ['unsigned long']], 'Length' : [ 0x1c, ['unsigned long']], 'Page' : [ 0x20, ['unsigned long']], 'IoMapping' : [ 0x24, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Matched' : [ 0x24, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'CacheAttribute' : [ 0x24, ['BitField', dict(start_bit = 2, end_bit = 4, native_type='unsigned long')]], 'Spare' : [ 0x24, ['BitField', dict(start_bit = 4, end_bit = 32, native_type='unsigned long')]], 'CallingAddress' : [ 0x28, ['pointer', ['void']]], 'CallersCaller' : [ 0x2c, ['pointer', ['void']]], } ], '_MMPFNLIST' : [ 0x10, { 'Total' : [ 0x0, ['unsigned long']], 'ListName' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ZeroedPageList', 1: 'FreePageList', 2: 'StandbyPageList', 3: 'ModifiedPageList', 4: 'ModifiedNoWritePageList', 5: 'BadPageList', 6: 'ActiveAndValid', 7: 'TransitionPage'})]], 'Flink' : [ 0x8, ['unsigned long']], 'Blink' : [ 0xc, ['unsigned long']], } ], '_DEVOBJ_EXTENSION' : [ 0x3c, { 'Type' : [ 0x0, ['short']], 'Size' : [ 0x2, ['unsigned short']], 'DeviceObject' : [ 0x4, ['pointer', ['_DEVICE_OBJECT']]], 'PowerFlags' : [ 0x8, ['unsigned long']], 'Dope' : [ 0xc, ['pointer', ['_DEVICE_OBJECT_POWER_EXTENSION']]], 'ExtensionFlags' : [ 0x10, ['unsigned long']], 'DeviceNode' : [ 0x14, ['pointer', ['void']]], 'AttachedTo' : [ 0x18, ['pointer', ['_DEVICE_OBJECT']]], 'StartIoCount' : [ 0x1c, ['long']], 'StartIoKey' : [ 0x20, ['long']], 'StartIoFlags' : [ 0x24, ['unsigned long']], 'Vpb' : [ 0x28, ['pointer', ['_VPB']]], 'DependentList' : [ 0x2c, ['_LIST_ENTRY']], 'ProviderList' : [ 0x34, ['_LIST_ENTRY']], } ], '_DBGKD_GET_VERSION64' : [ 0x28, { 'MajorVersion' : [ 0x0, ['unsigned short']], 'MinorVersion' : [ 0x2, ['unsigned short']], 'ProtocolVersion' : [ 0x4, ['unsigned char']], 'KdSecondaryVersion' : [ 0x5, ['unsigned char']], 'Flags' 
: [ 0x6, ['unsigned short']], 'MachineType' : [ 0x8, ['unsigned short']], 'MaxPacketType' : [ 0xa, ['unsigned char']], 'MaxStateChange' : [ 0xb, ['unsigned char']], 'MaxManipulate' : [ 0xc, ['unsigned char']], 'Simulation' : [ 0xd, ['unsigned char']], 'Unused' : [ 0xe, ['array', 1, ['unsigned short']]], 'KernBase' : [ 0x10, ['unsigned long long']], 'PsLoadedModuleList' : [ 0x18, ['unsigned long long']], 'DebuggerDataList' : [ 0x20, ['unsigned long long']], } ], '_WHEA_PCIEXPRESS_COMMAND_STATUS' : [ 0x4, { 'Command' : [ 0x0, ['unsigned short']], 'Status' : [ 0x2, ['unsigned short']], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_HMAP_ENTRY' : [ 0x10, { 'BlockAddress' : [ 0x0, ['unsigned long']], 'BinAddress' : [ 0x4, ['unsigned long']], 'CmView' : [ 0x8, ['pointer', ['_CM_VIEW_OF_FILE']]], 'MemAlloc' : [ 0xc, ['unsigned long']], } ], '_RTL_ATOM_TABLE_ENTRY' : [ 0x10, { 'HashLink' : [ 0x0, ['pointer', ['_RTL_ATOM_TABLE_ENTRY']]], 'HandleIndex' : [ 0x4, ['unsigned short']], 'Atom' : [ 0x6, ['unsigned short']], 'ReferenceCount' : [ 0x8, ['unsigned short']], 'Flags' : [ 0xa, ['unsigned char']], 'NameLength' : [ 0xb, ['unsigned char']], 'Name' : [ 0xc, ['array', 1, ['wchar']]], } ], '_TXN_PARAMETER_BLOCK' : [ 0x8, { 'Length' : [ 0x0, ['unsigned short']], 'TxFsContext' : [ 0x2, ['unsigned short']], 'TransactionObject' : [ 0x4, ['pointer', ['void']]], } ], '_LOADER_PERFORMANCE_DATA' : [ 0x10, { 'StartTime' : [ 0x0, ['unsigned long long']], 'EndTime' : [ 0x8, ['unsigned long long']], } ], '_X86_DBGKD_CONTROL_SET' : [ 0x10, { 'TraceFlag' : [ 0x0, ['unsigned long']], 'Dr7' : [ 0x4, ['unsigned long']], 'CurrentSymbolStart' : [ 0x8, ['unsigned long']], 'CurrentSymbolEnd' : [ 0xc, ['unsigned long']], } ], '_MMSESSION' : [ 0x38, { 'SystemSpaceViewLock' : [ 0x0, ['_KGUARDED_MUTEX']], 'SystemSpaceViewLockPointer' : [ 0x20, ['pointer', ['_KGUARDED_MUTEX']]], 'SystemSpaceViewTable' : [ 0x24, ['pointer', ['_MMVIEW']]], 'SystemSpaceHashSize' : [ 0x28, ['unsigned long']], 
'SystemSpaceHashEntries' : [ 0x2c, ['unsigned long']], 'SystemSpaceHashKey' : [ 0x30, ['unsigned long']], 'BitmapFailures' : [ 0x34, ['unsigned long']], } ], '_WHEA_PCIEXPRESS_ERROR_VALIDBITS' : [ 0x8, { 'PortType' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long long')]], 'Version' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long long')]], 'CommandStatus' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long long')]], 'DeviceId' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long long')]], 'DeviceSerialNumber' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long long')]], 'BridgeControlStatus' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long long')]], 'ExpressCapability' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 7, native_type='unsigned long long')]], 'AerInfo' : [ 0x0, ['BitField', dict(start_bit = 7, end_bit = 8, native_type='unsigned long long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 8, end_bit = 64, native_type='unsigned long long')]], 'ValidBits' : [ 0x0, ['unsigned long long']], } ], '_ETW_REG_ENTRY' : [ 0x2c, { 'RegList' : [ 0x0, ['_LIST_ENTRY']], 'GuidEntry' : [ 0x8, ['pointer', ['_ETW_GUID_ENTRY']]], 'Index' : [ 0xc, ['unsigned short']], 'Flags' : [ 0xe, ['unsigned short']], 'EnableMask' : [ 0x10, ['unsigned char']], 'ReplyQueue' : [ 0x14, ['pointer', ['_ETW_REPLY_QUEUE']]], 'ReplySlot' : [ 0x14, ['array', 4, ['pointer', ['_ETW_REG_ENTRY']]]], 'Process' : [ 0x24, ['pointer', ['_EPROCESS']]], 'Callback' : [ 0x24, ['pointer', ['void']]], 'CallbackContext' : [ 0x28, ['pointer', ['void']]], } ], '_LPCP_PORT_OBJECT' : [ 0xa4, { 'ConnectionPort' : [ 0x0, ['pointer', ['_LPCP_PORT_OBJECT']]], 'ConnectedPort' : [ 0x4, ['pointer', ['_LPCP_PORT_OBJECT']]], 'MsgQueue' : [ 0x8, ['_LPCP_PORT_QUEUE']], 'Creator' : [ 0x18, ['_CLIENT_ID']], 'ClientSectionBase' : [ 
0x20, ['pointer', ['void']]], 'ServerSectionBase' : [ 0x24, ['pointer', ['void']]], 'PortContext' : [ 0x28, ['pointer', ['void']]], 'ClientThread' : [ 0x2c, ['pointer', ['_ETHREAD']]], 'SecurityQos' : [ 0x30, ['_SECURITY_QUALITY_OF_SERVICE']], 'StaticSecurity' : [ 0x3c, ['_SECURITY_CLIENT_CONTEXT']], 'LpcReplyChainHead' : [ 0x78, ['_LIST_ENTRY']], 'LpcDataInfoChainHead' : [ 0x80, ['_LIST_ENTRY']], 'ServerProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MappingProcess' : [ 0x88, ['pointer', ['_EPROCESS']]], 'MaxMessageLength' : [ 0x8c, ['unsigned short']], 'MaxConnectionInfoLength' : [ 0x8e, ['unsigned short']], 'Flags' : [ 0x90, ['unsigned long']], 'WaitEvent' : [ 0x94, ['_KEVENT']], } ], '_ARBITER_LIST_ENTRY' : [ 0x38, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'AlternativeCount' : [ 0x8, ['unsigned long']], 'Alternatives' : [ 0xc, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'PhysicalDeviceObject' : [ 0x10, ['pointer', ['_DEVICE_OBJECT']]], 'RequestSource' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'ArbiterRequestLegacyReported', 1: 'ArbiterRequestHalReported', 2: 'ArbiterRequestLegacyAssigned', 3: 'ArbiterRequestPnpDetected', 4: 'ArbiterRequestPnpEnumerated', -1: 'ArbiterRequestUndefined'})]], 'Flags' : [ 0x18, ['unsigned long']], 'WorkSpace' : [ 0x1c, ['long']], 'InterfaceType' : [ 0x20, ['Enumeration', dict(target = 'long', choices = {0: 'Internal', 1: 'Isa', 2: 'Eisa', 3: 'MicroChannel', 4: 'TurboChannel', 5: 'PCIBus', 6: 'VMEBus', 7: 'NuBus', 8: 'PCMCIABus', 9: 'CBus', 10: 'MPIBus', 11: 'MPSABus', 12: 'ProcessorInternal', 13: 'InternalPowerBus', 14: 'PNPISABus', 15: 'PNPBus', 16: 'Vmcs', 17: 'MaximumInterfaceType', -1: 'InterfaceTypeUndefined'})]], 'SlotNumber' : [ 0x24, ['unsigned long']], 'BusNumber' : [ 0x28, ['unsigned long']], 'Assignment' : [ 0x2c, ['pointer', ['_CM_PARTIAL_RESOURCE_DESCRIPTOR']]], 'SelectedAlternative' : [ 0x30, ['pointer', ['_IO_RESOURCE_DESCRIPTOR']]], 'Result' : [ 0x34, ['Enumeration', dict(target = 'long', choices = 
{0: 'ArbiterResultSuccess', 1: 'ArbiterResultExternalConflict', 2: 'ArbiterResultNullRequest', -1: 'ArbiterResultUndefined'})]], } ], '_KNODE' : [ 0x80, { 'PagedPoolSListHead' : [ 0x0, ['_SLIST_HEADER']], 'NonPagedPoolSListHead' : [ 0x8, ['array', 3, ['_SLIST_HEADER']]], 'PfnDereferenceSListHead' : [ 0x20, ['_SLIST_HEADER']], 'ProcessorMask' : [ 0x28, ['unsigned long']], 'Color' : [ 0x2c, ['unsigned char']], 'Seed' : [ 0x2d, ['unsigned char']], 'NodeNumber' : [ 0x2e, ['unsigned char']], 'Flags' : [ 0x2f, ['_flags']], 'MmShiftedColor' : [ 0x30, ['unsigned long']], 'FreeCount' : [ 0x34, ['array', 2, ['unsigned long']]], 'PfnDeferredList' : [ 0x3c, ['pointer', ['_SINGLE_LIST_ENTRY']]], 'CachedKernelStacks' : [ 0x40, ['_CACHED_KSTACK_LIST']], } ], '_CACHED_KSTACK_LIST' : [ 0x18, { 'SListHead' : [ 0x0, ['_SLIST_HEADER']], 'MinimumFree' : [ 0x8, ['long']], 'Misses' : [ 0xc, ['unsigned long']], 'MissesLast' : [ 0x10, ['unsigned long']], } ], '_POP_DEVICE_SYS_STATE' : [ 0x188, { 'IrpMinor' : [ 0x0, ['unsigned char']], 'SystemState' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], 'SpinLock' : [ 0x8, ['unsigned long']], 'Thread' : [ 0xc, ['pointer', ['_KTHREAD']]], 'AbortEvent' : [ 0x10, ['pointer', ['_KEVENT']]], 'ReadySemaphore' : [ 0x14, ['pointer', ['_KSEMAPHORE']]], 'FinishedSemaphore' : [ 0x18, ['pointer', ['_KSEMAPHORE']]], 'GetNewDeviceList' : [ 0x1c, ['unsigned char']], 'Order' : [ 0x20, ['_PO_DEVICE_NOTIFY_ORDER']], 'NotifyGdiLevelForPowerOn' : [ 0x168, ['long']], 'NotifyGdiLevelForResumeUI' : [ 0x16c, ['long']], 'Pending' : [ 0x170, ['_LIST_ENTRY']], 'Status' : [ 0x178, ['long']], 'FailedDevice' : [ 0x17c, ['pointer', ['_DEVICE_OBJECT']]], 'Waking' : [ 0x180, ['unsigned char']], 'Cancelled' : [ 0x181, ['unsigned char']], 'IgnoreErrors' : [ 
0x182, ['unsigned char']], 'IgnoreNotImplemented' : [ 0x183, ['unsigned char']], 'TimeRefreshLockAcquired' : [ 0x184, ['unsigned char']], } ], '_SEGMENT_FLAGS' : [ 0x4, { 'TotalNumberOfPtes4132' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 10, native_type='unsigned long')]], 'ExtraSharedWowSubsections' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'LargePages' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'WatchProto' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 13, native_type='unsigned long')]], 'DebugSymbolsLoaded' : [ 0x0, ['BitField', dict(start_bit = 13, end_bit = 14, native_type='unsigned long')]], 'WriteCombined' : [ 0x0, ['BitField', dict(start_bit = 14, end_bit = 15, native_type='unsigned long')]], 'NoCache' : [ 0x0, ['BitField', dict(start_bit = 15, end_bit = 16, native_type='unsigned long')]], 'FloppyMedia' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'DefaultProtectionMask' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 22, native_type='unsigned long')]], 'ContainsPxeSubsection' : [ 0x0, ['BitField', dict(start_bit = 22, end_bit = 23, native_type='unsigned long')]], 'Binary32' : [ 0x0, ['BitField', dict(start_bit = 23, end_bit = 24, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 32, native_type='unsigned long')]], } ], '_EX_WORK_QUEUE' : [ 0x3c, { 'WorkerQueue' : [ 0x0, ['_KQUEUE']], 'DynamicThreadCount' : [ 0x28, ['unsigned long']], 'WorkItemsProcessed' : [ 0x2c, ['unsigned long']], 'WorkItemsProcessedLastPass' : [ 0x30, ['unsigned long']], 'QueueDepthLastPass' : [ 0x34, ['unsigned long']], 'Info' : [ 0x38, ['EX_QUEUE_WORKER_INFO']], } ], '_SHARED_CACHE_MAP_LIST_CURSOR' : [ 0xc, { 'SharedCacheMapLinks' : [ 0x0, ['_LIST_ENTRY']], 'Flags' : [ 0x8, ['unsigned long']], } ], '_CM_KEY_INDEX' : [ 0x8, { 'Signature' : [ 0x0, ['unsigned short']], 'Count' : [ 0x2, 
['unsigned short']], 'List' : [ 0x4, ['array', 1, ['unsigned long']]], } ], '_VI_DEADLOCK_THREAD' : [ 0x1c, { 'Thread' : [ 0x0, ['pointer', ['_KTHREAD']]], 'CurrentSpinNode' : [ 0x4, ['pointer', ['_VI_DEADLOCK_NODE']]], 'CurrentOtherNode' : [ 0x8, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ListEntry' : [ 0xc, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0xc, ['_LIST_ENTRY']], 'NodeCount' : [ 0x14, ['unsigned long']], 'PagingCount' : [ 0x18, ['unsigned long']], } ], '_PPM_IDLE_STATE' : [ 0x20, { 'IdleHandler' : [ 0x0, ['pointer', ['void']]], 'Context' : [ 0x4, ['pointer', ['void']]], 'Latency' : [ 0x8, ['unsigned long']], 'Power' : [ 0xc, ['unsigned long']], 'TimeCheck' : [ 0x10, ['unsigned long']], 'StateFlags' : [ 0x14, ['unsigned long']], 'PromotePercent' : [ 0x18, ['unsigned char']], 'DemotePercent' : [ 0x19, ['unsigned char']], 'PromotePercentBase' : [ 0x1a, ['unsigned char']], 'DemotePercentBase' : [ 0x1b, ['unsigned char']], 'StateType' : [ 0x1c, ['unsigned char']], } ], '_WHEA_ERROR_RECORD_SECTION_DESCRIPTOR_FLAGS' : [ 0x4, { 'Primary' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'ContainmentWarning' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Reset' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'ThresholdExceeded' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'ResourceNotAvailable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'LatentError' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 6, native_type='unsigned long')]], 'Reserved' : [ 0x0, ['BitField', dict(start_bit = 6, end_bit = 32, native_type='unsigned long')]], 'AsULONG' : [ 0x0, ['unsigned long']], } ], '_KRESOURCEMANAGER' : [ 0x154, { 'NotificationAvailable' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'State' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 
'KResourceManagerUninitialized', 1: 'KResourceManagerOffline', 2: 'KResourceManagerOnline'})]], 'Flags' : [ 0x18, ['unsigned long']], 'Mutex' : [ 0x1c, ['_KMUTANT']], 'NamespaceLink' : [ 0x3c, ['_KTMOBJECT_NAMESPACE_LINK']], 'RmId' : [ 0x50, ['_GUID']], 'NotificationQueue' : [ 0x60, ['_KQUEUE']], 'NotificationMutex' : [ 0x88, ['_KMUTANT']], 'EnlistmentHead' : [ 0xa8, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0xb0, ['unsigned long']], 'NotificationRoutine' : [ 0xb4, ['pointer', ['void']]], 'Key' : [ 0xb8, ['pointer', ['void']]], 'ProtocolListHead' : [ 0xbc, ['_LIST_ENTRY']], 'PendingPropReqListHead' : [ 0xc4, ['_LIST_ENTRY']], 'CRMListEntry' : [ 0xcc, ['_LIST_ENTRY']], 'Tm' : [ 0xd4, ['pointer', ['_KTM']]], 'Description' : [ 0xd8, ['_UNICODE_STRING']], 'Enlistments' : [ 0xe0, ['_KTMOBJECT_NAMESPACE']], 'CompletionBinding' : [ 0x140, ['_KRESOURCEMANAGER_COMPLETION_BINDING']], } ], '_FILE_NETWORK_OPEN_INFORMATION' : [ 0x38, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LastAccessTime' : [ 0x8, ['_LARGE_INTEGER']], 'LastWriteTime' : [ 0x10, ['_LARGE_INTEGER']], 'ChangeTime' : [ 0x18, ['_LARGE_INTEGER']], 'AllocationSize' : [ 0x20, ['_LARGE_INTEGER']], 'EndOfFile' : [ 0x28, ['_LARGE_INTEGER']], 'FileAttributes' : [ 0x30, ['unsigned long']], } ], '_MM_DRIVER_VERIFIER_DATA' : [ 0x78, { 'Level' : [ 0x0, ['unsigned long']], 'RaiseIrqls' : [ 0x4, ['unsigned long']], 'AcquireSpinLocks' : [ 0x8, ['unsigned long']], 'SynchronizeExecutions' : [ 0xc, ['unsigned long']], 'AllocationsAttempted' : [ 0x10, ['unsigned long']], 'AllocationsSucceeded' : [ 0x14, ['unsigned long']], 'AllocationsSucceededSpecialPool' : [ 0x18, ['unsigned long']], 'AllocationsWithNoTag' : [ 0x1c, ['unsigned long']], 'TrimRequests' : [ 0x20, ['unsigned long']], 'Trims' : [ 0x24, ['unsigned long']], 'AllocationsFailed' : [ 0x28, ['unsigned long']], 'AllocationsFailedDeliberately' : [ 0x2c, ['unsigned long']], 'Loads' : [ 0x30, ['unsigned long']], 'Unloads' : [ 0x34, ['unsigned long']], 'UnTrackedPool' : [ 
0x38, ['unsigned long']], 'UserTrims' : [ 0x3c, ['unsigned long']], 'CurrentPagedPoolAllocations' : [ 0x40, ['unsigned long']], 'CurrentNonPagedPoolAllocations' : [ 0x44, ['unsigned long']], 'PeakPagedPoolAllocations' : [ 0x48, ['unsigned long']], 'PeakNonPagedPoolAllocations' : [ 0x4c, ['unsigned long']], 'PagedBytes' : [ 0x50, ['unsigned long']], 'NonPagedBytes' : [ 0x54, ['unsigned long']], 'PeakPagedBytes' : [ 0x58, ['unsigned long']], 'PeakNonPagedBytes' : [ 0x5c, ['unsigned long']], 'BurstAllocationsFailedDeliberately' : [ 0x60, ['unsigned long']], 'SessionTrims' : [ 0x64, ['unsigned long']], 'OptionChanges' : [ 0x68, ['unsigned long']], 'VerifyMode' : [ 0x6c, ['unsigned long']], 'PreviousBucketName' : [ 0x70, ['_UNICODE_STRING']], } ], '_HEAP_FREE_ENTRY_EXTRA' : [ 0x4, { 'TagIndex' : [ 0x0, ['unsigned short']], 'FreeBackTraceIndex' : [ 0x2, ['unsigned short']], } ], '_VI_DEADLOCK_GLOBALS' : [ 0x40e0, { 'TimeAcquire' : [ 0x0, ['long long']], 'TimeRelease' : [ 0x8, ['long long']], 'ResourceDatabase' : [ 0x10, ['pointer', ['_LIST_ENTRY']]], 'ResourceDatabaseCount' : [ 0x14, ['unsigned long']], 'ResourceAddressRange' : [ 0x18, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'ThreadDatabase' : [ 0x2010, ['pointer', ['_LIST_ENTRY']]], 'ThreadDatabaseCount' : [ 0x2014, ['unsigned long']], 'ThreadAddressRange' : [ 0x2018, ['array', 1023, ['_VI_DEADLOCK_ADDRESS_RANGE']]], 'AllocationFailures' : [ 0x4010, ['unsigned long']], 'NodesTrimmedBasedOnAge' : [ 0x4014, ['unsigned long']], 'NodesTrimmedBasedOnCount' : [ 0x4018, ['unsigned long']], 'NodesSearched' : [ 0x401c, ['unsigned long']], 'MaxNodesSearched' : [ 0x4020, ['unsigned long']], 'SequenceNumber' : [ 0x4024, ['unsigned long']], 'RecursionDepthLimit' : [ 0x4028, ['unsigned long']], 'SearchedNodesLimit' : [ 0x402c, ['unsigned long']], 'DepthLimitHits' : [ 0x4030, ['unsigned long']], 'SearchLimitHits' : [ 0x4034, ['unsigned long']], 'ABC_ACB_Skipped' : [ 0x4038, ['unsigned long']], 'OutOfOrderReleases' : [ 
0x403c, ['unsigned long']], 'NodesReleasedOutOfOrder' : [ 0x4040, ['unsigned long']], 'TotalReleases' : [ 0x4044, ['unsigned long']], 'RootNodesDeleted' : [ 0x4048, ['unsigned long']], 'ForgetHistoryCounter' : [ 0x404c, ['unsigned long']], 'Instigator' : [ 0x4050, ['pointer', ['void']]], 'NumberOfParticipants' : [ 0x4054, ['unsigned long']], 'Participant' : [ 0x4058, ['array', 32, ['pointer', ['_VI_DEADLOCK_NODE']]]], 'ChildrenCountWatermark' : [ 0x40d8, ['long']], } ], '_POP_DISPLAY_RESUME_CONTEXT' : [ 0x50, { 'WorkItem' : [ 0x0, ['_WORK_QUEUE_ITEM']], 'WorkerThread' : [ 0x10, ['pointer', ['_ETHREAD']]], 'PrepareUIEvent' : [ 0x14, ['_KEVENT']], 'PowerOnEvent' : [ 0x24, ['_KEVENT']], 'DoneEvent' : [ 0x34, ['_KEVENT']], 'WorkerQueued' : [ 0x44, ['unsigned long']], 'WorkerAbort' : [ 0x48, ['unsigned long']], 'NoResumeUI' : [ 0x4c, ['unsigned long']], } ], '_KTM' : [ 0x228, { 'cookie' : [ 0x0, ['unsigned long']], 'Mutex' : [ 0x4, ['_KMUTANT']], 'State' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'KKtmUninitialized', 1: 'KKtmInitialized', 2: 'KKtmRecovering', 3: 'KKtmOnline', 4: 'KKtmRecoveryFailed', 5: 'KKtmOffline'})]], 'NamespaceLink' : [ 0x28, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmIdentity' : [ 0x3c, ['_GUID']], 'Flags' : [ 0x4c, ['unsigned long']], 'VolatileFlags' : [ 0x50, ['unsigned long']], 'LogFileName' : [ 0x54, ['_UNICODE_STRING']], 'LogFileObject' : [ 0x5c, ['pointer', ['_FILE_OBJECT']]], 'MarshallingContext' : [ 0x60, ['pointer', ['void']]], 'LogManagementContext' : [ 0x64, ['pointer', ['void']]], 'Transactions' : [ 0x68, ['_KTMOBJECT_NAMESPACE']], 'ResourceManagers' : [ 0xc8, ['_KTMOBJECT_NAMESPACE']], 'LsnOrderedMutex' : [ 0x128, ['_KMUTANT']], 'LsnOrderedList' : [ 0x148, ['_LIST_ENTRY']], 'CommitVirtualClock' : [ 0x150, ['_LARGE_INTEGER']], 'CommitVirtualClockMutex' : [ 0x158, ['_FAST_MUTEX']], 'BaseLsn' : [ 0x178, ['_CLS_LSN']], 'CurrentReadLsn' : [ 0x180, ['_CLS_LSN']], 'LastRecoveredLsn' : [ 0x188, ['_CLS_LSN']], 'TmRmHandle' : [ 
0x190, ['pointer', ['void']]], 'TmRm' : [ 0x194, ['pointer', ['_KRESOURCEMANAGER']]], 'LogFullNotifyEvent' : [ 0x198, ['_KEVENT']], 'CheckpointWorkItem' : [ 0x1a8, ['_WORK_QUEUE_ITEM']], 'CheckpointTargetLsn' : [ 0x1b8, ['_CLS_LSN']], 'LogFullCompletedWorkItem' : [ 0x1c0, ['_WORK_QUEUE_ITEM']], 'LogWriteResource' : [ 0x1d0, ['_ERESOURCE']], 'LogFlags' : [ 0x208, ['unsigned long']], 'LogFullStatus' : [ 0x20c, ['long']], 'RecoveryStatus' : [ 0x210, ['long']], 'LastCheckBaseLsn' : [ 0x218, ['_CLS_LSN']], 'RestartOrderedList' : [ 0x220, ['_LIST_ENTRY']], } ], '_PNP_DEVICE_EVENT_ENTRY' : [ 0x60, { 'ListEntry' : [ 0x0, ['_LIST_ENTRY']], 'Argument' : [ 0x8, ['unsigned long']], 'CallerEvent' : [ 0xc, ['pointer', ['_KEVENT']]], 'Callback' : [ 0x10, ['pointer', ['void']]], 'Context' : [ 0x14, ['pointer', ['void']]], 'VetoType' : [ 0x18, ['pointer', ['Enumeration', dict(target = 'long', choices = {0: 'PNP_VetoTypeUnknown', 1: 'PNP_VetoLegacyDevice', 2: 'PNP_VetoPendingClose', 3: 'PNP_VetoWindowsApp', 4: 'PNP_VetoWindowsService', 5: 'PNP_VetoOutstandingOpen', 6: 'PNP_VetoDevice', 7: 'PNP_VetoDriver', 8: 'PNP_VetoIllegalDeviceRequest', 9: 'PNP_VetoInsufficientPower', 10: 'PNP_VetoNonDisableable', 11: 'PNP_VetoLegacyDriver', 12: 'PNP_VetoInsufficientRights'})]]], 'VetoName' : [ 0x1c, ['pointer', ['_UNICODE_STRING']]], 'Data' : [ 0x20, ['_PLUGPLAY_EVENT_BLOCK']], } ], '_CONFIGURATION_COMPONENT' : [ 0x24, { 'Class' : [ 0x0, ['Enumeration', dict(target = 'long', choices = {0: 'SystemClass', 1: 'ProcessorClass', 2: 'CacheClass', 3: 'AdapterClass', 4: 'ControllerClass', 5: 'PeripheralClass', 6: 'MemoryClass', 7: 'MaximumClass'})]], 'Type' : [ 0x4, ['Enumeration', dict(target = 'long', choices = {0: 'ArcSystem', 1: 'CentralProcessor', 2: 'FloatingPointProcessor', 3: 'PrimaryIcache', 4: 'PrimaryDcache', 5: 'SecondaryIcache', 6: 'SecondaryDcache', 7: 'SecondaryCache', 8: 'EisaAdapter', 9: 'TcAdapter', 10: 'ScsiAdapter', 11: 'DtiAdapter', 12: 'MultiFunctionAdapter', 13: 'DiskController', 
14: 'TapeController', 15: 'CdromController', 16: 'WormController', 17: 'SerialController', 18: 'NetworkController', 19: 'DisplayController', 20: 'ParallelController', 21: 'PointerController', 22: 'KeyboardController', 23: 'AudioController', 24: 'OtherController', 25: 'DiskPeripheral', 26: 'FloppyDiskPeripheral', 27: 'TapePeripheral', 28: 'ModemPeripheral', 29: 'MonitorPeripheral', 30: 'PrinterPeripheral', 31: 'PointerPeripheral', 32: 'KeyboardPeripheral', 33: 'TerminalPeripheral', 34: 'OtherPeripheral', 35: 'LinePeripheral', 36: 'NetworkPeripheral', 37: 'SystemMemory', 38: 'DockingInformation', 39: 'RealModeIrqRoutingTable', 40: 'RealModePCIEnumeration', 41: 'MaximumType'})]], 'Flags' : [ 0x8, ['_DEVICE_FLAGS']], 'Version' : [ 0xc, ['unsigned short']], 'Revision' : [ 0xe, ['unsigned short']], 'Key' : [ 0x10, ['unsigned long']], 'AffinityMask' : [ 0x14, ['unsigned long']], 'ConfigurationDataLength' : [ 0x18, ['unsigned long']], 'IdentifierLength' : [ 0x1c, ['unsigned long']], 'Identifier' : [ 0x20, ['pointer', ['unsigned char']]], } ], '_VF_BTS_RECORD' : [ 0xc, { 'JumpedFrom' : [ 0x0, ['pointer', ['void']]], 'JumpedTo' : [ 0x4, ['pointer', ['void']]], 'Unused1' : [ 0x8, ['BitField', dict(start_bit = 0, end_bit = 3, native_type='unsigned long')]], 'Predicted' : [ 0x8, ['BitField', dict(start_bit = 3, end_bit = 7, native_type='unsigned long')]], 'Unused2' : [ 0x8, ['BitField', dict(start_bit = 7, end_bit = 32, native_type='unsigned long')]], } ], '_KTRANSACTION' : [ 0x1e0, { 'OutcomeEvent' : [ 0x0, ['_KEVENT']], 'cookie' : [ 0x10, ['unsigned long']], 'Mutex' : [ 0x14, ['_KMUTANT']], 'TreeTx' : [ 0x34, ['pointer', ['_KTRANSACTION']]], 'GlobalNamespaceLink' : [ 0x38, ['_KTMOBJECT_NAMESPACE_LINK']], 'TmNamespaceLink' : [ 0x4c, ['_KTMOBJECT_NAMESPACE_LINK']], 'UOW' : [ 0x60, ['_GUID']], 'State' : [ 0x70, ['Enumeration', dict(target = 'long', choices = {0: 'KTransactionUninitialized', 1: 'KTransactionActive', 2: 'KTransactionPreparing', 3: 'KTransactionPrepared', 4: 
'KTransactionInDoubt', 5: 'KTransactionCommitted', 6: 'KTransactionAborted', 7: 'KTransactionDelegated', 8: 'KTransactionPrePreparing', 9: 'KTransactionForgotten', 10: 'KTransactionRecovering', 11: 'KTransactionPrePrepared'})]], 'Flags' : [ 0x74, ['unsigned long']], 'EnlistmentHead' : [ 0x78, ['_LIST_ENTRY']], 'EnlistmentCount' : [ 0x80, ['unsigned long']], 'RecoverableEnlistmentCount' : [ 0x84, ['unsigned long']], 'PrePrepareRequiredEnlistmentCount' : [ 0x88, ['unsigned long']], 'PrepareRequiredEnlistmentCount' : [ 0x8c, ['unsigned long']], 'OutcomeRequiredEnlistmentCount' : [ 0x90, ['unsigned long']], 'PendingResponses' : [ 0x94, ['unsigned long']], 'SuperiorEnlistment' : [ 0x98, ['pointer', ['_KENLISTMENT']]], 'LastLsn' : [ 0xa0, ['_CLS_LSN']], 'PromotedEntry' : [ 0xa8, ['_LIST_ENTRY']], 'PromoterTransaction' : [ 0xb0, ['pointer', ['_KTRANSACTION']]], 'PromotePropagation' : [ 0xb4, ['pointer', ['void']]], 'IsolationLevel' : [ 0xb8, ['unsigned long']], 'IsolationFlags' : [ 0xbc, ['unsigned long']], 'Timeout' : [ 0xc0, ['_LARGE_INTEGER']], 'Description' : [ 0xc8, ['_UNICODE_STRING']], 'RollbackThread' : [ 0xd0, ['pointer', ['_KTHREAD']]], 'RollbackWorkItem' : [ 0xd4, ['_WORK_QUEUE_ITEM']], 'RollbackDpc' : [ 0xe4, ['_KDPC']], 'RollbackTimer' : [ 0x108, ['_KTIMER']], 'LsnOrderedEntry' : [ 0x130, ['_LIST_ENTRY']], 'Outcome' : [ 0x138, ['Enumeration', dict(target = 'long', choices = {0: 'KTxOutcomeUninitialized', 1: 'KTxOutcomeUndetermined', 2: 'KTxOutcomeCommitted', 3: 'KTxOutcomeAborted', 4: 'KTxOutcomeUnavailable'})]], 'Tm' : [ 0x13c, ['pointer', ['_KTM']]], 'CommitReservation' : [ 0x140, ['long long']], 'TransactionHistory' : [ 0x148, ['array', 10, ['_KTRANSACTION_HISTORY']]], 'TransactionHistoryCount' : [ 0x198, ['unsigned long']], 'DTCPrivateInformation' : [ 0x19c, ['pointer', ['void']]], 'DTCPrivateInformationLength' : [ 0x1a0, ['unsigned long']], 'DTCPrivateInformationMutex' : [ 0x1a4, ['_KMUTANT']], 'PromotedTxSelfHandle' : [ 0x1c4, ['pointer', ['void']]], 
'PendingPromotionCount' : [ 0x1c8, ['unsigned long']], 'PromotionCompletedEvent' : [ 0x1cc, ['_KEVENT']], } ], '_PRIVATE_CACHE_MAP_FLAGS' : [ 0x4, { 'DontUse' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 16, native_type='unsigned long')]], 'ReadAheadActive' : [ 0x0, ['BitField', dict(start_bit = 16, end_bit = 17, native_type='unsigned long')]], 'ReadAheadEnabled' : [ 0x0, ['BitField', dict(start_bit = 17, end_bit = 18, native_type='unsigned long')]], 'PagePriority' : [ 0x0, ['BitField', dict(start_bit = 18, end_bit = 21, native_type='unsigned long')]], 'Available' : [ 0x0, ['BitField', dict(start_bit = 21, end_bit = 32, native_type='unsigned long')]], } ], '_CM_KCB_UOW' : [ 0x38, { 'TransactionListEntry' : [ 0x0, ['_LIST_ENTRY']], 'KCBLock' : [ 0x8, ['pointer', ['_CM_INTENT_LOCK']]], 'KeyLock' : [ 0xc, ['pointer', ['_CM_INTENT_LOCK']]], 'KCBListEntry' : [ 0x10, ['_LIST_ENTRY']], 'KeyControlBlock' : [ 0x18, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'Transaction' : [ 0x1c, ['pointer', ['_CM_TRANS']]], 'UoWState' : [ 0x20, ['unsigned long']], 'ActionType' : [ 0x24, ['Enumeration', dict(target = 'long', choices = {0: 'UoWAddThisKey', 1: 'UoWAddChildKey', 2: 'UoWDeleteThisKey', 3: 'UoWDeleteChildKey', 4: 'UoWSetValueNew', 5: 'UoWSetValueExisting', 6: 'UoWDeleteValue', 7: 'UoWSetKeyUserFlags', 8: 'UoWSetLastWriteTime', 9: 'UoWSetSecurityDescriptor', 10: 'UoWRenameSubKey', 11: 'UoWRenameOldSubKey', 12: 'UoWRenameNewSubKey', 13: 'UoWIsolation', 14: 'UoWInvalid'})]], 'StorageType' : [ 0x28, ['Enumeration', dict(target = 'long', choices = {0: 'Stable', 1: 'Volatile', 2: 'InvalidStorage'})]], 'ChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'VolatileKeyCell' : [ 0x30, ['unsigned long']], 'OldValueCell' : [ 0x30, ['unsigned long']], 'NewValueCell' : [ 0x34, ['unsigned long']], 'UserFlags' : [ 0x30, ['unsigned long']], 'LastWriteTime' : [ 0x30, ['_LARGE_INTEGER']], 'TxSecurityCell' : [ 0x30, ['unsigned long']], 'OldChildKCB' : [ 0x30, ['pointer', 
['_CM_KEY_CONTROL_BLOCK']]], 'NewChildKCB' : [ 0x34, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'OtherChildKCB' : [ 0x30, ['pointer', ['_CM_KEY_CONTROL_BLOCK']]], 'ThisVolatileKeyCell' : [ 0x34, ['unsigned long']], } ], '_KPROCESSOR_STATE' : [ 0x320, { 'ContextFrame' : [ 0x0, ['_CONTEXT']], 'SpecialRegisters' : [ 0x2cc, ['_KSPECIAL_REGISTERS']], } ], '_MMPTE_TRANSITION' : [ 0x4, { 'Valid' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'Write' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Owner' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'WriteThrough' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 4, native_type='unsigned long')]], 'CacheDisable' : [ 0x0, ['BitField', dict(start_bit = 4, end_bit = 5, native_type='unsigned long')]], 'Protection' : [ 0x0, ['BitField', dict(start_bit = 5, end_bit = 10, native_type='unsigned long')]], 'Prototype' : [ 0x0, ['BitField', dict(start_bit = 10, end_bit = 11, native_type='unsigned long')]], 'Transition' : [ 0x0, ['BitField', dict(start_bit = 11, end_bit = 12, native_type='unsigned long')]], 'PageFrameNumber' : [ 0x0, ['BitField', dict(start_bit = 12, end_bit = 32, native_type='unsigned long')]], } ], '_flags' : [ 0x1, { 'Removable' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned char')]], 'Fill' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 8, native_type='unsigned char')]], } ], '__unnamed_1fd5' : [ 0x8, { 'Head' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 24, native_type='unsigned long long')]], 'Tail' : [ 0x0, ['BitField', dict(start_bit = 24, end_bit = 48, native_type='unsigned long long')]], 'ActiveThreadCount' : [ 0x0, ['BitField', dict(start_bit = 48, end_bit = 64, native_type='unsigned long long')]], } ], '__unnamed_1fd7' : [ 0x8, { 's1' : [ 0x0, ['__unnamed_1fd5']], 'Value' : [ 0x0, ['unsigned long long']], } ], '_ALPC_COMPLETION_LIST_STATE' : [ 
0x8, { 'u1' : [ 0x0, ['__unnamed_1fd7']], } ], '_CM_KEY_SECURITY_CACHE' : [ 0x2c, { 'Cell' : [ 0x0, ['unsigned long']], 'ConvKey' : [ 0x4, ['unsigned long']], 'List' : [ 0x8, ['_LIST_ENTRY']], 'DescriptorLength' : [ 0x10, ['unsigned long']], 'RealRefCount' : [ 0x14, ['unsigned long']], 'Descriptor' : [ 0x18, ['_SECURITY_DESCRIPTOR_RELATIVE']], } ], '_CM_NAME_HASH' : [ 0xc, { 'ConvKey' : [ 0x0, ['unsigned long']], 'NextHash' : [ 0x4, ['pointer', ['_CM_NAME_HASH']]], 'NameLength' : [ 0x8, ['unsigned short']], 'Name' : [ 0xa, ['array', 1, ['wchar']]], } ], '_MMSECURE_FLAGS' : [ 0x4, { 'ReadOnly' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'NoWrite' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'Spare' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 12, native_type='unsigned long')]], } ], '_PO_IRP_QUEUE' : [ 0x8, { 'CurrentIrp' : [ 0x0, ['pointer', ['_IRP']]], 'PendingIrpList' : [ 0x4, ['pointer', ['_IRP']]], } ], '__unnamed_1fe9' : [ 0x4, { 'Active' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]], 'OnlyTryAcquireUsed' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]], 'ReleasedOutOfOrder' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 3, native_type='unsigned long')]], 'SequenceNumber' : [ 0x0, ['BitField', dict(start_bit = 3, end_bit = 32, native_type='unsigned long')]], 'Whole' : [ 0x0, ['unsigned long']], } ], '_VI_DEADLOCK_NODE' : [ 0x6c, { 'Parent' : [ 0x0, ['pointer', ['_VI_DEADLOCK_NODE']]], 'ChildrenList' : [ 0x4, ['_LIST_ENTRY']], 'SiblingsList' : [ 0xc, ['_LIST_ENTRY']], 'ResourceList' : [ 0x14, ['_LIST_ENTRY']], 'FreeListEntry' : [ 0x14, ['_LIST_ENTRY']], 'Root' : [ 0x1c, ['pointer', ['_VI_DEADLOCK_RESOURCE']]], 'ThreadEntry' : [ 0x20, ['pointer', ['_VI_DEADLOCK_THREAD']]], 'u1' : [ 0x24, ['__unnamed_1fe9']], 'ChildrenCount' : [ 0x28, ['long']], 'StackTrace' : [ 0x2c, ['array', 8, ['pointer', 
['void']]]], 'ParentStackTrace' : [ 0x4c, ['array', 8, ['pointer', ['void']]]], } ], 'PROCESSOR_IDLESTATE_INFO' : [ 0x8, { 'TimeCheck' : [ 0x0, ['unsigned long']], 'DemotePercent' : [ 0x4, ['unsigned char']], 'PromotePercent' : [ 0x5, ['unsigned char']], 'Spare' : [ 0x6, ['array', 2, ['unsigned char']]], } ], '_KTMOBJECT_NAMESPACE' : [ 0x60, { 'Table' : [ 0x0, ['_RTL_AVL_TABLE']], 'Mutex' : [ 0x38, ['_KMUTANT']], 'LinksOffset' : [ 0x58, ['unsigned short']], 'GuidOffset' : [ 0x5a, ['unsigned short']], 'Expired' : [ 0x5c, ['unsigned char']], } ], '_LPCP_PORT_QUEUE' : [ 0x10, { 'NonPagedPortQueue' : [ 0x0, ['pointer', ['_LPCP_NONPAGED_PORT_QUEUE']]], 'Semaphore' : [ 0x4, ['pointer', ['_KSEMAPHORE']]], 'ReceiveHead' : [ 0x8, ['_LIST_ENTRY']], } ], '_CM_KEY_REFERENCE' : [ 0x8, { 'KeyCell' : [ 0x0, ['unsigned long']], 'KeyHive' : [ 0x4, ['pointer', ['_HHIVE']]], } ], 'SYSTEM_POWER_LEVEL' : [ 0x18, { 'Enable' : [ 0x0, ['unsigned char']], 'Spare' : [ 0x1, ['array', 3, ['unsigned char']]], 'BatteryLevel' : [ 0x4, ['unsigned long']], 'PowerPolicy' : [ 0x8, ['POWER_ACTION_POLICY']], 'MinSystemState' : [ 0x14, ['Enumeration', dict(target = 'long', choices = {0: 'PowerSystemUnspecified', 1: 'PowerSystemWorking', 2: 'PowerSystemSleeping1', 3: 'PowerSystemSleeping2', 4: 'PowerSystemSleeping3', 5: 'PowerSystemHibernate', 6: 'PowerSystemShutdown', 7: 'PowerSystemMaximum'})]], } ], '_OBJECT_DUMP_CONTROL' : [ 0x8, { 'Stream' : [ 0x0, ['pointer', ['void']]], 'Detail' : [ 0x4, ['unsigned long']], } ], '_OBJECT_SYMBOLIC_LINK' : [ 0x20, { 'CreationTime' : [ 0x0, ['_LARGE_INTEGER']], 'LinkTarget' : [ 0x8, ['_UNICODE_STRING']], 'LinkTargetRemaining' : [ 0x10, ['_UNICODE_STRING']], 'LinkTargetObject' : [ 0x18, ['pointer', ['void']]], 'DosDeviceDriveIndex' : [ 0x1c, ['unsigned long']], } ], '_LPCP_NONPAGED_PORT_QUEUE' : [ 0x18, { 'Semaphore' : [ 0x0, ['_KSEMAPHORE']], 'BackPointer' : [ 0x14, ['pointer', ['_LPCP_PORT_OBJECT']]], } ], } 
volatility-2.3.1/volatility/plugins/overlays/windows/vista_sp0_x86_syscalls.py
# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
# Copyright (c) 2011 Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

syscalls = [
    [
        'NtAcceptConnectPort', # 0x0
        'NtAccessCheck', # 0x1
        'NtAccessCheckAndAuditAlarm', # 0x2
        'NtAccessCheckByType', # 0x3
        'NtAccessCheckByTypeAndAuditAlarm', # 0x4
        'NtAccessCheckByTypeResultList', # 0x5
        'NtAccessCheckByTypeResultListAndAuditAlarm', # 0x6
        'NtAccessCheckByTypeResultListAndAuditAlarmByHandle', # 0x7
        'NtAddAtom', # 0x8
        'NtAddBootEntry', # 0x9
        'NtAddDriverEntry', # 0xa
        'NtAdjustGroupsToken', # 0xb
        'NtAdjustPrivilegesToken', # 0xc
        'NtAlertResumeThread', # 0xd
        'NtAlertThread', # 0xe
        'NtAllocateLocallyUniqueId', # 0xf
        'NtAllocateUserPhysicalPages', # 0x10
        'NtAllocateUuids', # 0x11
        'NtAllocateVirtualMemory', # 0x12
        'NtAlpcAcceptConnectPort', # 0x13
        'NtAlpcCancelMessage', # 0x14
        'NtAlpcConnectPort', # 0x15
        'NtAlpcCreatePort', # 0x16
        'NtAlpcCreatePortSection', # 0x17
        'NtAlpcCreateResourceReserve', # 0x18
        'NtAlpcCreateSectionView', # 0x19
        'NtAlpcCreateSecurityContext', # 0x1a
        'NtAlpcDeletePortSection', # 0x1b
        'NtAlpcDeleteResourceReserve', # 0x1c
        'NtAlpcDeleteSectionView', # 0x1d
        'NtAlpcDeleteSecurityContext', # 0x1e
        'NtAlpcDisconnectPort', # 0x1f
        'NtAlpcImpersonateClientOfPort', # 0x20
        'NtAlpcOpenSenderProcess', # 0x21
        'NtAlpcOpenSenderThread', # 0x22
        'NtAlpcQueryInformation', # 0x23
        'NtAlpcQueryInformationMessage', # 0x24
        'NtAlpcRevokeSecurityContext', # 0x25
        'NtAlpcSendWaitReceivePort', # 0x26
        'NtAlpcSetInformation', # 0x27
        'NtApphelpCacheControl', # 0x28
        'NtAreMappedFilesTheSame', # 0x29
        'NtAssignProcessToJobObject', # 0x2a
        'NtCallbackReturn', # 0x2b
        'NtCancelDeviceWakeupRequest', # 0x2c
        'NtCancelIoFile', # 0x2d
        'NtCancelTimer', # 0x2e
        'NtClearEvent', # 0x2f
        'NtClose', # 0x30
        'NtCloseObjectAuditAlarm', # 0x31
        'NtCompactKeys', # 0x32
        'NtCompareTokens', # 0x33
        'NtCompleteConnectPort', # 0x34
        'NtCompressKey', # 0x35
        'NtConnectPort', # 0x36
        'NtContinue', # 0x37
        'NtCreateDebugObject', # 0x38
        'NtCreateDirectoryObject', # 0x39
        'NtCreateEvent', # 0x3a
        'NtCreateEventPair', # 0x3b
        'NtCreateFile', # 0x3c
        'NtCreateIoCompletion', # 0x3d
        'NtCreateJobObject', # 0x3e
        'NtCreateJobSet', # 0x3f
        'NtCreateKey', # 0x40
        'NtCreateKeyTransacted', # 0x41
        'NtCreateMailslotFile', # 0x42
        'NtCreateMutant', # 0x43
        'NtCreateNamedPipeFile', # 0x44
        'NtCreatePrivateNamespace', # 0x45
        'NtCreatePagingFile', # 0x46
        'NtCreatePort', # 0x47
        'NtCreateProcess', # 0x48
        'NtCreateProcessEx', # 0x49
        'NtCreateProfile', # 0x4a
        'NtCreateSection', # 0x4b
        'NtCreateSemaphore', # 0x4c
        'NtCreateSymbolicLinkObject', # 0x4d
        'NtCreateThread', # 0x4e
        'NtCreateTimer', # 0x4f
        'NtCreateToken', # 0x50
        'NtCreateTransaction', # 0x51
        'NtOpenTransaction', # 0x52
        'NtQueryInformationTransaction', # 0x53
        'NtQueryInformationTransactionManager', # 0x54
        'NtPrePrepareEnlistment', # 0x55
        'NtPrepareEnlistment', # 0x56
        'NtCommitEnlistment', # 0x57
        'NtReadOnlyEnlistment', # 0x58
        'NtRollbackComplete', # 0x59
        'NtRollbackEnlistment', # 0x5a
        'NtCommitTransaction', # 0x5b
        'NtRollbackTransaction', # 0x5c
        'NtPrePrepareComplete', # 0x5d
        'NtPrepareComplete', # 0x5e
        'NtCommitComplete', # 0x5f
        'NtSinglePhaseReject', # 0x60
        'NtSetInformationTransaction', # 0x61
        'NtSetInformationTransactionManager', # 0x62
        'NtSetInformationResourceManager', # 0x63
        'NtCreateTransactionManager', # 0x64
        'NtOpenTransactionManager', # 0x65
        'NtRollforwardTransactionManager', # 0x66
        'NtRecoverEnlistment', # 0x67
        'NtRecoverResourceManager', # 0x68
        'NtRecoverTransactionManager', # 0x69
        'NtCreateResourceManager', # 0x6a
        'NtOpenResourceManager', # 0x6b
        'NtGetNotificationResourceManager', # 0x6c
        'NtQueryInformationResourceManager', # 0x6d
        'NtCreateEnlistment', # 0x6e
        'NtOpenEnlistment', # 0x6f
        'NtSetInformationEnlistment', # 0x70
        'NtQueryInformationEnlistment', # 0x71
        'NtStartTm', # 0x72
        'NtCreateWaitablePort', # 0x73
        'NtDebugActiveProcess', # 0x74
        'NtDebugContinue', # 0x75
        'NtDelayExecution', # 0x76
        'NtDeleteAtom', # 0x77
        'NtDeleteBootEntry', # 0x78
        'NtDeleteDriverEntry', # 0x79
        'NtDeleteFile', # 0x7a
        'NtDeleteKey', # 0x7b
        'NtDeletePrivateNamespace', # 0x7c
        'NtDeleteObjectAuditAlarm', # 0x7d
        'NtDeleteValueKey', # 0x7e
        'NtDeviceIoControlFile', # 0x7f
        'NtDisplayString', # 0x80
        'NtDuplicateObject', # 0x81
        'NtDuplicateToken', # 0x82
        'NtEnumerateBootEntries', # 0x83
        'NtEnumerateDriverEntries', # 0x84
        'NtEnumerateKey', # 0x85
        'NtEnumerateSystemEnvironmentValuesEx', # 0x86
        'NtEnumerateTransactionObject', # 0x87
        'NtEnumerateValueKey', # 0x88
        'NtExtendSection', # 0x89
        'NtFilterToken', # 0x8a
        'NtFindAtom', # 0x8b
        'NtFlushBuffersFile', # 0x8c
        'NtFlushInstructionCache', # 0x8d
        'NtFlushKey', # 0x8e
        'NtFlushProcessWriteBuffers', # 0x8f
        'NtFlushVirtualMemory', # 0x90
        'NtFlushWriteBuffer', # 0x91
        'NtFreeUserPhysicalPages', # 0x92
        'NtFreeVirtualMemory', # 0x93
        'NtFreezeRegistry', # 0x94
        'NtFreezeTransactions', # 0x95
        'NtFsControlFile', # 0x96
        'NtGetContextThread', # 0x97
        'NtGetDevicePowerState', # 0x98
        'NtGetNlsSectionPtr', # 0x99
        'NtGetPlugPlayEvent', # 0x9a
        'NtGetWriteWatch', # 0x9b
        'NtImpersonateAnonymousToken', # 0x9c
        'NtImpersonateClientOfPort', # 0x9d
        'NtImpersonateThread', # 0x9e
        'NtInitializeNlsFiles', # 0x9f
        'NtInitializeRegistry', # 0xa0
        'NtInitiatePowerAction', # 0xa1
        'NtIsProcessInJob', # 0xa2
        'NtIsSystemResumeAutomatic', # 0xa3
        'NtListenPort', # 0xa4
        'NtLoadDriver', # 0xa5
        'NtLoadKey', # 0xa6
        'NtLoadKey2', # 0xa7
        'NtLoadKeyEx', # 0xa8
        'NtLockFile', # 0xa9
        'NtLockProductActivationKeys', # 0xaa
        'NtLockRegistryKey', # 0xab
        'NtLockVirtualMemory', # 0xac
        'NtMakePermanentObject', # 0xad
        'NtMakeTemporaryObject', # 0xae
        'NtMapUserPhysicalPages', # 0xaf
        'NtMapUserPhysicalPagesScatter', # 0xb0
        'NtMapViewOfSection', # 0xb1
        'NtModifyBootEntry', # 0xb2
        'NtModifyDriverEntry', # 0xb3
        'NtNotifyChangeDirectoryFile', # 0xb4
        'NtNotifyChangeKey', # 0xb5
        'NtNotifyChangeMultipleKeys', # 0xb6
        'NtOpenDirectoryObject', # 0xb7
        'NtOpenEvent', # 0xb8
        'NtOpenEventPair', # 0xb9
        'NtOpenFile', # 0xba
        'NtOpenIoCompletion', # 0xbb
        'NtOpenJobObject', # 0xbc
        'NtOpenKey', # 0xbd
        'NtOpenKeyTransacted', # 0xbe
        'NtOpenMutant', # 0xbf
        'NtOpenPrivateNamespace', # 0xc0
        'NtOpenObjectAuditAlarm', # 0xc1
        'NtOpenProcess', # 0xc2
        'NtOpenProcessToken', # 0xc3
        'NtOpenProcessTokenEx', # 0xc4
        'NtOpenSection', # 0xc5
        'NtOpenSemaphore', # 0xc6
        'NtOpenSession', # 0xc7
        'NtOpenSymbolicLinkObject', # 0xc8
        'NtOpenThread', # 0xc9
        'NtOpenThreadToken', # 0xca
        'NtOpenThreadTokenEx', # 0xcb
        'NtOpenTimer', # 0xcc
        'NtPlugPlayControl', # 0xcd
        'NtPowerInformation', # 0xce
        'NtPrivilegeCheck', # 0xcf
        'NtPrivilegeObjectAuditAlarm', # 0xd0
        'NtPrivilegedServiceAuditAlarm', # 0xd1
        'NtProtectVirtualMemory', # 0xd2
        'NtPulseEvent', # 0xd3
        'NtQueryAttributesFile', # 0xd4
        'NtQueryBootEntryOrder', # 0xd5
        'NtQueryBootOptions', # 0xd6
        'NtQueryDebugFilterState', # 0xd7
        'NtQueryDefaultLocale', # 0xd8
        'NtQueryDefaultUILanguage', # 0xd9
        'NtQueryDirectoryFile', # 0xda
        'NtQueryDirectoryObject', # 0xdb
        'NtQueryDriverEntryOrder', # 0xdc
        'NtQueryEaFile', # 0xdd
        'NtQueryEvent', # 0xde
        'NtQueryFullAttributesFile', # 0xdf
        'NtQueryInformationAtom', # 0xe0
        'NtQueryInformationFile', # 0xe1
        'NtQueryInformationJobObject', # 0xe2
        'NtQueryInformationPort', # 0xe3
        'NtQueryInformationProcess', # 0xe4
        'NtQueryInformationThread', # 0xe5
        'NtQueryInformationToken', # 0xe6
        'NtQueryInstallUILanguage', # 0xe7
        'NtQueryIntervalProfile', # 0xe8
        'NtQueryIoCompletion', # 0xe9
        'NtQueryKey', # 0xea
        'NtQueryMultipleValueKey', # 0xeb
        'NtQueryMutant', # 0xec
        'NtQueryObject', # 0xed
        'NtQueryOpenSubKeys', # 0xee
        'NtQueryOpenSubKeysEx', # 0xef
        'NtQueryPerformanceCounter', # 0xf0
        'NtQueryQuotaInformationFile', # 0xf1
        'NtQuerySection', # 0xf2
        'NtQuerySecurityObject', # 0xf3
        'NtQuerySemaphore', # 0xf4
        'NtQuerySymbolicLinkObject', # 0xf5
        'NtQuerySystemEnvironmentValue', # 0xf6
        'NtQuerySystemEnvironmentValueEx', # 0xf7
        'NtQuerySystemInformation', # 0xf8
        'NtQuerySystemTime', # 0xf9
        'NtQueryTimer', # 0xfa
        'NtQueryTimerResolution', # 0xfb
        'NtQueryValueKey', # 0xfc
        'NtQueryVirtualMemory', # 0xfd
        'NtQueryVolumeInformationFile', # 0xfe
        'NtQueueApcThread', # 0xff
        'NtRaiseException', # 0x100
        'NtRaiseHardError', # 0x101
        'NtReadFile', # 0x102
        'NtReadFileScatter', # 0x103
        'NtReadRequestData', # 0x104
        'NtReadVirtualMemory', # 0x105
        'NtRegisterThreadTerminatePort', # 0x106
        'NtReleaseMutant', # 0x107
        'NtReleaseSemaphore', # 0x108
        'NtRemoveIoCompletion', # 0x109
        'NtRemoveProcessDebug', # 0x10a
        'NtRenameKey', # 0x10b
        'NtReplaceKey', # 0x10c
        'NtReplyPort', # 0x10d
        'NtReplyWaitReceivePort', # 0x10e
        'NtReplyWaitReceivePortEx', # 0x10f
        'NtReplyWaitReplyPort', # 0x110
        'NtRequestDeviceWakeup', # 0x111
        'NtRequestPort', # 0x112
        'NtRequestWaitReplyPort', # 0x113
        'NtRequestWakeupLatency', # 0x114
        'NtResetEvent', # 0x115
        'NtResetWriteWatch', # 0x116
        'NtRestoreKey', # 0x117
        'NtResumeProcess', # 0x118
        'NtResumeThread', # 0x119
        'NtSaveKey', # 0x11a
        'NtSaveKeyEx', # 0x11b
        'NtSaveMergedKeys', # 0x11c
        'NtClearSavepointTransaction', # 0x11d
        'NtClearAllSavepointsTransaction', # 0x11e
        'NtRollbackSavepointTransaction', # 0x11f
        'NtSavepointTransaction', # 0x120
        'NtSavepointComplete', # 0x121
        'NtSecureConnectPort', # 0x122
        'NtSetBootEntryOrder', # 0x123
        'NtSetBootOptions', # 0x124
        'NtSetContextThread', # 0x125
        'NtSetDebugFilterState', # 0x126
        'NtSetDefaultHardErrorPort', # 0x127
        'NtSetDefaultLocale', # 0x128
        'NtSetDefaultUILanguage', # 0x129
        'NtSetDriverEntryOrder', # 0x12a
        'NtSetEaFile', # 0x12b
        'NtSetEvent', # 0x12c
        'NtSetEventBoostPriority', # 0x12d
        'NtSetHighEventPair', # 0x12e
        'NtSetHighWaitLowEventPair', # 0x12f
        'NtSetInformationDebugObject', # 0x130
        'NtSetInformationFile', # 0x131
        'NtSetInformationJobObject', # 0x132
        'NtSetInformationKey', # 0x133
        'NtSetInformationObject', # 0x134
        'NtSetInformationProcess', # 0x135
        'NtSetInformationThread', # 0x136
        'NtSetInformationToken', # 0x137
        'NtSetIntervalProfile', # 0x138
        'NtSetIoCompletion', # 0x139
        'NtSetLdtEntries', # 0x13a
        'NtSetLowEventPair', # 0x13b
        'NtSetLowWaitHighEventPair', # 0x13c
        'NtSetQuotaInformationFile', # 0x13d
        'NtSetSecurityObject', # 0x13e
        'NtSetSystemEnvironmentValue', # 0x13f
        'NtSetSystemEnvironmentValueEx', # 0x140
        'NtSetSystemInformation', # 0x141
        'NtSetSystemPowerState', # 0x142
        'NtSetSystemTime', # 0x143
        'NtSetThreadExecutionState', # 0x144
        'NtSetTimer', # 0x145
        'NtSetTimerResolution', # 0x146
        'NtSetUuidSeed', # 0x147
        'NtSetValueKey', # 0x148
        'NtSetVolumeInformationFile', # 0x149
        'NtShutdownSystem', # 0x14a
        'NtSignalAndWaitForSingleObject', # 0x14b
        'NtStartProfile', # 0x14c
        'NtStopProfile', # 0x14d
        'NtSuspendProcess', # 0x14e
        'NtSuspendThread', # 0x14f
        'NtSystemDebugControl', # 0x150
        'NtTerminateJobObject', # 0x151
        'NtTerminateProcess', # 0x152
        'NtTerminateThread', # 0x153
        'NtTestAlert', # 0x154
        'NtThawRegistry', # 0x155
        'NtThawTransactions', # 0x156
        'NtTraceEvent', # 0x157
        'NtTraceControl', # 0x158
        'NtTranslateFilePath', # 0x159
        'NtUnloadDriver', # 0x15a
        'NtUnloadKey', # 0x15b
        'NtUnloadKey2', # 0x15c
        'NtUnloadKeyEx', # 0x15d
        'NtUnlockFile', # 0x15e
        'NtUnlockVirtualMemory', # 0x15f
        'NtUnmapViewOfSection', # 0x160
        'NtVdmControl', # 0x161
        'NtWaitForDebugEvent', # 0x162
        'NtWaitForMultipleObjects', # 0x163
        'NtWaitForSingleObject', # 0x164
        'NtWaitHighEventPair', # 0x165
        'NtWaitLowEventPair', # 0x166
        'NtWriteFile', # 0x167
        'NtWriteFileGather', # 0x168
        'NtWriteRequestData', # 0x169
        'NtWriteVirtualMemory', # 0x16a
        'NtYieldExecution', # 0x16b
        'NtCreateKeyedEvent', # 0x16c
        'NtOpenKeyedEvent', # 0x16d
        'NtReleaseKeyedEvent', # 0x16e
        'NtWaitForKeyedEvent', # 0x16f
        'NtQueryPortInformationProcess', # 0x170
        'NtGetCurrentProcessorNumber', # 0x171
        'NtWaitForMultipleObjects32', # 0x172
        'NtGetNextProcess', # 0x173
        'NtGetNextThread', # 0x174
        'NtCancelIoFileEx', # 0x175
        'NtCancelSynchronousIoFile', # 0x176
        'NtRemoveIoCompletionEx', # 0x177
        'NtRegisterProtocolAddressInformation', # 0x178
        'NtPullTransaction', # 0x179
        'NtMarshallTransaction', # 0x17a
        'NtPropagationComplete', # 0x17b
        'NtPropagationFailed', # 0x17c
        'NtCreateWorkerFactory', # 0x17d
        'NtReleaseWorkerFactoryWorker', # 0x17e
        'NtWaitForWorkViaWorkerFactory', # 0x17f
        'NtSetInformationWorkerFactory', # 0x180
        'NtQueryInformationWorkerFactory', # 0x181
        'NtWorkerFactoryWorkerReady', # 0x182
        'NtShutdownWorkerFactory', # 0x183
        'NtCreateThreadEx', # 0x184
        'NtCreateUserProcess', # 0x185
        'NtQueryLicenseValue', # 0x186
        'NtMapCMFModule', # 0x187
        'NtListTransactions', # 0x188
        'NtIsUILanguageComitted', # 0x189
        'NtFlushInstallUILanguage', # 0x18a
        'NtGetMUIRegistryInfo', # 0x18b
        'NtAcquireCMFViewOwnership', # 0x18c
        'NtReleaseCMFViewOwnership', # 0x18d
    ],
    [
        'NtGdiAbortDoc', # 0x0
        'NtGdiAbortPath', # 0x1
        'NtGdiAddFontResourceW', # 0x2
        'NtGdiAddRemoteFontToDC', # 0x3
        'NtGdiAddFontMemResourceEx', # 0x4
        'NtGdiRemoveMergeFont', # 0x5
        'NtGdiAddRemoteMMInstanceToDC', # 0x6
        'NtGdiAlphaBlend', # 0x7
        'NtGdiAngleArc', # 0x8
        'NtGdiAnyLinkedFonts', # 0x9
        'NtGdiFontIsLinked', # 0xa
        'NtGdiArcInternal', # 0xb
        'NtGdiBeginPath', # 0xc
        'NtGdiBitBlt', # 0xd
        'NtGdiCancelDC', # 0xe
        'NtGdiCheckBitmapBits', # 0xf
        'NtGdiCloseFigure', # 0x10
        'NtGdiClearBitmapAttributes', # 0x11
        'NtGdiClearBrushAttributes', # 0x12
        'NtGdiColorCorrectPalette', # 0x13
        'NtGdiCombineRgn', # 0x14
        'NtGdiCombineTransform', # 0x15
        'NtGdiComputeXformCoefficients', # 0x16
        'NtGdiConfigureOPMProtectedOutput', # 0x17
        'NtGdiConsoleTextOut', # 0x18
        'NtGdiConvertMetafileRect', # 0x19
        'NtGdiCreateBitmap', # 0x1a
        'NtGdiCreateClientObj', # 0x1b
        'NtGdiCreateColorSpace', # 0x1c
        'NtGdiCreateColorTransform', # 0x1d
        'NtGdiCreateCompatibleBitmap', # 0x1e
        'NtGdiCreateCompatibleDC', # 0x1f
        'NtGdiCreateDIBBrush', # 0x20
        'NtGdiCreateDIBitmapInternal', # 0x21
        'NtGdiCreateDIBSection', # 0x22
        'NtGdiCreateEllipticRgn', # 0x23
        'NtGdiCreateHalftonePalette', # 0x24
        'NtGdiCreateHatchBrushInternal', # 0x25
        'NtGdiCreateMetafileDC', # 0x26
        'NtGdiCreateOPMProtectedOutputs', # 0x27
        'NtGdiCreatePaletteInternal', # 0x28
        'NtGdiCreatePatternBrushInternal', # 0x29
        'NtGdiCreatePen', # 0x2a
        'NtGdiCreateRectRgn', # 0x2b
        'NtGdiCreateRoundRectRgn', # 0x2c
        'NtGdiCreateServerMetaFile', # 0x2d
        'NtGdiCreateSolidBrush', # 0x2e
        'NtGdiD3dContextCreate', # 0x2f
        'NtGdiD3dContextDestroy', # 0x30
        'NtGdiD3dContextDestroyAll', # 0x31
        'NtGdiD3dValidateTextureStageState', # 0x32
        'NtGdiD3dDrawPrimitives2', # 0x33
        'NtGdiDdGetDriverState', # 0x34
        'NtGdiDdAddAttachedSurface', # 0x35
        'NtGdiDdAlphaBlt', # 0x36
        'NtGdiDdAttachSurface', # 0x37
        'NtGdiDdBeginMoCompFrame', # 0x38
        'NtGdiDdBlt', # 0x39
        'NtGdiDdCanCreateSurface', # 0x3a
        'NtGdiDdCanCreateD3DBuffer', # 0x3b
        'NtGdiDdColorControl', # 0x3c
        'NtGdiDdCreateDirectDrawObject', # 0x3d
        'NtGdiDdCreateSurface', # 0x3e
        'NtGdiDdCreateD3DBuffer', # 0x3f
        'NtGdiDdCreateMoComp', # 0x40
        'NtGdiDdCreateSurfaceObject', # 0x41
        'NtGdiDdDeleteDirectDrawObject', # 0x42
        'NtGdiDdDeleteSurfaceObject', # 0x43
        'NtGdiDdDestroyMoComp', # 0x44
        'NtGdiDdDestroySurface', # 0x45
        'NtGdiDdDestroyD3DBuffer', # 0x46
        'NtGdiDdEndMoCompFrame', # 0x47
        'NtGdiDdFlip', # 0x48
        'NtGdiDdFlipToGDISurface', # 0x49
        'NtGdiDdGetAvailDriverMemory', # 0x4a
        'NtGdiDdGetBltStatus', # 0x4b
        'NtGdiDdGetDC', # 0x4c
        'NtGdiDdGetDriverInfo', # 0x4d
        'NtGdiDdGetDxHandle', # 0x4e
        'NtGdiDdGetFlipStatus', # 0x4f
        'NtGdiDdGetInternalMoCompInfo', # 0x50
        'NtGdiDdGetMoCompBuffInfo', # 0x51
        'NtGdiDdGetMoCompGuids', # 0x52
        'NtGdiDdGetMoCompFormats', # 0x53
        'NtGdiDdGetScanLine', # 0x54
        'NtGdiDdLock', # 0x55
        'NtGdiDdLockD3D', # 0x56
        'NtGdiDdQueryDirectDrawObject', # 0x57
        'NtGdiDdQueryMoCompStatus', # 0x58
        'NtGdiDdReenableDirectDrawObject', # 0x59
        'NtGdiDdReleaseDC', # 0x5a
        'NtGdiDdRenderMoComp', # 0x5b
        'NtGdiDdResetVisrgn', # 0x5c
        'NtGdiDdSetColorKey', # 0x5d
        'NtGdiDdSetExclusiveMode', # 0x5e
        'NtGdiDdSetGammaRamp', # 0x5f
        'NtGdiDdCreateSurfaceEx', # 0x60
        'NtGdiDdSetOverlayPosition', # 0x61
        'NtGdiDdUnattachSurface', # 0x62
        'NtGdiDdUnlock', # 0x63
        'NtGdiDdUnlockD3D', # 0x64
        'NtGdiDdUpdateOverlay', # 0x65
        'NtGdiDdWaitForVerticalBlank', # 0x66
        'NtGdiDvpCanCreateVideoPort', # 0x67
        'NtGdiDvpColorControl', # 0x68
        'NtGdiDvpCreateVideoPort', # 0x69
        'NtGdiDvpDestroyVideoPort', # 0x6a
        'NtGdiDvpFlipVideoPort', # 0x6b
        'NtGdiDvpGetVideoPortBandwidth', # 0x6c
        'NtGdiDvpGetVideoPortField', # 0x6d
        'NtGdiDvpGetVideoPortFlipStatus', # 0x6e
        'NtGdiDvpGetVideoPortInputFormats', # 0x6f
        'NtGdiDvpGetVideoPortLine', # 0x70
        'NtGdiDvpGetVideoPortOutputFormats', # 0x71
        'NtGdiDvpGetVideoPortConnectInfo', # 0x72
        'NtGdiDvpGetVideoSignalStatus', # 0x73
        'NtGdiDvpUpdateVideoPort', # 0x74
        'NtGdiDvpWaitForVideoPortSync', # 0x75
        'NtGdiDvpAcquireNotification', # 0x76
        'NtGdiDvpReleaseNotification', # 0x77
        'NtGdiDxgGenericThunk', # 0x78
        'NtGdiDeleteClientObj', # 0x79
        'NtGdiDeleteColorSpace', # 0x7a
        'NtGdiDeleteColorTransform', # 0x7b
        'NtGdiDeleteObjectApp', # 0x7c
        'NtGdiDescribePixelFormat', # 0x7d
        'NtGdiDestroyOPMProtectedOutput', # 0x7e
        'NtGdiGetPerBandInfo', # 0x7f
        'NtGdiDoBanding', # 0x80
        'NtGdiDoPalette', # 0x81
        'NtGdiDrawEscape', # 0x82
        'NtGdiEllipse', # 0x83
        'NtGdiEnableEudc', # 0x84
        'NtGdiEndDoc', # 0x85
        'NtGdiEndPage', # 0x86
        'NtGdiEndPath', # 0x87
        'NtGdiEnumFontChunk', # 0x88
        'NtGdiEnumFontClose', # 0x89
        'NtGdiEnumFontOpen', # 0x8a
        'NtGdiEnumObjects', # 0x8b
        'NtGdiEqualRgn', # 0x8c
        'NtGdiEudcLoadUnloadLink', # 0x8d
        'NtGdiExcludeClipRect', # 0x8e
        'NtGdiExtCreatePen', # 0x8f
        'NtGdiExtCreateRegion', # 0x90
        'NtGdiExtEscape', # 0x91
        'NtGdiExtFloodFill', # 0x92
        'NtGdiExtGetObjectW', # 0x93
        'NtGdiExtSelectClipRgn', # 0x94
        'NtGdiExtTextOutW', # 0x95
        'NtGdiFillPath', # 0x96
        'NtGdiFillRgn', # 0x97
        'NtGdiFlattenPath', # 0x98
        'NtGdiFlush', # 0x99
        'NtGdiForceUFIMapping', # 0x9a
        'NtGdiFrameRgn', # 0x9b
        'NtGdiFullscreenControl', # 0x9c
        'NtGdiGetAndSetDCDword', # 0x9d
        'NtGdiGetAppClipBox', # 0x9e
        'NtGdiGetBitmapBits', # 0x9f
        'NtGdiGetBitmapDimension', # 0xa0
        'NtGdiGetBoundsRect', # 0xa1
        'NtGdiGetCertificate', # 0xa2
        'NtGdiGetCertificateSize', # 0xa3
        'NtGdiGetCharABCWidthsW', # 0xa4
        'NtGdiGetCharacterPlacementW', # 0xa5
        'NtGdiGetCharSet', # 0xa6
        'NtGdiGetCharWidthW', # 0xa7
        'NtGdiGetCharWidthInfo', # 0xa8
        'NtGdiGetColorAdjustment', # 0xa9
        'NtGdiGetColorSpaceforBitmap', # 0xaa
        'NtGdiGetCOPPCompatibleOPMInformation', # 0xab
        'NtGdiGetDCDword', # 0xac
        'NtGdiGetDCforBitmap', # 0xad
        'NtGdiGetDCObject', # 0xae
        'NtGdiGetDCPoint', # 0xaf
        'NtGdiGetDeviceCaps', # 0xb0
        'NtGdiGetDeviceGammaRamp', # 0xb1
        'NtGdiGetDeviceCapsAll', # 0xb2
        'NtGdiGetDIBitsInternal', # 0xb3
        'NtGdiGetETM', # 0xb4
        'NtGdiGetEudcTimeStampEx', # 0xb5
        'NtGdiGetFontData', # 0xb6
        'NtGdiGetFontResourceInfoInternalW', # 0xb7
        'NtGdiGetGlyphIndicesW', # 0xb8
        'NtGdiGetGlyphIndicesWInternal', # 0xb9
        'NtGdiGetGlyphOutline', # 0xba
        'NtGdiGetOPMInformation', # 0xbb
        'NtGdiGetKerningPairs', # 0xbc
        'NtGdiGetLinkedUFIs', # 0xbd
        'NtGdiGetMiterLimit', # 0xbe
        'NtGdiGetMonitorID', # 0xbf
        'NtGdiGetNearestColor', # 0xc0
        'NtGdiGetNearestPaletteIndex', # 0xc1
        'NtGdiGetObjectBitmapHandle', # 0xc2
        'NtGdiGetOPMRandomNumber', # 0xc3
        'NtGdiGetOutlineTextMetricsInternalW', # 0xc4
        'NtGdiGetPath', # 0xc5
        'NtGdiGetPixel', # 0xc6
        'NtGdiGetRandomRgn', # 0xc7
        'NtGdiGetRasterizerCaps', # 0xc8
        'NtGdiGetRealizationInfo', # 0xc9
        'NtGdiGetRegionData', # 0xca
        'NtGdiGetRgnBox', # 0xcb
        'NtGdiGetServerMetaFileBits', # 0xcc
        'NtGdiGetSpoolMessage', # 0xcd
        'NtGdiGetStats', # 0xce
        'NtGdiGetStockObject', # 0xcf
        'NtGdiGetStringBitmapW', # 0xd0
        'NtGdiGetSuggestedOPMProtectedOutputArraySize', # 0xd1
        'NtGdiGetSystemPaletteUse', # 0xd2
        'NtGdiGetTextCharsetInfo', # 0xd3
        'NtGdiGetTextExtent', # 0xd4
        'NtGdiGetTextExtentExW', # 0xd5
        'NtGdiGetTextFaceW', # 0xd6
        'NtGdiGetTextMetricsW', # 0xd7
        'NtGdiGetTransform', # 0xd8
        'NtGdiGetUFI', # 0xd9
        'NtGdiGetEmbUFI', # 0xda
        'NtGdiGetUFIPathname', # 0xdb
        'NtGdiGetEmbedFonts', # 0xdc
        'NtGdiChangeGhostFont', # 0xdd
        'NtGdiAddEmbFontToDC', # 0xde
        'NtGdiGetFontUnicodeRanges', # 0xdf
        'NtGdiGetWidthTable', # 0xe0
        'NtGdiGradientFill', # 0xe1
        'NtGdiHfontCreate', # 0xe2
        'NtGdiIcmBrushInfo', # 0xe3
        'NtGdiInit', # 0xe4
        'NtGdiInitSpool', # 0xe5
        'NtGdiIntersectClipRect', # 0xe6
        'NtGdiInvertRgn', # 0xe7
        'NtGdiLineTo', # 0xe8
        'NtGdiMakeFontDir', # 0xe9
        'NtGdiMakeInfoDC', # 0xea
        'NtGdiMaskBlt', # 0xeb
        'NtGdiModifyWorldTransform', # 0xec
        'NtGdiMonoBitmap', # 0xed
        'NtGdiMoveTo', # 0xee
        'NtGdiOffsetClipRgn', # 0xef
        'NtGdiOffsetRgn', # 0xf0
        'NtGdiOpenDCW', # 0xf1
        'NtGdiPatBlt', # 0xf2
        'NtGdiPolyPatBlt', # 0xf3
        'NtGdiPathToRegion', # 0xf4
        'NtGdiPlgBlt', # 0xf5
        'NtGdiPolyDraw', # 0xf6
        'NtGdiPolyPolyDraw', # 0xf7
        'NtGdiPolyTextOutW', # 0xf8
        'NtGdiPtInRegion', # 0xf9
        'NtGdiPtVisible', # 0xfa
        'NtGdiQueryFonts', # 0xfb
        'NtGdiQueryFontAssocInfo', # 0xfc
        'NtGdiRectangle', # 0xfd
        'NtGdiRectInRegion', # 0xfe
        'NtGdiRectVisible', # 0xff
        'NtGdiRemoveFontResourceW', # 0x100
        'NtGdiRemoveFontMemResourceEx', # 0x101
        'NtGdiResetDC', # 0x102
        'NtGdiResizePalette', # 0x103
        'NtGdiRestoreDC', # 0x104
        'NtGdiRoundRect', # 0x105
        'NtGdiSaveDC', # 0x106
        'NtGdiScaleViewportExtEx', # 0x107
        'NtGdiScaleWindowExtEx', # 0x108
        'NtGdiSelectBitmap', # 0x109
        'NtGdiSelectBrush', # 0x10a
        'NtGdiSelectClipPath', # 0x10b
        'NtGdiSelectFont', # 0x10c
        'NtGdiSelectPen', # 0x10d
        'NtGdiSetBitmapAttributes', # 0x10e
        'NtGdiSetBitmapBits', # 0x10f
        'NtGdiSetBitmapDimension', # 0x110
        'NtGdiSetBoundsRect', # 0x111
        'NtGdiSetBrushAttributes', # 0x112
        'NtGdiSetBrushOrg', # 0x113
        'NtGdiSetColorAdjustment', # 0x114
        'NtGdiSetColorSpace', # 0x115
        'NtGdiSetDeviceGammaRamp', # 0x116
        'NtGdiSetDIBitsToDeviceInternal', # 0x117
        'NtGdiSetFontEnumeration', # 0x118
        'NtGdiSetFontXform', # 0x119
        'NtGdiSetIcmMode', # 0x11a
        'NtGdiSetLinkedUFIs', # 0x11b
        'NtGdiSetMagicColors', # 0x11c
        'NtGdiSetMetaRgn', # 0x11d
        'NtGdiSetMiterLimit', # 0x11e
        'NtGdiGetDeviceWidth', # 0x11f
        'NtGdiMirrorWindowOrg', # 0x120
        'NtGdiSetLayout', # 0x121
        'NtGdiSetOPMSigningKeyAndSequenceNumbers', # 0x122
        'NtGdiSetPixel', # 0x123
        'NtGdiSetPixelFormat', # 0x124
        'NtGdiSetRectRgn', # 0x125
        'NtGdiSetSystemPaletteUse', # 0x126
        'NtGdiSetTextJustification', # 0x127
        'NtGdiSetupPublicCFONT', # 0x128
        'NtGdiSetVirtualResolution', # 0x129
        'NtGdiSetSizeDevice', # 0x12a
        'NtGdiStartDoc', # 0x12b
        'NtGdiStartPage', # 0x12c
        'NtGdiStretchBlt', # 0x12d
        'NtGdiStretchDIBitsInternal', # 0x12e
        'NtGdiStrokeAndFillPath', # 0x12f
        'NtGdiStrokePath', # 0x130
        'NtGdiSwapBuffers', # 0x131
        'NtGdiTransformPoints', # 0x132
        'NtGdiTransparentBlt', # 0x133
        'NtGdiUnloadPrinterDriver', # 0x134
        'NtGdiUnmapMemFont', # 0x135
        'NtGdiUnrealizeObject', # 0x136
        'NtGdiUpdateColors', # 0x137
        'NtGdiWidenPath', # 0x138
        'NtUserActivateKeyboardLayout', # 0x139
        'NtUserAddClipboardFormatListener', # 0x13a
        'NtUserAlterWindowStyle', # 0x13b
        'NtUserAssociateInputContext', # 0x13c
        'NtUserAttachThreadInput', # 0x13d
        'NtUserBeginPaint', # 0x13e
        'NtUserBitBltSysBmp', # 0x13f
        'NtUserBlockInput', # 0x140
        'NtUserBuildHimcList', # 0x141
        'NtUserBuildHwndList', # 0x142
        'NtUserBuildNameList', # 0x143
        'NtUserBuildPropList', # 0x144
        'NtUserCallHwnd', # 0x145
        'NtUserCallHwndLock', # 0x146
        'NtUserCallHwndOpt', # 0x147
        'NtUserCallHwndParam', # 0x148
        'NtUserCallHwndParamLock', # 0x149
        'NtUserCallMsgFilter', # 0x14a
        'NtUserCallNextHookEx', # 0x14b
        'NtUserCallNoParam', # 0x14c
        'NtUserCallOneParam', # 0x14d
        'NtUserCallTwoParam', # 0x14e
        'NtUserChangeClipboardChain', # 0x14f
        'NtUserChangeDisplaySettings', # 0x150
        'NtUserCheckAccessForIntegrityLevel', # 0x151
        'NtUserCheckDesktopByThreadId', # 0x152
    'NtUserCheckWindowThreadDesktop', # 0x153
    'NtUserCheckImeHotKey', # 0x154
    'NtUserCheckMenuItem', # 0x155
    'NtUserChildWindowFromPointEx', # 0x156
    'NtUserClipCursor', # 0x157
    'NtUserCloseClipboard', # 0x158
    'NtUserCloseDesktop', # 0x159
    'NtUserCloseWindowStation', # 0x15a
    'NtUserConsoleControl', # 0x15b
    'NtUserConvertMemHandle', # 0x15c
    'NtUserCopyAcceleratorTable', # 0x15d
    'NtUserCountClipboardFormats', # 0x15e
    'NtUserCreateAcceleratorTable', # 0x15f
    'NtUserCreateCaret', # 0x160
    'NtUserCreateDesktopEx', # 0x161
    'NtUserCreateInputContext', # 0x162
    'NtUserCreateLocalMemHandle', # 0x163
    'NtUserCreateWindowEx', # 0x164
    'NtUserCreateWindowStation', # 0x165
    'NtUserDdeInitialize', # 0x166
    'NtUserDeferWindowPos', # 0x167
    'NtUserDefSetText', # 0x168
    'NtUserDeleteMenu', # 0x169
    'NtUserDestroyAcceleratorTable', # 0x16a
    'NtUserDestroyCursor', # 0x16b
    'NtUserDestroyInputContext', # 0x16c
    'NtUserDestroyMenu', # 0x16d
    'NtUserDestroyWindow', # 0x16e
    'NtUserDisableThreadIme', # 0x16f
    'NtUserDispatchMessage', # 0x170
    'NtUserDoSoundConnect', # 0x171
    'NtUserDoSoundDisconnect', # 0x172
    'NtUserDragDetect', # 0x173
    'NtUserDragObject', # 0x174
    'NtUserDrawAnimatedRects', # 0x175
    'NtUserDrawCaption', # 0x176
    'NtUserDrawCaptionTemp', # 0x177
    'NtUserDrawIconEx', # 0x178
    'NtUserDrawMenuBarTemp', # 0x179
    'NtUserEmptyClipboard', # 0x17a
    'NtUserEnableMenuItem', # 0x17b
    'NtUserEnableScrollBar', # 0x17c
    'NtUserEndDeferWindowPosEx', # 0x17d
    'NtUserEndMenu', # 0x17e
    'NtUserEndPaint', # 0x17f
    'NtUserEnumDisplayDevices', # 0x180
    'NtUserEnumDisplayMonitors', # 0x181
    'NtUserEnumDisplaySettings', # 0x182
    'NtUserEvent', # 0x183
    'NtUserExcludeUpdateRgn', # 0x184
    'NtUserFillWindow', # 0x185
    'NtUserFindExistingCursorIcon', # 0x186
    'NtUserFindWindowEx', # 0x187
    'NtUserFlashWindowEx', # 0x188
    'NtUserFrostCrashedWindow', # 0x189
    'NtUserGetAltTabInfo', # 0x18a
    'NtUserGetAncestor', # 0x18b
    'NtUserGetAppImeLevel', # 0x18c
    'NtUserGetAsyncKeyState', # 0x18d
    'NtUserGetAtomName', # 0x18e
    'NtUserGetCaretBlinkTime', # 0x18f
    'NtUserGetCaretPos', # 0x190
    'NtUserGetClassInfoEx', # 0x191
    'NtUserGetClassName', # 0x192
    'NtUserGetClipboardData', # 0x193
    'NtUserGetClipboardFormatName', # 0x194
    'NtUserGetClipboardOwner', # 0x195
    'NtUserGetClipboardSequenceNumber', # 0x196
    'NtUserGetClipboardViewer', # 0x197
    'NtUserGetClipCursor', # 0x198
    'NtUserGetComboBoxInfo', # 0x199
    'NtUserGetControlBrush', # 0x19a
    'NtUserGetControlColor', # 0x19b
    'NtUserGetCPD', # 0x19c
    'NtUserGetCursorFrameInfo', # 0x19d
    'NtUserGetCursorInfo', # 0x19e
    'NtUserGetDC', # 0x19f
    'NtUserGetDCEx', # 0x1a0
    'NtUserGetDoubleClickTime', # 0x1a1
    'NtUserGetForegroundWindow', # 0x1a2
    'NtUserGetGuiResources', # 0x1a3
    'NtUserGetGUIThreadInfo', # 0x1a4
    'NtUserGetIconInfo', # 0x1a5
    'NtUserGetIconSize', # 0x1a6
    'NtUserGetImeHotKey', # 0x1a7
    'NtUserGetImeInfoEx', # 0x1a8
    'NtUserGetInternalWindowPos', # 0x1a9
    'NtUserGetKeyboardLayoutList', # 0x1aa
    'NtUserGetKeyboardLayoutName', # 0x1ab
    'NtUserGetKeyboardState', # 0x1ac
    'NtUserGetKeyNameText', # 0x1ad
    'NtUserGetKeyState', # 0x1ae
    'NtUserGetListBoxInfo', # 0x1af
    'NtUserGetMenuBarInfo', # 0x1b0
    'NtUserGetMenuIndex', # 0x1b1
    'NtUserGetMenuItemRect', # 0x1b2
    'NtUserGetMessage', # 0x1b3
    'NtUserGetMouseMovePointsEx', # 0x1b4
    'NtUserGetObjectInformation', # 0x1b5
    'NtUserGetOpenClipboardWindow', # 0x1b6
    'NtUserGetPriorityClipboardFormat', # 0x1b7
    'NtUserGetProcessWindowStation', # 0x1b8
    'NtUserGetRawInputBuffer', # 0x1b9
    'NtUserGetRawInputData', # 0x1ba
    'NtUserGetRawInputDeviceInfo', # 0x1bb
    'NtUserGetRawInputDeviceList', # 0x1bc
    'NtUserGetRegisteredRawInputDevices', # 0x1bd
    'NtUserGetScrollBarInfo', # 0x1be
    'NtUserGetSystemMenu', # 0x1bf
    'NtUserGetThreadDesktop', # 0x1c0
    'NtUserGetThreadState', # 0x1c1
    'NtUserGetTitleBarInfo', # 0x1c2
    'NtUserGetUpdatedClipboardFormats', # 0x1c3
    'NtUserGetUpdateRect', # 0x1c4
    'NtUserGetUpdateRgn', # 0x1c5
    'NtUserGetWindowDC', # 0x1c6
    'NtUserGetWindowPlacement', # 0x1c7
    'NtUserGetWOWClass', # 0x1c8
    'NtUserGhostWindowFromHungWindow', # 0x1c9
    'NtUserHardErrorControl', # 0x1ca
    'NtUserHideCaret', # 0x1cb
    'NtUserHiliteMenuItem', # 0x1cc
    'NtUserHungWindowFromGhostWindow', # 0x1cd
    'NtUserImpersonateDdeClientWindow', # 0x1ce
    'NtUserInitialize', # 0x1cf
    'NtUserInitializeClientPfnArrays', # 0x1d0
    'NtUserInitTask', # 0x1d1
    'NtUserInternalGetWindowText', # 0x1d2
    'NtUserInternalGetWindowIcon', # 0x1d3
    'NtUserInvalidateRect', # 0x1d4
    'NtUserInvalidateRgn', # 0x1d5
    'NtUserIsClipboardFormatAvailable', # 0x1d6
    'NtUserKillTimer', # 0x1d7
    'NtUserLoadKeyboardLayoutEx', # 0x1d8
    'NtUserLockWindowStation', # 0x1d9
    'NtUserLockWindowUpdate', # 0x1da
    'NtUserLockWorkStation', # 0x1db
    'NtUserLogicalToPhysicalPoint', # 0x1dc
    'NtUserMapVirtualKeyEx', # 0x1dd
    'NtUserMenuItemFromPoint', # 0x1de
    'NtUserMessageCall', # 0x1df
    'NtUserMinMaximize', # 0x1e0
    'NtUserMNDragLeave', # 0x1e1
    'NtUserMNDragOver', # 0x1e2
    'NtUserModifyUserStartupInfoFlags', # 0x1e3
    'NtUserMoveWindow', # 0x1e4
    'NtUserNotifyIMEStatus', # 0x1e5
    'NtUserNotifyProcessCreate', # 0x1e6
    'NtUserNotifyWinEvent', # 0x1e7
    'NtUserOpenClipboard', # 0x1e8
    'NtUserOpenDesktop', # 0x1e9
    'NtUserOpenInputDesktop', # 0x1ea
    'NtUserOpenThreadDesktop', # 0x1eb
    'NtUserOpenWindowStation', # 0x1ec
    'NtUserPaintDesktop', # 0x1ed
    'NtUserPaintMonitor', # 0x1ee
    'NtUserPeekMessage', # 0x1ef
    'NtUserPhysicalToLogicalPoint', # 0x1f0
    'NtUserPostMessage', # 0x1f1
    'NtUserPostThreadMessage', # 0x1f2
    'NtUserPrintWindow', # 0x1f3
    'NtUserProcessConnect', # 0x1f4
    'NtUserQueryInformationThread', # 0x1f5
    'NtUserQueryInputContext', # 0x1f6
    'NtUserQuerySendMessage', # 0x1f7
    'NtUserQueryWindow', # 0x1f8
    'NtUserRealChildWindowFromPoint', # 0x1f9
    'NtUserRealInternalGetMessage', # 0x1fa
    'NtUserRealWaitMessageEx', # 0x1fb
    'NtUserRedrawWindow', # 0x1fc
    'NtUserRegisterClassExWOW', # 0x1fd
    'NtUserRegisterErrorReportingDialog', # 0x1fe
    'NtUserRegisterUserApiHook', # 0x1ff
    'NtUserRegisterHotKey', # 0x200
    'NtUserRegisterRawInputDevices', # 0x201
    'NtUserRegisterTasklist', # 0x202
    'NtUserRegisterWindowMessage', # 0x203
    'NtUserRemoveClipboardFormatListener', # 0x204
    'NtUserRemoveMenu', # 0x205
    'NtUserRemoveProp', # 0x206
    'NtUserResolveDesktop', # 0x207
    'NtUserResolveDesktopForWOW', # 0x208
    'NtUserSBGetParms', # 0x209
    'NtUserScrollDC', # 0x20a
    'NtUserScrollWindowEx', # 0x20b
    'NtUserSelectPalette', # 0x20c
    'NtUserSendInput', # 0x20d
    'NtUserSetActiveWindow', # 0x20e
    'NtUserSetAppImeLevel', # 0x20f
    'NtUserSetCapture', # 0x210
    'NtUserSetClassLong', # 0x211
    'NtUserSetClassWord', # 0x212
    'NtUserSetClipboardData', # 0x213
    'NtUserSetClipboardViewer', # 0x214
    'NtUserSetConsoleReserveKeys', # 0x215
    'NtUserSetCursor', # 0x216
    'NtUserSetCursorContents', # 0x217
    'NtUserSetCursorIconData', # 0x218
    'NtUserSetFocus', # 0x219
    'NtUserSetImeHotKey', # 0x21a
    'NtUserSetImeInfoEx', # 0x21b
    'NtUserSetImeOwnerWindow', # 0x21c
    'NtUserSetInformationProcess', # 0x21d
    'NtUserSetInformationThread', # 0x21e
    'NtUserSetInternalWindowPos', # 0x21f
    'NtUserSetKeyboardState', # 0x220
    'NtUserSetMenu', # 0x221
    'NtUserSetMenuContextHelpId', # 0x222
    'NtUserSetMenuDefaultItem', # 0x223
    'NtUserSetMenuFlagRtoL', # 0x224
    'NtUserSetObjectInformation', # 0x225
    'NtUserSetParent', # 0x226
    'NtUserSetProcessWindowStation', # 0x227
    'NtUserGetProp', # 0x228
    'NtUserSetProp', # 0x229
    'NtUserSetScrollInfo', # 0x22a
    'NtUserSetShellWindowEx', # 0x22b
    'NtUserSetSysColors', # 0x22c
    'NtUserSetSystemCursor', # 0x22d
    'NtUserSetSystemMenu', # 0x22e
    'NtUserSetSystemTimer', # 0x22f
    'NtUserSetThreadDesktop', # 0x230
    'NtUserSetThreadLayoutHandles', # 0x231
    'NtUserSetThreadState', # 0x232
    'NtUserSetTimer', # 0x233
    'NtUserSetProcessDPIAware', # 0x234
    'NtUserSetWindowFNID', # 0x235
    'NtUserSetWindowLong', # 0x236
    'NtUserSetWindowPlacement', # 0x237
    'NtUserSetWindowPos', # 0x238
    'NtUserSetWindowRgn', # 0x239
    'NtUserGetWindowRgnEx', # 0x23a
    'NtUserSetWindowRgnEx', # 0x23b
    'NtUserSetWindowsHookAW', # 0x23c
    'NtUserSetWindowsHookEx', # 0x23d
    'NtUserSetWindowStationUser', # 0x23e
    'NtUserSetWindowWord', # 0x23f
    'NtUserSetWinEventHook', # 0x240
    'NtUserShowCaret', # 0x241
    'NtUserShowScrollBar', # 0x242
    'NtUserShowWindow', # 0x243
    'NtUserShowWindowAsync', # 0x244
    'NtUserSoundSentry', # 0x245
    'NtUserSwitchDesktop', # 0x246
    'NtUserSystemParametersInfo', # 0x247
    'NtUserTestForInteractiveUser', # 0x248
    'NtUserThunkedMenuInfo', # 0x249
    'NtUserThunkedMenuItemInfo', # 0x24a
    'NtUserToUnicodeEx', # 0x24b
    'NtUserTrackMouseEvent', # 0x24c
    'NtUserTrackPopupMenuEx', # 0x24d
    'NtUserCalcMenuBar', # 0x24e
    'NtUserPaintMenuBar', # 0x24f
    'NtUserTranslateAccelerator', # 0x250
    'NtUserTranslateMessage', # 0x251
    'NtUserUnhookWindowsHookEx', # 0x252
    'NtUserUnhookWinEvent', # 0x253
    'NtUserUnloadKeyboardLayout', # 0x254
    'NtUserUnlockWindowStation', # 0x255
    'NtUserUnregisterClass', # 0x256
    'NtUserUnregisterUserApiHook', # 0x257
    'NtUserUnregisterHotKey', # 0x258
    'NtUserUpdateInputContext', # 0x259
    'NtUserUpdateInstance', # 0x25a
    'NtUserUpdateLayeredWindow', # 0x25b
    'NtUserGetLayeredWindowAttributes', # 0x25c
    'NtUserSetLayeredWindowAttributes', # 0x25d
    'NtUserUpdatePerUserSystemParameters', # 0x25e
    'NtUserUserHandleGrantAccess', # 0x25f
    'NtUserValidateHandleSecure', # 0x260
    'NtUserValidateRect', # 0x261
    'NtUserValidateTimerCallback', # 0x262
    'NtUserVkKeyScanEx', # 0x263
    'NtUserWaitForInputIdle', # 0x264
    'NtUserWaitForMsgAndEvent', # 0x265
    'NtUserWaitMessage', # 0x266
    'NtUserWin32PoolAllocationStats', # 0x267
    'NtUserWindowFromPhysicalPoint', # 0x268
    'NtUserWindowFromPoint', # 0x269
    'NtUserYieldTask', # 0x26a
    'NtUserRemoteConnect', # 0x26b
    'NtUserRemoteRedrawRectangle', # 0x26c
    'NtUserRemoteRedrawScreen', # 0x26d
    'NtUserRemoteStopScreenUpdates', # 0x26e
    'NtUserCtxDisplayIOCtl', # 0x26f
    'NtUserRegisterSessionPort', # 0x270
    'NtUserUnregisterSessionPort', # 0x271
    'NtUserUpdateWindowTransform', # 0x272
    'NtUserDwmStartRedirection', # 0x273
    'NtUserDwmStopRedirection', # 0x274
    'NtUserDwmHintDxUpdate', # 0x275
    'NtUserDwmGetDxRgn', # 0x276
    'NtUserGetWindowMinimizeRect', # 0x277
    'NtGdiEngAssociateSurface', # 0x278
    'NtGdiEngCreateBitmap', # 0x279
    'NtGdiEngCreateDeviceSurface', # 0x27a
    'NtGdiEngCreateDeviceBitmap', # 0x27b
    'NtGdiEngCreatePalette', # 0x27c
    'NtGdiEngComputeGlyphSet', # 0x27d
    'NtGdiEngCopyBits', # 0x27e
    'NtGdiEngDeletePalette', # 0x27f
    'NtGdiEngDeleteSurface', # 0x280
    'NtGdiEngEraseSurface', # 0x281
    'NtGdiEngUnlockSurface', # 0x282
    'NtGdiEngLockSurface', # 0x283
    'NtGdiEngBitBlt', # 0x284
    'NtGdiEngStretchBlt', # 0x285
    'NtGdiEngPlgBlt', # 0x286
    'NtGdiEngMarkBandingSurface', # 0x287
    'NtGdiEngStrokePath', # 0x288
    'NtGdiEngFillPath', # 0x289
    'NtGdiEngStrokeAndFillPath', # 0x28a
    'NtGdiEngPaint', # 0x28b
    'NtGdiEngLineTo', # 0x28c
    'NtGdiEngAlphaBlend', # 0x28d
    'NtGdiEngGradientFill', # 0x28e
    'NtGdiEngTransparentBlt', # 0x28f
    'NtGdiEngTextOut', # 0x290
    'NtGdiEngStretchBltROP', # 0x291
    'NtGdiXLATEOBJ_cGetPalette', # 0x292
    'NtGdiXLATEOBJ_iXlate', # 0x293
    'NtGdiXLATEOBJ_hGetColorTransform', # 0x294
    'NtGdiCLIPOBJ_bEnum', # 0x295
    'NtGdiCLIPOBJ_cEnumStart', # 0x296
    'NtGdiCLIPOBJ_ppoGetPath', # 0x297
    'NtGdiEngDeletePath', # 0x298
    'NtGdiEngCreateClip', # 0x299
    'NtGdiEngDeleteClip', # 0x29a
    'NtGdiBRUSHOBJ_ulGetBrushColor', # 0x29b
    'NtGdiBRUSHOBJ_pvAllocRbrush', # 0x29c
    'NtGdiBRUSHOBJ_pvGetRbrush', # 0x29d
    'NtGdiBRUSHOBJ_hGetColorTransform', # 0x29e
    'NtGdiXFORMOBJ_bApplyXform', # 0x29f
    'NtGdiXFORMOBJ_iGetXform', # 0x2a0
    'NtGdiFONTOBJ_vGetInfo', # 0x2a1
    'NtGdiFONTOBJ_pxoGetXform', # 0x2a2
    'NtGdiFONTOBJ_cGetGlyphs', # 0x2a3
    'NtGdiFONTOBJ_pifi', # 0x2a4
    'NtGdiFONTOBJ_pfdg', # 0x2a5
    'NtGdiFONTOBJ_pQueryGlyphAttrs', # 0x2a6
    'NtGdiFONTOBJ_pvTrueTypeFontFile', # 0x2a7
    'NtGdiFONTOBJ_cGetAllGlyphHandles', # 0x2a8
    'NtGdiSTROBJ_bEnum', # 0x2a9
    'NtGdiSTROBJ_bEnumPositionsOnly', # 0x2aa
    'NtGdiSTROBJ_bGetAdvanceWidths', # 0x2ab
    'NtGdiSTROBJ_vEnumStart', # 0x2ac
    'NtGdiSTROBJ_dwGetCodePage', # 0x2ad
    'NtGdiPATHOBJ_vGetBounds', # 0x2ae
    'NtGdiPATHOBJ_bEnum', # 0x2af
    'NtGdiPATHOBJ_vEnumStart', # 0x2b0
    'NtGdiPATHOBJ_vEnumStartClipLines', # 0x2b1
    'NtGdiPATHOBJ_bEnumClipLines', # 0x2b2
    'NtGdiGetDhpdev', # 0x2b3
    'NtGdiEngCheckAbort', # 0x2b4
    'NtGdiHT_Get8BPPFormatPalette', # 0x2b5
    'NtGdiHT_Get8BPPMaskPalette', # 0x2b6
    'NtGdiUpdateTransform', # 0x2b7
    'NtGdiSetPUMPDOBJ', # 0x2b8
    'NtGdiBRUSHOBJ_DeleteRbrush', # 0x2b9
    'NtGdiUMPDEngFreeUserMem', # 0x2ba
    'NtGdiDrawStream', # 0x2bb
    'NtGdiDwmGetDirtyRgn', # 0x2bc
    'NtGdiDwmGetSurfaceData', # 0x2bd
    'NtGdiDdDDICreateAllocation', # 0x2be
    'NtGdiDdDDIQueryResourceInfo', # 0x2bf
    'NtGdiDdDDIOpenResource', # 0x2c0
    'NtGdiDdDDIDestroyAllocation', # 0x2c1
    'NtGdiDdDDISetAllocationPriority', # 0x2c2
    'NtGdiDdDDIQueryAllocationResidency', # 0x2c3
    'NtGdiDdDDICreateDevice', # 0x2c4
    'NtGdiDdDDIDestroyDevice', # 0x2c5
    'NtGdiDdDDICreateContext', # 0x2c6
    'NtGdiDdDDIDestroyContext', # 0x2c7
    'NtGdiDdDDICreateSynchronizationObject', # 0x2c8
    'NtGdiDdDDIDestroySynchronizationObject', # 0x2c9
    'NtGdiDdDDIWaitForSynchronizationObject', # 0x2ca
    'NtGdiDdDDISignalSynchronizationObject', # 0x2cb
    'NtGdiDdDDIGetRuntimeData', # 0x2cc
    'NtGdiDdDDIQueryAdapterInfo', # 0x2cd
    'NtGdiDdDDILock', # 0x2ce
    'NtGdiDdDDIUnlock', # 0x2cf
    'NtGdiDdDDIGetDisplayModeList', # 0x2d0
    'NtGdiDdDDISetDisplayMode', # 0x2d1
    'NtGdiDdDDIGetMultisampleMethodList', # 0x2d2
    'NtGdiDdDDIPresent', # 0x2d3
    'NtGdiDdDDIRender', # 0x2d4
    'NtGdiDdDDIOpenAdapterFromDeviceName', # 0x2d5
    'NtGdiDdDDIOpenAdapterFromHdc', # 0x2d6
    'NtGdiDdDDICloseAdapter', # 0x2d7
    'NtGdiDdDDIGetSharedPrimaryHandle', # 0x2d8
    'NtGdiDdDDIEscape', # 0x2d9
    'NtGdiDdDDIQueryStatistics', # 0x2da
    'NtGdiDdDDISetVidPnSourceOwner', # 0x2db
    'NtGdiDdDDIGetPresentHistory', # 0x2dc
    'NtGdiDdDDICreateOverlay', # 0x2dd
    'NtGdiDdDDIUpdateOverlay', # 0x2de
    'NtGdiDdDDIFlipOverlay', # 0x2df
    'NtGdiDdDDIDestroyOverlay', # 0x2e0
    'NtGdiDdDDIWaitForVerticalBlankEvent', # 0x2e1
    'NtGdiDdDDISetGammaRamp', # 0x2e2
    'NtGdiDdDDIGetDeviceState', # 0x2e3
    'NtGdiDdDDICreateDCFromMemory', # 0x2e4
    'NtGdiDdDDIDestroyDCFromMemory', # 0x2e5
    'NtGdiDdDDISetContextSchedulingPriority', # 0x2e6
    'NtGdiDdDDIGetContextSchedulingPriority', # 0x2e7
    'NtGdiDdDDISetProcessSchedulingPriorityClass', # 0x2e8
    'NtGdiDdDDIGetProcessSchedulingPriorityClass', # 0x2e9
    'NtGdiDdDDIReleaseProcessVidPnSourceOwners', # 0x2ea
    'NtGdiDdDDIGetScanLine', # 0x2eb
    'NtGdiDdDDISetQueuedLimit', # 0x2ec
    'NtGdiDdDDIPollDisplayChildren', # 0x2ed
    'NtGdiDdDDIInvalidateActiveVidPn', # 0x2ee
    'NtGdiDdDDICheckOcclusion', # 0x2ef
    'NtGdiDdDDIWaitForIdle', # 0x2f0
    'NtGdiDdDDICheckMonitorPowerState', # 0x2f1
    'NtGdiDdDDICheckExclusiveOwnership', # 0x2f2
    'NtGdiDdDDISetDisplayPrivateDriverFormat', # 0x2f3
    'NtGdiDdDDISharedPrimaryLockNotification', # 0x2f4
    'NtGdiDdDDISharedPrimaryUnLockNotification', # 0x2f5
    'DxgStubEnableDirectDrawRedirection', # 0x2f6
    'DxgStubDeleteDirectDrawObject', # 0x2f7
    'NtGdiGetNumberOfPhysicalMonitors', # 0x2f8
    'NtGdiGetPhysicalMonitors', # 0x2f9
    'NtGdiGetPhysicalMonitorDescription', # 0x2fa
    'NtGdiDestroyPhysicalMonitor', # 0x2fb
    'NtGdiDDCCIGetVCPFeature', # 0x2fc
    'NtGdiDDCCISetVCPFeature', # 0x2fd
    'NtGdiDDCCISaveCurrentSettings', # 0x2fe
    'NtGdiDDCCIGetCapabilitiesStringLength', # 0x2ff
    'NtGdiDDCCIGetCapabilitiesString', # 0x300
    'NtGdiDDCCIGetTimingReport', # 0x301
    'NtUserSetMirrorRendering', # 0x302
    'NtUserShowSystemCursor', # 0x303
    ],
]
volatility-2.3.1/volatility/plugins/overlays/__init__.py
volatility-2.3.1/volatility/plugins/overlays/native_types.py
import copy

## The following is a conversion of basic C99 types to python struct
## format strings. NOTE: since volatility is analysing images which
## are not necessarily the same bit size as the currently running
## platform you may not use platform specific format specifiers here
## like l or L - you must use i or I.
x86_native_types = {
    'int' : [4, 'H'],
    'short' : [2, '
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import re,copy
import sys, os
import zipfile
import struct
import time

import volatility.plugins as plugins
import volatility.debug as debug
import volatility.obj as obj
import volatility.plugins.overlays.basic as basic
import volatility.addrspace as addrspace
import volatility.scan as scan
import volatility.plugins.addrspaces.amd64 as amd64
import volatility.plugins.addrspaces.intel as intel
import volatility.plugins.overlays.native_types as native_types
import volatility.utils as utils
import volatility.plugins.mac.common as common

x64_native_types = copy.deepcopy(native_types.x64_native_types)

x64_native_types['long'] = [8, ' 0xffffff8000000000:
            ret = ret - 0xffffff8000000000

        return ret

    ## Based off volafox's method for finding vm_kernel_shift through loGlo & hardcoded Catfish
    def _get_dtb_m_lion(self):
        tbl = self.obj_vm.profile.sys_map["kernel"]
        config = self.obj_vm.get_config()

        if config.SHIFT:
            shift_address = config.SHIFT
        else:
            scanner = catfishScan(needles = ["Catfish \x00\x00"])
            for catfish_offset in scanner.scan(self.obj_vm):
                shift_address = catfish_offset - (tbl["_lowGlo"][0][0] % 0xFFFFFF80)
                break

        self.obj_vm.profile.shift_address = shift_address

        bootpml4 = (tbl["_BootPML4"][0][0] % 0xFFFFFF80) + shift_address
        boot_pml4_dtb = amd64.AMD64PagedMemory(self.obj_vm, config, dtb = bootpml4)

        idlepml4_addr = (tbl['_IdlePML4'][0][0]) + shift_address
        idlepml4_ptr = obj.Object("unsigned int", offset = idlepml4_addr, vm = boot_pml4_dtb)

        return idlepml4_ptr.v()

    def generate_suggestions(self):
        profile = self.obj_vm.profile
        bootpml = profile.get_symbol("_BootPML4")

        if bootpml:
            ret = self._get_dtb_m_lion()
        else:
            ret = self._get_dtb_pre_m_lion()

        yield ret

class VolatilityMacIntelValidAS(obj.VolatilityMagic):
    """An object to check that an address space is a valid Mac Intel Paged space"""

    def _set_profile_metadata(self, version):
        start = version[len("Darwin Kernel Version "):]
        idx = start.find(":")
        (major, minor, _) = [int(x) for x in start[:idx].split(".")]

        setattr(self.obj_vm.profile, '_md_major', major)
        setattr(self.obj_vm.profile, '_md_minor', minor)

    def generate_suggestions(self):
        version_addr = self.obj_vm.profile.get_symbol("_version")

        string = self.obj_vm.read(version_addr, 60)

        if string.startswith("Darwin"):
            self._set_profile_metadata(string)
            yield True
        else:
            yield False

class vnode(obj.CType):
    def _do_calc_path(self, ret, vnodeobj, vname):
        if vnodeobj == None:
            return

        if vname:
            ret.append(vname)

        if vnodeobj.v_flag.v() & 0x000001 != 0 and vnodeobj.v_mount.v() != 0:
            if vnodeobj.v_mount.mnt_vnodecovered.v() != 0:
                self._do_calc_path(ret, vnodeobj.v_mount.mnt_vnodecovered, vnodeobj.v_mount.mnt_vnodecovered.v_name)
        else:
            self._do_calc_path(ret, vnodeobj.v_parent, vnodeobj.v_parent.v_name)

    def full_path(self):
        if self.v_flag.v() & 0x000001 != 0 and self.v_mount.v() != 0 and self.v_mount.mnt_flag.v() & 0x00004000 != 0:
            ret = "/"
        else:
            elements = []
            files = []

            self._do_calc_path(elements, self, self.v_name)
            elements.reverse()

            for e in elements:
                files.append(str(e.dereference()))

            ret = "/".join(files)
            if ret:
                ret = "/" + ret

        return ret

class proc(obj.CType):
    @property
    def p_gid(self):
        cred = self.p_ucred

        if not cred.is_valid():
            return "-"

        if hasattr(cred, "cr_posix"):
            ret = cred.cr_posix.cr_groups[0]
        else:
            ret = cred.cr_groups[0]

        return ret

    @property
    def p_uid(self):
        cred = self.p_ucred

        if not cred.is_valid():
            return "-"

        if hasattr(cred, "cr_posix"):
            ret = cred.cr_posix.cr_uid
        else:
            ret = cred.cr_uid

        return ret

    def get_process_address_space(self):
        cr3 = self.task.map.pmap.pm_cr3
        map_val = str(self.task.map.pmap.pm_task_map or '')

        # if the machine is 64 bit capable
        is_64bit_cap = common.is_64bit_capable(self.obj_vm)

        if map_val == "TASK_MAP_32BIT" and is_64bit_cap:
            # A 32 bit process on a 64 bit system, requires 64 bit paging

            # Catch exceptions when trying to get a process AS for kernel_task
            # which isn't really even a process. It needs to use the default cr3
            try:
                proc_as = amd64.AMD64PagedMemory(self.obj_vm.base, self.obj_vm.get_config(), dtb = cr3, skip_as_check = True)
            except IOError:
                proc_as = self.obj_vm

        elif map_val == "TASK_MAP_32BIT":
            # A 32 bit process on a 32 bit system need
            # bypass b/c no sharing of address space

            proc_as = intel.IA32PagedMemoryPae(self.obj_vm.base, self.obj_vm.get_config(), dtb = cr3, skip_as_check = True)

        elif (map_val == "TASK_MAP_64BIT_SHARED" and
                self.obj_vm.profile.metadata.get('memory_model', '32bit') == "32bit"):
            # A 64 bit process running on a 32 bit system
            proc_as = amd64.AMD64PagedMemory(self.obj_vm.base, self.obj_vm.get_config(), dtb = cr3, skip_as_check = True)

        elif map_val in ["TASK_MAP_64BIT", "TASK_MAP_64BIT_SHARED"]:
            # A 64 bit process on a 64 bit system
            cr3 &= 0xFFFFFFE0
            proc_as = amd64.AMD64PagedMemory(self.obj_vm.base, self.obj_vm.get_config(), dtb = cr3, skip_as_check = True)
        else:
            proc_as = obj.NoneObject("Cannot get process AS for pm_task_map: {0}".format(map_val))

        return proc_as

    def start_time(self):
        nsecs_per = 1000000

        start_time = self.p_start
        start_secs = start_time.tv_sec + (start_time.tv_usec / nsecs_per)

        # convert the integer as little endian. we catch struct.error
        # here because if the process has exited (i.e. detected with mac_dead_procs)
        # then the timestamp may not be valid. start_secs could be negative
        # or higher than can fit in a 32-bit "I" integer field.
        try:
            data = struct.pack(" 0:
            arg = obj.Object("String", offset = argsstart, vm = proc_as, length = 256)

            if not arg:
                break

            # Initial address of the next string
            argsstart += len(str(arg)) + 1

            # Very first one is aligned in some crack ass way
            if len(args) == 0:
                while (proc_as.read(argsstart, 1) == "\x00" and argsstart < self.user_stack):
                    argsstart += 1

                args.append(arg)
            else:
                # Only add this string if it's not a duplicate of the first
                if str(arg) != str(args[0]):
                    args.append(arg)

            argc -= 1

        return " ".join([str(s) for s in args])

class rtentry(obj.CType):
    def get_time(self):
        if not hasattr(self, "base_calendartime"):
            return "N/A"

        data = struct.pack(" addr and name not in want_lower:
                    pass
                else:
                    sys_map[module][name] = [(addr, "sym type?")]
            else:
                sys_map[module][name] = [(addr, "sym type?")]

        elif line.find("Symbol table for") != -1:
            if line.find("i386") != -1:
                arch = "32bit"
            else:
                arch = "64bit"

    if arch == "":
        return None

    return arch, sys_map

def MacProfileFactory(profpkg):

    vtypesvar = {}
    sysmapvar = {}

    memmodel, arch = "32bit", "x86"
    profilename = os.path.splitext(os.path.basename(profpkg.filename))[0]

    for f in profpkg.filelist:
        if 'symbol.dsymutil' in f.filename.lower():
            memmodel, sysmap = parse_dsymutil(profpkg.read(f.filename), "kernel")
            if memmodel == "64bit":
                arch = "x64"

            sysmapvar.update(sysmap)
            debug.debug("{2}: Found system file {0} with {1} symbols".format(f.filename, len(sysmapvar.keys()), profilename))

        elif f.filename.endswith(".vtypes"):
            v = exec_vtypes(profpkg.read(f.filename))
            vtypesvar.update(v)

    if not sysmapvar or not vtypesvar:
        # Might be worth throwing an exception here?
        return None

    class AbstractMacProfile(obj.Profile):
        __doc__ = "A Profile for Mac " + profilename + " " + arch
        _md_os = "mac"
        _md_memory_model = memmodel
        native_mapping = {'32bit': native_types.x86_native_types,
                          '64bit': x64_native_types}

        def __init__(self, *args, **kwargs):
            self.sys_map = {}
            self.shift_address = 0
            obj.Profile.__init__(self, *args, **kwargs)

        def clear(self):
            """Clear out the system map, and everything else"""
            self.sys_map = {}
            obj.Profile.clear(self)

        def reset(self):
            """Reset the vtypes, sysmap and apply modifications, then compile"""
            self.clear()
            self.load_vtypes()
            self.load_sysmap()
            self.load_modifications()
            self.compile()

        def load_vtypes(self):
            """Loads up the vtypes data"""
            ntvar = self.metadata.get('memory_model', '32bit')
            self.native_types = copy.deepcopy(self.native_mapping.get(ntvar))

            self.vtypes.update(vtypesvar)

        def load_sysmap(self):
            """Loads up the system map data"""
            self.sys_map.update(sysmapvar)

        # Returns a list of (name, addr)
        def get_all_symbols(self, module = "kernel"):
            """ Gets all the symbol tuples for the given module """
            ret = []

            symtable = self.sys_map

            if module in symtable:
                mod = symtable[module]

                for (name, addrs) in mod.items():
                    addr = addrs[0][0]
                    if self.shift_address and addr:
                        addr = addr + self.shift_address

                    ret.append([name, addr])
            else:
                debug.info("All symbols requested for non-existent module %s" % module)

            return ret

        def get_all_addresses(self, module = "kernel"):
            """ Gets all the symbol addresses for the given module """

            # returns a hash table for quick looks
            # the main use of this function is to see if an address is known
            ret = {}

            symbols = self.get_all_symbols(module)

            for (_name, addr) in symbols:
                ret[addr] = 1

            return ret

        def get_symbol_by_address(self, module, sym_address):
            ret = ""
            symtable = self.sys_map

            mod = symtable[module]

            for (name, addrs) in mod.items():
                for (addr, addr_type) in addrs:
                    if sym_address == addr or sym_address == self.shift_address + addr:
                        ret = name
                        break

            return ret

        def get_all_symbol_names(self, module = "kernel"):
            symtable = self.sys_map

            if module in symtable:
                ret = symtable[module].keys()
            else:
                debug.error("get_all_symbol_names called on non-existent module")

            return ret

        def get_next_symbol_address(self, sym_name, module = "kernel"):
            """
            This is used to find the address of the next symbol in the profile
            For some data structures, we cannot determine their size automatically so this
            can be used to figure it out on the fly
            """

            high_addr = 0xffffffffffffffff
            table_addr = self.get_symbol(sym_name, module = module)

            addrs = self.get_all_addresses(module = module)

            for addr in addrs.keys():
                if table_addr < addr < high_addr:
                    high_addr = addr

            return high_addr

        def get_symbol(self, sym_name, nm_type = "", module = "kernel"):
            """Gets a symbol out of the profile

            sym_name -> name of the symbol
            nm_type -> types as defined by 'nm' (man nm for examples)
            module -> which module to get the symbol from, default is kernel, otherwise can be any name seen in 'lsmod'

            This fixes a few issues from the old static hash table method:
            1) Conflicting symbols can be handled, if a symbol is found to conflict on any profile,
               then the plugin will need to provide the nm_type to differentiate, otherwise the plugin will be errored out
            2) Can handle symbols gathered from modules on disk as well from the static kernel

            symtable is stored as a hash table of:

            symtable[module][sym_name] = [(symbol address, symbol type), (symbol address, symbol type), ...]

            The function has overly verbose error checking on purpose...
            """

            symtable = self.sys_map

            ret = None

            # check if the module is there...
            if module in symtable:

                mod = symtable[module]

                # check if the requested symbol is in the module
                if sym_name in mod:

                    sym_list = mod[sym_name]

                    # if a symbol has multiple definitions, then the plugin needs to specify the type
                    if len(sym_list) > 1:
                        if nm_type == "":
                            debug.error("Requested symbol {0:s} in module {1:s} has multiple definitions and no type given\n".format(sym_name, module))
                        else:
                            for (addr, stype) in sym_list:

                                if stype == nm_type:
                                    ret = addr
                                    break

                            if ret == None:
                                debug.error("Requested symbol {0:s} in module {1:s} could not be found\n".format(sym_name, module))

                    else:
                        # get the address of the symbol
                        ret = sym_list[0][0]
                else:
                    debug.debug("Requested symbol {0:s} not found in module {1:s}\n".format(sym_name, module))
            else:
                debug.info("Requested module {0:s} not found in symbol table\n".format(module))

            if self.shift_address and ret:
                ret = ret + self.shift_address

            return ret

    cls = AbstractMacProfile
    cls.__name__ = 'Mac' + profilename.replace('.', '_') + arch
    return cls

################################
# Track down the zip files
# Push them through the factory
# Check whether ProfileModifications will work

new_classes = []

for path in set(plugins.__path__):
    for path, _, files in os.walk(path):
        for fn in files:
            if zipfile.is_zipfile(os.path.join(path, fn)):
                new_classes.append(MacProfileFactory(zipfile.ZipFile(os.path.join(path, fn))))

class MacOverlay(obj.ProfileModification):
    conditions = {'os': lambda x: x == 'mac'}
    before = ['BasicObjectClasses']

    def modification(self, profile):
        profile.merge_overlay(mac_overlay)

class MacObjectClasses(obj.ProfileModification):

    conditions = {'os': lambda x: x == 'mac'}
    before = ['BasicObjectClasses']

    def modification(self, profile):
        profile.object_classes.update({
            'VolatilityDTB': VolatilityDTB,
            'VolatilityMacIntelValidAS' : VolatilityMacIntelValidAS,
            'proc' : proc,
            'vnode' : vnode,
            'socket' : socket,
            'zone' : zone,
            'OSString' : OSString,
            'OSString_class' : OSString,
            'sysctl_oid' : sysctl_oid,
            'IpAddress': basic.IpAddress,
            'Ipv6Address': basic.Ipv6Address,
            'sockaddr' : sockaddr,
            'sockaddr_dl' : sockaddr_dl,
            'vm_map_entry' : vm_map_entry,
            'rtentry' : rtentry,
            'queue_entry' : queue_entry,
        })

mac_overlay = {
    'VOLATILITY_MAGIC': [None, {
        'DTB' : [ 0x0, ['VolatilityDTB', dict(configname = "DTB")]],
        'IA32ValidAS' : [ 0x0, ['VolatilityMacIntelValidAS']],
        'AMD64ValidAS' : [ 0x0, ['VolatilityMacIntelValidAS']],
        }],

    'session' : [ None, {
        's_login' : [ None , ['String', dict(length = 256)]],
        }],

    'kfs_event' : [ None, {
        'str' : [ None, ['pointer', ['String', dict(length = 256)]]],
        }],

    'zone' : [ None, {
        'zone_name': [ None, ['pointer', ['String', dict(length = 256)]]],
        }],

    'mac_policy_conf' : [ None, {
        'mpc_name' : [ None, ['pointer', ['String', dict(length = 256)]]],
        }],

    'proc' : [ None, {
        'p_comm' : [ None, ['String', dict(length = 17)]],
        'task' : [ None, ['pointer', ['task']]],
        }],

    'ifnet' : [ None, {
        'if_name' : [ None, ['pointer', ['String', dict(length = 256)]]],
        }],

    'vnode' : [ None, {
        'v_name' : [ None, ['pointer', ['String', dict(length = 256)]]],
        }],

    'boot_args' : [ None, {
        'CommandLine' : [ None, ['String', dict(length = 1024)]],
        }],

    'vfsstatfs' : [ None, {
        'f_fstypename' : [ None, ['String', dict(length = 16)]],
        'f_mntonname' : [ None, ['String', dict(length = 1024)]],
        'f_mntfromname' : [ None, ['String', dict(length = 1024)]],
        }],

    'kmod_info' : [ None, {
        'name' : [ None, ['String', dict(length = 64)]],
        'version' : [ None, ['String', dict(length = 64)]],
        }],

    'ipf_filter' : [ None, {
        'name' : [ None, ['pointer', ['String', dict(length = 256)]]],
        }],

    'sysctl_oid' : [ None, {
        'oid_name' : [ None, ['pointer', ['String', dict(length = 256)]]],
        }],

    'sockaddr_un': [ None, {
        'sun_path' : [ None, ['String', dict(length = 104)]],
        }],

    'in_addr' : [ None, {
        's_addr' : [ None, ['IpAddress']],
        }],

    'in6_addr' : [ None, {
        '__u6_addr' : [ None, ['Ipv6Address']],
        }],

    'inpcb' : [ None, {
        'inp_lport' : [ None, ['unsigned be short']],
        'inp_fport' : [ None, ['unsigned be short']],
        }],
}
volatility-2.3.1/volatility/plugins/overlays/mac/__init__.py
volatility-2.3.1/volatility/plugins/mftparser.py
# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (C) 2011 Jamie Levy (Gleeda)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
# """ @author: Jamie Levy (gleeda) @license: GNU General Public License 2.0 @contact: jamie.levy@gmail.com @organization: Volatility Foundation """ # Information for this script taken heavily from File System Forensic Analysis by Brian Carrier import volatility.plugins.common as common import volatility.scan as scan import volatility.utils as utils import volatility.addrspace as addrspace import volatility.obj as obj import struct import binascii ATTRIBUTE_TYPE_ID = { 0x10:"STANDARD_INFORMATION", 0x20:"ATTRIBUTE_LIST", 0x30:"FILE_NAME", 0x40:"OBJECT_ID", 0x50:"SECURITY_DESCRIPTOR", 0x60:"VOLUME_NAME", 0x70:"VOLUME_INFORMATION", 0x80:"DATA", 0x90:"INDEX_ROOT", 0xa0:"INDEX_ALLOCATION", 0xb0:"BITMAP", 0xc0:"REPARSE_POINT", 0xd0:"EA_INFORMATION", #Extended Attribute 0xe0:"EA", 0xf0:"PROPERTY_SET", 0x100:"LOGGED_UTILITY_STREAM", } VERBOSE_STANDARD_INFO_FLAGS = { 0x1:"Read Only", 0x2:"Hidden", 0x4:"System", 0x20:"Archive", 0x40:"Device", 0x80:"Normal", 0x100:"Temporary", 0x200:"Sparse File", 0x400:"Reparse Point", 0x800:"Compressed", 0x1000:"Offline", 0x2000:"Content not indexed", 0x4000:"Encrypted", 0x10000000:"Directory", 0x20000000:"Index view", } # this method taken from mftscan by tecamac in issue 309: # http://code.google.com/p/volatility/issues/detail?id=309 # I like that it's more readable than the long version I had above :-) SHORT_STANDARD_INFO_FLAGS = { 0x1:"r", 0x2:"h", 0x4:"s", 0x20:"a", 0x40:"d", 0x80:"n", 0x100:"t", 0x200:"S", 0x400:"r", 0x800:"c", 0x1000:"o", 0x2000:"I", 0x4000:"e", 0x10000000:"D", 0x20000000:"i", } FILE_NAME_NAMESPACE = { 0x0:"POSIX", # Case sensitive, allows all Unicode chars except '/' and NULL 0x1:"Win32", # Case insensitive, allows most Unicide except specials ('/', '\', ';', '>', '<', '?') 0x2:"DOS", # Case insensitive, upper case, no special chars, name is 8 or fewer chars in name and 3 or less extension 0x3:"Win32 & DOS", # Used when original name fits in DOS namespace and 2 names are not needed } MFT_FLAGS = { 0x1:"In Use", 
    0x2:"Directory", # if flag & 0x0002 == 0 this is a regular file
}

INDEX_ENTRY_FLAGS = {
    0x1:"Child Node Exists",
    0x2:"Last entry in list",
}

MFT_PATHS_FULL = {}

class MFT_FILE_RECORD(obj.CType):
    def remove_unprintable(self, str):
        return ''.join([c for c in str if (ord(c) > 31 or ord(c) == 9) and ord(c) <= 126])

    def add_path(self, fileinfo):
        cur = MFT_PATHS_FULL.get(int(self.RecordNumber), None)
        if cur == None or cur["filename"].find("~") != -1 and fileinfo.is_valid():
            temp = {}
            temp["ParentDirectory"] = fileinfo.ParentDirectory
            temp["filename"] = self.remove_unprintable(fileinfo.get_name())
            MFT_PATHS_FULL[int(self.RecordNumber)] = temp

    def get_full_path(self, fileinfo):
        parent = ""
        parent_id = fileinfo.ParentDirectory & 0xffffff
        path = self.remove_unprintable(fileinfo.get_name()) or "(Null)"
        if int(self.RecordNumber) == 5 or int(self.RecordNumber) == 0:
            return path
        while parent != {}:
            parent = MFT_PATHS_FULL.get(int(parent_id), {})
            if parent == {} or parent["filename"] == "" or int(parent_id) == 0 or int(parent_id) == 5:
                return path
            path = parent["filename"] + "\\" + path
            parent_id = parent["ParentDirectory"] & 0xffffff
        return path

    def get_mft_type(self):
        thetype = "In Use & " if self.Flags & 0x1 == 0x1 else ""
        if int(self.Flags) & 0x2:
            thetype += "Directory"
        elif int(self.Flags) & 0x2 == 0:
            thetype += "File"
        return thetype.rstrip(" & ")

class RESIDENT_ATTRIBUTE(obj.CType):
    def process_attr_list(self, bufferas, mft_entry, attributes = [], check = False):
        start = 0
        end = self.obj_offset + self.ContentSize
        while start < end:
            item = obj.Object("ATTRIBUTE_LIST", vm = bufferas,
                        offset = self.AttributeList.obj_offset + start)
            if item == None:
                return
            try:
                thetype = ATTRIBUTE_TYPE_ID.get(int(item.Type), None)
                if thetype == None:
                    return
                elif item.Length > 0x20 and thetype in ["STANDARD_INFORMATION", "FILE_NAME"]:
                    theitem = obj.Object(thetype, vm = bufferas,
                        offset = item.AttributeID.obj_offset)
                    if thetype == "STANDARD_INFORMATION" and (not check or theitem.is_valid()):
                        attributes.append(("STANDARD_INFORMATION (AL)", theitem))
                    elif thetype == "FILE_NAME" and (not check or theitem.is_valid()):
                        mft_entry.add_path(theitem)
                        attributes.append(("FILE_NAME (AL)", theitem))
            except struct.error:
                return
            if item.Length == 0:
                return
            start += item.Length

class STANDARD_INFORMATION(obj.CType):
    # XXX need a better check than this
    # we return valid if we have _any_ timestamp other than Null
    def is_valid(self):
        return obj.CType.is_valid(self) and (self.ModifiedTime.v() != 0 or self.MFTAlteredTime.v() != 0 or \
                self.FileAccessedTime.v() != 0 or self.CreationTime.v() != 0)

    def get_type_short(self):
        if self.Flags == None:
            return "?"
        type = ""
        for i, j in sorted(SHORT_STANDARD_INFO_FLAGS.items()):
            if i & self.Flags == i:
                type += j
            else:
                type += "-"
        return type

    def get_type(self):
        if self.Flags == None:
            return "Unknown Type"
        type = None
        for i in VERBOSE_STANDARD_INFO_FLAGS:
            if (i & self.Flags) == i:
                if type == None:
                    type = VERBOSE_STANDARD_INFO_FLAGS[i]
                else:
                    type += " & " + VERBOSE_STANDARD_INFO_FLAGS[i]
        if type == None:
            type = "Unknown Type "
        return type

    def get_header(self):
        return [("Creation", "30"),
                ("Modified", "30"),
                ("MFT Altered", "30"),
                ("Access Date", "30"),
                ("Type", ""),
               ]

    def __str__(self):
        return "{0:20} {1:30} {2:30} {3:30} {4}".format(str(self.CreationTime),
            str(self.ModifiedTime),
            str(self.MFTAlteredTime),
            str(self.FileAccessedTime),
            self.get_type())

    def body(self, path, record_num, size, offset):
        if path == "":
            # if the path is null we just try to get the filename
            # from our dictionary and print the body file output
            record = MFT_PATHS_FULL.get(int(record_num), {})
            if record != {}:
                # we include with the found filename a note that this may be a
                # non-base entry.
                # the analyst can investigate these types of records
                # on his/her own by comparing record numbers in output or examining the
                # given physical offset in memory for example
                path = record["filename"] + " (Possible non-base entry, extra $SI or invalid $FN)"
        return "[MFT STD_INFO] {0} (Offset: 0x{1:x})|{2}|{3}|0|0|{4}|{5}|{6}|{7}|{8}".format(
            path,
            offset,
            record_num,
            self.get_type_short(),
            size,
            self.FileAccessedTime.v(),
            self.ModifiedTime.v(),
            self.MFTAlteredTime.v(),
            self.CreationTime.v())

class FILE_NAME(STANDARD_INFORMATION):
    def remove_unprintable(self, str):
        return ''.join([c for c in str if (ord(c) > 31 or ord(c) == 9) and ord(c) <= 126])

    # XXX need a better check than this
    # we return valid if we have _any_ timestamp other than Null
    # filename must also be a non-empty string
    def is_valid(self):
        return obj.CType.is_valid(self) and (self.ModifiedTime.v() != 0 or self.MFTAlteredTime.v() != 0 or \
                self.FileAccessedTime.v() != 0 or self.CreationTime.v() != 0) and \
                self.remove_unprintable(self.get_name()) != ""

    def get_name(self):
        if self.NameLength == None or self.NameLength == 0:
            return ""
        return "{0}".format(str(self.Name).replace("\x00", ""))

    def get_header(self):
        return [("Creation", "30"),
                ("Modified", "30"),
                ("MFT Altered", "30"),
                ("Access Date", "30"),
                ("Name/Path", ""),
               ]

    def __str__(self):
        return "{0:20} {1:30} {2:30} {3:30} {4}".format(str(self.CreationTime),
            str(self.ModifiedTime),
            str(self.MFTAlteredTime),
            str(self.FileAccessedTime),
            self.remove_unprintable(self.get_name()))

    def get_full(self, full):
        return "{0:20} {1:30} {2:30} {3:30} {4}".format(str(self.CreationTime),
            str(self.ModifiedTime),
            str(self.MFTAlteredTime),
            str(self.FileAccessedTime),
            self.remove_unprintable(full))

    def body(self, path, record_num, size, offset):
        return "[MFT FILE_NAME] {0} (Offset: 0x{1:x})|{2}|{3}|0|0|{4}|{5}|{6}|{7}|{8}".format(
            path,
            offset,
            record_num,
            self.get_type_short(),
            size,
            self.FileAccessedTime.v(),
            self.ModifiedTime.v(),
            self.MFTAlteredTime.v(),
            self.CreationTime.v())

class OBJECT_ID(obj.CType):
    # Modified from analyzeMFT.py:
    def FmtObjectID(self, item):
        record = ""
        for i in item:
            record += str(i)
        return "{0}-{1}-{2}-{3}-{4}".format(binascii.hexlify(record[0:4]), binascii.hexlify(record[4:6]),
            binascii.hexlify(record[6:8]), binascii.hexlify(record[8:10]), binascii.hexlify(record[10:16]))

    def __str__(self):
        string = "Object ID: {0}\n".format(self.FmtObjectID(self.ObjectID))
        string += "Birth Volume ID: {0}\n".format(self.FmtObjectID(self.BirthVolumeID))
        string += "Birth Object ID: {0}\n".format(self.FmtObjectID(self.BirthObjectID))
        string += "Birth Domain ID: {0}\n".format(self.FmtObjectID(self.BirthDomainID))
        return string

# Using structures defined in File System Forensic Analysis pg 353+
MFT_types = {
    'MFT_FILE_RECORD': [ 0x400, {
        'Signature': [ 0x0, ['unsigned int']],
        'FixupArrayOffset': [ 0x4, ['unsigned short']],
        'NumFixupEntries': [ 0x6, ['unsigned short']],
        'LSN': [ 0x8, ['unsigned long long']],
        'SequenceValue': [ 0x10, ['unsigned short']],
        'LinkCount': [ 0x12, ['unsigned short']],
        'FirstAttributeOffset': [0x14, ['unsigned short']],
        'Flags': [0x16, ['unsigned short']],
        'EntryUsedSize': [0x18, ['int']],
        'EntryAllocatedSize': [0x1c, ['unsigned int']],
        'FileRefBaseRecord': [0x20, ['unsigned long long']],
        'NextAttributeID': [0x28, ['unsigned short']],
        'RecordNumber': [0x2c, ['unsigned long']],
        'FixupArray': lambda x: obj.Object("Array", offset = x.obj_offset + x.FixupArrayOffset, count = x.NumFixupEntries, vm = x.obj_vm,
                                        target = obj.Curry(obj.Object, "unsigned short")),
        'ResidentAttributes': lambda x : obj.Object("RESIDENT_ATTRIBUTE", offset = x.obj_offset + x.FirstAttributeOffset, vm = x.obj_vm),
        'NonResidentAttributes': lambda x : obj.Object("NON_RESIDENT_ATTRIBUTE", offset = x.obj_offset + x.FirstAttributeOffset, vm = x.obj_vm),
    }],
    'ATTRIBUTE_HEADER': [ 0x10, {
        'Type': [0x0, ['int']],
        'Length': [0x4, ['int']],
        'NonResidentFlag': [0x8, ['unsigned char']],
        'NameLength': [0x9, ['unsigned char']],
        'NameOffset': [0xa, ['unsigned short']],
        'Flags': [0xc, ['unsigned short']],
        'AttributeID': [0xe, ['unsigned short']],
    }],
    'RESIDENT_ATTRIBUTE': [0x16, {
        'Header': [0x0, ['ATTRIBUTE_HEADER']],
        'ContentSize': [0x10, ['unsigned int']], #relative to the beginning of the attribute
        'ContentOffset': [0x14, ['unsigned short']],
        'STDInfo': lambda x : obj.Object("STANDARD_INFORMATION", offset = x.obj_offset + x.ContentOffset, vm = x.obj_vm),
        'FileName': lambda x : obj.Object("FILE_NAME", offset = x.obj_offset + x.ContentOffset, vm = x.obj_vm),
        'ObjectID': lambda x : obj.Object("OBJECT_ID", offset = x.obj_offset + x.ContentOffset, vm = x.obj_vm),
        'AttributeList':lambda x : obj.Object("ATTRIBUTE_LIST", offset = x.obj_offset + x.ContentOffset, vm = x.obj_vm),
    }],
    'NON_RESIDENT_ATTRIBUTE': [0x40, {
        'Header': [0x0, ['ATTRIBUTE_HEADER']],
        'StartingVCN': [0x10, ['unsigned long long']],
        'EndingVCN': [0x18, ['unsigned long long']],
        'RunListOffset': [0x20, ['unsigned short']],
        'CompressionUnitSize': [0x22, ['unsigned short']],
        'Unused': [0x24, ['int']],
        'AllocatedAttributeSize': [0x28, ['unsigned long long']],
        'ActualAttributeSize': [0x30, ['unsigned long long']],
        'InitializedAttributeSize': [0x38, ['unsigned long long']],
    }],
    'EA_INFORMATION': [None, {
        'EaPackedLength': [0x0, ['int']],
        'EaCount': [0x4, ['int']],
        'EaUnpackedLength': [0x8, ['long']],
    }],
    'EA': [None, {
        'NextEntryOffset': [0x0, ['unsigned long long']],
        'Flags': [0x8, ['unsigned char']],
        'EaNameLength': [0x9, ['unsigned char']],
        'EaValueLength': [0xa, ['unsigned short']],
        'EaName': [0xc, ['String', dict(length = lambda x: x.EaNameLength)]],
        'EaValue': lambda x: obj.Object("Array", offset = x.obj_offset + len(x.EaName), count = x.EaValueLength, vm = x.obj_vm,
                                        target = obj.Curry(obj.Object, "unsigned char")),
    }],
    'STANDARD_INFORMATION': [0x48, {
        'CreationTime': [0x0, ['WinTimeStamp', dict(is_utc = True)]],
        'ModifiedTime': [0x8, ['WinTimeStamp', dict(is_utc = True)]],
        'MFTAlteredTime': [0x10, ['WinTimeStamp', dict(is_utc =
            True)]],
        'FileAccessedTime': [0x18, ['WinTimeStamp', dict(is_utc = True)]],
        'Flags': [0x20, ['int']],
        'MaxVersionNumber': [0x24, ['unsigned int']],
        'VersionNumber': [0x28, ['unsigned int']],
        'ClassID': [0x2c, ['unsigned int']],
        'OwnerID': [0x30, ['unsigned int']],
        'SecurityID': [0x34, ['unsigned int']],
        'QuotaCharged': [0x38, ['unsigned long long']],
        'USN': [0x40, ['unsigned long long']],
        'NextAttribute': [0x48, ['RESIDENT_ATTRIBUTE']],
    }],
    'FILE_NAME': [None, {
        'ParentDirectory': [0x0, ['unsigned long long']],
        'CreationTime': [0x8, ['WinTimeStamp', dict(is_utc = True)]],
        'ModifiedTime': [0x10, ['WinTimeStamp', dict(is_utc = True)]],
        'MFTAlteredTime': [0x18, ['WinTimeStamp', dict(is_utc = True)]],
        'FileAccessedTime': [0x20, ['WinTimeStamp', dict(is_utc = True)]],
        'AllocatedFileSize': [0x28, ['unsigned long long']],
        'RealFileSize': [0x30, ['unsigned long long']],
        'Flags': [0x38, ['unsigned int']],
        'ReparseValue': [0x3c, ['unsigned int']],
        'NameLength': [0x40, ['unsigned char']],
        'Namespace': [0x41, ['unsigned char']],
        'Name': [0x42, ['NullString', dict(length = lambda x: x.NameLength * 2)]],
    }],
    'ATTRIBUTE_LIST': [0x19, {
        'Type': [0x0, ['unsigned int']],
        'Length': [0x4, ['unsigned short']],
        'NameLength': [0x6, ['unsigned char']],
        'NameOffset': [0x7, ['unsigned char']],
        'StartingVCN': [0x8, ['unsigned long long']],
        'FileReferenceLocation': [0x10, ['unsigned long long']],
        'AttributeID': [0x18, ['unsigned char']],
    }],
    'OBJECT_ID': [0x40, {
        'ObjectID': [0x0, ['array', 0x10, ['char']]],
        'BirthVolumeID': [0x10, ['array', 0x10, ['char']]],
        'BirthObjectID': [0x20, ['array', 0x10, ['char']]],
        'BirthDomainID': [0x30, ['array', 0x10, ['char']]],
    }],
    'REPARSE_POINT': [0x10, {
        'TypeFlags': [0x0, ['unsigned int']],
        'DataSize': [0x4, ['unsigned short']],
        'Unused': [0x6, ['unsigned short']],
        'NameOffset': [0x8, ['unsigned short']],
        'NameLength': [0xa, ['unsigned short']],
        'PrintNameOffset': [0xc, ['unsigned short']],
        'PrintNameLength': [0xe, ['unsigned short']],
    }],
    'INDEX_ROOT':
        [None, {
        'Type': [0x0, ['unsigned int']],
        'SortingRule': [0x4, ['unsigned int']],
        'IndexSizeBytes': [0x8, ['unsigned int']],
        'IndexSizeClusters': [0xc, ['unsigned char']],
        'Unused': [0xd, ['array', 0x3, ['unsigned char']]],
        'NodeHeader': [0x10, ['NODE_HEADER']],
    }],
    'INDEX_ALLOCATION': [None, {
        'Signature': [0x0, ['unsigned int']], #INDX though not essential
        'FixupArrayOffset': [0x4, ['unsigned short']],
        'NumFixupEntries': [ 0x6, ['unsigned short']],
        'LSN': [ 0x8, ['unsigned long long']],
        'VCN': [0x10, ['unsigned long long']],
        'NodeHeader': [0x18, ['NODE_HEADER']],
    }],
    'NODE_HEADER': [0x10, {
        'IndexEntryListOffset': [0x0, ['unsigned int']],
        'EndUsedIndexOffset': [0x4, ['unsigned int']],
        'EndAllocatedIndexOffset': [0x8, ['unsigned int']],
        'Flags': [0xc, ['unsigned int']],
    }],
    # Index entries
    'GENERIC_INDEX_ENTRY': [None, {
        'Undefined': [0x0, ['unsigned long long']],
        'EntryLength': [0x8, ['unsigned short']],
        'ContentLength': [0xa, ['unsigned short']],
        'Flags': [0xc, ['unsigned int']],
        'Content': [0x10, ['array', lambda x : x.ContentLength , ['unsigned char']]],
        # last 8 bytes are VCN of child node, which is only here if flag is set... not sure how to code that yet
    }],
    'DIRECTORY_INDEX_ENTRY': [None, {
        'MFTFileReference': [0x0, ['unsigned long long']],
        'EntryLength': [0x8, ['unsigned short']],
        'FileNameAttrLength': [0xa, ['unsigned short']],
        'Flags': [0xc, ['unsigned int']],
        'FileNameAttr': [0x16, ['FILE_NAME']],
        # last 8 bytes are VCN of child node, which is only here if flag is set...
        # not sure how to code that yet
    }],
}

class MFTTYPES(obj.ProfileModification):
    before = ['WindowsObjectClasses']
    conditions = {'os': lambda x: x == 'windows'}

    def modification(self, profile):
        profile.object_classes.update({
            'MFT_FILE_RECORD':MFT_FILE_RECORD,
            'FILE_NAME':FILE_NAME,
            'STANDARD_INFORMATION':STANDARD_INFORMATION,
            'OBJECT_ID':OBJECT_ID,
            'RESIDENT_ATTRIBUTE':RESIDENT_ATTRIBUTE,
        })
        profile.vtypes.update(MFT_types)

class MFTScanner(scan.BaseScanner):
    checks = [ ]

    def __init__(self, needles = None):
        self.needles = needles
        self.checks = [ ("MultiStringFinderCheck", {'needles':needles})]
        scan.BaseScanner.__init__(self)

    def scan(self, address_space, offset = 0, maxlen = None):
        for offset in scan.BaseScanner.scan(self, address_space, offset, maxlen):
            yield offset

class MFTParser(common.AbstractWindowsCommand):
    """ Scans for and parses potential MFT entries """
    def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
        config.add_option('CHECK', short_option = 'C', default = False,
                          help = 'Only print entries w/o null timestamps',
                          action = "store_true")
        config.add_option("ENTRYSIZE", short_option = "E", default = 1024,
                          help = "MFT Entry Size",
                          action = "store", type = "int")

    def calculate(self):
        address_space = utils.load_as(self._config, astype = 'physical')
        scanner = MFTScanner(needles = ['FILE', 'BAAD'])
        mft_entries = []
        print "Scanning for MFT entries and building directory, this can take a while"
        for offset in scanner.scan(address_space):
            mft_buff = address_space.read(offset, self._config.ENTRYSIZE)
            bufferas = addrspace.BufferAddressSpace(self._config, data = mft_buff)
            mft_entry = obj.Object('MFT_FILE_RECORD', vm = bufferas,
                               offset = 0)
            next_attr = mft_entry.ResidentAttributes
            end = mft_buff.find("\xff\xff\xff\xff")
            if end == -1:
                end = self._config.ENTRYSIZE
            attributes = []
            while next_attr != None and next_attr.obj_offset <= end:
                try:
                    attr = ATTRIBUTE_TYPE_ID.get(int(next_attr.Header.Type), None)
                except struct.error:
                    next_attr = None
                    attr = None
                    continue
                if attr == None:
                    next_attr = None
                elif attr == "STANDARD_INFORMATION":
                    if next_attr.STDInfo.is_valid() or not self._config.CHECK:
                        attributes.append((attr, next_attr.STDInfo))
                    next_off = next_attr.STDInfo.obj_offset + next_attr.ContentSize
                    if next_off == next_attr.STDInfo.obj_offset:
                        next_attr = None
                        continue
                    next_attr = self.advance_one(next_off, mft_buff, end)
                elif attr == 'FILE_NAME':
                    mft_entry.add_path(next_attr.FileName)
                    if next_attr.FileName.is_valid() or not self._config.CHECK:
                        attributes.append((attr, next_attr.FileName))
                    next_off = next_attr.FileName.obj_offset + next_attr.ContentSize
                    if next_off == next_attr.FileName.obj_offset:
                        next_attr = None
                        continue
                    next_attr = self.advance_one(next_off, mft_buff, end)
                elif attr == "OBJECT_ID":
                    if next_attr.Header.NonResidentFlag == 1:
                        attributes.append((attr, "Non-Resident"))
                        next_attr = None
                        continue
                    else:
                        attributes.append((attr, next_attr.ObjectID))
                    next_off = next_attr.ObjectID.obj_offset + next_attr.ContentSize
                    if next_off == next_attr.ObjectID.obj_offset:
                        next_attr = None
                        continue
                    next_attr = self.advance_one(next_off, mft_buff, end)
                elif attr == "DATA":
                    start = next_attr.obj_offset + next_attr.ContentOffset
                    theend = min(start + next_attr.ContentSize, end)
                    if next_attr.Header.NonResidentFlag == 1:
                        thedata = "Non-Resident"
                    else:
                        try:
                            contents = mft_buff[start:theend]
                        except TypeError:
                            next_attr = None
                            continue
                        thedata = "\n".join(["{0:010x}: {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(contents)])
                        if len(thedata) == 0:
                            thedata = "(Empty)"
                    attributes.append((attr, thedata))
                    next_off = theend
                    if next_off == start:
                        next_attr = None
                        continue
                    next_attr = self.advance_one(next_off, mft_buff, end)
                elif attr == "ATTRIBUTE_LIST":
                    if next_attr.Header.NonResidentFlag == 1:
                        attributes.append((attr, "Non-Resident"))
                        next_attr = None
                        continue
                    next_attr.process_attr_list(bufferas, mft_entry, attributes, self._config.CHECK)
                    next_attr = None
                else:
                    next_attr = None
            mft_entries.append((offset, mft_entry, attributes))
        return mft_entries

    def advance_one(self, next_off, mft_buff, end):
        item = None
        attr = None
        cursor = 0
        while attr == None and cursor <= end:
            bufferas = addrspace.BufferAddressSpace(self._config, data = mft_buff)
            item = obj.Object('RESIDENT_ATTRIBUTE', vm = bufferas,
                        offset = next_off + cursor)
            try:
                attr = ATTRIBUTE_TYPE_ID.get(int(item.Header.Type), None)
            except struct.error:
                return item
            cursor += 1
        return item

    def render_body(self, outfd, data):
        # Some notes: every base MFT entry should have one $SI and at least one $FN
        # Usually $SI occurs before $FN
        # We'll make an effort to get the filename from $FN for $SI
        # If there is only one $SI with no $FN we dump whatever information it has
        for offset, mft_entry, attributes in data:
            si = None
            full = ""
            for a, i in attributes:
                if a.startswith("STANDARD_INFORMATION"):
                    if full != "":
                        # if we are here, we've hit one $FN attribute for this entry already and have the full name
                        # so we can dump this $SI
                        outfd.write("0|{0}\n".format(i.body(full, mft_entry.RecordNumber, int(mft_entry.EntryUsedSize), offset)))
                    elif si != None:
                        # if we are here then we have more than one $SI attribute for this entry
                        # since we don't want to lose its info, we'll just dump it for now
                        # we won't have full path, but we'll have a filename most likely
                        outfd.write("0|{0}\n".format(i.body("", mft_entry.RecordNumber, int(mft_entry.EntryUsedSize), offset)))
                    elif si == None:
                        # this is the usual case and we'll save the $SI to process after we get the full path from the $FN
                        si = i
                elif a.startswith("FILE_NAME"):
                    if hasattr(i, "ParentDirectory"):
                        full = mft_entry.get_full_path(i)
                        outfd.write("0|{0}\n".format(i.body(full, mft_entry.RecordNumber, int(mft_entry.EntryUsedSize), offset)))
                        if si != None:
                            outfd.write("0|{0}\n".format(si.body(full, mft_entry.RecordNumber, int(mft_entry.EntryUsedSize), offset)))
                            si = None
            if si != None:
                # here we have a lone $SI in an MFT entry with no valid $FN.
                # This is most likely a non-base entry
                outfd.write("0|{0}\n".format(si.body("", mft_entry.RecordNumber, int(mft_entry.EntryUsedSize), offset)))

    def render_text(self, outfd, data):
        border = "*" * 75
        for offset, mft_entry, attributes in data:
            if len(attributes) == 0:
                continue
            outfd.write(border + "\n")
            outfd.write("MFT entry found at offset 0x{0:x}\n".format(offset))
            outfd.write("Attribute: {0}\n".format(mft_entry.get_mft_type()))
            outfd.write("Record Number: {0}\n".format(mft_entry.RecordNumber))
            outfd.write("Link count: {0}\n".format(mft_entry.LinkCount))
            outfd.write("\n")
            for a, i in attributes:
                if i == None:
                    outfd.write("${0}: malformed entry\n".format(a))
                    continue
                if a.startswith("STANDARD_INFORMATION"):
                    outfd.write("\n${0}\n".format(a))
                    self.table_header(outfd, i.get_header())
                    outfd.write("{0}\n".format(str(i)))
                elif a.startswith("FILE_NAME"):
                    outfd.write("\n${0}\n".format(a))
                    if hasattr(i, "ParentDirectory"):
                        full = mft_entry.get_full_path(i)
                        self.table_header(outfd, i.get_header())
                        outfd.write("{0}\n".format(i.get_full(full)))
                    else:
                        outfd.write("{0}\n".format(str(i)))
                elif a == "DATA":
                    outfd.write("\n$DATA\n")
                    outfd.write("{0}\n".format(str(i)))
                elif a == "OBJECT_ID":
                    outfd.write("\n$OBJECT_ID\n")
                    outfd.write(str(i))
            outfd.write("\n" + border + "\n")

volatility-2.3.1/volatility/plugins/fileparam.py
# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

import volatility.conf as conf
import urllib
import sys
import os
## This is required to ensure that LOCATION is defined here
import volatility.debug as debug
import volatility.addrspace as addrspace #pylint: disable-msg=W0611

config = conf.ConfObject()

def set_location(_option, _opt_str, value, parser):
    """Sets the location variable in the parser to the filename in question"""
    if not os.path.exists(os.path.abspath(value)):
        debug.error("The requested file doesn't exist")
    if parser.values.location == None:
        slashes = "//"
        # Windows pathname2url decides to convert C:\blah to ///C:/blah
        # So to keep the URLs correct, we only add file: rather than file://
        if sys.platform.startswith('win'):
            slashes = ""
        parser.values.location = "file:" + slashes + urllib.pathname2url(os.path.abspath(value))

config.add_option("FILENAME", default = None, action = "callback",
                  callback = set_location, type = 'str',
                  short_option = 'f', nargs = 1,
                  help = "Filename to use when opening an image")

volatility-2.3.1/volatility/plugins/ssdt.py
# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: AAron Walters and Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: awalters@4tphi.net,bdolangavitt@wesleyan.edu
@organization: Volatility Foundation
"""

from operator import itemgetter
import volatility.obj as obj
import volatility.win32.tasks as tasks
import volatility.win32.modules as modules
import volatility.plugins.common as common
import volatility.utils as utils
import volatility.plugins.malware.apihooks as apihooks
import volatility.debug as debug #pylint: disable-msg=W0611
from volatility.cache import CacheDecorator

#pylint: disable-msg=C0111

def find_tables(start_addr, vm):
    """
    This function finds the RVAs to KeServiceDescriptorTable
    and KeServiceDescriptorTableShadow in the NT module.

    @param start_addr: virtual address of KeAddSystemServiceTable
    @param vm: kernel address space

    We're looking for two instructions like this:

    //if (KeServiceDescriptorTable[i].Base)
    4B 83 BC 1A 40 88 2A 00 00    cmp qword ptr [r10+r11+2A8840h], 0
    //if (KeServiceDescriptorTableShadow[i].Base)
    4B 83 BC 1A 80 88 2A 00 00    cmp qword ptr [r10+r11+2A8880h], 0

    In the example, 2A8840h is the RVA of KeServiceDescriptorTable
    and 2A8880h is the RVA of KeServiceDescriptorTableShadow. The
    exported KeAddSystemServiceTable is a very small function (about
    120 bytes at the most) and the two instructions appear very
    early, which reduces the possibility of false positives.

    If distorm3 is installed, we use it to decompose instructions
    in x64 format. If distorm3 is not available, we use Volatility's
    object model as a very simple and generic instruction parser.
    """
    service_tables = []

    try:
        import distorm3
        use_distorm = True
    except ImportError:
        use_distorm = False

    function_size = 120

    if use_distorm:
        data = vm.zread(start_addr, function_size)
        for op in distorm3.DecomposeGenerator(start_addr, data, distorm3.Decode64Bits):
            # Stop decomposing if we reach the function end
            if op.flowControl == 'FC_RET':
                break
            # Looking for a 9-byte CMP instruction whose first operand
            # has a 32-bit displacement and second operand is zero
            if op.mnemonic == 'CMP' and op.size == 9 and op.operands[0].dispSize == 32 and op.operands[0].value == 0:
                # The displacement is the RVA we want
                service_tables.append(op.operands[0].disp)
    else:
        vm.profile.add_types({
            '_INSTRUCTION' : [ 9, {
            'opcode' : [ 0, ['String', dict(length = 4)]],
            'disp' : [ 4, ['int']],
            'value' : [ 8, ['unsigned char']],
        }]})
        # The variations assume (which happens to be correct on all OS)
        # that volatile registers are used in the CMP QWORD instruction.
        # All combinations of volatile registers (rax, rcx, rdx, r8-r11)
        # will result in one of the variations in this list.
        ops_list = [
            "\x4B\x83\xBC", # r10, r11
            "\x48\x83\xBC", # rax, rcx
            "\x4A\x83\xBC", # rax, r8
            ]
        for i in range(function_size):
            op = obj.Object("_INSTRUCTION", offset = start_addr + i, vm = vm)
            if op.value == 0:
                for s in ops_list:
                    if op.opcode.v().startswith(s):
                        service_tables.append(op.disp)

    return service_tables

class SSDT(common.AbstractWindowsCommand):
    "Display SSDT entries"
    # Declare meta information associated with this plugin
    meta_info = {
        'author': 'Brendan Dolan-Gavitt',
        'copyright': 'Copyright (c) 2007,2008 Brendan Dolan-Gavitt',
        'contact': 'bdolangavitt@wesleyan.edu',
        'license': 'GNU General Public License 2.0',
        'url': 'http://moyix.blogspot.com/',
        'os': 'WIN_32_XP_SP2',
        'version': '1.0'}

    @CacheDecorator("tests/ssdt")
    def calculate(self):
        addr_space = utils.load_as(self._config)

        ## Get a sorted list of module addresses
        mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
        mod_addrs = sorted(mods.keys())

        ssdts = set()

        if addr_space.profile.metadata.get('memory_model', '32bit') == '32bit':
            # Gather up all SSDTs referenced by threads
            print "[x86] Gathering all referenced SSDTs from KTHREADs..."
            for proc in tasks.pslist(addr_space):
                for thread in proc.ThreadListHead.list_of_type("_ETHREAD", "ThreadListEntry"):
                    ssdt_obj = thread.Tcb.ServiceTable.dereference_as('_SERVICE_DESCRIPTOR_TABLE')
                    ssdts.add(ssdt_obj)
        else:
            print "[x64] Gathering all referenced SSDTs from KeAddSystemServiceTable..."
            # The NT module always loads first
            ntos = list(modules.lsmod(addr_space))[0]
            func_rva = ntos.getprocaddress("KeAddSystemServiceTable")
            if func_rva == None:
                raise StopIteration("Cannot locate KeAddSystemServiceTable")
            KeAddSystemServiceTable = ntos.DllBase + func_rva
            for table_rva in find_tables(KeAddSystemServiceTable, addr_space):
                ssdt_obj = obj.Object("_SERVICE_DESCRIPTOR_TABLE", ntos.DllBase + table_rva, addr_space)
                ssdts.add(ssdt_obj)

        # Get a list of *unique* SSDT entries. Typically we see only two.
        tables = set()

        for ssdt_obj in ssdts:
            for i, desc in enumerate(ssdt_obj.Descriptors):
                # Apply some extra checks - KiServiceTable should reside in kernel memory and ServiceLimit
                # should be greater than 0 but not unbelievably high
                if desc.is_valid() and desc.ServiceLimit > 0 and desc.ServiceLimit < 0xFFFF and desc.KiServiceTable > 0x80000000:
                    tables.add((i, desc.KiServiceTable.v(), desc.ServiceLimit.v()))

        print "Finding appropriate address space for tables..."
        tables_with_vm = []
        procs = list(tasks.pslist(addr_space))
        for idx, table, n in tables:
            vm = tasks.find_space(addr_space, procs, table)
            if vm:
                tables_with_vm.append((idx, table, n, vm))
            else:
                debug.debug("[SSDT not resident at 0x{0:08X}]\n".format(table))

        for idx, table, n, vm in sorted(tables_with_vm, key = itemgetter(0)):
            yield idx, table, n, vm, mods, mod_addrs

    def render_text(self, outfd, data):
        addr_space = utils.load_as(self._config)
        syscalls = addr_space.profile.syscalls
        bits32 = addr_space.profile.metadata.get('memory_model', '32bit') == '32bit'

        # Print out the entries for each table
        for idx, table, n, vm, mods, mod_addrs in data:
            outfd.write("SSDT[{0}] at {1:x} with {2} entries\n".format(idx, table, n))
            for i in range(n):
                if bits32:
                    # These are absolute function addresses in kernel memory.
                    syscall_addr = obj.Object('address', table + (i * 4), vm).v()
                else:
                    # These must be signed long for x64 because they are RVAs relative
                    # to the base of the table and can be negative.
                    offset = obj.Object('long', table + (i * 4), vm).v()
                    # The offset is the top 20 bits of the 32 bit number.
                    syscall_addr = table + (offset >> 4)
                try:
                    syscall_name = syscalls[idx][i]
                except IndexError:
                    syscall_name = "UNKNOWN"

                syscall_mod = tasks.find_module(mods, mod_addrs, addr_space.address_mask(syscall_addr))
                if syscall_mod:
                    syscall_modname = syscall_mod.BaseDllName
                else:
                    syscall_modname = "UNKNOWN"

                outfd.write(" Entry {0:#06x}: {1:#x} ({2}) owned by {3}\n".format(idx * 0x1000 + i,
                                                                   syscall_addr,
                                                                   syscall_name,
                                                                   syscall_modname))

                ## check for inline hooks if in --verbose mode, we're analyzing
                ## an x86 model system and the syscall_mod is available
                if (self._config.VERBOSE and
                        addr_space.profile.metadata.get('memory_model', '32bit') == '32bit' and
                        syscall_mod is not None):

                    ## leverage this static method from apihooks
                    ret = apihooks.ApiHooks.check_inline(va = syscall_addr, addr_space = vm,
                                            mem_start = syscall_mod.DllBase,
                                            mem_end = syscall_mod.DllBase + syscall_mod.SizeOfImage)
                    ## could not analyze the memory
                    if ret == None:
                        continue
                    (hooked, data, dest_addr) = ret
                    ## the function isn't hooked
                    if not hooked:
                        continue
                    ## we found a hook, try to resolve the hooker. no mask required because
                    ## we currently only work on x86 anyway
                    hook_mod = tasks.find_module(mods, mod_addrs, dest_addr)
                    if hook_mod:
                        hook_name = hook_mod.BaseDllName
                    else:
                        hook_name = "UNKNOWN"
                    ## report it now
                    outfd.write(" ** INLINE HOOK? => {0:#x} ({1})\n".format(dest_addr, hook_name))

volatility-2.3.1/volatility/plugins/userassist.py
# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#

"""
@author: Jamie Levy (gleeda)
@license: GNU General Public License 2.0
@contact: jamie.levy@gmail.com
@organization: Volatility Foundation
"""

#pylint: disable-msg=C0111

import volatility.plugins.registry.printkey as printkey
import volatility.win32.hive as hivemod
import volatility.win32.rawreg as rawreg
import volatility.addrspace as addrspace
import volatility.obj as obj
import volatility.debug as debug
import volatility.utils as utils
import volatility.plugins.registry.hivelist as hivelist
import datetime

# for Windows 7 userassist info check out Didier Stevens' article
# from Into the Boxes issue 0x0:
# http://intotheboxes.wordpress.com/2010/01/01/into-the-boxes-issue-0x0/
ua_win7_vtypes = {
    '_VOLUSER_ASSIST_TYPES' : [ 0x48, {
        'Count': [0x04, ['unsigned int']],
        'FocusCount': [0x08, ['unsigned int']],
        'FocusTime': [0x0C, ['unsigned int']],
        'LastUpdated' : [0x3C, ['WinTimeStamp', dict(is_utc = True)]]
    } ],
}

ua_vtypes = {
    '_VOLUSER_ASSIST_TYPES' : [ 0x10, {
        'ID': [0x0, ['unsigned int']],
        'CountStartingAtFive': [0x04, ['unsigned int']],
        'LastUpdated' : [0x08, ['WinTimeStamp', dict(is_utc = True)]]
    } ],
}

class UserAssistVTypes(obj.ProfileModification):
    before = ['WindowsOverlay']
    conditions = {'os': lambda x : x == 'windows'}
    def modification(self, profile):
        profile.vtypes.update(ua_vtypes)

class UserAssistWin7VTypes(obj.ProfileModification):
    before = ['UserAssistVTypes']
    conditions = {'os': lambda x : x == 'windows',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x == 1}
    def modification(self, profile):
        profile.vtypes.update(ua_win7_vtypes)

# taken from
http://msdn.microsoft.com/en-us/library/dd378457%28v=vs.85%29.aspx folder_guids = { "{de61d971-5ebc-4f02-a3a9-6c82895e5c04}":"Add or Remove Programs (Control Panel)", "{724EF170-A42D-4FEF-9F26-B60E846FBA4F}":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools", "{a305ce99-f527-492b-8b1a-7e76fa98d6e4}":"Installed Updates", "{9E52AB10-F80D-49DF-ACB8-4330F5687855}":"%LOCALAPPDATA%\\Microsoft\\Windows\\Burn\\Burn", "{df7266ac-9274-4867-8d55-3bd661de872d}":"Programs and Features", "{D0384E7D-BAC3-4797-8F14-CBA229B392B5}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools", "{C1BAE2D0-10DF-4334-BEDD-7AA20B227A9D}":"%ALLUSERSPROFILE%\\OEM Links", "{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs", "{A4115719-D62E-491D-AA7C-E74B8BE3B067}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu", "{82A5EA35-D9CD-47C5-9629-E15D2F714E6E}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp", "{B94237E7-57AC-4347-9151-B08C6C32D1F7}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Templates", "{0AC0837C-BBF8-452A-850D-79D08E667CA7}":"(My) Computer", "{4bfefb45-347d-4006-a5be-ac0cb0567192}":"Conflicts", "{6F0CD92B-2E97-45D1-88FF-B0D186B8DEDD}":"Network Connections", "{56784854-C6CB-462b-8169-88E350ACB882}":"%USERPROFILE%\\Contacts", "{82A74AEB-AEB4-465C-A014-D097EE346D63}":"Control Panel", "{2B0F765D-C0E9-4171-908E-08A611B84FF6}":"%APPDATA%\\Microsoft\\Windows\\Cookies", "{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}":"Desktop", "{5CE4A5E9-E4EB-479D-B89F-130C02886155}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\DeviceMetadataStore", "{7B0DB17D-9CD2-4A93-9733-46CC89022E7C}":"%APPDATA%\\Microsoft\\Windows\\Libraries\\Documents.library-ms", "{374DE290-123F-4565-9164-39C4925E467B}":"%USERPROFILE%\\Downloads", "{1777F761-68AD-4D8A-87BD-30B759FA33DD}":"%USERPROFILE%\\Favorites", "{FD228CB7-AE11-4AE3-864C-16F3910AB8FE}":"%windir%\\Fonts", 
"{CAC52C1A-B53D-4edc-92D7-6B2E8AC19434}":"Games", "{054FAE61-4DD8-4787-80B6-090220C4B700}":"GameExplorer", "{D9DC8A3B-B784-432E-A781-5A1130A75963}":"%LOCALAPPDATA%\\Microsoft\\Windows\\History", "{52528A6B-B9E3-4ADD-B60D-588C2DBA842D}":"Homegroup", "{BCB5256F-79F6-4CEE-B725-DC34E402FD46}":"%APPDATA%\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", "{352481E8-33BE-4251-BA85-6007CAEDCF9D}":"%LOCALAPPDATA%\\Microsoft\\Windows\\Temporary Internet Files", "{4D9F7874-4E0C-4904-967B-40B0D20C3E4B}":"The Internet", "{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}":"%APPDATA%\\Microsoft\\Windows\\Libraries", "{bfb9d5e0-c6a9-404c-b2b2-ae6db6af4968}":"%USERPROFILE%\\Links", "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}":"%LOCALAPPDATA% (%USERPROFILE%\\AppData\\Local)", "{A520A1A4-1780-4FF6-BD18-167343C5AF16}":"%USERPROFILE%\\AppData\\LocalLow", "{2A00375E-224C-49DE-B8D1-440DF7EF3DDC}":"%windir%\\resources\\0409 (code page)", "{4BD8D571-6D19-48D3-BE97-422220080E43}":"%USERPROFILE%\\Music", "{2112AB0A-C86A-4FFE-A368-0DE96E47012E}":"%APPDATA%\\Microsoft\\Windows\\Libraries\\Music.library-ms", "{C5ABBF53-E17F-4121-8900-86626FC2C973}":"%APPDATA%\\Microsoft\\Windows\\Network Shortcuts", "{D20BEEC4-5CA8-4905-AE3B-BF251EA09B53}":"Network", "{2C36C0AA-5812-4b87-BFD0-4CD0DFB19B39}":"%LOCALAPPDATA%\\Microsoft\\Windows Photo Gallery\\Original Images", "{69D2CF90-FC33-4FB7-9A0C-EBB0F0FCB43C}":"%USERPROFILE%\\Pictures\\Slide Shows", "{A990AE9F-A03B-4E80-94BC-9912D7504104}":"%APPDATA%\\Microsoft\\Windows\\Libraries\\Pictures.library-ms", "{33E28130-4E1E-4676-835A-98395C3BC3BB}":"%USERPROFILE%\\Pictures", "{DE92C1C7-837F-4F69-A3BB-86E631204A23}":"%USERPROFILE%\\Music\\Playlists", "{76FC4E2D-D6AD-4519-A663-37BD56068185}":"Printers", "{9274BD8D-CFD1-41C3-B35E-B13F55A758F4}":"%APPDATA%\\Microsoft\\Windows\\Printer Shortcuts", "{5E6C858F-0E22-4760-9AFE-EA3317B67173}":"%USERPROFILE% (%SystemDrive%\\Users\\%USERNAME%)", "{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}":"%ALLUSERSPROFILE% 
(%ProgramData%, %SystemDrive%\\ProgramData)", "{905e63b6-c1bf-494e-b29c-65b732d3d21a}":"%ProgramFiles%", "{6D809377-6AF0-444b-8957-A3773F02200E}":"%ProgramFiles%", "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}":"%ProgramFiles%", "{F7F1ED05-9F6D-47A2-AAAE-29D317C6F066}":"%ProgramFiles%\\Common Files", "{6365D5A7-0F0D-45E5-87F6-0DA56B6A4F7D}":"%ProgramFiles%\\Common Files", "{DE974D24-D9C6-4D3E-BF91-F4455120B917}":"%ProgramFiles%\\Common Files", "{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs", "{DFDF76A2-C82A-4D63-906A-5644AC457385}":"%PUBLIC% (%SystemDrive%\\Users\\Public)", "{C4AA340D-F20F-4863-AFEF-F87EF2E6BA25}":"%PUBLIC%\\Desktop", "{ED4824AF-DCE4-45A8-81E2-FC7965083634}":"%PUBLIC%\\Documents", "{3D644C9B-1FB8-4f30-9B45-F670235F79C0}":"%PUBLIC%\\Downloads", "{DEBF2536-E1A8-4c59-B6A2-414586476AEA}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\GameExplorer", "{48DAF80B-E6CF-4F4E-B800-0E69D84EE384}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Libraries", "{3214FAB5-9757-4298-BB61-92A9DEAA44FF}":"%PUBLIC%\\Music", "{B6EBFB86-6907-413C-9AF7-4FC2ABF07CC5}":"%PUBLIC%\\Pictures", "{E555AB60-153B-4D17-9F04-A5FE99FC15EC}":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\Ringtones", "{2400183A-6185-49FB-A2D8-4A392A602BA3}":"%PUBLIC%\\Videos", "{52a4f021-7b75-48a9-9f6b-4b87a210bc8f}":"%APPDATA%\\Microsoft\\Internet Explorer\\Quick Launch", "{AE50C081-EBD2-438A-8655-8A092E34987A}":"%APPDATA%\\Microsoft\\Windows\\Recent", "{1A6FDBA2-F42D-4358-A798-B74D745926C5}":"%PUBLIC%\\RecordedTV.library-ms", "{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}":"Recycle Bin", "{8AD10C31-2ADB-4296-A8F7-E4701232C972}":"%windir%\\Resources", "{C870044B-F49E-4126-A9C3-B52A1FF411E8}":"%LOCALAPPDATA%\\Microsoft\\Windows\\Ringtones", "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}":"%APPDATA% (%USERPROFILE%\\AppData\\Roaming)", "{B250C668-F57D-4EE1-A63C-290EE7D1AA1F}":"%PUBLIC%\\Music\\Sample Music", "{C4900540-2379-4C75-844B-64E6FAF8716B}":"%PUBLIC%\\Pictures\\Sample Pictures", 
"{15CA69B3-30EE-49C1-ACE1-6B5EC372AFB5}":"%PUBLIC%\\Music\\Sample Playlists", "{859EAD94-2E85-48AD-A71A-0969CB56A6CD}":"%PUBLIC%\\Videos\\Sample Videos", "{4C5C32FF-BB9D-43b0-B5B4-2D72E54EAAA4}":"%USERPROFILE%\\Saved Games", "{7d1d3a04-debb-4115-95cf-2f29da2920da}":"%USERPROFILE%\\Searches", "{ee32e446-31ca-4aba-814f-a5ebd2fd6d5e}":"Offline Files", "{98ec0e18-2098-4d44-8644-66979315a281}":"Microsoft Office Outlook", "{190337d1-b8ca-4121-a639-6d472d16972a}":"Search Results", "{8983036C-27C0-404B-8F08-102D10DCFD74}":"%APPDATA%\\Microsoft\\Windows\\SendTo", "{7B396E54-9EC5-4300-BE0A-2482EBAE1A26}":"%ProgramFiles%\\Windows Sidebar\\Gadgets", "{A75D362E-50FC-4fb7-AC2C-A8BEAA314493}":"%LOCALAPPDATA%\\Microsoft\\Windows Sidebar\\Gadgets", "{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}":"%APPDATA%\\Microsoft\\Windows\\Start Menu", "{B97D20BB-F46A-4C97-BA10-5E3608430854}":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp", "{43668BF8-C14E-49B2-97C9-747784D784B7}":"Sync Center", "{289a9a43-be44-4057-a41b-587a76d7e7f9}":"Sync Results", "{0F214138-B1D3-4a90-BBA9-27CBC0C5389A}":"Sync Setup", "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}":"%windir%\\system32", "{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}":"%windir%\\system32", "{A63293E8-664E-48DB-A079-DF759E0509F7}":"%APPDATA%\\Microsoft\\Windows\\Templates", "{9E3995AB-1F9C-4F13-B827-48B24B6C7174}":"%APPDATA%\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", "{0762D272-C50A-4BB0-A382-697DCD729B80}":"%SystemDrive%\\Users", "{5CD7AEE2-2219-4A67-B85D-6C9CE15660CB}":"%LOCALAPPDATA%\\Programs", "{BCBD3057-CA5C-4622-B42D-BC56DB0AE516}":"%LOCALAPPDATA%\\Programs\\Common", "{f3ce0f7c-4901-4acc-8648-d5d44b04ef8f}":"The user's full name", "{A302545D-DEFF-464b-ABE8-61C8648D939B}":"Libraries", "{18989B1D-99B5-455B-841C-AB7C74E4DDFC}":"%USERPROFILE%\\Videos", "{491E922F-5643-4AF4-A7EB-4E7A138D8174}":"%APPDATA%\\Microsoft\\Windows\\Libraries\\Videos.library-ms", "{F38BF404-1D43-42F2-9305-67DE0B28FC23}":"%windir%", } class 
UserAssist(printkey.PrintKey, hivelist.HiveList): "Print userassist registry keys and information" def __init__(self, config, *args, **kwargs): printkey.PrintKey.__init__(self, config, *args, **kwargs) hivelist.HiveList.__init__(self, config, *args, **kwargs) config.add_option('HIVE-OFFSET', short_option = 'o', help = 'Hive offset (virtual)', type = 'int') def calculate(self): addr_space = utils.load_as(self._config) win7 = addr_space.profile.metadata.get('major', 0) == 6 and addr_space.profile.metadata.get('minor', 0) == 1 if not self._config.HIVE_OFFSET: hive_offsets = [(self.hive_name(h), h.obj_offset) for h in hivelist.HiveList.calculate(self)] else: hive_offsets = [("User Specified", self._config.HIVE_OFFSET)] for name, hoff in set(hive_offsets): h = hivemod.HiveAddressSpace(addr_space, self._config, hoff) root = rawreg.get_root(h) if not root: if self._config.HIVE_OFFSET: debug.error("Unable to find root key. Is the hive offset correct?") else: skey = "software\\microsoft\\windows\\currentversion\\explorer\\userassist\\" if win7: uakey = skey + "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count" yield win7, name, rawreg.open_key(root, uakey.split('\\')) uakey = skey + "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count" yield win7, name, rawreg.open_key(root, uakey.split('\\')) else: uakey = skey + "{75048700-EF1F-11D0-9888-006097DEACF9}\\Count" yield win7, name, rawreg.open_key(root, uakey.split('\\')) uakey = skey + "{5E6AB780-7743-11CF-A12B-00AA004AE837}\\Count" yield win7, name, rawreg.open_key(root, uakey.split('\\')) def parse_data(self, dat_raw): bufferas = addrspace.BufferAddressSpace(self._config, data = dat_raw) uadata = obj.Object("_VOLUSER_ASSIST_TYPES", offset = 0, vm = bufferas) if len(dat_raw) < bufferas.profile.get_obj_size('_VOLUSER_ASSIST_TYPES') or uadata == None: return None output = "" if hasattr(uadata, "ID"): output = "\n{0:15} {1}".format("ID:", uadata.ID) if hasattr(uadata, "Count"): output += "\n{0:15} {1}".format("Count:", uadata.Count) 
        else:
            output += "\n{0:15} {1}".format("Count:", uadata.CountStartingAtFive if uadata.CountStartingAtFive < 5 else uadata.CountStartingAtFive - 5)
        if hasattr(uadata, "FocusCount"):
            seconds = (uadata.FocusTime + 500) / 1000.0
            time = datetime.timedelta(seconds = seconds) if seconds > 0 else uadata.FocusTime
            output += "\n{0:15} {1}\n{2:15} {3}".format("Focus Count:", uadata.FocusCount, "Time Focused:", time)
        output += "\n{0:15} {1}\n".format("Last updated:", uadata.LastUpdated)

        return output

    def render_text(self, outfd, data):
        keyfound = False
        for win7, reg, key in data:
            if key:
                keyfound = True
                outfd.write("----------------------------\n")
                outfd.write("Registry: {0}\n".format(reg))
                outfd.write("Key name: {0}\n".format(key.Name))
                outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
                outfd.write("\n")
                outfd.write("Subkeys:\n")
                for s in rawreg.subkeys(key):
                    if s.Name == None:
                        outfd.write(" Unknown subkey: " + s.Name.reason + "\n")
                    else:
                        outfd.write(" {0}\n".format(s.Name))
                outfd.write("\n")
                outfd.write("Values:\n")
                for v in rawreg.values(key):
                    tp, dat = rawreg.value_data(v)
                    subname = v.Name
                    if tp == 'REG_BINARY':
                        dat_raw = dat
                        dat = "\n".join(["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)])
                        try:
                            subname = subname.encode('rot_13')
                        except UnicodeDecodeError:
                            pass
                        if win7:
                            guid = subname.split("\\")[0]
                            if guid in folder_guids:
                                subname = subname.replace(guid, folder_guids[guid])
                        d = self.parse_data(dat_raw)
                        if d != None:
                            dat = d + dat
                        else:
                            dat = "\n" + dat
                    #these types shouldn't be encountered, but are just left here in case:
                    if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                        dat = dat.encode("ascii", 'backslashreplace')
                    if tp == 'REG_MULTI_SZ':
                        for i in range(len(dat)):
                            dat[i] = dat[i].encode("ascii", 'backslashreplace')
                    outfd.write("\n{0:13} {1:15} : {2}\n".format(tp, subname, dat))
        if not keyfound:
            outfd.write("The requested key could not be found in the hive(s) searched\n")
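The record layouts in ua_vtypes and ua_win7_vtypes and the ROT13 and folder-GUID name handling in render_text can be reproduced with the standard library alone. The following is an added example, not part of the Volatility source: it targets Python 3, and its function names, sample records, value names and timestamp are constructed for illustration.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Record sizes and field offsets are taken from ua_vtypes / ua_win7_vtypes.
XP_SIZE, WIN7_SIZE = 0x10, 0x48
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Two entries copied from the plugin's folder_guids table.
FOLDER_GUIDS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%windir%\\system32",
    "{6D809377-6AF0-444b-8957-A3773F02200E}": "%ProgramFiles%",
}


def filetime_to_utc(ticks):
    """WinTimeStamp: 100 ns ticks since 1601-01-01 UTC; zero means unset."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_filetime(when):
    """Inverse of filetime_to_utc, used only to build the constructed samples."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10


def decode_name(value_name, win7):
    """ROT13-decode a value name and, on Windows 7, expand a leading folder GUID."""
    name = codecs.decode(value_name, "rot_13")
    if win7:
        guid = name.split("\\")[0]
        if guid in FOLDER_GUIDS:  # case-sensitive lookup, as in the plugin
            name = name.replace(guid, FOLDER_GUIDS[guid])
    return name


def parse_record(data, win7):
    """Parse one REG_BINARY UserAssist value; None if shorter than the struct."""
    if len(data) < (WIN7_SIZE if win7 else XP_SIZE):
        return None
    if win7:
        count, focus_count, focus_ms = struct.unpack_from("<III", data, 0x04)
        (ticks,) = struct.unpack_from("<Q", data, 0x3C)
        return {
            "count": count,
            "focus_count": focus_count,
            # The plugin adds 500 to FocusTime and divides by 1000 to get seconds.
            "focus_time": timedelta(seconds=(focus_ms + 500) / 1000.0),
            "last_updated": filetime_to_utc(ticks),
        }
    rec_id, raw_count, ticks = struct.unpack_from("<IIQ", data, 0)
    return {
        "id": rec_id,
        # Pre-Windows 7 counters start at five (CountStartingAtFive).
        "count": raw_count if raw_count < 5 else raw_count - 5,
        "last_updated": filetime_to_utc(ticks),
    }


# Constructed samples (not taken from a real hive).
SAMPLE_TIME = datetime(2013, 10, 1, 12, 0, 0, tzinfo=timezone.utc)
XP_SAMPLE = struct.pack("<IIQ", 1, 9, utc_to_filetime(SAMPLE_TIME))
_win7 = bytearray(WIN7_SIZE)
struct.pack_into("<III", _win7, 0x04, 3, 2, 61500)
struct.pack_into("<Q", _win7, 0x3C, utc_to_filetime(SAMPLE_TIME))
WIN7_SAMPLE = bytes(_win7)
XP_NAME = codecs.encode("UEME_RUNPATH:C:\\WINDOWS\\notepad.exe", "rot_13")
WIN7_NAME = codecs.encode("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\calc.exe", "rot_13")

if __name__ == "__main__":
    print(decode_name(XP_NAME, False), parse_record(XP_SAMPLE, False))
    print(decode_name(WIN7_NAME, True), parse_record(WIN7_SAMPLE, True))
```

Parsing a record with the wrong layout is rejected only when the buffer is too short for it, so the Windows version has to be known before the fields are interpreted.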
volatility-2.3.1/volatility/plugins/mac/

volatility-2.3.1/volatility/plugins/mac/netstat.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.lsof as lsof

class mac_netstat(lsof.mac_lsof):
    """ Lists active per-process network connections """

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Proto", "6"),
                                  ("Local IP", "20"),
                                  ("Local Port", "6"),
                                  ("Remote IP", "20"),
                                  ("Remote Port", "6"),
                                  ("State", "10"),
                                  ("Process", "24")])

        for proc, i, fd, _path in data:
            if str(fd.f_fglob.fg_type or '') == 'DTYPE_SOCKET':
                socket = fd.f_fglob.fg_data.dereference_as("socket")
                family = socket.family

                if family == 1:
                    upcb = socket.so_pcb.dereference_as("unpcb")
                    path = upcb.unp_addr.sun_path
                    outfd.write("UNIX {0}\n".format(path))
                elif family in [2, 30]:
                    proto = socket.protocol
                    state = socket.state

                    (lip, lport, rip, rport) = socket.get_connection_info()

                    self.table_row(outfd, proto, lip, lport, rip, rport, state, "{}/{}".format(proc.p_comm, proc.p_pid))
volatility-2.3.1/volatility/plugins/mac/psxview.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2010, 2011, 2012 Michael Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.utils as utils
import volatility.obj as obj
import volatility.plugins.mac.common as common
import volatility.plugins.mac.pslist as pslist
import volatility.plugins.mac.pid_hash_table as pid_hash_table
import volatility.plugins.mac.pgrp_hash_table as pgrp_hash_table
import volatility.plugins.mac.session_hash_table as session_hash_table
import volatility.plugins.mac.pstasks as pstasks

class mac_psxview(common.AbstractMacCommand):
    "Find hidden processes with various process listings"

    def _get_pslist(self):
        return [p.v() for p in pslist.mac_pslist(self._config).calculate()]

    def _get_parent_pointers(self):
        return [p.p_pptr.v() for p in pslist.mac_pslist(self._config).calculate()]

    def _get_pid_hash_table(self):
        return [p.v() for p in pid_hash_table.mac_pid_hash_table(self._config).calculate()]

    def _get_pgrp_hash_table(self):
        return [p.v() for p in pgrp_hash_table.mac_pgrp_hash_table(self._config).calculate()]

    def _get_session_hash_table(self):
        return [s.s_leader.v() for s in session_hash_table.mac_list_sessions(self._config).calculate() if s.s_leader.is_valid()]

    def _get_procs_from_tasks(self):
        return [p.v() for p in pstasks.mac_tasks(self._config).calculate()]

    def calculate(self):
        common.set_plugin_members(self)

        ps_sources = {}

        ps_sources['pslist'] = self._get_pslist()
        ps_sources['parents'] = self._get_parent_pointers()
        ps_sources['pid_hash'] = self._get_pid_hash_table()
        ps_sources['pgrp_hash_table'] = self._get_pgrp_hash_table()
        ps_sources['session_hash_table'] = self._get_session_hash_table()
        ps_sources['procs_from_tasks'] = self._get_procs_from_tasks()

        # Build a list of offsets from all sources
        seen_offsets = []
        for source in ps_sources:
            tasks = ps_sources[source]

            for offset in tasks:
                if offset not in seen_offsets:
                    seen_offsets.append(offset)
                    yield offset, obj.Object("proc", offset = offset, vm = self.addr_space), ps_sources

    def render_text(self, outfd, data):
        self.table_header(outfd, [('Offset(P)', '[addrpad]'),
                                  ('Name', '<20'),
                                  ('PID', '>6'),
                                  ('pslist', '5'),
                                  ('parents', '5'),
                                  ('pid_hash', '5'),
                                  ('pgrp_hash_table', '5'),
                                  ('session leaders', '5'),
                                  ('task processes', '5'),
                                  ])

        for offset, process, ps_sources in data:
            self.table_row(outfd,
                offset,
                process.p_comm,
                str(process.p_pid),
                str(ps_sources['pslist'].__contains__(offset)),
                str(ps_sources['parents'].__contains__(offset)),
                str(ps_sources['pid_hash'].__contains__(offset)),
                str(ps_sources['pgrp_hash_table'].__contains__(offset)),
                str(ps_sources['session_hash_table'].__contains__(offset)),
                str(ps_sources['procs_from_tasks'].__contains__(offset)),
                )

volatility-2.3.1/volatility/plugins/mac/proc_maps.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.
# You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.pstasks as pstasks
import volatility.plugins.mac.common as common

class mac_proc_maps(pstasks.mac_tasks):
    """ Gets memory maps of processes """

    def calculate(self):
        common.set_plugin_members(self)

        procs = pstasks.mac_tasks.calculate(self)

        for proc in procs:
            for map in proc.get_proc_maps():
                yield proc, map

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Pid", "8"),
                                  ("Name", "20"),
                                  ("Start", "#018x"),
                                  ("End", "#018x"),
                                  ("Perms", "9"),
                                  ("Map Name", "")])

        for (proc, map) in data:
            self.table_row(outfd,
                           str(proc.p_pid), proc.p_comm,
                           map.links.start,
                           map.links.end,
                           map.get_perms(),
                           map.get_path())

volatility-2.3.1/volatility/plugins/mac/ifconfig.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common

class mac_ifconfig(common.AbstractMacCommand):
    """ Lists network interface information for all devices """

    def calculate(self):
        common.set_plugin_members(self)

        list_head_addr = self.addr_space.profile.get_symbol("_dlil_ifnet_head")
        list_head_ptr = obj.Object("Pointer", offset = list_head_addr, vm = self.addr_space)
        ifnet = list_head_ptr.dereference_as("ifnet")

        while ifnet:
            name = ifnet.if_name.dereference()
            unit = ifnet.if_unit
            ifaddr = ifnet.if_addrhead.tqh_first

            ips = []

            while ifaddr:
                ip = ifaddr.ifa_addr.get_address()
                if ip:
                    ips.append(ip)
                ifaddr = ifaddr.ifa_link.tqe_next

            yield (name, unit, ips)
            ifnet = ifnet.if_link.tqe_next

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Interface", "10"), ("Address", "")])

        for (name, unit, ips) in data:
            if ips:
                for ip in ips:
                    self.table_row(outfd, "{0}{1}".format(name, unit), ip)
            else:
                # an interface with no IPs
                self.table_row(outfd, "{0}{1}".format(name, unit), "")

volatility-2.3.1/volatility/plugins/mac/common.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.commands as commands
import volatility.utils as utils
import volatility.obj as obj

def set_plugin_members(obj_ref):
    obj_ref.addr_space = utils.load_as(obj_ref._config)

class AbstractMacCommand(commands.Command):
    def __init__(self, *args, **kwargs):
        self.addr_space = None
        commands.Command.__init__(self, *args, **kwargs)

    @property
    def profile(self):
        if self.addr_space:
            return self.addr_space.profile
        return None

    def execute(self, *args, **kwargs):
        commands.Command.execute(self, *args, **kwargs)

    @staticmethod
    def register_options(config):
        config.add_option("SHIFT", type = 'int', default = 0, help = "Mac KASLR shift address")

    @staticmethod
    def is_valid_profile(profile):
        return profile.metadata.get('os', 'Unknown').lower() == 'mac'

def is_known_address(handler, kernel_symbol_addresses, kmods):
    # see if this handler is in a known location
    good = 0

    handler = handler.v()

    if handler in kernel_symbol_addresses:
        good = 1
    else:
        # see if the address fits in any of the known modules
        for (start, end, name) in kmods:
            if start <= handler <= end:
                good = 1
                break

    return good

def is_64bit_capable(addr_space):
    """Test if the AS is capable of doing 64-bits.

    @returns True if 64-bit capable.
    """
    x86_64_flag_addr = addr_space.profile.get_symbol("_x86_64_flag")
    x86_64_flag = obj.Object("int", offset = x86_64_flag_addr, vm = addr_space)
    return x86_64_flag == 1

def get_kernel_addrs(obj_ref):
    import volatility.plugins.mac.lsmod as lsmod
    # all the known addresses in the kernel
    # TODO -- make more stringent and get only symbols from .text
    kernel_symbol_addresses = obj_ref.profile.get_all_addresses()

    # module addresses, tuple of (start, end)
    # TODO -- make sure more stringent and parse each kext in-memory so we only allow whitelist from .text
    kmods = [(kmod.address, kmod.address + kmod.m('size'), kmod.name) for kmod in lsmod.mac_lsmod(obj_ref._config).calculate()]

    return (kernel_symbol_addresses, kmods)

## FIXME: remove this function after all references from plugins are removed
def get_string(addr, addr_space, maxlen = 256):
    name = addr_space.read(addr, maxlen)
    ret = ""

    for n in name:
        if ord(n) == 0:
            break
        ret = ret + n

    return ret

# account for c++ symbol name mangling
def get_cpp_sym(name, profile):
    for (cppname, addr) in profile.get_all_symbols():
        if cppname.find(name) != -1:
            return addr

    return None

volatility-2.3.1/volatility/plugins/mac/check_sysctl.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.
# If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common

# based on sysctl_sysctl_debug_dump_node
class mac_check_sysctl(common.AbstractMacCommand):
    """ Checks for unknown sysctl handlers """

    def _process_sysctl_list(self, sysctl_list, r = 0):

        if type(sysctl_list) == obj.Pointer:
            sysctl_list = sysctl_list.dereference_as("sysctl_oid_list")

        sysctl = sysctl_list.slh_first

        # skip the head entry if new list (recursive call)
        if r:
            sysctl = sysctl.oid_link.sle_next

        while sysctl and sysctl.is_valid():
            name = sysctl.oid_name.dereference()

            if len(name) == 0:
                break

            ctltype = sysctl.get_ctltype()

            if sysctl.oid_arg1 == 0 or not sysctl.oid_arg1.is_valid():
                val = ""
            elif ctltype == 'CTLTYPE_NODE':
                if sysctl.oid_handler == 0:
                    for info in self._process_sysctl_list(sysctl.oid_arg1, r = 1):
                        yield info
                val = "Node"
            elif ctltype in ['CTLTYPE_INT', 'CTLTYPE_QUAD', 'CTLTYPE_OPAQUE']:
                val = sysctl.oid_arg1.dereference()
            elif ctltype == 'CTLTYPE_STRING':
                ## FIXME: can we do this without get_string?
                val = common.get_string(sysctl.oid_arg1, self.addr_space)
            else:
                val = ctltype

            yield (sysctl, name, val)

            sysctl = sysctl.oid_link.sle_next

    def calculate(self):
        common.set_plugin_members(self)

        (kernel_symbol_addresses, kmods) = common.get_kernel_addrs(self)

        sysctl_children_addr = self.addr_space.profile.get_symbol("_sysctl__children")

        sysctl_list = obj.Object("sysctl_oid_list", offset = sysctl_children_addr, vm = self.addr_space)

        for (sysctl, name, val) in self._process_sysctl_list(sysctl_list):
            if val == "INVALID -1":
                continue

            is_known = common.is_known_address(sysctl.oid_handler, kernel_symbol_addresses, kmods)

            if is_known:
                status = "OK"
            else:
                status = "UNKNOWN"

            yield (sysctl, name, val, is_known, status)

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Name", "30"),
                                  ("Number", "8"),
                                  ("Perms", "6"),
                                  ("Handler", "[addrpad]"),
                                  ("Status", "10"),
                                  ("Value", "")])

        for (sysctl, name, val, is_known, status) in data:
            self.table_row(outfd,
               name,
               sysctl.oid_number,
               sysctl.get_perms(),
               sysctl.oid_handler,
               status,
               val)

volatility-2.3.1/volatility/plugins/mac/trustedbsd.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import sys
import volatility.obj as obj
import volatility.plugins.mac.common as common

from lsmod import mac_lsmod as mac_lsmod

class mac_trustedbsd(mac_lsmod):
    """ Lists malicious trustedbsd policies """

    def get_members(self):
        h = self.profile.types['mac_policy_ops']
        return h.keywords["members"]

    def calculate(self):
        common.set_plugin_members(self)

        # get all the members of 'mac_policy_ops' so that we can check them (they are all function ptrs)
        ops_members = self.get_members()

        # get the symbols need to check for if rootkit or not
        (kernel_symbol_addresses, kmods) = common.get_kernel_addrs(self)

        list_addr = self.addr_space.profile.get_symbol("_mac_policy_list")

        plist = obj.Object("mac_policy_list", offset = list_addr, vm = self.addr_space)
        parray = obj.Object('Array', offset = plist.entries, vm = self.addr_space, targetType = 'mac_policy_list_element', count = plist.maxindex + 1)

        for ent in parray:
            # I don't know how this can happen, but the kernel makes this check all over the place
            # the policy is useful without any ops so a rootkit can't abuse this
            if ent.mpc == None:
                continue

            name = ent.mpc.mpc_name.dereference()

            ops = obj.Object("mac_policy_ops", offset = ent.mpc.mpc_ops, vm = self.addr_space)

            # walk each member of the struct
            for check in ops_members:
                ptr = ops.__getattr__(check)

                if ptr != 0:
                    good = common.is_known_address(ptr, kernel_symbol_addresses, kmods)
                    yield (good, check, name, ptr)

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Check", "40"), ("Name", "20"), ("Pointer", "[addrpad]")])
        for (good, check, name, ptr) in data:
            if not good:
                self.table_row(outfd, check, name, ptr)

volatility-2.3.1/volatility/plugins/mac/__init__.py

volatility-2.3.1/volatility/plugins/mac/dmesg.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common

class mac_dmesg(common.AbstractMacCommand):
    """ Prints the kernel debug buffer """

    def calculate(self):
        common.set_plugin_members(self)

        msgbuf_ptr = obj.Object("Pointer", offset = self.addr_space.profile.get_symbol("_msgbufp"), vm = self.addr_space)
        msgbufp = msgbuf_ptr.dereference_as("msgbuf")

        bufx = msgbufp.msg_bufx
        size = msgbufp.msg_size
        bufc = self.addr_space.read(msgbufp.msg_bufc, size)

        if bufc[bufx] == 0 and bufc[0] != 0:
            ## FIXME: can we do this without get_string?
            buf = common.get_string(bufc, self.addr_space)
        else:
            if bufx > size:
                bufx = 0

            # older messages
            buf = bufc[bufx:bufx + size]
            buf = buf + bufc[0:bufx]

        # strip leading NULLs
        while ord(buf[0]) == 0x00:
            buf = buf[1:]

        yield buf

    def render_text(self, outfd, data):
        for buf in data:
            outfd.write("{0}\n".format(buf))

volatility-2.3.1/volatility/plugins/mac/mac_volshell.py

# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
# # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . # import volatility.plugins.mac.pstasks as pstasks import volatility.plugins.volshell as volshell import volatility.obj as obj class mac_volshell(volshell.volshell): """Shell in the memory image""" @staticmethod def is_valid_profile(profile): return profile.metadata.get('os', 'Unknown').lower() == 'mac' def getpidlist(self): return pstasks.mac_tasks(self._config).calculate() def ps(self, procs = None): print "{0:16} {1:6} {2:8}".format("Name", "PID", "Offset") for proc in procs or self.getpidlist(): print "{0:16} {1:<6} {2:#08x}".format(proc.p_comm, proc.p_pid, proc.obj_offset) def context_display(self): dtb = self.proc.task.dereference_as("task").map.pmap.pm_cr3 print "Current context: process {0}, pid={1} DTB={2:#x}".format(self.proc.p_comm, self.proc.p_pid, dtb) def set_context(self, offset = None, pid = None, name = None): if pid is not None: offsets = [] for p in self.getpidlist(): if p.p_pid.v() == pid: offsets.append(p) if not offsets: print "Unable to find process matching pid {0}".format(pid) return elif len(offsets) > 1: print "Multiple processes match {0}, please specify by offset".format(pid) print "Matching processes:" self.ps(offsets) return else: offset = offsets[0].v() elif name is not None: offsets = [] for p in self.getpidlist(): if p.p_comm.find(name) >= 0: offsets.append(p) if not offsets: print "Unable to 
find process matching name {0}".format(name) return elif len(offsets) > 1: print "Multiple processes match name {0}, please specify by PID or offset".format(name) print "Matching processes:" self.ps(offsets) return else: offset = offsets[0].v() elif offset is None: print "Must provide one of: offset, name, or pid as a argument." return self.proc = obj.Object("proc", offset = offset, vm = self.addrspace) self.context_display() volatility-2.3.1/volatility/plugins/mac/dead_procs.py0000644000175000017500000000303612227253532022714 0ustar mikemike00000000000000# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. You may not use, modify or # distribute this program under any other version of the GNU General # Public License. # # Volatility is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Volatility. If not, see . 
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common
import volatility.plugins.mac.list_zones as list_zones
import volatility.plugins.mac.pslist as pslist

class mac_dead_procs(pslist.mac_pslist):
    """ Prints terminated/de-allocated processes """

    def calculate(self):
        common.set_plugin_members(self)

        zones = list_zones.mac_list_zones(self._config).calculate()

        for zone in zones:
            name = str(zone.zone_name.dereference())
            if name == "proc":
                procs = zone.get_free_elements("proc")
                for proc in procs:
                    yield proc

volatility-2.3.1/volatility/plugins/mac/ip_filters.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common
import volatility.plugins.mac.lsmod as lsmod

class mac_ip_filters(lsmod.mac_lsmod):
    """ Reports any hooked IP filters """

    def check_filter(self, context, fname, ptr, kernel_symbol_addresses, kmods):
        if ptr == None:
            return

        # change the last parameter to 1 to get messages about which good modules hooks were found in
        good = common.is_known_address(ptr, kernel_symbol_addresses, kmods)

        return (good, context, fname, ptr)

    def calculate(self):
        common.set_plugin_members(self)

        # get the symbols needed to check if rootkit or not
        (kernel_symbol_addresses, kmods) = common.get_kernel_addrs(self)

        list_addrs = [self.addr_space.profile.get_symbol("_ipv4_filters"), self.addr_space.profile.get_symbol("_ipv6_filters")]

        for list_addr in list_addrs:
            plist = obj.Object("ipfilter_list", offset = list_addr, vm = self.addr_space)

            # type 'ipfilter'
            cur = plist.tqh_first

            while cur:
                filter = cur.ipf_filter
                name = filter.name.dereference()

                yield self.check_filter("INPUT", name, filter.ipf_input, kernel_symbol_addresses, kmods)
                yield self.check_filter("OUTPUT", name, filter.ipf_output, kernel_symbol_addresses, kmods)
                yield self.check_filter("DETACH", name, filter.ipf_detach, kernel_symbol_addresses, kmods)

                cur = cur.ipf_link.tqe_next

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Context", "10"),
                                  ("Filter", "16"),
                                  ("Pointer", "[addrpad]"),
                                  ("Status", "")])

        for (good, context, fname, ptr) in data:
            if good == 0:
                status = "UNKNOWN"
            else:
                status = "OK"

            self.table_row(outfd, context, fname, ptr, status)

volatility-2.3.1/volatility/plugins/mac/psaux.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.plugins.mac.pstasks as pstasks

class mac_psaux(pstasks.mac_tasks):
    """ Prints processes with arguments in user land (**argv) """

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Pid", "8"),
                                  ("Name", "20"),
                                  ("Bits", "16"),
                                  ("Stack", "#018x"),
                                  ("Length", "8"),
                                  ("Argc", "8"),
                                  ("Arguments", "")])
        for proc in data:
            self.table_row(outfd,
                           proc.p_pid,
                           proc.p_comm,
                           str(proc.task.map.pmap.pm_task_map or '')[9:],
                           proc.user_stack,
                           proc.p_argslen,
                           proc.p_argc,
                           proc.get_arguments())

volatility-2.3.1/volatility/plugins/mac/mount.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common

class mac_mount(common.AbstractMacCommand):
    """ Prints mounted device information """

    def calculate(self):
        common.set_plugin_members(self)

        mountlist_addr = self.addr_space.profile.get_symbol("_mountlist")
        mount = obj.Object("mount", offset = mountlist_addr, vm = self.addr_space)
        mount = mount.mnt_list.tqe_next

        while mount:
            yield mount
            mount = mount.mnt_list.tqe_next

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Device", "30"), ("Mount Point", "60"), ("Type", "")])
        for mount in data:
            self.table_row(outfd,
                           mount.mnt_vfsstat.f_mntonname,
                           mount.mnt_vfsstat.f_mntfromname,
                           mount.mnt_vfsstat.f_fstypename)

volatility-2.3.1/volatility/plugins/mac/pstasks.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.pslist as pslist
import volatility.plugins.mac.common as common

class mac_tasks(pslist.mac_pslist):
    """ List Active Tasks """

    def __init__(self, config, *args, **kwargs):
        pslist.mac_pslist.__init__(self, config, *args, **kwargs)

    def calculate(self):
        common.set_plugin_members(self)

        pidlist = None

        try:
            if self._config.PID:
                pidlist = [int(p) for p in self._config.PID.split(',')]
        except:
            pass

        tasksaddr = self.addr_space.profile.get_symbol("_tasks")
        queue_entry = obj.Object("queue_entry", offset = tasksaddr, vm = self.addr_space)

        seen = [tasksaddr]

        for task in queue_entry.walk_list(list_head = tasksaddr):
            if (task.bsd_info and task.obj_offset not in seen):
                proc = task.bsd_info.dereference_as("proc")
                if not pidlist or proc.p_pid in pidlist:
                    yield proc

            seen.append(task.obj_offset)

volatility-2.3.1/volatility/plugins/mac/check_syscall_table.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import common

class mac_check_syscalls(common.AbstractMacCommand):
    """ Checks to see if system call table entries are hooked """

    def calculate(self):
        common.set_plugin_members(self)

        sym_addrs = self.profile.get_all_addresses()

        table_addr = self.addr_space.profile.get_symbol("_sysent")

        nsysent = obj.Object("int", offset = self.addr_space.profile.get_symbol("_nsysent"), vm = self.addr_space)
        sysents = obj.Object(theType = "Array", offset = table_addr, vm = self.addr_space, count = nsysent, targetType = "sysent")

        for (i, sysent) in enumerate(sysents):
            ent_addr = sysent.sy_call.v()
            hooked = ent_addr not in sym_addrs

            if hooked == False:
                sym_name = self.profile.get_symbol_by_address("kernel", ent_addr)
            else:
                sym_name = "HOOKED"

            yield (table_addr, "SyscallTable", i, ent_addr, hooked, sym_name)

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Table Name", "15"), ("Index", "6"), ("Address", "[addrpad]"), ("Symbol", "<30")])
        for (_, table_name, i, call_addr, hooked, sym_name) in data:
            self.table_row(outfd, table_name, i, call_addr, sym_name)

volatility-2.3.1/volatility/plugins/mac/mac_yarascan.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#

import volatility.plugins.malware.malfind as malfind
import volatility.plugins.mac.pstasks as pstasks
import volatility.plugins.mac.common as common
import volatility.utils as utils
import volatility.debug as debug
import volatility.obj as obj

try:
    import yara
    has_yara = True
except ImportError:
    has_yara = False

class MapYaraScanner(malfind.BaseYaraScanner):
    """A scanner over all memory regions of a process."""

    def __init__(self, task = None, **kwargs):
        """Scan the process address space through the VMAs.

        Args:
          task: The task_struct object for this task.
        """
        self.task = task
        malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)

    def scan(self, offset = 0, maxlen = None):
        for map in self.task.get_proc_maps():
            for match in malfind.BaseYaraScanner.scan(self, map.links.start, map.links.end - map.links.start):
                yield match

class mac_yarascan(malfind.YaraScan):
    """Scan memory for yara signatures"""

    @staticmethod
    def is_valid_profile(profile):
        return profile.metadata.get('os', 'Unknown').lower() == 'mac'

    def calculate(self):

        ## we need this module imported
        if not has_yara:
            debug.error("Please install Yara from code.google.com/p/yara-project")

        ## leveraged from the windows yarascan plugin
        rules = self._compile_rules()

        ## set the linux plugin address spaces
        common.set_plugin_members(self)

        if self._config.KERNEL:
            ## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
            if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
                if not common.is_64bit_capable(self.addr_space):
                    kernel_start = 0
                else:
                    kernel_start = 0xc0000000
            else:
                kernel_start = 0xffffff8000000000

            scanner = malfind.DiscontigYaraScanner(rules = rules,
                                                   address_space = self.addr_space)

            for hit, address in scanner.scan(start_offset = kernel_start):
                yield (None, address, hit,
                       scanner.address_space.zread(address, 64))
        else:
            # Scan each process memory block
            for task in pstasks.mac_tasks(self._config).calculate():
                scanner = MapYaraScanner(task = task, rules = rules)
                for hit, address in scanner.scan():
                    yield (task, address, hit,
                           scanner.address_space.zread(address, 64))

    def render_text(self, outfd, data):
        for task, address, hit, buf in data:
            if task:
                outfd.write("Task: {0} pid {1} rule {2} addr {3:#x}\n".format(
                    task.p_comm, task.p_pid, hit.rule, address))
            else:
                outfd.write("[kernel] rule {0} addr {1:#x}\n".format(hit.rule, address))

            outfd.write("".join(["{0:#018x} {1:<48} {2}\n".format(
                address + o, h, ''.join(c)) for o, h, c in utils.Hexdump(buf)]))

volatility-2.3.1/volatility/plugins/mac/pslist.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common
import volatility.debug as debug

class mac_pslist(common.AbstractMacCommand):
    """ List Running Processes """

    def __init__(self, config, *args, **kwargs):
        common.AbstractMacCommand.__init__(self, config, *args, **kwargs)
        self._config.add_option('PID', short_option = 'p', default = None, help = 'Operate on these Process IDs (comma-separated)', action = 'store', type = 'str')

    def calculate(self):
        common.set_plugin_members(self)

        pidlist = None

        try:
            if self._config.PID:
                pidlist = [int(p) for p in self._config.PID.split(',')]
        except:
            pass

        p = self.addr_space.profile.get_symbol("_allproc")

        procsaddr = obj.Object("proclist", offset = p, vm = self.addr_space)
        proc = obj.Object("proc", offset = procsaddr.lh_first, vm = self.addr_space)
        seen = []

        while proc.is_valid():

            if proc.obj_offset in seen:
                debug.warning("Recursive process list detected (a result of non-atomic acquisition). Use mac_tasks or mac_psxview)")
                break
            else:
                seen.append(proc.obj_offset)

            if not pidlist or proc.p_pid in pidlist:
                yield proc

            proc = proc.p_list.le_next.dereference()

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Offset", "[addrpad]"),
                                  ("Name", "20"),
                                  ("Pid", "8"),
                                  ("Uid", "8"),
                                  ("Gid", "8"),
                                  ("PGID", "8"),
                                  ("Bits", "12"),
                                  ("DTB", "#018x"),
                                  ("Start Time", "")])

        for proc in data:
            if not proc.is_valid() or len(proc.p_comm) == 0:
                continue

            # Strip the "TASK_MAP_" prefix from the enumeration
            bit_string = str(proc.task.map.pmap.pm_task_map or '')[9:]

            self.table_row(outfd, proc.v(),
                           proc.p_comm,
                           str(proc.p_pid),
                           str(proc.p_uid),
                           str(proc.p_gid),
                           str(proc.p_pgrpid),
                           bit_string,
                           proc.task.dereference_as("task").map.pmap.pm_cr3,
                           proc.start_time())

volatility-2.3.1/volatility/plugins/mac/session_hash_table.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.plugins.mac.pslist as pslist
import volatility.obj as obj
import volatility.plugins.mac.common as common

class mac_list_sessions(pslist.mac_pslist):
    """ Enumerates sessions """

    def calculate(self):
        common.set_plugin_members(self)

        shash_addr = self.addr_space.profile.get_symbol("_sesshash")
        shash = obj.Object("unsigned long", offset = shash_addr, vm = self.addr_space)

        shashtbl_addr = self.addr_space.profile.get_symbol("_sesshashtbl")
        shashtbl_ptr = obj.Object("Pointer", offset = shashtbl_addr, vm = self.addr_space)
        shash_array = obj.Object(theType = "Array", targetType = "sesshashhead", count = shash + 1, vm = self.addr_space, offset = shashtbl_ptr)

        for sess in shash_array:
            s = sess.lh_first

            while s:
                yield s
                s = s.s_hash.le_next

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Leader (Pid)", "8"),
                                  ("Leader (Name)", "20"),
                                  ("Login Name", "25")])

        for sess in data:
            if sess.s_leader:
                pid = sess.s_leader.p_pid
                pname = sess.s_leader.p_comm
            else:
                pid = -1
                pname = ""

            self.table_row(outfd, pid, pname, sess.s_login)

volatility-2.3.1/volatility/plugins/mac/lsof.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.pstasks as pstasks
import volatility.plugins.mac.common as common

class mac_lsof(pstasks.mac_tasks):
    """ Lists per-process opened files """

    def calculate(self):
        common.set_plugin_members(self)

        procs = pstasks.mac_tasks(self._config).calculate()

        for proc in procs:
            fds = obj.Object('Array', offset = proc.p_fd.fd_ofiles, vm = self.addr_space, targetType = 'Pointer', count = proc.p_fd.fd_lastfile)

            for i, fd in enumerate(fds):
                f = fd.dereference_as("fileproc")
                if f:
                    ## FIXME after 2.3 replace this explicit int field with the following line:
                    ##    if str(f.f_fglob.fg_type) == 'DTYPE_VNODE':
                    ## It's not needed for profiles generated with convert.py after r3290
                    fg_type = obj.Object("int", f.f_fglob.fg_type.obj_offset, vm = self.addr_space)
                    if fg_type == 1: # VNODE
                        vnode = f.f_fglob.fg_data.dereference_as("vnode")
                        path = vnode.full_path()
                    else:
                        path = ""

                    yield proc, i, f, path

    def render_text(self, outfd, data):
        self.table_header(outfd, [("PID","8"),
                                  ("File Descriptor", "6"),
                                  ("File Path", ""),
                                 ])

        for proc, i, f, path in data:
            if path:
                self.table_row(outfd, proc.p_pid, i, path)

volatility-2.3.1/volatility/plugins/mac/pstree.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.plugins.mac.pstasks as pstasks

class mac_pstree(pstasks.mac_tasks):
    """ Show parent/child relationship of processes """

    def render_text(self, outfd, data):
        self.procs_hash = {}
        self.procs_seen = {}

        outfd.write("{0:20s} {1:15s} {2:15s}\n".format("Name", "Pid", "Uid"))

        for proc in data:
            self.procs_hash[proc.p_pid] = proc

        for pid in sorted(self.procs_hash.keys()):
            proc = self.procs_hash[pid]
            self._recurse_task(outfd, proc, 0)

    def _recurse_task(self, outfd, proc, level):
        if proc.p_pid in self.procs_seen:
            return

        proc_name = "." * level + proc.p_comm

        outfd.write("{0:20s} {1:15s} {2:15s}\n".format(proc_name, str(proc.p_pid), str(proc.p_uid)))

        self.procs_seen[proc.p_pid] = 1

        proc = proc.p_children.lh_first

        while proc.is_valid():
            self._recurse_task(outfd, proc, level + 1)
            proc = proc.p_sibling.le_next

volatility-2.3.1/volatility/plugins/mac/print_boot_cmdline.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common

class mac_print_boot_cmdline(common.AbstractMacCommand):
    """ Prints kernel boot arguments """

    def calculate(self):
        common.set_plugin_members(self)

        pe_state_addr = self.addr_space.profile.get_symbol("_PE_state")
        pe_state = obj.Object("PE_state", offset = pe_state_addr, vm = self.addr_space)
        bootargs = pe_state.bootArgs.dereference_as("boot_args")

        yield bootargs.CommandLine

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Command Line", "")])
        for cmdline in data:
            self.table_row(outfd, cmdline)

volatility-2.3.1/volatility/plugins/mac/dump_map.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# """ @author: Andrew Case @license: GNU General Public License 2.0 @contact: atcuno@gmail.com @organization: """ import os import volatility.obj as obj import volatility.debug as debug import volatility.plugins.mac.proc_maps as proc_maps class mac_dump_maps(proc_maps.mac_proc_maps): """ Dumps memory ranges of processes """ def __init__(self, config, *args, **kwargs): proc_maps.mac_proc_maps.__init__(self, config, *args, **kwargs) self._config.add_option('MAP_ADDRESS', short_option = 's', default = None, help = 'Filter by starting address of map', action = 'store', type = 'long') self._config.add_option('OUTPUTFILE', short_option = 'O', default = None, help = 'Output File', action = 'store', type = 'str') def render_text(self, outfd, data): if not self._config.OUTPUTFILE: debug.error("Please specify an OUTPUTFILE") elif os.path.exists(self._config.OUTPUTFILE): debug.error("Cowardly refusing to overwrite an existing file") outfile = open(self._config.OUTPUTFILE, "wb+") map_address = self._config.MAP_ADDRESS size = 0 for proc, map in data: if not map_address or map_address == map.links.start: for page in self._read_addr_range(proc, map.links.start, map.links.end): size += len(page) outfile.write(page) outfile.close() outfd.write("Wrote {0} bytes\n".format(size)) def _read_addr_range(self, proc, start, end): pagesize = 4096 # set the as with our new dtb so we can read from userland proc_as = proc.get_process_address_space() while start < end: page = proc_as.zread(start, pagesize) yield page start = start + pagesize volatility-2.3.1/volatility/plugins/mac/route.py0000644000175000017500000000664612227253532021761 0ustar mikemike00000000000000# Volatility # Copyright (C) 2007-2013 Volatility Foundation # # This file is part of Volatility. # # Volatility is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as # published by the Free Software Foundation. 
# You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import datetime
import volatility.obj as obj
import volatility.plugins.mac.common as common

class mac_route(common.AbstractMacCommand):
    """ Prints the routing table """

    def _get_table(self, tbl):
        rnh = tbl #obj.Object("radix_node", offset=tbl.v(), vm=self.addr_space)
        rn = rnh.rnh_treetop

        while rn.is_valid() and rn.rn_bit >= 0:
            rn = rn.rn_u.rn_node.rn_L

        rnhash = {}

        while rn.is_valid():
            base = rn

            if rn in rnhash:
                break

            rnhash[rn] = 1

            while rn.is_valid() and rn.rn_parent.rn_u.rn_node.rn_R == rn and rn.rn_flags & 2 == 0:
                rn = rn.rn_parent

            rn = rn.rn_parent.rn_u.rn_node.rn_R

            while rn.is_valid() and rn.rn_bit >= 0:
                rn = rn.rn_u.rn_node.rn_L

            nextptr = rn

            while base.v() != 0:
                rn = base
                base = rn.rn_u.rn_leaf.rn_Dupedkey

                if rn.rn_flags & 2 == 0:
                    rt = obj.Object("rtentry", offset = rn, vm = self.addr_space)
                    yield rt

            rn = nextptr

            if rn.rn_flags & 2 != 0:
                break

    def calculate(self):
        common.set_plugin_members(self)

        tables_addr = self.addr_space.profile.get_symbol("_rt_tables")

        ## FIXME: if we only use ents[2] why do we need to instantiate 32?
        ents = obj.Object('Array', offset = tables_addr, vm = self.addr_space, targetType = 'Pointer', count = 32)

        ipv4table = obj.Object("radix_node_head", offset = ents[2], vm = self.addr_space)

        rts = self._get_table(ipv4table)

        for rt in rts:
            yield rt

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Source IP", "24"),
                                  ("Dest. IP", "24"),
                                  ("Name", "^10"),
                                  ("Sent", "^18"),
                                  ("Recv", "^18"),
                                  ("Time", "^30"),
                                  ("Exp.", "^10"),
                                  ("Delta", "")])

        for rt in data:
            self.table_row(outfd,
                           rt.source_ip,
                           rt.dest_ip,
                           rt.name,
                           rt.sent, rt.rx,
                           rt.get_time(),
                           rt.rt_expire,
                           rt.delta)

volatility-2.3.1/volatility/plugins/mac/arp.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common
import volatility.plugins.mac.route as route

class mac_arp(route.mac_route):
    """ Prints the arp table """

    def calculate(self):
        common.set_plugin_members(self)

        arp_addr = self.addr_space.profile.get_symbol("_llinfo_arp")
        ptr = obj.Object("Pointer", offset = arp_addr, vm = self.addr_space)
        ent = ptr.dereference_as("llinfo_arp")

        while ent:
            yield ent.la_rt
            ent = ent.la_le.le_next

volatility-2.3.1/volatility/plugins/mac/machine_info.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common

class mac_machine_info(common.AbstractMacCommand):
    """ Prints machine information about the sample """

    def calculate(self):
        common.set_plugin_members(self)

        machine_info = obj.Object("machine_info", offset = self.addr_space.profile.get_symbol("_machine_info"), vm = self.addr_space)

        yield machine_info

    def render_text(self, outfd, data):
        for machine_info in data:
            info = (("Major Version:", machine_info.major_version),
                    ("Minor Version:", machine_info.minor_version),
                    ("Memory Size:", machine_info.max_mem),
                    ("Max CPUs:", machine_info.max_cpus),
                    ("Physical CPUs:", machine_info.physical_cpu),
                    ("Logical CPUs:", machine_info.logical_cpu),
                    )

            for i in info:
                outfd.write("{0:15} {1}\n".format(i[0], i[1]))

volatility-2.3.1/volatility/plugins/mac/check_trap_table.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.
# You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common

class mac_check_trap_table(common.AbstractMacCommand):
    """ Checks to see if mach trap table entries are hooked """

    def _set_vtypes(self):
        x86_10_vtypes = { 'mach_trap' : [ 16, { 'mach_trap_function': [ 4, ['pointer', ['void']]] }]}
        x86_other_vtypes = { 'mach_trap' : [ 8, { 'mach_trap_function': [ 4, ['pointer', ['void']]] }]}
        x64_10_vtypes = { 'mach_trap' : [ 40, { 'mach_trap_function': [ 8, ['pointer', ['void']]] }]}
        x64_other_vtypes = { 'mach_trap' : [ 16, { 'mach_trap_function': [ 8, ['pointer', ['void']]] }]}

        arch = self.addr_space.profile.metadata.get('memory_model', '32bit')
        major = self.addr_space.profile.metadata.get('major', 0)

        if arch == "32bit":
            if major == 10:
                vtypes = x86_10_vtypes
            else:
                vtypes = x86_other_vtypes
        else:
            if major == 10:
                vtypes = x64_10_vtypes
            else:
                vtypes = x64_other_vtypes

        self.addr_space.profile.vtypes.update(vtypes)
        self.addr_space.profile.compile()

    def calculate(self):
        common.set_plugin_members(self)

        self._set_vtypes()

        sym_addrs = self.profile.get_all_addresses()

        table_addr = self.addr_space.profile.get_symbol("_mach_trap_table")

        ntraps = obj.Object("int", offset = self.addr_space.profile.get_symbol("_mach_trap_count"), vm = self.addr_space)
        traps = obj.Object(theType = "Array", offset = table_addr, vm = self.addr_space, count = ntraps, targetType = "mach_trap")

        for (i, trap) in enumerate(traps):
            ent_addr = trap.mach_trap_function.v()

            if not ent_addr:
                continue

            hooked = ent_addr not in sym_addrs

            if hooked == False:
                sym_name = self.profile.get_symbol_by_address("kernel", ent_addr)
            else:
                sym_name = "HOOKED"

            yield (table_addr, "TrapTable", i, ent_addr, sym_name, hooked)

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Table Name", "15"),
                                  ("Index", "6"),
                                  ("Address", "[addrpad]"),
                                  ("Symbol", "<50")])

        for (_, table_name, i, call_addr, sym_name, _) in data:
            self.table_row(outfd, table_name, i, call_addr, sym_name)

volatility-2.3.1/volatility/plugins/mac/pid_hash_table.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.plugins.mac.pslist as pslist
import volatility.obj as obj
import volatility.plugins.mac.common as common

class mac_pid_hash_table(pslist.mac_pslist):
    """ Walks the pid hash table """

    def calculate(self):
        common.set_plugin_members(self)

        pidhash_addr = self.addr_space.profile.get_symbol("_pidhash")
        pidhash = obj.Object("unsigned long", offset = pidhash_addr, vm = self.addr_space)

        pidhashtbl_addr = self.addr_space.profile.get_symbol("_pidhashtbl")
        pidhashtbl_ptr = obj.Object("Pointer", offset = pidhashtbl_addr, vm = self.addr_space)
        pidhash_array = obj.Object("Array", targetType = "pidhashhead", count = pidhash + 1, vm = self.addr_space, offset = pidhashtbl_ptr)

        for plist in pidhash_array:
            p = plist.lh_first

            while p:
                yield p
                p = p.p_hash.le_next

volatility-2.3.1/volatility/plugins/mac/version.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common

class mac_version(common.AbstractMacCommand):
    """ Prints the Mac version """

    def calculate(self):
        common.set_plugin_members(self)

        yield obj.Object("String", offset = self.addr_space.profile.get_symbol("_version"), vm = self.addr_space, length = 256)

    def render_text(self, outfd, data):
        for version in data:
            outfd.write("{0}\n".format(version))

volatility-2.3.1/volatility/plugins/mac/pgrp_hash_table.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.plugins.mac.pslist as pslist
import volatility.obj as obj
import volatility.plugins.mac.common as common

class mac_pgrp_hash_table(pslist.mac_pslist):
    """ Walks the process group hash table """

    def calculate(self):
        common.set_plugin_members(self)

        pgrphash_addr = self.addr_space.profile.get_symbol("_pgrphash")
        pgrphash = obj.Object("unsigned long", offset = pgrphash_addr, vm = self.addr_space)

        pgrphashtbl_addr = self.addr_space.profile.get_symbol("_pgrphashtbl")
        pgrphashtbl_ptr = obj.Object("Pointer", offset = pgrphashtbl_addr, vm = self.addr_space)
        pgrphash_array = obj.Object("Array", targetType = "pgrphashhead", count = pgrphash + 1, vm = self.addr_space, offset = pgrphashtbl_ptr)

        for plist in pgrphash_array:
            pgrp = plist.lh_first

            while pgrp:
                p = pgrp.pg_members.lh_first

                while p:
                    yield p
                    p = p.p_pglist.le_next

                pgrp = pgrp.pg_hash.le_next

volatility-2.3.1/volatility/plugins/mac/find_aslr_shift.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.plugins.mac.common as common
import volatility.debug as debug

class mac_find_aslr_shift(common.AbstractMacCommand):
    """ Find the ASLR shift value for 10.8+ images """

    def calculate(self):
        common.set_plugin_members(self)

        yield self.profile.shift_address

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Shift Value", "#018x")])

        for shift_address in data:
            if shift_address == 0:
                debug.error("Shift addresses are only required on 10.8+ images")
            else:
                self.table_row(outfd, shift_address)

volatility-2.3.1/volatility/plugins/mac/list_zones.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common

class mac_list_zones(common.AbstractMacCommand):
    """ Prints active zones """

    def calculate(self):
        common.set_plugin_members(self)

        first_zone_addr = self.addr_space.profile.get_symbol("_first_zone")

        zone_ptr = obj.Object("Pointer", offset = first_zone_addr, vm = self.addr_space)
        zone = zone_ptr.dereference_as("zone")

        while zone:
            yield zone
            zone = zone.next_zone

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Name", "30"),
                                  ("Active Count", ">10"),
                                  ("Free Count", ">10"),
                                  ("Element Size", ">10")])

        for zone in data:
            name = zone.zone_name.dereference().replace(" ", ".")

            # sum_count was introduced in 10.8.x
            # do not want to overlay as 0 b/c we mess up subtraction
            if hasattr(zone, "sum_count"):
                sum_count = zone.sum_count - zone.count
            else:
                sum_count = "N/A"

            self.table_row(outfd, name, zone.count, sum_count, zone.elem_size)

volatility-2.3.1/volatility/plugins/mac/notifiers.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common
import volatility.plugins.mac.lsmod as lsmod

class mac_notifiers(lsmod.mac_lsmod):
    """ Detects rootkits that add hooks into I/O Kit (e.g. LogKext) """

    def _struct_or_class(self, type_name):
        """Return the name of a structure or class.

        More recent versions of OSX define some types as
        classes instead of structures, so the naming is
        a little different.
        """
        if self.addr_space.profile.vtypes.has_key(type_name):
            return type_name
        else:
            return type_name + "_class"

    def calculate(self):
        common.set_plugin_members(self)

        (kernel_symbol_addresses, kmods) = common.get_kernel_addrs(self)
        gnotify_addr = common.get_cpp_sym("gNotifications", self.addr_space.profile)
        p = obj.Object("Pointer", offset = gnotify_addr, vm = self.addr_space)
        gnotifications = p.dereference_as(self._struct_or_class("OSDictionary"))

        ents = obj.Object('Array', offset = gnotifications.dictionary,
                          vm = self.addr_space,
                          targetType = self._struct_or_class("dictEntry"),
                          count = gnotifications.count)

        # walk the current set of notifications
        for ent in ents:
            if ent == None:
                continue

            key = str(ent.key.dereference_as(self._struct_or_class("OSString")))

            # get the value
            valset = ent.value.dereference_as(self._struct_or_class("OSOrderedSet"))
            notifiers_ptrs = obj.Object('Array', offset = valset.array,
                                        vm = self.addr_space,
                                        targetType = 'Pointer',
                                        count = valset.count)

            for ptr in notifiers_ptrs:
                notifier = ptr.dereference_as(self._struct_or_class("_IOServiceNotifier"))

                if notifier == None:
                    continue

                matches = self.get_matching(notifier)

                # this is the function that handles whatever the notification is for
                # this should be only in the kernel or in one of the known IOKit
                # drivers for the specific kernel
                handler = notifier.handler

                good = common.is_known_address(handler, kernel_symbol_addresses, kmods)

                yield (good, key, notifier, matches)

    # returns the list of matching notifiers (serviceMatch) for a notifier as a string
    def get_matching(self, notifier):
        matches = []

        ents = obj.Object('Array', offset = notifier.matching.dictionary,
                          vm = self.addr_space,
                          targetType = self._struct_or_class("dictEntry"),
                          count = notifier.matching.count)

        for ent in ents:
            if ent == None:
                continue

            match = ent.value.dereference_as(self._struct_or_class("OSString"))
            matches.append(str(match))

        return ",".join(matches)

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Status", "10"),
                                  ("Key", "30"),
                                  ("Handler", "[addrpad]"),
                                  ("Matches", "")])

        for (good, key, notifier, matches) in data:
            if good == 0:
                status = "UNKNOWN"
            else:
                status = "OK"

            self.table_row(outfd, status, key, notifier.handler, matches)

volatility-2.3.1/volatility/plugins/mac/lsmod.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization:
"""

import volatility.obj as obj
import volatility.plugins.mac.common as common

class mac_lsmod(common.AbstractMacCommand):
    """ Lists loaded kernel modules """

    def calculate(self):
        common.set_plugin_members(self)

        p = self.addr_space.profile.get_symbol("_kmod")
        kmodaddr = obj.Object("Pointer", offset = p, vm = self.addr_space)
        kmod = kmodaddr.dereference_as("kmod_info")

        while kmod.is_valid():
            yield kmod
            kmod = kmod.next

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Address", "[addrpad]"),
                                  ("Size", "[addr]"),
                                  ("Refs", "^8"),
                                  ("Version", "12"),
                                  ("Name", "")])

        for kmod in data:
            self.table_row(outfd,
                           kmod.address,
                           kmod.m('size'),
                           kmod.reference_count,
                           kmod.version,
                           kmod.name)

volatility-2.3.1/volatility/plugins/netscan.py

# Volatility
#
# Authors:
# Michael Hale Ligh
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

import volatility.utils as utils
import volatility.plugins.common as common
import volatility.scan as scan
import volatility.obj as obj
import volatility.cache as cache
import volatility.debug as debug
import socket
import volatility.plugins.overlays.windows.tcpip_vtypes as tcpip_vtypes

# Python's socket.AF_INET6 is 0x1e but Microsoft defines it
# as a constant value of 0x17 in their source code. Thus we
# need Microsoft's since that's what is found in memory.
AF_INET = 2
AF_INET6 = 0x17

# String representations of INADDR_ANY and INADDR6_ANY
inaddr_any = utils.inet_ntop(socket.AF_INET, '\0' * 4)
inaddr6_any = utils.inet_ntop(socket.AF_INET6, '\0' * 16)

#--------------------------------------------------------------------------------
# pool scanners
#--------------------------------------------------------------------------------

class PoolScanUdpEndpoint(scan.PoolScanner):
    """PoolScanner for Udp Endpoints"""

    def object_offset(self, found, address_space):
        return found + (address_space.profile.get_obj_size("_POOL_HEADER") -
                        address_space.profile.get_obj_offset("_POOL_HEADER", "PoolTag"))

    checks = [ ('PoolTagCheck', dict(tag = "UdpA")),
               # Seen as 0xa8 on Vista SP0, 0xb0 on Vista SP2, and 0xb8 on 7
               # Seen as 0x150 on Win7 SP0 x64
               ('CheckPoolSize', dict(condition = lambda x: x >= 0xa8)),
               ('CheckPoolType', dict(non_paged = True, free = True)),
               ('CheckPoolIndex', dict(value = 0)),
               ]

class PoolScanTcpListener(PoolScanUdpEndpoint):
    """PoolScanner for Tcp Listeners"""

    checks = [ ('PoolTagCheck', dict(tag = "TcpL")),
               # Seen as 0x120 on Win7 SP0 x64
               ('CheckPoolSize', dict(condition = lambda x: x >= 0xa8)),
               ('CheckPoolType', dict(non_paged = True, free = True)),
               ('CheckPoolIndex', dict(value = 0)),
               ]

class PoolScanTcpEndpoint(PoolScanUdpEndpoint):
    """PoolScanner for TCP Endpoints"""

    checks = [ ('PoolTagCheck', dict(tag = "TcpE")),
               # Seen as 0x1f0 on Vista SP0, 0x1f8 on Vista SP2 and 0x210 on 7
               # Seen as 0x320 on Win7 SP0 x64
               ('CheckPoolSize', dict(condition = lambda x: x >= 0x1f0)),
               ('CheckPoolType', dict(non_paged = True, free = True)),
               ('CheckPoolIndex', dict(value = 0)),
               ]

#--------------------------------------------------------------------------------
# object classes
#--------------------------------------------------------------------------------

class _TCP_LISTENER(obj.CType):
    """Class for objects found in TcpL pools"""

    @property
    def AddressFamily(self):
        return self.InetAF.dereference().AddressFamily

    @property
    def Owner(self):
        return self.m('Owner').dereference()

    def dual_stack_sockets(self):
        """Handle Windows dual-stack sockets"""

        # If this pointer is valid, the socket is bound to
        # a specific IP address. Otherwise, the socket is
        # listening on all IP addresses of the address family.
        local_addr = self.LocalAddr.dereference()

        # Note the remote address is always INADDR_ANY or
        # INADDR6_ANY for sockets. The moment a client
        # connects to the listener, a TCP_ENDPOINT is created
        # and that structure contains the remote address.
        if local_addr != None:
            inaddr = local_addr.pData.dereference().dereference()
            if self.AddressFamily == AF_INET:
                yield "v4", inaddr.addr4, inaddr_any
            else:
                yield "v6", inaddr.addr6, inaddr6_any
        else:
            yield "v4", inaddr_any, inaddr_any
            if self.AddressFamily == AF_INET6:
                yield "v6", inaddr6_any, inaddr6_any

class _TCP_ENDPOINT(_TCP_LISTENER):
    """Class for objects found in TcpE pools"""

    def _ipv4_or_ipv6(self, in_addr):
        if self.AddressFamily == AF_INET:
            return in_addr.addr4
        else:
            return in_addr.addr6

    @property
    def LocalAddress(self):
        inaddr = self.AddrInfo.dereference().Local.\
                            pData.dereference().dereference()
        return self._ipv4_or_ipv6(inaddr)

    @property
    def RemoteAddress(self):
        inaddr = self.AddrInfo.dereference().\
                            Remote.dereference()
        return self._ipv4_or_ipv6(inaddr)

class _UDP_ENDPOINT(_TCP_LISTENER):
    """Class for objects found in UdpA pools"""

#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------

class NetscanObjectClasses(obj.ProfileModification):
    """Network OCs for Vista, 2008, and 7 x86 and x64"""

    before = ['WindowsObjectClasses']

    conditions = {'os': lambda x: x == 'windows',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x >= 0}

    def modification(self, profile):
        profile.object_classes.update({
            '_TCP_LISTENER': _TCP_LISTENER,
            '_TCP_ENDPOINT': _TCP_ENDPOINT,
            '_UDP_ENDPOINT': _UDP_ENDPOINT,
            })

#--------------------------------------------------------------------------------
# netscan plugin
#--------------------------------------------------------------------------------

class Netscan(common.AbstractWindowsCommand):
    """Scan a Vista, 2008 or Windows 7 image for connections and sockets"""

    @staticmethod
    def is_valid_profile(profile):
        return (profile.metadata.get('os', 'unknown') == 'windows' and
                profile.metadata.get('major', 0) == 6)

    @cache.CacheDecorator("tests/netscan")
    def calculate(self):
        # Virtual kernel space for dereferencing pointers
        kernel_space = utils.load_as(self._config)
        # Physical space for scanning
        flat_space = utils.load_as(self._config, astype = 'physical')

        if not self.is_valid_profile(kernel_space.profile):
            debug.error("This command does not support the selected profile.")

        # Scan for TCP listeners also known as sockets
        for offset in PoolScanTcpListener().scan(flat_space):
            tcpentry = obj.Object('_TCP_LISTENER', offset = offset,
                                  vm = flat_space, native_vm = kernel_space)

            # Only accept IPv4 or IPv6
            if tcpentry.AddressFamily not in (AF_INET, AF_INET6):
                continue

            # For TcpL, the state is always listening and the remote port is zero
            for ver, laddr, raddr in tcpentry.dual_stack_sockets():
                yield tcpentry, "TCP" + ver, laddr, tcpentry.Port, raddr, 0, "LISTENING"

        # Scan for TCP endpoints also known as connections
        for offset in PoolScanTcpEndpoint().scan(flat_space):
            tcpentry = obj.Object('_TCP_ENDPOINT', offset = offset,
                                  vm = flat_space, native_vm = kernel_space)

            if tcpentry.AddressFamily == AF_INET:
                proto = "TCPv4"
            elif tcpentry.AddressFamily == AF_INET6:
                proto = "TCPv6"
            else:
                continue

            # These are our sanity checks
            if (tcpentry.State.v() not in tcpip_vtypes.TCP_STATE_ENUM or
                    (not tcpentry.LocalAddress and (not tcpentry.Owner or
                    tcpentry.Owner.UniqueProcessId == 0 or
                    tcpentry.Owner.UniqueProcessId > 65535))):
                continue

            yield tcpentry, proto, tcpentry.LocalAddress, tcpentry.LocalPort, \
                    tcpentry.RemoteAddress, tcpentry.RemotePort, tcpentry.State

        # Scan for UDP endpoints
        for offset in PoolScanUdpEndpoint().scan(flat_space):
            udpentry = obj.Object('_UDP_ENDPOINT', offset = offset,
                                  vm = flat_space, native_vm = kernel_space)

            # Only accept IPv4 or IPv6
            if udpentry.AddressFamily not in (AF_INET, AF_INET6):
                continue

            # For UdpA, the state is always blank and the remote end is asterisks
            for ver, laddr, _ in udpentry.dual_stack_sockets():
                yield udpentry, "UDP" + ver, laddr, udpentry.Port, "*", "*", ""

    def render_text(self, outfd, data):
        outfd.write("{0:<10} {1:<8} {2:<30} {3:<20} {4:<16} {5:<8} {6:<14} {7}\n".format(
            "Offset(P)", "Proto", "Local Address", "Foreign Address",
            "State", "Pid", "Owner", "Created"))

        for net_object, proto, laddr, lport, raddr, rport, state in data:
            lendpoint = "{0}:{1}".format(laddr, lport)
            rendpoint = "{0}:{1}".format(raddr, rport)

            outfd.write("{0:<#10x} {1:<8} {2:<30} {3:<20} {4:<16} {5:<8} {6:<14} {7}\n".format(
                net_object.obj_offset, proto, lendpoint,
                rendpoint, state, net_object.Owner.UniqueProcessId,
                net_object.Owner.ImageFileName,
                str(net_object.CreateTime or '')
                ))

volatility-2.3.1/volatility/plugins/sockscan.py

# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
This module implements the fast socket scanning

@author:       AAron Walters and Brendan Dolan-Gavitt
@license:      GNU General Public License 2.0
@contact:      awalters@4tphi.net,bdolangavitt@wesleyan.edu
@organization: Volatility Foundation
"""

#pylint: disable-msg=C0111

import volatility.scan as scan
import volatility.plugins.common as common
import volatility.utils as utils
import volatility.obj as obj
import volatility.debug as debug #pylint: disable-msg=W0611
import volatility.cache as cache
import volatility.protos as protos

class CheckSocketCreateTime(scan.ScannerCheck):
    """ Check that _ADDRESS_OBJECT.CreateTime makes sense """

    def __init__(self, address_space, condition = lambda x: x, *args, **kwargs):
        scan.ScannerCheck.__init__(self, address_space, *args, **kwargs)
        self.condition = condition

    def check(self, offset):
        """
        The offset parameter here is the start of PoolTag as yielded by
        BaseScanner.scan. Unlike other objects, _ADDRESS_OBJECT do not
        have an _OBJECT_HEADER or any optional headers. Thus to find the
        _ADDRESS_OBJECT from the PoolTag we just have to calculate the
        distance from PoolTag to the end of _POOL_HEADER.
        """
        start_of_object = (self.address_space.profile.get_obj_size("_POOL_HEADER") -
                           self.address_space.profile.get_obj_offset("_POOL_HEADER", "PoolTag"))
        address_obj = obj.Object('_ADDRESS_OBJECT', vm = self.address_space,
                                 offset = offset + start_of_object)

        return self.condition(address_obj.CreateTime.v())

class PoolScanSockFast(scan.PoolScanner):

    def object_offset(self, found, address_space):
        """ Return the offset of _ADDRESS_OBJECT """
        return found + (address_space.profile.get_obj_size("_POOL_HEADER") -
                        address_space.profile.get_obj_offset("_POOL_HEADER", "PoolTag"))

    checks = [ ('PoolTagCheck', dict(tag = "TCPA")),
               ('CheckPoolSize', dict(condition = lambda x: x >= 0x15C)),
               ('CheckPoolType', dict(non_paged = True, free = True)),
               ## Valid sockets have time > 0
               ('CheckSocketCreateTime', dict(condition = lambda x: x > 0)),
               ('CheckPoolIndex', dict(value = 0))
               ]

class SockScan(common.AbstractWindowsCommand):
    """ Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets) """

    # Declare meta information associated with this plugin
    meta_info = dict(
        author = 'Brendan Dolan-Gavitt',
        copyright = 'Copyright (c) 2007,2008 Brendan Dolan-Gavitt',
        contact = 'bdolangavitt@wesleyan.edu',
        license = 'GNU General Public License 2.0',
        url = 'http://moyix.blogspot.com/',
        os = 'WIN_32_XP_SP2',
        version = '1.0',
        )

    @staticmethod
    def is_valid_profile(profile):
        return (profile.metadata.get('os', 'unknown') == 'windows' and
                profile.metadata.get('major', 0) == 5)

    @cache.CacheDecorator("tests/sockscan")
    def calculate(self):
        ## Just grab the AS and scan it using our scanner
        address_space = utils.load_as(self._config, astype = 'physical')

        if not self.is_valid_profile(address_space.profile):
            debug.error("This command does not support the selected profile.")

        scanner = PoolScanSockFast()
        for offset in scanner.scan(address_space):
            yield obj.Object('_ADDRESS_OBJECT', vm = address_space, offset = offset)

    def render_text(self, outfd, data):
        self.table_header(outfd, [('Offset(P)', '[addrpad]'),
                                  ('PID', '>8'),
                                  ('Port', '>6'),
                                  ('Proto', '>6'),
                                  ('Protocol', '15'),
                                  ('Address', '15'),
                                  ('Create Time', '')
                                  ])

        for sock_obj in data:
            self.table_row(outfd,
                           sock_obj.obj_offset,
                           sock_obj.Pid,
                           sock_obj.LocalPort,
                           sock_obj.Protocol,
                           protos.protos.get(sock_obj.Protocol.v(), "-"),
                           sock_obj.LocalIpAddress,
                           sock_obj.CreateTime)

volatility-2.3.1/volatility/plugins/hpakinfo.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

import volatility.plugins.crashinfo as crashinfo
import volatility.debug as debug

class HPAKInfo(crashinfo.CrashInfo):
    """Info on an HPAK file"""

    target_as = ['HPAKAddressSpace']

    def render_text(self, outfd, data):

        header = data.get_header()

        for section in header.Sections():
            outfd.write("Header: {0}\n".format(section.Header))
            outfd.write("Length: {0:#x}\n".format(section.Length))
            outfd.write("Offset: {0:#x}\n".format(section.Offset))
            outfd.write("NextOffset: {0:#x}\n".format(section.NextSection))
            outfd.write("Name: {0}\n".format(section.Name))
            outfd.write("Compressed: {0}\n".format(section.Compressed))
            outfd.write("\n")

class HPAKExtract(HPAKInfo):
    """Extract physical memory from an HPAK file"""

    def render_text(self, outfd, data):

        if not self._config.OUTPUT_FILE:
            debug.error("You must supply --output-file")

        header = data.get_header()
        data.convert_to_raw(outfd)

        print "Done."

volatility-2.3.1/volatility/plugins/modscan.py

# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
This module implements the fast module scanning

@author: AAron Walters and Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: awalters@4tphi.net,bdolangavitt@wesleyan.edu
@organization: Volatility Foundation
"""

#pylint: disable-msg=C0111

import common
import volatility.plugins.filescan as filescan
import volatility.scan as scan
import volatility.utils as utils
import volatility.obj as obj
import volatility.debug as debug #pylint: disable-msg=W0611

class PoolScanModuleFast(scan.PoolScanner):

    def object_offset(self, found, address_space):
        return found + (address_space.profile.get_obj_size("_POOL_HEADER") -
                        address_space.profile.get_obj_offset("_POOL_HEADER", "PoolTag"))

    checks = [ ('PoolTagCheck', dict(tag = 'MmLd')),
               ('CheckPoolSize', dict(condition = lambda x: x > 0x4c)),
               ('CheckPoolType', dict(paged = True, non_paged = True, free = True)),
               ('CheckPoolIndex', dict(value = 0)),
               ]

class ModScan(filescan.FileScan):
    """ Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
    """

    # Declare meta information associated with this plugin
    meta_info = dict(
        author = 'Brendan Dolan-Gavitt',
        copyright = 'Copyright (c) 2007,2008 Brendan Dolan-Gavitt',
        contact = 'bdolangavitt@wesleyan.edu',
        license = 'GNU General Public License 2.0',
        url = 'http://moyix.blogspot.com/',
        os = 'WIN_32_XP_SP2',
        version = '1.0',
        )

    def calculate(self):
        ## Here we scan the physical address space
        address_space = utils.load_as(self._config, astype = 'physical')

        ## We need the kernel_address_space later
        kernel_as = utils.load_as(self._config)

        scanner = PoolScanModuleFast()
        for offset in scanner.scan(address_space):
            ldr_entry = obj.Object('_LDR_DATA_TABLE_ENTRY', vm = address_space,
                                   offset = offset, native_vm = kernel_as)
            yield ldr_entry

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Offset(P)", "[addrpad]"),
                                  ('Name', "20"),
                                  ('Base', "[addrpad]"),
                                  ('Size', "[addr]"),
                                  ('File', "")
                                  ])
        for ldr_entry in data:
            self.table_row(outfd,
                           ldr_entry.obj_offset,
                           str(ldr_entry.BaseDllName or ''),
                           ldr_entry.DllBase,
                           ldr_entry.SizeOfImage,
                           str(ldr_entry.FullDllName or ''))

class CheckThreads(scan.ScannerCheck):
    """ Check sanity of _ETHREAD """
    kernel = 0x80000000

    def check(self, found):

        pool_base = found - self.address_space.profile.get_obj_offset(
            '_POOL_HEADER', 'PoolTag')

        pool_obj = obj.Object("_POOL_HEADER", vm = self.address_space,
                              offset = pool_base)

        ## We work out the _ETHREAD from the end of the
        ## allocation (bottom up).
        pool_alignment = obj.VolMagic(self.address_space).PoolAlignment.v()
        thread = obj.Object("_ETHREAD", vm = self.address_space,
                            offset = pool_base + pool_obj.BlockSize * pool_alignment -
                            common.pool_align(self.address_space, '_ETHREAD', pool_alignment))

        #if (thread.Cid.UniqueProcess.v() != 0 and
        #    thread.ThreadsProcess.v() <= self.kernel):
        #    return False

        ## check the start address
        if thread.Cid.UniqueProcess.v() != 0 and thread.StartAddress == 0:
            return False

        ## Check the Semaphores
        if (thread.Tcb.SuspendSemaphore.Header.Size != 0x05 and
                thread.Tcb.SuspendSemaphore.Header.Type != 0x05):
            return False

        if (thread.KeyedWaitSemaphore.Header.Size != 0x05 and
                thread.KeyedWaitSemaphore.Header.Type != 0x05):
            return False

        return True

class PoolScanThreadFast(scan.PoolScanner):
    """ Carve out thread objects using the pool tag """

    def object_offset(self, found, address_space):
        """ This returns the offset of the object contained within
        this pool allocation.
        """

        ## The offset of the object is determined by subtracting the offset
        ## of the PoolTag member to get the start of Pool Object
        pool_base = found - self.buffer.profile.get_obj_offset('_POOL_HEADER', 'PoolTag')

        pool_obj = obj.Object("_POOL_HEADER", vm = address_space,
                              offset = pool_base)

        ## We work out the _ETHREAD from the end of the
        ## allocation (bottom up).
        pool_alignment = obj.VolMagic(address_space).PoolAlignment.v()

        object_base = (pool_base + pool_obj.BlockSize * pool_alignment -
                       common.pool_align(address_space, '_ETHREAD', pool_alignment))

        return object_base

    checks = [ ('PoolTagCheck', dict(tag = '\x54\x68\x72\xe5')),
               ('CheckPoolSize', dict(condition = lambda x: x >= 0x278)),
               ('CheckPoolType', dict(paged = True, non_paged = True, free = True)),
               ('CheckPoolIndex', dict(value = 0)),
               ('CheckThreads', {}),
               ]

class ThrdScan(ModScan):
    """Scan physical memory for _ETHREAD objects"""
    def calculate(self):
        ## Here we scan the physical address space
        address_space = utils.load_as(self._config, astype = 'physical')
        kernel_as = utils.load_as(self._config)

        scanner = PoolScanThreadFast()
        for found in scanner.scan(address_space):
            thread = obj.Object('_ETHREAD', vm = address_space,
                                native_vm = kernel_as, offset = found)

            yield thread

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Offset(P)", "[addrpad]"),
                                  ("PID", ">6"),
                                  ("TID", ">6"),
                                  ("Start Address", "[addr]"),
                                  ("Create Time", "30"),
                                  ("Exit Time", "30"),
                                  ])

        for thread in data:
            self.table_row(outfd, thread.obj_offset,
                           thread.Cid.UniqueProcess,
                           thread.Cid.UniqueThread,
                           thread.StartAddress,
                           thread.CreateTime or '',
                           thread.ExitTime or '',
                           )

volatility-2.3.1/volatility/scan.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# Derived from source in PyFlag developed by:
# Copyright 2004: Commonwealth of Australia.
# Michael Cohen
# David Collett
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#
# Special thanks to Michael Cohen for ideas and comments!
#

#pylint: disable-msg=C0111

"""
@author: AAron Walters
@license: GNU General Public License 2.0
@contact: awalters@4tphi.net
@organization: Volatility Foundation
"""
import volatility.debug as debug
import volatility.registry as registry
import volatility.addrspace as addrspace
import volatility.constants as constants
import volatility.conf as conf

########### Following is the new implementation of the scanning
########### framework. The old framework was based on PyFlag's
########### scanning framework which is probably too complex for this.

class BaseScanner(object):
    """ A more thorough scanner which checks every byte """
    checks = []
    def __init__(self, window_size = 8):
        self.buffer = addrspace.BufferAddressSpace(conf.DummyConfig(), data = '\x00' * 1024)
        self.window_size = window_size
        self.constraints = []

        self.error_count = 0

    def check_addr(self, found):
        """ This calls all our constraints on the offset found and
        returns True unless more than self.error_count of them fail.

        We shortcut the loop as soon as it's obvious that there will
        not be sufficient matches to fit the criteria. This allows for
        an early exit and a speed boost.
        """
        cnt = 0
        for check in self.constraints:
            ## constraints can raise for an error
            try:
                val = check.check(found)
            except Exception:
                debug.b()
                val = False

            if not val:
                cnt = cnt + 1

            if cnt > self.error_count:
                return False

        return True

    overlap = 20

    def scan(self, address_space, offset = 0, maxlen = None):
        self.buffer.profile = address_space.profile
        current_offset = offset

        ## Build our constraints from the specified ScannerCheck
        ## classes:
        self.constraints = []
        for class_name, args in self.checks:
            check = registry.get_plugin_classes(ScannerCheck)[class_name](self.buffer, **args)
            self.constraints.append(check)

        ## Which checks also have skippers?
        skippers = [ c for c in self.constraints if hasattr(c, "skip") ]

        for (range_start, range_size) in sorted(address_space.get_available_addresses()):
            # Jump to the next available point to scan from
            # self.base_offset jumps up to be at least range_start
            current_offset = max(range_start, current_offset)
            range_end = range_start + range_size

            # If we have a maximum length, we make sure it's less than the range_end
            if maxlen:
                range_end = min(range_end, offset + maxlen)

            while (current_offset < range_end):
                # We've now got range_start <= self.base_offset < range_end

                # Figure out how much data to read
                l = min(constants.SCAN_BLOCKSIZE + self.overlap, range_end - current_offset)

                # Populate the buffer with data
                # We use zread to scan what we can because there are often invalid
                # pages in the DTB
                data = address_space.zread(current_offset, l)
                self.buffer.assign_buffer(data, current_offset)

                ## Run checks throughout this block of data
                i = 0
                while i < l:
                    if self.check_addr(i + current_offset):
                        ## yield the offset to the start of the memory
                        ## (after the pool tag)
                        yield i + current_offset

                    ## Where should we go next? By default we go 1 byte
                    ## ahead, but if some of the checkers have skippers,
                    ## we may actually go much farther. Checkers with
                    ## skippers basically tell us that there is no way
                    ## they can match anything before the skipped result,
                    ## so there is no point in trying them on all the data
                    ## in between. This optimization is useful to really
                    ## speed things up. FIXME - currently skippers assume
                    ## that the check must match, therefore we can skip
                    ## the unmatchable region, but it's possible that a
                    ## scanner needs to match only some checkers.
                    skip = 1
                    for s in skippers:
                        skip = max(skip, s.skip(data, i))

                    i += skip

                current_offset += min(constants.SCAN_BLOCKSIZE, l)

class DiscontigScanner(BaseScanner):
    def scan(self, address_space, offset = 0, maxlen = None):
        debug.warning("DiscontigScanner has been deprecated, all functionality is now contained in BaseScanner")
        for match in BaseScanner.scan(self, address_space, offset, maxlen):
            yield match

class ScannerCheck(object):
    """ A scanner check is a special class which is invoked on an AS to check for a specific condition.

    The main method is def check(self, offset):
    This will return True if the condition is true or False otherwise.

    This class is the base class for all checks.
    """
    def __init__(self, address_space, **_kwargs):
        self.address_space = address_space

    def object_offset(self, offset, address_space):
        return offset

    def check(self, _offset):
        return False

    ## If you want to speed up the scanning define this method - it
    ## will be used to skip the data which is obviously not going to
    ## match. You will need to return the number of bytes from offset
    ## to skip to. We take the maximum number of bytes to guarantee
    ## that all checks have a chance of passing.
    #def skip(self, data, offset):
    #    return -1

class PoolScanner(BaseScanner):

    def object_offset(self, found, address_space):
        """
        The name of this function "object_offset" can be misleading depending
        on how it's used. Even before removing the preambles (r1324), it may not
        always return the offset of an object.
        Here are the rules:

        If you subclass PoolScanner and do not override this function, it
        will return the offset of _POOL_HEADER. If you do override this function,
        it should be used to calculate and return the offset of your desired
        object within the pool. Thus there are two different ways it can be done.

        Example 1.

        For an example of subclassing PoolScanner and not overriding this function,
        see filescan.PoolScanFile. In this case, the plugin (filescan.FileScan)
        treats the offset returned by this function as the start of _POOL_HEADER
        and then works out the object from the bottom up:

            for offset in PoolScanFile().scan(address_space):
                pool_obj = obj.Object("_POOL_HEADER", vm = address_space,
                                      offset = offset)
                ##
                ## Work out objects base here
                ##

        Example 2.

        For an example of subclassing PoolScanner and overriding this function,
        see filescan.PoolScanProcess. In this case, the "work" described above is
        done here (in the subclassed object_offset). Thus in the plugin (filescan.PSScan)
        it can directly instantiate _EPROCESS from the offset we return.

            for offset in PoolScanProcess().scan(address_space):
                eprocess = obj.Object('_EPROCESS', vm = address_space,
                                      native_vm = kernel_as, offset = offset)
        """

        ## Subtract the offset of the PoolTag member to get the start
        ## of _POOL_HEADER. This is done because PoolScanners search
        ## for the PoolTag.
        return found - self.buffer.profile.get_obj_offset('_POOL_HEADER', 'PoolTag')

    def scan(self, address_space, offset = 0, maxlen = None):
        for i in BaseScanner.scan(self, address_space, offset, maxlen):
            yield self.object_offset(i, address_space)

volatility-2.3.1/volatility/debug.py

# Volatility
#
# Authors:
# Michael Cohen
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

""" General debugging framework """
import pdb
import sys
import inspect
import logging
import volatility.conf
config = volatility.conf.ConfObject()

config.add_option("DEBUG", short_option = 'd', default = 0,
                  cache_invalidator = False,
                  action = 'count', help = "Debug volatility")

# Largest debug value used + 1
MAX_DEBUG = 3

def setup(level = 0):
    """Sets up the global logging environment"""
    formatstr = "%(levelname)-8s: %(name)-20s: %(message)s"
    logging.basicConfig(format = formatstr)
    rootlogger = logging.getLogger('')
    rootlogger.setLevel(logging.DEBUG + 1 - level)
    for i in range(1, 9):
        logging.addLevelName(logging.DEBUG - i, "DEBUG" + str(i))

def debug(msg, level = 1):
    """Logs a message at the DEBUG level"""
    log(msg, logging.DEBUG + 1 - level)

def info(msg):
    """Logs a message at the INFO level"""
    log(msg, logging.INFO)

def warning(msg):
    """Logs a message at the WARNING level"""
    log(msg, logging.WARNING)

def error(msg):
    log(msg, logging.ERROR)
    sys.exit(1)

def critical(msg):
    log(msg, logging.CRITICAL)
    sys.exit(1)

def log(msg, level):
    modname = "volatility.py"
    try:
        frm = inspect.currentframe()
        modname = "volatility.debug"
        while modname == "volatility.debug":
            frm = frm.f_back
            mod = inspect.getmodule(frm)
            modname = mod.__name__
    except AttributeError:
        pass
    finally:
        del frm
    _log(msg, modname, level)

def _log(msg, facility, loglevel):
    """Outputs a debugging message"""
    logger = logging.getLogger(facility)
    logger.log(loglevel, msg)

def b(level = 1):
    """Enters the debugger at the call point"""
    if config.DEBUG >= level:
        pdb.set_trace()

trace = b

def post_mortem(level = 1):
    """Provides a command line interface to python after an exception's occurred"""
    if config.DEBUG >= level:
        pdb.post_mortem()

volatility-2.3.1/volatility/__init__.py

volatility-2.3.1/volatility/cache.py

# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .

"""
This module implements the volatility caching subsystem.

The volatility caching subsystem has the following design goals:

 1) Ability to cache arbitrary objects - This allows complex objects to
    be cached for later retrieval. For example, objects may be as
    simple as constants for KPCR addresses, to entire x86 page
    translation tables, or even hibernation decompression
    datastructures. To achieve this we use the standard python pickle
    system. In many use cases, the cache needs to facilitate
    persistent memoising of functions and generators (more on that
    below).

 2) Cached objects are stored by a hierarchical key namespace. Keys
    are specified in a URL notation. By default, relative URLs are
    interpreted relative to the memory image location (the value of
    the --location option). This scheme allows us to specify both
    global (per installation) and per image keys.
    For example given an image located in /tmp/foobar.img:

    - file:///tmp/foobar.img/kernel/debugging/KPCR refers to this
      image's KPCR location.

    - file:///tmp/foobar.img/address_spaces/memory_translation/pdpte
      refers to the cached page tables.

    - http://www.volatility.org/schema#configuration/renderer
      specifies the currently configured renderer (i.e. it's a global
      setting).

 3) Storage of the cache is abstracted and selectable via the
    --cache_engine configuration variable. This allows the separation
    from the concrete storage of the cache and the abstraction of the
    cache in a running process.

Abstraction of Cache
--------------------
Within the running volatility framework the cache appears as an
abstract tree with nodes inherited from the CacheNode class:

  class CacheNode(object):
     def __init__(self, name, parent, payload = None):
        ''' Creates a new Cache node under the parent. The new node
        will carry the specified payload
        '''

     def __str__(self):
        ''' Produce a human readable version of the payload '''

     def set_payload(self, payload):
        ''' Update the current payload with the new specified payload '''

     def dump(self):
        ''' Dump the node to disk for later retrieval. This is
        normally called when the process has exited. '''

     def get_payload(self):
        ''' retrieve this node's payload '''

In order to check the cache, plugins issue the Cache.Check() function:

  def Check(path, callback = None, cls = CacheNode):
     ''' Traverse the cache tree and retrieve the stored CacheNode.

     If there is no such stored CacheNode and callback is specified,
     attempt to create it using the cache_node_class with the payload
     returned from the callback. If callback is not specified we just
     return None.
     '''

Decorators
----------
You can also use the cache decorator to cache the results of any
function - this is probably the easiest way to apply caching to
existing code. For example, suppose we want to cache the results of
the psscan plugin:

  class PSScan(commands.Command):
     ....
     @cache("/scanners/psscan")
     def calculate(self):
         .....

This will automatically create the CacheNode at the specified tree
location (note that since the URL is given as a relative URL it is
based at the current value of the --location - that means it applies
to the current memory image only).

Note that since calculate() returns a generator, the decorator will
also return a generator - it will not iterate over the calculate
method unnecessarily, but will yield results immediately. This does
not compromise performance in the case of a cache miss. Unfortunately
this also means that if the generator is stopped prematurely, we are
unable to cache the result set in the general case. This is the only
caveat on caching generators.

Storage classes
---------------
The cache system discussed above can be thought of as an abstract
construct in the process memory. To make it persistent on disk we have
the storage class (which can be selected using the --cache_engine
directive). The following cache engines are implemented:

File Storage
============
This is the default cache engine. We simply maintain a directory
structure which corresponds to the URL of the key after applying the
appropriate filesystem safe escaping operation. Objects are stored in
stand alone files using the pickle module.

Zip Storage
===========
This storage is essentially the same as the File storage above, except
that the cache directory for each image file is maintained in a Zip
file stored at the --cache_directory directive with the same filename
as the image and a .zip extension.

Use cases
---------
The following common use cases are discussed:

1) Dynamic address spaces. In some address spaces memory address
   mappings can not be cached since they change all the time. For
   example in the firewire address space, it is incorrect to cache any
   page translations or scanning results etc. This is easily achieved
   by having the firewire address space store a BlockingCacheNode()
   instance at critical tree nodes. These prevent new nodes from being
   inserted into the tree and force a cache miss whenever any keys are
   searched under these nodes.

   Note that this still allows the cache to store the locations of
   things which might not change, even for live memory analysis, such
   as KPCR locations.

2) History logging and audit logs. Currently volatility works by
   running the framework multiple times on the same plugin with
   different command line options. This can be audited using the
   caching system by storing the current command line in a specific
   location using a specific CacheNode. This implementation can be
   used to append new command lines to the same key.

   Configuration options can also become sticky in this way and
   remember the same values they had previously. This avoids users
   having to append many command line arguments (i.e. having to
   specify --profile, --kpcr, --dtb on every command line).

3) Unit tests. Unit tests can be easily implemented using the caching
   subsystem as follows:

   - A test() method is added to each plugin. Usually this is actually
     the same as calculate().

   - This method is decorated to be cached under the
     "/tests/pluginname" key (i.e. relative to the current image). The
     CacheNode implementation is TestCacheNode which implements a
     special update_payload() method. The TestCacheNode also ensures
     that a cache miss always occurs (by implementing a get_payload()
     method which returns None).

   - The update_payload() method ensures that the old payload and the
     new payloads are the same (if they are generators we ensure each
     member is the same as well - using the __eq__ method).

   The overall result is that unit tests can be run on any image as
   normal. If the particular test was never run on the image, we just
   cache the result of the plugin. If on the other hand, the result
   was already run on this image, the old result is compared to the
   new result and if a discrepancy is detected, an exception is
   raised.

   This testing framework is easy to implement and automatically
   guards against regression bugs. Since we use the __eq__ method of
   arbitrary objects, it's also not limited to testing text string
   matches. For example, the object framework defines two objects as
   being equal if they are of the same type and they point at the same
   address. Even if the textual representation of the object's
   printouts has changed between versions, as long as the same objects
   are found in both cases no regressions will be reported.

4) Reporting framework. By having a persistent caching framework we
   now have the concept of a volatility analysis session. In other
   words, each new execution of volatility adds new information to
   what we know about the image. This new information is stored in the
   cache tree. We can actually produce a full report from the cache
   tree by traversing all the CacheNodes and calling their __str__()
   methods.

   If caching is introduced via decorators, the CacheNode already
   knows about the render() method of the plugin and can automatically
   generate the output from the plugin (this is very fast as the
   calculate is received from the cache). We therefore can generate a
   full report of all the plugins very quickly automatically.

   By default CacheNodes have an empty __str__() method, so things
   like pas2kas lookup tables are not reported. Specialised reporting
   functions can be made if needed by implementing __str__() functions
   as needed.
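
The decorator and File Storage design described above, as an added example (Python 3 on POSIX; not Volatility's own code): a generator-caching decorator that yields results immediately, stores them only once the generator is drained, and forces a miss when a state signature changes. `FileStorage`, `cached`, `demo`, the sample key and the PIDs are assumptions; the path-containment and file-ownership checks before unpickling are additions, included because loading a pickle executes code from the file.

```python
# Added example (Python 3, POSIX). All names are hypothetical, not Volatility's API.
import os
import pickle
import tempfile
from urllib.parse import quote


class InvalidCache(Exception):
    """The stored entry must not be used; treat it as a cache miss."""


class FileStorage:
    """One pickle file per key under <cache_dir>/<image name>.cache/."""

    def __init__(self, cache_dir, location):
        name = os.path.basename(location) + ".cache"
        self.root = os.path.realpath(os.path.join(cache_dir, name))

    def filename(self, key):
        # Percent-escape every character outside a small filesystem-safe set.
        rel = quote(key.strip("/"), safe="-_./")
        path = os.path.realpath(os.path.join(self.root, rel + ".pickle"))
        # "." and "/" survive escaping, so refuse keys that resolve elsewhere.
        if os.path.commonpath([self.root, path]) != self.root:
            raise ValueError("key escapes the cache root: %r" % key)
        return path

    def dump(self, key, signature, payload):
        path = self.filename(key)
        os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as handle:
            pickle.dump({"signature": signature, "payload": payload}, handle)

    def load(self, key, signature):
        path = self.filename(key)
        info = os.stat(path)  # a missing file raises OSError: cache miss
        # Unpickling runs code chosen by whoever wrote the file, so accept
        # only files owned by this user that group/others cannot write.
        if info.st_uid != os.getuid() or info.st_mode & 0o022:
            raise InvalidCache("cache file is not private: " + path)
        with open(path, "rb") as handle:
            node = pickle.load(handle)
        # The signature is the state of the run that produced the payload.
        if node["signature"] != signature:
            raise InvalidCache("running state differs from the stored state")
        return node["payload"]


def cached(storage, key, signature_fn):
    """Memoise a generator function without delaying its results."""
    def decorator(func):
        def wrapper(*args, **kwargs):
            signature = signature_fn()
            try:
                hit = storage.load(key, signature)
            except (OSError, InvalidCache, pickle.UnpicklingError, EOFError):
                hit = None
            if hit is not None:
                yield from hit
                return
            seen = []
            for item in func(*args, **kwargs):
                seen.append(item)
                yield item  # the caller gets each result immediately
            # Reached only if the caller drained the generator; stopping
            # early leaves nothing cached, which is the caveat noted above.
            storage.dump(key, signature, seen)
        return wrapper
    return decorator


def demo():
    state = {"profile": "WinXPSP2x86"}  # constructed sample state
    runs = []
    with tempfile.TemporaryDirectory() as cache_dir:
        storage = FileStorage(cache_dir, "file:///tmp/foobar.img")

        @cached(storage, "/scanners/psscan", lambda: dict(state))
        def calculate():
            runs.append(1)
            for pid in (4, 368, 592):  # constructed sample PIDs
                yield pid

        first_only = next(calculate())  # stopped early: nothing is cached
        miss = list(calculate())        # runs the plugin and stores the list
        hit = list(calculate())         # served from the pickle file
        state["profile"] = "Win7SP1x64"
        stale = list(calculate())       # signature changed: runs again
    return first_only, miss, hit, stale, len(runs)


if __name__ == "__main__":
    print(demo())
```
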
""" import types import os import urlparse import volatility.conf as conf import volatility.obj as obj import volatility.debug as debug import volatility.exceptions as exceptions import cPickle as pickle config = conf.ConfObject() ## Where to stick the cache default_cache_location = os.path.join((os.environ.get("XDG_CACHE_HOME") or os.path.expanduser("~/.cache")), "volatility") config.add_option("CACHE-DIRECTORY", default = default_cache_location, cache_invalidator = False, help = "Directory where cache files are stored") class CacheContainsGenerator(exceptions.VolatilityException): """Exception raised when the cache contains a generator""" pass class InvalidCache(Exception): """Exception raised when the cache item is determined to be invalid.""" pass class CacheNode(object): """ Base class for Cache nodes """ def __init__(self, name, stem, storage = None, payload = None, invalidator = None): ''' Creates a new Cache node under the parent. The new node will carry the specified payload ''' self.name = name self.payload = payload self.storage = storage self.stem = stem # This object encapsulate the running environment. If the # environment during the time of unpickling differs from the # environment during the time of pickling we refuse to # unpickle this object, and the cache misses. We dont really # do anything with it, just have it serialised as well. self.invalidator = invalidator def __getitem__(self, item = ''): item_url = "{0}/{1}".format(self.stem, item) ## Try to load it from the storage manager try: result = self.storage.load(item_url) if result: return result except Exception, e: raise KeyError(e) ## Make a new empty Node instead on demand raise KeyError("item not found") def __str__(self): ''' Produce a human readable version of the payload. 
''' return '' def _find_generators(self, item): """ A recursive function to flatten generators into lists """ try: result = [] # Make sure dicts aren't flattened to lists if isinstance(item, dict): result = {} for i in item: result[self._find_generators(i)] = self._find_generators(item[i]) return result # Since NoneObjects and strings are both iterable, treat them specially if isinstance(item, obj.NoneObject) or isinstance(item, str): return item if isinstance(item, types.GeneratorType): raise CacheContainsGenerator for x in iter(item): flat_x = self._find_generators(x) result.append(flat_x) return result except TypeError: return item def set_payload(self, payload): ''' Update the current payload with the new specified payload ''' try: self.payload = self._find_generators(payload) except CacheContainsGenerator: # This only works because None payload cached results are rerun self.payload = None def dump(self): ''' Dump the node to disk for later retrieval. This is normally called when the process has exited. ''' if self.payload: self.storage.dump(self.stem, self) def get_payload(self): """Retrieve this node's payload""" return self.payload class BlockingNode(CacheNode): """Node that fails on all cache attempts and no-ops on cache storage attempts""" def __init__(self, name, stem, **kwargs): CacheNode.__init__(self, name, stem, **kwargs) def __getitem__(self, item = ''): return BlockingNode(item, '/'.join((self.stem, item))) def dump(self): """Ensure nothing gets dumped""" pass def get_payload(self): """Do not set a payload for a blocked cache node""" pass class Invalidator(object): """ The Invalidator encapsulates program state to control invalidation of the cache. 1) This object registers callbacks using the add_condition() method. 2) Prior to serialising the cache object the callbacks are called returning a signature dict. 3) When unpickling the cached object, we call the invalidator to produce a signature dict again, and compare this to the pickled version. 
The purpose of the callbacks is to represent a signature of the current state of execution. If the signature changes, the cache is invalidated. """ def __init__(self): self.callbacks = {} def add_condition(self, key, callback): """Callback will be stored under key and should return a string. """ self.callbacks[key] = callback def __setstate__(self, state): ## We do not actually have any callbacks here - we must use ## the global cache invalidator. We cant really get away from ## having a global invalidator. for k, v in CACHE.invalidator.callbacks.items(): # TODO: Determine what happens if the state or current callbacks # contain a key that's not in the other if k in state and v() != state[k]: debug.debug("Invaliding cache... {0} (Running) != {1} (Stored) on key {2}".format(v(), state[k], k)) raise InvalidCache("Running environment inconsistant " "with pickled environment - " "invalidating cache.") def __getstate__(self): """When pickling ourselves we call our callbacks to provide a dict of strings (our state signature). This dict should reflect all of our running state at the moment. This will then be compared to the state signature when unpickling and if its different we invalidate the cache. 
        """
        result = {}
        for k, v in CACHE.invalidator.callbacks.items():
            result[k] = v()

        debug.debug("Pickling State signature: {0}".format(result))

        return result

class CacheTree(object):
    """ An abstract structure which represents the cache tree """
    def __init__(self, storage = None, cls = CacheNode, invalidator = None):
        self.storage = storage
        self.cls = cls
        self.invalidator = invalidator
        self.root = self.cls('', '', storage = storage, invalidator = invalidator)

    def __getitem__(self, path):
        """Pythonic interface to the cache"""
        return self.check(path, cls = self.cls)

    def invalidate_on(self, key, callback):
        self.invalidator.add_condition(key, callback)

    def check(self, path, callback = None, cls = CacheNode):
        """ Retrieves the node at the path specified """
        # Abort if we haven't been given a location
        if not config.LOCATION:
            return None

        ## Normalise the path
        path = urlparse.urljoin(config.LOCATION + "/", path)

        elements = path.split("/")
        current = self.root
        for e in elements:
            try:
                current = current[e]
            except KeyError:
                if current.stem:
                    next_stem = '/'.join((current.stem, e))
                else:
                    next_stem = e

                payload = None
                if callback is not None:
                    payload = callback()

                node = cls(e, next_stem, storage = self.storage, payload = payload, invalidator = self.invalidator)

                current = node

        return current

class CacheStorage(object):
    """ The base class for implementation storing the cache.
    """
    ## Characters allowed in filenames (/'s are allowed since we're dealing with URLs only)
    printables = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_./"

    def encode(self, string):
        result = ''
        for x in string:
            if x in self.printables:
                result += x
            else:
                result += "%{0:02X}".format(ord(x))

        return result

    def filename(self, url):
        if url.startswith(config.LOCATION):
            # Encode just the path part, since everything else is taken from relatively safe/already used data
            path = self.encode(url[len(config.LOCATION):])
        else:
            raise exceptions.CacheRelativeURLException("Storing non relative URLs is not supported now ({0})".format(url))

        # Join together the bits we need, and abspath it to ensure it's right for the OS it's on
        path = os.path.abspath(os.path.sep.join([config.CACHE_DIRECTORY, os.path.basename(config.LOCATION) + ".cache", path + '.pickle']))

        return path

    def load(self, url):
        filename = self.filename(url)

        debug.debug("Loading from {0}".format(filename))
        data = open(filename).read()

        debug.trace(level = 3)
        # pickle.loads() executes whatever the pickle stream instructs, and no
        # integrity check is made here: cache files are trusted input, so
        # CACHE_DIRECTORY must be writable only by the analyst.
        return pickle.loads(data)

    def dump(self, url, payload):
        # TODO: Ensure a better check for ieee1394/non-cachable address spaces than a bad URL
        try:
            filename = self.filename(url)
        except exceptions.CacheRelativeURLException:
            debug.debug("NOT Dumping url {0} - relative URLs are not yet supported".format(url))
            return

        ## Check that the directory exists
        directory = os.path.dirname(filename)
        if not os.access(directory, os.R_OK | os.W_OK | os.X_OK):
            os.makedirs(directory)

        ## Ensure that the payload is flattened - i.e. all generators are converted to lists for pickling
        try:
            data = pickle.dumps(payload)
            debug.debug("Dumping filename {0}".format(filename))
            fd = open(filename, 'w')
            fd.write(data)
            fd.close()
        except (pickle.PickleError, TypeError):
            # Do nothing if the pickle fails
            debug.debug("NOT Dumping filename {0} - contained a non-picklable class".format(filename))

## This is the central cache object
CACHE = CacheTree(CacheStorage(), BlockingNode, invalidator = Invalidator())

def enable_caching(_option, _opt_str, _value, _parser):
    """Turns on caching by replacing the BlockingNode tree with one that uses regular CacheNodes"""
    debug.debug("Enabling Caching")
    # Feels filthy using the global keyword,
    # but I can't figure another way to ensure that
    # the code gets called and overwrites the outer scope
    global CACHE
    CACHE = CacheTree(CacheStorage(), invalidator = Invalidator())
    config.CACHE = True

config.add_option("CACHE", default = False, action = 'callback',
                  cache_invalidator = False,
                  callback = enable_caching,
                  help = "Use caching")

class CacheDecorator(object):
    """ This decorator will memoise a function in the cache """
    def __init__(self, path):
        """Wraps a function in a cache decorator.

        The results of the function will be cached and memoised. Further
        calls to the function will retrieve the result from the
        cache. Cached objects are stored with the specified path as a
        key.

        Args:
           path: Key for storage into the cache. If this is callable,
           it will be called with the function's args and is expected
           to return a string which will be used as a path.

        Returns:
           A decorator.

        Example: Suppose the calculate function is decorated:

        @CacheDecorator(lambda self: "tests/pslist/pid{0}/".format(self._config.PID))
        def calculate(self):
           ....

        Note the use of the callback to finely tune the cache key depending on external variables.
        """
        self.path = path
        self.node = None

    def generate(self, path, g):
        """ Special handling for generators. We pass each iteration
        back immediately, and keep it in a list.
        Note that if the generator is aborted, the cache is not dumped.
        """
        payload = []
        for x in g:
            payload.append(x)
            yield x

        self.dump(path, payload)

    def dump(self, path, payload):
        self.node = CACHE[path]
        self.node.set_payload(payload)
        self.node.dump()

    def _cachewrapper(self, f, s, *args, **kwargs):
        """Wrapper for caching function calls"""
        ## See if the path is callable:
        if callable(self.path):
            path = self.path(s, *args, **kwargs)
        else:
            path = self.path

        ## Check if the result can be retrieved
        self.node = CACHE[path]
        # If this test goes away, we need to change the set_payload exception check
        # to act on dump instead of just the payload
        if self.node:
            payload = self.node.get_payload()
            if payload:
                return payload

        result = f(s, *args, **kwargs)

        ## If the wrapped function is a generator we need to
        ## handle it especially
        if isinstance(result, types.GeneratorType):
            return self.generate(path, result)

        self.dump(path, result)
        return result

    def __call__(self, f):
        def wrapper(s, *args, **kwargs):
            if config.CACHE:
                return self._cachewrapper(f, s, *args, **kwargs)
            return f(s, *args, **kwargs)

        return wrapper

class TestDecorator(CacheDecorator):
    """This decorator is just like a CacheDecorator, but will *always* cache fully"""
    def __call__(self, f):
        def wrapper(s, *args, **kwargs):
            return self._cachewrapper(f, s, *args, **kwargs)
        return wrapper

class Testable(object):
    """ This is a mixin that makes a class respond to the unit tests

    It must be inherited *after* the command class
    """
    def calculate(self):
        """Empty function used to allow mixin"""

    def _flatten(self, item):
        """Flattens an item, including all generators"""
        try:
            # Make sure dicts aren't flattened to lists
            if isinstance(item, dict):
                result = {}
                for i in item:
                    result[self._flatten(i)] = self._flatten(item[i])
                return result

            for x in iter(item):
                flat_x = self._flatten(x)

            return flat_x
        except TypeError:
            return item

    ## This forces the test to be memoised with a key name derived from the class name
    @TestDecorator(lambda self: "tests/unittests/{0}".format(self.__class__.__name__))
    def test(self):
        ## This forces iteration over all keys - this is required in order
        ## to flatten the full list for the cache
        ## We must ensure config.CACHE is False here, otherwise the change isn't registered in this module
        config.CACHE = False
        return self._flatten(self.calculate())

volatility-2.3.1/volatility/conf.py

## This file was taken from PyFlag http://www.pyflag.net/
# Michael Cohen
# David Collett
#
# ******************************************************
#  Version: FLAG $Version: 0.87-pre1 Date: Thu Jun 12 00:48:38 EST 2008$
# ******************************************************
#
# * This program is free software; you can redistribute it and/or
# * modify it under the terms of the GNU General Public License
# * as published by the Free Software Foundation; either version 2
# * of the License, or (at your option) any later version.
# *
# * This program is distributed in the hope that it will be useful,
# * but WITHOUT ANY WARRANTY; without even the implied warranty of
# * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# * GNU General Public License for more details.
# *
# * You should have received a copy of the GNU General Public License
# * along with this program; if not, write to the Free Software
# * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
# ******************************************************

#pylint: disable-msg=C0111

""" Configuration modules for pyflag.

PyFlag is a complex package and requires a flexible configuration
system. The following are the requirements of the configuration
system:

1) Configuration must be available from a number of sources:

   - Autoconf must be able to set things like the python path (in case
     pyflag is installed to a different prefix)

   - Users must be able to configure the installed system for their
   specific requirements.

   - Unconfigured parameters must be resolved at run time through the
   GUI and saved.

2) Configuration must be able to apply to cases specifically.

3) Because pyflag is modular, configuration variables might be required
   for each module. This means that definitions and declarations of
   configuration variables must be distributed in each plugin.

These goals are achieved by the use of multiple sources of
configuration information:

   - The system wide configuration file is this file: conf.py. It is
   generated from the build system from conf.py.in by substituting
   autoconfigured variables into it. It contains the most basic
   settings related to the installation, e.g. which python interpreter
   is used, where the python modules are installed etc. In particular
   it refers to the location of the system configuration file (usually
   found in /usr/local/etc/pyflagrc, or in /etc/pyflagrc).

   - The sysconfig file contains things like where the upload
   directory is, where to store temporary files etc. These are mainly
   installation wide settings which are expected to be modified by the
   administrator. Note that if you want the GUI to manipulate this
   file it needs to be writable by the user running the GUI.

   - Finally a conf table in each case is used to provide a per case
   configuration
"""
import ConfigParser
import optparse
import os
import sys

default_config = "/etc/volatilityrc"

class PyFlagOptionParser(optparse.OptionParser):
    final = False
    help_hooks = []

    def _process_args(self, largs, rargs, values):
        try:
            return optparse.OptionParser._process_args(self, largs, rargs, values)
        except (optparse.BadOptionError, optparse.OptionValueError), err:
            if self.final:
                raise err

    def error(self, msg):
        ## We can't emit errors about missing parameters until we are
        ## sure that all modules have registered all their parameters
        if self.final:
            return optparse.OptionParser.error(self, msg)
        else:
            raise RuntimeError(msg)

    def print_help(self, file = sys.stdout):
        optparse.OptionParser.print_help(self, file)

        for cb in self.help_hooks:
            file.write(cb())

class ConfObject(object):
    """ This is a singleton class to manage the configuration.

    This means it can be instantiated many times, but each instance
    refers to the global configuration (which is set in class
    variables).

    NOTE: The class attributes have static dicts assigned to
    facilitate singleton behaviour. This means all future instances
    will have the same dicts.
    """
    optparser = PyFlagOptionParser(add_help_option = False,
                                   version = False,
                                   )
    initialised = False

    ## This is the globals dictionary which will be used for
    ## evaluating the configuration directives.
    ## Note: emptying __builtins__ does not make eval() a sandbox. Values
    ## read from configuration files are evaluated as Python expressions,
    ## so every configuration file that is loaded must be trusted.
    g_dict = dict(__builtins__ = None)

    ## These are the options derived by reading any config files
    cnf_opts = {}

    ## Command line opts
    opts = {}
    args = None
    default_opts = {}
    docstrings = {}

    ## These are the actual options returned by the optparser:
    optparse_opts = None

    ## Filename where the configuration file is:
    _filename = None

    _filenames = []

    ## These parameters can not be updated by the GUI (but will be
    ## propagated into new configuration files)
    readonly = {}

    ## Absolute parameters can only be set by the code or command
    ## lines, they can not be over ridden in the configuration
    ## file. This ensures that only configuration files don't mask new
    ## options (e.g. schema version)
    _absolute = {}

    ## A list of option names:
    options = []

    ## Cache variants: There are configuration options which
    ## encapsulate the state of the running program. If any of these
    ## change all caches will be invalidated.
    cache_invalidators = {}

    def __init__(self):
        """ This is a singleton object kept in the class """
        if not ConfObject.initialised:
            self.optparser.add_option("-h", "--help", action = "store_true", default = False,
                            help = "list all available options and their default values. Default values may be set in the configuration file (" + default_config + ")")

            ConfObject.initialised = True

    def set_usage(self, usage = None, version = None):
        if usage:
            self.optparser.set_usage(usage)

        if version:
            self.optparser.version = version

    def add_file(self, filename, _type = 'init'):
        """ Adds a new file to parse """
        self._filenames.append(filename)

        self.cnf_opts.clear()

        for f in self._filenames:
            try:
                conf_parser = ConfigParser.ConfigParser()
                conf_parser.read(f)

                for k, v in conf_parser.items('DEFAULT'):
                    ## Absolute parameters are protected from
                    ## configuration files:
                    if k in self._absolute.keys():
                        continue

                    try:
                        v = eval(v, self.g_dict)
                    except Exception, _e:
                        pass

                    ## update the configured options
                    self.cnf_opts[k] = v

            except IOError:
                print "Unable to open {0}".format(f)

        ConfObject._filename = filename

    def print_help(self):
        return self.optparser.print_help()

    def add_help_hook(self, cb):
        """ Adds an epilog to the help message """
        self.optparser.help_hooks.append(cb)

    def set_help_hook(self, cb):
        self.optparser.help_hooks = [cb]

    def parse_options(self, final = True):
        """ Parses the options from command line and any conf files
        currently added.

        The final parameter should be only called from main programs
        at the point where they are prepared for us to call exit if
        required; (For example when we detect the -h parameter).
        """
        self.optparser.final = final

        ## Parse the command line options:
        try:
            (opts, args) = self.optparser.parse_args()

            self.opts.clear()

            ## Update our cmdline dict:
            for k in dir(opts):
                v = getattr(opts, k)
                if k in self.options and not v == None:
                    self.opts[k] = v

        except UnboundLocalError:
            raise RuntimeError("Unknown option - use -h to see help")

        ## If error() was called we catch it here
        except RuntimeError:
            opts = {}
            ## This gives us as much as was parsed so far
            args = self.optparser.largs

        self.optparse_opts = opts
        self.args = args

        if final:
            ## Reparse the config file again:
            self.add_file(self._filename)

            try:
                ## Help can only be set on the command line
                if getattr(self.optparse_opts, "help"):

                    ## Populate the metavars with the default values:
                    for opt in self.optparser.option_list:
                        try:
                            opt.metavar = "{0}".format((getattr(self, opt.dest) or
                                                        opt.dest.upper()))
                        except Exception, _e:
                            pass

                    self.optparser.print_help()
                    sys.exit(0)
            except AttributeError:
                pass

            ## Set the cache invalidators on the cache now:
            import volatility.cache as cache
            for k, v in self.cache_invalidators.items():
                cache.CACHE.invalidate_on(k, v)

    def remove_option(self, option):
        """ Removes options both from the config file parser and the
            command line parser

            This should only be used on options *before* they have been read,
            otherwise things could get very confusing.
        """
        option = option.lower()

        if option in self.cache_invalidators:
            del self.cache_invalidators[option]

        normalized_option = option.replace("-", "_")

        if normalized_option not in self.options:
            return

        self.options.remove(normalized_option)

        if normalized_option in self.readonly:
            del self.readonly[normalized_option]

        if normalized_option in self.default_opts:
            del self.default_opts[normalized_option]

        if normalized_option in self._absolute:
            del self._absolute[normalized_option]

        del self.docstrings[normalized_option]

        self.optparser.remove_option("--{0}".format(option))

        try:
            self.parse_options(False)
        except AttributeError:
            pass

    def add_option(self, option, short_option = None,
                   cache_invalidator = True,
                   **args):
        """ Adds options both to the config file parser and the
        command line parser.

        Args:
          option:            The long option name.
          short_option:      An optional short option.
          cache_invalidator: If set, when this option
                             changes all caches are invalidated.
        """
        option = option.lower()

        if cache_invalidator:
            self.cache_invalidators[option] = lambda : self.get_value(option)

        normalized_option = option.replace("-", "_")

        if normalized_option in self.options:
            return

        self.options.append(normalized_option)

        ## If this is read only we store it in a special dict
        try:
            if args['readonly']:
                self.readonly[normalized_option] = args['default']
            del args['readonly']
        except KeyError:
            pass

        ## If there is a default specified, we update our defaults dict:
        try:
            default = args['default']
            try:
                default = eval(default, self.g_dict)
            except:
                pass

            self.default_opts[normalized_option] = default
            del args['default']
        except KeyError:
            pass

        try:
            self._absolute[normalized_option] = args['absolute']
            del args['absolute']
        except KeyError:
            pass

        self.docstrings[normalized_option] = args.get('help', None)

        if short_option:
            self.optparser.add_option("-{0}".format(short_option), "--{0}".format(option), **args)
        else:
            self.optparser.add_option("--{0}".format(option), **args)

        ## update the command line parser

        ## We have to do the try-catch for python 2.4 support of short
        ## arguments. It can be removed when python 2.5 is a requirement
        try:
            self.parse_options(False)
        except AttributeError:
            pass

    def update(self, key, value):
        """ This can be used by scripts to force a value of an option """
        self.readonly[key.lower()] = value

    def get_value(self, key):
        return getattr(self, key.replace("-", "_"))

    def __getattr__(self, attr):
        ## If someone is looking for a configuration parameter but
        ## we have not parsed anything yet - do so now.
        if self.opts == None:
            self.parse_options(False)

        ## Maybe it's a class method?
        try:
            return super(ConfObject, self).__getattribute__(attr)
        except AttributeError:
            pass

        ## Is it a read only parameter (i.e. can not be overridden by
        ## the config file)
        try:
            return self.readonly[attr.lower()]
        except KeyError:
            pass

        ## Try to find the attribute in the command line options:
        try:
            return self.opts[attr.lower()]
        except KeyError:
            pass

        ## Has it already been parsed?
        try:
            tmp = getattr(self.optparser.values, attr.lower())
            if tmp:
                return tmp
        except AttributeError:
            pass

        ## Was it given in the environment?
        try:
            return os.environ["VOLATILITY_" + attr.upper()]
        except KeyError:
            pass

        ## No - try the configuration file:
        try:
            return self.cnf_opts[attr.lower()]
        except KeyError:
            pass

        ## No - is there a default for it?
        try:
            return self.default_opts[attr.lower()]
        except KeyError:
            pass

        ## Maybe its just a command line option:
        try:
            if not attr.startswith("_") and self.optparse_opts:
                return getattr(self.optparse_opts, attr.lower())
        except AttributeError:
            pass

        raise AttributeError("Parameter {0} is not configured - try setting it on the command line (-h for help)".format(attr))

class DummyConfig(ConfObject):
    pass

config = ConfObject()
if os.access(default_config, os.R_OK):
    config.add_file(default_config)
else:
    config.add_file("volatilityrc")

default_conf_path = ".volatilityrc"
try:
    default_conf_path = os.environ['HOME'] + '/.volatilityrc'
except KeyError:
    pass

config.add_option("CONF-FILE", default = default_conf_path,
                  cache_invalidator = False,
                  help = "User based configuration file")

config.add_file(config.CONF_FILE)

volatility-2.3.1/volatility/fmtspec.py

# Volatility
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

import re

class FormatSpec(object):
    def __init__(self, string = '', **kwargs):
        self.fill = ''
        self.align = ''
        self.sign = ''
        self.altform = False
        self.minwidth = -1
        self.precision = -1
        self.formtype = ''

        if string != '':
            self.from_string(string)

        # Ensure we parse the remaining arguments after the string so that they override
        self.from_specs(**kwargs)

    def from_specs(self, fill = None, align = None, sign = None, altform = None, minwidth = None, precision = None, formtype = None):
        ## Allow setting individual elements using kwargs
        if fill is not None:
            self.fill = fill
        if align is not None:
            self.align = align
        if sign is not None:
            self.sign = sign
        if altform is not None:
            self.altform = altform
        if minwidth is not None:
            self.minwidth = minwidth
        if precision is not None:
            self.precision = precision
        if formtype is not None:
            self.formtype = formtype

    def from_string(self, formatspec):
        # Format specifier regular expression
        regexp = "\A(.[<>=^]|[<>=^])?([-+ ]|\(\))?(#?)(0?)(\d*)(\.\d+)?(.)?\Z"

        match = re.search(regexp, formatspec)

        if match is None:
            raise ValueError("Invalid format specification: " + formatspec)

        if match.group(1):
            fillalign = match.group(1)
            if len(fillalign) > 1:
                self.fill = fillalign[0]
                self.align = fillalign[1]
            elif fillalign:
                self.align = fillalign

        if match.group(2):
            self.sign = match.group(2)
        if match.group(3):
            self.altform = len(match.group(3)) > 0
        if len(match.group(4)):
            if not self.fill:
                self.fill = "0"
                if not self.align:
                    self.align = "="
        if match.group(5):
            self.minwidth = int(match.group(5))
        if match.group(6):
            self.precision = int(match.group(6)[1:])
        if match.group(7):
            self.formtype = match.group(7)

    def to_string(self):
        formatspec = ""
        if self.align:
            formatspec = self.fill + self.align
        formatspec += self.sign
        if self.sign == '(':
            formatspec += ')'
        if self.altform:
            formatspec += '#'
        if self.minwidth >= 0:
            formatspec += str(self.minwidth)
        if self.precision >= 0:
            formatspec += '.' + str(self.precision)
        formatspec += self.formtype

        return formatspec

    def __str__(self):
        return self.to_string()

volatility-2.3.1/volatility/constants.py

# Volatility
# Copyright (C) 2008-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

# Blocksize was chosen to make it aligned
# on 8 bytes
# Optimized by Michael Cohen

import os, sys

VERSION = "2.3.1"

SCAN_BLOCKSIZE = 1024 * 1024 * 10

PLUGINPATH = os.path.dirname(__file__)
# If we're in a pyinstaller executable
if hasattr(sys, "frozen"):
    try:
        PLUGINPATH = sys._MEIPASS #pylint: disable-msg=W0212,E1101
    except ImportError:
        pass
PLUGINPATH = os.path.join(PLUGINPATH, 'plugins')

volatility-2.3.1/volatility/registry.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# Derived from source in PyFlag developed by:
# Copyright 2004: Commonwealth of Australia.
# Michael Cohen
# David Collett
#
# Subclassing plugin code developed by:
#
# Mike Auty
#
# ******************************************************
#  Version: FLAG $Version: 0.84RC4 Date: Wed May 30 20:48:31 EST 2007$
# ******************************************************
#
# * This program is free software; you can redistribute it and/or
# * modify it under the terms of the GNU General Public License
# * as published by the Free Software Foundation; either version 2
# * of the License, or (at your option) any later version.
# *
# * This program is distributed in the hope that it will be useful,
# * but WITHOUT ANY WARRANTY; without even the implied warranty of
# * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# * GNU General Public License for more details.
# *
# * You should have received a copy of the GNU General Public License
# * along with this program; if not, write to the Free Software
# * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
# *****************************************************

#pylint: disable-msg=C0111

""" This module implements a class registry.

We scan the memory_plugins directory for all python files and add those
classes which should be registered into their own lookup tables. These
are then ordered as required. The rest of Volatility will then call onto the
registered classes when needed.

This mechanism allows us to reorganise the code according to
functionality. For example we may include a Scanner, Report and File
classes in the same plugin and have them all automatically loaded.
"""

import os, zipfile
import volatility.debug as debug
import volatility.plugins as plugins

class PluginImporter(object):
    """This class searches through a comma-separated list of plugins and
       imports all classes found, based on their path and a fixed prefix.
    """
    def __init__(self):
        """Gathers all the plugins from config.PLUGINS
           Determines their namespaces and maintains a dictionary of modules to filepaths
           Then imports all modules found
        """
        self.modnames = {}

        # Handle additional plugins
        for path in plugins.__path__:
            path = os.path.abspath(path)

            for relfile in self.walkzip(path):
                module_path, ext = os.path.splitext(relfile)
                namespace = ".".join(['volatility.plugins'] + [ x for x in module_path.split(os.path.sep) if x ])
                #Lose the extension for the module name
                if ext in [".py", ".pyc", ".pyo"]:
                    filepath = os.path.join(path, relfile)
                    # Handle Init files
                    initstr = '.__init__'
                    if namespace.endswith(initstr):
                        self.modnames[namespace[:-len(initstr)]] = filepath
                    else:
                        self.modnames[namespace] = filepath

        self.run_imports()

    def walkzip(self, path):
        """Walks a path independent of whether it includes a zipfile or not"""
        if os.path.exists(path) and os.path.isdir(path):
            for dirpath, _dirnames, filenames in os.walk(path):
                for filename in filenames:
                    # Run through files as we always used to
                    yield os.path.join(dirpath[len(path) + len(os.path.sep):], filename)
        else:
            index = -1
            zippath = None
            while path.find(os.path.sep, index + 1) > -1:
                index = path.find(os.path.sep, index + 1)
                if zipfile.is_zipfile(path[:index]):
                    zippath = path[:index]
                    break
            else:
                if zipfile.is_zipfile(path):
                    zippath = path

            # Now yield the files
            if zippath:
                zipf = zipfile.ZipFile(zippath)
                prefix = path[len(zippath):].strip(os.path.sep)
                # If there's a prefix, ensure it ends in a slash
                if len(prefix):
                    prefix += os.path.sep
                for fn in zipf.namelist():
                    # Zipfiles seem to always list contents using / as their separator
                    fn = fn.replace('/', os.path.sep)
                    if fn.startswith(prefix) and not fn.endswith(os.path.sep):
                        # We're a file in the zipfile
                        yield fn[len(prefix):]

    def run_imports(self):
        """Imports all the already found modules"""
        for i in self.modnames.keys():
            if self.modnames[i] is not None:
                try:
                    __import__(i)
                except Exception, e:
                    print "*** Failed to import " + i + " (" + str(e.__class__.__name__) + ": " + str(e) + ")"
                    # This is too early to have had the debug filter lowered to include debugging messages
                    debug.post_mortem(2)

def _get_subclasses(cls):
    """ Run through subclasses of a particular class

        This returns all classes descended from the main class,
        _including_ the main class itself. If showall is set to
        False (the default) then classes starting with Abstract
        will not be returned.
    """
    for i in cls.__subclasses__():
        for c in _get_subclasses(i):
            yield c
    yield cls

def get_plugin_classes(cls, showall = False, lower = False):
    """Returns a dictionary of plugins"""
    # Plugins all make use of the Abstract concept
    result = {}
    for plugin in set(_get_subclasses(cls)):
        if showall or not (plugin.__name__.startswith("Abstract") or plugin == cls):
            # FIXME: This is due to not having done things correctly at the start
            if not showall and plugin.__name__ in ['BufferAddressSpace', 'HiveFileAddressSpace', 'HiveAddressSpace']:
                continue
            name = plugin.__name__.split('.')[-1]
            if lower:
                name = name.lower()
            if name not in result:
                result[name] = plugin
            else:
                raise Exception("Object {0} has already been defined by {1}".format(name, plugin))
    return result

def register_global_options(config, cls):
    ## Register all register_options for the various classes
    for m in get_plugin_classes(cls, True).values():
        if hasattr(m, 'register_options'):
            m.register_options(config)

volatility-2.3.1/volatility/win32/modules.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author:       AAron Walters and Nick Petroni
@license:      GNU General Public License 2.0
@contact:      awalters@4tphi.net, npetroni@4tphi.net
@organization: Volatility Foundation
"""

#pylint: disable-msg=C0111

import volatility.win32.tasks as tasks

def lsmod(addr_space):
    """ A Generator for modules """

    for m in tasks.get_kdbg(addr_space).modules():
        yield m

volatility-2.3.1/volatility/win32/crashdump.py

# Volatility
# Copyright (c) 2007-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
@author:       AAron Walters and Brendan Dolan-Gavitt
@license:      GNU General Public License 2.0
@contact:      awalters@4tphi.net,bdolangavitt@wesleyan.edu
@organization: Volatility Foundation

Tool: This tool generates a crash dump from a image of ram
"""

#pylint: disable-msg=C0111

#from forensics.object import get_obj_offset
#from forensics.win32.info import find_psactiveprocesshead
#from forensics.win32.info import find_psloadedmodulelist
#from forensics.win32.info import find_mmpfndatabase
#from forensics.win32.info import find_kddebuggerdatablock
#from forensics.win32.info import find_systemtime
#from forensics.win32.info import find_suitemask
#from forensics.win32.tasks import process_list
#from forensics.win32.tasks import process_addr_space
#from forensics.win32.tasks import peb_number_processors
#from forensics.win32.tasks import process_peb
#from forensics.win32.tasks import *

dump_hdr = ""

num_of_runs = 0x00000001
base_page = 0x00000000
pae_enabled = 0x01

#def find_numberprocessors(addr_space, types):
#
#    NumberOfProcessorsDict = dict()
#    all_tasks = process_list(addr_space, types)
#
#    for task in all_tasks:
#
#        if not addr_space.is_valid_address(task):
#            continue
#
#        process_address_space = process_addr_space(addr_space, types, task, addr_space.base.fname)
#        if process_address_space is None:
#            continue
#
#        peb = process_peb(addr_space, types, task)
#
#        try:
#            if not process_address_space.is_valid_address(peb):
#                continue
#        except:
#            continue
#
#        NumberOfProcessors = peb_number_processors(process_address_space, types, peb)
#        if NumberOfProcessors in NumberOfProcessorsDict:
#            NumberOfProcessorsDict[NumberOfProcessors] += 1
#        else:
#            NumberOfProcessorsDict[NumberOfProcessors] = 1
#
#    MaxNumberOfProcessors = max([ (NumberOfProcessorsDict[x], x) for x in NumberOfProcessorsDict])[1]
#
#    return MaxNumberOfProcessors
#
#def write_char_phys(value, member_list, hdr, types):
#
#    (offset, _current_type) = get_obj_offset(types, member_list)
#    new_hdr = hdr[:offset] + struct.pack('=B', value) + hdr[offset+1:]
#    return new_hdr
#
#def write_long_phys(value, member_list, hdr, types):
#
#    (offset, _current_type) = get_obj_offset(types, member_list)
#    new_hdr = hdr[:offset] + struct.pack('=I', value) + hdr[offset+4:]
#    return new_hdr
#
#def write_long_long_phys(value, member_list, hdr, types):
#
#    (offset, _current_type) = get_obj_offset(types, member_list)
#    new_hdr = hdr[:offset] + struct.pack('=Q', value) + hdr[offset+8:]
#    return new_hdr
#
#def dd_to_crash(addr_space, types, _symbol_table, opts):
#
#    outfile = opts.outfile
#    filename = opts.filename
#
#    DirectoryTableBaseValue = addr_space.pgd_vaddr
#
#    PsActiveProcessHead = find_psactiveprocesshead(addr_space, types)
#
#    PsLoadedModuleList = find_psloadedmodulelist(addr_space, types)
#
#    MmPfnDatabase = find_mmpfndatabase(addr_space, types)
#
#    KdDebuggerDataBlock = find_kddebuggerdatablock(addr_space, types)
#
#    NumberOfProcessors = find_numberprocessors(addr_space, types)
#
#    SuiteMask = find_suitemask(addr_space, types)
#
#    SystemTime = find_systemtime(addr_space, types)
#
#    num_pages = os.path.getsize(filename)/4096
#
#    new_hdr = write_long_phys(DirectoryTableBaseValue, ['_DMP_HEADER', 'DirectoryTableBase'], dump_hdr, types)
#    new_hdr = write_long_phys(PsLoadedModuleList, ['_DMP_HEADER', 'PsLoadedModuleList'], new_hdr, types)
#    new_hdr = write_long_phys(PsActiveProcessHead, ['_DMP_HEADER', 'PsActiveProcessHead'], new_hdr, types)
#    new_hdr = write_long_phys(KdDebuggerDataBlock, ['_DMP_HEADER', 'KdDebuggerDataBlock'], new_hdr, types)
#    new_hdr = write_long_phys(NumberOfProcessors, ['_DMP_HEADER', 'NumberProcessors'], new_hdr, types)
#    new_hdr = write_long_phys(MmPfnDatabase, ['_DMP_HEADER', 'PfnDataBase'], new_hdr, types)
#    new_hdr = write_long_phys(SuiteMask, ['_DMP_HEADER', 'SuiteMask'], new_hdr, types)
#    new_hdr = write_long_long_phys(SystemTime, ['_DMP_HEADER', 'SystemTime'], new_hdr, types)
#
#    if addr_space.pae == True:
#        new_hdr = write_char_phys(pae_enabled, ['_DMP_HEADER', 'PaeEnabled'], new_hdr, types)
#
#    new_hdr = new_hdr[:100] + struct.pack('=I', num_of_runs) + \
#                              struct.pack('=I', num_pages) + \
#                              struct.pack('=I', 0x00000000) + \
#                              struct.pack('=I', num_pages) + \
#                              new_hdr[116:]
#
#    MI = open(outfile, 'wb')
#    MI.write("%s" % new_hdr)
#
#    FILEOPEN = open(filename, 'rb')
#
#    offset = 0
#    end = os.path.getsize(filename)
#
#    while offset <= end:
#        fdata = FILEOPEN.read(0x1000)
#        if fdata == None:
#            break
#        MI.write("%s"%fdata)
#
#        progress.update(offset)
#        offset += 0x1000
#
#    print
#
#    FILEOPEN.close()
#    MI.close()
#
#    return

volatility-2.3.1/volatility/win32/hive.py
# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

#pylint: disable-msg=C0111

"""
@author:       Brendan Dolan-Gavitt
@license:      GNU General Public License 2.0
@contact:      bdolangavitt@wesleyan.edu
"""

import volatility.obj as obj
import volatility.addrspace as addrspace
import struct

FILTER = ''.join([(len(repr(chr(x))) == 3) and chr(x) or '.' for x in range(256)])

CI_TYPE_MASK = 0x80000000
CI_TYPE_SHIFT = 0x1F
CI_TABLE_MASK = 0x7FE00000
CI_TABLE_SHIFT = 0x15
CI_BLOCK_MASK = 0x1FF000
CI_BLOCK_SHIFT = 0x0C
CI_OFF_MASK = 0x0FFF
CI_OFF_SHIFT = 0x0

BLOCK_SIZE = 0x1000

class HiveAddressSpace(addrspace.BaseAddressSpace):
    def __init__(self, base, config, hive_addr, **kwargs):
        addrspace.BaseAddressSpace.__init__(self, base, config)
        self.base = base
        self.hive = obj.Object("_HHIVE", hive_addr, base)
        self.baseblock = self.hive.BaseBlock.v()
        self.flat = self.hive.Flat.v() > 0

    def __getstate__(self):
        result = addrspace.BaseAddressSpace.__getstate__(self)
        result['hive_addr'] = self.hive.obj_offset

        return result

    def vtop(self, vaddr):
        # If the hive is listed as "flat", it is all contiguous in memory
        # so we can just calculate it relative to the base block.
        if self.flat:
            return self.baseblock + vaddr + BLOCK_SIZE + 4

        # A cell index packs the storage type (stable or volatile), the
        # directory and table indexes into the hive's block map, and the
        # offset inside the 4 KB block.
        ci_type = (vaddr & CI_TYPE_MASK) >> CI_TYPE_SHIFT
        ci_table = (vaddr & CI_TABLE_MASK) >> CI_TABLE_SHIFT
        ci_block = (vaddr & CI_BLOCK_MASK) >> CI_BLOCK_SHIFT
        ci_off = (vaddr & CI_OFF_MASK) >> CI_OFF_SHIFT

        block = self.hive.Storage[ci_type].Map.Directory[ci_table].Table[ci_block].BlockAddress

        # Skip the 4-byte size field at the start of the cell
        return block + ci_off + 4

    #def hentry(self, vaddr):
    #    ci_type = (vaddr & CI_TYPE_MASK) >> CI_TYPE_SHIFT
    #    ci_table = (vaddr & CI_TABLE_MASK) >> CI_TABLE_SHIFT
    #    ci_block = (vaddr & CI_BLOCK_MASK) >> CI_BLOCK_SHIFT
    #    ci_off = (vaddr & CI_OFF_MASK) >> CI_OFF_SHIFT
    #    dir_map = read_obj(self.base, self.types, ['_HHIVE', 'Storage', ci_type, 'Map'],
    #        self.hive)
    #    if not dir_map:
    #        return None
    #    table = read_obj(self.base, self.types, ['_HMAP_DIRECTORY', 'Directory', ci_table],
    #        dir_map)
    #    if not table:
    #        return None
    #    #block = read_obj(self.base, self.types, ['_HMAP_TABLE', 'Table', ci_block, 'BlockAddress'],
    #    #    table)
    #
    #    return Obj("_HMAP_ENTRY", table, self.base)

    def read(self, vaddr, length, zero = False):
        length = int(length)
        vaddr = int(vaddr)
        first_block = BLOCK_SIZE - vaddr % BLOCK_SIZE
        full_blocks = ((length + (vaddr % BLOCK_SIZE)) / BLOCK_SIZE) - 1
        left_over = (length + vaddr) % BLOCK_SIZE

        paddr = self.vtop(vaddr)
        if paddr == None and zero:
            if length < first_block:
                return "\0" * length
            else:
                stuff_read = "\0" * first_block
        elif paddr == None:
            return None
        else:
            if length < first_block:
                stuff_read = self.base.read(paddr, length)
                if not stuff_read and zero:
                    return "\0" * length
                else:
                    return stuff_read

            stuff_read = self.base.read(paddr, first_block)
            if not stuff_read and zero:
                stuff_read = "\0" * first_block

        new_vaddr = vaddr + first_block
        for _i in range(0, full_blocks):
            paddr = self.vtop(new_vaddr)
            if paddr == None and zero:
                stuff_read = stuff_read + "\0" * BLOCK_SIZE
            elif paddr == None:
                return None
            else:
                new_stuff = self.base.read(paddr, BLOCK_SIZE)
                if not new_stuff and zero:
                    new_stuff = "\0" * BLOCK_SIZE
                elif not new_stuff:
                    return None
                # Zero-filled blocks are appended too, so that the data
                # following an unreadable block keeps its offset.
                stuff_read = stuff_read + new_stuff
            new_vaddr = new_vaddr + BLOCK_SIZE

        if left_over > 0:
            paddr = self.vtop(new_vaddr)
            if paddr == None and zero:
                stuff_read = stuff_read + "\0" * left_over
            elif paddr == None:
                return None
            else:
                stuff_read = stuff_read + self.base.read(paddr, left_over)
        return stuff_read

    def zread(self, addr, length):
        return self.read(addr, length, True)

    def read_long_phys(self, addr):
        string = self.base.read(addr, 4)
        (longval,) = struct.unpack('=I', string)
        return longval

    def is_valid_address(self, addr):
        if not addr:
            return False
        vaddr = self.vtop(addr)
        if not vaddr:
            return False
        return self.base.is_valid_address(vaddr)

    def save(self, outf):
        baseblock = self.base.read(self.baseblock, BLOCK_SIZE)
        if baseblock:
            outf.write(baseblock)
        else:
            outf.write("\0" * BLOCK_SIZE)

        length = self.hive.Storage[0].Length.v()
        for i in range(0, length, BLOCK_SIZE):
            data = None

            paddr = self.vtop(i)
            if paddr:
                paddr = paddr - 4
                data = self.base.read(paddr, BLOCK_SIZE)
            else:
                print "No mapping found for index {0:x}, filling with NULLs".format(i)

            if not data:
                print "Physical layer returned None for index {0:x}, filling with NULL".format(i)
                data = '\0' * BLOCK_SIZE

            outf.write(data)

    def stats(self, stable = True):
        if stable:
            stor = 0
            ci = lambda x: x
        else:
            stor = 1
            ci = lambda x: x | 0x80000000

        length = self.hive.Storage[stor].Length.v()
        total_blocks = length / BLOCK_SIZE
        bad_blocks_reg = 0
        bad_blocks_mem = 0
        for i in range(0, length, BLOCK_SIZE):
            i = ci(i)
            data = None
            paddr = self.vtop(i) - 4

            if paddr:
                data = self.base.read(paddr, BLOCK_SIZE)
            else:
                bad_blocks_reg += 1
                continue

            if not data:
                bad_blocks_mem += 1

        print "{0} bytes in hive.".format(length)
        print "{0} blocks not loaded by CM, {1} blocks paged out, {2} total blocks.".format(bad_blocks_reg, bad_blocks_mem, total_blocks)
        if total_blocks:
            print "Total of {0:.2f}% of hive unreadable.".format(((bad_blocks_reg + bad_blocks_mem) / float(total_blocks)) * 100)

        return (bad_blocks_reg,
                bad_blocks_mem, total_blocks)


class HiveFileAddressSpace(addrspace.BaseAddressSpace):
    def __init__(self, base, config):
        addrspace.BaseAddressSpace.__init__(self, base, config)
        self.base = base

    def vtop(self, vaddr):
        return vaddr + BLOCK_SIZE + 4

    def read(self, vaddr, length, zero = False):
        first_block = BLOCK_SIZE - vaddr % BLOCK_SIZE
        full_blocks = ((length + (vaddr % BLOCK_SIZE)) / BLOCK_SIZE) - 1
        left_over = (length + vaddr) % BLOCK_SIZE

        paddr = self.vtop(vaddr)
        if paddr == None and zero:
            if length < first_block:
                return "\0" * length
            else:
                stuff_read = "\0" * first_block
        elif paddr == None:
            return None
        else:
            if length < first_block:
                stuff_read = self.base.read(paddr, length)
                if not stuff_read and zero:
                    return "\0" * length
                else:
                    return stuff_read

            stuff_read = self.base.read(paddr, first_block)
            if not stuff_read and zero:
                stuff_read = "\0" * first_block

        new_vaddr = vaddr + first_block
        for _i in range(0, full_blocks):
            paddr = self.vtop(new_vaddr)
            if paddr == None and zero:
                stuff_read = stuff_read + "\0" * BLOCK_SIZE
            elif paddr == None:
                return None
            else:
                new_stuff = self.base.read(paddr, BLOCK_SIZE)
                if not new_stuff and zero:
                    new_stuff = "\0" * BLOCK_SIZE
                elif not new_stuff:
                    return None
                # Zero-filled blocks are appended too, so that the data
                # following an unreadable block keeps its offset.
                stuff_read = stuff_read + new_stuff
            new_vaddr = new_vaddr + BLOCK_SIZE

        if left_over > 0:
            paddr = self.vtop(new_vaddr)
            if paddr == None and zero:
                stuff_read = stuff_read + "\0" * left_over
            elif paddr == None:
                return None
            else:
                stuff_read = stuff_read + self.base.read(paddr, left_over)
        return stuff_read

    def zread(self, addr, length):
        return self.read(addr, length, True)

    def read_long_phys(self, addr):
        string = self.base.read(addr, 4)
        (longval,) = struct.unpack('=I', string)
        return longval

    def is_valid_address(self, vaddr):
        paddr = self.vtop(vaddr)
        if not paddr:
            return False
        return self.base.is_valid_address(paddr)

volatility-2.3.1/volatility/win32/rawreg.py
# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

#pylint: disable-msg=C0111

"""
@author:       Brendan Dolan-Gavitt
@license:      GNU General Public License 2.0
@contact:      bdolangavitt@wesleyan.edu
"""

import volatility.debug as debug
import volatility.obj as obj
import struct

ROOT_INDEX = 0x20
LH_SIG = "lh"
LF_SIG = "lf"
RI_SIG = "ri"
NK_SIG = "nk"
VK_SIG = "vk"

BIG_DATA_MAGIC = 0x3fd8

KEY_FLAGS = {
    "KEY_IS_VOLATILE"   : 0x01,
    "KEY_HIVE_EXIT"     : 0x02,
    "KEY_HIVE_ENTRY"    : 0x04,
    "KEY_NO_DELETE"     : 0x08,
    "KEY_SYM_LINK"      : 0x10,
    "KEY_COMP_NAME"     : 0x20,
    "KEY_PREFEF_HANDLE" : 0x40,
    "KEY_VIRT_MIRRORED" : 0x80,
    "KEY_VIRT_TARGET"   : 0x100,
    "KEY_VIRTUAL_STORE" : 0x200,
}

VALUE_TYPES = dict(enumerate([
    "REG_NONE",
    "REG_SZ",
    "REG_EXPAND_SZ",
    "REG_BINARY",
    "REG_DWORD",
    "REG_DWORD_BIG_ENDIAN",
    "REG_LINK",
    "REG_MULTI_SZ",
    "REG_RESOURCE_LIST",
    "REG_FULL_RESOURCE_DESCRIPTOR",
    "REG_RESOURCE_REQUIREMENTS_LIST",
    "REG_QWORD",
]))

def get_root(address_space, stable = True):
    if stable:
        return obj.Object("_CM_KEY_NODE", ROOT_INDEX, address_space)
    else:
        return obj.Object("_CM_KEY_NODE", ROOT_INDEX | 0x80000000, address_space)

def open_key(root, key):
    if key == []:
        return root

    if not root.is_valid():
        return None

    keyname = key.pop(0)
    for s in subkeys(root):
        if s.Name.upper() == keyname.upper():
            return open_key(s, key)
    debug.debug("Couldn't find subkey {0} of {1}".format(keyname, root.Name), 1)
    return obj.NoneObject("Couldn't find subkey {0} of {1}".format(keyname, root.Name))

def read_sklist(sk):
    if (sk.Signature.v() == LH_SIG or
            sk.Signature.v() == LF_SIG):
        for i in sk.List:
            yield i

    elif sk.Signature.v() == RI_SIG:
        for i in range(sk.Count):
            # Read and dereference the pointer
            ptr_off = sk.List.obj_offset + (i * 4)
            if not sk.obj_vm.is_valid_address(ptr_off):
                continue
            ssk_off = obj.Object("unsigned int", ptr_off, sk.obj_vm)
            if not sk.obj_vm.is_valid_address(ssk_off):
                continue

            ssk = obj.Object("_CM_KEY_INDEX", ssk_off, sk.obj_vm)
            for i in read_sklist(ssk):
                yield i

# Note: had to change SubKeyLists to be array of 2 pointers in vtypes.py
def subkeys(key):
    if not key.is_valid():
        return

    if int(key.SubKeyCounts[0]) > 0:
        sk_off = key.SubKeyLists[0]
        sk = obj.Object("_CM_KEY_INDEX", sk_off, key.obj_vm)
        if not sk or not sk.is_valid():
            pass
        else:
            for i in read_sklist(sk):
                if i.Signature.v() == NK_SIG:
                    yield i

    if int(key.SubKeyCounts[1]) > 0:
        sk_off = key.SubKeyLists[1]
        sk = obj.Object("_CM_KEY_INDEX", sk_off, key.obj_vm)
        if not sk or not sk.is_valid():
            pass
        else:
            for i in read_sklist(sk):
                if i and i.Signature.v() == NK_SIG:
                    yield i

def values(key):
    return [ v for v in key.ValueList.List.dereference()
             if v.Signature.v() == VK_SIG ]

def key_flags(key):
    return [ k for k in KEY_FLAGS if key.Flags & KEY_FLAGS[k] ]

value_formats = {"REG_DWORD": "L", "REG_QWORD": " 0x4000:
        # Value is a BIG_DATA block, stored in chunked format
        datalen = val.DataLength
        big_data = obj.Object("_CM_BIG_DATA", val.Data, val.obj_vm)
        valdata = ""
        thelist = []
        if not big_data.Count or big_data.Count > 0x80000000:
            thelist = []
        else:
            for i in range(big_data.Count):
                ptr_off = big_data.List + (i * 4)
                chunk_addr = obj.Object("unsigned int", ptr_off, val.obj_vm)
                if not val.obj_vm.is_valid_address(chunk_addr):
                    continue
                thelist.append(chunk_addr)

        for chunk in thelist:
            amount_to_read = min(BIG_DATA_MAGIC, datalen)
            chunk_data = val.obj_vm.read(chunk, amount_to_read)
            if not chunk_data:
                valdata = None
                break
            valdata += chunk_data
            datalen -= amount_to_read
    else:
        valdata = val.obj_vm.read(val.Data, val.DataLength)

    valtype = VALUE_TYPES.get(val.Type.v(), "REG_UNKNOWN")
    if valdata == None:
        return (valtype, obj.NoneObject("Value data is unreadable"))

    if valtype in ["REG_DWORD", "REG_DWORD_BIG_ENDIAN", "REG_QWORD"]:
        if len(valdata) != struct.calcsize(value_formats[valtype]):
            return (valtype, obj.NoneObject("Value data did not match the expected data size for a {0}".format(valtype)))

    if valtype in ["REG_SZ", "REG_EXPAND_SZ", "REG_LINK"]:
        valdata = valdata.decode('utf-16-le', "ignore")
    elif valtype == "REG_MULTI_SZ":
        valdata = valdata.decode('utf-16-le', "ignore").split('\0')
    elif valtype in ["REG_DWORD", "REG_DWORD_BIG_ENDIAN", "REG_QWORD"]:
        valdata = struct.unpack(value_formats[valtype], valdata)[0]
    return (valtype, valdata)

def walk(root):
    yield root
    for k in subkeys(root):
        for j in walk(k):
            yield j

volatility-2.3.1/volatility/win32/network.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: AAron Walters
@license: GNU General Public License 2.0
@contact: awalters@4tphi.net
@organization: Volatility Foundation
"""

#pylint: disable-msg=C0111

import volatility.win32 as win32
import volatility.obj as obj

module_versions_xp = {
    'MP' : {
        'TCBTableOff' : [0x497e8],
        'SizeOff' : [0x3f7c8],
        'AddrObjTableOffset' : [0x48760],
        'AddrObjTableSizeOffset' : [0x48764],
    },
    'UP' : {
        'TCBTableOff' : [0x495e8],
        'SizeOff' : [0x3f5bc],
        'AddrObjTableOffset' : [0x48560],
        'AddrObjTableSizeOffset' : [0x48564],
    },
    '2180' : {
        'TCBTableOff' : [0x493e8],
        'SizeOff' : [0x3f3b0],
        'AddrObjTableOffset' : [0x48360],
        'AddrObjTableSizeOffset' : [0x48364],
    },
    '3244' : {
        'TCBTableOff' : [0x496E8],
        'SizeOff' : [0x3F6BC],
        'AddrObjTableOffset' : [0x48660],
        'AddrObjTableSizeOffset' : [0x48664],
    },
    '3394': {
        'TCBTableOff': [0x49768],
        'SizeOff': [0x3F73C],
        'AddrObjTableOffset': [0x486E0],
        'AddrObjTableSizeOffset': [0x486E4],
    },
    '5625' : {
        'TCBTableOff' : [0x49ae8],
        'SizeOff' : [0x3fac8],
        'AddrObjTableOffset' : [0x48a60],
        'AddrObjTableSizeOffset' : [0x48a64],
    },
    '2111' : {
        'TCBTableOff' : [0x49A68],
        'SizeOff' : [0x3FA48],
        'AddrObjTableOffset' : [0x489E0],
        'AddrObjTableSizeOffset' : [0x489E4],
    },
}

module_versions_2003 = {
    # w2003 sp0
    '3790' : {
        'TCBTableOff' : [0x4c6c8],
        'SizeOff' : [0x4312c],
        'AddrObjTableOffset' : [0x4bba0],
        'AddrObjTableSizeOffset' : [0x4bba4],
    },
    # w2003 sp1
    '1830' : {
        'TCBTableOff' : [0x4e428],
        'SizeOff' : [0x44140],
        'AddrObjTableOffset' : [0x4d4e4],
        'AddrObjTableSizeOffset' : [0x4d4e8],
    },
    # w2003 sp2
    '3959' : {
        'TCBTableOff' : [0x7c548],
        'SizeOff' : [0x50308],
        'AddrObjTableOffset' : [0x5ada4],
        'AddrObjTableSizeOffset' : [0x5ada8],
    },
    # w2003 sp2
    '4573' : {
        'TCBTableOff' : [0x7f0ac],
        'SizeOff' : [0x52328],
        'AddrObjTableOffset' : [0x5cf04],
        'AddrObjTableSizeOffset' : [0x5cf08],
    },
    # w2003 sp2 x64
    '3959_x64' : {
        'TCBTableOff' : [0x000c8d30],
        'SizeOff' : [0x0009b4a0],
        'AddrObjTableOffset' : [0x000a4880],
        'AddrObjTableSizeOffset' : [0x000a4888],
    },
    # w2003 sp1 x64
    '1830_x64' : {
        'TCBTableOff' : [0x8f2d0],
        'SizeOff' : [0x861cc],
        'AddrObjTableOffset' : [0x8c4c0],
        'AddrObjTableSizeOffset' : [0x8c4c8],
    },
    # w2003 sp2 x64 (unknown build number)
    'unk_1_x64' : {
        'TCBTableOff' : [0xCD2D8],
        'SizeOff' : [0x9E4A0],
        'AddrObjTableOffset' : [0xa78E0],
        'AddrObjTableSizeOffset' : [0xa78E8],
    },
}

## Define the maximum number of sockets that we expect to see on a given system.
## Due to the way we currently iterate over possible offsets, it's easy to pick
## the wrong one and end up creating an array of up to 0xFFFFFFFF objects, even
## though there's no possibility of ever having that many active at one time.
## This can lead to a MemoryError, which is bad. The limit we've chosen (2 million)
## is based on 65535 for TCP, 65535 for UDP, for each of up to 100 IP addresses;
## then rounded up to the nearest million. It's not perfect, but it should prevent
## memory errors until we redesign the way we find socket and connection objects.
MAX_SOCKETS = 2000000

def determine_connections(addr_space):
    """Determines all connections for each module"""
    all_modules = win32.modules.lsmod(addr_space)

    version = (addr_space.profile.metadata.get('major', 0),
               addr_space.profile.metadata.get('minor', 0))

    if version <= (5, 1):
        module_versions = module_versions_xp
    else:
        module_versions = module_versions_2003

    for m in all_modules:
        if str(m.BaseDllName).lower() == 'tcpip.sys':
            for attempt in module_versions:
                table_size = obj.Object(
                    "long",
                    offset = m.DllBase +
                             module_versions[attempt]['SizeOff'][0],
                    vm = addr_space)

                table_addr = obj.Object(
                    "address",
                    offset = m.DllBase +
                             module_versions[attempt]['TCBTableOff'][0],
                    vm = addr_space)

                if table_size > 0:
                    table = obj.Object("Array",
                        offset = table_addr, vm = addr_space,
                        count = table_size,
                        target = obj.Curry(obj.Pointer, '_TCPT_OBJECT'))

                    if table:
                        for entry in table:
                            conn = entry.dereference()
                            seen = set()
                            while conn.is_valid() and conn.obj_offset not in seen:
                                yield conn
                                seen.add(conn.obj_offset)
                                conn = conn.Next.dereference()

def determine_sockets(addr_space):
    """Determines all sockets for each module"""
    all_modules = win32.modules.lsmod(addr_space)

    if addr_space.profile.metadata.get('major', 0) <= 5.1 and addr_space.profile.metadata.get('minor', 0) == 1:
        module_versions = module_versions_xp
    else:
        module_versions = module_versions_2003

    for m in all_modules:
        if str(m.BaseDllName).lower() == 'tcpip.sys':
            for attempt in module_versions:
                table_size = obj.Object(
                    "unsigned long",
                    offset = m.DllBase +
                             module_versions[attempt]['AddrObjTableSizeOffset'][0],
                    vm = addr_space)

                table_addr = obj.Object(
                    "address",
                    offset = m.DllBase +
                             module_versions[attempt]['AddrObjTableOffset'][0],
                    vm = addr_space)

                if int(table_size) > 0 and int(table_size) < MAX_SOCKETS:
                    table = obj.Object("Array",
                        offset = table_addr, vm = addr_space,
                        count = table_size,
                        target = obj.Curry(obj.Pointer, "_ADDRESS_OBJECT"))

                    if table:
                        for entry in table:
                            sock = entry.dereference()
                            seen = set()
                            while sock.is_valid() and sock.obj_offset not in seen:
                                yield sock
                                seen.add(sock.obj_offset)
                                sock = sock.Next.dereference()

volatility-2.3.1/volatility/win32/__init__.py

volatility-2.3.1/volatility/win32/tasks.py

# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: AAron Walters
@license: GNU General Public License 2.0
@contact: awalters@4tphi.net
@organization: Volatility Foundation
"""

#pylint: disable-msg=C0111

import volatility.obj as obj
import volatility.debug as debug #pylint: disable-msg=W0611
from bisect import bisect_right

def get_kdbg(addr_space):
    """A function designed to return the KDBG structure from
    an address space. First we try scanning for KDBG and if
    that fails, we try scanning for KPCR and bouncing back to
    KDBG from there.

    Also note, both the primary and backup methods rely on the
    4-byte KDBG.Header.OwnerTag. If someone overwrites this
    value, then neither method will succeed. The same is true
    even if a user specifies --kdbg, because we check for the
    OwnerTag even in that case.
    """

    kdbgo = obj.VolMagic(addr_space).KDBG.v()

    kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = kdbgo, vm = addr_space)

    if kdbg.is_valid():
        return kdbg

    # Fall back to finding it via the KPCR. We cannot
    # accept the first/best suggestion, because only
    # the KPCR for the first CPU allows us to find KDBG.
    for kpcr_off in obj.VolMagic(addr_space).KPCR.generate_suggestions():

        kpcr = obj.Object("_KPCR", offset = kpcr_off, vm = addr_space)

        kdbg = kpcr.get_kdbg()

        if kdbg.is_valid():
            return kdbg

    return obj.NoneObject("KDDEBUGGER structure not found using either KDBG signature or KPCR pointer")

def pslist(addr_space):
    """ A Generator for _EPROCESS objects """

    for p in get_kdbg(addr_space).processes():
        yield p

def find_space(addr_space, procs, mod_base):
    """Search for an address space (usually looking for a GUI process)"""
    if addr_space.is_valid_address(mod_base):
        return addr_space
    for proc in procs:
        ps_ad = proc.get_process_address_space()
        if ps_ad != None:
            if ps_ad.is_valid_address(mod_base):
                return ps_ad
    return None

def find_module(modlist, mod_addrs, addr):
    """Uses binary search to find what module a given address resides in.

    This is much faster than a series of linear checks if you have
    to do it many times. Note that modlist and mod_addrs must be sorted
    in order of the module base address.

    NOTE: the mod_addrs and addr parameters must already be masked for
    the address space"""

    pos = bisect_right(mod_addrs, addr) - 1
    if pos == -1:
        return None
    mod = modlist[mod_addrs[pos]]

    if (mod.obj_vm.address_compare(addr, mod.DllBase) != -1 and
            mod.obj_vm.address_compare(addr, mod.DllBase + mod.SizeOfImage) == -1):
        return mod
    else:
        return None

volatility-2.3.1/volatility/win32/lsasecrets.py

# Volatility
# Copyright (c) 2008-2013 Volatility Foundation
# Copyright (c) 2008 Brendan Dolan-Gavitt
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

#pylint: disable-msg=C0111

"""
@author: Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: bdolangavitt@wesleyan.edu
"""

import struct
import volatility.win32.rawreg as rawreg
import volatility.win32.hive as hive
import volatility.win32.hashdump as hashdump
from Crypto.Hash import MD5
from Crypto.Cipher import ARC4, DES

def get_lsa_key(secaddr, bootkey):
    if not bootkey:
        return None

    root = rawreg.get_root(secaddr)
    if not root:
        return None

    enc_reg_key = rawreg.open_key(root, ["Policy", "PolSecretEncryptionKey"])
    if not enc_reg_key:
        return None

    enc_reg_value = enc_reg_key.ValueList.List.dereference()[0]
    if not enc_reg_value:
        return None

    obf_lsa_key = secaddr.read(enc_reg_value.Data,
            enc_reg_value.DataLength)
    if not obf_lsa_key:
        return None

    md5 = MD5.new()
    md5.update(bootkey)
    for _i in range(1000):
        md5.update(obf_lsa_key[60:76])
    rc4key = md5.digest()

    rc4 = ARC4.new(rc4key)
    lsa_key = rc4.decrypt(obf_lsa_key[12:60])

    return lsa_key[0x10:0x20]

def decrypt_secret(secret, key):
    """Python implementation of SystemFunction005.

    Decrypts a block of data with DES using given key.
    Note that key can be longer than 7 bytes."""
    decrypted_data = ''
    j = 0 # key index
    for i in range(0, len(secret), 8):
        enc_block = secret[i:i + 8]
        block_key = key[j:j + 7]
        des_key = hashdump.str_to_key(block_key)

        des = DES.new(des_key, DES.MODE_ECB)
        decrypted_data += des.decrypt(enc_block)

        j += 7
        if len(key[j:j + 7]) < 7:
            j = len(key[j:j + 7])

    (dec_data_len,) = struct.unpack("
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

# The source code in this file was inspired by the work of Matthieu Suiche,
# http://sandman.msuiche.net/, and the information presented released as
# part of the Microsoft Interoperability Initiative:
# http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-DRSR%5D.pdf
# A special thanks to Matthieu for all his help!

"""
@author: Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: bdolangavitt@wesleyan.edu
"""

#pylint: disable-msg=C0111

from struct import unpack
from struct import error as StructError

def recombine(outbuf):
    return "".join(outbuf[k] for k in sorted(outbuf.keys()))

def xpress_decode(inputBuffer):
    outputBuffer = {}
    outputIndex = 0
    inputIndex = 0
    indicatorBit = 0
    nibbleIndex = 0

    # we are decoding the entire input here, so I have changed
    # the check to see if we're at the end of the output buffer
    # with a check to see if we still have any input left.
    while inputIndex < len(inputBuffer):
        if (indicatorBit == 0):
            # in pseudocode this was indicatorBit = ..., but that makes no
            # sense, so I think this was intended...
            try:
                indicator = unpack("
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: bdolangavitt@wesleyan.edu
"""

#pylint: disable-msg=C0111

import volatility.win32.rawreg as rawreg
import volatility.win32.hive as hive
import volatility.win32.lsasecrets as lsasecrets
import volatility.win32.hashdump as hashdump
from Crypto.Hash import HMAC
from Crypto.Cipher import ARC4
from struct import unpack

def get_nlkm(secaddr, lsakey):
    return lsasecrets.get_secret_by_name(secaddr, 'NL$KM', lsakey)

def decrypt_hash(edata, nlkm, ch):
    hmac_md5 = HMAC.new(nlkm, ch)
    rc4key = hmac_md5.digest()

    rc4 = ARC4.new(rc4key)
    data = rc4.encrypt(edata)
    return data

def parse_cache_entry(cache_data):
    (uname_len, domain_len) = unpack("
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

#pylint: disable-msg=C0111

"""
@author: Brendan Dolan-Gavitt
@license: GNU General Public License 2.0
@contact: bdolangavitt@wesleyan.edu
"""

import volatility.obj as obj
import volatility.win32.rawreg as rawreg
import volatility.win32.hive as hive
from Crypto.Hash import MD5, MD4
from Crypto.Cipher import ARC4, DES
from struct import unpack, pack

odd_parity = [
    1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14,
    16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
    32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
    49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
    64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
    81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
    97, 97, 98, 98, 100, 100, 103, 103, 104, 104, 107, 107, 109, 109, 110, 110,
    112, 112, 115, 115, 117, 117, 118, 118, 121, 121, 122, 122, 124, 124, 127, 127,
    128, 128, 131, 131, 133, 133, 134, 134, 137, 137, 138, 138, 140, 140, 143, 143,
    145, 145, 146, 146, 148, 148, 151, 151, 152, 152, 155, 155, 157, 157, 158, 158,
    161, 161, 162, 162, 164, 164, 167, 167, 168, 168, 171, 171, 173, 173, 174, 174,
    176, 176, 179, 179, 181, 181, 182, 182, 185, 185, 186, 186, 188, 188, 191, 191,
    193, 193, 194, 194, 196, 196, 199, 199, 200, 200, 203, 203, 205, 205, 206, 206,
    208, 208, 211, 211, 213, 213, 214, 214, 217, 217, 218, 218, 220, 220, 223, 223,
    224, 224, 227, 227, 229, 229, 230, 230, 233, 233, 234, 234, 236, 236, 239, 239,
    241, 241, 242, 242, 244, 244, 247, 247, 248, 248, 251, 251, 253, 253, 254, 254
]

# Permutation matrix for boot key
p = [ 0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3,
      0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 ]

# Constants for SAM decrypt algorithm
aqwerty = "!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\0"
anum = "0123456789012345678901234567890123456789\0"
antpassword = "NTPASSWORD\0"
almpassword = "LMPASSWORD\0"
lmkey = "KGS!@#$%"

empty_lm = "aad3b435b51404eeaad3b435b51404ee".decode('hex')
empty_nt = "31d6cfe0d16ae931b73c59d7e0c089c0".decode('hex')

def str_to_key(s):
    key = []
    key.append(ord(s[0]) >> 1)
    key.append(((ord(s[0]) & 0x01) << 6) | (ord(s[1]) >> 2))
    key.append(((ord(s[1]) & 0x03) << 5) | (ord(s[2]) >> 3))
    key.append(((ord(s[2]) & 0x07) << 4) | (ord(s[3]) >> 4))
    key.append(((ord(s[3]) & 0x0F) << 3) | (ord(s[4]) >> 5))
    key.append(((ord(s[4]) & 0x1F) << 2) | (ord(s[5]) >> 6))
    key.append(((ord(s[5]) & 0x3F) << 1) | (ord(s[6]) >> 7))
    key.append(ord(s[6]) & 0x7F)
    for i in range(8):
        key[i] = (key[i] << 1)
        key[i] = odd_parity[key[i]]
    return "".join(chr(k) for k in key)

def sid_to_key(sid):
    s1 = ""
    s1 += chr(sid & 0xFF)
    s1 += chr((sid >> 8) & 0xFF)
    s1 += chr((sid >> 16) & 0xFF)
    s1 += chr((sid >> 24) & 0xFF)
    s1 += s1[0]
    s1 += s1[1]
    s1 += s1[2]
    s2 = s1[3] + s1[0] + s1[1] + s1[2]
    s2 += s2[0] + s2[1] + s2[2]

    return str_to_key(s1), str_to_key(s2)

def hash_lm(pw):
    pw = pw[:14].upper()
    pw = pw + ('\0' * (14 - len(pw)))
    d1 = DES.new(str_to_key(pw[:7]), DES.MODE_ECB)
    d2 = DES.new(str_to_key(pw[7:]), DES.MODE_ECB)
    return d1.encrypt(lmkey) + d2.encrypt(lmkey)

def hash_nt(pw):
    return MD4.new(pw.encode('utf-16-le')).digest()

def find_control_set(sysaddr):
    root = rawreg.get_root(sysaddr)
    if not root:
        return 1

    csselect = rawreg.open_key(root, ["Select"])
    if not csselect:
        return 1

    for v in rawreg.values(csselect):
        if v.Name == "Current":
            return v.Data

def get_bootkey(sysaddr):
    cs = find_control_set(sysaddr)
    lsa_base = ["ControlSet{0:03}".format(cs), "Control", "Lsa"]
    lsa_keys = ["JD", "Skew1", "GBG", "Data"]

    root = rawreg.get_root(sysaddr)
    if not root:
        return None

    lsa = rawreg.open_key(root, lsa_base)
    if not lsa:
        return None

    bootkey = ""

    for lk in lsa_keys:
        key = rawreg.open_key(lsa, [lk])
        class_data = sysaddr.read(key.Class, key.ClassLength)
        bootkey += class_data.decode('utf-16-le').decode('hex')

    bootkey_scrambled = ""
    for i in range(len(bootkey)):
        bootkey_scrambled += bootkey[p[i]]

    return bootkey_scrambled

def get_hbootkey(samaddr, bootkey):
    sam_account_path = ["SAM", "Domains", "Account"]

    if not bootkey:
        return None

    root = rawreg.get_root(samaddr)
    if not root:
        return None

    sam_account_key = rawreg.open_key(root, sam_account_path)
    if not sam_account_key:
        return None

    F = None
    for v in rawreg.values(sam_account_key):
        if v.Name == 'F':
            F = samaddr.read(v.Data, v.DataLength)
    if not F:
        return None

    md5 = MD5.new()
    md5.update(F[0x70:0x80] + aqwerty + bootkey + anum)
    rc4_key = md5.digest()

    rc4 = ARC4.new(rc4_key)
    hbootkey = rc4.encrypt(F[0x80:0xA0])

    return hbootkey

def get_user_keys(samaddr):
    user_key_path = ["SAM", "Domains", "Account", "Users"]

    root = rawreg.get_root(samaddr)
    if not root:
        return []

    user_key = rawreg.open_key(root, user_key_path)
    if not user_key:
        return []

    return [k for k in rawreg.subkeys(user_key) if k.Name != "Names"]

def decrypt_single_hash(rid, hbootkey, enc_hash, lmntstr):
    (des_k1, des_k2) = sid_to_key(rid)
    d1 = DES.new(des_k1, DES.MODE_ECB)
    d2 = DES.new(des_k2, DES.MODE_ECB)

    md5 = MD5.new()
    md5.update(hbootkey[:0x10] + pack(".
#

"""
@author: AAron Walters
@license: GNU General Public License 2.0
@contact: awalters@4tphi.com
@organization: Volatility Foundation

Alias for all address spaces
"""

#pylint: disable-msg=C0111

import fractions
import volatility.obj as obj
import volatility.registry as registry
import volatility.debug as debug

## Make sure the profiles are cached so we only parse it once. This is
## important since it allows one module to update the profile for
## another module.
PROFILES = {}

class ASAssertionError(AssertionError):

    def __init__(self, *args, **kwargs):
        AssertionError.__init__(self, *args, **kwargs)

def check_valid_profile(option, _opt_str, value, parser):
    """Checks to make sure the selected profile is valid"""
    # PROFILES may not have been created yet,
    # but the callback should get called once it has
    # during the final parse of the config options
    profs = registry.get_plugin_classes(obj.Profile)
    if profs:
        try:
            profs[value]
        except KeyError:
            debug.error("Invalid profile " + value + " selected")
        setattr(parser.values, option.dest, value)

class BaseAddressSpace(object):
    """ This is the base class of all Address Spaces. """
    def __init__(self, base, config, *_args, **_kwargs):
        """ base is the AS we will be stacking on top of, opts are
        options which we may use.
        """
        self.base = base
        self.name = "Unnamed AS"
        self._config = config
        self.profile = self._set_profile(config.PROFILE)

    @staticmethod
    def register_options(config):
        ## By default load the profile that the user asked for
        config.add_option("PROFILE", default = 'WinXPSP2x86', type = 'str',
                          nargs = 1, action = "callback", callback = check_valid_profile,
                          help = "Name of the profile to load")

        config.add_option("LOCATION", default = None, short_option = 'l',
                          help = "A URN location from which to load an address space")

    def get_config(self):
        """Returns the config object used by the vm for use in other vms"""
        return self._config

    def _set_profile(self, profile_name):
        ## Load the required profile
        if profile_name in PROFILES:
            ret = PROFILES[profile_name]
        else:
            profs = registry.get_plugin_classes(obj.Profile)
            if profile_name in profs:
                ret = profs[profile_name]()
                PROFILES[profile_name] = ret
            else:
                raise ASAssertionError, "Invalid profile " + profile_name + " selected"
        if not self.is_valid_profile(ret):
            raise ASAssertionError, "Incompatible profile " + profile_name + " selected"
        return ret

    def is_valid_profile(self, profile): #pylint: disable-msg=W0613
        """Determines whether a selected profile is compatible with this address space"""
        return True

    def as_assert(self, assertion, error = None):
        """Duplicate for the assert command (so that optimizations don't disable them)

        It had to be called as_assert, since assert is a keyword
        """
        if not assertion:
            if error == None:
                error = "Instantiation failed for unspecified reason"
            raise ASAssertionError, error

    def __eq__(self, other):
        return (self.__class__ == other.__class__ and
                self.profile == other.profile and self.base == other.base)

    def __ne__(self, other):
        return not self == other

    def read(self, addr, length):
        """ Read some data from a certain offset """

    def zread(self, addr, length):
        """ Read data from a certain offset padded with \x00 where data is not available """

    def get_available_addresses(self):
        """ Return a generator of address ranges as (offset, size) covered by this AS sorted by offset.

        The address ranges produced must be disjoint (no overlaps) and not be continuous
        (there must be a gap between two ranges).
        """
        raise StopIteration

    def is_valid_address(self, _addr):
        """ Tell us if the address is valid """
        return True

    def write(self, _addr, _buf):
        if not self._config.WRITE:
            return False
        raise NotImplementedError("Write support for this type of Address Space has not been implemented")

    def __getstate__(self):
        """ Serialise this address space efficiently """
        ## FIXME: Note that types added/overridden in the config.PROFILE may bleed through
        ## into other plugins from the cache. This needs fixing.
        return dict(name = self.__class__.__name__, base = self.base, config = self._config)

    def __setstate__(self, state):
        self.__init__(**state)

    @classmethod
    def address_mask(cls, addr):
        """Masks an address value for this address space"""
        return addr

    @classmethod
    def address_compare(cls, a, b):
        """Compares two addresses, a and b, and return -1 if a is less than b, 0 if they're equal and 1 if a is greater than b"""
        return cmp(cls.address_mask(a), cls.address_mask(b))

    @classmethod
    def address_equality(cls, a, b):
        """Compare two addresses and returns True if they're the same, or False if they're not"""
        return cls.address_compare(a, b) == 0

class AbstractDiscreteAllocMemory(BaseAddressSpace):
    """A class based on memory stored as discrete allocations.
    """

    minimum_size = None
    alignment_gcd = None

    def __init__(self, base, config, *args, **kwargs):
        BaseAddressSpace.__init__(self, base, config, *args, **kwargs)

    def translate(self, vaddr):
        raise NotImplementedError("This is an abstract method and should not be referenced directly")

    def get_available_allocs(self):
        """A generator that returns (addr, size) for each of the virtual addresses present, sorted by offset"""
        raise NotImplementedError("This is an abstract method and should not be referenced directly")

    def calculate_alloc_stats(self):
        """Calculates the minimum_size and alignment_gcd to determine "virtual allocs" when reading lengths of data

        It's particularly important to cast all numbers to ints, since they're used a lot and objects take effort to reread.
        """
        available_allocs = list(self.get_available_allocs())

        self.minimum_size = int(min([size for _, size in available_allocs]))
        accumulator = self.minimum_size
        for start, _ in available_allocs:
            if accumulator is None and start > 1:
                accumulator = start
            if accumulator and start > 0:
                accumulator = fractions.gcd(accumulator, start)
        self.alignment_gcd = int(accumulator)
        # Pick an arbitrary cut-off that'll lead to too many reads
        if self.alignment_gcd < 0x4:
            debug.warning("Alignment of " + self.__class__.__name__ + " is too small, plugins will be extremely slow")

    def _read(self, addr, length, pad = False):
        """Reads length bytes at the address addr

        If pad is False, this can return None if some of the address space is empty
        If pad is True, any read errors result in "\x00" bytes filling the missing read locations
        """
        if not self.alignment_gcd or not self.minimum_size:
            self.calculate_alloc_stats()

        position = addr
        remaining = length
        buff = ""
        read = self.base.zread if pad else self.base.read

        # For each allocation...
        while remaining > 0:
            # Determine whether we're within an alloc or not
            alloc_remaining = (self.alignment_gcd - (addr % self.alignment_gcd))
            # Try to jump out early
            paddr = self.translate(position)
            datalen = min(remaining, alloc_remaining)
            if paddr is None:
                if not pad:
                    return None
                buff += "\x00" * datalen
            else:
                # This accounts for a special edge case
                # when the address is valid in this address space
                # but not in the underlying (base) address space.
                # We have seen this happen with IA32/FileAddr
                if self.base.is_valid_address(paddr):
                    data = read(paddr, datalen)
                else:
                    data = None
                if data is None:
                    if not pad:
                        return obj.NoneObject("Could not read_chunks from addr " + hex(position) + " of size " + hex(datalen))
                    data = "\x00" * datalen
                buff += data
            position += datalen
            remaining -= datalen
            assert (addr + length == position + remaining), "Address + length != position + remaining (" + hex(addr + length) + " != " + hex(position + remaining) + ") in " + self.base.__class__.__name__
            assert (position - addr == len(buff)), "Position - address != len(buff) (" + str(position - addr) + " != " + str(len(buff)) + ") in " + self.base.__class__.__name__
        return buff

    def read(self, addr, length):
        '''
        This method reads 'length' bytes from the specified 'addr'.
        If any range is unavailable it returns None.
        '''
        return self._read(addr, length, False)

    def zread(self, addr, length):
        '''
        This method reads 'length' bytes from the specified 'addr'.
        If any range is unavailable it pads the region with zeros.
        '''
        return self._read(addr, length, True)

class AbstractRunBasedMemory(AbstractDiscreteAllocMemory):
    """A class based on memory stored as separate segments.

       @var runs: Stores an ordered list of the segments or runs

       A run is a tuple of (input/domain/virtual address, output/range/physical address, size of segment)
    """

    def __init__(self, base, config, *args, **kwargs):
        AbstractDiscreteAllocMemory.__init__(self, base, config, *args, **kwargs)
        self.runs = []
        self.header = None

    def get_runs(self):
        """Get the memory block info"""
        return self.runs

    def get_header(self):
        """Get the header info"""
        return self.header

    def translate(self, addr):
        """Find the offset in the file where a memory address can be found.
        @param addr: a memory address
        """
        for input_addr, output_addr, length in self.runs:
            if addr >= input_addr and addr < input_addr + length:
                return output_addr + (addr - input_addr)
            # Since runs are in order, we can bail out early if we're
            # looking for something before the start of the current one
            if addr < input_addr:
                return None

        return None

    def get_available_allocs(self):
        """Get a list of accessible physical memory regions"""
        for input_addr, _, length in self.runs:
            yield input_addr, length

    def get_available_addresses(self):
        """Get a list of physical memory runs"""
        # Since runs are in order and not contiguous
        # we can reuse the output from available_allocs
        return self.get_available_allocs()

    def is_valid_address(self, phys_addr):
        """Check if a physical address is in the file.

        @param phys_addr: a physical address
        """
        return self.translate(phys_addr) is not None

    def get_address_range(self):
        """ This relates to the logical address range that is indexable """
        # Runs must not be empty
        (input_address, _, length) = self.runs[-1]
        size = input_address + length
        (start, _, _) = self.runs[0]
        return [start, size]

class AbstractVirtualAddressSpace(AbstractDiscreteAllocMemory):
    """Base Ancestor for all Virtual address spaces, as determined by astype"""
    def __init__(self, base, config, astype = 'virtual', *args, **kwargs):
        AbstractDiscreteAllocMemory.__init__(self, base, config, astype = astype, *args, **kwargs)
        self.as_assert(astype == 'virtual' or astype == 'any', "User requested non-virtual AS")

    def vtop(self, vaddr):
        raise NotImplementedError("This is an abstract method and should not be referenced directly")

    def translate(self, vaddr):
        return self.vtop(vaddr)

## This is a specialised AS for use internally - Its used to provide
## transparent support for a string buffer so types can be
## instantiated off the buffer.
class BufferAddressSpace(BaseAddressSpace):
    def __init__(self, config, base_offset = 0, data = '', **kwargs):
        BaseAddressSpace.__init__(self, None, config, **kwargs)
        self.fname = "Buffer"
        self.data = data
        self.base_offset = base_offset

    def assign_buffer(self, data, base_offset = 0):
        self.base_offset = base_offset
        self.data = data

    def is_valid_address(self, addr):
        return not (addr < self.base_offset or addr > self.base_offset + len(self.data))

    def read(self, addr, length):
        offset = addr - self.base_offset
        return self.data[offset: offset + length]

    def zread(self, addr, length):
        return self.read(addr, length)

    def write(self, addr, data):
        if not self._config.WRITE:
            return False
        self.data = self.data[:addr] + data + self.data[addr + len(data):]
        return True

    def get_available_addresses(self):
        yield (self.base_offset, len(self.data))
volatility-2.3.1/volatility/utils.py0000644000175000017500000001243312227253532017531 0ustar mikemike00000000000000
# Volatility
#
# Authors:
# Michael Cohen
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import volatility.exceptions as exceptions
import volatility.registry as registry
import volatility.addrspace as addrspace
import volatility.debug as debug
import socket
import itertools

#pylint: disable-msg=C0111

def load_as(config, astype = 'virtual', **kwargs):
    """Loads an address space by stacking valid ASes on top of each other (priority order first)"""

    base_as = None
    error = exceptions.AddrSpaceError()

    # Start off requiring another round
    found = True
    ## A full iteration through all the classes without anyone
    ## selecting us means we are done:
    while found:
        debug.debug("Voting round")
        found = False
        for cls in sorted(registry.get_plugin_classes(addrspace.BaseAddressSpace).values(),
                          key = lambda x: x.order if hasattr(x, 'order') else 10):
            debug.debug("Trying {0} ".format(cls))
            try:
                base_as = cls(base_as, config, astype = astype, **kwargs)
                debug.debug("Succeeded instantiating {0}".format(base_as))
                found = True
                break
            except addrspace.ASAssertionError, e:
                debug.debug("Failed instantiating {0}: {1}".format(cls.__name__, e), 2)
                error.append_reason(cls.__name__, e)
                continue
            except Exception, e:
                debug.debug("Failed instantiating (exception): {0}".format(e))
                error.append_reason(cls.__name__ + " - EXCEPTION", e)
                continue

    if not isinstance(base_as, addrspace.AbstractVirtualAddressSpace) and (astype == 'virtual'):
        base_as = None

    if base_as is None:
        raise error

    return base_as

def Hexdump(data, width = 16):
    """ Hexdump function shared by various plugins """
    for offset in xrange(0, len(data), width):
        row_data = data[offset:offset + width]
        translated_data = [x if ord(x) < 127 and ord(x) > 32 else "." for x in row_data]
        hexdata = " ".join(["{0:02x}".format(ord(x)) for x in row_data])

        yield offset, hexdata, translated_data

# Compensate for Windows python not supporting socket.inet_ntop and some
# Linux systems (i.e. OpenSuSE 11.2 w/ Python 2.6) not supporting IPv6.
def inet_ntop(address_family, packed_ip):

    def inet_ntop4(packed_ip):
        if not isinstance(packed_ip, str):
            raise TypeError("must be string, not {0}".format(type(packed_ip)))
        if len(packed_ip) != 4:
            raise ValueError("invalid length of packed IP address string")
        return "{0}.{1}.{2}.{3}".format(*[ord(x) for x in packed_ip])

    def inet_ntop6(packed_ip):
        if not isinstance(packed_ip, str):
            raise TypeError("must be string, not {0}".format(type(packed_ip)))
        if len(packed_ip) != 16:
            raise ValueError("invalid length of packed IP address string")

        words = []
        for i in range(0, 16, 2):
            words.append((ord(packed_ip[i]) << 8) | ord(packed_ip[i + 1]))

        # Replace a run of 0x00s with None
        numlen = [(k, len(list(g))) for k, g in itertools.groupby(words)]
        max_zero_run = sorted(sorted(numlen, key = lambda x: x[1], reverse = True), key = lambda x: x[0])[0]
        words = []
        for k, l in numlen:
            if (k == 0) and (l == max_zero_run[1]) and not (None in words):
                words.append(None)
            else:
                for i in range(l):
                    words.append(k)

        # Handle encapsulated IPv4 addresses
        encapsulated = ""
        if (words[0] is None) and (len(words) == 3 or (len(words) == 4 and words[1] == 0xffff)):
            words = words[:-2]
            encapsulated = inet_ntop4(packed_ip[-4:])
        # If we start or end with None, then add an additional :
        if words[0] is None:
            words = [None] + words
        if words[-1] is None:
            words += [None]
        # Join up everything we've got using :s
        return ":".join(["{0:x}".format(w) if w is not None else "" for w in words]) + encapsulated

    if address_family == socket.AF_INET:
        return inet_ntop4(packed_ip)
    elif address_family == socket.AF_INET6:
        return inet_ntop6(packed_ip)
    raise socket.error("[Errno 97] Address family not supported by protocol")

def iterfind(data, string):
    """This function is called by the search_process_memory()
    method of windows, linux, and mac process objects"""

    offset = data.find(string, 0)
    while offset >= 0:
        yield offset
        offset = data.find(string, offset + len(string))
volatility-2.3.1/volatility/obj.py0000644000175000017500000013202412227253532017142 0ustar mikemike00000000000000
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# Copyright (C) 2005,2006 4tphi Research
# Author: {npetroni,awalters}@4tphi.net (Nick Petroni and AAron Walters)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

"""
@author: AAron Walters
@license: GNU General Public License 2.0
@contact: awalters@4tphi.net
@organization: Volatility Foundation
"""

#pylint: disable-msg=C0111,W0613

import sys
if __name__ == '__main__':
    sys.path.append(".")
    sys.path.append("..")

import cPickle as pickle # pickle implementation must match that in volatility.cache
import struct, copy, operator
import volatility.debug as debug
import volatility.fmtspec as fmtspec
import volatility.exceptions as exceptions
import volatility.plugins.overlays.native_types as native_types

## Curry is now a standard python feature
import functools

Curry = functools.partial

import traceback

class classproperty(property):
    def __get__(self, cls, owner):
        # We don't think pylint knows what it's talking about here
        return self.fget.__get__(None, owner)() #pylint: disable-msg=E1101

def get_bt_string(_e = None):
    return ''.join(traceback.format_stack()[:-3])

class NoneObject(object):
    """ A magical object which is like None but swallows bad dereferences,
    __getattribute__, iterators etc to return itself.

    Instantiate with the reason for the error.
    """
    def __init__(self, reason = '', strict = False):
        debug.debug("None object instantiated: " + reason, 2)
        self.reason = reason
        self.strict = strict
        if strict:
            self.bt = get_bt_string()

    def __str__(self):
        ## If we are strict we blow up here
        if self.strict:
            debug.error("Strict NoneObject string failure: {0} n{1}".format(self.reason, self.bt))
            sys.exit(0)
        else:
            debug.warning("NoneObject as string: {0}".format(self.reason))

        return ""

    def write(self, data):
        """Write procedure only ever returns False"""
        return False

    def __repr__(self):
        return ""

    ## Behave like an empty set
    def __iter__(self):
        return self

    def __len__(self):
        return 0

    def __format__(self, formatspec):
        spec = fmtspec.FormatSpec(string = formatspec, altform = False, formtype = 's', fill = "-", align = ">")
        return format('-', str(spec))

    def next(self):
        raise StopIteration()

    def __getattr__(self, attr):
        # By returning self for any unknown attribute
        # and ensuring the self is callable, we cover both properties and methods
        # Override NotImplemented functions in object with self
        return self

    def __bool__(self):
        return False

    def __nonzero__(self):
        return False

    def __eq__(self, other):
        return (other is None)

    def __ne__(self, other):
        return not self.__eq__(other)

    ## Make us subscriptable obj[j]
    def __getitem__(self, item):
        return self

    def __call__(self, *arg, **kwargs):
        return self

    def __int__(self):
        return -1

    # These must be defined explicitly,
    # due to the way new style objects bypass __getattribute__ for speed
    # See http://docs.python.org/reference/datamodel.html#new-style-special-lookup
    __add__ = __call__
    __sub__ = __call__
    __mul__ = __call__
    __floordiv__ = __call__
    __mod__ = __call__
    __divmod__ = __call__
    __pow__ = __call__
    __lshift__ = __call__
    __rshift__ = __call__
    __and__ = __call__
    __xor__ = __call__
    __or__ = __call__

    __radd__ = __call__
    __rsub__ = __call__
    __rmul__ = __call__
    __rfloordiv__ = __call__
    __rmod__ = __call__
    __rdivmod__ = __call__
    __rpow__ = __call__
    __rlshift__ = __call__
    __rrshift__ = __call__
    __rand__ = __call__
    __rxor__ = __call__
    __ror__ = __call__

class InvalidOffsetError(exceptions.VolatilityException):
    """Simple placeholder to identify invalid offsets"""
    pass

def Object(theType, offset, vm, name = None, **kwargs):
    """ A function which instantiates the object named in theType (as
    a string) from the type in profile passing optional args of
    kwargs.
    """
    name = name or theType
    offset = int(offset)

    try:
        if vm.profile.has_type(theType):
            result = vm.profile.types[theType](offset = offset, vm = vm, name = name, **kwargs)
            return result
    except InvalidOffsetError:
        ## If we cant instantiate the object here, we just error out:
        return NoneObject("Invalid Address 0x{0:08X}, instantiating {1}".format(offset, name),
                          strict = vm.profile.strict)

    ## If we get here we have no idea what the type is supposed to be?
    ## This is a serious error.
    debug.warning("Cant find object {0} in profile {1}?".format(theType, vm.profile))

class BaseObject(object):

    # We have **kwargs here, but it's unclear if it's a good idea
    # Benefit is objects will never fail with duff parameters
    # Downside is typos won't show up and be difficult to diagnose
    def __init__(self, theType, offset, vm, native_vm = None, parent = None, name = None, **kwargs):
        self._vol_theType = theType
        self._vol_offset = offset
        self._vol_vm = vm
        self._vol_native_vm = native_vm
        self._vol_parent = parent
        self._vol_name = name

        if not self.obj_vm.is_valid_address(self.obj_offset):
            raise InvalidOffsetError("Invalid Address 0x{0:08X}, instantiating {1}".format(offset, self.obj_name))

    @property
    def obj_type(self):
        return self._vol_theType

    @property
    def obj_vm(self):
        return self._vol_vm

    @property
    def obj_offset(self):
        return self._vol_offset

    @property
    def obj_parent(self):
        return self._vol_parent

    @property
    def obj_name(self):
        return self._vol_name

    @property
    def obj_native_vm(self):
        return self._vol_native_vm or self._vol_vm

    def set_native_vm(self, native_vm):
        """Sets the native_vm """
        self._vol_native_vm = native_vm

    def rebase(self, offset):
        # If it's needed, we should be using the __getstate__ and __setstate__ functions
        raise DeprecationWarning("The rebase function has been deprecated and will be removed in future versions")

    def proxied(self, attr):
        return None

    def newattr(self, attr, value):
        """Sets a new attribute after the object has been created"""
        return BaseObject.__setattr__(self, attr, value)

    def write(self, value):
        """Function for writing the object back to disk"""
        pass

    def __getattr__(self, attr):
        """ This is only useful for proper methods (not ones that
        start with __ )
        """
        ## Search for the attribute of the proxied object
        proxied = self.proxied(attr)
        # Don't do a __nonzero__ check on proxied or things like '' will fail
        if proxied is None:
            raise AttributeError("Unable to resolve attribute {0} on {1}".format(attr, self.obj_name))

        return getattr(proxied, attr)

    def __setattr__(self, attr, value):
        try:
            object.__setattr__(self, attr, value)
        except AttributeError:
            pass

    def __nonzero__(self):
        """ This method is called when we test the truth value of an
        Object. In volatility we consider an object to have True truth
        value only when its a valid object. Its possible for example
        to have a Pointer object which is not valid - this will have a
        truth value of False.

        You should be testing for validity like this:
        if X:
           # object is valid

        Do not test for validity like this:

        if int(X) == 0:

        or if X is None: .....

        the later form is not going to work when X is a NoneObject.
        """
        result = self.obj_vm.is_valid_address(self.obj_offset)
        return result

    def __eq__(self, other):
        return self.v() == other or ((self.__class__ == other.__class__) and
                                     (self.obj_offset == other.obj_offset) and (self.obj_vm == other.obj_vm))

    def __ne__(self, other):
        return not self.__eq__(other)

    def __hash__(self):
        # This should include the critical components of self.obj_vm
        return hash(self.obj_name) ^ hash(self.obj_offset)

    def m(self, memname):
        raise AttributeError("No member {0}".format(memname))

    def is_valid(self):
        return self.obj_vm.is_valid_address(self.obj_offset)

    def dereference(self):
        return NoneObject("Can't dereference {0}".format(self.obj_name), self.obj_vm.profile.strict)

    def dereference_as(self, derefType, **kwargs):
        # Make sure we use self.obj_native_vm to automatically
        # dereference from the highest available VM
        if self.obj_native_vm.is_valid_address(self.v()):
            return Object(derefType, self.v(), self.obj_native_vm, parent = self, **kwargs)
        else:
            return NoneObject("Invalid offset {0} for dereferencing {1} as {2}".format(self.v(), self.obj_name, derefType))

    def cast(self, castString):
        return Object(castString, self.obj_offset, self.obj_vm)

    def v(self):
        """ Do the actual reading and decoding of this member
        """
        return NoneObject("No value for {0}".format(self.obj_name), self.obj_vm.profile.strict)

    def __format__(self, formatspec):
        return format(self.v(), formatspec)

    def __str__(self):
        return str(self.v())

    def __repr__(self):
        return "[{0} {1}] @ 0x{2:08X}".format(self.__class__.__name__, self.obj_name or '', self.obj_offset)

    def d(self):
        """Display diagnostic information"""
        return self.__repr__()

    def __getstate__(self):
        """ This controls how we pickle and unpickle the objects """
        try:
            thetype = self._vol_theType.__name__
        except AttributeError:
            thetype = self._vol_theType

        # Note: we lose the parent attribute here
        result = dict(offset = self.obj_offset,
                      name = self.obj_name,
                      vm = self.obj_vm,
                      native_vm = self.obj_native_vm,
                      theType = thetype)

        ## Introspect the kwargs for the constructor and store in the dict
        try:
            for arg in self.__init__.func_code.co_varnames:
                if (arg not in result and
                    arg not in "self parent profile args".split()):
                    result[arg] = self.__dict__[arg]
        except KeyError:
            debug.post_mortem()
            raise pickle.PicklingError("Object {0} at 0x{1:08x} cannot be cached because of missing attribute {2}".format(self.obj_name, self.obj_offset, arg))

        return result

    def __setstate__(self, state):
        ## What we want to do here is to instantiate a new object and then copy it into ourselves
        #new_object = Object(state['theType'], state['offset'], state['vm'], name = state['name'])
        new_object = Object(**state)
        if not new_object:
            raise pickle.UnpicklingError("Object {0} at 0x{1:08x} invalid".format(state['name'], state['offset']))

        ## (Scudette) Im not sure how much of a hack this is - we
        ## basically take over all the new object's members. This is
        ## needed because __setstate__ can not return a new object,
        ## but must update the current object instead. I'm sure ikelos
        ## will object!!! I am open to suggestions ...
        self.__dict__ = new_object.__dict__

def CreateMixIn(mixin):
    def make_method(name):
        def method(self, *args, **kw):
            proxied = self.proxied(name)
            try:
                ## Try to coerce the other in case its also a proxied
                ## class
                args = list(args)
                args[0] = args[0].proxied(name)
            except (AttributeError, IndexError):
                pass

            try:
                method = getattr(operator, name)
                args = [proxied] + args
            except AttributeError:
                method = getattr(proxied, name)

            return method(*args, **kw)

        return method

    for name in mixin._specials:
        setattr(mixin, name, make_method(name))

class NumericProxyMixIn(object):
    """ This MixIn implements the numeric protocol """
    _specials = [
        ## Number protocols
        '__add__', '__sub__', '__mul__',
        '__floordiv__', '__mod__', '__divmod__',
        '__pow__', '__lshift__', '__rshift__',
        '__and__', '__xor__', '__or__', '__div__',
        '__truediv__', '__radd__', '__rsub__',
        '__rmul__', '__rdiv__', '__rtruediv__',
        '__rfloordiv__', '__rmod__', '__rdivmod__',
        '__rpow__', '__rlshift__',
        '__rrshift__', '__rand__', '__rxor__', '__ror__',
        '__neg__', '__pos__',
        '__abs__', '__invert__', '__int__', '__long__',
        '__float__', '__oct__', '__hex__',

        ## Comparisons
        '__lt__', '__le__', '__eq__', '__ne__', '__ge__', '__gt__', '__index__',

        ## Formatting
        '__format__',
        ]

CreateMixIn(NumericProxyMixIn)

class NativeType(BaseObject, NumericProxyMixIn):
    def __init__(self, theType, offset, vm, format_string = None, **kwargs):
        BaseObject.__init__(self, theType, offset, vm, **kwargs)
        NumericProxyMixIn.__init__(self)
        self.format_string = format_string

    def write(self, data):
        """Writes the data back into the address space"""
        output = struct.pack(self.format_string, data)
        return self.obj_vm.write(self.obj_offset, output)

    def proxied(self, attr):
        return self.v()

    def size(self):
        return struct.calcsize(self.format_string)

    def v(self):
        data = self.obj_vm.read(self.obj_offset, self.size())
        if not data:
            return NoneObject("Unable to read {0} bytes from {1}".format(self.size(), self.obj_offset))

        (val,) = struct.unpack(self.format_string, data)

        # Ensure that integer NativeTypes are converted to longs
        # to avoid integer boundaries when doing __rand__ proxying
        # (see issue 265)
        if isinstance(val, int):
            val = long(val)

        return val

    def cdecl(self):
        return self.obj_name

    def __repr__(self):
        return " [{0}]: {1}".format(self._vol_theType, self.v())

    def d(self):
        return " [{0} {1} | {2}]: {3}".format(self.__class__.__name__, self.obj_name or '', self._vol_theType, self.v())

class BitField(NativeType):
    """ A class splitting an integer into a bunch of bit. """
    def __init__(self, theType, offset, vm, start_bit = 0, end_bit = 32, native_type = None, **kwargs):
        # Defaults to profile-endian address, but can be overridden by native_type
        format_string = vm.profile.native_types.get(native_type, vm.profile.native_types['address'])[1]
        NativeType.__init__(self, theType, offset, vm, format_string = format_string, **kwargs)
        self.start_bit = start_bit
        self.end_bit = end_bit
        self.native_type = native_type # Store this for proper caching

    def v(self):
        i = NativeType.v(self)
        return (i & ((1 << self.end_bit) - 1)) >> self.start_bit

    def write(self, data):
        data = data << self.start_bit
        return NativeType.write(self, data)

class Pointer(NativeType):
    def __init__(self, theType, offset, vm, target = None, **kwargs):
        # Default to profile-endian address
        # We don't allow native_type overriding for pointers since we can't dereference invalid pointers anyway
        # You can define a POINTER_64 in 32-bit windows, it becomes a signed pointer for use with special pointers like -1.
        # However, in that case it's unlikely to dereference properly either
        # We can always change this later if it becomes necessary to handle such unusual circumstances
        NativeType.__init__(self, theType, offset, vm, format_string = vm.profile.native_types['address'][1], **kwargs)

        if theType:
            self.target = Curry(Object, theType)
        else:
            self.target = target

    def __getstate__(self):
        ## This one is too complicated to pickle right now
        raise pickle.PicklingError("Pointer objects do not support caching")

    def is_valid(self):
        """ Returns if what we are pointing to is valid """
        return self.obj_native_vm.is_valid_address(self.v())

    def dereference(self):
        offset = self.v()
        if self.obj_native_vm.is_valid_address(offset):
            # Make sure we use self.obj_native_vm to automatically
            # dereference from the highest available VM
            result = self.target(offset = offset,
                                 vm = self.obj_native_vm,
                                 parent = self.obj_parent,
                                 name = self.obj_name)
            return result
        else:
            return NoneObject("Pointer {0} invalid".format(self.obj_name), self.obj_vm.profile.strict)

    def cdecl(self):
        return "Pointer {0}".format(self.v())

    def __nonzero__(self):
        return bool(self.is_valid())

    def __repr__(self):
        target = self.dereference()
        return "<{0} pointer to [0x{1:08X}]>".format(target.__class__.__name__, self.v())

    def d(self):
        target = self.dereference()
        return "<{0} {1} pointer to [0x{2:08X}]>".format(target.__class__.__name__, self.obj_name or '', self.v())

    def __getattr__(self, attr):
        ## We just dereference ourself
        result = self.dereference()

        #if isinstance(result, CType):
        #    return result.m(attr)
        return getattr(result, attr)

    def m(self, memname):
        # Look for children on the dereferenced object
        result = self.dereference()
        return result.m(memname)

class Void(NativeType):
    def __init__(self, theType, offset, vm, **kwargs):
        # Default to profile-endian unsigned long
        # This should never need to be overridden, but can be by changing the 'Void' value in a profile's object_classes
        format_string = vm.profile.native_types['unsigned long'][1]
        NativeType.__init__(self, theType, offset, vm, format_string = format_string, **kwargs)

    def cdecl(self):
        return "0x{0:08X}".format(self.v())

    def __repr__(self):
        return "Void (0x{0:08X})".format(self.v())

    def d(self):
        return "Void[{0} {1}] (0x{2:08X})".format(self.__class__.__name__, self.obj_name or '', self.v())

    def __nonzero__(self):
        return bool(self.dereference())

class Array(BaseObject):
    """ An array of objects of the same size """
    def __init__(self, theType, offset, vm, parent = None,
                 count = 1, targetType = None, target = None, name = None, **kwargs):
        ## Instantiate the first object on the offset:
        BaseObject.__init__(self, theType, offset, vm,
                            parent = parent, name = name, **kwargs)

        if callable(count):
            count = count(parent)

        self.count = int(count)

        self.original_offset = offset
        if targetType:
            self.target = Curry(Object, targetType)
        else:
            self.target = target

        self.current = self.target(offset = offset, vm = vm, parent = self,
                                   name = name)
        if self.current.size() == 0:
            ## It is an error to have a zero sized element
            debug.debug("Array with 0 sized members???", level = 10)
            debug.b()

    def __getstate__(self):
        ## This one is too complicated to pickle right now
        raise pickle.PicklingError("Array objects do not support caching")

    def size(self):
        return self.count * self.current.size()

    def __iter__(self):
        ## This method is better than the __iter__/next method as it
        ## is reentrant
        for position in range(0, self.count):
            ## We don't want to stop on a NoneObject. Its
            ## entirely possible that this array contains a bunch of
            ## pointers and some of them may not be valid (or paged
            ## in). This should not stop us though we just return the
            ## invalid pointers to our callers. It's up to the callers
            ## to do what they want with the array.
if (self.current == None): return yield self[position] def __repr__(self): result = [ x.__str__() for x in self ] return "".format(",".join(result)) def d(self): result = [ x.__str__() for x in self ] return "".format(self.__class__.__name__, self.obj_name or '', ",".join(result)) def __eq__(self, other): # Check we can carry out further tests for equality/inequality if not (hasattr(other, '__len__') and hasattr(other, '__getitem__')): return False if self.count != len(other): return False for i in range(self.count): if not self[i] == other[i]: return False return True def __getitem__(self, pos): ## Check for slice object if isinstance(pos, slice): start, stop, step = pos.indices(self.count) return [self[i] for i in xrange(start, stop, step)] # Handle negative values if pos >= self.count or pos <= -self.count: raise IndexError("array index out of range") if pos < 0: pos = self.count - pos ## Check if the offset is valid offset = self.original_offset + pos * self.current.size() if self.obj_vm.is_valid_address(offset): # Ensure both the true VM and offsetlayer are copied across return self.target(offset = offset, vm = self.obj_vm, native_vm = self.obj_native_vm, parent = self, name = "{0} {1}".format(self.obj_name, pos)) else: return NoneObject("Array {0} invalid member {1}".format(self.obj_name, pos), self.obj_vm.profile.strict) def __setitem__(self, pos, value): ## Get the item, then try writing to it item = self.__getitem__(pos) if item != None: item.write(value) class CType(BaseObject): """ A CType is an object which represents a c struct """ def __init__(self, theType, offset, vm, name = None, members = None, struct_size = 0, **kwargs): """ This must be instantiated with a dict of members. The keys are the offsets, the values are Curried Object classes that will be instantiated when accessed. 
""" if not members: # Warn rather than raise an error, since some types (_HARDWARE_PTE, for example) are generated without members debug.debug("No members specified for CType {0} named {1}".format(theType, name), level = 2) members = {} self.members = members self.struct_size = struct_size BaseObject.__init__(self, theType, offset, vm, name = name, **kwargs) self.__initialized = True def size(self): return self.struct_size def __repr__(self): return "[{0} {1}] @ 0x{2:08X}".format(self.__class__.__name__, self.obj_name or '', self.obj_offset) def d(self): result = self.__repr__() + "\n" for k in self.members.keys(): result += " {0} -\n {1}\n".format(k, self.m(k)) return result def v(self): """ When a struct is evaluated we just return our offset. """ # Ensure that proxied offsets are converted to longs # to avoid integer boundaries when doing __rand__ proxying # (see issue 265) return long(self.obj_offset) def m(self, attr): if attr in self.members: # Allow the element to be a callable rather than a list - this is # useful for aliasing member names element = self.members[attr] if callable(element): return element(self) offset, cls = element elif attr.find('__') > 0 and attr[attr.find('__'):] in self.members: offset, cls = self.members[attr[attr.find('__'):]] else: ## hmm - tough choice - should we raise or should we not #return NoneObject("Struct {0} has no member {1}".format(self.obj_name, attr)) raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr)) if callable(offset): ## If offset is specified as a callable its an absolute ## offset offset = int(offset(self)) else: ## Otherwise its relative to the start of our struct offset = int(offset) + int(self.obj_offset) try: result = cls(offset = offset, vm = self.obj_vm, parent = self, name = attr, native_vm = self.obj_native_vm) except InvalidOffsetError, e: return NoneObject(str(e)) return result def __getattr__(self, attr): return self.m(attr) def __setattr__(self, attr, value): """Change 
        underlying members"""
        # Special magic to allow initialization
        if not self.__dict__.has_key('_CType__initialized'):  # this test allows attributes to be set in the __init__ method
            return BaseObject.__setattr__(self, attr, value)
        elif self.__dict__.has_key(attr):  # any normal attributes are handled normally
            return BaseObject.__setattr__(self, attr, value)
        else:
            obj = self.m(attr)
            if hasattr(obj, 'write'):
                if not obj.write(value):
                    raise ValueError("Error writing value to member " + attr)
                return

        # If you hit this, consider using obj.newattr('attr', value)
        raise ValueError("Attribute " + attr + " was set after object initialization")

class VolatilityMagic(BaseObject):
    """Class to contain Volatility Magic value"""

    # TODO: At some point, make it possible to use these without requiring .v()
    # by making them inherit from NumericProxyMixIn when they're supposed to be numeric values

    def __init__(self, theType, offset, vm, value = None, configname = None, **kwargs):
        try:
            BaseObject.__init__(self, theType, offset, vm, **kwargs)
        except InvalidOffsetError:
            pass
        # If we've been given a configname override,
        # then override the value with the one from the config
        self.configname = configname
        if self.configname:
            configval = getattr(self.obj_vm.get_config(), self.configname)
            # Check the configvalue is actually set to something
            if configval:
                value = configval
        self.value = value

    def v(self):
        # We explicitly want to check for None,
        # in case the user wants a value
        # that gives not self.value = True
        if self.value is None:
            return self.get_best_suggestion()
        else:
            return self.value

    def __str__(self):
        return self.v()

    def get_suggestions(self):
        """Returns a list of possible suggestions for the value

           These should be returned in order of likelihood,
           since the first one will be taken as the best suggestion

           This is also to avoid a complete scan of the memory address space,
           since
        """
        if self.value:
            yield self.value
        for x in self.generate_suggestions():
            yield x

    def generate_suggestions(self):
        raise StopIteration("No suggestions available")

    def get_best_suggestion(self):
        """Returns the best suggestion for a list of possible suggestions"""
        for val in self.get_suggestions():
            return val
        else:
            return NoneObject("No suggestions available")

def VolMagic(vm):
    """Convenience function to save people typing out an actual obj.Object call"""
    return Object("VOLATILITY_MAGIC", 0x0, vm = vm)

#### This must live here, otherwise there are circular dependency issues
##
## The Profile relies on several classes in obj.py, because
## it needs to parse legacy list formats into appropriate types
## Leaving a deprecated obj.Profile object would create a circular dependency
##
## Profiles are the interface for creating/interpreting
## objects

class Profile(object):

    native_mapping = {'32bit': native_types.x86_native_types,
                      '64bit': native_types.x64_native_types}

    def __init__(self, strict = False):
        self.strict = strict
        self._mods = []

        # The "output" variables
        self.types = {}
        self.object_classes = {}
        self.native_types = {}

        # Place for modifications to extend profiles with additional (profile-specific) information
        self.additional = {}

        # Set up the "input" data
        self.vtypes = {}

        # Carry out the initial setup
        self.reset()

    @property
    def applied_modifications(self):
        return self._mods

    def clear(self):
        """ Clears out the input vtypes and object_classes, and only the base object types """
        # Prepopulate object_classes with base classes
        self.object_classes = {'BitField': BitField,
                               'Pointer': Pointer,
                               'Void': Void,
                               'Array': Array,
                               'CType': CType,
                               'VolatilityMagic': VolatilityMagic}
        # Ensure VOLATILITY_MAGIC is always present in vtypes
        self.vtypes = {'VOLATILITY_MAGIC' : [0x0, {}]}
        # Clear out the ordering that modifications were applied (since now, none were)
        self._mods = []

    def reset(self):
        """ Resets the profile's vtypes to those automatically loaded """
        # Clear everything out
        self.clear()
        # Setup the initial vtypes and native_types
        self.load_vtypes()
        # Run through any modifications (new vtypes/overlays, object_classes)
        self.load_modifications()
        # Recompile
        self.compile()

    def load_vtypes(self):
        """ Identifies the module from which to load the vtypes

            Eventually this could do the importing directly, and avoid having
            the profiles loaded in memory all at once.
        """
        ntvar = self.metadata.get('memory_model', '32bit')
        self.native_types = copy.deepcopy(self.native_mapping.get(ntvar))

        vtype_module = self.metadata.get('vtype_module', None)
        if not vtype_module:
            debug.warning("No vtypes specified for this profile")
        else:
            module = sys.modules.get(vtype_module, None)

            # Try to locate the _types dictionary
            for i in dir(module):
                if i.endswith('_types'):
                    self.vtypes.update(getattr(module, i))

    def load_modifications(self):
        """ Find all subclasses of the modification type and applies them

            Each modification object can specify the metadata with which it can work
            Allowing the overlay to decide which profile it should act on
        """

        # Collect together all the applicable modifications
        mods = {}
        for i in self._get_subclasses(ProfileModification):
            modname = i.__name__
            instance = i()
            # Leave abstract modifications out of the dependency tree
            # Also don't consider the base ProfileModification object
            if not modname.startswith("Abstract") and i != ProfileModification:
                if modname in mods:
                    raise RuntimeError("Duplicate profile modification name {0} found".format(modname))
                mods[instance.__class__.__name__] = instance

        # Run through the modifications in dependency order
        self._mods = []
        for modname in self._resolve_mod_dependencies(mods.values()):
            mod = mods.get(modname, None)
            # We check for invalid/mistyped modification names, AbstractModifications should be caught by this too
            if not mod:
                # Note, this does not allow for optional dependencies
                raise RuntimeError("No concrete ProfileModification found for " + modname)
            if mod.check(self):
                debug.debug("Applying modification from " + mod.__class__.__name__)
                self._mods.append(mod.__class__.__name__)
                mod.modification(self)

    def compile(self):
        """ Compiles the vtypes, overlays, object_classes, etc into a types dictionary

            We populate as we go, so that _list_to_type can refer to existing classes
            rather than Curry everything. If the compile fails, the profile will be
            left in a bad/unusable state
        """

        # Load the native types
        self.types = {}
        for nt, value in self.native_types.items():
            if type(value) == list:
                self.types[nt] = Curry(NativeType, nt, format_string = value[1])

        # Go through the vtypes, creating the stubs for object creation at
        # a later point by the Object factory
        for name in self.vtypes.keys():
            self.types[name] = self._convert_members(name)

        # Add in any object_classes that had no defined members, for completeness
        for name in self.object_classes.keys():
            if name not in self.types:
                self.types[name] = Curry(self.object_classes[name], name)

    @property
    def metadata(self):
        """ Returns a read-only dictionary copy of the metadata associated with a profile """
        prefix = '_md_'
        result = {}
        for i in dir(self):
            if i.startswith(prefix):
                result[i[len(prefix):]] = getattr(self, i)
        return result

    def _get_subclasses(self, cls):
        """Returns a list of all subclasses"""
        for i in cls.__subclasses__():
            for c in self._get_subclasses(i):
                yield c
        yield cls

    def _get_dummy_obj(self, name):
        """ Returns a dummy object/profile for use in determining size and offset of substructures.

            This is done since profiles are effectively a compiled language, so reading the value from
            self.vtypes may not be accurate.
        """
        class dummy(object):
            profile = self
            name = 'dummy'
            def is_valid_address(self, _offset):
                """States that every address is valid, since we tend not to care"""
                return True
            def read(self, _addr, _length):
                """Returns no data when reading"""
                return None

        tmp = self.types[name](offset = 0, name = name, vm = dummy(), parent = None)
        return tmp

    def has_type(self, theType):
        """ Returns a simple check of whether the type is in the profile """
        return theType in self.types

    def get_obj_offset(self, name, member):
        """ Returns a member's offset within the struct """
        tmp = self._get_dummy_obj(name)
        offset, _cls = tmp.members[member]

        return offset

    def get_obj_size(self, name):
        """Returns the size of a struct"""
        tmp = self._get_dummy_obj(name)
        return tmp.size()

    def obj_has_member(self, name, member):
        """Returns whether an object has a certain member"""
        tmp = self._get_dummy_obj(name)
        return hasattr(tmp, member)

    def merge_overlay(self, overlay):
        """Applies an overlay to the profile's vtypes"""
        for k, v in overlay.items():
            if k not in self.vtypes:
                debug.warning("Overlay structure {0} not present in vtypes".format(k))
            else:
                self.vtypes[k] = self._apply_overlay(self.vtypes[k], v)

    def add_types(self, vtypes, overlay = None):
        """ Add in a deprecated function that mimics the previous add_types function """
        debug.warning("Deprecation warning: A plugin is making use of profile.add_types")
        self.vtypes.update(vtypes)
        if overlay:
            self.merge_overlay(overlay)
        self.compile()

    def apply_overlay(self, *args, **kwargs):
        """ Calls the old apply_overlay function with a deprecation warning """
        debug.warning("Deprecation warning: A plugin is making use of profile.apply_overlay")
        return self._apply_overlay(*args, **kwargs)

    def _apply_overlay(self, type_member, overlay):
        """ Update the overlay with the missing information from type.

            Basically if overlay has None in any slot it gets applied from vtype.

            We make extensive use of copy.deepcopy to ensure we don't modify the
            original variables. Some of the calls may not be necessary (specifically
            the return of type_member and overlay) but this saves us the concern that
            things will get changed later and have a difficult-to-track down knock-on
            effect.
        """
        # If we've been called without an overlay,
        # the end result should be a complete copy of the type_member
        if not overlay:
            return copy.deepcopy(type_member)

        if isinstance(type_member, dict):
            result = copy.deepcopy(type_member)
            for k, v in overlay.items():
                if k not in type_member:
                    result[k] = v
                else:
                    result[k] = self._apply_overlay(type_member[k], v)

        elif isinstance(overlay, list):
            # If we're changing the underlying type, skip looking any further
            if len(overlay) != len(type_member):
                return copy.deepcopy(overlay)

            result = []
            # Otherwise go through every item
            for i in range(len(overlay)):
                if overlay[i] == None:
                    result.append(type_member[i])
                else:
                    result.append(self._apply_overlay(type_member[i], overlay[i]))
        else:
            return copy.deepcopy(overlay)

        return result

    def _resolve_mod_dependencies(self, mods):
        """ Resolves the modification dependencies, providing an ordered list
            of all modifications whose only dependencies are in earlier lists
        """
        # Convert the before/after to a directed graph
        result = []
        data = {}
        for mod in mods:
            before, after = mod.dependencies(self)
            data[mod.__class__.__name__] = data.get(mod.__class__.__name__, set([])).union(set(before))
            for a in after:
                data[a] = data.get(a, set([])).union(set([mod.__class__.__name__]))

        # Ignore self dependencies
        for k, v in data.items():
            v.discard(k)

        # Fill out any items not in the original data list, as having no dependencies
        extra_items_in_deps = reduce(set.union, data.values()) - set(data.keys())
        for item in extra_items_in_deps:
            data.update({item:set()})

        while True:
            # Pull out all the items with no dependencies
            nodeps = set([item for item, dep in data.items() if not dep])
            # If there's none left then we're done
            if not nodeps:
                break
            result.append(sorted(nodeps))
            # Any items we just returned, remove from all dependencies
            for item, dep in data.items():
                if item not in nodeps:
                    data[item] = (dep - nodeps)
                else:
                    data.pop(item)

        # Check there's no dependencies left, if there are we've got a cycle
        if data:
            debug.warning("A cyclic dependency exists amongst {0}".format(data))
            raise StopIteration

        # Finally, after having checked for no cycles, flatten and return the results
        for s in result:
            for i in s:
                yield i

    def _list_to_type(self, name, typeList, typeDict = None):
        """ Parses a specification list and returns a VType object.

            This function is a bit complex because we support lots of
            different list types for backwards compatibility.
        """
        ## This supports plugin memory objects:
        try:
            kwargs = typeList[1]

            if type(kwargs) == dict:
                ## We have a list of the form [ ClassName, dict(.. args ..) ]
                return Curry(Object, theType = typeList[0], name = name, **kwargs)
        except (TypeError, IndexError), _e:
            pass

        ## This is of the form [ 'void' ]
        if typeList[0] == 'void':
            return Curry(Void, None, name = name)

        ## This is of the form [ 'pointer' , [ 'foobar' ]]
        if typeList[0] == 'pointer':
            try:
                target = typeList[1]
            except IndexError:
                raise RuntimeError("Syntax Error in pointer type defintion for name {0}".format(name))

            return Curry(Pointer, None,
                         name = name,
                         target = self._list_to_type(name, target, typeDict))

        ## This is an array: [ 'array', count, ['foobar'] ]
        if typeList[0] == 'array':
            return Curry(Array, None,
                         name = name, count = typeList[1],
                         target = self._list_to_type(name, typeList[2], typeDict))

        ## This is a list which refers to a type which is already defined
        if typeList[0] in self.types:
            return Curry(self.types[typeList[0]], name = name)

        ## Does it refer to a type which will be defined in future? in
        ## this case we just curry the Object function to provide
        ## it on demand. This allows us to define structures
        ## recursively.
        ##if typeList[0] in typeDict:
        try:
            tlargs = typeList[1]
        except IndexError:
            tlargs = {}

        obj_name = typeList[0]
        if type(tlargs) == dict:
            return Curry(Object, obj_name, name = name, **tlargs)

        ## If we get here we have no idea what this list is
        #raise RuntimeError("Error in parsing list {0}".format(typeList))
        debug.warning("Unable to find a type for {0}, assuming int".format(typeList[0]))
        return Curry(self.types['int'], name = name)

    def _convert_members(self, cname):
        """ Convert the structure named by cname from the c description
            present in vtypes into a list of members that can be used
            for later parsing.

            cname is the name of the struct.

            We expect the vtypes value to be a list of the following format

            [ Size of struct, members_dict ]

            members_dict is a dict of all members (fields) in this
            struct. The key is the member name, and the value is a list of
            this form:

            [ offset_from_start_of_struct, specification_list ]

            The specification list has the form specified by self._list_to_type() above.

            We return an object that is a CType or has been overridden by object_classes.
        """
        size, raw_members = self.vtypes.get(cname)

        members = {}
        for k, v in raw_members.items():
            if callable(v):
                members[k] = v
            elif v[0] == None:
                debug.warning("{0} has no offset in object {1}. Check that vtypes has a concrete definition for it.".format(k, cname))
            else:
                members[k] = (v[0], self._list_to_type(k, v[1], self.vtypes))

        ## Allow the plugins to override the class constructor here
        if self.object_classes and cname in self.object_classes:
            cls = self.object_classes[cname]
        else:
            cls = CType

        return Curry(cls, cname, members = members, struct_size = size)

class ProfileModification(object):
    """ Class for modifying profiles for additional functionality """
    before = []
    after = []
    conditions = {}

    def check(self, profile):
        """ Returns True or False as to whether the Modification should be applied """
        result = True
        for k, v in self.conditions.items():
            result = result and v(profile.metadata.get(k, None))
        return result

    def dependencies(self, profile):
        """ Returns a list of modifications that should go before this,
            and modifications that need to be after this
        """
        return self.before, self.after

    def modification(self, profile):
        """ Abstract function for modifying the profile """

volatility-2.3.1/volatility/timefmt.py

# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import os, time, calendar
import datetime
import volatility.conf as conf
import volatility.debug as debug
try:
    import pytz
    tz_pytz = True
except ImportError:
    tz_pytz = False

config = conf.ConfObject()

class OffsetTzInfo(datetime.tzinfo):
    """Timezone implementation that allows offsets specified in seconds"""
    def __init__(self, offset = None, *args, **kwargs):
        """Accepts offset in seconds"""
        self.offset = offset
        datetime.tzinfo.__init__(self, *args, **kwargs)

    def set_offset(self, offset):
        """Simple setter for offset"""
        self.offset = offset

    def utcoffset(self, dt):
        """Returns the offset from UTC"""
        if self.offset is None:
            return None
        return datetime.timedelta(seconds = self.offset) + self.dst(dt)

    def dst(self, _dt):
        """We almost certainly can't know about DST, so we say it's always off"""
        # FIXME: Maybe we can know or make guesses about DST?
        return datetime.timedelta(0)

    def tzname(self, _dt):
        """Return a useful timezone name"""
        if self.offset is None:
            return "UNKNOWN"
        return ""

class UTC(datetime.tzinfo):
    """Concrete instance of the UTC timezone"""

    def utcoffset(self, _dt):
        """Returns an offset from UTC of 0"""
        return datetime.timedelta(0)

    def dst(self, _dt):
        """Returns no daylight savings offset"""
        return datetime.timedelta(0)

    def tzname(self, _dt):
        """Returns the timezone name"""
        return "UTC"

def display_datetime(dt, custom_tz = None):
    """Returns a string from a datetime according to the display TZ (or a custom one)"""
    timeformat = "%Y-%m-%d %H:%M:%S %Z%z"
    if dt.tzinfo is not None and dt.tzinfo.utcoffset(dt) is not None:
        if custom_tz is not None:
            dt = dt.astimezone(custom_tz)
        elif config.TZ is not None:
            if isinstance(config.TZ, str):
                secs = calendar.timegm(dt.timetuple())
                os.environ['TZ'] = config.TZ
                time.tzset()
                # Remove the %z which appears not to work
                timeformat = timeformat[:-2]
                return time.strftime(timeformat, time.localtime(secs))
            else:
                dt = dt.astimezone(config.tz)
    return ("{0:" + timeformat + "}").format(dt)

def tz_from_string(_option, _opt_str, value, parser):
    """Stores a tzinfo object from a string"""
    if value is not None:
        if value[0] in ['+', '-']:
            # Handed a numeric offset, create an OffsetTzInfo
            valarray = [value[i:i + 2] for i in range(1, len(value), 2)]
            multipliers = [3600, 60]
            offset = 0
            for i in range(min(len(valarray), len(multipliers))):
                offset += int(valarray[i]) * multipliers[i]
            if value[0] == '-':
                offset = -offset
            timezone = OffsetTzInfo(offset = offset)
        else:
            # Value is a lookup, choose pytz over time.tzset
            if tz_pytz:
                try:
                    timezone = pytz.timezone(value)
                except pytz.UnknownTimeZoneError:
                    debug.error("Unknown display timezone specified")
            else:
                if not hasattr(time, 'tzset'):
                    debug.error("This operating system doesn't support tzset, please either specify an offset (eg. +1000) or install pytz")
                timezone = value
        parser.values.tz = timezone

config.add_option("TZ", action = "callback", callback = tz_from_string,
                  cache_invalidator = False,
                  help = "Sets the timezone for displaying timestamps",
                  default = None, nargs = 1, type = str)

volatility-2.3.1/volatility/dwarf.py

# Volatility
# Copyright (C) 2010 Brendan Dolan-Gavitt
# Copyright (c) 2011 Michael Cohen
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
#

import re

class DWARFParser(object):
    """A parser for DWARF files."""

    # Nasty, but appears to parse the lines we need
    # (group names match the keys that feed_line and process_statement read)
    dwarf_header_regex = re.compile(
        r'<(?P<level>\d+)><(?P<statement_id>[0-9+]+)><(?P<kind>\w+)>')
    dwarf_key_val_regex = re.compile(
        '\s*(?P<keyname>\w+)<(?P<val>[^>]*)>')
    dwarf_header_regex2 = re.compile(r'<(?P<level>\d+)><(?P<statement_id>0x[0-9a-fA-F]+([+]0x[0-9a-fA-F]+)?)><(?P<kind>\w+)>')

    sz2tp = {8: 'long long', 4: 'int', 2: 'short', 1: 'char'}
    tp2vol = {
        '_Bool': 'unsigned char',
        'char': 'char',
        'float': 'float',
        'double': 'double',
        'long double': 'double',
        'int': 'int',
        'long int': 'long',
        'long long int': 'long long',
        'long long unsigned int': 'unsigned long long',
        'long unsigned int': 'unsigned long',
        'short int': 'short',
        'short unsigned int': 'unsigned short',
        'signed char': 'signed char',
        'unsigned char': 'unsigned char',
        'unsigned int': 'unsigned int',
        'sizetype' : 'unsigned long',
    }

    def __init__(self, data = None):
        self.current_level = -1
        self.name_stack = []
        self.id_to_name = {}
        self.all_vtypes = {}
        self.vtypes = {}
        self.enums = {}
        self.all_vars = {}
        self.vars = {}
        self.all_local_vars = []
        self.local_vars = []
        self.anons = 0
        self.base = 10

        if data:
            for line in data.splitlines():
                self.feed_line(line)

    def resolve(self, memb):
        """Lookup anonymous member and replace it with a well known one."""
        # Reference to another type
        if isinstance(memb, str) and memb.startswith('<'):
            if memb[1:3] == "0x":
                memb = "<0x" + memb[3:].lstrip('0')

            resolved = self.id_to_name[memb[1:]]

            return self.resolve(resolved)

        elif isinstance(memb, list):
            return [self.resolve(r) for r in memb]
        else:
            # Literal
            return memb

    def resolve_refs(self):
        """Replace references with types."""
        for v in self.vtypes:
            for m in self.vtypes[v][1]:
                self.vtypes[v][1][m] = self.resolve(self.vtypes[v][1][m])

        return self.vtypes

    def deep_replace(self, t, search, repl):
        """Recursively replace anonymous references."""
        if t == search:
            return repl

        elif isinstance(t, list):
            return [self.deep_replace(x, search, repl) for x in t]
        else:
            return t

    def get_deepest(self, t):
        if isinstance(t, list):
            if len(t) == 1:
                return t[0]
            else:
                for part in t:
                    res = self.get_deepest(part)
                    if res:
                        return res

                return None

        return None

    def base_type_name(self, data):
        """Replace references to base types."""
        if 'DW_AT_name' in data:
            return self.tp2vol[data['DW_AT_name'].strip('"')]
        else:
            sz = int(data['DW_AT_byte_size'], self.base)
            if data['DW_AT_encoding'] == 'DW_ATE_unsigned':
                return 'unsigned ' + self.sz2tp[sz]
            else:
                return self.sz2tp[sz]

    def feed_line(self, line):
        """Accepts another line from the input.

        A DWARF line looks like:
        <2><1442> DW_AT_name ...

        The header is level, statement_id, and kind followed by key value pairs.
        """
        # Does the header match?
        m = self.dwarf_header_regex.match(line)
        if self.dwarf_header_regex2.match(line):
            m = self.dwarf_header_regex2.match(line)
            self.base = 16
        if m:
            parsed = m.groupdict()
            parsed['data'] = {}
            # Now parse the key value pairs
            while m:
                i = m.end()
                m = self.dwarf_key_val_regex.search(line, i)
                if m:
                    d = m.groupdict()
                    parsed['data'][d['keyname']] = d['val']

            if parsed['kind'] in ('DW_TAG_formal_parameter', 'DW_TAG_variable'):
                self.process_variable(parsed['data'])
            else:
                self.process_statement(**parsed) #pylint: disable-msg=W0142

    def process_statement(self, kind, level, data, statement_id):
        """Process a single parsed statement."""
        new_level = int(level)
        if new_level > self.current_level:
            self.current_level = new_level
            self.name_stack.append([])
        elif new_level < self.current_level:
            self.name_stack = self.name_stack[:new_level + 1]
            self.current_level = new_level

        self.name_stack[-1] = [kind, statement_id]

        try:
            parent_kind, parent_name = self.name_stack[-2]
        except IndexError:
            parent_kind, parent_name = (None, None)

        if kind == 'DW_TAG_compile_unit':
            self.finalize()
            self.vtypes = {}
            self.vars = {}
            self.all_local_vars += self.local_vars
            self.local_vars = []
            self.id_to_name = {}

        elif kind == 'DW_TAG_structure_type':
            name = data.get('DW_AT_name', "__unnamed_%s" % statement_id).strip('"')
            self.name_stack[-1][1] = name
            self.id_to_name[statement_id] = [name]

            # If it's just a forward declaration, we want the name around,
            # but there won't be a size
            if 'DW_AT_declaration' not in data:
                self.vtypes[name] = [ int(data['DW_AT_byte_size'], self.base), {} ]

        elif kind == 'DW_TAG_union_type':
            name = data.get('DW_AT_name', "__unnamed_%s" % statement_id).strip('"')
            self.name_stack[-1][1] = name
            self.id_to_name[statement_id] = [name]
            self.vtypes[name] = [ int(data['DW_AT_byte_size'], self.base), {} ]

        elif kind == 'DW_TAG_array_type':
            self.name_stack[-1][1] = statement_id
            self.id_to_name[statement_id] = data['DW_AT_type']

        elif kind == 'DW_TAG_enumeration_type':
            name = data.get('DW_AT_name', "__unnamed_%s" % statement_id).strip('"')
            self.name_stack[-1][1] = name
            self.id_to_name[statement_id] = [name]

            # If it's just a forward declaration, we want the name around,
            # but there won't be a size
            if 'DW_AT_declaration' not in data:
                sz = int(data['DW_AT_byte_size'], self.base)
                self.enums[name] = [sz, {}]

        elif kind == 'DW_TAG_pointer_type':
            self.id_to_name[statement_id] = ['pointer', data.get('DW_AT_type', ['void'])]

        elif kind == 'DW_TAG_base_type':
            self.id_to_name[statement_id] = [self.base_type_name(data)]

        elif kind == 'DW_TAG_volatile_type':
            self.id_to_name[statement_id] = data.get('DW_AT_type', ['void'])

        elif kind == 'DW_TAG_const_type':
            self.id_to_name[statement_id] = data.get('DW_AT_type', ['void'])

        elif kind == 'DW_TAG_typedef':
            self.id_to_name[statement_id] = data['DW_AT_type']

        elif kind == 'DW_TAG_subroutine_type':
            self.id_to_name[statement_id] = ['void']         # Don't need these

        elif kind == 'DW_TAG_variable' and level == '1':
            if 'DW_AT_location' in data:
                split = data['DW_AT_location'].split()
                if len(split) > 1:
                    loc = int(split[1], 0)
                    self.vars[data['DW_AT_name']] = [loc, data['DW_AT_type']]

        elif kind == 'DW_TAG_subprogram':
            # IDEK
            pass

        elif kind == 'DW_TAG_member' and parent_kind == 'DW_TAG_structure_type':
            name = data.get('DW_AT_name', "__unnamed_%s" % statement_id).strip('"')
            try:
                off = int(data['DW_AT_data_member_location'].split()[1])
            except:
                d = data['DW_AT_data_member_location']
                idx = d.find("(")

                if idx != -1:
                    d = d[:idx]

                off = int(d)

            if 'DW_AT_bit_size' in data and 'DW_AT_bit_offset' in data:
                full_size = int(data['DW_AT_byte_size'], self.base) * 8
                stbit = int(data['DW_AT_bit_offset'], self.base)
                edbit = stbit + int(data['DW_AT_bit_size'], self.base)
                stbit = full_size - stbit
                edbit = full_size - edbit
                stbit, edbit = edbit, stbit
                assert stbit < edbit
                memb_tp = ['BitField', dict(start_bit = stbit, end_bit = edbit)]
            else:
                memb_tp = data['DW_AT_type']

            self.vtypes[parent_name][1][name] = [off, memb_tp]

        elif kind == 'DW_TAG_member' and parent_kind == 'DW_TAG_union_type':
            name = data.get('DW_AT_name', "__unnamed_%s" % statement_id).strip('"')
            self.vtypes[parent_name][1][name] = [0, data['DW_AT_type']]

        elif kind == 'DW_TAG_enumerator' and parent_kind == 'DW_TAG_enumeration_type':
            name = data['DW_AT_name'].strip('"')
            try:
                val = int(data['DW_AT_const_value'])
            except ValueError:
                val = int(data['DW_AT_const_value'].split('(')[0], self.base)

            self.enums[parent_name][1][name] = val

        elif kind == 'DW_TAG_subrange_type' and parent_kind == 'DW_TAG_array_type':
            if 'DW_AT_upper_bound' in data:
                try:
                    sz = int(data['DW_AT_upper_bound'])
                except ValueError:
                    try:
                        sz = int(data['DW_AT_upper_bound'].split('(')[0])
                    except ValueError:
                        # Give up
                        sz = 0
                sz += 1
            else:
                sz = 0

            tp = self.id_to_name[parent_name]
            self.id_to_name[parent_name] = ['array', sz, tp]
        else:
            pass
            #print "Skipping unsupported tag %s" % parsed['kind']

    def process_variable(self, data):
        """Process a local variable."""
        if ('DW_AT_name' in data and 'DW_AT_decl_line' in data and
            'DW_AT_type' in data):
            self.local_vars.append(
                (data['DW_AT_name'], int(data['DW_AT_decl_line'], self.base),
                 data['DW_AT_decl_file'].split()[1], data['DW_AT_type']))

    def finalize(self):
        """Finalize the output."""
        if self.vtypes:
            self.vtypes = self.resolve_refs()
            self.all_vtypes.update(self.vtypes)
        if self.vars:
            self.vars = dict(((k, self.resolve(v)) for k, v in self.vars.items()))
            self.all_vars.update(self.vars)
        if self.local_vars:
            self.local_vars = [ (name, lineno, decl_file, self.resolve(tp)) for
                                (name, lineno, decl_file, tp) in self.local_vars ]
            self.all_local_vars += self.local_vars

        # Get rid of unneeded unknowns (shades of Rumsfeld here)
        # Needs to be done in fixed point fashion
        changed = True
        while changed:
            changed = False
            s = set()
            for m in self.all_vtypes:
                for t in self.all_vtypes[m][1].values():
                    s.add(self.get_deepest(t))
            for m in self.all_vars:
                s.add(self.get_deepest(self.all_vars[m][1]))
            for v in list(self.all_vtypes):
                if v.startswith('__unnamed_') and v not in s:
                    del self.all_vtypes[v]
                    changed = True

        # Merge the enums into the types directly:
        for t in self.all_vtypes:
            for m in list(self.all_vtypes[t][1]):
                memb = self.all_vtypes[t][1][m]
                d = self.get_deepest(memb)
                if d in self.enums:
                    sz = self.enums[d][0]
                    vals = dict((v, k) for k, v in self.enums[d][1].items())
                    self.all_vtypes[t][1][m] = self.deep_replace(
                        memb, [d],
                        ['Enumeration', dict(target = self.sz2tp[sz], choices = vals)]
                    )

        return self.all_vtypes

    def print_output(self):
        self.finalize()
        print "linux_types = {"

        for t in self.all_vtypes:
            print " '%s': [ %#x, {" % (t, self.all_vtypes[t][0])
            for m in sorted(self.all_vtypes[t][1], key = lambda m: self.all_vtypes[t][1][m][0]):
                print " '%s': [%#x, %s]," % (m, self.all_vtypes[t][1][m][0], self.all_vtypes[t][1][m][1])
            print "}],"
        print "}"
        print
        print "linux_gvars = {"
        for v in sorted(self.all_vars, key = lambda v: self.all_vars[v][0]):
            print " '%s': [%#010x, %s]," % (v, self.all_vars[v][0], self.all_vars[v][1])
        print "}"

if __name__ == '__main__':
    import sys
    dp = DWARFParser(open(sys.argv[1], "rb").read())
    dp.print_output()

volatility-2.3.1/PKG-INFO

Metadata-Version: 1.0
Name: volatility
Version: 2.3.1
Summary: Volatility -- Volatile memory framwork
Home-page: http://www.volatilityfoundation.org
Author: AAron Walters
Author-email: awalters@4tphi.net
License: GPL
Description: UNKNOWN
Platform: UNKNOWN

volatility-2.3.1/CHANGELOG.txt

Changelog

As of Volatility 2.0, all changes are now tracked on the Google Code site:
https://code.google.com/p/volatility/updates/list

04.8.2009 Volatility-1.3.1 moyix

    * Update: Introduce BufferAddressSpace and refactor
    * Files: forensics/addrspace.py
             forensics/object.py

    Description:
    Added a new BufferAddressSpace class that acts like a regular
    FileAddressSpace, but can be instantiated from a string buffer. This
    allows any function that expects an address space to work on a buffer
    instead. Also refactored the *_buf functions in object.py to use this
    class instead (reduces code duplication). Thanks to Michael Cohen for
    the idea.

04.8.2009 Volatility-1.3.1 moyix

    * Update: Add support for inactive hiberfiles to hibinfo
    * Files: forensics/win32/hiber_addrspace.py

    Description:
    Added the ability to convert hibernation files that are in the
    "inactive" state (their first page is zeroed) to dd format. It is
    still not possible to run Volatility directly on such files, but they
    can now be converted for analysis. Thanks to Jon Evans for the
    suggestion.

04.8.2009 Volatility-1.3.1 moyix

    * Update: Pool scanning enhancements
    * Files: forensics/win32/scan2.py
             forensics/object.py

    Description:
    Incorporated new functions written by Andreas Schuster to allow more
    fine-grained checks in pool scanners, and modularize some of the
    accessors (get_poolsize, get_poolsize, etc.). The patch also adds
    read_unicode_string_buf and read_string_buf, which operate on string
    buffers. Thanks to Andreas Schuster for the patch.

04.7.2009 Volatility-1.3 awalters

    * Update: Handle table parsing
    * Files: forensics/win32/handles.py

    Description:
    Updated handle parsing code to fix typo. It was not adding the
    correct offset for Level 3 tables. It was also not traversing all the
    entries.
Thanks to Brendan Dolan-Gavitt. 04.7.2009 Volatility-1.3 awalters * Update: Network Offsets * Files: forensics/win32/network.py Description: Added new offset updates. Thanks to Jun Koi. 03.17.2009 Volatility-1.3 awalters * Update: x86.py robustness * Files: forensics/x86.py Description: Added more robustness to the x86 address space. This time it focused on PAE. Certain samples were reading outside of the physical address space. Thanks to Brendan Dolan-Gavitt for patch. 03.17.2009 Volatility-1.3.1 awalters * Bug: Hiberfil Address space w * Files: forensics\win32\hiber_addrspace.py Description: Needed to import the PAE address space. This only meant that hibinfo was having some issue. It would still process hiberfil's just fine. Thanks to Andreas Schuster for the bug report. 03.17.2009 Volatility-1.3.1 awalters * Update: New version of tcp driver needed new offsets in SP3 * Files: forensics/win32/network.py forensics/win32/scan2.py forensics/win32/scan.py Description: Added new offsets to network to handle new driver. Updated scan2 and scan as well to support new pool allocation size. Thanks to Brendan Dolan-Gavitt. 02.22.2009 Volatility-1.3.1 awalters * Update: procdump check peb * Files: vmodules.py Description: Added a check to make sure that the PEB is memory resident. 02.05.2009 Volatility-1.3.1 awalters * Update: Handle parsing * Files: forensics/win32/handles.py vmodules.py Description: Updated handle parsing code to correctly handle middle and upper layer handles in multi-level schemes. Also changed files to now use the common parsing code. 12.11.2008 Volatility-1.3.1 awalters * Update: Plugin Generators * Files: forensics/commands.py memory_plugins/example4.py vutils.py Description: Added the ability to use generators in your plugins. This is extremely powerful and allows us to support arbitrary output formats. Thanks to Michael Cohen for the patch. 

12.11.2008 Volatility-1.3.1 awalters
  * Update: Object Inheritance
  * Files: forensics/object2.py forensics/registry.py memory_plugins/example3.py
    Description: Plugin creators are now able to express an inheritance order associated with an object. The default is the Profile objects. This fixes a problem associated with collisions. Thanks to Cameron C Caffee for the bug report and thanks to Brendan Dolan-Gavitt and Michael Cohen for insightful discussions.

12.10.2008 Volatility-1.3.1 awalters
  * Update: lists.py
  * Files: forensics/win32/lists.py
    Description: Added Brendan Dolan-Gavitt lists.py file for traversing kernel linked lists. Thanks Brendan.

12.06.2008 Volatility-1.3.1 awalters
  * Bug: Crashdump base address space
  * Files: forensics/win32/tasks.py
    Description: Changed find_csdversion so that it does not pass in the filename. Made fname an optional parameter to process_addr_space since it is no longer being used and only maintained for backward compatibility. Thanks to Richard Austin for the bug report.

11.25.2008 Volatility-1.3.1 awalters
  * Bug: modules_list
  * Files: forensics/win32/modules.py
    Description: Added a check to make sure both PsLoadedModuleList and this module were defined.

11.25.2008 Volatility-1.3.1 awalters
  * Update: Tabs and spaces
  * Files: Too Many
    Description: Spent some quality time with the tab nanny.

11.25.2008 Volatility-1.3.1 awalters
  * Bug: Added more checks for registry objects
  * Files: forensics/win32/registry.py
    Description: Added more checks in print_entry_keys for invalid pages. Some of the key path was crossing page boundaries so more checks needed to be added. Thanks to Christian Herndler for the bug report.

11.22.2008 Volatility-1.3.1 awalters
  * Update: get_obj_offset no longer modifies passed in list
  * Files: forensics/object.py
    Description: get_obj_offset previously modified the passed-in list used to represent type information. Now it works on a copy to prevent unexpected behavior.
    Thanks to Brendan Dolan-Gavitt for the update.

11.17.2008 Volatility-1.3.1 awalters
  * Bug: Checks to make sure KeyControlBlock is a valid address
  * Files: forensics/win32/registry.py
    Description: print_entry_keys has been updated to check that KeyControlBlock is a valid address. Thanks to Christian Herndler for the bug report and Brendan Dolan-Gavitt for the bug fix.

11.15.2008 Volatility-1.3.1 awalters
  * Update: removed sha module from crashdump
  * Files: forensics/win32/crashdump.py
    Description: Removed the attempt to import the sha module since it generates a warning with Python 2.6. Thanks to STC for reporting the issue.

11.14.2008 Volatility-1.3.1 awalters
  * Bug: added more checks in object parsing for invalid pages
  * Files: forensics/win32/handles.py forensics/win32/registry.py vmodules.py
    Description: Added more checks for invalid pages while processing the object directory. Thanks to Christian Herndler for the bug report.

11.03.2008 Volatility-1.3.1 awalters
  * Bug: Python 2.5 finally
  * Files: vmodules.py
    Description: Removed the finally clause that is only available in Python 2.5. Thanks to Cameron Caffee for the bug report and Brendan Dolan-Gavitt for the bug fix.

10.17.2008 Volatility-1.3.1 awalters
  * Bug: Checking for invalid pages
  * Files: forensics/object2.py
    Description: Added more checks to object2 to make sure the addresses being accessed are valid. If not, then they now return a None. Thanks to Jesse Kornblum for submitting a patch.

9.27.2008 Volatility-1.3.1 awalters
  * Update: plugin directory now relative to registry
  * Files: forensics/registry.py
    Description: The plugin search is now performed relative to registry.py. Thanks to Michael Cohen for the patch.

9.4.2008 Volatility-1.3.1 awalters
  * Bug: length bug in hiberaddrspace
  * Files: forensics\win32\hiber_addrspace.py
    Description: We were referencing an undefined length variable. Thanks to Andreas Schuster for sending the patch.

9.4.2008 Volatility-1.3.1 awalters
  * Update: Find the plugin modules
  * Files: forensics/registry.py
    Description: Added the absolute path to search for dynamic plugins. This allows volatility to be called from anywhere on the system. Thanks to Andreas Schuster for sending the patch.

8.14.2008 Volatility-1.3 awalters
  * Update: x86.py robustness
  * Files: forensics/x86.py
    Description: Added more robustness to the x86 address space. Thanks to Brendan Dolan-Gavitt for sending in a bug report.

8.14.2008 Volatility-1.3 awalters
  * Update: Standardized _LDR_MODULE -> _LDR_DATA_TABLE_ENTRY
  * Files: forensics/win32/modules.py forensics/win32/scan.py forensics/win32/scan2.py
    Description: Changed the data type names to make them more standardized across operating system versions. Thanks Brendan Dolan-Gavitt for sending in update request.

6.26.2008 Volatility-1.3 awalters
  * Bug: regobjkey initialize list
  * Files: vmodules.py
    Description: When specifying an offset for regobjkey the list had not been initialized yet. Thanks to Brendan Dolan-Gavitt for sending in a bug report.

6.24.2008 Volatility-1.3 awalters
  * Update: 64-bit hosts
  * Files: forensics/object.py forensics/win32/crashdump.py forensics/win32/scan2.py forensics/win32/network.py forensics/win32/executable.py
    Description: Updated so that modules will work correctly when run from 64-bit hosts using python 2.5. Thanks to sham for sending in the bug report.

6.23.2008 Volatility-1.3 awalters
  * Bug: Non-resident Vad address
  * Files: forensics/win32/vad.py vmodules.py
    Description: Updated the vad modules to handle invalid addresses in low memory situations. Thanks to Bryan D. Payne for sending in a bug report.

6.23.2008 Volatility-1.3 awalters
  * Bug: Handle count paged
  * Files: forensics/win32/tasks.py
    Description: Received a sample where the ObjectTable was not a valid address. Added a check to make sure it is valid. Thanks to Bryan D. Payne for sending in a bug report.

6.22.2008 Volatility-1.3 awalters
  * Update: Ident info
  * Files: forensics/win32/tasks.py vutils.py
    Description: Updated ident command so that it correctly finds the version of XP, now that we have support for SP3. Thanks to jeremie0 for noticing and to Brendan Dolan-Gavitt for helping with the fix.

6.11.2008 Volatility-1.3 awalters
  * Update: Array Types
  * Files: forensics/object2.py
    Description: Changed arrays so that they now return objects in cases where they are not native types. Thanks to Brendan Dolan-Gavitt for the update!

6.8.2008 Volatility-1.3 awalters
  * Bug: Invalid page directories
  * Files: vmodules.py
    Description: Added code to catch the cases when we encounter invalid page directories. Thanks to both Angelo Cavallini and Brendan Dolan-Gavitt for reporting this bug.

6.8.2008 Volatility-1.3 awalters
  * Update: potential bad string characters (unicode escaping)
  * Files: forensics/win32/scan2.py forensics/object.py
    Description: Attempting to standardize error handling related to unicode conversions. Thus we are now passing an explicit error string argument. Thanks to Brendan Dolan-Gavitt.

6.8.2008 Volatility-1.3 awalters
  * Update: psscan2 check_dtb
  * Files: forensics/win32/scan2.py
    Description: Added a check from psscan to psscan2 in the check_dtb constraint to make sure the DTB had a value. Thanks Andreas Schuster!

6.7.2008 Volatility-1.3 awalters
  * Update: SP3 support
  * Files: forensics/win32/network.py
    Description: Made changes to support SP3.

5.21.2008 Volatility-1.3 awalters
  * Update: Changed create_addr_space api
  * Files: forensics/win32/tasks.py memory_objects/Windows/xp_sp2.py memory_plugins/example2.py memory_plugins/example3.py vmodules.py
    Description: Changed the create_addr_space API so that it does not require types or filename. This was an artifact of the way the function used to work.

5.17.2008 Volatility-1.3 awalters
  * Feature: New Object Model
  * Files: forensics/registry.py memory_objects/Windows/xp_sp2.py memory_plugins/example3.py forensics/object2.py forensics/win32/meta_info.py vutils.py
    Description: Added a new object model to make navigating the data structures more intuitive. All future modules will be transitioned to use this new model. Thanks to Brendan Dolan-Gavitt for all his help!

5.14.2008 Volatility-1.3 awalters
  * Feature: Plugin Architecture
  * Files: forensics/commands.py forensics/registry.py volatility memory_plugins/example1.py memory_plugins/example2.py
    Description: Added an entirely new plugin infrastructure. Now it is possible to load the commands dynamically just by adding them to the correct directory. This will allow people to support their own modules. This work is based on a similar registry implementation found in PyFlag. Thanks to Michael Cohen and David Collett for the great work they have done and help getting this code integrated.

5.13.2008 Volatility-1.3 awalters
  * Feature: Hiberfil support
  * Files: vmodules.py volatility forensics/win32/hiber_addrspace.py forensics/win32/xpress.py forensics/win32/scan.py forensics/win32/network.py forensics/win32/datetime.py
    Description: Added native hiberfil support. Also added the ability to convert from hiberfil to linear format. Now all the commands can be run against hiberfils natively. This is accomplished through the new hiberfil address space. Thanks to Matthieu Suiche and Brendan Dolan-Gavitt for all the great work they have done with hiberfil parsing and the xpress compression algorithm.

5.13.2008 Volatility-1.3 awalters
  * Feature: New scanning infrastructure
  * Files: vmodules.py volatility forensics/win32/scan2.py forensics/win32/globals.py forensics/win32/crash_addrspace.py forensics/win32/datetime.py
    Description: Added an entirely new OO scanning infrastructure. This allows for extremely fast scanning and easier scanning across the logical address spaces.
    As part of this we also ported the scanning modules over to the new infrastructure. Thanks to Michael Cohen and Andreas Schuster for the help and ideas to get this working!

5.7.2008 Volatility-1.3 awalters
  * Bug: get_available_addresses
  * Files: forensics/x86.py vmodules.py volatility
    Description: Fixed an off by 1 error in get_available_address for non-pae machines that seemed to have crept back in. Also changed the name of usrdmp to memdmp since it is really dumping a process's addressable memory. Thanks Eoghan Casey!

4.30.2008 Volatility-1.3 awalters
  * New Module: procdump
  * Files: forensics/win32/executable.py vtypes.py vmodules.py
    Description: Added a new module that will allow the analyst to extract the executable from memory for further analysis. Thanks to Brendan Dolan-Gavitt for all your hard work!

4.28.2008 Volatility-1.3 awalters
  * Bug: open registry keys
  * Files: forensics/win32/handles.py
    Description: During testing Brendan found a bug when processing object types. It would have been possible to enumerate KeyedEvents. Thanks Brendan Dolan-Gavitt!

4.28.2008 Volatility-1.3 awalters
  * New Module: regobjkey
  * Files: vmodules.py forensics/win32/registry.py forensics/win32/handles.py vtypes.py
    Description: Added a new module that will allow an analyst to dump the open registry keys found in the object table. Thanks to Brendan Dolan-Gavitt for his contributions!

4.27.2008 Volatility-1.3 awalters
  * Feature: psscan dot format
  * Files: vmodules.py forensics/win32/scan.py
    Description: Added the ability to print the output of psscan in dot format. Similar to that available by ptfinder by Andreas Schuster. This was requested by Eoghan Casey.

4.23.2008 Volatility-1.3 awalters
  * Usability: Pass pid or EPROCESS offset
    Files: vmodules.py forensics/win32/handles.py
    Description: Added the ability to dump files and dlllist by pid or EPROCESS offset. One reason this was asked for was to deal with data only attacks which may remove the process from process list.
    Thanks to Eoghan Casey for the feedback!

4.23.2008 Volatility-1.3 awalters
  * New Modules: dmp2raw, raw2dmp
    Files: vtypes.py vmodules.py forensics/win32/crashdump.py forensics/win32/info.py forensics/win32/tasks.py
    Description: Added modules to convert from raw dumps to crash dumps and vice versa. Thanks to Andreas Schuster for helping to get this started and thanks to Brendan Dolan-Gavitt for helping get it perfected!

4.23.2008 Volatility-1.3 awalters
  * Optimization: KUSER_SHARED_DATA
    Files: vmodules.py
    Description: Changed KUSER_SHARED_DATA in get_image_info and get_datetime to point to 0xFFDF0000 instead of 0x7ffe0000. Thanks Brendan Dolan-Gavitt!

4.1.2008 Volatility-1.2.3pre awalters
  * Bug: socket crash
    Files: forensics/win32/network.py
    Description: In get_open_sockets, we needed to make sure that the AddrObjAddr and AddrTableSize were not none and if they were fail gracefully. Thanks to Eoghan Casey for the bug report.

3.3.2008 Volatility-1.2.3pre awalters
  * Bug: get_obj_offset() non-builtin
    Files: forensics/object.py
    Description: Modified get_obj_offset to support arrays of non-builtin types. Thanks Brendan Dolan-Gavitt!

2.27.2008 Volatility-1.2.3pre awalters
  * Bug: Not traversing complete module list
    Files: forensics/win32/modules.py
    Description: Traversing the module list should not stop when it reaches a None but continue to the next module

2.27.2008 Volatility-1.2.3pre awalters
  * Bug: is_valid_address(addr)
    Files: forensics/addrspace.py forensics/x86.py
    Description: is_valid_address was failing to check if addr was None. This was found by analyzing hiberfile images. Thanks to Brendan Dolan-Gavitt and Andreas Schuster for helping me find the problem!

2.25.2008 Volatility-1.2.3pre awalters
  * Bug: hidden processes
    Files: vmodules.py
    Description: Both usrdmp and memmap were unable to handle hidden processes. They can now be passed the offset to an EPROCESS object. Thanks to Eoghan Casey for the bug report.

12.28.2007 Volatility-1.2.3pre awalters
  * Bug: 64 bit
    Files: forensics/addrspace.py forensics/object.py forensics/win32/scan.py forensics/x86.py forensics/win32/crash_addrspace.py
    Description: Fixed a bug that occurs when people are running Python 2.5 on a 64 bit OS. Python 2.5 changed the way that Python native types are stored and thus changed the unpack usage. Thanks to Jamie Levy and students!

11.28.2007 Volatility-1.2.2pre awalters
  * Bug: memmap
    Files: vmodules.py
    Description: mem_map fixed so that you can specify a particular process.

11.28.2007 Volatility-1.2.2pre awalters
  * Bug: dtb_aligned
    Files: forensics/win32/scan.py
    Description: On systems using PAE, EPROCESS.DirectoryTableBase actually points to the base of the page directory pointer array. Thanks Andreas Schuster.

11.27.2007 Volatility-1.2.2pre awalters
  * Optimization: find_dtb
    Files: forensics/win32/tasks.py
    Description: Dramatically reduced the time for find_dtb. Thanks Michael Cohen.

09.21.2007 Volatility-1.2.1pre awalters
  * New Module: usrdmp
    Files: vmodules.py
    Description: Dumps a process's address space. Thanks Eoghan Casey.

09.20.2007 Volatility-1.2pre awalters
  * New Module: modscan
    Files: vmodules.py forensics/win32/scan.py forensics/win32/globals.py
    Description: Performs a linear scan for memory resident Windows modules. Contributed by Andreas Schuster.
  * New Module: memmap
    Files: vmodules.py forensics/x86.py
    Description: Provides a map of the virtual to physical address translations within a particular address space. Based on similar tools by Andreas Schuster (memdump.pl) and Brendan Dolan-Gavitt (memdump.py).
  * New Module: dmpchk
    Files: vmodules.py forensics/win32/crash_addrspace.py
    Description: Prints auxiliary information about the crash dump file.
  * New Module: WindowsCrashDumpSpace32
    Files: forensics/x86.py forensics/win32/crash_addrspace.py
    Description: Provides the ability to use crash dumps as input to Volatility. This is accomplished through the use of stackable address spaces.
    Contributions from Andreas Schuster.
  * New Feature: get_available_pages()
    Files: forensics/x86.py
    Description: This function allows an investigator to find all available pages within a particular address space. Thanks Brendan Dolan-Gavitt.
  * New Feature: zread()
    Files: forensics/x86.py forensics/addrspace.py forensics/win32/crash_addrspace.py
    Description: Added the ability to continue reading even if pages are unavailable. Invalid pages are replaced with zeros. Thanks Brendan Dolan-Gavitt.

07.31.2007 Volatility-1.1.1 awalters
  * Virtual Address Descriptor modules: vadinfo, vaddump, vadwalk. Based on the research of Brendan Dolan-Gavitt to be presented at DFRWS 2007
  * Constraint based linear scanning framework. New modules include psscan, thrdscan, sockscan, connscan. Inspired by the work of Andreas Schuster.
  * Completely open source. No third-party closed source dependencies.
  * Auto-identification speed enhancements
  * Bug fixes in network and socket modules
  * Removed symbol dependencies
  * Multiprocessor support
volatility-2.3.1/LICENSE.txt0000644000175000017500000003664012227253532015450 0ustar mikemike00000000000000
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

    a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

    b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

    c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

    a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

    c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

Notwithstanding any rights to use the Software granted by the foregoing, if entities or individuals have received a Cease & Desist letter from the Volatility Project, the Volatility Foundation, or its copyright holders for violating the terms of the GPL version 2, those entities (their employees, subcontractors, independent contractors, and affiliates) and / or persons are granted no such rights and any use by any one or more of them is expressly prohibited, in accordance with Section 4 of the GPL version 2. Any rights granted to such entities and / or persons by earlier license agreements have been previously terminated as to them.
volatility-2.3.1/LEGAL.txt

Volatility
===============

License
-------

Copyright (C) 2007-2013 Volatility Foundation

Volatility is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License Version 2 as published by the Free Software Foundation. You may not use, modify or distribute this program under any other version of the GNU General Public License.

Volatility is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with Volatility. If not, see .

volatility-2.3.1/contrib/plugins/disablewarnings.py

# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

import volatility.conf as conf
import logging

config = conf.ConfObject()

def disable_warnings(_option, _opt_str, _value, _parser):
    """Raises the root logger threshold above WARNING so that warning messages are suppressed"""
    rootlogger = logging.getLogger('')
    rootlogger.setLevel(logging.WARNING + 1)

config.add_option("WARNINGS", default = False, action = "callback",
                  callback = disable_warnings,
                  short_option = 'W', nargs = 0,
                  help = "Disable warning messages")

volatility-2.3.1/contrib/plugins/enumfunc.py

# Volatility
# Copyright (c) 2012 Michael Ligh (michael.ligh@mnin.org)
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

import volatility.plugins.taskmods as taskmods
import volatility.utils as utils
import volatility.win32.tasks as tasks
import volatility.win32.modules as modules
import volatility.plugins.filescan as filescan
import volatility.plugins.modscan as modscan

class EnumFunc(taskmods.DllList):
    """Enumerate imported/exported functions"""

    def __init__(self, config, *args, **kwargs):
        taskmods.DllList.__init__(self, config, *args, **kwargs)
        config.remove_option("PID")
        config.remove_option("OFFSET")
        config.add_option("SCAN", short_option = 's', default = False,
                          action = 'store_true', help = 'Scan for objects')
        config.add_option("PROCESS-ONLY", short_option = 'P', default = False,
                          action = 'store_true', help = 'Process only')
        config.add_option("KERNEL-ONLY", short_option = 'K', default = False,
                          action = 'store_true', help = 'Kernel only')
        config.add_option("IMPORT-ONLY", short_option = 'I', default = False,
                          action = 'store_true', help = 'Imports only')
        config.add_option("EXPORT-ONLY", short_option = 'E', default = False,
                          action = 'store_true', help = 'Exports only')

    def calculate(self):
        addr_space = utils.load_as(self._config)

        tasklist = []
        modslist = []

        if self._config.SCAN:
            if not self._config.KERNEL_ONLY:
                for t in filescan.PSScan(self._config).calculate():
                    v = self.virtual_process_from_physical_offset(addr_space, t.obj_offset)
                    if v:
                        tasklist.append(v)
            if not self._config.PROCESS_ONLY:
                modslist = [m for m in modscan.ModScan(self._config).calculate()]
        else:
            if not self._config.KERNEL_ONLY:
                tasklist = [t for t in tasks.pslist(addr_space)]
            if not self._config.PROCESS_ONLY:
                modslist = [m for m in modules.lsmod(addr_space)]

        for task in tasklist:
            for mod in task.get_load_modules():
                yield task, mod

        for mod in modslist:
            yield None, mod

    def render_text(self, outfd, data):
        outfd.write("{0:<20} {1:<10} {2:<20} {3:<10} {4:<20} {5}\n".format(
            "Process", "Type", "Module", "Ordinal", "Address", "Name"))

        for process, module in data:
            if not self._config.IMPORT_ONLY:
                for o, f, n in module.exports():
                    outfd.write("{0:<20} {1:<10} {2:<20} {3:<10} {4:#018x} {5}\n".format(
                        process.ImageFileName if process else "",
                        "Export",
                        module.BaseDllName,
                        o,
                        (module.DllBase + f) if f else 0, # None if forwarded
                        n or '' # None if paged
                        ))
            if not self._config.EXPORT_ONLY:
                for dll, o, f, n in module.imports():
                    outfd.write("{0:<20} {1:<10} {2:<20} {3:<10} {4:#018x} {5}\n".format(
                        process.ImageFileName if process else "",
                        "Import",
                        module.BaseDllName,
                        o,
                        f or 0, # None if paged
                        # n is None if paged or imported by ordinal; substitute
                        # before concatenating so a None name cannot raise TypeError
                        dll + "!" + (n or '')
                        ))

volatility-2.3.1/contrib/plugins/scanprof.py

# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

import sys
import itertools
import timeit

class ScanProfInstance(object):
    def __init__(self, func, *args):
        self.func = func
        self.args = args
        self.results = []

    def __call__(self):
        self.results = self.func(*self.args)

def permscan(self, address_space, offset = 0, maxlen = None):
    times = []
    # Run a warm-up scan to ensure the file is cached as much as possible
    self.oldscan(address_space, offset, maxlen)

    perms = list(itertools.permutations(self.checks))
    for i in range(len(perms)):
        self.checks = perms[i]
        print "Running scan {0}/{1}...".format(i + 1, len(perms))
        profobj = ScanProfInstance(self.oldscan, address_space, offset, maxlen)
        value = timeit.timeit(profobj, number = self.repeats)
        times.append((value, len(list(profobj.results)), i))

    print "Scan results"
    print "{0:20} | {1:7} | {2:6} | {3}".format("Time", "Results", "Perm #", "Ordering")
    for val, l, ordering in sorted(times):
        print "{0:20} | {1:7} | {2:6} | {3}".format(val, l, ordering, perms[ordering])
    sys.exit(1)

def ScanProfiler(cls, repeats = 3):
    cls.repeats = repeats
    cls.oldscan = cls.scan
    cls.scan = permscan
    return cls

volatility-2.3.1/contrib/plugins/pagecheck.py

# Volatility
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

import volatility.commands as commands
import volatility.utils as utils

class PageCheck(commands.Command):
    """Reads the available pages and reports if any are inaccessible"""

    def render_text(self, outfd, data):
        """Displays any page errors"""
        found = False
        for page, vtop, size, pde, pte in data:
            found = True
            outfd.write("(V): 0x{0:08x} [PDE] 0x{3:08x} [PTE] 0x{4:08x} (P): 0x{1:08x} Size: 0x{2:08x}\n".format(page, vtop, size, pde, pte))
        if not found:
            outfd.write("No page failures found!")

    def calculate(self):
        """Calculate returns the results of the available pages validity"""
        addr_space = utils.load_as(self._config)
        for page, size in addr_space.get_available_pages():
            output = addr_space.read(page, size)
            if output == None:
                pde_value = addr_space.get_pde(page)
                pte_value = addr_space.get_pte(page, pde_value)
                yield page, addr_space.vtop(page), size, pde_value, pte_value

volatility-2.3.1/contrib/plugins/aspaces/__init__.py

volatility-2.3.1/contrib/plugins/aspaces/ewf.py

""" This Address Space allows us to open ewf files """

#pylint: disable-msg=C0111

from ctypes import CDLL, c_char_p, c_int, pointer, c_ulonglong, c_ulong, create_string_buffer
import ctypes.util

import volatility.plugins.addrspaces.standard as standard

possible_names = ['libewf-1', 'ewf', ]
for name in possible_names:
    resolved = ctypes.util.find_library(name)
    if resolved:
        break

if resolved:
    libewf = CDLL(resolved)

if not resolved or not libewf._name:
    libewf = None

class ewffile(object):
    """ A file like object to provide access to the ewf file """
    def __init__(self, volumes):
        if isinstance(volumes, str):
            volumes = [volumes, ]

        volume_array = c_char_p * len(volumes)
        self.handle = libewf.libewf_open(volume_array(*volumes), c_int(len(volumes)),
                                         c_int(1))
        if self.handle == 0:
            raise RuntimeError("Unable to open ewf file")

        self.readptr = 0
        size_p = pointer(c_ulonglong(0))
        libewf.libewf_get_media_size(self.handle, size_p)
        self.size = size_p.contents.value

    def seek(self, offset, whence = 0):
        if whence == 0:
            self.readptr = offset
        elif whence == 1:
            self.readptr += offset
        elif whence == 2:
            self.readptr = self.size + offset

        self.readptr = min(self.readptr, self.size)

    def tell(self):
        return self.readptr

    def read(self, length):
        buf = create_string_buffer(length)
        length = libewf.libewf_read_random(self.handle, buf,
                                           c_ulong(length),
                                           c_ulonglong(self.readptr))

        return buf.raw[:length]

    def close(self):
        libewf.libewf_close(self.handle)

    def get_headers(self):
        properties = ["case_number", "description", "examiner_name",
                      "evidence_number", "notes", "acquiry_date",
                      "system_date", "acquiry_operating_system",
                      "acquiry_software_version", "password",
                      "compression_type", "model", "serial_number", ]

        ## Make sure we parsed all headers
        libewf.libewf_parse_header_values(self.handle, c_int(4))
        result = {'size': self.size}
        buf = create_string_buffer(1024)
        for p in properties:
            libewf.libewf_get_header_value(self.handle, p, buf, 1024)
            result[p] = buf.value

        ## Get the hash
        if libewf.libewf_get_md5_hash(self.handle, buf, 16) == 1:
            result['md5'] = buf.raw[:16]

        return result

def ewf_open(volumes):
    return ewffile(volumes)

class EWFAddressSpace(standard.FileAddressSpace):
    """ An EWF capable address space.

    In order for us to work we need:
    1) There must be a base AS.
    2) The first 6 bytes must be 45 56 46 09 0D 0A (EVF header)
    """
    order = 20

    def __init__(self, base, config, **kwargs):
        self.as_assert(libewf, "No libEWF implementation found")
        standard.FileAddressSpace.__init__(self, base, config, layered = True)
        self.as_assert(base, "No base address space provided")
        self.as_assert(base.read(0, 6) == "\x45\x56\x46\x09\x0D\x0A", "EWF signature not present")
        self.fhandle = ewf_open([self.name])
        self.fhandle.seek(0, 2)
        self.fsize = self.fhandle.tell()
        self.fhandle.seek(0)

    def write(self, _addr, _buf):
        if not self._config.WRITE:
            return False
        raise NotImplementedError("Write support is not yet implemented for EWF files")

volatility-2.3.1/contrib/plugins/example.py

# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

import volatility.timefmt as timefmt
import volatility.obj as obj
import volatility.utils as utils
import volatility.commands as commands

#pylint: disable-msg=C0111

class DateTime(commands.Command):
    """A simple example plugin that gets the date/time information from a Windows image"""

    def calculate(self):
        """Calculate and carry out any processing that may take time upon the image"""
        # Load the address space
        addr_space = utils.load_as(self._config)

        # Call a subfunction so that it can be used by other plugins
        return self.get_image_time(addr_space)

    def get_image_time(self, addr_space):
        """Extracts the time and date from the KUSER_SHARED_DATA area"""
        # Get the Image Datetime
        result = {}

        # Create a VOLATILITY_MAGIC object to look up the location of certain constants
        # Get the KUSER_SHARED_DATA location
        KUSER_SHARED_DATA = obj.VolMagic(addr_space).KUSER_SHARED_DATA.v()
        # Create the _KUSER_SHARED_DATA object at the appropriate offset
        k = obj.Object("_KUSER_SHARED_DATA",
                       offset = KUSER_SHARED_DATA,
                       vm = addr_space)

        # Start reading members from it
        result['ImageDatetime'] = k.SystemTime
        result['ImageTz'] = timefmt.OffsetTzInfo(-k.TimeZoneBias.as_windows_timestamp() / 10000000)

        # Return any results we got
        return result

    def render_text(self, outfd, data):
        """Renders the calculated data as text to outfd"""
        # Convert the result into a datetime object for display in local and non local format
        dt = data['ImageDatetime'].as_datetime()

        # Display the datetime in UTC as taken from the image
        outfd.write("Image date and time : {0}\n".format(data['ImageDatetime']))
        # Display the datetime taking into account the timezone of the image itself
        outfd.write("Image local date and time : {0}\n".format(timefmt.display_datetime(dt, data['ImageTz'])))

volatility-2.3.1/contrib/plugins/psdispscan.py

# Volatility
#
# Authors:
# Michael Cohen
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

"""
This module implements the slow thorough process scanning

@author:       Michael Cohen
@license:      GNU General Public License 2.0 or later
@contact:      scudette@users.sourceforge.net
@organization: Volatile Systems
"""

#pylint: disable-msg=C0111

import volatility.commands as commands
import volatility.cache as cache
import volatility.utils as utils
import volatility.obj as obj
import volatility.scan as scan

class DispatchHeaderCheck(scan.ScannerCheck):
    """ A very fast check for an _EPROCESS.Pcb.Header.

    This check assumes that the type and size of
    _EPROCESS.Pcb.Header are unsigned chars, but allows their
    offsets to be determined from vtypes (so they could change
    between OS versions).
    """
    order = 10

    def __init__(self, address_space, **_kwargs):
        ## Because this check needs to be super fast we first
        ## instantiate the _EPROCESS and work out the offsets of the
        ## type and size members. Then in the check we just read those
        ## offsets directly.
        eprocess = obj.Object("_EPROCESS", vm = address_space, offset = 0)
        self.type = eprocess.Pcb.Header.Type
        self.size = eprocess.Pcb.Header.Size
        self.buffer_size = max(self.size.obj_offset, self.type.obj_offset) + 2
        scan.ScannerCheck.__init__(self, address_space)

    def check(self, offset):
        data = self.address_space.read(offset + self.type.obj_offset, self.buffer_size)
        return data[self.type.obj_offset] == "\x03" and data[self.size.obj_offset] == "\x1b"

    def skip(self, data, offset):
        try:
            nextval = data.index("\x03", offset + 1)
            return nextval - self.type.obj_offset - offset
        except ValueError:
            ## Substring is not found - skip to the end of this data buffer
            return len(data) - offset

class CheckThreadList(scan.ScannerCheck):
    """ Checks that _EPROCESS thread list points to the kernel Address Space """
    def check(self, offset):
        eprocess = obj.Object("_EPROCESS", vm = self.address_space,
                              offset = offset)
        kernel = 0x80000000

        list_head = eprocess.ThreadListHead

        if list_head.Flink > kernel and list_head.Blink > kernel:
            return True

class CheckDTBAligned(scan.ScannerCheck):
    """ Checks that _EPROCESS.Pcb.DirectoryTableBase is aligned to 0x20 """
    def check(self, offset):
        eprocess = obj.Object("_EPROCESS", vm = self.address_space,
                              offset = offset)

        return eprocess.Pcb.DirectoryTableBase % 0x20 == 0

class CheckSynchronization(scan.ScannerCheck):
    """ Checks that _EPROCESS.WorkingSetLock and _EPROCESS.AddressCreationLock look valid """
    def check(self, offset):
        eprocess = obj.Object("_EPROCESS", vm = self.address_space,
                              offset = offset)

        event = eprocess.WorkingSetLock.Event.Header
        if event.Type != 0x1 or event.Size != 0x4:
            return False

        event = eprocess.AddressCreationLock.Event.Header
        if event.Size == 0x4 and event.Type == 0x1:
            return True

class PSDispScanner(scan.BaseScanner):
    """ This scanner carves things that look like _EPROCESS structures.

    Since the _EPROCESS does not need to be linked to the process
    list, this scanner is useful to recover terminated or cloaked
    processes.
    """
    checks = [ ("DispatchHeaderCheck", {}),
               ("CheckDTBAligned", {}),
               ("CheckThreadList", {}),
               ("CheckSynchronization", {})
               ]

class PSDispScan(commands.Command, cache.Testable):
    """ Scan Physical memory for _EPROCESS objects based on their Dispatch Headers"""

    # Declare meta information associated with this plugin
    meta_info = dict(
        author = 'Brendan Dolan-Gavitt',
        copyright = 'Copyright (c) 2007,2008 Brendan Dolan-Gavitt',
        contact = 'bdolangavitt@wesleyan.edu',
        license = 'GNU General Public License 2.0 or later',
        url = 'http://moyix.blogspot.com/',
        os = 'WIN_32_XP_SP2',
        version = '1.0',
        )

    @cache.CacheDecorator("tests/psscan")
    def calculate(self):
        address_space = utils.load_as(self._config, astype = 'physical')

        for offset in PSDispScanner().scan(address_space):
            yield obj.Object('_EPROCESS', vm = address_space, offset = offset)

    def render_dot(self, outfd, data):
        objects = set()
        links = set()
        for eprocess in data:
            label = "{0} | {1} |".format(eprocess.UniqueProcessId,
                                          eprocess.ImageFileName)
            if eprocess.ExitTime:
                label += "exited\\n{0}".format(eprocess.ExitTime)
                options = ' style = "filled" fillcolor = "lightgray" '
            else:
                label += "running"
                options = ''

            objects.add('pid{0} [label="{1}" shape="record" {2}];\n'.format(eprocess.UniqueProcessId,
                                                                             label, options))
            links.add("pid{0} -> pid{1} [];\n".format(eprocess.InheritedFromUniqueProcessId,
                                                      eprocess.UniqueProcessId))

        ## Now write the dot file
        outfd.write("digraph processtree { \ngraph [rankdir = \"TB\"];\n")
        for link in links:
            outfd.write(link)

        for item in objects:
            outfd.write(item)
        outfd.write("}")

    def render_text(self, outfd, data):
        ## Just grab the AS and scan it using our scanner
        outfd.write(" Offset    Name             PID    PPID   PDB        Time created             Time exited              \n" +
                    "---------- ---------------- ------ ------ ---------- ------------------------ ------------------------ \n")

        for eprocess in data:
            outfd.write("{0:#010x} {1:16} {2:6} {3:6} {4:#010x} {5:24} {6:24}\n".format(
                eprocess.obj_offset,
                eprocess.ImageFileName,
                eprocess.UniqueProcessId,
                eprocess.InheritedFromUniqueProcessId,
                eprocess.Pcb.DirectoryTableBase,
                eprocess.CreateTime or '',
                eprocess.ExitTime or ''))

volatility-2.3.1/contrib/plugins/verinfo.py

# Volatility
#
# Authors:
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see .
#

import re
import sre_constants
import struct
import volatility.plugins.procdump as procdump
import volatility.win32 as win32
import volatility.obj as obj
import volatility.utils as utils
import volatility.addrspace as addrspace
import volatility.debug as debug
import volatility.exceptions as exceptions

MAX_STRING_BYTES = 260

ver_types = {
'_IMAGE_RESOURCE_DIRECTORY' : [ 0x12, {
  'Characteristics' : [ 0x0, ['unsigned long']],
  'Timestamp' : [ 0x4, ['unsigned long']],
  'MajorVersion': [ 0x8, ['unsigned short']],
  'Minorversion': [ 0xa, ['unsigned short']],
  'NamedEntriesCount': [ 0xc, ['unsigned short']],
  'IdEntriesCount': [0xe, ['unsigned short']],
  'Entries': [0x10, ['array', lambda x: x.NamedEntriesCount + x.IdEntriesCount, ['_IMAGE_RESOURCE_DIRECTORY_ENTRY']]],
} ],
'_IMAGE_RESOURCE_DIRECTORY_ENTRY': [0x8, {
  'Name' : [ 0x0, ['unsigned long']],
  'DataOffset' : [ 0x4, ['unsigned long']],
} ],
'_IMAGE_RESOURCE_DATA_ENTRY' : [0x10, {
  'DataOffset' : [0x0, ['unsigned long']],
  'Size' : [0x4, ['unsigned long']],
  'CodePage' : [0x8, ['unsigned long']],
  'Reserved' : [0xc, ['unsigned long']],
} ],
'_IMAGE_RESOURCE_DIR_STRING_U' : [0x4, {
  'Length': [0x0, ['unsigned short']],
  'Value' : [0x2, ['array', lambda x: x.Length, ['unsigned short']]],
} ],
'_VS_VERSION_INFO' : [0x26, {
  'Length': [0x0, ['unsigned short']],
  'ValueLength': [0x2, ['unsigned short']],
  'Type': [0x4, ['unsigned short']],
  'Key': [0x6, ['array', len("VS_VERSION_INFO "), ['unsigned short']]],
  'FileInfo': [lambda x: (((x.Key.obj_offset + x.Key.size() + 3) / 4) * 4), ['_VS_FIXEDFILEINFO']],
} ],
'VerStruct' : [0x26, {
  'Length': [0x0, ['unsigned short']],
  'ValueLength': [0x2, ['unsigned short']],
  'Type': [0x4, ['unsigned short']],
  'Key': [0x6, ['array', MAX_STRING_BYTES, ['unsigned short']]],
} ],
'_VS_FIXEDFILEINFO': [0x34, {
  'Signature': [0x0, ['unsigned long']],
  'StructVer': [0x4, ['unsigned long']],
  'FileVerMS': [0x8, ['unsigned long']],
  'FileVerLS': [0xC, ['unsigned long']],
  'ProdVerMS': [0x10, ['unsigned long']],
  'ProdVerLS': [0x14, ['unsigned long']],
  'FileFlagsMask': [0x18, ['unsigned long']],
  'FileFlags': [0x1C, ['unsigned long']],
  'FileOS': [0x20, ['Enumeration', {'choices': {
    0x0: 'Unknown',
    0x10000: 'DOS',
    0x20000: 'OS/2 16-bit',
    0x30000: 'OS/2 32-bit',
    0x40000: 'Windows NT',
    0x1: 'Windows 16-bit',
    0x2: 'Presentation Manager 16-bit',
    0x3: 'Presentation Manager 32-bit',
    0x4: 'Windows 32-bit',
    0x10001: 'Windows 16-bit running on DOS',
    0x10004: 'Windows 32-bit running on DOS',
    0x20002: 'Presentation Manager running on OS/2 (16-bit)',
    0x30003: 'Presentation Manager running on OS/2 (32-bit)',
    0x40004: 'Windows NT',
    }} ]],
  'FileType': [0x24, ['Enumeration', {'choices': {
    0x0: 'Unknown',
    0x1: 'Application',
    0x2: 'Dynamic Link Library',
    0x3: 'Driver',
    0x4: 'Font',
    0x5: 'Virtual Device',
    0x7: 'Static Library',
    }} ]],
  'FileSubType': [0x28, ['unsigned long']],
  'FileDate': [0x2C, ['WinTimeStamp']],
} ],
}

class VerStruct(obj.CType):
    """Generic Version Structure"""

    def _determine_key(self, findend = False):
        """Determines the string value for or end location of the key"""
        if self.Key != None:
            name = None
            for n in self.Key:
                if n == None:
                    return n
                # If the letter's valid, then deal with it
                if n == 0:
                    if findend:
                        return n.obj_offset + n.size()
                    name = self.obj_vm.read(self.Key.obj_offset, n.obj_offset - self.Key.obj_offset).decode("utf16", "ignore").encode("ascii", 'backslashreplace')
                    break
            return name
        return self.Key

    def get_key(self):
        """Returns the VerStruct Name"""
        return self._determine_key()

    def offset_pad(self, offset):
        """Pads an offset to a 32-bit alignment"""
        return (((offset + 3) / 4) * 4)

    def get_children(self):
        """Returns the available children"""
        offset = self.offset_pad(self._determine_key(True))
        if self.ValueLength > 0:
            # Nasty hardcoding unicode (length*2) length in here,
            # but what else can we do?
            return self.obj_vm.read(offset, self.ValueLength * 2)
        else:
            return self._recurse_children(offset)

    def _recurse_children(self, offset):
        """Recurses through the available children"""
        while offset < self.obj_offset + self.Length:
            item = obj.Object("VerStruct", offset = offset, vm = self.obj_vm, parent = self)
            if item.Length < 1 or item.get_key() == None:
                raise StopIteration("Could not recover a key for a child at offset {0}".format(item.obj_offset))
            yield item.get_key(), item.get_children()
            offset = self.offset_pad(offset + item.Length)
        raise StopIteration("No children")

class _VS_VERSION_INFO(VerStruct):
    """Version Information"""

    def get_children(self):
        """Recurses through the children of a Version Info record"""
        offset = self.offset_pad(self.FileInfo.obj_offset + self.ValueLength)
        return self._recurse_children(offset)

class _VS_FIXEDFILEINFO(obj.CType):
    """Fixed (language and codepage independent) information"""

    def file_version(self):
        """Returns the file version"""
        return self.get_version(self.FileVerMS) + "." + self.get_version(self.FileVerLS)

    def product_version(self):
        """Returns the product version"""
        return self.get_version(self.ProdVerMS) + "." + self.get_version(self.ProdVerLS)

    def get_version(self, value):
        """Returns a version in four parts"""
        version = []
        for i in range(2):
            version = [(value >> (i * 16)) & 0xFFFF] + version
        return '.'.join([str(x) for x in version])

    def file_type(self):
        """Returns the type of the file"""
        ftype = str(self.FileType)
        choices = None
        if self.FileType == 'Driver':
            choices = {
                0x0: 'Unknown',
                0x1: 'Printer',
                0x2: 'Keyboard',
                0x3: 'Language',
                0x4: 'Display',
                0x5: 'Mouse',
                0x6: 'Network',
                0x7: 'System',
                0x8: 'Installable',
                0x9: 'Sound',
                0xA: 'Comms',
                0xB: 'Input Method',
                0xC: 'Versioned Printer',
                }
        elif self.FileType == 'Font':
            choices = {
                0x1: 'Raster',
                0x2: 'Vector',
                0x3: 'Truetype',
                }
        if choices != None:
            subtype = obj.Object('Enumeration', 0x28, vm = self.obj_vm, parent = self, choices = choices)
            ftype += " (" + str(subtype) + ")"

        return ftype

    def flags(self):
        """Returns the file's flags"""
        data = struct.pack('=I', self.FileFlags & self.FileFlagsMask)
        addr_space = addrspace.BufferAddressSpace(self.obj_vm.get_config(), 0, data)
        bitmap = {'Debug': 0,
                  'Prerelease': 1,
                  'Patched': 2,
                  'Private Build': 3,
                  'Info Inferred': 4,
                  'Special Build' : 5,
                  }
        return obj.Object('Flags', offset = 0, vm = addr_space, bitmap = bitmap)

    def v(self):
        """Returns the value of the structure"""
        val = ("File version    : {0}\n" +
               "Product version : {1}\n" +
               "Flags           : {2}\n" +
               "OS              : {3}\n" +
               "File Type       : {4}\n" +
               "File Date       : {5}").format(self.file_version(), self.product_version(),
                                               self.flags(), self.FileOS, self.file_type(),
                                               self.FileDate or '')
        return val

class _IMAGE_RESOURCE_DIR_STRING_U(obj.CType):
    """Handles Unicode-esque strings in IMAGE_RESOURCE_DIRECTORY structures"""
    # This is very similar to a UNICODE object, perhaps they should be merged somehow?
    def v(self):
        """Value function for _IMAGE_RESOURCE_DIR_STRING_U"""
        try:
            length = self.Length.v()
            if length > 1024:
                length = 0
            data = self.obj_vm.read(self.Value.obj_offset, length)
            return data.decode("utf16", "ignore").encode("ascii", 'backslashreplace')
        except Exception, _e:
            return ''

class _IMAGE_RESOURCE_DIRECTORY(obj.CType):
    """Handles Directory Entries"""
    def __init__(self, theType = None, offset = None, vm = None, parent = None, *args, **kwargs):
        self.sectoffset = offset
        obj.CType.__init__(self, theType = theType, offset = offset, vm = vm, parent = parent, *args, **kwargs)

    def get_entries(self):
        """Gets a tree of the entries from the top level IRD"""
        for irde in self.Entries:
            if irde != None:
                if irde.Name & 0x80000000:
                    # Points to a Name object
                    name = obj.Object("_IMAGE_RESOURCE_DIR_STRING_U", (irde.Name & 0x7FFFFFFF) + self.sectoffset, vm = self.obj_vm, parent = irde)
                else:
                    name = int(irde.Name)
                if irde.DataOffset & 0x80000000:
                    # We're another DIRECTORY
                    retobj = obj.Object("_IMAGE_RESOURCE_DIRECTORY", (irde.DataOffset & 0x7FFFFFFF) + self.sectoffset, vm = self.obj_vm, parent = irde)
                    retobj.sectoffset = self.sectoffset
                else:
                    # We're a DATA_ENTRY
                    retobj = obj.Object("_IMAGE_RESOURCE_DATA_ENTRY", irde.DataOffset + self.sectoffset, vm = self.obj_vm, parent = irde)
                yield (name, bool(irde.DataOffset & 0x80000000), retobj)

resource_types = {
    'RT_CURSOR'       : 1,
    'RT_BITMAP'       : 2,
    'RT_ICON'         : 3,
    'RT_MENU'         : 4,
    'RT_DIALOG'       : 5,
    'RT_STRING'       : 6,
    'RT_FONTDIR'      : 7,
    'RT_FONT'         : 8,
    'RT_ACCELERATOR'  : 9,
    'RT_RCDATA'       : 10,
    'RT_MESSAGETABLE' : 11,
    'RT_GROUP_CURSOR' : 12,
    'RT_GROUP_ICON'   : 14,
    'RT_VERSION'      : 16,
    'RT_DLGINCLUDE'   : 17,
    'RT_PLUGPLAY'     : 19,
    'RT_VXD'          : 20,
    'RT_ANICURSOR'    : 21,
    'RT_ANIICON'      : 22,
    'RT_HTML'         : 23,
}

class VerInfo(procdump.ProcExeDump):
    """Prints out the version information from PE images"""

    def __init__(self, config, *args, **kwargs):
        procdump.ProcExeDump.__init__(self, config, *args, **kwargs)
        config.remove_option("OFFSET")
        config.remove_option("PID")
        config.add_option("OFFSET", short_option = "o", type = 'int',
                          help = "Offset of the module to print the version information for")
        config.add_option('REGEX', short_option = "r", default = None,
                          help = 'Dump modules matching REGEX')
        config.add_option('IGNORE-CASE', short_option = 'i', action = 'store_true',
                          help = 'ignore case in pattern match', default = False)

    def calculate(self):
        """Returns a unique list of modules"""
        addr_space = utils.load_as(self._config)

        for cls in [_IMAGE_RESOURCE_DIRECTORY, _IMAGE_RESOURCE_DIR_STRING_U, _VS_FIXEDFILEINFO, _VS_VERSION_INFO, VerStruct]:
            addr_space.profile.object_classes[cls.__name__] = cls
        addr_space.profile.add_types(ver_types)

        if self._config.REGEX is not None:
            try:
                if self._config.IGNORE_CASE:
                    module_pattern = re.compile(self._config.REGEX, flags = sre_constants.SRE_FLAG_IGNORECASE)
                else:
                    module_pattern = re.compile(self._config.REGEX)
            except sre_constants.error, e:
                debug.error('Regular expression parsing error: {0}'.format(e))

        if self._config.OFFSET is not None:
            if not addr_space.is_valid_address(self._config.OFFSET):
                debug.error("Specified offset is not valid for the provided address space")
            yield addr_space, self._config.OFFSET
            raise StopIteration

        tasks = win32.tasks.pslist(addr_space)

        for task in tasks:
            for m in task.get_load_modules():
                if self._config.REGEX is not None:
                    if not (module_pattern.search(str(m.FullDllName))
                            or module_pattern.search(str(m.BaseDllName))):
                        continue

                yield task.get_process_address_space(), m

    def display_unicode(self, string):
        """Renders a UTF16 string"""
        if string is None:
            return ''
        return string.decode("utf16", "ignore").encode("ascii", 'backslashreplace')

    def get_version_info(self, addr_space, offset):
        """Accepts an address space and an executable image offset

           Returns a VS_VERSION_INFO object or NoneObject
        """
        if not addr_space.is_valid_address(offset):
            return obj.NoneObject("Disk image not resident in memory")

        try:
            nt_header = self.get_nt_header(addr_space = addr_space, base_addr = offset)
except ValueError, ve: return obj.NoneObject("PE file failed initial sanity checks: {0}".format(ve)) except exceptions.SanityCheckException, ve: return obj.NoneObject("PE file failed initial sanity checks: {0}. Try -u or --unsafe".format(ve)) # header = s.read(m.DllBase, nt_header.OptionalHeader.SizeOfHeaders) for sect in nt_header.get_sections(self._config.UNSAFE): if str(sect.Name) == '.rsrc': root = obj.Object("_IMAGE_RESOURCE_DIRECTORY", offset + sect.VirtualAddress, addr_space) for rname, rentry, rdata in root.get_entries(): # We're a VERSION resource and we have subelements if rname == resource_types['RT_VERSION'] and rentry: for sname, sentry, sdata in rdata.get_entries(): # We're the single sub element of the VERSION if sname == 1 and sentry: # Get the string tables for _stname, stentry, stdata in sdata.get_entries(): if not stentry: return obj.Object("_VS_VERSION_INFO", offset = (stdata.DataOffset + offset), vm = addr_space) def render_text(self, outfd, data): """Renders the text""" for s, m in data: outfd.write(str(m.FullDllName)) outfd.write("\n") vinfo = self.get_version_info(s, m.DllBase) if vinfo != None: outfd.write(" File version : {0}\n".format(vinfo.FileInfo.file_version())) outfd.write(" Product version : {0}\n".format(vinfo.FileInfo.product_version())) outfd.write(" Flags : {0}\n".format(vinfo.FileInfo.flags())) outfd.write(" OS : {0}\n".format(vinfo.FileInfo.FileOS)) outfd.write(" File Type : {0}\n".format(vinfo.FileInfo.file_type())) outfd.write(" File Date : {0}\n".format(vinfo.FileInfo.FileDate or '')) for name, children in vinfo.get_children(): if name == 'StringFileInfo': for _codepage, strings in children: for string, value in strings: # Make sure value isn't a generator, and we've a subtree to deal with if isinstance(value, type(strings)): outfd.write(" {0} : Subtrees not yet implemented\n".format(string)) else: outfd.write(" {0} : {1}\n".format(string, self.display_unicode(value))) 
volatility-2.3.1/AUTHORS.txt

===============================================
This file identifies core Volatility authors.
All lists are alphabetical.
===============================================

Volatility 2.0, 2.1, 2.2, and 2.3:
------------
Mike Auty
Andrew Case
Michael Cohen
Brendan Dolan-Gavitt
Michael Hale Ligh
Jamie Levy
AAron Walters

Volatility 1.3:
------------
AAron Walters     Volatile Systems LLC
Brendan Dolan-Gavitt

Volatools Basic authors:
------------
AAron Walters          Komoku, Inc.
Nick L. Petroni, Jr.   Komoku, Inc.

volatility-2.3.1/CREDITS.txt

===============================================
We would like to acknowledge individuals that
have made significant contributions, code, or
ideas toward the respective volatility releases.
All lists are alphabetical. These lists exclude
the core Volatility authors, who are identified
in AUTHORS.txt.

If you believe you've been left off, it is not
intentional. Please bring it to our attention!
===============================================

Volatility 2.3:
Cem Gurkok for his work on the privileges plugin for Windows
Nir Izraeli for his work on the VMware snapshot address space (see also the vmsnparser project)
@osxmem of the volafox project (Mac OS X & BSD Memory Analysis Toolkit)
@osxreverser of reverse.put.as for his help with OSX memory analysis
Carl Pulley for numerous bug reports, example patches, and plugin testing
Andreas Schuster for his work on poison ivy plugins for Windows
Joe Sylve for his work on the ARM address space and significant contributions to linux and mac capabilities
Philippe Teuwen for his work on the virtual box address space
Santiago Vicente for his work on the citadel plugins for Windows

Volatility 2.2:
------------
Joe Sylve

Volatility 2.1:
------------
---

Volatility 2.0:
------------
Frank Boldewin
Carl Pulley
Andreas Schuster
Bradley Schatz

Volatility 1.3:
------------
Harlan Carvey
Michael Cohen
David Collett
Brendan Dolan-Gavitt
Andreas Schuster
Matthieu Suiche

We would also like to acknowledge those who
have provided valuable feedback, bug reports,
and testing:

Jide Abu
Joseph Ayo Akinyele
Tommaso Assandri
Richard Austin
Cameron C Caffee
Eoghan Casey
Angelo Cavallini
Andre' DiMino
Jon Evans
Robert Guess
Christian Herndler
jeremie0
Eugene Libster
Erik Ligda
Robert Lowe
Tony Martin
Timothy Morgan
Bryan D. Payne
Golden G. Richard III
Wyatt Roersma
RB
Sam F. Stover
Marko Thure
DDDDDD™PDlççççççççççççççççç¯ççèèèèèèèèççç¯ççççççççççççççç_DDDDDMÛsDJØçççççççççççççççç@yççèèèèèèèèççÑçççççççççççççççÂDDDDDDmçÂDD•çççççççççççççççç©-çççèèèèèèèçç±+çççççççççççççççvDDDDDD»çç_DUççççççççççççççççÌçççèèèèèèèçç6çççççççççççççççRDDDDDYççç DD¥çççççççççççççççççççèèèèèèèçç„@çççççççççççççç¢DDDDDD™çççÛPDgççççççççççççççççÞççèèèèèèèçç~ççççççççççççççeDDDDDJØççççsDGÎççççççççççççççç&ÆççèèèèèèèççC„çççççççççççççÍDDDDDDjçççççÀDD’ççççççççççççççç-±ççèèèèèèèççyççççççççççççç’DDDDDD¸çççççç]DSçççççççççççççççÈççèèèèèèèçç‰<çççççççççççççSDDDDDWçççççççDD çççççççççççççççççèèèèèèèçç©1çççççççççççç£DDDDDD•çççççççáODbçççççççççççççÕçççèèèèèèèççÆ"ççççççççççççfDDDDDGÐççççççççoDD»çççççççççççç¶&çççèèèèèèèççÞÕççççççççççÎGDDDDDhççççççççç·DDWáççççççççççç‡5ççèèèèèèèèççç*ŠççççççççççsDDDDDD¥çççççççççÂDDD“ççççççççççç5ƒççèèèèèèèèèçç8ççççççççç½GDDDDDJáçççççççççtDDDJ£çççççççççÞ ÌççèèèèèèèèèççÆççççççç lSDDDDDDDi—¤çççç¿vdDDDDDDb›ççççççç§(çççèèèèèèèèèççç çççççç\DDDDDDDDDDDZçççç—DDDDDDDDDWççççççç8€ççèèèèèèèèèèèçç~çççççç—sssssssssss—çççç¹sssstssss•çççççç¯ÆççèèèèèèèèèèèççÕƒççççççççççççççççççççççççççççççççççççççç/<çççèèèèèèèèèèèçççƒÕççççççççççççççççççççççççççççççççççççç Èççèèèèèèèèèèèèèççç>ççççççççççççççççççççççççççççççççççççÑyçççèèèèèèèèèèèèèèçç‡ççççççççççççççççççççççççççççççççççç/Õççèèèèèèèèèèèèèèèççç>­ççççççççççççççççççççççççççççççççç=©çççèèèèèèèèèèèèèèèèççç-²çççççççççççççççççççççççççççççç炃çççèèèèèèèèèèèèèèèèèçççÑ ççççççççççççççççççççççççççççç=<çççèèèèèèèèèèèèèèèèèèèççç²€çççççççççççÞ±±ÆçççççççççççÑ//çççèèèèèèèèèèèèèèèèèèèèèçççÆ 6Èççççççççç¶"çççççççççç§<ççççèèèèèèèèèèèèèèèèèèèèèèçççÕ3CÑççççççç¶&çççççççç¯-ƒççççèèèèèèèèèèèèèèèèèèèèèèèèççççy~¶ççççç¶&çççççÞ©6©ççççèèèèèèèèèèèèèèèèèèèèèèèèèèçççç²1@Ñçç¶&çççÞ5 
yÕçççèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèçççç­(­çç¶"çççÌ<Èççççèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèççççç§<­çç¶&çççÌ(€Æçççççèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèçççççç¯w²çç¶"çççÑ„Èççççççèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèççççççççç¶&ççççççççççèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèççççççç¶&çççççççèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèççç¶&ççççèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèççç¶"ççççèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèççç¶&ççççèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèçççÈ66yççççèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèççççççççççèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèçççççççççèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèèççççèèèèèèèèèèèèèèèèèèèèèèèèèèèèèÿÿÿÿÿÿÿÿÿÿÿÀÿÿÿÿÿü?ÿÿÿÿðÿÿÿÿÀÿÿÿÿÿÿÿþ?ÿÿüÿÿøÿÿðÿÿàÿÿÀÿÿ€ÿÿÿÿþþ?ü?üøøøøðððððððððððððøøøüüü?þ?ÿÿÿ€ÿÿ€ÿÿÀÿÿàÿÿðÿÿøÿÿü?ÿÿÿÿÿÿ€ÿÿÿÿàÿÿÿÿøÿÿÿÿþÿÿÿÿÿàÿÿÿÿÿÿàÿÿÿÿÿÿàÿÿÿÿÿÿàÿÿÿÿÿÿðÿÿÿÿÿÿðÿÿÿÿÿÿþÿÿÿ(0` —— !!!$$$&&&'''***+++,,,...000111333666777888<<<>>>???@@@IIIMMMOOOQQQRRRTTTXXXYYYZZZ[[[\\\```aaabbbdddeeefffggghhhiiijjjmmmrrrxxxyyyzzz{{{|||}}}~~~ÿÿÿÿÿÿÿÿÿÿÿÿÿ!!ÿ##ÿ,,ÿ00ÿ99ÿ>>ÿ??ÿ@@ÿBBÿMMÿQQÿRRÿWWÿ]]ÿ__ÿggÿiiÿllÿnnÿppÿrrÿwwÿ{{ÿ‚‚‚‡‡‡ŠŠŠ‹‹‹‘‘‘’’’“““”””•••–––˜˜˜ššš›››   ¡¡¡£££¥¥¥¦¦¦¨¨¨«««¬¬¬­­­®®®¯¯¯°°°±±±²²²´´´µµµ¶¶¶ººº¾¾¾¿¿¿‚‚ÿ‡‡ÿŒŒÿššÿžžÿ¢¢ÿ¤¤ÿ¦¦ÿ§§ÿ¨¨ÿ©©ÿ²²ÿ³³ÿ··ÿ¸¸ÿ¹¹ÿ¼¼ÿ½½ÿÂÂÂÆÆÆÇÇÇÈÈÈËËËÌÌÌÍÍÍÏÏÏÐÐÐÑÑÑÓÓÓÕÕÕ×××ØØØÙÙÙÚÚÚÜÜÜÞÞÞßßßÇÇÿÉÉÿÏÏÿÒÒÿÔÔÿÕÕÿÖÖÿ××ÿÙÙÿàààáááâââåååæææçççèèèêêêëëëìììíííááÿääÿèèÿëëÿííÿïïÿñññòòòõõõööö÷÷÷ññÿôôÿööÿ÷÷ÿøøøúúúûûûøøÿúúÿüüüýýýüüÿýýÿþþþþþÿÿÿÿææææææææææææææææææææææææææææææææææææææææææææææææææææææææææææææææææåååååååååååååææææææææææææææææææææææææææææææææåååååÕµ¤„}Ž®Æåååååææææææææææææææææææææææææææææåååå¯q#6‰Õåååæææææææææææææææææææææææææååå## AÒåååææææææææææææææææææææææåå®*A§ÚåååååÅ€- tåååæææææææææææææææææææååå€/¯ååååååååååååÚw(Æååæææææææææææææææææååå@#¥ååååååååååååååååÒF®ååææææææææææææææææåå/>Úååååååååååååååååååå¥ 
©ååææææææææææææææååFwåååååååååååååååååååååå¶Åååææææææææææææåå†qåååååååååå—cfåååååååååååÅ#ÚåææææææææææææåÅ 4åååååååååååTII¡ååååååååååå§ Aååææææææææææåå:ÕååååååååååIII_ååååååååååååt Ååæææææææææå屄ååååååååååå_IIIIËåååååååååååå:ååææææææææåå0%åååååååååååÌIIIIIlååååååååååååŽµåææææææææåÕ †ååååååååååå’IIIIITÝååååååååååååqååæææææææåŽ ÕåååååååååååVIIIIaI›åååååååååååån(ååææææææåå:+ååååååååååå¡IIII]¿I[åååååååååååå©Æåææææææåå!{åååååååååååaIIII™å]I¼åååååååååååå‰åææææææååååååååååååÎIIIIRÝå™Igåååååååååååå(wååæææææåÚ±åååååååååå“IIIIjååÝRQ×ååååååååååå0AååæææææåÂÒååååååååååVIIII¼åååjI•ååååååååååå@6ååæææææåÂÕååååååååå£IIIIZåååå¼IYååååååååååå@:ååæææææåÚ±åååååååååbIIII–ååååå[I·åååååååååå0AååæææææååååååååååÎOIIIQ×ååååå™Icåååååååååå(wååæææææåå!{åååååååå”IIIIeåååååå×PI¸ååååååååå‰åææææææåå:+ååååååå×VIIII¸åååååååVIXÝååååååå©ÉåæææææææåŽ ÕåååååÏgIIIIOÏåååååוIII]£ååååååF(ååæææææææåÚ †ååååIIIIIIIITÏåå¡IIIIIII›ååååårååæææææææåå0!ååååºllkkkklkl×åå¼lkkkklk¹åååå†µåææææææææåå±ååååååååååååååååååååååååååååÚ:ååæææææææææåå>Õåååååååååååååååååååååååååååw ÅåæææææææææææåÆ 0åååååååååååååååååååååååååå© Fååæææææææææææåå†nååååååååååååååååååååååååÆ#ÕåæææææææææææææåånrååååååååååååååååååååååÂÆååææææææææææææææåå06ÚååååååååÆÅÚååååååå央ååæææææææææææææææåååA!¤ååååååå†ååååååÒA¯ååæææææææææææææææææååå€-¯ååååå‰ååååÕt)Éååææææææææææææææææææææåå±-AÉåå‰åå§- {åååææææææææææææææææææææææååå¥(åå‰åå?nÕåååææææææææææææææææææææææææååååµr)åå†ååF>Úåååææææææææææææææææææææææææææææåååååååå‰åååååååæææææææææææææææææææææææææææææææææååååå†ååååææææææææææææææææææææææææææææææææææææææååå‰ååææææææææææææææææææææææææææææææææææææææææååå†ååææææææææææææææææææææææææææææææææææææææææååå{o±ååæææææææææææææææææææææææææææææææææææææææææåååååååææææææææææææææææææææææææææææææææææææææææææåååååæææææææææææææææææææææÿÿÿÿÿÿÿÿÀÿÿÿþÿÿøÿÿðÿÿàÿÿ€ÿÿÿÿþ?ü?üøððððààààààààààððððøüü?þ?ÿÿÿÿ€ÿÿàÿÿðÿÿøÿÿþÿÿÿÀÿÿÿÿðÿÿÿÿðÿÿÿÿðÿÿÿÿøÿÿÿÿüÿÿ( @ºº !!!%%%((()))***---///111222444555999:::===>>>@@@CCCDDDEEEJJJKKKNNNOOORRRTTTUUUVVVWWWXXXeeekkknnnooossstttuuuyyyzzz|||ÿÿÿÿÿ ÿ ÿ 
ÿÿÿÿ""ÿ##ÿ++ÿ//ÿ11ÿ::ÿ;;ÿ>>ÿ??ÿTTÿUUÿ[[ÿ__ÿeeÿggÿkkÿooÿ€€€„„„………‰‰‰ŽŽŽ”””•••˜˜˜šššŸŸŸ¡¡¡¢¢¢¤¤¤§§§ªªª«««···¹¹¹»»»¿¿¿„„ÿˆˆÿ––ÿ˜˜ÿ››ÿ  ÿ¤¤ÿ©©ÿ¬¬ÿ´´ÿ»»ÿÀÀÀÄÄÄÅÅÅÇÇÇÉÉÉËËËÎÎÎÏÏÏÐÐÐÑÑÑÒÒÒÔÔÔÖÖÖØØØÝÝÝÞÞÞßßßÁÁÿÃÃÿÅÅÿÍÍÿÑÑÿÔÔÿÙÙÿáááâââãããäääåååæææçççéééêêêëëëìììíííîîîââÿééÿëëÿííÿñññòòòóóóôôôõõõööö÷÷÷ððÿóóÿõõÿööÿ÷÷ÿøøøùùùúúúûûûýýýþþþþþÿÿÿÿ¸¸¸¸¸¸¸¸¸¸¸¸¸¸····¸¸¸¸¸¸¸¸¸¸¸¸¸¸¸¸¸¸¸¸¸¸¸¸···²”}nˆ¤···¸¸¸¸¸¸¸¸¸¸¸¸¸¸¸¸¸¸¸·¨f+[—··¸¸¸¸¸¸¸¸¸¸¸¸¸¸¸··‚……………N u†††††…O u…………]-/|……………%…††††… P……………7--Y……………ig††††kv…………q--?5………………P††††S……………A-/|6e……………%*…††…B"…………1-<…[;……………M…††…E"…………^--f…1s…………M…†††U…………8-3………>@…………'+…†††kv……_--:|…s:-Z……Q††††… Q…r<<<<\…Y<<=q…ig††††…O n…………………………………%…†††††…!………………………………M u†††††††k'v………~v…………GV†††††††††i V……I ……d`…††††††††††…MnI …*v†††††††††††††…~cvJ …cv…†††††††††††††††††…I …††††††††††††††††††††…SE…†††††††††††††††††††††………††††††††††ÿçÿþü?ððàÀÀÀÀ€€ÀÀÀÀàðøü?þÿÃÿÿÃÿÿãÿ( ÜܳŸ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿóóóííí³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ···ÿÿÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³ŸÇÇÇ¡¡¡···ÑÑѸ¸¸ÿÿÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³ŸòòòmmmcccÈÈÈ···çççwwwVVVæææ³Ÿ³Ÿ³Ÿ³Ÿ³ŸýýýIII³³³ÿÿÿÿÿÿýýýüüüÿÿÿÿÿÿÊÊÊ<<<ïïﳟ³Ÿ³Ÿ³ŸŽŽŽ”””ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿºººhhh³Ÿ³Ÿ³Ÿüüü;;;ÿÿÿ¹¹ÿ??ÿ@@ÿ  ÿóóÿ[[ÿ??ÿ²²ÿÿÿÿTTTÝÝݳŸ³ŸÒÒÒhhhÿÿÿÿÿÿllÿÿÕÕÿÿÿÿ¢¢ÿhhÿýýÿÿÿÿ®®®³Ÿ³Ÿªªª˜˜˜ÿÿÿÿÿÿÞÞÿÿppÿÿÿÿ``ÿ÷÷ÿÿÿÿÿÿÿÀÀÀ‚‚‚³Ÿ³ŸÁÁÁ|||ÿÿÿÿÿÿÿÿÿFFÿÿÞÞÿvvÿÿÿÿÿÿÿÿÿÿ¤¤¤³Ÿ³ŸñññIIIÿÿÿÿÿÿÿÿÿ¬¬ÿÿ55ÿÚÚÿÿÿÿÿÿÿÿÿÿnnnËË˳Ÿ³Ÿ³ŸZZZÌÌÌÿÿÿÿÿÿúúÿÿCCÿÿÿÿÿÿÿÿÿÿæææCCCúúú³Ÿ³Ÿ³Ÿæææ>>>ïïïÿÿÿÿÿÿŸŸÿ¿¿ÿÿÿÿÿÿÿùùùLLLÏÏϳŸ³Ÿ³Ÿ³Ÿ³ŸÅÅÅ>>>ºººÿÿÿÿÿÿÿÿÿÿÿÿÏÏÏAAA­­­³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿïïïsss???LLLQQQ???aaaãã㳟³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿÿÿÿñññìììÿÿÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿ³Ÿðñòóôõö÷øùúûüýþÿàáâãäåæçèéêëìíîïÐÑÒÓÔÕÖרÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎϰ±²³´µ¶·¸¹º»¼½¾¿ ¡¢£¤¥¦§¨©ª«¬­®¯‘’“”•–—˜™š›œžŸ€‚ƒ„…†‡ˆ‰Š‹ŒŽpqrstuvwxyz{|}~`abcdefghijklmnoPQRSTUVWXYZ[\]^_@ABCDEFGHIJKLMNO0123456789:;<=>? 
volatility-2.3.1/tools/linux/Makefile

obj-m += module.o
KDIR ?= /
KVER ?= $(shell uname -r)

-include version.mk

all: dwarf

dwarf: module.c
	$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build CONFIG_DEBUG_INFO=y M=$(PWD) modules
	dwarfdump -di module.ko > module.dwarf
	$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) clean

clean:
	$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) clean
	rm -f module.dwarf

volatility-2.3.1/tools/linux/module.c

/*
  This module does absolutely nothing at all. We just build it with debugging
  symbols and then read the DWARF symbols from it.
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,26)
#include
#else
#include
#endif

#include
#include
#include

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,20)
#include
struct pid_namespace pid_namespace;
#endif

#include
#include
#include
#include
#include
#include
#include
#include

struct atomic_notifier_head atomic_notifier_head;

#include
struct tty_driver tty_driver;

#include
struct tty_struct tty_struct;

struct udp_seq_afinfo udp_seq_afinfo;
struct tcp_seq_afinfo tcp_seq_afinfo;

struct files_struct files_struct;

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,19)
struct uts_namespace uts_namespace;
#endif

struct sock sock;
struct inet_sock inet_sock;
struct vfsmount vfsmount;
struct in_device in_device;
struct fib_table fib_table;
struct unix_sock unix_sock;
struct pid pid;
struct radix_tree_root radix_tree_root;

#ifdef CONFIG_NETFILTER
struct nf_hook_ops nf_hook_ops;
struct nf_sockopt_ops nf_sockopt_ops;
#endif

struct xt_table xt_table;

/********************************************************************
The following structs are not defined in headers, so we can't import
them. Hopefully they don't change too much.
*********************************************************************/

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,24)
#include
#endif

#include
#include
#include
#include
#include

#define EMBEDDED_HASH_SIZE (L1_CACHE_BYTES / sizeof(struct hlist_head))

#define __rcu

struct fn_zone {
    struct fn_zone *fz_next;    /* Next not empty zone */
    struct hlist_head *fz_hash; /* Hash table pointer */
    seqlock_t fz_lock;
    u32 fz_hashmask;            /* (fz_divisor - 1) */
    u8 fz_order;                /* Zone order (0..32) */
    u8 fz_revorder;             /* 32 - fz_order */
    __be32 fz_mask;             /* inet_make_mask(order) */

    struct hlist_head fz_embedded_hash[EMBEDDED_HASH_SIZE];

    int fz_nent;                /* Number of entries */
    int fz_divisor;             /* Hash size (mask+1) */
} fn_zone;

struct fn_hash {
    struct fn_zone *fn_zones[33];
    struct fn_zone *fn_zone_list;
} fn_hash;

struct fib_alias {
    struct list_head fa_list;
    struct fib_info *fa_info;
    u8 fa_tos;
    u8 fa_type;
    u8 fa_scope;
    u8 fa_state;
#ifdef CONFIG_IP_FIB_TRIE
    struct rcu_head rcu;
#endif
};

struct fib_node {
    struct hlist_node fn_hash;
    struct list_head fn_alias;
    __be32 fn_key;
    struct fib_alias fn_embedded_alias;
};

struct fib_node fib_node;
struct fib_alias fib_alias;

struct rt_hash_bucket {
    struct rtable __rcu *chain;
} rt_hash_bucket;

#define RADIX_TREE_MAP_SHIFT (CONFIG_BASE_SMALL ? 4 : 6)
#define RADIX_TREE_MAP_SIZE (1UL << RADIX_TREE_MAP_SHIFT)
#define RADIX_TREE_MAP_MASK (RADIX_TREE_MAP_SIZE-1)
#define RADIX_TREE_TAG_LONGS ((RADIX_TREE_MAP_SIZE + BITS_PER_LONG - 1) / BITS_PER_LONG)

struct radix_tree_node {
    unsigned int height;        /* Height from the bottom */
    unsigned int count;
    struct rcu_head rcu_head;
    void *slots[RADIX_TREE_MAP_SIZE];
    unsigned long tags[RADIX_TREE_MAX_TAGS][RADIX_TREE_TAG_LONGS];
};

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,25)
struct module_sect_attr {
    struct module_attribute mattr;
    char *name;
    unsigned long address;
};

struct module_sect_attrs {
    struct attribute_group grp;
    unsigned int nsections;
    struct module_sect_attr attrs[0];
};
#endif

struct module_sect_attrs module_sect_attrs;

#ifdef CONFIG_SLAB

#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,31)

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
/*
 * struct kmem_cache
 *
 * manages a cache.
 */
struct kmem_cache {
    /* 1) per-cpu data, touched during every alloc/free */
    struct array_cache *array[NR_CPUS];
    /* 2) Cache tunables. Protected by cache_chain_mutex */
    unsigned int batchcount;
    unsigned int limit;
    unsigned int shared;

    unsigned int buffer_size;
    u32 reciprocal_buffer_size;
    /* 3) touched by every alloc & free from the backend */

    unsigned int flags;         /* constant flags */
    unsigned int num;           /* # of objs per slab */

    /* 4) cache_grow/shrink */
    /* order of pgs per slab (2^n) */
    unsigned int gfporder;

    /* force GFP flags, e.g. GFP_DMA */
    gfp_t gfpflags;

    size_t colour;              /* cache colouring range */
    unsigned int colour_off;    /* colour offset */
    struct kmem_cache *slabp_cache;
    unsigned int slab_size;
    unsigned int dflags;        /* dynamic flags */

    /* constructor func */
    void (*ctor)(void *obj);

    /* 5) cache creation/removal */
    const char *name;
    struct list_head next;

    /* 6) statistics */
#if STATS
    unsigned long num_active;
    unsigned long num_allocations;
    unsigned long high_mark;
    unsigned long grown;
    unsigned long reaped;
    unsigned long errors;
    unsigned long max_freeable;
    unsigned long node_allocs;
    unsigned long node_frees;
    unsigned long node_overflow;
    atomic_t allochit;
    atomic_t allocmiss;
    atomic_t freehit;
    atomic_t freemiss;
#endif
#if DEBUG
    /*
     * If debugging is enabled, then the allocator can add additional
     * fields and/or padding to every object. buffer_size contains the total
     * object size including these internal fields, the following two
     * variables contain the offset to the user object and its size.
     */
    int obj_offset;
    int obj_size;
#endif
    /*
     * We put nodelists[] at the end of kmem_cache, because we want to size
     * this array to nr_node_ids slots instead of MAX_NUMNODES
     * (see kmem_cache_init())
     * We still use [MAX_NUMNODES] and not [1] or [0] because cache_cache
     * is statically defined, so we reserve the max number of nodes.
     */
    struct kmem_list3 *nodelists[MAX_NUMNODES];
    /*
     * Do not add fields after nodelists[]
     */
};
#else

struct kmem_cache {
    /* 1) per-cpu data, touched during every alloc/free */
    struct array_cache *array[NR_CPUS];
    /* 2) Cache tunables. Protected by cache_chain_mutex */
    unsigned int batchcount;
    unsigned int limit;
    unsigned int shared;

    unsigned int buffer_size;
    /* 3) touched by every alloc & free from the backend */
    struct kmem_list3 *nodelists[MAX_NUMNODES];

    unsigned int flags;         /* constant flags */
    unsigned int num;           /* # of objs per slab */

    /* 4) cache_grow/shrink */
    /* order of pgs per slab (2^n) */
    unsigned int gfporder;

    /* force GFP flags, e.g. GFP_DMA */
    gfp_t gfpflags;

    size_t colour;              /* cache colouring range */
    unsigned int colour_off;    /* colour offset */
    struct kmem_cache *slabp_cache;
    unsigned int slab_size;
    unsigned int dflags;        /* dynamic flags */

    /* constructor func */
    void (*ctor) (void *, struct kmem_cache *, unsigned long);

    /* de-constructor func */
    void (*dtor) (void *, struct kmem_cache *, unsigned long);

    /* 5) cache creation/removal */
    const char *name;
    struct list_head next;

    /* 6) statistics */
#if STATS
    unsigned long num_active;
    unsigned long num_allocations;
    unsigned long high_mark;
    unsigned long grown;
    unsigned long reaped;
    unsigned long errors;
    unsigned long max_freeable;
    unsigned long node_allocs;
    unsigned long node_frees;
    unsigned long node_overflow;
    atomic_t allochit;
    atomic_t allocmiss;
    atomic_t freehit;
    atomic_t freemiss;
#endif
#if DEBUG
    /*
     * If debugging is enabled, then the allocator can add additional
     * fields and/or padding to every object. buffer_size contains the total
     * object size including these internal fields, the following two
     * variables contain the offset to the user object and its size.
     */
    int obj_offset;
    int obj_size;
#endif
};

#endif /*kmem_cache decl*/

struct kmem_cache kmem_cache;
#endif

struct kmem_list3 {
    struct list_head slabs_partial; /* partial list first, better asm code */
    struct list_head slabs_full;
    struct list_head slabs_free;
    unsigned long free_objects;
    unsigned int free_limit;
    unsigned int colour_next;       /* Per-node cache coloring */
    spinlock_t list_lock;
    struct array_cache *shared;     /* shared per node */
    struct array_cache **alien;     /* on other nodes */
    unsigned long next_reap;        /* updated without locking */
    int free_touched;               /* updated without locking */
};

struct kmem_list3 kmem_list3;

struct slab {
    struct list_head list;
    unsigned long colouroff;
    void *s_mem;                /* including colour offset */
    unsigned int inuse;         /* num of objs active in slab */
    unsigned int free;
    unsigned short nodeid;
};

struct slab slab;
#endif

#if LINUX_VERSION_CODE > KERNEL_VERSION(2,6,31)
typedef u64 cycle_t;

struct timekeeper {
    /* Current clocksource used for timekeeping. */
    struct clocksource *clock;
    /* NTP adjusted clock multiplier */
    u32 mult;
    /* The shift value of the current clocksource. */
    int shift;

    /* Number of clock cycles in one NTP interval. */
    cycle_t cycle_interval;
    /* Number of clock shifted nano seconds in one NTP interval. */
    u64 xtime_interval;
    /* shifted nano seconds left over when rounding cycle_interval */
    s64 xtime_remainder;
    /* Raw nano seconds accumulated per NTP interval. */
    u32 raw_interval;

    /* Clock shifted nano seconds remainder not stored in xtime.tv_nsec. */
    u64 xtime_nsec;
    /* Difference between accumulated time and NTP time in ntp
     * shifted nano seconds. */
    s64 ntp_error;
    /* Shift conversion between clock shifted nano seconds and
     * ntp shifted nano seconds. */
    int ntp_error_shift;

    /* The current time */
    struct timespec xtime;
    /*
     * wall_to_monotonic is what we need to add to xtime (or xtime corrected
     * for sub jiffie times) to get to monotonic time. Monotonic is pegged
     * at zero at system boot time, so wall_to_monotonic will be negative,
     * however, we will ALWAYS keep the tv_nsec part positive so we can use
     * the usual normalization.
     *
     * wall_to_monotonic is moved after resume from suspend for the
     * monotonic time not to jump. We need to add total_sleep_time to
     * wall_to_monotonic to get the real boot based time offset.
     *
     * - wall_to_monotonic is no longer the boot time, getboottime must be
     * used instead.
     */
    struct timespec wall_to_monotonic;
    /* time spent in suspend */
    struct timespec total_sleep_time;
    /* The raw monotonic time for the CLOCK_MONOTONIC_RAW posix clock. */
    struct timespec raw_time;

    /* Offset clock monotonic -> clock realtime */
    ktime_t offs_real;

    /* Offset clock monotonic -> clock boottime */
    ktime_t offs_boot;

    /* Seqlock for all timekeeper values */
    seqlock_t lock;
};

struct timekeeper my_timekeeper;

struct log {
    u64 ts_nsec;        /* timestamp in nanoseconds */
    u16 len;            /* length of entire record */
    u16 text_len;       /* length of text buffer */
    u16 dict_len;       /* length of dictionary buffer */
    u8 facility;        /* syslog facility */
    u8 flags:5;         /* internal record flags */
    u8 level:3;         /* syslog level */
};

struct log my_log;

#endif

#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,3,0)
struct mnt_namespace {
    atomic_t count;
    struct mount * root;
    struct list_head list;
    wait_queue_head_t poll;
    int event;
};

struct mnt_pcp {
    int mnt_count;
    int mnt_writers;
};

struct mount {
    struct list_head mnt_hash;
    struct mount *mnt_parent;
    struct dentry *mnt_mountpoint;
    struct vfsmount mnt;
#ifdef CONFIG_SMP
    struct mnt_pcp __percpu *mnt_pcp;
    atomic_t mnt_longterm;          /* how many of the refs are longterm */
#else
    int mnt_count;
    int mnt_writers;
#endif
    struct list_head mnt_mounts;    /* list of children, anchored here */
    struct list_head mnt_child;     /* and going through their mnt_child */
    struct list_head mnt_instance;  /* mount instance on sb->s_mounts */
    const char *mnt_devname;        /* Name of device e.g. /dev/dsk/hda1 */
    struct list_head mnt_list;
    struct list_head mnt_expire;    /* link in fs-specific expiry list */
    struct list_head mnt_share;     /* circular list of shared mounts */
    struct list_head mnt_slave_list;/* list of slave mounts */
    struct list_head mnt_slave;     /* slave list entry */
    struct mount *mnt_master;       /* slave is on master->mnt_slave_list */
    struct mnt_namespace *mnt_ns;   /* containing namespace */
#ifdef CONFIG_FSNOTIFY
    struct hlist_head mnt_fsnotify_marks;
    __u32 mnt_fsnotify_mask;
#endif
    int mnt_id;                     /* mount identifier */
    int mnt_group_id;               /* peer group identifier */
    int mnt_expiry_mark;            /* true if marked for expiry */
    int mnt_pinned;
    int mnt_ghosts;
};

#endif

volatility-2.3.1/tools/linux/pmem/Makefile

obj-m += pmem.o
KDIR ?= /
KVER ?= $(shell uname -r)

-include version.mk

all: pmem

pmem: pmem.c
	$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) modules

clean:
	$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) clean

volatility-2.3.1/tools/linux/pmem/pmem.c

/*
 * pmem.c - physical memory driver
 * Copyright 2011: Michael Cohen, (scudette@gmail.com)
 *
 * *****************************************************************************
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free Software
 * Foundation; either version 2, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
 * details.
 *
 * You should have received a copy of the GNU General Public License along with
 * this program; if not, write to the Free Software Foundation, Inc., 675 Mass
 * Ave, Cambridge, MA 02139, USA.
 *
 * *****************************************************************************
 *
 * This code is also available under Apache 2.0 License
 * Copyright 2011 Michael Cohen (scudette@gmail.com)
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 * *******************************************************************************
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

static char pmem_devname[32] = "pmem";

#define SUCCESS 0

/* Checks to make sure that the page is valid. For now just checks the resource
   list for "System RAM", which is a very naive approach.
*/
static int is_page_valid(loff_t paddr) {
  struct resource *p = &iomem_resource;

  /* We should really grab the resource lock here but it is not exported. The
     iomem_resource is the root of the resource tree. We only care about the top
     level of the tree here because we just need to avoid DMA regions.
  */
  for (p = p->child; p; p = p->sibling) {
    /* Resource ranges are inclusive at both ends, so the first and last byte
       of a region belong to it. */
    if(p->end >= paddr && p->start <= paddr) {
      if (!strcmp(p->name, "System RAM")) {
        return 1;
      };
      break;
    };
  };

  return 0;
};

static loff_t pmem_get_size(void) {
  /* The size of memory is the end address of the last resource. */
  struct resource *p = &iomem_resource;
  struct resource *last_resource = NULL;

  for(p=p->child;p;p=p->sibling) {
    if (!strcmp(p->name, "System RAM")) {
      last_resource=p;
    };
  }

  /* This should not happen - something has to be marked as allocated. */
  if(!last_resource) {
    printk(KERN_WARNING "No valid resources found.");
    return -EINVAL;
  } else {
    return last_resource->end;
  };
};

/* Implement seeking behaviour. For whence=2 we need to figure out the size of
   RAM which is the end address of the last "System RAM" resource.
*/
static loff_t pmem_llseek(struct file *file, loff_t offset, int whence) {
  switch (whence) {
  case 0: {
    file->f_pos = offset;
    break;
  };

  case 1: {
    file->f_pos += offset;
    break;
  };

  case 2: {
    file->f_pos = pmem_get_size() + offset;
    break;
  };

  default:
    return -EINVAL;
  }

  return file->f_pos;
}

/* This function reads as much of the page as possible - it may return a short
   read. If the page is invalid (e.g. the page could not be mapped in or it's
   not in a valid memory resource) we null pad the buffer and log to syslog.
*/
static ssize_t pmem_read_partial(struct file *file, char *buf, size_t count,
                                 loff_t *poff) {
  void *vaddr;
  unsigned long page_offset = *poff % PAGE_SIZE;
  size_t to_read = min(PAGE_SIZE - page_offset, count);
  unsigned long pfn = (unsigned long)(*poff >> PAGE_SHIFT);
  struct page *page;

  /* Refuse to read from invalid pages. */
  if(!is_page_valid(*poff) || !pfn_valid(pfn)) goto error;

  /* Map the page into the kernel AS and get the address for it. */
  page = pfn_to_page(pfn);
  vaddr = kmap(page);
  if (!vaddr) goto error;

  /* Copy the data into the user buffer. */
  if (copy_to_user(buf, vaddr + page_offset, to_read)) {
    goto unmap_error;
  }

  kunmap(page);

  /* Increment the file offset. */
  *poff += to_read;

  return to_read;

 unmap_error:
  kunmap(page);

 error:
  /* Increment the file offset. */
  *poff += to_read;

  /* An error occurred, so we zero pad the result. */
  memset(buf, 0, to_read);
  return to_read;
};

/* Read the buffer requested by copying as much as needed from each
   page. Invalid pages will be replaced with NULLs.
*/
static ssize_t pmem_read(struct file *file, char *buf, size_t count,
                         loff_t *poff) {
  loff_t file_size = pmem_get_size();
  /* How much data is available in the entire memory range. */
  size_t available = file_size - *poff;
  size_t remaining = min(count, available);

  if(file_size < *poff) return 0;

  /* Just keep going until the full buffer is copied. Due to the null padding on
     error it's impossible to fail here.
  */
  while(remaining > 0) {
    ssize_t copied = pmem_read_partial(file, buf, remaining, poff);

    /* Advance the user buffer so that each page lands after the previous one
       instead of overwriting the start of the buffer. */
    buf += copied;
    remaining -= copied;
  };

  return min(count, available);
}

static unsigned long long zero_page = 0;

static int pmem_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf) {
  loff_t offset = vmf->pgoff << PAGE_SHIFT;        /* Offset of faulting page */
  unsigned long pfn = (unsigned long)(vmf->pgoff); /* Faulting page */
  struct page *page;

  /* Refuse to read from invalid pages. Map the zero page instead. */
  if(!is_page_valid(offset) || !pfn_valid(pfn)) {
    page = virt_to_page(zero_page);
  } else {
    /* Map the real page here. */
    page = pfn_to_page(pfn);
  };

  get_page(page);
  vmf->page = page;

  return 0;
}

static struct vm_operations_struct pmem_vm_ops = {
  .fault = pmem_vma_fault,
};

static int pmem_mmap(struct file *filp, struct vm_area_struct *vma) {
  if(!zero_page) {
    zero_page = get_zeroed_page(GFP_KERNEL);
  };

  /* don't do anything here: The fault handler will fill the holes */
  vma->vm_ops = &pmem_vm_ops;
#if LINUX_VERSION_CODE < KERNEL_VERSION(3,7,0)
  vma->vm_flags |= VM_RESERVED | VM_CAN_NONLINEAR;
#else
  vma->vm_flags |= VM_IO;
#endif

  return 0;
};

/* Set up the module methods. */
static struct file_operations pmem_fops = {
  .owner = THIS_MODULE,
  .llseek = pmem_llseek,
  .read = pmem_read,
  .mmap = pmem_mmap,
};

static struct miscdevice pmem_dev = {
  MISC_DYNAMIC_MINOR,
  pmem_devname,
  &pmem_fops
};

static int __init pmem_init(void) {
  return misc_register(&pmem_dev);
}

static void __exit pmem_cleanup_module(void) {
  /* Free the zero page if needed. */
  if(zero_page) {
    free_page(zero_page);
  };

  misc_deregister(&pmem_dev);
}

module_init(pmem_init);
module_exit(pmem_cleanup_module);

MODULE_LICENSE("GPL");

volatility-2.3.1/tools/vtype_diff.py

#!/usr/bin/env python
# -*- mode: python; -*-
#
# Volatility
# Authors:
# Brendan Dolan-Gavitt
# Mike Auty
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation. You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see .
# """ @author: Brendan Dolan-Gavitt @license: GNU General Public License 2.0 @contact: brendandg@gatech.edu @organization: Georgia Institute of Technology """ from optparse import OptionParser import hashlib, os, sys class VtypeHolder(object): unstable_var_prefix = "unknown_" def __init__(self): self.vtypes = None self.arrayname = None self.filename = None self.namemap = {} self.dellist = [] self.basis = None def _rename_types(self, vtypes, namemap): # Apply the namemap within the types for t in vtypes: for m in vtypes[t][1]: memb = vtypes[t][1][m] d = self._get_deepest(memb) if d in namemap: vtypes[t][1][m] = self._deep_replace(memb, d, namemap[d]) # Rename the types themselves for n in namemap: if n in vtypes: vtypes[namemap[n]] = vtypes[n] del vtypes[n] return vtypes def _deep_replace(self, t, search, repl): if t == search: return repl elif isinstance(t, list): return [self._deep_replace(x, search, repl) for x in t] else: return t def _get_deepest(self, t): if isinstance(t, list): if len(t) == 1: return t[0] else: for part in t: res = self._get_deepest(part) if res: return res return None return None def _tuplify(self, types, t): if isinstance(t, list) or isinstance(t, tuple): return tuple(sorted([self._tuplify(types, x) for x in t])) elif isinstance(t, dict): return self._tuplify(types, t.items()) elif isinstance(t, str) and t.startswith(self.unstable_var_prefix): return self._tuplify(types, types[t]) else: return t def as_string(self, msizes = True): if not self.vtypes: return "" arrayname = self.arrayname if self.basis: arrayname += "_additions" output = arrayname + " = {\n" for t in sorted(self.vtypes): output += " '{0}': [ {1:#x}, {{\n".format(t, self.vtypes[t][0]) for m in sorted(self.vtypes[t][1], key = lambda m: self.vtypes[t][1][m][0]): if msizes: output += " '{0}': [{1:#x}, {2}],\n".format(m, self.vtypes[t][1][m][0], self.vtypes[t][1][m][1]) else: output += " '{0}': [None, {1}],\n".format(m, self.vtypes[t][1][m][1]) output += " }],\n" output += "}\n" 
        if self.basis:
            fn, an = self.basis
            fn = os.path.splitext(os.path.basename(fn))[0]
            output += "\n# We must use deepcopy to avoid overlays affecting multiple profiles\nimport copy\n"
            output += "import {0}\n".format(fn)
            output += "{0} = copy.deepcopy({1}.{2})\n".format(self.arrayname, fn, an)
            if self.dellist:
                for i in self.dellist:
                    output += "del {0}['{1}']\n".format(self.arrayname, i)
            output += "{0}.update({1})\n".format(self.arrayname, arrayname)
        return output

    def load(self, filename):
        self.filename = filename
        locs, globs = {}, {}
        # execfile runs the vtypes file as Python code, so only load files you trust
        execfile(filename, globs, locs)
        for i in locs.keys():
            if i.endswith('_types'):
                self.arrayname = i
                self.vtypes = locs[self.arrayname]

    def canonicalize(self):
        if not self.vtypes:
            return False
        namemap = {}
        unnamed = [t for t in self.vtypes if t.startswith(self.unstable_var_prefix)]

        # Create the namemap
        for t in unnamed:
            newname = "__volstablename_" + hashlib.md5(str(self._tuplify(self.vtypes, self.vtypes[t]))).hexdigest() #pylint: disable-msg=E1101
            if t in namemap:
                print "Conflicting names for {0}: {1} and {2}".format(t, newname, namemap[t])
            if newname in self.vtypes:
                print "Constructed name for {0} ({1}) already exists in vtypes".format(t, newname)
            namemap[t] = newname

        self.namemap = namemap
        self.vtypes = self._rename_types(self.vtypes, namemap)

    def decanonicalize(self, namemap = None):
        if not self.vtypes:
            return False
        if not namemap:
            namemap = self.namemap

        # reverse the namemap
        newnamemap = {}
        for i in namemap:
            newnamemap[namemap[i]] = i

        # Rename the types
        self.vtypes = self._rename_types(self.vtypes, newnamemap)

        # Rename the dellist members
        dellist = [ newnamemap[x] if x in newnamemap else x for x in self.dellist]
        self.dellist = dellist

    def diff(self, base):
        """Compresses these vtypes based on another vtypes"""
        self.basis = base.filename, base.arrayname
        removelist = []
        for i in base.vtypes:
            if i in self.vtypes:
                inithash = hashlib.md5(str(self._tuplify(base.vtypes, base.vtypes[i]))).hexdigest() #pylint: disable-msg=E1101
                diffhash = hashlib.md5(str(self._tuplify(self.vtypes, self.vtypes[i]))).hexdigest() #pylint: disable-msg=E1101
                if inithash == diffhash:
                    removelist.append(i)
            else:
                self.dellist.append(i)
        for i in removelist:
            del self.vtypes[i]

if __name__ == '__main__':
    usage = "usage: %prog [options] "
    parser = OptionParser(usage = usage)
    (opts, args) = parser.parse_args()

    if len(args) != 2:
        parser.error("Must provide both vtypes files.")

    # Ensure these can import any modules they require
    sys.path.append(os.path.dirname(args[0]))
    sys.path.append(os.path.dirname(args[1]))

    ### Rename 1
    v1 = VtypeHolder()
    v1.load(args[0])
    v1.canonicalize()

    ### Rename 2
    v2 = VtypeHolder()
    v2.load(args[1])
    v2.canonicalize()

    ### Compress
    v2.diff(v1)
    v2.decanonicalize(v1.namemap)

    # Verify that no two names map to the same value
    for conflict in v1.namemap:
        if conflict in v2.namemap:
            if v1.namemap[conflict] != v2.namemap[conflict]:
                ### Remove possible conflicting unnamed offsets in original naming convention
                del v2.namemap[conflict]

    v2.decanonicalize(v2.namemap)

    ### Print types
    print v2.as_string()

volatility-2.3.1/tools/mac/

volatility-2.3.1/tools/mac/convert.py

import os, sys, re

class DWARFParser(object):
    """A parser for DWARF files."""

    # Nasty, but appears to parse the lines we need
    dwarf_header_regex = re.compile(
        r'<(?P<level>\d+)><(?P<statement_id>[0-9+]+)><(?P<kind>\w+)>')
    dwarf_key_val_regex = re.compile(
        r'\s*(?P<keyname>\w+)<(?P<val>[^>]*)>')

    sz2tp = {8: 'long long', 4: 'long', 2: 'short', 1: 'char'}
    tp2vol = {
        'bool' : 'int',
        '_Bool': 'unsigned char',
        'char': 'char',
        'float': 'float',
        'double': 'double',
        'long double': 'double',
        'int': 'int',
        'long int': 'long',
        'long long int': 'long long',
        'long long unsigned int': 'unsigned long long',
        'long unsigned int': 'unsigned long',
        'short int': 'short',
        'short unsigned int': 'unsigned short',
        'unsigned short' : 'unsigned short',
        'short' : 'short',
        'signed char': 'signed char',
        'unsigned char': 'unsigned char',
        'unsigned int': 'unsigned int',
    }

    def __init__(self):
        self.current_level = -1
        self.name_stack = []
        self.id_to_name = {}
        self.all_vtypes = {}
        self.vtypes = {}
        self.enums = {}
        self.all_vars = {}
        self.vars = {}
        self.all_local_vars = []
        self.local_vars = []
        self.anons = 0

    def resolve(self, memb):
        """Lookup anonymous member and replace it with a well known one."""
        # Reference to another type
        if isinstance(memb, str) and memb.startswith('<'):
            resolved = self.id_to_name[memb[1:]]

            ret = self.resolve(resolved)

        elif isinstance(memb, list):
            ret = [self.resolve(r) for r in memb]
        else:
            # Literal
            ret = memb

        return ret

    def resolve_refs(self):
        """Replace references with types."""
        for v in self.vtypes:
            for m in self.vtypes[v][1]:
                self.vtypes[v][1][m] = self.resolve(self.vtypes[v][1][m])

        return self.vtypes

    def deep_replace(self, t, search, repl):
        """Recursively replace anonymous references."""
        if t == search:
            return repl

        elif isinstance(t, list):
            return [self.deep_replace(x, search, repl) for x in t]
        else:
            return t

    def get_deepest(self, t):
        if isinstance(t, list):
            if len(t) == 1:
                return t[0]
            else:
                for part in t:
                    res = self.get_deepest(part)
                    if res:
                        return res

                return None

        return None

    def base_type_name(self, data):
        """Replace references to base types."""
        if 'AT_name' in data:
            return self.tp2vol[data['AT_name']]
        else:
            sz = int(data['AT_byte_size'])
            if data['AT_encoding'] == 'ATE_unsigned':
                return 'unsigned ' + self.sz2tp[sz]
            else:
                return self.sz2tp[sz]

    def feed_line(self, line):
        line = line.replace("\n", "")
        # Does the header match?
        m = self.dwarf_header_regex.match(line)
        if m:
            parsed = m.groupdict()
            parsed['data'] = {}
            # Now parse the key value pairs
            while m:
                i = m.end()
                m = self.dwarf_key_val_regex.search(line, i)
                if m:
                    d = m.groupdict()
                    parsed['data'][d['keyname']] = d['val']

            if parsed['kind'] in ('TAG_formal_parameter','TAG_variable'):
                self.process_variable(parsed['data'])
            else:
                self.process_statement(**parsed)
        #else:
        #    print "line %s does not match" % line.strip()

    def process_statement(self, kind, level, data, statement_id):
        """Process a single parsed statement."""
        new_level = int(level)
        if new_level > self.current_level:
            self.current_level = new_level
            self.name_stack.append([])
        elif new_level < self.current_level:
            self.name_stack = self.name_stack[:new_level+1]
            self.current_level = new_level

        self.name_stack[-1] = [kind, statement_id]

        try:
            parent_kind, parent_name = self.name_stack[-2]
        except IndexError:
            parent_kind, parent_name = (None, None)

        if kind == 'TAG_compile_unit':
            self.finalize()
            self.vtypes = {}
            self.vars = {}
            self.all_local_vars += self.local_vars
            self.local_vars = []
            self.id_to_name = {}

        elif kind == 'TAG_structure_type':
            name = data.get('AT_name', "__unnamed_%s" % statement_id)
            self.name_stack[-1][1] = name
            self.id_to_name[statement_id] = [name]

            # If it's just a forward declaration, we want the name around,
            # but there won't be a size
            if 'AT_declaration' not in data:
                try:
                    self.vtypes[name] = [ int(data['AT_byte_size']), {} ]
                except:
                    self.vtypes[name] = [ int(data['AT_byte_size'], 16), {} ]

        elif kind == 'TAG_class_type':
            name = data.get('AT_name', "__unnamed_%s" % statement_id)
            name = name + "_class"
            self.name_stack[-1][1] = name
            self.id_to_name[statement_id] = [name]

            # If it's just a forward declaration, we want the name around,
            # but there won't be a size
            if 'AT_declaration' not in data:
                try:
                    self.vtypes[name] = [ int(data['AT_byte_size']), {} ]
                except:
                    self.vtypes[name] = [ int(data['AT_byte_size'], 16), {} ]

        elif kind == 'TAG_union_type':
            name = data.get('AT_name',
                            "__unnamed_%s" % statement_id)
            self.name_stack[-1][1] = name
            self.id_to_name[statement_id] = [name]
            try:
                self.vtypes[name] = [ int(data['AT_byte_size']), {} ]
            except:
                self.vtypes[name] = [ 0, {} ]

        elif kind == 'TAG_array_type':
            self.name_stack[-1][1] = statement_id
            self.id_to_name[statement_id] = data['AT_type']

        elif kind == 'TAG_enumeration_type':
            name = data.get('AT_name', "__unnamed_%s" % statement_id)
            self.name_stack[-1][1] = name
            self.id_to_name[statement_id] = [name]

            # If it's just a forward declaration, we want the name around,
            # but there won't be a size
            if 'AT_declaration' not in data:
                try:
                    sz = int(data['AT_byte_size'])
                except:
                    sz = 0
                self.enums[name] = [sz, {}]

        elif kind == 'TAG_pointer_type':
            self.id_to_name[statement_id] = ['pointer', data.get('AT_type', ['void'])]

        elif kind == 'TAG_base_type':
            self.id_to_name[statement_id] = [self.base_type_name(data)]

        elif kind == 'TAG_volatile_type':
            self.id_to_name[statement_id] = data.get('AT_type', ['void'])

        elif kind == 'TAG_const_type':
            self.id_to_name[statement_id] = data.get('AT_type', ['void'])

        elif kind == 'TAG_typedef':
            try:
                self.id_to_name[statement_id] = data['AT_type']
            except:
                self.id_to_name[statement_id] = ['void']

        elif kind == 'TAG_subroutine_type':
            self.id_to_name[statement_id] = ['void'] # Don't need these

        elif kind == 'TAG_variable' and level == '1':
            if 'AT_location' in data:
                split = data['AT_location'].split()
                if len(split) > 1:
                    loc = int(split[1], 0)
                    self.vars[data['AT_name']] = [loc, data['AT_type']]

        elif kind == 'TAG_subprogram':
            # IDEK
            pass

        elif kind == 'TAG_member' and parent_kind == 'TAG_structure_type':
            name = data.get('AT_name', "__unnamed_%s" % statement_id)
            off = int(data['AT_data_member_location'])

            if 'AT_bit_size' in data and 'AT_bit_offset' in data:
                full_size = int(data['AT_byte_size'])*8
                stbit = int(data['AT_bit_offset'])
                edbit = stbit + int(data['AT_bit_size'])
                stbit = full_size - stbit
                edbit = full_size - edbit
                stbit, edbit = edbit, stbit
                assert stbit < edbit
                memb_tp = ['BitField', dict(start_bit = stbit, end_bit = edbit)]
            else:
                memb_tp = data['AT_type']

            self.vtypes[parent_name][1][name] = [off, memb_tp]

        elif kind == 'TAG_member' and parent_kind == 'TAG_class_type':
            name = data.get('AT_name', "__unnamed_%s" % statement_id)
            off = int(data['AT_data_member_location'])

            if 'AT_bit_size' in data and 'AT_bit_offset' in data:
                full_size = int(data['AT_byte_size'])*8
                stbit = int(data['AT_bit_offset'])
                edbit = stbit + int(data['AT_bit_size'])
                stbit = full_size - stbit
                edbit = full_size - edbit
                stbit, edbit = edbit, stbit
                assert stbit < edbit
                memb_tp = ['BitField', dict(start_bit = stbit, end_bit = edbit)]
            else:
                memb_tp = data['AT_type']

            self.vtypes[parent_name][1][name] = [off, memb_tp]

        elif kind == 'TAG_member' and parent_kind == 'TAG_union_type':
            name = data.get('AT_name', "__unnamed_%s" % statement_id)
            self.vtypes[parent_name][1][name] = [0, data['AT_type']]

        elif kind == 'TAG_enumerator' and parent_kind == 'TAG_enumeration_type':
            name = data['AT_name']

            try:
                val = int(data['AT_const_value'])
            except ValueError:
                val = int(data['AT_const_value'].split('(')[0])

            self.enums[parent_name][1][name] = val

        elif kind == 'TAG_subrange_type' and parent_kind == 'TAG_array_type':
            if 'AT_upper_bound' in data:
                try:
                    sz = int(data['AT_upper_bound'])
                except ValueError:
                    try:
                        sz = int(data['AT_upper_bound'].split('(')[0])
                    except ValueError:
                        # Give up
                        sz = 0
                sz += 1
            else:
                sz = 0

            tp = self.id_to_name[parent_name]
            self.id_to_name[parent_name] = ['array', sz, tp]
        else:
            pass
            #if kind != "NULL":
            #    print "Skipping unsupported tag %s" % kind

    def process_variable(self, data):
        # The early return disables local-variable collection; the code below is unreachable
        return
        """Process a local variable."""
        if ('AT_name' in data and 'AT_decl_line' in data and
            'AT_type' in data):
            self.local_vars.append(
                (data['AT_name'], int(data['AT_decl_line']),
                 data['AT_decl_file'].split()[1], data['AT_type']) )

    def finalize(self):
        """Finalize the output."""
        if self.vtypes:
            self.vtypes = self.resolve_refs()
            self.all_vtypes.update(self.vtypes)
        if self.vars:
            self.vars = dict(((k,
                              self.resolve(v)) for k, v in self.vars.items()))
            self.all_vars.update(self.vars)
        if self.local_vars:
            self.local_vars = [ (name, lineno, decl_file, self.resolve(tp)) for
                                (name, lineno, decl_file, tp) in self.local_vars ]
            self.all_local_vars += self.local_vars

        # Get rid of unneeded unknowns (shades of Rumsfeld here)
        # Needs to be done in fixed point fashion
        changed = True
        while changed:
            changed = False
            s = set()
            for m in self.all_vtypes:
                for t in self.all_vtypes[m][1].values():
                    s.add(self.get_deepest(t))
            for m in self.all_vars:
                s.add(self.get_deepest(self.all_vars[m][1]))
            for v in list(self.all_vtypes):
                if v.startswith('__unnamed_') and v not in s:
                    del self.all_vtypes[v]
                    changed = True

        # Merge the enums into the types directly:
        for t in self.all_vtypes:
            for m in list(self.all_vtypes[t][1]):
                memb = self.all_vtypes[t][1][m]
                d = self.get_deepest(memb)
                if d in self.enums:
                    sz = self.enums[d][0]
                    vals = dict((v, k) for k, v in self.enums[d][1].items())
                    self.all_vtypes[t][1][m] = self.deep_replace(
                        memb, [d],
                        ['Enumeration', dict(target = 'int', choices = vals)]
                    )

        return self.all_vtypes

    def print_output(self):
        self.finalize()
        print "mac_types = {"

        for t in self.all_vtypes:
            print " '%s': [ %#x, {" % (t, self.all_vtypes[t][0])
            for m in sorted(self.all_vtypes[t][1], key=lambda m: self.all_vtypes[t][1][m][0]):
                print " '%s': [%#x, %s]," % (m, self.all_vtypes[t][1][m][0], self.all_vtypes[t][1][m][1])
            print "}],"
        print "}"
        print
        print "mac_gvars = {"
        for v in sorted(self.all_vars, key=lambda v: self.all_vars[v][0]):
            print " '%s': [%#010x, %s]," % (v, self.all_vars[v][0], self.all_vars[v][1])
        print "}"

def parse_dwarf():
    """Parse the dwarf file."""
    parser = DWARFParser()
    for line in open(sys.argv[1],"r").readlines():
        parser.feed_line(line)

    parser.print_output()

    #for k in parser.wtf:
    #    print k

def write_line(outfile, level, id, name):
    outfile.write("<%s><%s><%s> " % (level, id, name))

def convert_file(mac_file, outfile):
    '''
    5 spaces, level 1
    0x00000428:     TAG_typedef [15]
    9 spaces,
    level 2, (struct member)
    0x00000446:         TAG_member [30]
    at AT_type( {0x0000008b}
    '''

    level1_re = re.compile(r'^(0x[0-9a-fA-F]+):\s{5}(\w+)\s')
    level2_re = re.compile(r'^(0x[0-9a-fA-F]+):\s{9}(\w+)\s')
    level3_re = re.compile(r'^(0x[0-9a-fA-F]+):\s{13}(\w+)\s')
    level4_re = re.compile(r'^(0x[0-9a-fA-F]+):\s{17}(\w+)\s')
    level5_re = re.compile(r'^(0x[0-9a-fA-F]+):\s{21}(\w+)\s')
    level6_re = re.compile(r'^(0x[0-9a-fA-F]+):\s{25}(\w+)\s')
    level7_re = re.compile(r'^(0x[0-9a-fA-F]+):\s{29}(\w+)\s')
    level8_re = re.compile(r'^(0x[0-9a-fA-F]+):\s{33}(\w+)\s')
    level9_re = re.compile(r'^(0x[0-9a-fA-F]+):\s{37}(\w+)\s')
    level10_re = re.compile(r'^(0x[0-9a-fA-F]+):\s{41}(\w+)\s')
    level11_re = re.compile(r'^(0x[0-9a-fA-F]+):\s{45}(\w+)\s')
    level12_re = re.compile(r'^(0x[0-9a-fA-F]+):\s{49}(\w+)\s')
    level13_re = re.compile(r'^(0x[0-9a-fA-F]+):\s{53}(\w+)\s')
    level14_re = re.compile(r'^(0x[0-9a-fA-F]+):\s{57}(\w+)\s')
    at_re = re.compile(r'^\s+(\w+)\((.+)')

    level = 0
    dontbreak = 0

    for line in mac_file.readlines():
        if len(line) < 2:
            outfile.write("\n")
            level = 0
            continue

        if line.find("-------------") != -1:
            level = 0
            continue

        if line.find("File:") != -1:
            level = 0
            continue

        if line.find(".debug_info") != -1:
            level = 0
            continue

        if line.find("Compile Unit:") != -1:
            level = 0
            continue

        if line.find("TAG_compile_unit") != -1:
            outfile.write("<1><999999999999999> ")
            level = 1
            continue

        # new declaration
        if level == 0:
            m = level1_re.match(line)
            t = level2_re.match(line)
            r = level3_re.match(line)
            f = level4_re.match(line)
            z = level5_re.match(line)
            s = level6_re.match(line)
            y = level7_re.match(line)
            b = level8_re.match(line)
            j = level9_re.match(line)
            a = level10_re.match(line)
            c = level11_re.match(line)
            d = level12_re.match(line)
            e = level13_re.match(line)
            g = level14_re.match(line)

            if m:
                (id, name) = m.groups()
                id = "%d" % int(id, 16)
                level = 1
                write_line(outfile, 1, id, name)
            elif t:
                (id, name) = t.groups()
                id = "%d" % int(id, 16)
                level = 1
                write_line(outfile, 2, id, name)
            elif r:
                (id, name) = r.groups()
                id = "%d" % int(id, 16)
                level = 1
                write_line(outfile, 3, id, name)
            elif f:
                (id, name) = f.groups()
                id = "%d" % int(id, 16)
                level = 1
                write_line(outfile, 4, id, name)
            elif z:
                (id, name) = z.groups()
                level = 1
                id = "%d" % int(id, 16)
                write_line(outfile, 5, id, name)
            elif s:
                (id, name) = s.groups()
                id = "%d" % int(id, 16)
                level = 1
                write_line(outfile, 6, id, name)
            elif y:
                (id, name) = y.groups()
                id = "%d" % int(id, 16)
                level = 1
                write_line(outfile, 7, id, name)
            elif b:
                (id, name) = b.groups()
                id = "%d" % int(id, 16)
                level = 1
                write_line(outfile, 8, id, name)
            elif j:
                (id, name) = j.groups()
                id = "%d" % int(id, 16)
                level = 1
                write_line(outfile, 9, id, name)
            elif a:
                (id, name) = a.groups()
                id = "%d" % int(id, 16)
                level = 1
                write_line(outfile, 10, id, name)
            elif c:
                (id, name) = c.groups()
                id = "%d" % int(id, 16)
                level = 1
                write_line(outfile, 11, id, name)
            elif d:
                (id, name) = d.groups()
                id = "%d" % int(id, 16)
                level = 1
                write_line(outfile, 12, id, name)
            elif e:
                (id, name) = e.groups()
                id = "%d" % int(id, 16)
                level = 1
                write_line(outfile, 13, id, name)
            elif g:
                (id, name) = g.groups()
                id = "%d" % int(id, 16)
                level = 1
                write_line(outfile, 14, id, name)
            else:
                print "State machine broken! level 0! %s" % line
                sys.exit(1)

        # can either be: new declaration
        # AT_xxxx
        # blank
        elif level == 1:
            m = level2_re.match(line)
            a = at_re.match(line)

            if m:
                (id, name) = m.groups()
                id = "%d" % int(id, 16)
                level = 2
                # <1><41>
                outfile.write("<%s><%s><%s> " % (level, id, name))

            elif a:
                (name, val) = a.groups()

                #DW_AT_byte_size<2>
                val = val[:-2]

                if val[0] == " ":
                    val = val[1:]

                # remove the " surround type name
                if name == "AT_name":
                    val = val[1:-1]

                if name == "AT_const_value":
                    ents = val.split()

                    if len(ents) > 1:
                        ents = ents[1:]
                        try:
                            val = "%d" % int("0x" + "".join([x for x in ents]),16)
                        except:
                            val = "Bad const list val"
                    else:
                        try:
                            val = "%d" % int(val, 16)
                        except:
                            val = "Bad const value"

                if name in ["AT_byte_size", "AT_bit_offset", "AT_bit_size", "AT_upper_bound"]:
                    val = "%d" % int(val, 16)

                if name == "AT_data_member_location":
                    # skip +
                    val = val[1:]

                if name == "AT_type":
                    # convert {0x00000550} ( queue_chain_t )
                    # to decimal of int
                    val = val.split()[0]
                    val = val[1:-1]
                    val = "<%d>" % int(val, 16)

                outfile.write("%s<%s> " % (name, val))
                outfile.flush()

            #else:
                #print "State machine broken! level %d!%s" % (level, line)
                #sys.exit(1)

def main():
    if len(sys.argv) == 3:
        print "converting file"
        mac_file = open(sys.argv[1], "r")
        outfile = open(sys.argv[2], "w")
        convert_file(mac_file, outfile)
        outfile.close()
    else:
        parse_dwarf()

if __name__ == "__main__":
    main()

volatility-2.3.1/vol.py

#!/usr/bin/env python
#  -*- mode: python; -*-
#
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License Version 2 as
# published by the Free Software Foundation.  You may not use, modify or
# distribute this program under any other version of the GNU General
# Public License.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

"""
@author:       AAron Walters
@license:      GNU General Public License 2.0
@contact:      awalters@4tphi.net
@organization: Volatility Foundation
"""

#pylint: disable-msg=C0111

import sys

if sys.version_info < (2, 6, 0):
    sys.stderr.write("Volatility requires python version 2.6, please upgrade your python installation.")
    sys.exit(1)

try:
    import psyco #pylint: disable-msg=W0611,F0401
except ImportError:
    pass

if False:
    # Include a fake import for things like pyinstaller to hit
    # since this is a dependency of the malware plugins
    import yara

import textwrap
import volatility.conf as conf
config = conf.ConfObject()
import volatility.constants as constants
import volatility.registry as registry
import volatility.exceptions as exceptions
import volatility.obj as obj
import volatility.debug as debug

import volatility.addrspace as addrspace
import volatility.commands as commands
import volatility.scan as scan

config.add_option("INFO", default = None, action = "store_true",
                  cache_invalidator = False,
                  help = "Print information about all registered objects")

def list_plugins():
    result = "\n\tSupported Plugin Commands:\n\n"
    cmds = registry.get_plugin_classes(commands.Command, lower = True)
    profs = registry.get_plugin_classes(obj.Profile)
    if config.PROFILE not in profs:
        raise BaseException("Invalid profile " + config.PROFILE + " selected")
    profile = profs[config.PROFILE]()
    wrongprofile = ""
    for cmdname in sorted(cmds):
        command = cmds[cmdname]
        helpline = command.help() or ''
        ## Just put the title line (First non empty line) in this
        ## abbreviated display
        for line in helpline.splitlines():
            if line:
                helpline = line
                break
        if command.is_valid_profile(profile):
            result += "\t\t{0:15}\t{1}\n".format(cmdname, helpline)
        else:
            wrongprofile += "\t\t{0:15}\t{1}\n".format(cmdname, helpline)

    if wrongprofile and config.VERBOSE:
        result += "\n\tPlugins requiring a different profile:\n\n"
        result += wrongprofile

    return result

def command_help(command):
    result = textwrap.dedent("""
    ---------------------------------
    Module {0}
    ---------------------------------\n""".format(command.__class__.__name__))

    return result + command.help() + "\n\n"

def print_info():
    """ Returns the results """
    categories = {addrspace.BaseAddressSpace: 'Address Spaces',
                  commands.Command : 'Plugins',
                  obj.Profile: 'Profiles',
                  scan.ScannerCheck: 'Scanner Checks'}
    for c, n in sorted(categories.items()):
        lower = (c == commands.Command)
        plugins = registry.get_plugin_classes(c, lower = lower)
        print "\n"
        print "{0}".format(n)
        print "-" * len(n)

        result = []
        max_length = 0
        for clsname, cls in sorted(plugins.items()):
            try:
                doc = cls.__doc__.strip().splitlines()[0]
            except AttributeError:
                doc = 'No docs'
            result.append((clsname, doc))
            max_length = max(len(clsname), max_length)

        for (name, doc) in result:
            print "{0:{2}} - {1:15}".format(name, doc, max_length)

def main():

    # Get the version information on every output from the beginning
    # Exceptionally useful for debugging/telling people what's going on
    sys.stderr.write("Volatility Foundation Volatility Framework {0}\n".format(constants.VERSION))
    sys.stderr.flush()

    # Setup the debugging format
    debug.setup()
    # Load up modules in case they set config options
    registry.PluginImporter()

    ## Register all register_options for the various classes
    registry.register_global_options(config, addrspace.BaseAddressSpace)
    registry.register_global_options(config, commands.Command)

    if config.INFO:
        print_info()
        sys.exit(0)

    ## Parse all the options now
    config.parse_options(False)
    # Reset the logging level now we know whether debug is set or not
    debug.setup(config.DEBUG)

    module = None
    ## Try to find the first thing that looks like a module name
    cmds = registry.get_plugin_classes(commands.Command, lower = True)
    for m in config.args:
        if m in cmds.keys():
            module = m
            break

    if not module:
        config.parse_options()
        debug.error("You must specify something to do (try -h)")

    try:
        if module in cmds.keys():
            command = cmds[module](config)

            ## Register the help cb from the command itself
            config.set_help_hook(obj.Curry(command_help, command))
            config.parse_options()

            if not config.LOCATION:
                debug.error("Please specify a location (-l) or filename (-f)")

            command.execute()
    except exceptions.VolatilityException, e:
        print e

if __name__ == "__main__":
    config.set_usage(usage = "Volatility - A memory forensics analysis platform.")
    config.add_help_hook(list_plugins)

    try:
        main()
    except Exception, ex:
        if config.DEBUG:
            debug.post_mortem()
        else:
            raise
    except KeyboardInterrupt:
        print "Interrupted"

volatility-2.3.1/pyinstaller/

volatility-2.3.1/pyinstaller/hook-distorm3.py

# Distorm3 hook
#
# This currently contains the hardcoded location for the standard distorm3.dll install
# It could be improved by carrying out a search, or using sys.path
#
# This also requires the distorm3 module to be modified with the following patch:
# import sys
# if hasattr(sys, '_MEIPASS'):
#     _distorm_path = sys._MEIPASS

datas = [
    ("C:\python27\Lib\site-packages\distorm3\distorm3.dll", ''),
    ]

volatility-2.3.1/pyinstaller/hook-volatility.py

import os

projpath = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))

modules = set(['volatility.plugins'])

for dirpath, _dirnames, filenames in os.walk(os.path.join(projpath, 'volatility', 'plugins')):
    dirpath = dirpath[len(os.path.join(projpath, 'volatility', 'plugins')):]
    if dirpath and dirpath[0] == os.path.sep:
        dirpath = dirpath[1:]
    for filename in filenames:
        path = os.path.join(dirpath, os.path.splitext(filename)[0])
        if "/." in path:
            continue
        if "__" in path:
            continue

        path = path.replace("-", "_")
        path = path.replace(os.path.sep, ".")

        modules.add("volatility.plugins." + path)

hiddenimports = list(modules)

volatility-2.3.1/pyinstaller.spec

# -*- mode: python -*-
projpath = os.path.dirname(os.path.abspath(SPEC))

def get_plugins(list):
    for item in list:
        if item[0].startswith('volatility.plugins') and not (item[0] == 'volatility.plugins' and '__init__.py' in item[1]):
            yield item

exeext = ".exe" if 'win' in sys.platform else ""

a = Analysis([os.path.join(projpath, 'vol.py')],
              pathex = [HOMEPATH],
              hookspath = [os.path.join(projpath, 'pyinstaller')])
pyz = PYZ(a.pure)
plugins = Tree(os.path.join(projpath, 'volatility', 'plugins'),
               os.path.join('plugins'))
exe = EXE(pyz,
          a.scripts + [('u', '', 'OPTION')],
          a.binaries,
          a.zipfiles,
          a.datas,
          plugins,
          name = os.path.join(projpath, 'dist', 'pyinstaller', 'volatility' + exeext),
          debug = False,
          strip = False,
          upx = True,
          icon = os.path.join(projpath, 'resources', 'volatility.ico'),
          console = 1)

volatility-2.3.1/volatility.egg-info/

volatility-2.3.1/volatility.egg-info/SOURCES.txt

AUTHORS.txt CHANGELOG.txt CREDITS.txt LEGAL.txt LICENSE.txt MANIFEST.in Makefile README.txt pyinstaller.spec setup.py vol.py contrib/plugins/disablewarnings.py contrib/plugins/enumfunc.py contrib/plugins/example.py contrib/plugins/pagecheck.py contrib/plugins/psdispscan.py contrib/plugins/scanprof.py contrib/plugins/verinfo.py contrib/plugins/aspaces/__init__.py contrib/plugins/aspaces/ewf.py pyinstaller/hook-distorm3.py pyinstaller/hook-volatility.py resources/volatility.ico resources/volatility.svg tools/vtype_diff.py tools/linux/Makefile tools/linux/module.c
tools/linux/pmem/Makefile tools/linux/pmem/pmem.c tools/mac/convert.py volatility/__init__.py volatility/addrspace.py volatility/cache.py volatility/commands.py volatility/conf.py volatility/constants.py volatility/debug.py volatility/dwarf.py volatility/exceptions.py volatility/fmtspec.py volatility/obj.py volatility/protos.py volatility/registry.py volatility/scan.py volatility/timefmt.py volatility/utils.py volatility.egg-info/PKG-INFO volatility.egg-info/SOURCES.txt volatility.egg-info/dependency_links.txt volatility.egg-info/top_level.txt volatility/plugins/__init__.py volatility/plugins/bioskbd.py volatility/plugins/common.py volatility/plugins/connections.py volatility/plugins/connscan.py volatility/plugins/crashinfo.py volatility/plugins/dlldump.py volatility/plugins/dumpcerts.py volatility/plugins/dumpfiles.py volatility/plugins/envars.py volatility/plugins/evtlogs.py volatility/plugins/fileparam.py volatility/plugins/filescan.py volatility/plugins/getservicesids.py volatility/plugins/getsids.py volatility/plugins/handles.py volatility/plugins/hibinfo.py volatility/plugins/hpakinfo.py volatility/plugins/iehistory.py volatility/plugins/imagecopy.py volatility/plugins/imageinfo.py volatility/plugins/kdbgscan.py volatility/plugins/kpcrscan.py volatility/plugins/machoinfo.py volatility/plugins/mbrparser.py volatility/plugins/mftparser.py volatility/plugins/moddump.py volatility/plugins/modscan.py volatility/plugins/modules.py volatility/plugins/netscan.py volatility/plugins/patcher.py volatility/plugins/privileges.py volatility/plugins/procdump.py volatility/plugins/pstree.py volatility/plugins/raw2dmp.py volatility/plugins/sockets.py volatility/plugins/sockscan.py volatility/plugins/ssdt.py volatility/plugins/strings.py volatility/plugins/taskmods.py volatility/plugins/timeliner.py volatility/plugins/userassist.py volatility/plugins/vadinfo.py volatility/plugins/vboxinfo.py volatility/plugins/vmwareinfo.py volatility/plugins/volshell.py 
volatility/plugins/addrspaces/__init__.py volatility/plugins/addrspaces/amd64.py volatility/plugins/addrspaces/arm.py volatility/plugins/addrspaces/crash.py volatility/plugins/addrspaces/hibernate.py volatility/plugins/addrspaces/hpak.py volatility/plugins/addrspaces/ieee1394.py volatility/plugins/addrspaces/intel.py volatility/plugins/addrspaces/lime.py volatility/plugins/addrspaces/macho.py volatility/plugins/addrspaces/paged.py volatility/plugins/addrspaces/standard.py volatility/plugins/addrspaces/vboxelf.py volatility/plugins/addrspaces/vmware.py volatility/plugins/gui/__init__.py volatility/plugins/gui/atoms.py volatility/plugins/gui/clipboard.py volatility/plugins/gui/constants.py volatility/plugins/gui/desktops.py volatility/plugins/gui/eventhooks.py volatility/plugins/gui/gahti.py volatility/plugins/gui/gditimers.py volatility/plugins/gui/messagehooks.py volatility/plugins/gui/screenshot.py volatility/plugins/gui/sessions.py volatility/plugins/gui/userhandles.py volatility/plugins/gui/win32k_core.py volatility/plugins/gui/windows.py volatility/plugins/gui/windowstations.py volatility/plugins/gui/vtypes/__init__.py volatility/plugins/gui/vtypes/vista.py volatility/plugins/gui/vtypes/win2003.py volatility/plugins/gui/vtypes/win7.py volatility/plugins/gui/vtypes/win7_sp0_x64_vtypes_gui.py volatility/plugins/gui/vtypes/win7_sp0_x86_vtypes_gui.py volatility/plugins/gui/vtypes/win7_sp1_x64_vtypes_gui.py volatility/plugins/gui/vtypes/win7_sp1_x86_vtypes_gui.py volatility/plugins/gui/vtypes/xp.py volatility/plugins/linux/__init__.py volatility/plugins/linux/arp.py volatility/plugins/linux/banner.py volatility/plugins/linux/bash.py volatility/plugins/linux/check_afinfo.py volatility/plugins/linux/check_creds.py volatility/plugins/linux/check_evt_arm.py volatility/plugins/linux/check_fops.py volatility/plugins/linux/check_idt.py volatility/plugins/linux/check_modules.py volatility/plugins/linux/check_syscall.py volatility/plugins/linux/check_syscall_arm.py 
volatility/plugins/linux/common.py volatility/plugins/linux/cpuinfo.py volatility/plugins/linux/dentry_cache.py volatility/plugins/linux/dmesg.py volatility/plugins/linux/dump_map.py volatility/plugins/linux/find_file.py volatility/plugins/linux/flags.py volatility/plugins/linux/ifconfig.py volatility/plugins/linux/iomem.py volatility/plugins/linux/keyboard_notifier.py volatility/plugins/linux/linux_volshell.py volatility/plugins/linux/linux_yarascan.py volatility/plugins/linux/lsmod.py volatility/plugins/linux/lsof.py volatility/plugins/linux/mount.py volatility/plugins/linux/mount_cache.py volatility/plugins/linux/netstat.py volatility/plugins/linux/pidhashtable.py volatility/plugins/linux/pkt_queues.py volatility/plugins/linux/proc_maps.py volatility/plugins/linux/psaux.py volatility/plugins/linux/pslist.py volatility/plugins/linux/pslist_cache.py volatility/plugins/linux/pstree.py volatility/plugins/linux/psxview.py volatility/plugins/linux/route_cache.py volatility/plugins/linux/sk_buff_cache.py volatility/plugins/linux/slab_info.py volatility/plugins/linux/tmpfs.py volatility/plugins/linux/tty_check.py volatility/plugins/linux/vma_cache.py volatility/plugins/mac/__init__.py volatility/plugins/mac/arp.py volatility/plugins/mac/check_syscall_table.py volatility/plugins/mac/check_sysctl.py volatility/plugins/mac/check_trap_table.py volatility/plugins/mac/common.py volatility/plugins/mac/dead_procs.py volatility/plugins/mac/dmesg.py volatility/plugins/mac/dump_map.py volatility/plugins/mac/find_aslr_shift.py volatility/plugins/mac/ifconfig.py volatility/plugins/mac/ip_filters.py volatility/plugins/mac/list_zones.py volatility/plugins/mac/lsmod.py volatility/plugins/mac/lsof.py volatility/plugins/mac/mac_volshell.py volatility/plugins/mac/mac_yarascan.py volatility/plugins/mac/machine_info.py volatility/plugins/mac/mount.py volatility/plugins/mac/netstat.py volatility/plugins/mac/notifiers.py volatility/plugins/mac/pgrp_hash_table.py 
volatility/plugins/mac/pid_hash_table.py volatility/plugins/mac/print_boot_cmdline.py volatility/plugins/mac/proc_maps.py volatility/plugins/mac/psaux.py volatility/plugins/mac/pslist.py volatility/plugins/mac/pstasks.py volatility/plugins/mac/pstree.py volatility/plugins/mac/psxview.py volatility/plugins/mac/route.py volatility/plugins/mac/session_hash_table.py volatility/plugins/mac/trustedbsd.py volatility/plugins/mac/version.py volatility/plugins/malware/__init__.py volatility/plugins/malware/apihooks.py volatility/plugins/malware/callbacks.py volatility/plugins/malware/cmdhistory.py volatility/plugins/malware/devicetree.py volatility/plugins/malware/idt.py volatility/plugins/malware/impscan.py volatility/plugins/malware/malfind.py volatility/plugins/malware/psxview.py volatility/plugins/malware/svcscan.py volatility/plugins/malware/threads.py volatility/plugins/malware/timers.py volatility/plugins/overlays/__init__.py volatility/plugins/overlays/basic.py volatility/plugins/overlays/native_types.py volatility/plugins/overlays/linux/__init__.py volatility/plugins/overlays/linux/elf.py volatility/plugins/overlays/linux/linux.py volatility/plugins/overlays/linux/linux64.py volatility/plugins/overlays/mac/__init__.py volatility/plugins/overlays/mac/mac.py volatility/plugins/overlays/windows/__init__.py volatility/plugins/overlays/windows/crash_vtypes.py volatility/plugins/overlays/windows/hibernate_vtypes.py volatility/plugins/overlays/windows/kdbg_vtypes.py volatility/plugins/overlays/windows/kpcr_vtypes.py volatility/plugins/overlays/windows/pe_vtypes.py volatility/plugins/overlays/windows/ssdt_vtypes.py volatility/plugins/overlays/windows/tcpip_vtypes.py volatility/plugins/overlays/windows/vista.py volatility/plugins/overlays/windows/vista_sp0_x64_syscalls.py volatility/plugins/overlays/windows/vista_sp0_x64_vtypes.py volatility/plugins/overlays/windows/vista_sp0_x86_syscalls.py volatility/plugins/overlays/windows/vista_sp0_x86_vtypes.py 
volatility/plugins/overlays/windows/vista_sp12_x64_syscalls.py volatility/plugins/overlays/windows/vista_sp12_x86_syscalls.py volatility/plugins/overlays/windows/vista_sp1_x64_vtypes.py volatility/plugins/overlays/windows/vista_sp1_x86_vtypes.py volatility/plugins/overlays/windows/vista_sp2_x64_vtypes.py volatility/plugins/overlays/windows/vista_sp2_x86_vtypes.py volatility/plugins/overlays/windows/win2003.py volatility/plugins/overlays/windows/win2003_sp0_x86_syscalls.py volatility/plugins/overlays/windows/win2003_sp0_x86_vtypes.py volatility/plugins/overlays/windows/win2003_sp12_x64_syscalls.py volatility/plugins/overlays/windows/win2003_sp12_x86_syscalls.py volatility/plugins/overlays/windows/win2003_sp1_x64_vtypes.py volatility/plugins/overlays/windows/win2003_sp1_x86_vtypes.py volatility/plugins/overlays/windows/win2003_sp2_x64_vtypes.py volatility/plugins/overlays/windows/win2003_sp2_x86_vtypes.py volatility/plugins/overlays/windows/win7.py volatility/plugins/overlays/windows/win7_sp01_x64_syscalls.py volatility/plugins/overlays/windows/win7_sp01_x86_syscalls.py volatility/plugins/overlays/windows/win7_sp0_x64_vtypes.py volatility/plugins/overlays/windows/win7_sp0_x86_vtypes.py volatility/plugins/overlays/windows/win7_sp1_x64_vtypes.py volatility/plugins/overlays/windows/win7_sp1_x86_vtypes.py volatility/plugins/overlays/windows/windows.py volatility/plugins/overlays/windows/windows64.py volatility/plugins/overlays/windows/xp.py volatility/plugins/overlays/windows/xp_sp2_x86_syscalls.py volatility/plugins/overlays/windows/xp_sp2_x86_vtypes.py volatility/plugins/overlays/windows/xp_sp3_x86_vtypes.py volatility/plugins/registry/__init__.py volatility/plugins/registry/hivelist.py volatility/plugins/registry/hivescan.py volatility/plugins/registry/lsadump.py volatility/plugins/registry/printkey.py volatility/plugins/registry/registryapi.py volatility/plugins/registry/shellbags.py volatility/plugins/registry/shimcache.py volatility/win32/__init__.py 
volatility/win32/crashdump.py volatility/win32/domcachedump.py volatility/win32/hashdump.py volatility/win32/hive.py volatility/win32/lsasecrets.py volatility/win32/modules.py volatility/win32/network.py volatility/win32/rawreg.py volatility/win32/tasks.py volatility/win32/xpress.py

volatility-2.3.1/volatility.egg-info/dependency_links.txt

volatility-2.3.1/volatility.egg-info/top_level.txt
volatility

volatility-2.3.1/volatility.egg-info/PKG-INFO
Metadata-Version: 1.0
Name: volatility
Version: 2.3.1
Summary: Volatility -- Volatile memory framwork
Home-page: http://www.volatilityfoundation.org
Author: AAron Walters
Author-email: awalters@4tphi.net
License: GPL
Description: UNKNOWN
Platform: UNKNOWN